Prohibit work time Sisu net, encounter problem only can drag. What a wonderful administrative strategy.
In fact. There are three ways to sisu a network during a job:
1. Let's say that you can hide in the toilet and see what you're looking at. The price is 3G flow and anesthesia state of the legs and feet;
2. Fill out a sign declarations to explain your reasons for surfing the Internet. For example, look for information such as very general but there is no loophole, and then find the leader to sign, generally will approve. Then you'll be able to look at the news while you check the information. Weather forecasts and the like.
3. From the company's network management loopholes, only to seal off the well-known port, some port is open, if you open a Linux machine at home, then you can go to the Internet through the home machine.
Of the above 3 points, the 1th is almost impossible. Since the company moved, the toilet has no signal. Do not say the internet, in case no paper is very troublesome. 2nd everyone will do, and indeed do so, the result is the biggest effect of the company ban is a variety of printing. Various signatures, all kinds of running, but technicians are not satisfied with such a non-technical solution. So be sure to try the 3rd way.
Generally speaking. The topology of the home network is in the outermost there is a wireless router, and then inside several devices, PCs, all kinds of pad, cell phones and the like. PCs are becoming less popular. It is the old-fashioned idea that many people must buy or assemble a tall pc, just like 10 years ago when a lot of people love a mainframe that is almost extinct. In this post-terminal era. Buy a small board that can carry Linux may be a good idea, it consumes less power, no noise, small, anywhere can be plugged in, long-term boot also does not matter, it is to do the best choice of home internet agent.
Colleagues bought a small board like this, it is said to be very good. What do you need to do now when you want to be able to surf the Internet through the small device at home in your company? Obviously, making a IPIP or GRE tunnel is a good choice, but if you pretend to encrypt it, you must use some kind of VPN technology. The preferred is OpenVPN, as compared to IPSec. We have a ready-made configuration.
However OpenVPN too many, also trouble, so thought of with Simpletun. A little thing that is almost just for learning, a super-small, not even a project, even though it has no encryption function. But for it to add a base64 encoding support or easy ... So we chose to use Simpletun to build tunnels.
Simpletun itself has no problem at all. Very easy to set up the tunnel, the home as a service, the company as a client, because the company's firewall only let the initiative to not let the initiative into. So what's the problem? Here's the problem.
Using Tun mode or tap mode? I am more inclined to tap mode, because this will be able to put the home LAN Bridge to the company, the company's machine and home of small devices and home routers in a network segment, how good! But this requires two extra work:
1. The physical network card of the home small device eth0 and Simpletun start the virtual network card tap0 with the Brctl command to make a bridge, and then let this bridge take over the original eth0 IP address,
2. Assume that the company's machine is connected to the home's small device successfully. Then its Simpletun virtual network card address also to configure Sing Woo home LAN with a network segment.
The 2nd question above is a very good solution. The hard part is the 1th one.
You know, the operation of small devices in the home is remote ssh up. The packet is connected through the public IP of the home router, which is then dnat to the eth0 IP address of the small device, which means that during the bridge setup. The connectivity of this IP address must be ensured, but the current Linux bridge mechanism is not supported.
Concept viewing Mencius The above process, in fact, the virtual network card is not related. So the whole problem can be transformed into: set eth0 on an IP, for IP. How to find a way to make this IP always maintain connectivity in the following process, the process is to add eth0 to a newly created network Bridge.
In the whole problem, the key operation is two points. For example, see the following:
1. The moment the net bridges up.
2. Add eth0 to the bridge at the moment;
One thing is beyond doubt, it's just that you have to add eth0 to the bridge. Assuming Eth0 receives a packet, the kernel assumes that the packet was received by the bridge and is no longer eth0 received, including ARP reply, and the ARP entry for the router that was originally owned by the system's ARP table:
192.168.1.1 00:11:22:33:44:55 eth0
It will become:
192.168.1.1 00:11:22:33:44:55 br0 or 192.168.1.1 (incomplete) br0 (assuming Br0 is not up)
To complete the data communication, the Neighbor Dev field of the routing result item must match the Neighbor Dev field of the ARP table entry. This is also a consistent channel between layer two and level three. Other words. To maintain IP connectivity, you must change the route at the same time that the eth0 increases the bridge, and this is not possible, because Brctl addif operation is only finished one thing, will eth0 increase br0!
Let's say a different idea. The route takes effect first. And then add eth0 to Br0? The same problem, the dev change for the routing item is br0. At this point, however, the ARP entry's dev is still eth0!
In short, the Dev and ARP entries of the route entry will always have an operation in the operation sequence of the bridge causing it to be inconsistent. And this moment of inconsistency will lead to the network, perhaps the operation will not complete, even if it is inconsistent, only can rely on a configuration to make it consistent, it does not converge into a consistent state.
There are two essential reasons: 1.brctl and the route operation are atomic, they are not implicated; 2. The bridge does not have an intermediate transition state. Solving the problem is either associating the Brctl with the route or introducing an intermediate state. Just think about it. Associating Brctl and route is certainly not good, after all, our demand is not a universal demand, there are a lot of ways to solve it, for example, set up a boot if-up script. or write a batch-processing background run. The reason why so seriously have to come to an online job is because I have always thought that I can solve all the network problems ... It was decided to introduce an intermediate state in another way, merging multiple unrelated triggering mechanisms into a single trigger, for example, even though the call to AddIf would add eth0 to Br0, and Ifconfig to br0 set the IP address. But nothing happens until that single trigger action is not running. It is obvious to assume that Br0 does not have up, even if eth0 increases Br0 still uses eth0 for data communication. Finding the code to change is very easy, because the Linux Bridge code itself is very easy to change the net/bridge/br_input.c br_handle_frame function:
struct Sk_buff *br_handle_frame (struct net_bridge_port *p, struct Sk_buff *skb) { const unsigned char *dest = ETH_HDR (s KB)->h_dest; Int (*rhook) (struct sk_buff *skb);////////Add the following code INT flags = p->br->dev->flags; if (! ( Flags & iff_up) { return SKB; } ////////.....}
With this in question, why not use the Ebtables broute table? For example, you set up an article:
Ebtables-t broute-a brouting-j DROP
The effect of this command is the same as the above code changes, but the problem comes again, when you run Brctl addif br0 eth0, you will break the net. Because you need to delete that rule at this time. However, there is no chance to delete, because you can not even go up. As a matter of fact. This is also a single trigger issue. Each action only triggers an action. And the problem discussed above is essentially the same.
The reason for introducing a new problem at the end of this article is to show a better solution.
Let's see what's missing from the ebtable command above and what's lacking is a match. That is, the inference of the BR0 state, it will be a brain to drop all the data to the upper layer, assuming it becomes the following:
Ebtables-t broute-a brouting-i br0-state--dev-state up-j DROP
that wouldn't be perfect. The slightest need to change the existing Linux bridge logic, need to do is only add a ebtables match module, such a modular thing is to let the extension, as to how to expand, see ebtables There is no iptables flexible, as if there is no, So I'm doing it here too.
It's obviously not a noisy thing. It is purely a technical guide that is more boring than it is written.
Whatever it is! What makes people noise is not what this article is about. It is my great dissatisfaction with the record of information, so the real noise is really beginning.
The more I think of the critical thing about using a smartphone. Last night was the wife Check cell phone, check after the anger, not for the wife. It's about apps that don't. Where I've been, how long I've been in that place, I've been able to find out through my dad's iphone privacy, through an app. will be able to find all the previous call logs, SMS. Which sites have been on. The most irritating thing is that the things you delete may not really be deleted, but still remain in the corner of the machine. For example/var/cache/... Let me say a detailed dilemma, assuming you downloaded Sina Weibo with an iphone and logged in with an account. Then quit, and this account will always be on your phone. Next time, you just have to enter the first number of accounts, you will take the initiative to fill the whole, OK. You can not find any place to delete this login information. So what? Delete the program directly, and then download it again. This is a quiet situation. Can not take the initiative to complete, seemingly clear the login information. All right, yes, it's clear. Don't log in, wait, wait, and then suddenly receive a new tweet from a special concern friend who has logged in to the account. Oh, my God. I have not logged in now, how can I know that the micro-bo to push me ah ... The above is a true fact. It's good for me to try this.
There are also problems. I pulled an inappropriate friend to the blacklist of friends. And then remove him, but I can still see his update. And so many more, interested in their own to play it. Don't tell me the problem of technical immaturity, in my opinion, technology can never mature! The idea of technology supremacy is naïve, for only know the technology or other things in life do not care about the people do not understand, accidentally by others into a hopeless abyss, I do not know how boring this matter. In fact, very easy, you do a bad thing to let others toss. It's not illegal to play with others.
You need to know. All the good ideas are not technical staff out, all TMD is the clown extension.
The phonograph was invented not to record music, even to record music as a sacrilege to this damned but great invention. But what is the truth?
As you walk down the street, a large number of cameras point at you, like a sniper aiming at you in the dark and not shooting you. Because once he shoots. For a moment you won't have any feelings whatsoever. When smoking in the corridor next to the freight elevator, maybe security is staring at you to see what you're looking at through your phone. Suppose you look at a net ban, and they will benefit.
The bank's bills will tell people when and where you spend your money at which store, and if you justify saying you bought a pound of pork at the latitude and longitude of the Muslim Mall, you must be lying because you don't know what the information is. Portal site. Iphone. The company's Nas, they will record your information, you do not know how the information will finally be treated. The simplest way is the TMD less information exchange, although I will not be on the company not allowed on the site, but I also refused to use Google to check the formal technical content, I refuse to use the Internet, only that, although I will not go to Dongguan, will not talk to strange women, But I deleted all the communications and apps, and I refused to use the smartphone, that's all.
Close your eyes, pee in the toilet and pee in the center of the People's Square street, for those without the mind is the same, but in a moment to monitor the status of netizens, in essence and close their eyes in the center of the square Pee no different.
For a handful of technicians, it is always possible to cover a simple barrier when urinating, or even to urinate directly, and at the same time raise the middle finger around, but for most technicians, to pee. But only to know that they hold the urine to cover a toilet, if you want to go to the toilet, next to the mall there. Ignorance leads to lag ...
A noise about the Linux bridge configuration
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
