
See also Bridging

Introduction

The following diagram shows the path a packet takes when it enters a machine running Linux (Packet Flow, or Linux Packet Flow):

[Figure: Linux-Packet-Flow.png]

See also Iptables#Diagrama_de_flux_d.27iptables

Note that there is a point in the flow ("processing decision" in the diagram) where the kernel decides whether the traffic is handed to the link layer or to the network layer. The decision is very simple: if the packet's ingress network interface belongs to a bridge, the frame goes to the link layer (bridging); otherwise it goes to the routing layer.

Bridge utilities on Linux. The bridge-utils package

The bridge-utils package provides the support needed to manage bridges on Linux.

Installation:

$ sudo apt-get install bridge-utils

Commands:

$ dpkg -L bridge-utils | grep bin
/usr/sbin
/usr/sbin/brctl

Configuration files:

$ dpkg -L bridge-utils | grep etc
/etc
/etc/network
/etc/network/if-pre-up.d
/etc/network/if-pre-up.d/bridge
/etc/network/if-post-down.d
/etc/network/if-post-down.d/bridge

Remaining installed files:

$ sudo dpkg -L bridge-utils
/.
/etc
/etc/network
/etc/network/if-pre-up.d
/etc/network/if-post-down.d
/sbin
/sbin/brctl
/lib
/lib/bridge-utils
/lib/bridge-utils/ifupdown.sh
/lib/bridge-utils/bridge-utils.sh
/lib/udev
/lib/udev/bridge-network-interface
/lib/udev/rules.d
/lib/udev/rules.d/40-bridge-network-interface.rules
/usr
/usr/share
/usr/share/doc
/usr/share/doc/bridge-utils
/usr/share/doc/bridge-utils/README
/usr/share/doc/bridge-utils/THANKS
/usr/share/doc/bridge-utils/TODO
/usr/share/doc/bridge-utils/FAQ
/usr/share/doc/bridge-utils/FIREWALL
/usr/share/doc/bridge-utils/HOWTO
/usr/share/doc/bridge-utils/PROJECTS
/usr/share/doc/bridge-utils/WISHLIST
/usr/share/doc/bridge-utils/examples
/usr/share/doc/bridge-utils/examples/pm-utils
/usr/share/doc/bridge-utils/examples/hibernate
/usr/share/doc/bridge-utils/README.Debian
/usr/share/doc/bridge-utils/copyright
/usr/share/doc/bridge-utils/changelog.Debian.gz
/usr/share/man
/usr/share/man/man8
/usr/share/man/man8/brctl.8.gz
/usr/share/man/man5
/usr/share/man/man5/bridge-utils-interfaces.5.gz
/etc/network/if-pre-up.d/bridge
/etc/network/if-post-down.d/bridge

Resources:

The brctl command

Managing bridges

show. Listing bridges

Use the show option:

$ brctl show 
 bridge name     bridge id               STP enabled     interfaces
 br0             8000.001601a1a9b7       no              eth0
                                                         wlan0
 br1             8000.000000000000       no

An example of the command run on a Proxmox server:

$ sudo brctl show
bridge name	bridge id		STP enabled	interfaces
vmbr0		8000.001e672e3cf4	no		bond0.11
							tap100i0
							tap106i0
							tap122i0
							tap141i0
							tap142i0
							tap143i0
							tap144i0
							tap150i0
							tap161i0
							tap180i0
							tap191i0
vmbr1		8000.001e672e3cf4	no		bond0.1
vmbr10		8000.001e672e3cf4	no		bond0.10
							tap106i2
							tap143i1
vmbr11		8000.000000000000	no		
vmbr12		8000.001e672e3cf4	no		bond0.12
vmbr13		8000.001e672e3cf4	no		bond0.13
							tap106i5
							tap141i1
vmbr14		8000.001e672e3cf4	no		bond0.14
vmbr15		8000.001e672e3cf4	no		bond0.15
vmbr16		8000.001e672e3cf4	no		bond0.16
vmbr17		8000.001e672e3cf4	no		bond0.17
vmbr18		8000.001e672e3cf4	no		bond0.18
							tap304i0
vmbr19		8000.001e672e3cf4	no		bond0.19
							tap106i3
							tap308i0
vmbr2		8000.001e672e3cf4	no		bond0.2
							tap106i1
							tap142i1
							tap144i1
vmbr3		8000.001e672e3cf4	no		bond0.3
							tap106i4
vmbr4		8000.001e672e3cf4	no		bond0.4
							tap150i1
vmbr5		8000.001e672e3cf4	no		bond0.5
vmbr6		8000.001e672e3cf4	no		bond0.6
vmbr7		8000.001e672e3cf4	no		bond0.7

Create a new bridge

$ sudo brctl addbr br1

Check that the interface has been created:

$ ifconfig br1

Delete a bridge

The bridge interface must be down before it can be deleted (see the man page below):

$ sudo brctl delbr br1

Adding/removing interfaces to a bridge

To add a port to a bridge:

$ sudo brctl addif br1 eth0

In the example we add interface eth0 to bridge br1 (the bridge is assumed to exist already).

Check with:

$ sudo brctl show
bridge name	bridge id		STP enabled	interfaces
br1		8000.5cf9dd4777a2	no		eth0

To remove a port from a bridge (here eth0 from br1):

$ sudo brctl delif br1 eth0

AGEING

TODO

brctl showmacs

brctl setgcint
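As an added example (not code from the original page or the bridge-utils project), the following Python script parses constructed `brctl show` and `brctl showmacs` output in the format shown above and flags two conditions a defender wants to see from the forwarding database that the AGEING section describes: a MAC learned on more than one port (a host that moved, or someone spoofing its address) and a port holding far more learned MACs than usual (a flooded FDB). The sample outputs and the threshold of 64 MACs per port are constructed assumptions.

```python
"""Parse `brctl show` / `brctl showmacs` output and flag suspicious FDB state.

Added example (not code from the original page): the sample outputs below are
constructed in the format brctl prints; the thresholds are hypothetical.
"""
from collections import defaultdict

# Constructed `brctl show` output: br0 bridges eth0 and wlan0, br1 has no ports.
BRCTL_SHOW = (
    "bridge name\tbridge id\t\tSTP enabled\tinterfaces\n"
    "br0\t\t8000.001601a1a9b7\tno\t\teth0\n"
    "\t\t\t\t\t\t\twlan0\n"
    "br1\t\t8000.000000000000\tno\n"
)

# Constructed `brctl showmacs br0` output. The bridge's own MAC is "local";
# 52:54:00:aa:bb:01 is learned on two ports, which a stable host never does.
BRCTL_SHOWMACS = (
    "port no\tmac addr\t\tis local?\tageing timer\n"
    "  1\t00:16:01:a1:a9:b7\tyes\t\t   0.00\n"
    "  1\t52:54:00:aa:bb:01\tno\t\t  12.40\n"
    "  2\t52:54:00:aa:bb:01\tno\t\t   0.80\n"
    "  2\t52:54:00:aa:bb:02\tno\t\t 150.10\n"
)

# Constructed burst of 70 distinct source MACs on port 3, the shape a
# forwarding-database flood leaves behind.
FLOOD_LINES = "".join(
    f"  3\t02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}\tno\t\t   0.{i % 100:02d}\n"
    for i in range(70)
)


def parse_brctl_show(text):
    """Return {bridge: {"id": str, "stp": bool, "ports": [iface, ...]}}."""
    bridges, current = {}, None
    for line in text.splitlines()[1:]:          # first line is the header
        if not line.strip():
            continue
        if line[0].isspace():                    # continuation line: another port
            bridges[current]["ports"].append(line.strip())
        else:
            fields = line.split()
            current = fields[0]
            bridges[current] = {"id": fields[1],
                                "stp": fields[2] == "yes",
                                "ports": fields[3:4]}   # empty list if no port
    return bridges


def parse_showmacs(text):
    """Return one dict per FDB entry: port, mac, local, age (seconds)."""
    entries = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        port, mac, local, age = line.split()
        entries.append({"port": int(port), "mac": mac.lower(),
                        "local": local == "yes", "age": float(age)})
    return entries


def fdb_findings(entries, max_macs_per_port=64):
    """Flag MACs learned on more than one port and ports with an unusual
    number of learned MACs. Returns a list of (kind, detail) tuples."""
    ports_by_mac = defaultdict(set)
    macs_by_port = defaultdict(set)
    for e in entries:
        if e["local"]:                           # the bridge's own addresses
            continue
        ports_by_mac[e["mac"]].add(e["port"])
        macs_by_port[e["port"]].add(e["mac"])
    findings = []
    for mac, ports in sorted(ports_by_mac.items()):
        if len(ports) > 1:
            findings.append(("mac-on-multiple-ports",
                             f"{mac} learned on ports {sorted(ports)}"))
    for port, macs in sorted(macs_by_port.items()):
        if len(macs) > max_macs_per_port:
            findings.append(("fdb-flood",
                             f"port {port} holds {len(macs)} learned MACs"))
    return findings


if __name__ == "__main__":
    for name, info in parse_brctl_show(BRCTL_SHOW).items():
        print(f"{name}: ports={info['ports']} stp={info['stp']}")
    for kind, detail in fdb_findings(parse_showmacs(BRCTL_SHOWMACS + FLOOD_LINES)):
        print(f"{kind}: {detail}")
```

On a live system, feed the captured output of `sudo brctl show` and `sudo brctl showmacs br0` to the two parsers. Note that setageing only controls how long an entry survives in the table, so sampling showmacs at short intervals catches a MAC moving between ports far better than a long ageing time does.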

Creating the bridge permanently. /etc/network/interfaces

Install the bridge-utils package and, in /etc/network/interfaces, create an interface that is a bridge over eth0:

$ cat /etc/network/interfaces

auto lo
iface lo inet loopback

auto br0
iface br0 inet static
 address 192.168.1.2
 netmask 255.255.255.0
 gateway 192.168.1.1
 bridge_ports eth0

auto eth0
iface eth0 inet manual

DHCP can also be used:

$ cat /etc/network/interfaces

auto lo
iface lo inet loopback

auto br0
iface br0 inet dhcp
 bridge_ports eth0

auto eth0
iface eth0 inet manual

NOTE: eth0 is configured with the manual method, and the line bridge_ports eth0 attaches it to the bridge.

Then restart the network:

$ sudo /etc/init.d/networking restart

From now on, as we can see when running ifconfig, interface eth0 carries no IP address:

$ ifconfig
br0       Link encap:Ethernet  HWaddr 00:30:1B:B7:CD:B6  
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::230:1bff:feb7:cdb6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:28932 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28277 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:24356075 (23.2 MB)  TX bytes:17213164 (16.4 MB)

eth0      Link encap:Ethernet  HWaddr 00:30:1B:B7:CD:B6  
          inet6 addr: fe80::230:1bff:feb7:cdb6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:20788 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14681 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:23664360 (22.5 MB)  TX bytes:1995733 (1.9 MB)
          Interrupt:20 

It is an unconfigured ("dumb" or dummy) interface. This is normal; check that the network still works regardless.
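As an added example that is not part of the original page, this Python checker parses an /etc/network/interfaces file in the format used above and verifies the bridge stanzas: every interface named in bridge_ports must have its own stanza with the manual method (so the address lives only on the bridge, as the NOTE above says), and the bridge must be listed in an auto line. The sample files are constructed; the one labelled bad shows the two most common mistakes.

```python
"""Check the bridge stanzas of an /etc/network/interfaces file.

Added example (not code from the page): the parser handles the subset of the
file format used above (auto, iface, indented options); sample files are constructed.
"""

# Constructed file that mirrors the static bridge example above.
GOOD_INTERFACES = """\
auto lo
iface lo inet loopback

auto br0
iface br0 inet static
 address 192.168.1.2
 netmask 255.255.255.0
 gateway 192.168.1.1
 bridge_ports eth0

auto eth0
iface eth0 inet manual
"""

# Constructed file with two common mistakes: a bridge port that also runs DHCP
# on its own, and a port (tap0) with no stanza at all.
BAD_INTERFACES = """\
auto br0
iface br0 inet dhcp
 bridge_ports eth0 tap0

auto eth0
iface eth0 inet dhcp
"""


def parse_interfaces(text):
    """Return ({iface: {"family", "method", "options": {key: [values]}}}, set of auto ifaces)."""
    stanzas, auto, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        words = line.split()
        if words[0] == "auto":
            auto.update(words[1:])
            current = None
        elif words[0] == "iface":                  # iface <name> <family> <method>
            current = words[1]
            stanzas[current] = {"family": words[2], "method": words[3], "options": {}}
        elif current is not None:                  # option line inside a stanza
            stanzas[current]["options"][words[0]] = words[1:]
    return stanzas, auto


def check_bridges(text):
    """Return a list of problems found in the bridge configuration (empty if fine)."""
    stanzas, auto = parse_interfaces(text)
    problems = []
    for bridge, st in stanzas.items():
        ports = st["options"].get("bridge_ports")
        if ports is None:
            continue                               # not a bridge stanza
        if bridge not in auto:
            problems.append(f"{bridge}: not listed in an auto line, will not come up at boot")
        for port in ports:
            if port == "none":
                continue                           # bridge with no ports yet
            pst = stanzas.get(port)
            if pst is None:
                problems.append(f"{bridge}: port {port} has no iface stanza")
            elif pst["method"] != "manual":
                problems.append(f"{bridge}: port {port} uses method {pst['method']}; "
                                "bridge ports should be 'manual' so only the bridge gets an address")
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_INTERFACES), ("bad", BAD_INTERFACES)):
        print(label, check_bridges(text) or "OK")
```

Run it on the real file with `check_bridges(open("/etc/network/interfaces").read())` before restarting networking; a port that keeps its own address or DHCP client is the usual reason a host ends up reachable on two addresses after the bridge comes up.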

Manual

$ man brctl
BRCTL(8)                                                                                                BRCTL(8)

NAME
      brctl - ethernet bridge administration

SYNOPSIS
       brctl [command]

DESCRIPTION
       brctl is used to set up, maintain, and inspect the ethernet bridge configuration in the linux kernel.

       An ethernet bridge is a device commonly used to connect different networks of ethernets together, so that these ethernets   
       will appear as one ethernet to the participants. 

      Each  of  the ethernets being connected corresponds to one physical interface in the bridge. These individual ethernets are 
      bundled into one bigger ('logical') ethernet, this bigger ethernet corresponds
      to the bridge network interface.

INSTANCES
      The command brctl addbr <name> creates a new instance of the ethernet bridge. The network interface corresponding to 
      the  bridge will be called <name>.

      The command brctl delbr <name> deletes the instance <name> of the ethernet bridge. The network interface 
      corresponding to the bridge must be down before it can be deleted!

      The command brctl show shows all current instances of the ethernet bridge.

PORTS
      Each bridge has a number of ports attached to it. Network traffic coming in on any of these ports will be forwarded to the  
      other ports transparently, so that the bridge is invisible to the rest  of  the network (i.e. it will not show up in 
      traceroute(8) ).

      The command brctl addif <brname> <ifname> will make the interface <ifname> a port of the bridge <brname>. This means 
      that  all frames received on <ifname> will be processed as if destined for the bridge.
      Also, when sending frames on <brname>, <ifname> will be considered as a potential output interface.

      The command brctl delif <brname> <ifname> will detach the interface <ifname> from the bridge <brname>.

      The command brctl show <brname> will show some information on the bridge and its attached ports.

AGEING
      The bridge keeps track of ethernet addresses seen on each port. When it needs to forward a frame, and it happens to know on 
      which port the destination  ethernet  address  (specified  in  the  frame) is located, it can 'cheat' by forwarding the frame  
      to that port only, thus saving a lot of redundant copies and transmits.

      However, the ethernet address location data is not static data. Machines can move to other ports, network cards can be 
      replaced (which changes the machine's ethernet address), etc.

      brctl showmacs <brname> shows a list of learned MAC addresses for this bridge.

      brctl  setageing <brname>  sets the ethernet (MAC) address ageing time, in seconds. After <time> seconds of   
      not   having  seen a frame coming from a certain address, the bridge will time out (delete)
      that address from the Forwarding DataBase (fdb).

      brctl setgcint <brname> <time> sets the garbage collection interval for the bridge <brname> to <time> seconds. This 
      means that the bridge will check the forwarding database for timed out  entries  every
      <time> seconds.

 SPANNING TREE PROTOCOL
      Multiple ethernet bridges can work together to create even larger networks of ethernets using the IEEE 802.1d spanning tree 
      protocol. This protocol is used for finding the shortest path between two ethernets, and for eliminating loops from the  
      topology. As this protocol is a standard, linux bridges will interwork properly with other third party bridge products.  
      Bridges communicate with  eachother  by sending and receiving BPDUs (Bridge Protocol Data Units). These BPDUs can be  
      recognised by an ethernet destination address of 01:80:c2:00:00:00

      The  spanning  tree protocol can also be turned off (for those situations where it just doesn't make sense, for example when 
      this linux box is the only bridge on the LAN, or when you know that there are no loops in the topology.)

      brctl(8) can be used for configuring certain spanning tree protocol parameters. For an explanation of these parameters, see  
      the IEEE 802.1d specification (or send me an email). The default values should be just fine. If you don't know what these  
      parameters mean, you probably won't feel the desire to tweak them.

      brctl  stp  <bridge>  <state>  controls  this bridge instance's participation in the spanning tree protocol. If 
      <state> is "on" or "yes" the STP will be turned on, otherwise it will be turned off.  When
      turned off, the bridge will not send or receive BPDUs, and will thus not participate in the spanning tree protocol. If your  
      bridge isn't the only bridge on the LAN, or if there are loops  in  the  LAN's
      topology, DO NOT turn this option off. If you turn this option off, please know what you are doing.

      brctl  setbridgeprio  <bridge> <priority> sets the bridge's priority to <priority>. The priority value is an unsigned 16-bit 
      quantity (a number between 0 and 65535), and has no dimension. Lower priority
      values are 'better'. The bridge with the lowest priority will be elected 'root bridge'.

      brctl setfd <bridge> <time> sets the bridge's 'bridge forward delay' to <time> seconds.

      brctl sethello <bridge> <time> sets the bridge's 'bridge hello time' to <time> seconds.

      brctl setmaxage <bridge> <time> sets the bridge's 'maximum message age' to <time> seconds.

      brctl setpathcost <bridge> <port> <cost> sets the port cost of the port <port> to <cost>. This is a dimensionless 
      metric.

      brctl setportprio <bridge> <port> <priority> sets the port <port>'s priority to <priority>. The priority value is an 
      unsigned 8-bit quantity (a number between 0 and 255), and has no dimension. This metric is used in the designated port
      and root port selection algorithms.

NOTES
      brctl(8) replaces the older brcfg tool.

SEE ALSO
      ipchains(8), iptables(8)

AUTHOR
      Lennert Buytenhek <buytenh@gnu.org>

November 7, 2001                                                                                BRCTL(8)

Layer 2 filtering. ebtables

See ebtables

The uml-utilities package

Installing the User Mode Linux utilities package (uml-utilities):

$ sudo apt-get install uml-utilities

Installed files:

$ dpkg -L uml-utilities
/.
/etc
/etc/network
/etc/network/if-pre-up.d
/etc/network/if-pre-up.d/uml-utilities
/etc/network/if-up.d
/etc/network/if-up.d/uml-utilities
/etc/default
/etc/default/uml-utilities
/etc/init.d
/etc/init.d/uml-utilities
/usr
/usr/share
/usr/share/doc
/usr/share/doc/uml-utilities
/usr/share/doc/uml-utilities/examples
/usr/share/doc/uml-utilities/examples/tty_log.pl
/usr/share/doc/uml-utilities/examples/interfaces.example
/usr/share/doc/uml-utilities/copyright
/usr/share/doc/uml-utilities/changelog.Debian.gz
/usr/share/doc/uml-utilities/README.Debian
/usr/share/man
/usr/share/man/man8
/usr/share/man/man8/tunctl.8.gz
/usr/share/man/man1
/usr/share/man/man1/uml_switch.1.gz
/usr/share/man/man1/jail_uml.1.gz
/usr/share/man/man1/humfsify.1.gz
/usr/share/man/man1/uml_mount.1.gz
/usr/share/man/man1/uml_mkcow.1.gz
/usr/share/man/man1/uml_moo.1.gz
/usr/share/man/man1/uml_mconsole.1.gz
/usr/sbin
/usr/sbin/tunctl
/usr/sbin/jail_uml
/usr/bin
/usr/bin/uml_mkcow
/usr/bin/uml_mconsole
/usr/bin/uml_mount
/usr/bin/uml_moo
/usr/bin/uml_watchdog
/usr/bin/uml_switch
/usr/bin/jailtest
/usr/bin/humfsify
/usr/lib
/usr/lib/uml
/usr/lib/uml/port-helper
/usr/lib/uml/uml_net


It contains tools for creating TAP interfaces.

Give the user permission to access the interface:

$ sudo gpasswd -a <user> uml-net

For example:

$ sudo gpasswd -a sergi uml-net

You need to restart (log in again) for the permissions to take effect.

To add the TAP interface, edit /etc/network/interfaces and add:

auto tap0
iface tap0 inet manual
     up ifconfig $IFACE 0.0.0.0 up
     down ifconfig $IFACE down
     tunctl_user <user>

Where <user> is your own user. For example (the bridge_ports line belongs in the bridge's own stanza, br0 here, not in the tap0 stanza):

auto tap0
iface tap0 inet manual
     up ifconfig $IFACE 0.0.0.0 up
     down ifconfig $IFACE down
     tunctl_user sergi

auto br0
iface br0 inet dhcp
     bridge_ports eth0 tap0

Restart the network:

$ sudo /etc/init.d/networking restart

tunctl

IMPORTANT: note that the ip command, via ip tuntap, also supports creating tun/tap interfaces. See also openvpn --mktun

tunctl creates and manages persistent TUN/TAP network interfaces.

The syntax is as follows:

$ tunctl [ OPTIONS ] [ -u owner ] [ -t device-name ]

or

$ tunctl -d device-name

tunctl lets the system administrator preconfigure TUN/TAP network interfaces so that a particular user can use them. That user can open the interface and use and modify its user-space side, but not its kernel-space side.

Let's look at some simple usage examples:

To create an interface for use by a particular user, run:

$ sudo tunctl -u someuser

This creates interface tap0 for user 'someuser'. To see the interface, run:

$ ifconfig -a

NOTE: the interface only appears if the command is run by user 'someuser'

Once created, the interface can be configured like any other:

$ sudo ifconfig tap0 192.168.0.254 up
$ sudo route add -host 192.168.0.253 dev tap0
$ sudo bash -c 'echo 1 > /proc/sys/net/ipv4/conf/tap0/proxy_arp'
$ arp -Ds 192.168.0.253 eth0 pub

To delete the interface:

$ sudo tunctl -d tap0

Another example:

$ sudo apt-get install uml-utilities
$ sudo tunctl -t tap1 -u sergi
$ sudo chmod 666 /dev/net/tun

And:

$ sudo brctl addbr br0 
$ sudo ifconfig eth0 0.0.0.0 promisc 
$ sudo brctl addif br0 eth0
$ dhclient br0
$ sudo brctl addif br0 tap1 

Resources:

TUN and TAP interfaces

See also tunctl

In networking, TUN and TAP are virtual network devices of the Linux kernel. They are network devices implemented 100% in software, unlike network adapters based on physical cards (NICs).

TAP (as in a "tap" or faucet) simulates a link-layer (layer 2) device (similar to what is known as a physical network tap) and is used to connect two network interfaces at layer 2 (for example, to pass Ethernet packets or frames between the two interfaces). TUN (as in network TUNnel) simulates a layer 3 device (the network layer, usually the IP layer). TAPs are used for bridging and TUNs for routing.

Packets that the operating system sends to a TUN or TAP interface are handled by a program in user space (user-space, not kernel-space).

TODO:

Tun/tap interfaces are software-only interfaces, meaning that they exist only in the kernel and, unlike regular network interfaces, they have no physical hardware component (and so there's no physical "wire" connected to them). You can think of a tun/tap interface as a regular network interface that, when the kernel decides that the moment has come to send data "on the wire", instead sends data to some userspace program that is attached to the interface (using a specific procedure, see below). When the program attaches to the tun/tap interface, it gets a special file descriptor, reading from which gives it the data that the interface is sending out. In a similar fashion, the program can write to this special descriptor, and the data (which must be properly formatted, as we'll see) will appear as input to the tun/tap interface. To the kernel, it would look like the tun/tap interface is receiving data "from the wire". The difference between a tap interface and a tun interface is that a tap interface outputs (and must be given) full ethernet frames, while a tun interface outputs (and must be given) raw IP packets (and no ethernet headers are added by the kernel). Whether an interface functions like a tun interface or like a tap interface is specified with a flag when the interface is created.

The interface can be transient, meaning that it's created, used and destroyed by the same program; when the program terminates, even if it doesn't explicitly destroy the interface, the interface ceases to exist. Another option (the one I prefer) is to make the interface persistent; in this case, it is created using a dedicated utility (like tunctl or openvpn --mktun), and then normal programs can attach to it; when they do so, they must connect using the same type (tun or tap) used to originally create the interface, otherwise they will not be able to attach. We'll see how that is done in the code.

Once a tun/tap interface is in place, it can be used just like any other interface, meaning that IP addresses can be assigned, its traffic can be analyzed, firewall rules can be created, routes pointing to it can be established, etc.

With this knowledge, let's try to see how we can use a tun/tap interface and what can be done with it.
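The tunctl section and the explanation above both come down to one operation: a program opens /dev/net/tun and issues the TUNSETIFF ioctl with the interface name and a flag choosing tun or tap. As an added example (not code from the page, from tunctl, or from the tutorial the text is taken from), this Python module builds that ioctl argument, attaches to an interface, and shows the difference the text stresses: a tap fd delivers whole Ethernet frames, a tun fd bare IP packets. The constants are from <linux/if_tun.h>; attach() needs CAP_NET_ADMIN or a persistent interface already owned by the calling user (as created with tunctl -u); the sample frame and packet are constructed.

```python
"""Attach to a TUN/TAP interface from Python and inspect what read() delivers.

Added example (not code from the page): constants are from <linux/if_tun.h>;
attach() needs CAP_NET_ADMIN or a persistent interface owned by the caller
(e.g. one created with `tunctl -u <user>`). Sample frame and packet are constructed.
"""
import fcntl
import os
import struct

TUNSETIFF = 0x400454ca       # ioctl: set interface name/flags
TUNSETPERSIST = 0x400454cb   # ioctl: keep the interface after the fd is closed
IFF_TUN = 0x0001             # layer 3: raw IP packets
IFF_TAP = 0x0002             # layer 2: full Ethernet frames
IFF_NO_PI = 0x1000           # do not prepend the 4-byte packet-info header
IFNAMSIZ = 16
IFREQ_SIZE = 40              # sizeof(struct ifreq) on Linux
ETH_HLEN = 14


def build_ifreq(name, mode, no_pi=True):
    """Pack the struct ifreq TUNSETIFF expects: ifr_name followed by ifr_flags."""
    if mode not in ("tun", "tap"):
        raise ValueError("mode must be 'tun' or 'tap'")
    raw = name.encode()
    if not raw or len(raw) >= IFNAMSIZ:
        raise ValueError("interface name must be 1..15 bytes")
    flags = IFF_TUN if mode == "tun" else IFF_TAP
    if no_pi:
        flags |= IFF_NO_PI
    return struct.pack("16sH", raw, flags).ljust(IFREQ_SIZE, b"\0")


def parse_ifreq(buf):
    """Inverse of build_ifreq: (name, flags) from the buffer the kernel returns."""
    raw, flags = struct.unpack_from("16sH", buf)
    return raw.rstrip(b"\0").decode(), flags


def attach(name, mode, persistent=False):
    """Open /dev/net/tun and bind the fd to interface `name` in the given mode.
    Attaching to an existing persistent interface with the other mode fails with EINVAL."""
    fd = os.open("/dev/net/tun", os.O_RDWR)
    try:
        reply = fcntl.ioctl(fd, TUNSETIFF, build_ifreq(name, mode))
        if persistent:
            fcntl.ioctl(fd, TUNSETPERSIST, 1)
    except OSError:
        os.close(fd)
        raise
    actual_name, _ = parse_ifreq(reply)   # kernel fills in the final name (e.g. tap%d)
    return fd, actual_name


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def describe(buf, mode):
    """Describe one read() result. A tap fd yields an Ethernet frame (14-byte header,
    EtherType); a tun fd yields a bare IP packet whose first nibble is the IP version."""
    if mode == "tap":
        if len(buf) < ETH_HLEN:
            raise ValueError("short Ethernet frame")
        dst, src, ethertype = struct.unpack("!6s6sH", buf[:ETH_HLEN])
        return {"dst": mac_str(dst), "src": mac_str(src),
                "ethertype": ethertype, "payload_len": len(buf) - ETH_HLEN}
    if not buf:
        raise ValueError("empty packet")
    return {"ip_version": buf[0] >> 4, "length": len(buf)}


# Constructed samples: a broadcast ARP frame as a tap fd would deliver it, and a
# 20-byte IPv4 header as a tun fd would deliver it.
SAMPLE_TAP_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("525400123456")
                    + b"\x08\x06" + bytes(28))
SAMPLE_TUN_PACKET = bytes.fromhex("45000014000100004001") + bytes(10)


def pump(fd, mode, count=5, mtu=1500 + ETH_HLEN):
    """Read `count` frames/packets from an attached fd and describe each one."""
    return [describe(os.read(fd, mtu), mode) for _ in range(count)]


if __name__ == "__main__":
    print(describe(SAMPLE_TAP_FRAME, "tap"))
    print(describe(SAMPLE_TUN_PACKET, "tun"))
    try:
        fd, name = attach("tap0", "tap")    # needs privileges or a persistent tap0
        print("attached to", name)
        for entry in pump(fd, "tap"):
            print(entry)
        os.close(fd)
    except OSError as exc:
        print("attach failed:", exc)
```

Attaching to a persistent tap interface with mode "tun" (or the reverse) fails with EINVAL, which is the "same type" rule the text describes; IFF_NO_PI is set so that read() returns the frame exactly as it would appear on the wire, which is what a bridge port or a packet capture expects.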

TODO:

TUN/TAP is used for:

   virtual private networks
       OpenVPN, Ethernet/IP over TCP/UDP; encrypted, compressed
       n2n, an open source Layer 2 over Layer 3 VPN application which utilises a peer-to-peer architecture for network membership and routing.
       tinc (protocol) [1], Ethernet/IPv4/IPv6 over TCP/UDP; encrypted, compressed
       VTun [2], Ethernet/IP/serial/Unix pipe over TCP; encrypted, compressed, traffic shaping
       OpenSSH
       CJDNS
       ICMPTX [3], IP over ICMP (ping)
       NSTX [1], iodine [4], IP over DNS
       HTun [5], IP over HTTP
       coLinux, Ethernet/IP over TCP/UDP
       Hamachi
       NeoRouter
       VPN-X Java TAP Wrapper, VPN-X can be a P2P VPN, can be a SSL VPN
   virtual machine networking
       Bochs
       coLinux
       Hercules (S/390 emulator)
       QEMU/Kvm
       User-mode Linux
       VirtualBox
   connecting real machines with network simulation
       ns-3[2]

TUN/TAP drivers are available on at least the following platforms:

   FreeBSD
   Linux, starting around version 2.1.60
   Mac OS X
   NetBSD
   OpenBSD
   Solaris Operating System
   Microsoft Windows 2000/XP/Vista/7
   QNX, only tap driver


brctl

$ dpkg -S brctl
bridge-utils: /usr/sbin/brctl


Bridging VLANs

TODO

If we add the subif into a bridge, so that the other interface(s) in the bridge and/or the bridge itself can communicate on the VLAN attached to the mainif, all works as expected.

# brctl addbr br0
# brctl addif br0 eth0.100
# ip li s dev br0 up
# brctl show
bridge name bridge id         STP enabled interfaces
br0         8000.deadbeefd00d no          eth0.100

Tagged VLANs and bridges

If you look at the diagram further up you will see that there is a problem with bridges and VLANs. The problem is that VLAN tagging happens as part of the interface selection process, so when the bridge receives tagged traffic on port eth0 the bridging code never sees the tag, because the code that

So, for example, on Proxmox it is possible to have VLANs if we create the VLANs first and then the bridge:

bond0 --> vlan --> bridge

On the other hand, if we create a bridge on top of a physical card or a bonding:

bond0 --> bridge -> vlan 

we cannot get the VLANs afterwards. That is, even though we will be able to define VLANs inside the virtual machine, they will not see the tagged traffic.

Fortunately it is possible to use ebtables (Ethernet Bridge Tables), the link-layer alternative to iptables. See the section Bridging#BROUTING

Resources:

ip tuntap

TODO

$ sudo ip tuntap help
Usage: ip tuntap { add | del } [ dev PHYS_DEV ] 
         [ mode { tun | tap } ] [ user USER ] [ group GROUP ]
         [ one_queue ] [ pi ] [ vnet_hdr ]

Where: USER  := { STRING | NUMBER }
       GROUP := { STRING | NUMBER }

Resources:

ebtables

See ebtables.

Troubleshooting

Network loops and bridges. STP

TODO

See STP

See also

External links