See also Bridging
The following diagram shows the path a packet takes when it enters a machine running the Linux operating system (Packet Flow, or Linux Packet Flow).
See also Iptables#Diagrama_de_flux_d.27iptables
You can see that there is a point in the flow ("processing decision" in the diagram) where it is decided whether the traffic is handed to the link layer or to the network layer. The decision is very simple: if the network interface the packet arrived on (ingress) is part of a bridge, the packet is handed to the link layer (bridging); otherwise it is handed to the routing layer.
The bridge-utils package provides support for managing bridges on Linux.
Installation:
$ sudo apt-get install bridge-utils
Commands:
$ dpkg -L bridge-utils | grep bin
/usr/sbin
/usr/sbin/brctl
Configuration files:
$ dpkg -L bridge-utils | grep etc
/etc
/etc/network
/etc/network/if-pre-up.d
/etc/network/if-pre-up.d/bridge
/etc/network/if-post-down.d
/etc/network/if-post-down.d/bridge
Other installed files:
$ sudo dpkg -L bridge-utils
/.
/etc
/etc/network
/etc/network/if-pre-up.d
/etc/network/if-post-down.d
/sbin
/sbin/brctl
/lib
/lib/bridge-utils
/lib/bridge-utils/ifupdown.sh
/lib/bridge-utils/bridge-utils.sh
/lib/udev
/lib/udev/bridge-network-interface
/lib/udev/rules.d
/lib/udev/rules.d/40-bridge-network-interface.rules
/usr
/usr/share
/usr/share/doc
/usr/share/doc/bridge-utils
/usr/share/doc/bridge-utils/README
/usr/share/doc/bridge-utils/THANKS
/usr/share/doc/bridge-utils/TODO
/usr/share/doc/bridge-utils/FAQ
/usr/share/doc/bridge-utils/FIREWALL
/usr/share/doc/bridge-utils/HOWTO
/usr/share/doc/bridge-utils/PROJECTS
/usr/share/doc/bridge-utils/WISHLIST
/usr/share/doc/bridge-utils/examples
/usr/share/doc/bridge-utils/examples/pm-utils
/usr/share/doc/bridge-utils/examples/hibernate
/usr/share/doc/bridge-utils/README.Debian
/usr/share/doc/bridge-utils/copyright
/usr/share/doc/bridge-utils/changelog.Debian.gz
/usr/share/man
/usr/share/man/man8
/usr/share/man/man8/brctl.8.gz
/usr/share/man/man5
/usr/share/man/man5/bridge-utils-interfaces.5.gz
/etc/network/if-pre-up.d/bridge
/etc/network/if-post-down.d/bridge
Resources:
Use the show option:
$ brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.001601a1a9b7       no              eth0
                                                        wlan0
br1             8000.000000000000       no
An example of the same command run on a Proxmox server:
$ sudo brctl show
bridge name     bridge id               STP enabled     interfaces
vmbr0           8000.001e672e3cf4       no              bond0.11
                                                        tap100i0
                                                        tap106i0
                                                        tap122i0
                                                        tap141i0
                                                        tap142i0
                                                        tap143i0
                                                        tap144i0
                                                        tap150i0
                                                        tap161i0
                                                        tap180i0
                                                        tap191i0
vmbr1           8000.001e672e3cf4       no              bond0.1
vmbr10          8000.001e672e3cf4       no              bond0.10
                                                        tap106i2
                                                        tap143i1
vmbr11          8000.000000000000       no
vmbr12          8000.001e672e3cf4       no              bond0.12
vmbr13          8000.001e672e3cf4       no              bond0.13
                                                        tap106i5
                                                        tap141i1
vmbr14          8000.001e672e3cf4       no              bond0.14
vmbr15          8000.001e672e3cf4       no              bond0.15
vmbr16          8000.001e672e3cf4       no              bond0.16
vmbr17          8000.001e672e3cf4       no              bond0.17
vmbr18          8000.001e672e3cf4       no              bond0.18
                                                        tap304i0
vmbr19          8000.001e672e3cf4       no              bond0.19
                                                        tap106i3
                                                        tap308i0
vmbr2           8000.001e672e3cf4       no              bond0.2
                                                        tap106i1
                                                        tap142i1
                                                        tap144i1
vmbr3           8000.001e672e3cf4       no              bond0.3
                                                        tap106i4
vmbr4           8000.001e672e3cf4       no              bond0.4
                                                        tap150i1
vmbr5           8000.001e672e3cf4       no              bond0.5
vmbr6           8000.001e672e3cf4       no              bond0.6
vmbr7           8000.001e672e3cf4       no              bond0.7
$ sudo brctl addbr br1
Check that the interface has been created:
$ ifconfig br1
$ sudo brctl delbr br1
To add a port to a bridge:
$ sudo brctl addif br1 eth0
In this example we add the interface eth0 to the bridge br1 (the bridge is assumed to exist already).
Check with:
$ sudo brctl show
bridge name     bridge id               STP enabled     interfaces
br1             8000.5cf9dd4777a2       no              eth0
To remove a port from a bridge (here the eth0 port added above):
$ sudo brctl delif br1 eth0
TODO
Install the bridge-utils package and, in the file /etc/network/interfaces, create an interface that is a bridge over eth0:
$ cat /etc/network/interfaces
auto lo
iface lo inet loopback

auto br0
iface br0 inet static
    address 192.168.1.2
    netmask 255.255.255.0
    gateway 192.168.1.1
    bridge_ports eth0

auto eth0
iface eth0 inet manual
We can also use DHCP:
$ cat /etc/network/interfaces
auto lo
iface lo inet loopback

auto br0
iface br0 inet dhcp
    bridge_ports eth0

auto eth0
iface eth0 inet manual
NOTE: Note how the interface eth0 is configured as manual, and note the bridge_ports eth0 line, which makes it a port of br0.
Then restart the network:
$ sudo /etc/init.d/networking restart
From now on the interface eth0, as we can see when running ifconfig:
$ ifconfig
br0       Link encap:Ethernet  HWaddr 00:30:1B:B7:CD:B6
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::230:1bff:feb7:cdb6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:28932 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28277 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:24356075 (23.2 MB)  TX bytes:17213164 (16.4 MB)

eth0      Link encap:Ethernet  HWaddr 00:30:1B:B7:CD:B6
          inet6 addr: fe80::230:1bff:feb7:cdb6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:20788 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14681 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:23664360 (22.5 MB)  TX bytes:1995733 (1.9 MB)
          Interrupt:20
is an interface with no IP configuration of its own (a "dumb" or dummy interface; the address now lives on br0). This is normal; check that the network still works.
$ man brctl
BRCTL(8)                                                              BRCTL(8)

NAME
       brctl - ethernet bridge administration

SYNOPSIS
       brctl [command]

DESCRIPTION
       brctl is used to set up, maintain, and inspect the ethernet bridge
       configuration in the linux kernel.

       An ethernet bridge is a device commonly used to connect different
       networks of ethernets together, so that these ethernets will appear as
       one ethernet to the participants.

       Each of the ethernets being connected corresponds to one physical
       interface in the bridge. These individual ethernets are bundled into
       one bigger ('logical') ethernet, this bigger ethernet corresponds to
       the bridge network interface.

INSTANCES
       The command brctl addbr <name> creates a new instance of the ethernet
       bridge. The network interface corresponding to the bridge will be
       called <name>.

       The command brctl delbr <name> deletes the instance <name> of the
       ethernet bridge. The network interface corresponding to the bridge
       must be down before it can be deleted!

       The command brctl show shows all current instances of the ethernet
       bridge.

PORTS
       Each bridge has a number of ports attached to it. Network traffic
       coming in on any of these ports will be forwarded to the other ports
       transparently, so that the bridge is invisible to the rest of the
       network (i.e. it will not show up in traceroute(8) ).

       The command brctl addif <brname> <ifname> will make the interface
       <ifname> a port of the bridge <brname>. This means that all frames
       received on <ifname> will be processed as if destined for the bridge.
       Also, when sending frames on <brname>, <ifname> will be considered as
       a potential output interface.

       The command brctl delif <brname> <ifname> will detach the interface
       <ifname> from the bridge <brname>.

       The command brctl show <brname> will show some information on the
       bridge and its attached ports.

AGEING
       The bridge keeps track of ethernet addresses seen on each port. When
       it needs to forward a frame, and it happens to know on which port the
       destination ethernet address (specified in the frame) is located, it
       can 'cheat' by forwarding the frame to that port only, thus saving a
       lot of redundant copies and transmits.

       However, the ethernet address location data is not static data.
       Machines can move to other ports, network cards can be replaced (which
       changes the machine's ethernet address), etc.

       brctl showmacs <brname> shows a list of learned MAC addresses for this
       bridge.

       brctl setageing <brname> <time> sets the ethernet (MAC) address ageing
       time, in seconds. After <time> seconds of not having seen a frame
       coming from a certain address, the bridge will time out (delete) that
       address from the Forwarding DataBase (fdb).

       brctl setgcint <brname> <time> sets the garbage collection interval
       for the bridge <brname> to <time> seconds. This means that the bridge
       will check the forwarding database for timed out entries every <time>
       seconds.

SPANNING TREE PROTOCOL
       Multiple ethernet bridges can work together to create even larger
       networks of ethernets using the IEEE 802.1d spanning tree protocol.
       This protocol is used for finding the shortest path between two
       ethernets, and for eliminating loops from the topology. As this
       protocol is a standard, linux bridges will interwork properly with
       other third party bridge products. Bridges communicate with each other
       by sending and receiving BPDUs (Bridge Protocol Data Units). These
       BPDUs can be recognised by an ethernet destination address of
       01:80:c2:00:00:00

       The spanning tree protocol can also be turned off (for those
       situations where it just doesn't make sense, for example when this
       linux box is the only bridge on the LAN, or when you know that there
       are no loops in the topology.)

       brctl(8) can be used for configuring certain spanning tree protocol
       parameters. For an explanation of these parameters, see the IEEE
       802.1d specification (or send me an email). The default values should
       be just fine. If you don't know what these parameters mean, you
       probably won't feel the desire to tweak them.

       brctl stp <bridge> <state> controls this bridge instance's
       participation in the spanning tree protocol. If <state> is "on" or
       "yes" the STP will be turned on, otherwise it will be turned off. When
       turned off, the bridge will not send or receive BPDUs, and will thus
       not participate in the spanning tree protocol. If your bridge isn't
       the only bridge on the LAN, or if there are loops in the LAN's
       topology, DO NOT turn this option off. If you turn this option off,
       please know what you are doing.

       brctl setbridgeprio <bridge> <priority> sets the bridge's priority to
       <priority>. The priority value is an unsigned 16-bit quantity (a
       number between 0 and 65535), and has no dimension. Lower priority
       values are 'better'. The bridge with the lowest priority will be
       elected 'root bridge'.

       brctl setfd <bridge> <time> sets the bridge's 'bridge forward delay'
       to <time> seconds.

       brctl sethello <bridge> <time> sets the bridge's 'bridge hello time'
       to <time> seconds.

       brctl setmaxage <bridge> <time> sets the bridge's 'maximum message
       age' to <time> seconds.

       brctl setpathcost <bridge> <port> <cost> sets the port cost of the
       port <port> to <cost>. This is a dimensionless metric.

       brctl setportprio <bridge> <port> <priority> sets the port <port>'s
       priority to <priority>. The priority value is an unsigned 8-bit
       quantity (a number between 0 and 255), and has no dimension. This
       metric is used in the designated port and root port selection
       algorithms.

NOTES
       brctl(8) replaces the older brcfg tool.

SEE ALSO
       ipchains(8), iptables(8)

AUTHOR
       Lennert Buytenhek <[email protected]>

                               November 7, 2001                       BRCTL(8)
See ebtables
Installing the User Mode Linux utilities package (uml-utilities):
$ sudo apt-get install uml-utilities
/.
/etc
/etc/network
/etc/network/if-pre-up.d
/etc/network/if-pre-up.d/uml-utilities
/etc/network/if-up.d
/etc/network/if-up.d/uml-utilities
/etc/default
/etc/default/uml-utilities
/etc/init.d
/etc/init.d/uml-utilities
/usr
/usr/share
/usr/share/doc
/usr/share/doc/uml-utilities
/usr/share/doc/uml-utilities/examples
/usr/share/doc/uml-utilities/examples/tty_log.pl
/usr/share/doc/uml-utilities/examples/interfaces.example
/usr/share/doc/uml-utilities/copyright
/usr/share/doc/uml-utilities/changelog.Debian.gz
/usr/share/doc/uml-utilities/README.Debian
/usr/share/man
/usr/share/man/man8
/usr/share/man/man8/tunctl.8.gz
/usr/share/man/man1
/usr/share/man/man1/uml_switch.1.gz
/usr/share/man/man1/jail_uml.1.gz
/usr/share/man/man1/humfsify.1.gz
/usr/share/man/man1/uml_mount.1.gz
/usr/share/man/man1/uml_mkcow.1.gz
/usr/share/man/man1/uml_moo.1.gz
/usr/share/man/man1/uml_mconsole.1.gz
/usr/sbin
/usr/sbin/tunctl
/usr/sbin/jail_uml
/usr/bin
/usr/bin/uml_mkcow
/usr/bin/uml_mconsole
/usr/bin/uml_mount
/usr/bin/uml_moo
/usr/bin/uml_watchdog
/usr/bin/uml_switch
/usr/bin/jailtest
/usr/bin/humfsify
/usr/lib
/usr/lib/uml
/usr/lib/uml/port-helper
/usr/lib/uml/uml_net
It contains the tools needed to create TAP interfaces.
Give the user permission to access the interface by adding them to the uml-net group:
$ sudo gpasswd -a <user> uml-net
For example:
$ sudo gpasswd -a sergi uml-net
You need to log in again (or reboot) for the new group membership to take effect.
To add the TAP interface, edit the file /etc/network/interfaces and add:
auto tap0
iface tap0 inet manual
    up ifconfig $IFACE 0.0.0.0 up
    down ifconfig $IFACE down
    tunctl_user <user>
where in place of <user> we put our own username. For example:
auto tap0
iface tap0 inet manual
    up ifconfig $IFACE 0.0.0.0 up
    down ifconfig $IFACE down
    tunctl_user sergi
    bridge_ports eth0 tap0
Restart the network:
$ sudo /etc/init.d/networking restart
IMPORTANT: Note that the ip command, through ip tuntap, also supports creating tun/tap interfaces. See also openvpn --mktun.
tunctl creates and manages persistent TUN/TAP network interfaces.
The syntax is as follows:
$ tunctl [ OPTIONS ] [ -u owner ] [ -t device-name ]
or
$ tunctl -d device-name
tunctl lets the system administrator pre-configure TUN/TAP network interfaces so that they can be used by a specific user. That user can open and use the interface and modify its user-space aspects, but not the kernel-space ones.
Let's look at some simple usage examples:
To create an interface to be used by a particular user, run:
$ sudo tunctl -u someuser
This creates the interface tap0 for the user 'someuser'. To see the interface use the command:
$ ifconfig -a
NOTE: Note that the interface only appears if the command is run by the user 'someuser'
Once the interface has been created it can be configured like any other:
$ sudo ifconfig tap0 192.168.0.254 up
$ sudo route add -host 192.168.0.253 dev tap0
$ sudo bash -c 'echo 1 > /proc/sys/net/ipv4/conf/tap0/proxy_arp'
$ arp -Ds 192.168.0.253 eth0 pub
To delete the interface:
$ sudo tunctl -d tap0
Let's look at another example:
$ sudo apt-get install uml-utilities
$ sudo tunctl -t tap1 -u sergi
$ sudo chmod 666 /dev/net/tun
And:
$ sudo brctl addbr br0
$ sudo ifconfig eth0 0.0.0.0 promisc
$ sudo brctl addif br0 eth0
$ dhclient br0
$ sudo brctl addif br0 tap1
Resources:
See also tunctl
In networking, TUN and TAP are virtual network devices of the Linux kernel. They are network devices implemented entirely in software, unlike network adapters backed by physical cards (NICs).
TAP (in English, a tap or faucet) simulates a link-layer (layer 2) device (it is similar to what is known as a physical network tap) and is used to connect two network interfaces at layer 2 (for example, to pass Ethernet frames between the two interfaces). TUN (as in network TUNnels) simulates a layer 3 device (the network layer, usually IP). TAPs are used for bridging and TUNs for routing.
Packets that the operating system sends to a TUN or TAP interface are handled by a program in user space (user-space, not kernel-space).
TODO:
Tun/tap interfaces are software-only interfaces, meaning that they exist only in the kernel and, unlike regular network interfaces, they have no physical hardware component (and so there's no physical "wire" connected to them). You can think of a tun/tap interface as a regular network interface that, when the kernel decides that the moment has come to send data "on the wire", instead sends data to some userspace program that is attached to the interface (using a specific procedure, see below). When the program attaches to the tun/tap interface, it gets a special file descriptor, reading from which gives it the data that the interface is sending out. In a similar fashion, the program can write to this special descriptor, and the data (which must be properly formatted, as we'll see) will appear as input to the tun/tap interface. To the kernel, it would look like the tun/tap interface is receiving data "from the wire". The difference between a tap interface and a tun interface is that a tap interface outputs (and must be given) full ethernet frames, while a tun interface outputs (and must be given) raw IP packets (and no ethernet headers are added by the kernel). Whether an interface functions like a tun interface or like a tap interface is specified with a flag when the interface is created.
The interface can be transient, meaning that it's created, used and destroyed by the same program; when the program terminates, even if it doesn't explicitly destroy the interface, the interface ceases to exist. Another option (the one I prefer) is to make the interface persistent; in this case, it is created using a dedicated utility (like tunctl or openvpn --mktun), and then normal programs can attach to it; when they do so, they must connect using the same type (tun or tap) used to originally create the interface, otherwise they will not be able to attach. We'll see how that is done in the code.
Once a tun/tap interface is in place, it can be used just like any other interface, meaning that IP addresses can be assigned, its traffic can be analyzed, firewall rules can be created, routes pointing to it can be established, etc.
With this knowledge, let's try to see how we can use a tun/tap interface and what can be done with it.
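As an added example (not code from the original page nor from the tunctl/uml-utilities project), here is a small C program that performs the attach procedure described above: it opens /dev/net/tun, issues TUNSETIFF with the IFF_TAP or IFF_TUN flag, and reads what the kernel sends out on the interface. It assumes Linux, an interface name and mode taken from the command line (defaults: tap0, tap), and that the caller either is root or was given ownership with tunctl -u; the function names build_ifreq, tun_attach and classify are this example's own.

```c
#include <fcntl.h>
#include <linux/if.h>
#include <linux/if_tun.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Fill the ifreq that TUNSETIFF expects. mode is IFF_TUN or IFF_TAP;
 * IFF_NO_PI drops the 4-byte packet-information prefix, so each read
 * returns exactly one Ethernet frame (TAP) or one IP packet (TUN). */
int build_ifreq(struct ifreq *ifr, const char *name, short mode)
{
    if (strlen(name) >= IFNAMSIZ)
        return -1;                            /* would not fit ifr_name */
    memset(ifr, 0, sizeof *ifr);
    ifr->ifr_flags = mode | IFF_NO_PI;
    strncpy(ifr->ifr_name, name, IFNAMSIZ - 1);
    return 0;
}
/* Open /dev/net/tun (needs root/CAP_NET_ADMIN or ownership granted with
 * tunctl -u) and attach to the named interface; a persistent one must be
 * attached with the mode it was created with. Returns the fd or -1. */
int tun_attach(const char *name, short mode)
{
    struct ifreq ifr;
    int fd = open("/dev/net/tun", O_RDWR);
    if (fd < 0) return -1;
    if (build_ifreq(&ifr, name, mode) < 0 || ioctl(fd, TUNSETIFF, &ifr) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}
/* One buffer read from the fd: on TAP it starts with a 14-byte Ethernet
 * header (EtherType at offset 12), on TUN with the IP header whose high
 * nibble is the version. Returns EtherType / IP version, -1 if short. */
int classify(const uint8_t *buf, size_t len, short mode)
{
    if (mode == IFF_TAP)
        return len < 14 ? -1 : (buf[12] << 8) | buf[13];
    return len < 1 ? -1 : buf[0] >> 4;
}
int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "tap0";       /* ./a.out tap1 tun */
    short mode = (argc > 2 && strcmp(argv[2], "tun") == 0) ? IFF_TUN : IFF_TAP;
    int fd = tun_attach(name, mode);
    if (fd < 0) { perror("tun_attach"); return 1; }
    uint8_t buf[2048];
    for (;;) {                                /* one read = one frame/packet */
        ssize_t n = read(fd, buf, sizeof buf);
        if (n < 0) { perror("read"); break; }
        printf("%s: %zd bytes, type 0x%04x\n", name, n, classify(buf, (size_t)n, mode));
    }
    close(fd);
    return 0;
}
```

Attaching a TAP-created interface with IFF_TUN (or vice versa) makes the TUNSETIFF ioctl fail, which is the mismatch the paragraph above warns about.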
TODO:
TUN/TAP is used for:
  virtual private networks
    OpenVPN, Ethernet/IP over TCP/UDP; encrypted, compressed
    n2n, an open source Layer 2 over Layer 3 VPN application which utilises a peer-to-peer architecture for network membership and routing.
    tinc (protocol) [1], Ethernet/IPv4/IPv6 over TCP/UDP; encrypted, compressed
    VTun [2], Ethernet/IP/serial/Unix pipe over TCP; encrypted, compressed, traffic shaping
    OpenSSH
    CJDNS
    ICMPTX [3], IP over ICMP (ping)
    NSTX [1], iodine [4], IP over DNS
    HTun [5], IP over HTTP
    coLinux, Ethernet/IP over TCP/UDP
    Hamachi
    NeoRouter
    VPN-X Java TAP Wrapper, VPN-X can be a P2P VPN, can be a SSL VPN
  virtual machine networking
    Bochs
    coLinux
    Hercules (S/390 emulator)
    QEMU/Kvm
    User-mode Linux
    VirtualBox
  connecting real machines with network simulation
    ns-3 [2]
TUN/TAP drivers are available on at least the following platforms:
  FreeBSD
  Linux, starting around version 2.1.60
  Mac OS X
  NetBSD
  OpenBSD
  Solaris Operating System
  Microsoft Windows 2000/XP/Vista/7
  QNX, only tap driver
$ dpkg -S brctl
bridge-utils: /usr/sbin/brctl
TODO
If we add the subif into a bridge, so that the other interface(s) in the bridge and/or the bridge itself can communicate on the VLAN attached to the mainif, all works as expected.
# brctl addbr br0
# brctl addif br0 eth0.100
# ip li s dev br0 up
# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.deadbeefd00d       no              eth0.100
If you look at the diagram further up, you will see that there is a problem with bridges and VLANs. The problem is that VLAN tagging happens as part of the interface-selection process, so when the bridge receives tagged traffic on port eth0 the bridging process never sees the tag, because the code that
So, for example, on Proxmox it is possible to have VLANs if we create the VLANs first and then the bridge on top of them:
bond0 --> vlan --> bridge
Whereas if we create a bridge directly on top of a physical card or on top of a bonding:
bond0 --> bridge -> vlan
then we cannot get at the VLANs afterwards. That is, even though we can define VLANs inside the virtual machine, they will not see the tagged traffic.
Fortunately it is possible to use ebtables (Ethernet Bridge Tables), the link-layer counterpart of iptables. See the section Bridging#BROUTING
Resources:
TODO
$ sudo ip tuntap help
Usage: ip tuntap { add | del } [ dev PHYS_DEV ]
          [ mode { tun | tap } ] [ user USER ] [ group GROUP ]
          [ one_queue ] [ pi ] [ vnet_hdr ]

Where: USER  := { STRING | NUMBER }
       GROUP := { STRING | NUMBER }
Resources:
See ebtables.
TODO
See STP