I know the multi-gateway source (policy-based) routing discussion has been had many times, but I have not yet found an answer to my current problem.
The server (running Fedora 21, kernel 3.17 or 3.18) is connected via two NICs, teamed using teamd-1.15-1 (Fedora update), with six VLANs built on top of the team interface (Team0). The firewalld and NetworkManager daemons are disabled, and I am not using IPTABLES as I have a primary hardware firewall appliance. Please don't ask why six VLANs; it is a requirement of the network.
All six VLANs work fine when individually assigned as the default gateway, but my problem is how to get all six VLANs operating as the gateway for their own respective VLAN traffic?
So far I have made the following setting changes to /usr/lib/sysctl.d/50-default.conf:
# Source route verification
net.ipv4.conf.default.rp_filter = 0 (original default =1)
net.ipv4.conf.all.rp_filter = 0 (original default =1)
# Accept IPv4 forwarding
net.ipv4.ip_forward = 1 (original default =0)
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0 (original default =1)
net.ipv4.conf.all.accept_source_route = 0 (original default =1)
These changes persist and are correctly reflected in the /net/ipv4/conf files etc.
The /iproute2/rt_tables file has been changed to reflect the additional routing tables required, as shown below:
#
# reserved values
#
255 local
254 main
253 default
205 EXTRAAPPS
204 DNSEXT
203 SERVEXT
202 INTRAAPPS
201 DNSINT
200 SERVINT
0 unspec
#
# local
#
#1 inr.ruhep
The setup for one VLAN (vlan30, using routing table 200) is shown below, with the IFCFG, ROUTE and RULE files:
ifcfg-vlan30
DEVICE=team0.30
PHYSDEV=team0
VLAN=yes
ONPARENT=yes
BOOTPROTO=static
NM_CONTROLLED=no
DEFROUTE=yes
IPADDR1=192.168.129.67
NETMASK1=255.255.255.248
IPADDR0=192.168.129.66
NETMASK0=255.255.255.248
GATEWAY=192.168.129.65
route-vlan30
default table SERVINT via 192.168.129.50
192.168.129.64/29 dev team0.30 proto static scope global src 192.168.129.66 table SERVINT
rule-vlan30
from 192.168.129.66/32 table SERVINT
to 192.168.129.66/32 table SERVINT
from 192.168.129.67/32 table SERVINT
to 192.168.129.67/32 table SERVINT
The custom tables (200-205 inc) appear to be correct, as they show up in the /proc/net/fib_trie file as defined in the "route-vlanxx" file entries.
fib_trie
Id 200:
+-- 0.0.0.0/0 1 0 0
|-- 0.0.0.0
/0 universe UNICAST
|-- 192.168.129.64
/29 universe UNICAST
Id 201:
+-- 0.0.0.0/0 1 0 0
|-- 0.0.0.0
/0 universe UNICAST
|-- 192.168.129.72
/29 universe UNICAST
Id 202:
+-- 0.0.0.0/0 1 0 0
|-- 0.0.0.0
/0 universe UNICAST
|-- 192.168.129.80
/29 universe UNICAST
Id 203:
+-- 0.0.0.0/0 1 0 0
|-- 0.0.0.0
/0 universe UNICAST
|-- 192.168.129.96
/29 universe UNICAST
Id 204:
+-- 0.0.0.0/0 1 0 0
|-- 0.0.0.0
/0 universe UNICAST
|-- 192.168.129.104
/29 universe UNICAST
Id 205:
+-- 0.0.0.0/0 1 0 0
|-- 0.0.0.0
/0 universe UNICAST
|-- 192.168.129.112
/28 universe UNICAST
Main:
+-- 0.0.0.0/0 1 0 0
|-- 0.0.0.0
/0 universe UNICAST
+-- 192.168.129.64/26 3 0 2
|-- 192.168.129.64
/29 link UNICAST
|-- 192.168.129.72
/29 link UNICAST
|-- 192.168.129.80
/29 link UNICAST
|-- 192.168.129.96
/29 link UNICAST
|-- 192.168.129.104
/29 link UNICAST
|-- 192.168.129.112
/28 link UNICAST
Local:
+-- 0.0.0.0/0 1 0 0
+-- 127.0.0.0/8 1 0 0
+-- 127.0.0.0/31 1 0 0
|-- 127.0.0.0
/32 link BROADCAST
/8 host LOCAL
(Snipped for brevity - not required for this matter)
The resulting ip addr, ip link and ip route command output is shown below:
ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master team0 state UP group default qlen 1000
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
inet6 fe80::20a:f7ff:fe18:420c/64 scope link
valid_lft forever preferred_lft forever
3: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master team0 state UP group default qlen 1000
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
inet6 fe80::20a:f7ff:fe18:420c/64 scope link
valid_lft forever preferred_lft forever
11: team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
inet6 fe80::20a:f7ff:fe18:420c/64 scope link
valid_lft forever preferred_lft forever
12: team0.30@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
inet 192.168.129.66/29 brd 192.168.129.71 scope global team0.30
valid_lft forever preferred_lft forever
inet 192.168.129.67/29 brd 192.168.129.71 scope global secondary team0.30
valid_lft forever preferred_lft forever
inet6 fe80::20a:f7ff:fe18:420c/64 scope link
valid_lft forever preferred_lft forever
13: team0.31@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
inet 192.168.129.74/29 brd 192.168.129.79 scope global team0.31
valid_lft forever preferred_lft forever
inet 192.168.129.75/29 brd 192.168.129.79 scope global secondary team0.31
valid_lft forever preferred_lft forever
inet6 fe80::20a:f7ff:fe18:420c/64 scope link
valid_lft forever preferred_lft forever
14: team0.32@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
inet 192.168.129.82/29 brd 192.168.129.87 scope global team0.32
valid_lft forever preferred_lft forever
inet 192.168.129.83/29 brd 192.168.129.87 scope global secondary team0.32
valid_lft forever preferred_lft forever
inet6 fe80::20a:f7ff:fe18:420c/64 scope link
valid_lft forever preferred_lft forever
15: team0.36@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
inet 192.168.129.98/29 brd 192.168.129.103 scope global team0.36
valid_lft forever preferred_lft forever
inet 192.168.129.99/29 brd 192.168.129.103 scope global secondary team0.36
valid_lft forever preferred_lft forever
inet6 fe80::20a:f7ff:fe18:420c/64 scope link
valid_lft forever preferred_lft forever
16: team0.37@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
inet 192.168.129.106/29 brd 192.168.129.111 scope global team0.37
valid_lft forever preferred_lft forever
inet 192.168.129.107/29 brd 192.168.129.111 scope global secondary team0.37
valid_lft forever preferred_lft forever
inet6 fe80::20a:f7ff:fe18:420c/64 scope link
valid_lft forever preferred_lft forever
17: team0.38@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
inet 192.168.129.114/28 brd 192.168.129.127 scope global team0.38
valid_lft forever preferred_lft forever
inet 192.168.129.115/28 brd 192.168.129.127 scope global secondary team0.38
valid_lft forever preferred_lft forever
inet 192.168.129.120/28 brd 192.168.129.127 scope global secondary team0.38
valid_lft forever preferred_lft forever
inet6 fe80::20a:f7ff:fe18:420c/64 scope link
valid_lft forever preferred_lft forever
ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master team0 state UP mode DEFAULT group default qlen 1000
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
3: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master team0 state UP mode DEFAULT group default qlen 1000
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
11: team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
12: team0.30@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
13: team0.31@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
14: team0.32@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
15: team0.36@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
16: team0.37@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
17: team0.38@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
ip route
default via 192.168.129.113 dev team0.38
192.168.129.64/29 dev team0.30 proto kernel scope link src 192.168.129.66
192.168.129.72/29 dev team0.31 proto kernel scope link src 192.168.129.74
192.168.129.80/29 dev team0.32 proto kernel scope link src 192.168.129.82
192.168.129.96/29 dev team0.36 proto kernel scope link src 192.168.129.98
192.168.129.104/29 dev team0.37 proto kernel scope link src 192.168.129.106
192.168.129.112/28 dev team0.38 proto kernel scope link src 192.168.129.114
The routes in tables 200-205 have been set as "scope global" (shown as universe UNICAST in /proc/net/fib_trie) because addresses in these VLANs need to be source-routed to a large number of "as yet" unknown destinations on the internet (via the primary firewall router appliance), but the "ip route" command response shows the routes as scope link because it is in the MAIN table, and not scope global as defined in the custom routing tables 200-205 and the fib_trie entries.
It seems to me that the kernel is using the main IP table rather than, as stated in the Fedora documentation, any previously correctly defined and listed tables and rules (i.e. lower table ID numbers), which should take priority.
Am I missing anything obvious in the default settings, or is there an error in the routing tables or rules that would correct this problem?
Any guidance, suggestions or hints would be much appreciated before I pull out the few remaining hairs I have left...
Cheers, Garth.
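Two things worth checking on a setup like the one above, before looking for missing packages: plain "ip route" only prints table main, so a custom table is inspected with "ip route show table SERVINT" (and "ip route get <dst> from <src>" shows which route a given source address actually gets); and the kernel evaluates "ip rule" entries in ascending priority order, so a "from <addr> lookup <table>" rule only wins if its priority is numerically lower than the "from all lookup main" rule at 32766. The script below is an added example, not code from the poster or from Fedora: it audits captured "ip rule show" and "ip route show table" text for exactly those conditions. The sample output is constructed to match the vlan30 / SERVINT figures in the question; the rule priorities in it are assumed for illustration.

```shell
#!/bin/sh
# Added example: audit per-VLAN policy routing from captured "ip rule show" and
# "ip route show table <name>" output. Samples below are constructed, modelled
# on the question's vlan30 / SERVINT configuration; priorities are assumed.

# Constructed "ip rule show" output where the source rules precede table main.
SAMPLE_RULES='0:      from all lookup local
32764:  from 192.168.129.66 lookup SERVINT
32765:  from 192.168.129.67 lookup SERVINT
32766:  from all lookup main
32767:  from all lookup default'

# Constructed "ip route show table SERVINT" output, per route-vlan30 above.
SAMPLE_TABLE='default via 192.168.129.50 dev team0.30
192.168.129.64/29 dev team0.30 proto static scope global src 192.168.129.66'

# Constructed broken variant: the source rule sits after "from all lookup main",
# so traffic from 192.168.129.66 is routed by table main (the symptom above).
BROKEN_RULES='0:      from all lookup local
32766:  from all lookup main
32767:  from 192.168.129.66 lookup SERVINT
32768:  from all lookup default'

# rule_priority ADDR TABLE RULES: print the priority of "from ADDR lookup TABLE"
# (with or without a /32 suffix), or nothing if no such rule exists.
rule_priority() {
  printf '%s\n' "$3" | awk -v a="$1" -v t="$2" \
    '$2 == "from" && ($3 == a || $3 == (a "/32")) && $4 == "lookup" && $5 == t {
       sub(":", "", $1); print $1; exit }'
}

# main_priority RULES: print the priority of the "from all lookup main" rule.
main_priority() {
  printf '%s\n' "$1" | awk \
    '$2 == "from" && $3 == "all" && $4 == "lookup" && $5 == "main" {
       sub(":", "", $1); print $1; exit }'
}

# table_has_default TABLE_OUTPUT GW: succeed if the table's default route uses GW.
table_has_default() {
  printf '%s\n' "$1" | grep -Eq "^default via $2( |$)"
}

# audit_vlan ADDR TABLE GW RULES TABLE_OUTPUT
# Prints one line per problem. Returns 0 only when ADDR is steered to TABLE
# ahead of table main and TABLE carries a default route via GW.
audit_vlan() {
  addr=$1; table=$2; gw=$3; rules=$4; tbl=$5; rc=0
  p=$(rule_priority "$addr" "$table" "$rules")
  m=$(main_priority "$rules")
  if [ -z "$p" ]; then
    echo "FAIL: no 'from $addr lookup $table' rule"; rc=1
  elif [ -n "$m" ] && [ "$p" -ge "$m" ]; then
    echo "FAIL: rule for $addr (prio $p) is evaluated after main (prio $m)"; rc=1
  fi
  if ! table_has_default "$tbl" "$gw"; then
    echo "FAIL: table $table has no 'default via $gw'"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: $addr -> table $table via $gw (prio $p, main at $m)"
  return "$rc"
}

# Stand-alone run over the constructed samples: first passes, second reports the
# mis-ordered rule.
audit_vlan 192.168.129.66 SERVINT 192.168.129.50 "$SAMPLE_RULES" "$SAMPLE_TABLE"
audit_vlan 192.168.129.66 SERVINT 192.168.129.50 "$BROKEN_RULES" "$SAMPLE_TABLE" || true
```

On a live host the two captures would come from "ip rule show" and "ip route show table SERVINT" rather than the constructed strings, run once per VLAN address. One defensive note on the sysctl changes quoted above: setting rp_filter to 0 disables reverse-path checking entirely; for a multi-homed host where strict mode (1) drops legitimate asymmetric traffic, loose mode (rp_filter = 2) still rejects packets whose source address is not reachable through any interface, which keeps some protection against spoofed sources.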
Answer 1
Found that the Fedora 21 and 22 "Server" installs do not contain the files required to make fib_rules.c operate, which controls multiple table rules.
The packages required to make policy routing with multiple tables work are:
kernel-headers, kernel-devel and libnl3-devel
Once these are installed, policy routing works correctly.