Analysis of veth pairs and the Linux bridge


veth-pair-bridge

  • A bridge device is itself a virtual network device, so it has all the properties of a network device. It is a virtual switch implemented purely in software, so it offers functions similar to a physical switch (MAC address learning, STP, an FDB, and so on).

  • A bridge device can be given an IP address as well as a MAC address, and it performs layer-2 forwarding like a switch.

  • A bridge device has multiple ports; tap devices and veth devices can be attached to it, and we can picture these as the ports on a switch.

Creating the bridge device

When we create the br0 device it is a standalone network device: think of one end as connected to the protocol stack, while br0 itself has no ports yet, like an NF chassis with no line cards fitted. It is purely a layer-2 device.

# create the bridge device
    ip link add name br0 type bridge
    ip link set br0 up
    ip link show
    
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 00:0c:29:9d:16:87 brd ff:ff:ff:ff:ff:ff
    altname enp2s1
3: br0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
    link/ether 42:70:f8:b9:f4:dc brd ff:ff:ff:ff:ff:ff

Attaching veth0 to br0


    ip link add veth0 type veth peer name veth1
    ip addr add 10.70.2.10/24 dev veth0
    ip addr add 10.70.2.11/24 dev veth1
    ip link set veth0 up
    ip link set veth1 up
    ip link set veth0 master br0
# let the two ends of the veth pair on this host answer each other's ARP: accept locally sourced packets (accept_local) and disable reverse-path filtering (rp_filter)
    echo 1 > /proc/sys/net/ipv4/conf/all/accept_local 
    echo 1 > /proc/sys/net/ipv4/conf/default/accept_local 
    echo 1 > /proc/sys/net/ipv4/conf/veth1/accept_local 
    echo 1 > /proc/sys/net/ipv4/conf/veth0/accept_local 
    echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter 
    echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter  
    echo 0 > /proc/sys/net/ipv4/conf/veth0/rp_filter 
    echo 0 > /proc/sys/net/ipv4/conf/veth1/rp_filter 
    echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter

[root@boy ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:c4:ad:69 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.10/24 brd 192.168.0.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::624c:c1db:e3b4:9165/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:88:30:e1:69:6f brd ff:ff:ff:ff:ff:ff
    inet6 fe80::18e9:8eff:feb7:2115/64 scope link 
       valid_lft forever preferred_lft forever
4: veth1@veth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 26:54:ea:ad:02:fa brd ff:ff:ff:ff:ff:ff
    inet 10.70.2.11/24 scope global veth1
       valid_lft forever preferred_lft forever
    inet6 fe80::2454:eaff:fead:2fa/64 scope link 
       valid_lft forever preferred_lft forever
5: veth0@veth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default qlen 1000
    link/ether 52:88:30:e1:69:6f brd ff:ff:ff:ff:ff:ff
    inet 10.70.2.10/24 scope global veth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5088:30ff:fee1:696f/64 scope link 
       valid_lft forever preferred_lft forever

After br0 and veth0 are connected, several things change:

  • br0 and veth0 form a bidirectional channel and can send each other frames.
  • Once br0 and veth0 are connected they form a bidirectional channel, but the link between the kernel protocol stack and veth0 becomes one-way: the stack can still send data to veth0, but data veth0 receives from outside is no longer passed up to the stack; it is handed to br0 instead. At the same time, br0's MAC address becomes veth0's MAC address.

root@debian:~# ping -I veth0 10.70.2.11

root@debian:~# tcpdump -i br0 -n
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
20:57:28.530267 ARP, Reply 10.70.2.11 is-at ee:38:2a:54:4f:dc, length 28
20:57:29.556537 ARP, Reply 10.70.2.11 is-at ee:38:2a:54:4f:dc, length 28
20:57:30.579032 ARP, Reply 10.70.2.11 is-at ee:38:2a:54:4f:dc, length 28

root@debian:~# tcpdump -i veth0 -n # one request/reply pair per ping
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on veth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
20:57:45.941376 ARP, Request who-has 10.70.2.11 tell 10.70.2.10, length 28
20:57:45.941613 ARP, Reply 10.70.2.11 is-at ee:38:2a:54:4f:dc, length 28
20:57:46.962508 ARP, Request who-has 10.70.2.11 tell 10.70.2.10, length 28
20:57:46.962619 ARP, Reply 10.70.2.11 is-at ee:38:2a:54:4f:dc, length 28
20:57:47.985747 ARP, Request who-has 10.70.2.11 tell 10.70.2.10, length 28
20:57:47.985783 ARP, Reply 10.70.2.11 is-at ee:38:2a:54:4f:dc, length 28

root@debian:~# tcpdump -i veth1 -n
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on veth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
20:58:35.090084 ARP, Request who-has 10.70.2.11 tell 10.70.2.10, length 28
20:58:35.090216 ARP, Reply 10.70.2.11 is-at ee:38:2a:54:4f:dc, length 28
20:58:36.117156 ARP, Request who-has 10.70.2.11 tell 10.70.2.10, length 28
20:58:36.117521 ARP, Reply 10.70.2.11 is-at ee:38:2a:54:4f:dc, length 28
20:58:37.146029 ARP, Request who-has 10.70.2.11 tell 10.70.2.10, length 28
20:58:37.146089 ARP, Reply 10.70.2.11 is-at ee:38:2a:54:4f:dc, length 28
  • My personal guess here is that because br0 has no IP it does not pass this packet up to the protocol stack.
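The behaviour described in the bullets at the top of the page (MAC learning, FDB, ports) and in the two observations just above (a bridge port hands incoming frames to the bridge rather than to its own stack, and br0 takes over veth0's MAC) can be made concrete with a small software model. The following Python is an added example, not code from the original post or from the kernel; `Netdev`, `Bridge`, `build_topology` and the two `replay_*` functions are names invented here, the MAC addresses are copied from the `ip addr` listing above, and the ARP payloads are constructed strings. `replay_ping_via_veth0` replays the first experiment (the request leaves veth0 directly, the reply arrives at br0 and never at veth0's stack, which is exactly what the three tcpdump sessions above show), while `replay_gateway_arp` goes one step beyond the text and shows learning and flooding once a second port is attached.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Netdev:
    """A network device; `stack` holds frames handed up to its own IP stack."""

    def __init__(self, name, mac):
        self.name, self.mac = name, mac
        self.master = self.peer = None        # enslaving bridge / veth peer, if any
        self.stack, self.tx = [], []          # frames passed up / frames transmitted

    def receive(self, frame):
        """Frame from the wire: a bridge port hands it to the bridge, never to its own stack."""
        if self.master is not None:
            self.master.port_rx(self, frame)
        else:
            self.stack.append(frame)

    def send(self, frame):
        self.tx.append(frame)
        if self.peer is not None:             # a veth pair delivers straight to its peer
            self.peer.receive(frame)


class Bridge(Netdev):
    """Software switch: learns source MACs per port, forwards known unicasts, floods the rest."""

    def __init__(self, name):
        super().__init__(name, None)
        self.ports, self.fdb = [], {}         # fdb: learned MAC -> port it was last seen on

    def add_port(self, dev):
        dev.master = self
        self.ports.append(dev)
        # Linux gives the bridge the lowest MAC among its ports unless one was set by hand.
        self.mac = min(p.mac for p in self.ports)

    def _forward(self, in_port, frame):
        known = self.fdb.get(frame[0])
        if known is not None and known is in_port:
            return []                         # destination sits behind the ingress port: drop
        targets = [known] if known is not None else [p for p in self.ports if p is not in_port]
        for p in targets:
            p.send(frame)
        return [p.name for p in targets]

    def port_rx(self, port, frame):
        """Receive path for a frame that entered through one of the ports."""
        dst, src, _ = frame
        self.fdb[src] = port                  # MAC learning
        if dst in (self.mac, BROADCAST):
            self.stack.append(frame)          # up to the stack through the bridge device
        return [] if dst == self.mac else self._forward(port, frame)

    def send(self, frame):
        """Frame the local stack sends out through the bridge device itself."""
        self.tx.append(frame)
        return self._forward(None, frame)


def build_topology(with_ens33=False):
    """veth0 enslaved to br0, veth1 its peer; MACs copied from the `ip addr` listing above."""
    br0, veth0, veth1 = Bridge("br0"), Netdev("veth0", "52:88:30:e1:69:6f"), Netdev("veth1", "26:54:ea:ad:02:fa")
    veth0.peer, veth1.peer = veth1, veth0
    br0.add_port(veth0)
    ens33 = Netdev("ens33", "00:0c:29:c4:ad:69")
    if with_ens33:
        br0.add_port(ens33)
    return br0, veth0, veth1, ens33


def replay_ping_via_veth0():
    """First experiment: veth0 still owns 10.70.2.10, so `ping -I veth0` sends the ARP request out of veth0."""
    br0, veth0, veth1, _ = build_topology()
    request = (BROADCAST, veth0.mac, "ARP who-has 10.70.2.11 tell 10.70.2.10")
    veth0.send(request)                       # stack -> veth0 -> veth1 still works
    reply = (veth0.mac, veth1.mac, "ARP 10.70.2.11 is-at " + veth1.mac)
    veth1.send(reply)                         # veth1 -> veth0 -> br0, not veth0's own stack
    return {"request_seen_on_br0": request in br0.stack or request in br0.tx,
            "reply_in_veth0_stack": reply in veth0.stack,
            "reply_in_br0_stack": reply in br0.stack,
            "fdb": {mac: port.name for mac, port in br0.fdb.items()}}


def replay_gateway_arp():
    """Later experiment: ens33 is a port too and br0 owns the IP; the gateway's ARP request arrives on ens33."""
    br0, veth0, veth1, ens33 = build_topology(with_ens33=True)
    gw_mac = "00:50:56:f6:85:f4"              # gateway MAC from the capture below; the query itself is constructed
    request = (BROADCAST, gw_mac, "ARP who-has 192.168.0.11 tell 192.168.0.2")
    ens33.receive(request)                    # flooded to veth0 (so veth1 sees it) and passed up to br0
    reply = (gw_mac, br0.mac, "ARP 192.168.0.11 is-at " + br0.mac)
    return {"request_reached_veth1": request in veth1.stack,
            "request_in_br0_stack": request in br0.stack,
            "reply_sent_via": br0.send(reply)}   # the FDB already knows gw_mac lives behind ens33
```

The model deliberately keeps the neighbour table out of scope: in the real kernel the reply that reaches br0's stack in `replay_ping_via_veth0` does arrive, but the pending ARP entry was created for veth0, so it never resolves and the ping fails, which is the symptom the next section works around by moving the IP to br0.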

Assigning an IP to br0

  • We can see above that when veth0 receives the reply it does not hand it to the protocol stack but forwards it straight to br0, so the stack never learns veth1's MAC address and the ping fails: br0 intercepts the packets between veth0 and the protocol stack. But what happens if we give br0 an IP?

    ip addr del 10.70.2.10/24 dev veth0
    ip addr add 10.70.2.10/24 dev br0

After removing veth0's IP and assigning it to br0, the protocol stack no longer routes packets to veth0. To make this more intuitive, we drop the line between the protocol stack and veth0 from the diagram; veth0 is now nothing more than a network cable.

root@debian:~# arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.0.1              ether   00:50:56:c0:00:08   C                     ens33
root@debian:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.2     0.0.0.0         UG    100    0        0 ens33
10.70.2.0       0.0.0.0         255.255.255.0   U     0      0        0 veth1
10.70.2.0       0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 ens33

root@debian:~# ping -c 1 -I br0 10.70.2.11
PING 10.70.2.11 (10.70.2.11) from 10.70.2.10 br0: 56(84) bytes of data.
64 bytes from 10.70.2.11: icmp_seq=1 ttl=64 time=0.070 ms

root@debian:~# tcpdump -i br0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:11:56.157229 ARP, Request who-has debian tell debian, length 28
14:11:56.157255 ARP, Reply debian is-at f6:a8:f3:c0:d2:8c (oui Unknown), length 28
14:11:56.157261 IP debian > debian: ICMP echo request, id 59610, seq 1, length 64


root@debian:~# tcpdump -i veth0 -n
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on veth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:11:56.157237 ARP, Request who-has 10.70.2.11 tell 10.70.2.10, length 28
14:11:56.157255 ARP, Reply 10.70.2.11 is-at f6:a8:f3:c0:d2:8c, length 28
14:11:56.157264 IP 10.70.2.10 > 10.70.2.11: ICMP echo request, id 59610, seq 1, length 64
^C


root@debian:~# tcpdump -i veth1 -n
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on veth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:11:56.157241 ARP, Request who-has 10.70.2.11 tell 10.70.2.10, length 28
14:11:56.157253 ARP, Reply 10.70.2.11 is-at f6:a8:f3:c0:d2:8c, length 28
14:11:56.157265 IP 10.70.2.10 > 10.70.2.11: ICMP echo request, id 59610, seq 1, length 64

root@debian:~# tcpdump -i lo -n
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:11:56.157280 IP 10.70.2.11 > 10.70.2.10: ICMP echo reply, id 59610, seq 1, length 64

Adding ens33 to br0

root@debian:~# ping -c 1 -I ens33 192.168.0.2
PING 192.168.0.2 (192.168.0.2) from 192.168.0.10 ens33: 56(84) bytes of data.

--- 192.168.0.2 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

root@debian:~# tcpdump -i veth0 -n
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on veth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:39:13.106320 ARP, Request who-has 192.168.0.10 tell 192.168.0.2, length 46
14:39:13.106395 ARP, Reply 192.168.0.10 is-at f6:a8:f3:c0:d2:8c, length 28

root@debian:~# tcpdump -i veth1 -n
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on veth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:39:13.106322 ARP, Request who-has 192.168.0.10 tell 192.168.0.2, length 46
14:39:13.106395 ARP, Reply 192.168.0.10 is-at f6:a8:f3:c0:d2:8c, length 28

root@debian:~# tcpdump -i lo -n
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes


root@debian:~# tcpdump -i br0 -n -p arp or -p icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:39:05.857245 ARP, Request who-has 192.168.0.10 (ee:c3:ea:99:56:2b) tell 192.168.0.1, length 46
14:39:05.857258 ARP, Reply 192.168.0.10 is-at ee:c3:ea:99:56:2b, length 28
14:39:13.106311 ARP, Request who-has 192.168.0.10 tell 192.168.0.2, length 46
14:39:13.106329 ARP, Reply 192.168.0.10 is-at ee:c3:ea:99:56:2b, length 28
14:39:13.106417 IP 192.168.0.2 > 192.168.0.10: ICMP echo reply, id 28850, seq 1, length 64
14:39:18.164680 ARP, Reply 192.168.0.2 is-at 00:50:56:f6:85:f4, length 46
14:39:19.188732 ARP, Reply 192.168.0.2 is-at 00:50:56:f6:85:f4, length 46
14:39:20.211918 ARP, Reply 192.168.0.2 is-at 00:50:56:f6:85:f4, length 46

br0 does not distinguish between physical and virtual devices attached to it; to br0 they are all just network devices. So once eth0 (ens33 on this machine) joins br0 it meets the same fate as veth0 above: packets received from the outside network are unconditionally forwarded to br0, and the interface itself becomes a network cable.

Pinging the gateway through ens33 fails, but because br0 is connected to the external physical switch through the ens33 "cable", every device attached to br0 can reach the gateway. The attached devices here are veth1 and br0 itself: veth1 is attached through the veth0 cable, and br0 can be thought of as having a built-in NIC of its own.

root@debian:~# ping -I ens33 192.168.0.2
PING 192.168.0.2 (192.168.0.2) from 192.168.0.10 ens33: 56(84) bytes of data.
^C
--- 192.168.0.2 ping statistics ---
28 packets transmitted, 0 received, 100% packet loss, time 27530ms


root@debian:/home/debian# tcpdump -i ens33
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), snapshot length 262144 bytes
^C^C^C
15:06:37.300934 ARP, Request who-has _gateway tell debian, length 28

At this point a ping to 192.168.0.2 can only leave through veth1 or br0 (attaching ens33 to the bridge amounts to disconnecting it from the protocol stack); the stack cannot send packets through ens33 or veth0.

Since eth0 now works like little more than a network cable, an IP configured on it is meaningless, and it also disturbs the stack's route selection: if the ping above did not specify an interface, the stack might prefer eth0 and the ping would fail. So the IP on eth0 should be removed.

root@debian:~# ip route
default via 192.168.0.2 dev ens33 proto static metric 100 
10.70.2.0/24 dev veth1 proto kernel scope link src 10.70.2.11 
10.70.2.0/24 dev br0 proto kernel scope link src 10.70.2.10 
192.168.0.0/24 dev ens33 proto kernel scope link src 192.168.0.10 metric 100 

root@debian:~# ping 192.168.0.2
PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data.
^C
--- 192.168.0.2 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1006ms

# ens33 is disconnected from the protocol stack, so the packets cannot get out. We also need to remove br0's IP and change br0 to 192.168.0.11; then the gateway becomes reachable. I did not remove ens33's IP here.
root@debian:~# ip route del default dev ens33
root@debian:~# ip route add default dev br0
root@debian:~# ip addr del 10.70.2.10/24 dev br0
root@debian:~# ip addr add 192.168.0.11/24 dev br0

root@debian:~# ip route 
default dev br0 scope link 
10.70.2.0/24 dev veth1 proto kernel scope link src 10.70.2.11 
192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.11 
192.168.0.0/24 dev ens33 proto kernel scope link src 192.168.0.10 metric 100 

root@debian:~# ping 192.168.0.2
PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data.
64 bytes from 192.168.0.2: icmp_seq=1 ttl=128 time=0.207 ms
64 bytes from 192.168.0.2: icmp_seq=2 ttl=128 time=0.135 ms
^C
--- 192.168.0.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1014ms
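The cleanup above boils down to one rule: a device enslaved to a bridge should carry neither an IP address nor a route of its own, because answers arriving on it go to the bridge rather than to the stack. As an added example (not part of the original post), the following Python script checks `ip addr` and `ip route` output for that rule. `parse_ip_addr`, `parse_ip_route` and `audit_bridge_ports` are names invented here; the embedded sample output is constructed to match the final state of the experiment (ens33 and veth0 both ports of br0, br0 holding 192.168.0.11/24, ens33 still holding 192.168.0.10/24) and is not a listing copied from the page.

```python
import re

# Constructed sample in the format of `ip addr`, modelled on the final state of the
# experiment above (the page never shows this exact listing): ens33 and veth0 are
# ports of br0, br0 owns 192.168.0.11/24, and ens33 still carries its old address.
IP_ADDR_SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether 00:0c:29:c4:ad:69 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.10/24 brd 192.168.0.255 scope global noprefixroute ens33
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:0c:29:c4:ad:69 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.11/24 scope global br0
4: veth1@veth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 26:54:ea:ad:02:fa brd ff:ff:ff:ff:ff:ff
    inet 10.70.2.11/24 scope global veth1
5: veth0@veth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default qlen 1000
    link/ether 52:88:30:e1:69:6f brd ff:ff:ff:ff:ff:ff
"""

# Constructed to match the `ip route` output shown after the default route was moved to br0.
IP_ROUTE_SAMPLE = """\
default dev br0 scope link
10.70.2.0/24 dev veth1 proto kernel scope link src 10.70.2.11
192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.11
192.168.0.0/24 dev ens33 proto kernel scope link src 192.168.0.10 metric 100
"""

IFACE_RE = re.compile(r"^(\d+): ([^:@\s]+)(?:@\S+)?: <[^>]*>(.*)$")   # "5: veth0@veth1: <...> mtu ..."
INET_RE = re.compile(r"^\s+inet (\S+)")                               # IPv4 address lines only
ROUTE_RE = re.compile(r"^(\S+)(?: via (\S+))? dev (\S+)")


def parse_ip_addr(text):
    """Return {ifname: {"master": bridge-or-None, "inet": [cidr, ...]}} from `ip addr` output."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            master = re.search(r"\bmaster (\S+)", m.group(3))
            current = ifaces[m.group(2)] = {"master": master.group(1) if master else None, "inet": []}
            continue
        m = INET_RE.match(line)
        if m and current is not None:
            current["inet"].append(m.group(1))
    return ifaces


def parse_ip_route(text):
    """Return [(destination, gateway-or-None, dev), ...] from `ip route` output."""
    return [(m.group(1), m.group(2), m.group(3))
            for m in (ROUTE_RE.match(line) for line in text.splitlines()) if m]


def audit_bridge_ports(ip_addr_text, ip_route_text):
    """Flag bridge ports that still carry addresses, and routes that point at such ports."""
    ifaces = parse_ip_addr(ip_addr_text)
    findings = []
    for name, info in ifaces.items():
        if info["master"] and info["inet"]:
            findings.append(f"{name} is a port of {info['master']} but still has {', '.join(info['inet'])}: "
                            f"replies arriving on {name} go to the bridge, not to the stack, so the address is useless")
    for dst, _via, dev in parse_ip_route(ip_route_text):
        master = ifaces.get(dev, {}).get("master")
        if master:
            findings.append(f"route {dst} dev {dev} leaves through a port of {master}; "
                            f"move it to {master} or it will never get an answer")
    return findings


if __name__ == "__main__":
    for finding in audit_bridge_ports(IP_ADDR_SAMPLE, IP_ROUTE_SAMPLE):
        print(finding)
```

On a live host, feed the two parsers the output of `subprocess.check_output(["ip", "addr"], text=True)` and `subprocess.check_output(["ip", "route"], text=True)` instead of the embedded samples; the regexes only depend on the interface header, `inet` and route line formats shown in this post.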
