Netruon understanding (12): using Linux Bridge to connect the Linux network namespace to the extranet

Last Update:2016-08-15 Source: Internet

Author: User

Tags openvswitch

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

Learn Neutron Series Articles:(1) Virtualization Network implemented by Neutron(2) Neutron Openvswitch + VLAN Virtual network(3) Neutron Openvswitch + gre/vxlan Virtual network(4) Neutron OVS OpenFlow flow table and L2 Population(5) Neutron DHCP Agent(6) Neutron L3 Agent(7) Neutron LBaas(8) Neutron Security Group(9) Neutron FWaas and Nova Security Group(ten) Neutron Vpnaas(one) Neutron DVR(Neutron VRRP)(+) High Availability (HA)(14) Connect the Linux network namespace to the extranet using NAT(15) using Linux Bridge to connect the Linux network namespace to the external networkThe previous article introduced the use of NAT to connect the Linux network namespace to the extranet, but this model has a lot of limitations, including that it uses an internal ip, so the external computer does not have direct access to its IP and needs to access it by accessing its host and then through DNAT. Its application scenario is usually because the enterprise uses the public network IP address is generally limited, when the internal computer needs to access the public network, often to take a NAT Approach. This article describes the use of Linux Bridge to connect the Linux network namespace to the external Network.1. Environment and Configuration 1.1 test environment(fig. 1)Environment description: <ul> <ul> <li>Computer 1 (host1) is a VMware virtual machine on ESXi that has two network cards, eth0 used to communicate with computer 2 (host2).</li> <li>The IP address of the host1 is 192.168.1.87. Another machine used by the experiment host2 the IP for 192.168.1.48. Their gateways are 192.168.1.1.</li> <li>The/proc/sys/net/ipv4/ip_forward content on the host1 is 0, which means the IP forwarding is off</li> <li>Iptables Filter table on Host1:</li> </ul> </ul><pre><pre>[email protected]:/etc# iptables-t filter-S-p INPUT Accept-p FORWARD DROP-p OUTPUT Accept</pre></pre>In order to be able to ping host2 from the Netns ns2 on the host1, you need to do the configuration and instructions: <table border="0"> <tbody> <tr> <td>Steps</td> <td>Command</td> <td>Description</td> </tr> <tr> <td>1</td> <td>IP netns Add ns2</td> <td>Create a Linux network namespace named ' Ns2 '</td> </tr> <tr> <td>2</td> <td>IP link Add veth1 type Veth peer name Veth2</td> <td>Create a Veth device, one end is veth1, the other is Veth2</td> </tr> <tr> <td>3</td> <td>IP link set veth2 netns ns2</td> <td>Add Veth2 to NS2 as one of its network interface</td> </tr> <tr> <td>4</td> <td>Brctl ADDBR BR1Brctl addif eth0 BR1Ifconfig eth0 0.0.0.0Ifconfig BR1 192.168.1.87/24 upBrctl addif BR1 veth1</td> <td>Create Liux Bridge ' BR1 'Remove the IP address of the eth0 and set its address to BR1Add eth0 to BR1Add Veth1 to BR1</td> </tr> <tr> <td>5</td> <td>IP netns exec ns2 ifconfig veth2 192.168.1.88/24 up</td> <td>Configure the IP address of the veth2, which is on the same network segment as Host1 and Host2</td> </tr> <tr> <td>6</td> <td>IP netns exec ns2 route add default GW 192.168.1.1</td> <td>Set the default route for NS2 to the gateway address of Host1 and Host2</td> </tr> <tr> <td>7</td> <td>Iptables-t filter-a forward-m physdev--physdev-in eth0--physdev-out veth1-j ACCEPTIptables-t filter-a forward-m physdev--physdev-out eth0--physdev-in veth1-j ACCEPT</td> <td>Set FORWARD Rules</td> </tr> </tbody> </table>After you have done the above configuration, <ul> <ul> <li>You can ping other computers from the ns2, whether it is a 192.168.1.0 network segment or another network segment</li> <li>You can ping 192.168.1.88 from another computer</li> </ul> </ul>2. Principle 2.1 Linux Bridge forwardingWhen you ping the IP address of veth2 from an external computer iptables statistics:<pre>Chain INPUT (policy ACCEPT1814packets, 198K bytes) pkts bytes target prot optinch outsource Destinationchain FORWARD (policy DROP thePackets7950bytes) pkts bytes target prot optinch outSource Destination154 11794ACCEPT all--* *0.0.0.0/0 0.0.0.0/0Physdev match--physdev-inchens9f0--physdev- outveth1121 8724ACCEPT all--* *0.0.0.0/0 0.0.0.0/0Physdev match--physdev-inchveth1--physdev- outens9f0chain OUTPUT (policy ACCEPT thepackets, 184K bytes) pkts bytes target prot optinch outSource destination</pre>This means that network traffic does go through the Linux bridge to do Forwarding. For more details on the description of the Iptables settings on Linux bridge, please refer to ebtables/iptables interaction on a linux-based bridge. Highlights Include: <ul> <ul> <ul> <li>Iptables and Ebtables filter tables related to Linux Bridge</li> <li>The Linux kernel 2.6 version contains the code for Ebtables and br-nf, where the BR-NF code makes the network frame/packet of Bridge pass through the iptables filter table; ebtables table works on the network two layer (Ethernet), iptables The table works on the upper layer (IP).</li> <li>When an IP packet enters a bridge/router interface, it sends the network packet to another bridge interface in the following scenarios:</li> <li>(fig. 2)</li> <li>When an IP packet enters a bridge/router interface, it sends the network packet to a Non-bridge interface case as Follows: <ul> <li>(fig. 3)</li> </ul></li> </ul> </ul> </ul>Based on the above principles, the requirements of the case in this paper,(1) If you use the Physdev module, you can use the following two rules for precise control:<pre><pre>IPTABLES-T filter -A forward-m physdev--physdev- in eth0--physdev- out veth1--t filter< C7/>-a forward-m physdev--physdev- out eth0--physdev- in Veth1-j ACCEPT</pre></pre>Note: <ul> <ul> <li>physdev-in specifies the port of the bridge to which the network packet enters</li> <li>PHYSDEV-OUT specifies the port of the bridge to which the network packet left</li> </ul> </ul>(2) You can also use general rules to control whether BR1 are allowed to be forwarding<pre><pre>Iptables-t filter-a forward-i br1-j ACCEPT</pre></pre>(3) the IP forwrading of the Linux kernel does not need to be enabled, it is primarily for NAT Scenarios.2.2 The forwarding behavior of Linux BridgeLinux Bridge determines its behavior based on the destination MAC address of the received Frame: <ul> <ul> <li>If the destination MAC address of the frame is known at the other end of bridge, it will do bridging (forwarding)</li> <li>If the destination MAC address of the frame is unknown, it will do flooding (flooding)</li> <li>If the destination MAC address of a frame is the MAC address (local) of Bridge itself or one of its ports, it is sent to the upper IP layer</li> <li>If the destination MAC address is known and is on the source side of bridge, Discard</li> </ul> </ul>Linux Bridge itself maintains a mapping table for MAC addresses and input ports:<pre>[email protected]:/home/s1# brctl Showmacs br-Ens9f0port no Mac addris local?Ageing Timer 1 -: 0e:d5:c6: -: -No224.96 27e: -: -: bb: +: theYes0.00 27e: -: -: bb: +: theYes0.00 1A0: $: 9f:5c: the: F8 No58.07 1A0: $: 9f: the: b1: theYes0.00 1A0: $: 9f: the: b1: theYes0.00 2Ee: the: to: Cc: the: oneNo0.29</pre> <ul> <ul> <li>When you ping an external computer from ns2, because Bridge discovers that its destination MAC address is not local, it executes the Linux bridging on that IP packet, which triggers the filtering rules discussed in 2.1.</li> <li>When Ping host1 from ns2, because the destination MAC address is local, it will be sent directly to the IP layer, at this time, the previous discussion of the FORWARD chain filter table Two filtering rules do not work on it, which is why even if you do not add the Two-day rule, ping Host1 will also Succeed.</li> </ul> </ul>2.3 Promiscuous mode of the network interface (promiscuous mode, abbreviated as Promisc Mode)According to wikipedia, the PROMISC model refers to a NIC that gives all the network traffic it accepts to the cpu, rather than just handing over the part it wants to transfer to the CPU. In an IEEE 802 network, each network frame has a destination MAC address. In Non-promiscuous mode, the NIC will only accept unicast frames with the destination MAC address as its own Mac address, as well as multicast and broadcast Frames. In promiscuous mode, the NIC accepts all frames that pass through it.simply, You can use the Ifconfig command or the netstat-i command to see if the promiscuous mode on a network interface is open: <ul> <ul> <li>Ifconfig eth0, View the configuration of the eth0, including promiscuous Mode. When the output contains prmisc, it indicates that the network interface is in promiscuous Mode. But there are also special cases, see the 2.3.2 section Below.</li> </ul> </ul><pre><pre>[email protected]:/home/s1# ifconfig eth0eth0 Link encap:ethernet HWaddr a0:9f:97 : b1: inet6 addr:fe80::a236:9fff:fe97:b168/ scope:link Promisc multicast MTU: Metric:1 </pre></pre> <ul> <ul> <li>Ifconfig eth0 promisc//make eth0 into promiscuous mode</li> <li>Ifconfig eth0-promisc//make eth0 exit promiscuous mode</li> </ul> </ul>In this example, after eth0 network traffic, including to it, but also to the ns2, the destination MAC address of the frame is no longer the Eth0 own Mac address, therefore, eth0 promiscuous mode must be turned On. however, during the testing process, two interesting things were found.2.3.1 Promiscuous mode of NIC for VMware virtual machineAccording to how promiscuous mode works at the virtual switch and portgroup levels this article, the VMware virtual machine NIC needs to enable promiscuous mode when VMware VSwitch and its The Vport in Virtual group also needs to turn on promiscuous Mode. When VSwitch is enabled for promiscuous mode, all the port groups (portgroup) above it also turn on promiscuous mode by Default. well, in my test, it took me quite a while to find this Problem.(1) turn on the promiscuous mode of VSwitch(2) the promiscuous mode of the port group, The default is the promiscuous mode with vSwitch, but you can also explicitly open or close2.3.2 Hybrid mode for Linux bridge and its interfaceThe testing process found that when a network interface is added to the Linux bridge, its promiscuous mode is automatically turned on and cannot be closed until it is removed from Bridge.(1) automatically exits promiscuous mode when the Veth device leaves the Linux bridge<pre><pre>Brctl delif br-| grep promiscuous[498665.637647 left promiscuous mode</pre></pre>You can manually set its Promisc mode now:<pre>[email protected]:/home/s1# Netstat-i |grep veth40veth40 the 0 68386 0 0 0 280670 0 0 0Bmru[email protected]:/home/s1# ifconfig veth40 promisc[email protected]:/home/s1# Netstat-i |grep veth40veth40 the 0 68386 0 0 0 280670 0 0 0BMPru[498822.803260] Device Veth40 entered promiscuous mode</pre>(2) automatically enter Promisc mode when the Veth device is added to Linux bridge<pre><pre>Brctl addif br-| grep promiscuous[498681.199680] device Veth40 entered promiscuous mode</pre></pre>Even if it is set to Non-promisc mode through ifconfig, Netstat-i also shows that it is in Non-promis mode, but it is still in Promisc mode at this point:<pre><pre></pre></pre><pre><pre>DMESG No RECORDS.</pre></pre><pre><pre>[email protected]:/home/s1# ifconfig veth40- [email protected]:/home/s1# netstat-i | the 0 68410 0 0 0 280723 0 0 0 Bmru</pre></pre>Conclusion: <ul> <ul> <li>After the network device is added to Linux bridge, it automatically enters promiscuous mode and cannot exit. It should be said that this approach also simplifies the network configuration in the Linux bridge Environment.</li> <li>After the network device moves out of the Linux bridge, it automatically exits promiscuous mode and can modify</li> <li>Linux Bridge itself is a two-tier network device, but it does not have a promiscuous mode, it will be forwarded according to the situation or flooding network frames</li> </ul> </ul>Note: the relevant knowledge of Linux Bridge and iptables in this paper is more complicated, the author only confirms the test process and results in this paper, and some errors may exist in the theory Analysis. This article will remain updated continuously.Netruon understanding (12): using Linux Bridge to connect the Linux network namespace to the extranet

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More