A rant about Linux bridge configuration

Source: Internet
Author: User

Some things are fine for the day before a holiday, but they are definitely not something to look into right before you are about to eat... Last week I ran into one such thing. It ended in hypoglycemia; I went around foraging, rather embarrassed, found a pack of super spicy chicken feet, and after eating them the symptoms only got worse, so I had to beg a chocolate from the colleague next to me, alas... It all started when, just before lunch, I got stuck on a technical problem that I thought could be solved by configuration alone, but in the end I had to change the fxxxing code! And it all began with a company ban: no unauthorized internet use!
Unauthorized internet use during working hours is prohibited; when you run into a problem, all you can do is let it drag on. What a wonderful administrative policy. In practice, there are three ways to get online during working hours:
1. If you want to watch a live stream or the like, hide in a toilet stall and watch it there. Nobody knows what you are looking at; the price is 3G data and legs numb from squatting.
2. Fill in a declaration form explaining your reason for going online, something general and unobjectionable such as "looking up documentation", find a manager to sign it (it is usually approved), and then you can also read the news, the weather forecast and so on.
3. Use the gap in the company's network management: only the well-known ports have been sealed off, some ports are still open, so if you have a Linux machine running at home you can go online through that machine.
Of the three, the first is basically impossible: since the company moved there is not even a bit of signal in the toilets, never mind the internet; running out of paper would be the real trouble. Everybody does the second, and so did I; the biggest effect of the company ban has been all kinds of printing, all kinds of signatures and all kinds of running around. But a technician is not satisfied with such a non-technical solution, so the third way had to be tried.
In general, the topology of a home network has a wireless router on the outside and several devices on the inside: PCs, assorted pads, mobile phones and the like. The PC is no longer popular; the idea that everyone must buy or assemble a big tower is old-fashioned thinking, like ten years ago when many people were fond of the large machines that are almost extinct today. In this post-terminal era, buying a small board that can run Linux may be a better idea: it consumes little power, makes no noise, is small, can be plugged in anywhere, and does not mind being left running for a long time. It is the best choice for a home internet proxy. A colleague bought a small board like this and says it is very good. So what do you need in order to surf the internet from the company through the small device at home? Obviously an IPIP or GRE tunnel is a good choice, but if you want encryption you have to use some kind of VPN technology, and then OpenVPN is preferred, because compared with IPSec we have ready-made configurations for it. However, OpenVPN has far too many parameters and is a hassle, so I thought of simpletun, a tiny thing that exists almost only for learning and hardly counts as a project. It has no encryption, but adding base64 encoding support to it is easy... So simpletun was chosen to build the tunnel.
simpletun itself has one small problem. Setting up the tunnel is very simple: home acts as the server and the company as the client, because the company firewall only lets connections out, not in. So where is the problem? Here it is: tun mode or tap mode? I prefer tap mode, because then the home LAN can be bridged to the company, so that the company machine, the small device at home and the home router are all in one network segment. How nice! But two extra jobs are needed:
1. Use the brctl command to bridge the small device's physical NIC eth0 with the virtual NIC tap0 that simpletun brings up, and then let this bridge take over eth0's original IP address;
2. When the company machine connects to the small device at home, the address of its simpletun virtual NIC should also be configured in the same network segment as the home LAN.
The second item is easy to solve; the hard one is the first. Remember that the small device at home is operated remotely over SSH: the packets reach the home router's public IP, and the router DNATs them to the eth0 IP address of the small device. That means the connectivity of this IP address must be preserved throughout the bridge setup, and the current Linux bridge mechanism does not support that.
Looked at this way, the process above actually has nothing to do with the virtual NIC, so the whole problem can be reduced to this: eth0 has an IP configured on it; how do you keep that IP reachable during the following process, the process being: add eth0 to a newly created bridge. Within this problem there are two key moments:
1. The moment the bridge comes up;
2. The moment eth0 is added to the bridge.
One thing is beyond doubt: once eth0 has been added to the bridge, when eth0 receives a packet the kernel considers it received by the bridge and no longer by eth0, ARP replies included, so the router's entry in the system's ARP table:
192.168.1.1 00:11:22:33:44:55 eth0
becomes:
192.168.1.1 00:11:22:33:44:55 br0, or 192.168.1.1 (incomplete) br0 if br0 is not up
For data communication to complete, the neighbour dev of the routing result must match the dev of the ARP table entry; this is the consistent channel between layer two and layer three. In other words, to keep the IP reachable you would have to change the route at the very moment eth0 joins the bridge, which is impossible, because brctl addif does exactly one thing: it adds eth0 to br0!
What if you change your mind and let the route take effect first, then add eth0 to br0? Same problem: the route's dev has been changed to br0, but at that moment the dev of the ARP entry is still eth0! In short, in any sequence of bridge operations there is always one step that leaves the route's dev and the ARP entry's dev inconsistent, and that moment of inconsistency breaks the network, so the subsequent operations cannot complete. Once it is inconsistent, only another configuration step can make it consistent again; it does not converge to a consistent state on its own.
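The layer-2/layer-3 mismatch described above can be observed from user space by comparing what the routing lookup picks for the gateway with what the neighbour table records for it. The following script is an added example and not part of the original post: it pulls the `dev` field out of one line of `ip route get` and one line of `ip neigh show` output (iproute2 is assumed to be installed for the live check) and reports whether both name the same device. The sample lines at the bottom are constructed to mirror the eth0/br0 situation in the text.

```shell
#!/bin/sh
# Added example (not from the original post): check that the route to a next
# hop and the ARP/neighbour entry for that next hop use the same device.
# The post's argument is that IP connectivity holds only while they agree.

# Print the word that follows "dev" in one line of `ip` output (or nothing).
dev_field() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Return 0 when both lines name the same device, 1 otherwise.
# $1: one line of `ip route get`, $2: one line of `ip neigh show`
l2_l3_consistent() {
    rdev=$(dev_field "$1")
    ndev=$(dev_field "$2")
    [ -n "$rdev" ] && [ -n "$ndev" ] && [ "$rdev" = "$ndev" ]
}

# Live check against the running system; $1 is the gateway address.
check_gateway() {
    gw=$1
    route_line=$(ip route get "$gw" 2>/dev/null | head -n 1)
    neigh_line=$(ip neigh show to "$gw" 2>/dev/null | head -n 1)
    if l2_l3_consistent "$route_line" "$neigh_line"; then
        echo "ok: route and neighbour entry both use $(dev_field "$route_line")"
    else
        echo "MISMATCH: route dev=[$(dev_field "$route_line")] neighbour dev=[$(dev_field "$neigh_line")]"
        return 1
    fi
}

# Constructed sample lines in the shape `ip` prints. The "after" neighbour
# line is the state the post describes: eth0 has joined br0, so the ARP entry
# moved to br0 while the route still points at eth0.
SAMPLE_ROUTE='192.168.1.1 dev eth0 src 192.168.1.100 uid 0'
SAMPLE_NEIGH_BEFORE='192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE'
SAMPLE_NEIGH_AFTER='192.168.1.1 dev br0 lladdr 00:11:22:33:44:55 REACHABLE'
```

Source the script and call `check_gateway 192.168.1.1` on the small device before and after each step of the bridge setup; the constructed samples show the agreeing and the broken state without touching the system.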
There are two essential reasons: 1. the brctl operation and the route operation are each atomic and are not linked to each other; 2. the bridge has no intermediate transition state. Solving the problem means either associating brctl with the route, or introducing an intermediate state. Think about it: associating brctl with the route is certainly not good; after all, our requirement is not a common one, and there are many ways to solve it, such as setting up an if-up script at boot, or writing a batch job that runs in the background. The reason I take it so seriously as a live job is that I always think I can solve every network problem... So I decided on the second way: introduce an intermediate state, and merge several unrelated triggers into a single trigger. For example, although addif adds eth0 to br0 and ifconfig sets br0's IP address, nothing takes effect until that single trigger action has been executed. Obviously, if br0 is not up, then even though eth0 has joined br0, eth0 is still used for data communication. The code to modify is easy to find, because the Linux bridge code itself is easy to modify: the br_handle_frame function in net/bridge/br_input.c:

struct sk_buff *br_handle_frame(struct net_bridge_port *p, struct sk_buff *skb)
{
    const unsigned char *dest = eth_hdr(skb)->h_dest;
    int (*rhook)(struct sk_buff *skb);
    //////// add the following code
    int flags = p->br->dev->flags;
    if (!(flags & IFF_UP)) {
        /* bridge device is down: hand the frame back for eth0's own stack
         * to process instead of bridging it */
        return skb;
    }
    ////////
    ...
}
After the modified module is loaded, execute the following sequence:
1. Create the bridge
brctl addbr br0
2. Turn off STP (optional)
brctl stp br0 off
3. Assign an IP with a slightly longer mask, and leave br0 down for now
ifconfig br0 192.168.1.100/25 down
4. Add eth0 to br0
brctl addif br0 eth0
5. Bring br0 up
ifconfig br0 up
6. Clear eth0's IP
ifconfig eth0 0.0.0.0
It is worth mentioning, for step 3 above, that Linux appends a route with the same semantics as an existing one to the tail of a list, so if two NICs are configured with the same IP address, whichever came up first has its link route in front and gets matched first. Setting an IP with a slightly longer mask makes br0's segment more specific than eth0's. But be aware that the /25 mask on br0's IP must not split the default gateway into a different network segment. For example, a default gateway at 192.168.1.128 or above will not do, because it is not in the same segment as 192.168.1.100/25; if you really want to use the longer-mask IP address in that case, you need to add the gateway route with the onlink flag forced. In fact, you can use a metric to achieve the above without the longer-mask IP address, or you can modify the routing part of the Linux kernel, changing the list_add_tail somewhere in fn_hash_insert to list_add_head (not covered here; modify it yourself if you are interested)...
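Steps 1 to 6 and the /25 caveat, put together as one script. This is an added example and not the original post's code: it assumes the patched bridge module from the post is loaded, that brctl and ifconfig are installed, and that it runs as root; the function names and the --apply switch are my own. Before touching anything it checks that the gateway lies inside br0's longer prefix, which is the condition the text warns about, and refuses to continue otherwise.

```shell
#!/bin/sh
# Added example (not from the original post): the six-step bridge takeover
# with a preflight check that the default gateway is covered by the longer
# prefix given to br0. Assumes the patched bridge module, brctl, ifconfig
# and root privileges.

# Dotted quad -> 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Netmask for a prefix length (0..32) as an integer
prefix2mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
    fi
}

# Return 0 when address $2 lies inside $1 ("addr/prefix"), 1 otherwise.
in_same_subnet() {
    case $1 in
        */*) net=${1%/*}; plen=${1#*/} ;;
        *)   net=$1; plen=32 ;;
    esac
    m=$(prefix2mask "$plen")
    [ $(( $(ip2int "$net") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# Steps 1-6 from the post.
# $1 = physical NIC, $2 = "ip/prefix" for br0, $3 = default gateway
bridge_takeover() {
    nic=$1; braddr=$2; gw=$3
    if ! in_same_subnet "$braddr" "$gw"; then
        echo "refusing: gateway $gw is outside $braddr; br0 would lose the default route" >&2
        echo "(use a prefix that covers the gateway, or add the gateway route with onlink)" >&2
        return 1
    fi
    brctl addbr br0                 # 1. create the bridge
    brctl stp br0 off               # 2. no STP (optional)
    ifconfig br0 "$braddr" down     # 3. longer prefix; br0 stays down
    brctl addif br0 "$nic"          # 4. enslave eth0; with br0 down the patched
                                    #    bridge still hands frames to eth0's stack
    ifconfig br0 up                 # 5. the single trigger: route and ARP move to br0
    ifconfig "$nic" 0.0.0.0         # 6. drop the old address from eth0
}

# Only act when explicitly asked, so the file can be sourced for its functions.
if [ "${1:-}" = "--apply" ]; then
    bridge_takeover "${2:-eth0}" "${3:-192.168.1.100/25}" "${4:-192.168.1.1}"
fi
```

Run it as `sh bridge_takeover.sh --apply eth0 192.168.1.100/25 192.168.1.1` over the same SSH session whose connectivity has to survive; with a gateway such as 192.168.1.200 the preflight check stops before step 1 instead of leaving the device unreachable after step 5.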
That's how it is done, but it is not going to fly! What do I mean by "fly"? Turning it into a general solution. I think that if I sent this revised bridge mechanism to the kernel mailing list, a lot of people would curse me, or more likely nobody would talk to me at all... From the code style angle, this hard-coded way is inadvisable; from the practical angle, you cannot guarantee that everyone who uses bridges agrees with your logic, so making it an optional switch is better. How to make it selectable? Module parameters are of course one way, but there are better ones.
With that question in mind, why not use the ebtables broute table? For example, if you set:
ebtables -t broute -A BROUTING -j DROP
The effect of this command is the same as the code modification above (in the broute table, DROP means the frame is routed, that is, handed to the upper layer, instead of being bridged). But the problem comes back: when you execute brctl addif br0 eth0 you break the network, because at that point you need to delete the rule, but you have no chance to delete it, since you can no longer get in. In fact this is again a single-trigger problem: each action triggers only one effect, which is essentially the same problem discussed above. The reason for introducing this new problem at the end of the article is to show a better solution. Look at the ebtables command above. What is it missing? A match, that is, a judgment on br0's state; as written it brainlessly DROPs all data to the upper layer. If it became the following:
ebtables -t broute -A BROUTING -i br0 -state --dev-state up -j DROP
Wouldn't that be perfect? Not the slightest change to the existing Linux bridge logic; all that needs doing is adding an ebtables match module. This is what modularity is for: extension. As for how far it can be extended, and whether ebtables is as flexible as iptables, I don't think it is, so I'll stop here.
Obviously the above is not a rant, it is purely a boring piece of technical guide writing. Whatever! That is not what this article is about; it is about my great dissatisfaction with the recording of information, so the real rant starts now.
I feel more and more that using a smartphone is a very dangerous thing. Last night my wife checked my phone, and after the check I was angry, not at my wife but at the unscrupulous apps. Where I have been and how long I stayed there can be found through the damned iPhone's privacy settings; through another app you can find all the call records, the text messages and the websites visited; and worst of all, the things you delete may not really be deleted, they still remain in some corner of the machine, such as /var/cache/... Let me describe a specific dilemma. If you download Sina Weibo on the iPhone, log in with an account and then quit, that account stays on your phone forever; next time you only have to type the first character of the account and it autocompletes, and, OK, you can find nowhere to delete this login information. So what do you do? Remove the app outright and download it again. Now it is quiet, no more autocompletion, the login information seems cleared. OK, yes, really cleared. This time don't log in; wait, wait... and then suddenly you receive a new microblog post from one of the friends that account follows. God, I am not logged in now, how does Weibo know to push this to me... The above is a true fact, which I tested deliberately.
There is the same kind of problem elsewhere: I put an annoying public account, * * *, on the Moments blacklist and then removed him, yet I can still see his updates. And many more; play with them yourself if you are interested. Don't tell me this is technical immaturity: in my opinion, technology can never mature! The view that technology is innocent is naive. For people who know only technology, or who don't care about other things in life and don't understand them, being pushed by others into a hopeless abyss without noticing, I don't know how boring this matter is. In fact it is very simple: you do one bad thing and let others toy with it; it is all others playing, and none of it is illegal. You know, none of the good ideas come from technical staff; they are all the TMD extensions of clowns. The phonograph was not invented to record music; one could even think that recording music is blasphemy against this damned but great invention, but what is the truth?
As you walk down the street, a large number of cameras point at you, like a sniper aiming at you in the dark without shooting, because once he shoots you won't feel a thing. When you smoke in the corridor next to the freight elevator, maybe security is staring at what you are looking at on your phone, and if you are looking at a banned website, they benefit. The bank's statements tell people when and where you spent your money at which store, and if you claim you bought a pound of pork at the coordinates of a Muslim mall, you are lying, because you don't know what information has been registered. Portals, iPhones, the company NAS: they all record your information, and you do not know how this information will eventually be handled. The simplest way is TMD less information exchange: although I will not visit the sites the company forbids, I also refuse to use Google for legitimate technical content; I refuse to use the internet, that's all. Although I will not go to Dongguan and will not talk to strange women, I still deleted all the communication records and apps; I refuse to use the smartphone, that's all.
Close your eyes and pee in the toilet, or pee in the middle of the street at People's Square: for those without a mind it is the same. But monitoring the status of netizens at every moment is, in essence, no different from closing your eyes and peeing in the middle of the square. A small number of technical people can always put up a simple screen while peeing, or even pee with eyes wide open while raising the middle finger at everyone around; but most technical staff, in order to pee, only know to hold it until they reach a toilet, and if you want a toilet, there is one in the mall next door. Ignorance leads to lagging behind...

