Advanced Linux Routing and Traffic Control: Building bridges and using ARP proxy to construct pseudo-network bridges

Source: Internet
Author: User
Keywords Linux traffic control ARP proxy advanced routing Building Network bridge pseudo-Network bridge
Tags advanced advanced routing aliyun arp proxy building network bridge configuration control data

A network bridge is a device that is installed on a network and does not require any subsequent configuration. The network switch is basically a multiple-port network bridge. This means that the bridge is a two-port switch. Linux can support a network bridge with multiple interfaces and become a real exchanger.

Bridges are often used to improve the http://www.aliyun.com/zixun/aggregation/7317.html of those who are not working well but cannot be modified. Because the bridge is a 2-tier device (the layer below the IP), routers and servers are unaware of its existence. This means that you can block or modify data packets completely and transparently, or even flow-shaping.

Another good thing is that if a network bridge crashes, you can use a hub or even a crossover line to replace it.

The bad news is that if it is not explicitly documented in the engineering document, the bridge can cause confusion. It does not appear in the traceroute, but it causes the packet to disappear from point A to point B ("Haunted online!"). ”)。 You should also want to know whether an organization that "doesn't want to change anything" is doing what it should.

The Linux 2.4/2.5 Network Bridge document is on this page.

1. Bridging and Iptables relations

As of Linux 2.4.20, bridges and iptables cannot see each other without the help of other conditions. If you take the packet from the Eth0 Bridge to the eth1, it will not pass the iptables. This means you can't do packet filtering, NAT, mangle, etc. Starting with Linux 2.5.45, this problem has been resolved.

You may have heard of another so-called "Ebtables" program, which can achieve Macnat and "brouting" and so on crazy functions. It's really exciting!

2. Bridging and Flow shaping

Advertise: No problem!

Just want to be clear which network card is on which side, otherwise you may in the Internal network card configuration external network flow shaping, that certainly cannot work. Use sniffer to confirm if necessary.

3. Using ARP proxy to realize pseudo-network bridge

If you just want to implement a pseudo network bridge, read the "Implementation" section directly, but it's not a bad thing to see how it works.

The work of the Pseudo Network bridge is somewhat special. By default, a network bridge sends data frames from one port to another without change. It simply looks at the hardware address of the data frame to determine where the frame should be sent. That is, as long as the data frame has the appropriate hardware address, you can let Linux forward the data frame it does not know.

The work of the Pseudo network bridge is somewhat different, it looks more like a stealth router, not a network bridge. But similar to the Network Bridge is, the network design does not have much influence.

Because it is not a bridge, it has an advantage: Data frames (packets) pass through the kernel, so you can filter, modify, redirect, or reroute.

A true network bridge can also implement the above techniques, but that requires specific code, like the Ethernet frame splitter or the patch mentioned above.

Another advantage of the pseudo-network bridge is that it does not forward the packets it does not know, which prevents some cruft from flooding the network, thereby purifying your network environment. If you really need these cruft (such as SAP Packages or NetBEUI), you should use the real bridge.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.