A rant about Linux bridge configuration

Source: Internet
Author: User

Some things are fine for the day before a holiday, but definitely not for right before you sit down to eat ... Last week I ran into something that worried me so much that I ended up with low blood sugar. Very embarrassed, I went foraging and found a bag of super-spicy chicken feet; after eating them the symptoms got worse, so I had to beg a colleague at the next desk for chocolate. Alas... It all started while I was getting ready for lunch: a technical problem that I thought could be solved with configuration, and in the end I still had to change the f***ing code! It begins with a company ban: no personal web surfing!


Personal surfing is banned during work hours, so when you hit a problem you can only put it off. What a wonderful administrative policy.

In fact, there are three ways to get some personal surfing done during work:
1. Hide in the toilet and look things up on your phone. The price is 3G data and legs and feet that go numb;
2. Fill out a form explaining why you need the Internet, for example "looking up some information", which is general enough to leave no loophole, then get the boss to sign it; it is usually approved. Then, while checking that information, you can also read the news, weather forecasts and the like.
3. Use a gap in the company's network management: only the well-known ports are blocked and some ports are open, so if you have a Linux machine at home, you can reach the Internet through that machine.
Of these three, the first is practically impossible: since the company moved, the toilet has no signal, never mind Internet, and running out of paper there is a real problem. The second is what everyone does, and indeed the biggest effect of the company ban has been all sorts of printing, signatures and running around. But a technician is not satisfied with such a non-technical solution, so the third way had to be tried.


Generally speaking, a home network's topology is a wireless router on the outside and several devices inside: PCs, all kinds of tablets, phones and the like. PCs are becoming less popular; the idea that everyone must buy or assemble a big tower PC is old-fashioned, just like ten years ago when many people loved the mainframe that is now almost extinct. In this post-PC era, buying a small board that can run Linux may be a good idea: it uses little power, makes no noise, is small, can be plugged in anywhere, and can stay powered on long-term without a problem. It is the best choice for a home Internet proxy.

A colleague bought such a small board and says it is very good. Now, what do you need to do to surf the Internet from the company through that small device at home? Obviously an IPIP or GRE tunnel is a good choice, but if you also want encryption you must use some kind of VPN technology. Compared with IPSec, OpenVPN is preferred, and we have a ready-made configuration for it.

But OpenVPN is too much, and troublesome, so I thought of simpletun: a little thing that exists almost purely for learning, super small, not even a project, even though it has no encryption. Adding base64 encoding support to it is easy enough ... So I chose simpletun to build the tunnel.
simpletun itself has no problem at all: the tunnel is very easy to set up, with home as the server and the company as the client, because the company's firewall only lets connections go out, not come in. So what is the problem? Here it is.

Tun mode or tap mode? I lean toward tap mode, because it lets me bridge the home LAN to the company: the company machine, the small home device and the home router all end up in one network segment. How nice! But this requires two extra pieces of work:
1. Make a bridge with the brctl command out of the small home device's physical NIC eth0 and the virtual NIC tap0 that simpletun creates, then let the bridge take over eth0's original IP address;
2. Assuming the company machine connects to the small home device successfully, configure its simpletun virtual NIC with an address in the same segment as the home LAN.
The second item is easy to solve. The hard part is the first.

You see, the small home device is operated remotely over ssh. Packets come in via the home router's public IP and are then DNATed to the small device's eth0 IP address, which means that during the bridge setup the connectivity of this IP address must be preserved, and the current Linux bridge mechanism does not support that.
Looking at the process above conceptually, the virtual NIC is actually irrelevant, so the whole problem reduces to: eth0 has an IP; how do you keep that IP reachable throughout the following process, where the process is adding eth0 to a newly created bridge.

In the whole problem there are two key moments:
1. The moment the bridge comes up;
2. The moment eth0 is added to the bridge;
One thing is beyond doubt: once eth0 has been added to the bridge, when eth0 receives a packet the kernel treats it as received by the bridge and no longer by eth0, ARP replies included. So the router's entry that the system's ARP table originally held:
192.168.1.1 00:11:22:33:44:55 eth0
becomes:
192.168.1.1 00:11:22:33:44:55 br0 or 192.168.1.1 (incomplete) br0 (if br0 is not up)
For data communication to complete, the neighbour dev of the routing lookup result must match the dev of the ARP table entry; this is the consistent channel between layer two and layer three. In other words, to keep IP connectivity you must change the route at the very moment eth0 is added to the bridge, and that is impossible, because the brctl addif operation does only one thing: add eth0 to br0!
Let's try the other order: change the route first, then add eth0 to br0? Same problem: the route entry's dev becomes br0, but at that moment the ARP entry's dev is still eth0!

In short, in the sequence of bridge operations there is always one operation that leaves the route entry's dev and the ARP entry's dev inconsistent, and that moment of inconsistency breaks the network. Perhaps the operation will not even complete; and even when it does, you can only rely on a further configuration step to make them consistent again, because the system does not converge to a consistent state by itself.


There are two root causes: 1. brctl and the route operations are each atomic and are not linked to each other; 2. the bridge has no intermediate transition state. Solving the problem means either linking brctl with the route, or introducing an intermediate state. Think about it: linking brctl and route is certainly not good. After all, our need is not a universal one, and there are plenty of ways around it, for example an if-up script run at boot, or a batch job run in the background. The reason I took it so seriously is that I have always believed I can solve every network problem ... So I decided to introduce an intermediate state in another way, merging several unrelated triggers into a single trigger: for example, even though calling addif adds eth0 to br0, and ifconfig sets br0's IP address, nothing takes effect until that single trigger action runs. The obvious choice is this: as long as br0 is not up, eth0 keeps doing the data communication even after it has been added to br0. Finding the code to change is very easy, because the Linux bridge code itself is very easy to change: the br_handle_frame function in net/bridge/br_input.c:

struct sk_buff *br_handle_frame(struct net_bridge_port *p, struct sk_buff *skb)
{
        const unsigned char *dest = eth_hdr(skb)->h_dest;
        int (*rhook)(struct sk_buff *skb);

        //////// Add the following code
        int flags = p->br->dev->flags;
        /* While the bridge device (br0) is not up, hand the frame back
         * unconsumed so the port (eth0) keeps receiving it as before. */
        if (!(flags & IFF_UP)) {
                return skb;
        }
        ////////
        ...
}
Then, after loading the modified module, run the following sequence:
1. Create the bridge
brctl addbr br0
2. Turn off STP (optional)
brctl stp br0 off
3. Set an IP with a slightly longer mask, leaving the bridge down for now
ifconfig br0 192.168.1.100/25 down
4. Add eth0 to br0
brctl addif br0 eth0
5. Bring up br0
ifconfig br0 up
6. Clear the eth0 IP
ifconfig eth0 0.0.0.0
Step 3 deserves a comment. Linux adds a route with the same prefix but different attributes to the end of the list, so if two NICs are configured with the same IP address, whichever came up first has its link route in front and is matched first. Setting an IP with a slightly longer mask makes br0's network segment more specific than eth0's. But be careful: the 25-bit mask must not put the default gateway in a different segment from the br0 IP. For example, a default gateway at 192.168.1.128 or beyond will not do, because it is no longer in the same segment as 192.168.1.100. If you really want to use the slightly longer mask, you will need to add the route with the onlink flag to force it. In fact you can use a metric to achieve the same thing without a longer-mask IP address; you can also change the routing part of the Linux kernel, turning the list_add_tail somewhere in fn_hash_insert into list_add_head (not discussed here; those interested can modify it themselves) ...
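The "batch job run in the background" alternative mentioned above, worked through as an added example (not the post's own script): because the whole sequence runs detached from the ssh session, it does not matter that the eth0 address is unreachable between addif and br0 coming up, so it works on a stock kernel without the modified module, and instead of the longer-mask trick it flushes eth0's address once br0 is up so that br0's routes win. br0, eth0, 192.168.1.100/24 and the gateway 192.168.1.1 are placeholders; it needs root, brctl and iproute2.

```shell
#!/bin/sh
# Added example, not the post's own script. Placeholders: br0, eth0,
# 192.168.1.100/24 and the gateway 192.168.1.1; needs root, brctl and iproute2.
set -eu
BR=${BR:-br0}; NIC=${NIC:-eth0}
ADDR=${ADDR:-192.168.1.100}; PFX=${PFX:-24}
GW=${GW:-192.168.1.1}
PROBE=${PROBE:-$GW}   # host whose reachability proves the takeover worked

# The takeover as one batch. Between "brctl addif" and "ip link set br0 up"
# the old eth0 address is unreachable (the inconsistency the post describes),
# which is harmless here because nothing in the batch waits on the ssh session.
takeover_cmds() {
    cat <<EOF
brctl addbr $BR
brctl stp $BR off
ip addr add $ADDR/$PFX dev $BR
brctl addif $BR $NIC
ip link set $BR up
ip route replace default via $GW dev $BR
ip addr flush dev $NIC
ip neigh flush dev $NIC
EOF
}

# Undo the takeover if the box is unreachable afterwards.
rollback_cmds() {
    cat <<EOF
ip link set $BR down
brctl delif $BR $NIC
brctl delbr $BR
ip addr add $ADDR/$PFX dev $NIC
ip route replace default via $GW dev $NIC
EOF
}

# Run the batch, then prove the new path works; roll back if it does not.
run_takeover() {
    takeover_cmds | sh -e || true   # fall through to the check either way
    if ping -c 3 -W 2 "$PROBE" >/dev/null 2>&1; then
        return 0
    fi
    rollback_cmds | sh -e
    return 1
}

# Detach it from the ssh session that launches it, e.g.:
#   nohup sh takeover.sh run >/tmp/takeover.log 2>&1 &
if [ "${1:-}" = run ]; then run_takeover; fi
```

Setting NIC, BR, ADDR, PFX and GW in the environment before launching adapts it to another box without editing the script.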
That's how it's done. But it cannot be adopted! What does adopted mean? It means becoming a generally accepted solution. If I submitted my change to the bridge mechanism to the kernel mailing list, a lot of people would scold me, or more likely nobody would talk to me at all ... This hard-coded approach is undesirable in terms of code style, and from a practical point of view you cannot guarantee that whoever uses the bridge will accept your logic, so it is better to make it optional. How do you make it selectable? A module parameter is one way, but there are better ones.


With that question in mind, why not use the ebtables broute table? For example, you set up a rule:
ebtables -t broute -A BROUTING -j DROP
The effect of this command is the same as the code change above (in the broute table, DROP means the frame is routed, that is, handed to the upper layer, instead of bridged). But the problem comes back: when you run brctl addif br0 eth0 you break the network, because at that point you need to delete this rule, and there is no chance to delete it, since you cannot even log in. In fact this is the same single-trigger issue: each action triggers only one thing, and the problem is essentially the one discussed above.

The reason for raising a new problem at the end of this article is to show a better solution.

Let's see what the ebtables command above lacks. What is missing is a match, one that checks the state of br0; without it, the rule blindly hands all traffic to the upper layer. Suppose it could be written like this (the state match is hypothetical, the point being to add a new ebtables match module):
ebtables -t broute -A BROUTING -i br0 -state --dev-state up -j DROP
Wouldn't that be perfect? It does not need the slightest change to the existing Linux bridge logic; all that is needed is to add an ebtables match module, and such a modular thing is meant to be extended. As for how to extend it, ebtables is not as flexible as iptables here (it seems to have nothing comparable), so that is something I am also working on.
This is obviously not a rant. It is purely a technical guide, and more boring than it sounds.

Whatever! What makes people want to rant is not what this article has been about. It is my great dissatisfaction with the recording of information, so the real rant begins now.
The more I think about it, the more critical the smartphone issue is. Last night my wife checked her phone and got angry afterwards, not at me but at the apps. Where I have been, how long I stayed there: all of it could be found out through my dad's iPhone, through an app, including all previous call logs, SMS, and which sites had been visited. The most irritating thing is that what you delete may not really be deleted; it still lingers in some corner of the machine, for example /var/cache/... Let me describe a concrete dilemma. Suppose you download Sina Weibo on an iPhone and log in with an account, then log out. That account will stay on your phone forever: next time you only have to type the first character of the account and it fills in the whole thing, and you cannot find anywhere to delete this login information. So what do you do? Delete the app and download it again. That seems to settle it: the login information appears to be cleared. All right, yes, it is cleared. Don't log in, wait, wait, and then suddenly you receive a new post from a followed friend of the account that used to be logged in. Oh my God, I am not logged in now, so how does Weibo know to push to me ... The above is a true story; I tried it myself.
There are other problems. I put an unwelcome friend on the blacklist and then removed him, but I can still see his updates. And many more; if you are interested, play with it yourself. Don't tell me it is a problem of immature technology; in my opinion technology can never mature! The idea of technological supremacy is naive. People who only know technology, or who do not care about other things in life, do not understand this, and can be pushed by others into a hopeless abyss without noticing. I don't know how to say how boring this is. In fact it is very simple: you do one bad thing and leave others to deal with it. Playing with other people is not illegal.

You need to know: none of the good ideas came from technical staff; all of them are damned extensions by clowns.

The phonograph was not invented to record music; using it to record music was even seen as a sacrilege against this damned but great invention. But what is the truth?
As you walk down the street, a large number of cameras point at you, like a sniper aiming at you in the dark without shooting, because once he shoots, for a moment you will have no feeling at all. When you smoke in the corridor next to the freight elevator, maybe security is staring at you to see what you are looking at on your phone, and if you are looking at a banned site, they profit.

The bank statement tells people when and where you spent your money and at which store; if you claim you bought a pound of pork at the coordinates of a Muslim mall, you must be lying, because you don't know what the information is. Portal sites, the iPhone, the company's NAS: they all record your information, and you don't know how that information will finally be treated. The simplest way is to exchange damn less information. Although I will not visit the sites the company forbids, I also refuse to use Google to look up serious technical content; I refuse to use the Internet, only that. Although I will not go to Dongguan and will not talk to strange women, I deleted all the communication apps and I refuse to use a smartphone, that's all.
Close your eyes and pee in the toilet, or pee in the middle of People's Square: for someone without a mind they are the same, but netizens whose status is monitored at every moment are, in essence, no different from someone peeing in the middle of the square with their eyes closed.

A handful of technicians can always put up a simple screen when urinating, or even urinate openly while raising a middle finger all around; but most technicians, needing to pee, know only to hold it until they find a toilet to hide in, and if you want to find a toilet, there is one next to the mall. Ignorance leads to falling behind ...
