A note on Linux Bridge configuration

Source: Internet
Author: User

In other words, some things are fine to do the day before a holiday but definitely not right before you are about to eat... I ran into exactly such a thing last week and ended up with low blood sugar. In a bad state I found a pack of super-spicy chicken feet, felt even worse after eating them, and begged a chocolate from the colleague next to me... It all started with a technical problem I had been chewing on before lunch: I thought it could be handled with configuration alone, but in the end I still had to modify the fxxxing code! And that, in turn, originated from a company ban: no Internet access!
No Internet access during working hours; if you hit a problem you can only stall. What a wonderful administrative policy. In practice there are three ways to get online at work:
1. Watch video on your phone, hidden in the toilet where nobody knows what you are watching. The price is the 3G data and a pair of legs gone numb;
2. Fill in a sign-off form explaining why you need the Internet. "Looking up information" is vague but leaves nothing to object to; ask the lead to sign and it is generally approved, and then you can read the news and the weather forecast while looking things up;
3. The company's network administration is sloppy: only the well-known ports are blocked, while some other ports are open. If you have a Linux machine at home, you can reach the Internet through it.
Of these three, the first is basically impossible, because since the company moved there is no signal at all in the restroom, let alone enough for surfing, and if the paper runs out it gets very awkward. The second is what everyone does, so the net effect of the company ban is printing, signing and running around. A technician, however, is not satisfied with a non-technical solution, so the third method has to be tried.
Generally the home network topology has a wireless router on the outside and several devices behind it: PCs, various pads, phones and so on. PCs are no longer popular; old habit still drives many people to buy or assemble high-end PCs, just as many people loved the nearly extinct mainframes ten years ago. In this post-terminal era a small board running Linux may be a better buy: low power, no noise, tiny, usable wherever it is needed, and it does not matter if it stays powered on for a long time. It is the best choice for a home Internet proxy. A colleague of mine bought such a board and says it is quite good. So what is needed to reach the Internet from the company through the small device at home? Obviously an IPIP or GRE tunnel is a good choice, but if the tunnel is to be encrypted some VPN technology is required, so the first candidate is OpenVPN, since compared with IPsec there are ready-made configurations. But OpenVPN has too many parameters and they are a hassle. I thought of simpletun, which is almost purely a teaching program: it is tiny and can hardly be called a project. It has no encryption, but it would be easy to add base64 encoding to it... so simpletun was chosen to establish the tunnel. Note, though, that base64 is an encoding, not encryption: it hides nothing from anyone who captures the traffic (the company firewall, for one), so a base64-wrapped simpletun is an obfuscated tunnel, not a confidential one.
simpletun itself is no problem at all, and establishing the tunnel is simple: home is the server and the company is the client, because the company firewall only allows connections initiated from inside and not connections initiated from outside. So where is the problem? The problem is: tun mode or tap mode? I prefer tap mode, because it lets the home LAN be bridged into the company. How nice it is for the company machine, the small device at home and the home router to all sit in one network segment! But this requires two extra tasks:
1. On the small device at home, run brctl to create a bridge containing the physical NIC eth0 and the virtual NIC tap0 that simpletun brings up, and let the bridge take over eth0's original IP address;
2. Once the company machine has connected to the small device at home, configure the address of simpletun's virtual NIC on the company side into the same network segment as the home LAN.
The second item is easily solved; the difficulty is the first. Remember that all operations on the small device at home are done remotely over SSH: packets arrive at the public IP address of the home router, which DNATs them to the eth0 address of the small device. So the IP address must stay reachable throughout the bridge setup, and the current Linux bridge mechanism does not support that.
The above actually has nothing to do with the virtual NIC, so the whole problem reduces to: given an IP address configured on eth0, keep that IP reachable throughout the following procedure of adding eth0 to a new bridge. The key operations are:
1. The moment the bridge is brought up;
2. Adding eth0 to the bridge;
There is no doubt that once eth0 has been added to the bridge, any packet eth0 receives is, in the kernel's view, received by the bridge rather than by eth0, ARP replies included. As a result the ARP entry for the home router, which in the system's ARP table was originally:
192.168.1.1 00:11:22:33:44:55 eth0
becomes:
192.168.1.1 00:11:22:33:44:55 br0 (or 192.168.1.1 (incomplete) br0, if br0 has not yet been brought up)
For data communication to work, the device of the route lookup result must agree with the device of the ARP (neighbour) entry; that agreement is the link between layer 2 and layer 3. In other words, to keep IP connectivity the route would have to be changed at the very moment eth0 is added to the bridge. That is impossible, because brctl addif does exactly one thing: add eth0 to br0!
What if the route is changed first and eth0 added to br0 afterwards? Same story: the route entry's dev becomes br0, but the ARP entry's dev is still eth0! In short, somewhere in the bridge-setup sequence there is always one operation that leaves the route entry's dev and the ARP entry's dev inconsistent, and at that moment the network is cut and the remaining steps cannot be carried out. Once inconsistent, the two can only be made consistent by yet another configuration step; they never converge to a consistent state by themselves.
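The layer-2/layer-3 agreement described above can be checked from user space before and after each step. The following is an added example, not code from the original post: it parses the one-line output of `ip -o -4 route` and `ip -o -4 neigh` and reports whether a usable neighbour entry for the default gateway exists on the very device the default route points at. The three sample outputs are constructed here to mirror the states the post describes (before the bridge, after `brctl addif` on an unpatched kernel, and after a successful takeover by br0); they were not captured from a real host.

```python
"""Check that the route and the neighbour entry for the default gateway
name the same device (added example, not code from the original post).

Input is the one-line format of `ip -o -4 route` and `ip -o -4 neigh`.
The kernel keys neighbour lookups by (device, address), so an ARP entry
under br0 does not help a default route that still says eth0, and vice versa.
"""

# neighbour states that still carry a usable link-layer address
USABLE = {"REACHABLE", "STALE", "DELAY", "PROBE", "PERMANENT"}


def _kv(fields, key):
    """Return the token following `key` in a split `ip -o` line, or None."""
    for i, tok in enumerate(fields[:-1]):
        if tok == key:
            return fields[i + 1]
    return None


def parse_routes(text):
    """`ip -o -4 route` -> list of {dst, via, dev}."""
    out = []
    for line in text.strip().splitlines():
        f = line.split()
        if f:
            out.append({"dst": f[0], "via": _kv(f, "via"), "dev": _kv(f, "dev")})
    return out


def parse_neighbours(text):
    """`ip -o -4 neigh` -> list of {ip, dev, lladdr, state}."""
    out = []
    for line in text.strip().splitlines():
        f = line.split()
        if f:
            out.append({"ip": f[0], "dev": _kv(f, "dev"),
                        "lladdr": _kv(f, "lladdr"), "state": f[-1]})
    return out


def gateway_path(route_text, neigh_text):
    """Return (route_dev, devices_with_usable_arp_entry, consistent)."""
    routes = parse_routes(route_text)
    default = next((r for r in routes if r["dst"] == "default"), None)
    if default is None or default["via"] is None:
        return (None, [], False)
    entries = [n for n in parse_neighbours(neigh_text) if n["ip"] == default["via"]]
    usable = sorted(n["dev"] for n in entries
                    if n["state"] in USABLE and n["lladdr"])
    return (default["dev"], usable, default["dev"] in usable)


# --- constructed samples (not captured from a real host) -------------------
BEFORE_ROUTE = """\
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.100
"""
BEFORE_NEIGH = "192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE\n"

# eth0 added to br0 on an unpatched kernel: the router's ARP reply is now
# delivered on br0, so the entry moves while the default route still says eth0
ADDIF_ROUTE = BEFORE_ROUTE
ADDIF_NEIGH = """\
192.168.1.1 dev eth0  FAILED
192.168.1.1 dev br0 lladdr 00:11:22:33:44:55 REACHABLE
"""

# after br0 has taken over the address and the default route was re-added
AFTER_ROUTE = """\
default via 192.168.1.1 dev br0
192.168.1.0/25 dev br0 proto kernel scope link src 192.168.1.100
"""
AFTER_NEIGH = "192.168.1.1 dev br0 lladdr 00:11:22:33:44:55 REACHABLE\n"


if __name__ == "__main__":
    for name, r, n in (("before bridge", BEFORE_ROUTE, BEFORE_NEIGH),
                       ("after addif (unpatched)", ADDIF_ROUTE, ADDIF_NEIGH),
                       ("after takeover", AFTER_ROUTE, AFTER_NEIGH)):
        print(f"{name:24s} -> {gateway_path(r, n)}")
```

On a live box the two texts come from `ip -o -4 route` and `ip -o -4 neigh`; running the check between each step of the bridge sequence shows exactly which step breaks the agreement.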
There are two root causes: 1. brctl and route operations are each atomic and independent of each other; 2. the bridge has no intermediate transition state. To solve this you either couple brctl with the route operation or introduce an intermediate state. Coupling brctl with route is clearly a bad idea: this is not a common requirement and there are many other ways around it, for example an if-up boot script or a batch script run in the background. The only reason I insisted on doing it live is that I have always believed I could solve any network problem... So I chose the second approach: introduce an intermediate state and fold several unrelated triggers into a single trigger. For example, addif is called to add eth0 to br0 and ifconfig is called to set an IP address on br0, but none of it takes effect until the single trigger fires. Obviously, as long as br0 is not up, eth0 keeps being used for data communication even after it has been added to br0. The code to modify is easy to find, because the Linux bridge code itself is simple: modify the br_handle_frame function in net/bridge/br_input.c:

struct sk_buff *br_handle_frame(struct net_bridge_port *p, struct sk_buff *skb)
{
    const unsigned char *dest = eth_hdr(skb)->h_dest;
    int (*rhook)(struct sk_buff *skb);

    /* Added: while the bridge device (br0) is not up, hand the frame back
     * unchanged so the normal stack processes it as received on eth0. */
    int flags = p->br->dev->flags;
    if (!(flags & IFF_UP))
        return skb;

    /* ... original body unchanged ... */
}
Then load the modified module and run the following sequence:
1. Create the bridge:
brctl addbr br0
2. Disable STP (optional):
brctl stp br0 off
3. Give br0 an IP address with a slightly longer mask, leaving it down:
ifconfig br0 192.168.1.100/25 down
4. Add eth0 to br0:
brctl addif br0 eth0
5. Bring br0 up:
ifconfig br0 up
6. Clear the IP address of eth0:
ifconfig eth0 0.0.0.0
Keep in mind that removing eth0's last address also removes the routes that pointed at eth0, the default route included, and that the SSH session coming in through the router depends on that default route. Steps 5 and 6 and a re-added default route via br0 (for example route add default gw 192.168.1.1 br0) are therefore best issued on a single command line.
It is worth noting, regarding step 3: in Linux, routes with the same prefix but different semantics are appended at the tail of the list, so if two NICs are configured with the same IP address, the link route of the NIC that came up first matches first. The slightly longer mask is there so that br0's connected route is more specific than eth0's. The price is that the 25-bit mask must not cut the default gateway off into a different subnet from br0's address: for example, the gateway must not be at 192.168.1.128 or above, because then it is no longer in the same subnet as 192.168.1.100/25. If you still want the longer mask in that situation, the default route must be added with onlink forced (ip route add default via <gateway> dev br0 onlink). In fact the same effect can be had with a metric and no longer mask at all. You could also modify the kernel's routing code and change list_add_tail to list_add_head in fn_hash_insert (not covered here; try it yourself if interested)...
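The route-selection rules this note relies on are easy to get wrong, so here is an added example (not code from the original post) that models them in Python with the standard `ipaddress` module: longest prefix wins; among equal prefixes the lower metric wins; with equal prefix and metric the route inserted first wins (the post's point about fn_hash_insert appending with list_add_tail). It also shows the edge case the note warns about: with a /25 on br0, destinations above 192.168.1.127 still go out eth0, and a gateway there needs an onlink route. Everything else about the real kernel FIB is deliberately ignored.

```python
"""Tiny model of the route selection behind the /25 trick
(added example, not code from the original post)."""
import ipaddress


class TinyFib:
    """Connected routes only: (network, dev, metric) in insertion order."""

    def __init__(self):
        self.routes = []

    def add_connected(self, addr_with_prefix, dev, metric=0):
        """Add the scope-link route that ifconfig creates for an address
        such as 192.168.1.100/25 configured on `dev`."""
        net = ipaddress.ip_interface(addr_with_prefix).network
        self.routes.append((net, dev, metric))

    def lookup(self, dst):
        """Output device for `dst`, or None if no route matches."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, dev, metric in self.routes:
            if addr not in net:
                continue
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, dev, metric)          # longer prefix wins
            elif net.prefixlen == best[0].prefixlen and metric < best[2]:
                best = (net, dev, metric)          # lower metric wins
            # equal prefix and metric: keep the earlier entry (list_add_tail)
        return None if best is None else best[1]


def gateway_needs_onlink(br_addr_with_prefix, gateway):
    """True when the gateway lies outside br0's subnet, so a plain default
    route via it is rejected and the route must be added with onlink."""
    net = ipaddress.ip_interface(br_addr_with_prefix).network
    return ipaddress.ip_address(gateway) not in net


def same_prefix_first_wins():
    """br0 gets the same /24 as eth0: eth0 came up first, so eth0 wins."""
    fib = TinyFib()
    fib.add_connected("192.168.1.100/24", "eth0")
    fib.add_connected("192.168.1.100/24", "br0")
    return fib.lookup("192.168.1.1")


def longer_mask_splits_segment():
    """Step 3 of the sequence: /25 on br0 beats the /24 on eth0 for the
    gateway, but hosts above .127 still leave through eth0."""
    fib = TinyFib()
    fib.add_connected("192.168.1.100/24", "eth0")
    fib.add_connected("192.168.1.100/25", "br0")
    return (fib.lookup("192.168.1.1"), fib.lookup("192.168.1.200"))


def metric_instead_of_mask():
    """The alternative the note mentions: same /24, prefer br0 by metric."""
    fib = TinyFib()
    fib.add_connected("192.168.1.100/24", "eth0", metric=100)
    fib.add_connected("192.168.1.100/24", "br0", metric=0)
    return fib.lookup("192.168.1.1")


if __name__ == "__main__":
    print("same prefix, eth0 first :", same_prefix_first_wins())
    print("/25 on br0 (.1, .200)   :", longer_mask_splits_segment())
    print("metric instead of mask  :", metric_instead_of_mask())
    for gw in ("192.168.1.1", "192.168.1.254"):
        print(f"gateway {gw} needs onlink with /25:",
              gateway_needs_onlink("192.168.1.100/25", gw))
```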
The problem is solved this way, but the solution cannot be generalized! What does generalizing mean? Turning it into a general solution. I think that if I submitted this modified bridge mechanism to the kernel mailing list there would certainly be plenty of scolding, and more likely nobody would care at all... In terms of code style this hard-coded approach is not desirable, and in terms of actual effect you cannot guarantee that everyone who uses the bridge agrees with your logic. So it would be better to make it optional. How? A module parameter is one way, but there is a better one.
At this point a question arises: why not use the ebtables broute table? For example, set:
ebtables -t broute -A BROUTING -j DROP
The effect of this command is the same as that of the code modification above (in the broute table, DROP means the frame is not bridged but handed to the upper layer as if received on the physical port). But the problem comes back: after brctl addif br0 eth0 this rule has to be deleted, and that is exactly the moment the network is cut, so you never get the chance to delete it because you can no longer connect. This is in essence the same single-trigger problem discussed above: each operation triggers exactly one action. The reason for bringing up this new problem at the end of the article is to demonstrate a better solution. Look at what the ebtables command above lacks: a match. Instead of judging the state of br0, it DROPs (passes up) all frames unconditionally. If it became:
ebtables -t broute -A BROUTING --dev-state up -j DROP
wouldn't that be perfect? There is no need to change the existing Linux bridge logic at all; all we need is to add an ebtables match module. That is what modularity is for: extension. How to extend it? ebtables looks flexible enough, so that is what I will do here. Two practical notes: the match above (br0-state / --dev-state in the sketch) does not exist in stock ebtables, it is the module still to be written; and mind the polarity: since DROP in the broute table means "do not bridge, deliver to the stack as received on eth0", the rule must fire only while br0 is down to mirror the kernel patch, so the state test has to be negated or written as a "down" test.
The above is obviously not the point of this post. It is just a dull technical guide; take it or leave it. What this article really wants to express is my great dissatisfaction with the recording of information. So the real rant begins.
I feel more and more that using a smartphone is dangerous. Last night I looked at my wife's phone, and when I was done I was angry, not at my wife but at an unreasonable app: where I have been, how long I stayed there, all the call records and text messages can be found through the privacy check on the iPhone, which websites were visited, and most annoyingly, deleted items may not really be deleted and linger in some corner of the machine such as /var/cache/... Let me describe a specific dilemma. Download Sina Weibo on an iPhone, log in with an account, then log out: that account stays on the phone forever; next time you only need to type the first character and the account auto-completes. And you cannot find anywhere to delete this login information. What do you do? Delete the app and download it again. Now it is quiet and no longer auto-completes; it seems the login information has been cleared. Fine, it really is cleared. Don't log in at this point; wait, and wait, and then suddenly I receive a new Weibo notification from a friend of the account that used to be logged in. Oh my God, I have not logged in yet, how does Weibo know to push it to me... The above is a real fact; I tested it on purpose.
There is another problem. I put an unwelcome friend on the blacklist and deleted him, yet I can still see his updates. There are many such things; if you are interested, go and have fun with them. Don't tell me these are problems caused by immature technology. In my view technology will never mature! How naive the technology-first view is. People who know only technology, or who care about nothing else in their lives, will be led into a bottomless abyss without noticing, never knowing how dull the whole affair is. In fact it is very simple: make something bad yourself and let others play with it; letting others play is not against the law. You should know that none of the nasty ideas were developed by technicians; TMD, they came from the clowns. The original intention of the phonograph was not to record music. I even used to think recording music was a great, damned invention. But what is the truth?
When you walk down the street, a large number of cameras point at you, like a sniper aiming at you in the dark but not firing, because once he fires you will not feel anything in an instant. When you smoke in the corridor next to the freight elevator, a security guard may be staring at what you are reading on your phone; if it is something you should not be watching, he benefits from it too. The bank's statement will tell others when and where you spent how much in which store; if you argue that you bought a pound of pork at the longitude and latitude of the Muslim mall, you must be lying, because you do not know what the registration information says. Portals, iPhones and the company NAS all record your information, and you do not know how it will be processed. The simplest way is to exchange less information with TMD. I will not visit websites the company forbids, but I have also refused to use Google to look up even formal technical content; I have refused to use the Internet, that's all. I won't go to Dongguan and I won't talk to strangers, but I still deleted all contacts and apps; I refuse to use a smartphone, that's all.
Close your eyes and pee in the toilet, or pee in the middle of the road at People's Square: for a mindless person these are the same. But netizens who are under surveillance at all times are essentially no different from someone closing his eyes and peeing in the middle of the square. A few technical people can always put up a simple screen when they pee, or even pee with their eyes open and raise a middle finger at everyone around; but most technical people only know to hold it in and build a toilet, not knowing that there is one in the mall next door. Ignorance causes lag...
