Multiple Gateway Routing - Fedora Kernel 3.17 & 3.18

0

I know that discussions about source routing with multiple gateways (policy-based) have come up many times, but I still haven't found an answer to my current problem.

The server (running Fedora 21, kernel 3.17 or 3.18) is connected through two network cards, using teamd-1.15-1 (Fedora update), with six VLANs built on the teamed interface (team0). The firewalld and NetworkManager daemons have been disabled and I am not using IPTABLES, since I have a primary hardware firewall appliance. Please don't ask why six VLANs, it is a requirement for the network.

All six VLANs work correctly when individually assigned as the default gateway, but my problem is how to have all six working as gateways for their own VLAN traffic?

So far I have made the following changes to /usr/lib/sysctl.d/50-default.conf:

# Source route verification
net.ipv4.conf.default.rp_filter = 0 (original default =1)
net.ipv4.conf.all.rp_filter = 0 (original default =1)

# Accept IPv4 forwarding
net.ipv4.ip_forward = 1 (original default =0)

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0 (original default =1)
net.ipv4.conf.all.accept_source_route = 0 (original default =1)

These changes are persistent and correctly reflected in the /net/ipv4/conf files, etc.

The /iproute2/rt_tables file was changed to reflect the additional routing tables required, as below:

#
# reserved values
#
255     local
254     main
253     default
205     EXTRAAPPS
204     DNSEXT
203     SERVEXT
202     INTRAAPPS
201     DNSINT
200     SERVINT
0       unspec
#
#       local
#
#1      inr.ruhep

The settings for one VLAN (vlan30, using routing table 200) are shown below, with the IFCFG, ROUTE and RULE files:

ifcfg-vlan30

DEVICE=team0.30
PHYSDEV=team0
VLAN=yes
ONPARENT=yes
BOOTPROTO=static
NM_CONTROLLED=no
DEFROUTE=yes
IPADDR1=192.168.129.67
NETMASK1=255.255.255.248
IPADDR0=192.168.129.66
NETMASK0=255.255.255.248
GATEWAY=192.168.129.65

route-vlan30

default table SERVINT via 192.168.129.50
192.168.129.64/29 dev team0.30 proto static scope global src 192.168.129.66 table SERVINT

rule-vlan30

from 192.168.129.66/32 table SERVINT
to 192.168.129.66/32 table SERVINT
from 192.168.129.67/32 table SERVINT
to 192.168.129.67/32 table SERVINT

The custom tables (200-205 inclusive) appear to be correct, as they show up in the /proc/net/fib_trie file as defined by the entries in the "route-vlanxx" files.

FIB_TRIE

Id 200:
  +-- 0.0.0.0/0 1 0 0
     |-- 0.0.0.0
        /0 universe UNICAST
     |-- 192.168.129.64
        /29 universe UNICAST
Id 201:
  +-- 0.0.0.0/0 1 0 0
     |-- 0.0.0.0
         /0 universe UNICAST
     |-- 192.168.129.72
        /29 universe UNICAST
Id 202:
  +-- 0.0.0.0/0 1 0 0
     |-- 0.0.0.0
        /0 universe UNICAST
     |-- 192.168.129.80
        /29 universe UNICAST
Id 203:
  +-- 0.0.0.0/0 1 0 0
     |-- 0.0.0.0
        /0 universe UNICAST
     |-- 192.168.129.96
        /29 universe UNICAST
Id 204:
  +-- 0.0.0.0/0 1 0 0
     |-- 0.0.0.0
        /0 universe UNICAST
     |-- 192.168.129.104
        /29 universe UNICAST
Id 205:
  +-- 0.0.0.0/0 1 0 0
     |-- 0.0.0.0
        /0 universe UNICAST
     |-- 192.168.129.112
        /28 universe UNICAST
Main:
+-- 0.0.0.0/0 1 0 0
 |-- 0.0.0.0
    /0 universe UNICAST
 +-- 192.168.129.64/26 3 0 2
    |-- 192.168.129.64
       /29 link UNICAST
    |-- 192.168.129.72
       /29 link UNICAST
    |-- 192.168.129.80
       /29 link UNICAST
    |-- 192.168.129.96
       /29 link UNICAST
    |-- 192.168.129.104
       /29 link UNICAST
    |-- 192.168.129.112
       /28 link UNICAST
Local:
+-- 0.0.0.0/0 1 0 0
   +-- 127.0.0.0/8 1 0 0
      +-- 127.0.0.0/31 1 0 0
         |-- 127.0.0.0
            /32 link BROADCAST
            /8 host LOCAL
 (Snipped for brevity - not required for this matter)

The output of the ip addr, ip link and ip route commands is shown below:

ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
   valid_lft forever preferred_lft forever
inet6 ::1/128 scope host 
   valid_lft forever preferred_lft forever

2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master team0 state UP group default qlen 1000
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
inet6 fe80::20a:f7ff:fe18:420c/64 scope link 
   valid_lft forever preferred_lft forever

3: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master team0 state UP group default qlen 1000
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
inet6 fe80::20a:f7ff:fe18:420c/64 scope link 
   valid_lft forever preferred_lft forever

11: team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
inet6 fe80::20a:f7ff:fe18:420c/64 scope link 
   valid_lft forever preferred_lft forever

12: team0.30@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
inet 192.168.129.66/29 brd 192.168.129.71 scope global team0.30
   valid_lft forever preferred_lft forever
inet 192.168.129.67/29 brd 192.168.129.71 scope global secondary team0.30
   valid_lft forever preferred_lft forever
inet6 fe80::20a:f7ff:fe18:420c/64 scope link 
   valid_lft forever preferred_lft forever

13: team0.31@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
inet 192.168.129.74/29 brd 192.168.129.79 scope global team0.31
   valid_lft forever preferred_lft forever
inet 192.168.129.75/29 brd 192.168.129.79 scope global secondary team0.31
   valid_lft forever preferred_lft forever
inet6 fe80::20a:f7ff:fe18:420c/64 scope link 
   valid_lft forever preferred_lft forever

14: team0.32@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
inet 192.168.129.82/29 brd 192.168.129.87 scope global team0.32
   valid_lft forever preferred_lft forever
inet 192.168.129.83/29 brd 192.168.129.87 scope global secondary team0.32
   valid_lft forever preferred_lft forever
inet6 fe80::20a:f7ff:fe18:420c/64 scope link 
   valid_lft forever preferred_lft forever

15: team0.36@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
inet 192.168.129.98/29 brd 192.168.129.103 scope global team0.36
   valid_lft forever preferred_lft forever
inet 192.168.129.99/29 brd 192.168.129.103 scope global secondary team0.36
   valid_lft forever preferred_lft forever
inet6 fe80::20a:f7ff:fe18:420c/64 scope link 
   valid_lft forever preferred_lft forever

16: team0.37@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
inet 192.168.129.106/29 brd 192.168.129.111 scope global team0.37
   valid_lft forever preferred_lft forever
inet 192.168.129.107/29 brd 192.168.129.111 scope global secondary team0.37
   valid_lft forever preferred_lft forever
inet6 fe80::20a:f7ff:fe18:420c/64 scope link 
   valid_lft forever preferred_lft forever

17: team0.38@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
inet 192.168.129.114/28 brd 192.168.129.127 scope global team0.38
   valid_lft forever preferred_lft forever
inet 192.168.129.115/28 brd 192.168.129.127 scope global secondary team0.38
   valid_lft forever preferred_lft forever
inet 192.168.129.120/28 brd 192.168.129.127 scope global secondary team0.38
   valid_lft forever preferred_lft forever
inet6 fe80::20a:f7ff:fe18:420c/64 scope link 
   valid_lft forever preferred_lft forever

ip link

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master team0 state UP mode DEFAULT group default qlen 1000
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff

3: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master team0 state UP mode DEFAULT group default qlen 1000
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff

11: team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff

12: team0.30@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff

13: team0.31@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff

14: team0.32@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff

15: team0.36@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff

16: team0.37@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff

17: team0.38@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff

ip route

default via 192.168.129.113 dev team0.38 
192.168.129.64/29 dev team0.30  proto kernel  scope link  src 192.168.129.66 
192.168.129.72/29 dev team0.31  proto kernel  scope link  src 192.168.129.74 
192.168.129.80/29 dev team0.32  proto kernel  scope link  src 192.168.129.82 
192.168.129.96/29 dev team0.36  proto kernel  scope link  src 192.168.129.98 
192.168.129.104/29 dev team0.37  proto kernel  scope link  src 192.168.129.106 
192.168.129.112/28 dev team0.38  proto kernel  scope link  src 192.168.129.114 

The routes in tables 200-205 inclusive were defined with "scope global" (shown as universe UNICAST in /proc/net/fib_trie), because the addresses in those VLANs need to be source-routed to a wide range of "as yet" unknown destinations on the internet (via the primary firewall router device); however, the output of the "ip route" command shows the routes as scope link, as they are in the MAIN table, rather than scope global as defined in the custom routing tables 200-205 and also in the FIB_TRIE entries.

It seems to me that the kernel is using the MAIN IP table, instead of what is described in the Fedora docs, that any correctly defined table and rules listed BEFORE, i.e. with a lower table ID number, should take precedence.

Is there something I have missed that may be obvious in the default value settings, or something incorrect in the routing tables or rules that could fix this problem?

Any guidance, advice or tips would be much appreciated, before I tear out what little hair I have left...

Cheers, Garth.

    
by Garth 19.02.2015 / 11:39
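As an added example (not from the post, and not Fedora's or iproute2's own tooling), the following Python script parses rt_tables, route-vlanNN and rule-vlanNN contents in the format used above and checks the three things a per-VLAN policy-routing table needs before `ip rule`/`ip route` can do their job: every table name resolves in rt_tables, each `via` gateway lies on a subnet that the same table reaches directly, and each rule's `from` selector belongs to that VLAN's subnet. The sample file contents are copied from the post; the function names are my own.

```python
import ipaddress

# Constructed samples: the rt_tables, route-vlan30 and rule-vlan30 contents quoted in the post.
RT_TABLES = """255 local
254 main
253 default
200 SERVINT
0 unspec"""
ROUTE_VLAN30 = """default table SERVINT via 192.168.129.50
192.168.129.64/29 dev team0.30 proto static scope global src 192.168.129.66 table SERVINT"""
RULE_VLAN30 = """from 192.168.129.66/32 table SERVINT
to 192.168.129.66/32 table SERVINT
from 192.168.129.67/32 table SERVINT
to 192.168.129.67/32 table SERVINT"""

def parse_pairs(tokens):
    """Turn ['via', '1.2.3.4', 'table', 'X'] into {'via': '1.2.3.4', 'table': 'X'}."""
    return dict(zip(tokens[0::2], tokens[1::2]))

def load_rt_tables(text):
    """Map table name -> number the way iproute2 reads rt_tables (comments ignored)."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2:
            names[fields[1]] = int(fields[0])
    return names

def check_vlan(rt_tables_text, route_text, rule_text):
    """Return the list of consistency problems for one VLAN's route-* and rule-* files."""
    problems = []
    tables = load_rt_tables(rt_tables_text)
    routes = [(l.split()[0], parse_pairs(l.split()[1:]))
              for l in route_text.splitlines() if l.split()]
    rules = [parse_pairs(l.split()) for l in rule_text.splitlines() if l.split()]
    # Subnets the table reaches directly: prefix routes with a device and no gateway.
    connected = [ipaddress.ip_network(p) for p, kv in routes
                 if p != "default" and "via" not in kv]
    for kv in [kv for _, kv in routes] + rules:
        if kv.get("table") not in tables:
            problems.append(f"table {kv.get('table')!r} is not defined in rt_tables")
    for prefix, kv in routes:
        # A 'via' nexthop must itself be reachable through a connected route of this table.
        if "via" in kv and not any(ipaddress.ip_address(kv["via"]) in n for n in connected):
            problems.append(f"route {prefix}: gateway {kv['via']} is not on a connected subnet")
    for kv in rules:
        # Source selectors should be the VLAN's own addresses, or replies leave the wrong way.
        if "from" in kv and not any(ipaddress.ip_network(kv["from"]).subnet_of(n) for n in connected):
            problems.append(f"rule from {kv['from']}: selector is outside this table's subnets")
    return problems

if __name__ == "__main__":
    print("\n".join(check_vlan(RT_TABLES, ROUTE_VLAN30, RULE_VLAN30)) or "no problems found")
```

Run against the post's route-vlan30 it reports exactly one finding: 192.168.129.50 is not inside 192.168.129.64/29, whereas the GATEWAY=192.168.129.65 from ifcfg-vlan30 is.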

1 answer

0

The conclusion was that Fedora 21 and 22 "Server" do not include the files needed to allow fib_rules.c to run, which controls the multiple table rules.

The packages required to do Policy Routing with multiple tables are:

kernel-headers, kernel-devel and libnl3-devel

Once these are installed, policy routing works correctly.

    
by 03.07.2015 / 12:39