Kernel: 5.5.8-arch1-1
I am trying to get a virtual network working using a bridge attached to my physical interface. This is a typical setup; I'm not even trying to do anything unusual.
The bridge is br0 and the physical interface is enp6s0f0. The problem is that Linux does not forward any IP traffic out of the physical interface. It forwards ARP traffic in both directions (ARP resolution works), but no IP traffic leaves enp6s0f0.
Things I have tried:
Adding enp6s0f1 to the bridge, giving enp7s0f0 to the VM, and linking enp7s0f0 to enp6s0f1 with a cable
br0, but it does not forward to the VM port (or the Internet-facing port, or enp6s0f1)?
$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp6s0f0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000
link/ether 00:10:18:85:1c:c0 brd ff:ff:ff:ff:ff:ff
inet6 fe80::210:18ff:fe85:1cc0/64 scope link
valid_lft forever preferred_lft forever
3: enp6s0f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 00:10:18:85:1c:c2 brd ff:ff:ff:ff:ff:ff
4: enp7s0f0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 00:10:18:85:1c:c4 brd ff:ff:ff:ff:ff:ff
5: enp7s0f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 00:10:18:85:1c:c6 brd ff:ff:ff:ff:ff:ff
6: enp9s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether b4:2e:99:a6:22:f9 brd ff:ff:ff:ff:ff:ff
7: wlp8s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 08:71:90:4e:e9:77 brd ff:ff:ff:ff:ff:ff
8: br-183e1a17d7f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:ba:03:e1:9d brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-183e1a17d7f6
valid_lft forever preferred_lft forever
9: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:02:61:00:66 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
10: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:10:18:85:1c:c0 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.205/24 brd 192.168.1.255 scope global dynamic noprefixroute br0
valid_lft 9730sec preferred_lft 7930sec
inet6 fe80::210:18ff:fe85:1cc0/64 scope link
valid_lft forever preferred_lft forever
11: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UNKNOWN group default qlen 1000
link/ether fe:54:00:be:eb:3e brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc54:ff:febe:eb3e/64 scope link
valid_lft forever preferred_lft forever
$ brctl showstp br0
br0
bridge id 8000.001018851cc0
designated root 1000.44e4d9d88a00
root port 1 path cost 4
max age 19.99 bridge max age 19.99
hello time 1.99 bridge hello time 1.99
forward delay 14.99 bridge forward delay 14.99
ageing time 299.99
hello timer 0.00 tcn timer 0.00
topology change timer 0.00 gc timer 25.78
flags
enp6s0f0 (1)
port id 8001 state forwarding
designated root 1000.44e4d9d88a00 path cost 4
designated bridge 1000.44e4d9d88a00 message age timer 19.21
designated port 800d forward delay timer 0.00
designated cost 0 hold timer 0.00
flags
vnet0 (2)
port id 8002 state forwarding
designated root 1000.44e4d9d88a00 path cost 100
designated bridge 8000.001018851cc0 message age timer 0.00
designated port 8002 forward delay timer 0.00
designated cost 4 hold timer 0.22
flags
$ bridge -d link show
2: enp6s0f0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 4
hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off enp6s0f0
8: br-183e1a17d7f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 master br-183e1a17d7f6 br-183e1a17d7f6
9: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 master docker0 docker0
10: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 br0
11: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 100
hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off vnet0
$ sysctl net.bridge.bridge-nf-call-iptables
net.bridge.bridge-nf-call-iptables = 1
$ sysctl net.ipv4.conf.br0.forwarding
net.ipv4.conf.br0.forwarding = 1
It seems that, probably because of the iptables rules from Docker, you have the br_netfilter module loaded and active (i.e. sysctl net.bridge.bridge-nf-call-iptables returns 1). This makes bridged frames (Ethernet, layer 2) subject to iptables filtering (IP, layer 3):
What is bridge-netfilter?
Since Linux kernel 3.18-rc1, you have to modprobe br_netfilter to enable bridge-netfilter.
The bridge-netfilter code enables the following functionality:
{Ip,Ip6,Arp}tables can filter bridged IPv4/IPv6/ARP packets, even when encapsulated in an 802.1Q VLAN or PPPoE header. This enables the functionality of a stateful transparent firewall. All filtering, logging and NAT features of the 3 tools can therefore be used on bridged frames. Combined with ebtables, the bridge-nf code makes Linux a very powerful transparent firewall. This enables, for example, the creation of a transparent masquerading machine (i.e. all local hosts think they are directly connected to the Internet). Letting {ip,ip6,arp}tables see bridged traffic can be disabled or enabled using the appropriate proc entries, located in
/proc/sys/net/bridge/:
bridge-nf-call-arptables
bridge-nf-call-iptables
bridge-nf-call-ip6tables
This module gets loaded automatically, for example whenever iptables' physdev match is used, even in another network namespace.
There is documentation explaining the side effects caused by this module. These side effects are intended when using it for a transparent bridge firewall. Also, without it, the iptables physdev match does not work properly (it simply no longer matches anything). The same documentation explains how to prevent its effects, in particular in chapter 7:
Because of the br-nf code, there are 2 ways a frame/packet can pass through the 3 given iptables chains. The first way is when the frame is bridged, so the iptables chains are called by the bridge code. The second way is when the packet is routed.
Rather than disabling this module for iptables like this:
sysctl -w net.bridge.bridge-nf-call-iptables=0
one should adapt the iptables rules, as explained in chapter 7, to avoid the side effects. Otherwise other, unknown parts of the system will be disrupted.
Until recently (kernel 5.3), this module was not namespace-aware, and loading it suddenly affected all network namespaces, causing all kinds of trouble when unexpected. It is also since then that it can be enabled per bridge (ip link set dev BRIDGE type bridge nf_call_iptables 1) rather than per namespace.
Once the tools (Docker...) and kernels (>= 5.3) follow this evolution, enabling it only in the chosen network namespaces and bridges would be enough, but that is probably not the case today. Also note that kernel 5.3 also inherited a native bridge stateful firewall, usable by nftables, which will probably soon make this module obsolete (once direct encapsulation/decapsulation support for VLAN and PPPoE is available in the bridge):
Netfilter
Add native connection tracking support for the bridge. Before this patchset, the only chance for people to do stateful filtering was to use the br_netfilter emulation layer; this is a step forward to deprecate it.
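As an added illustration of the diagnosis and the chapter-7 remedy above (example code, not part of the original question or answer): the script checks an iptables-save style dump (a constructed sample resembling the FORWARD DROP policy Docker installs) and decides whether, with bridge-nf-call-iptables=1, frames merely bridged across br0 would be dropped by iptables; it then prints the documented fix of accepting bridged frames via the physdev match, with the per-bridge nf_call_iptables knob as the kernel >= 5.3 alternative. The interface name br0 and the sample rules are assumptions.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Constructed sample of what Docker typically installs: FORWARD policy DROP.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT'

# Same sample with the chapter-7 rule inserted at the top of FORWARD.
FIXED_RULES='*filter
:FORWARD DROP [0:0]
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A FORWARD -j DOCKER-USER
COMMIT'

# forward_policy DUMP: print the FORWARD chain policy (ACCEPT or DROP).
forward_policy() {
  printf '%s\n' "$1" | sed -n 's/^:FORWARD \([A-Z]*\).*/\1/p'
}

# has_bridged_accept DUMP: succeed if FORWARD already exempts bridged frames.
has_bridged_accept() {
  printf '%s\n' "$1" | grep -q -- '^-A FORWARD .*--physdev-is-bridged .*-j ACCEPT'
}

# bridged_traffic_at_risk NF_CALL DUMP: succeed (exit 0) when br_netfilter
# hands bridged frames to iptables and the FORWARD policy would drop them.
# Only the chain policy is inspected; explicit DROP rules are not parsed.
bridged_traffic_at_risk() {
  [ "$1" = 1 ] || return 1              # bridge-nf-call-iptables is 0: no risk
  [ "$(forward_policy "$2")" = DROP ] || return 1
  has_bridged_accept "$2" && return 1   # already exempted, nothing to do
  return 0
}

# remedy BRIDGE: print the two documented fixes (chapter-7 rule first).
remedy() {
  echo "iptables -I FORWARD 1 -m physdev --physdev-is-bridged -j ACCEPT"
  echo "# or, on kernel >= 5.3, per bridge instead of globally:"
  echo "ip link set dev $1 type bridge nf_call_iptables 0"
}

# Read the live sysctl if available (falls back to 0 when sysctl is absent).
nf="$(sysctl -n net.bridge.bridge-nf-call-iptables 2>/dev/null || echo 0)"
if bridged_traffic_at_risk "$nf" "$SAMPLE_RULES"; then remedy br0; fi
```

To check a real host, feed the output of iptables-save into bridged_traffic_at_risk instead of SAMPLE_RULES.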