多网关路由 - Fedora 内核 3.17 & 3.18

tag-icon tag-icon networking fedora routing
多网关路由 - Fedora 内核 3.17 & 3.18

我知道关于多网关源(基于策略)路由的讨论已被多次讨论,但我尚未找到当前问题的答案。

服务器(运行 Fedora 21,内核 3.17 或 3.18)通过两个 NIC 连接,使用 teamd-1.15-1(Fedora 更新)进行分组,并在分组接口(Team0)上构建了六个 VLAN。firewalld 和 NetworkManager 守护进程已被禁用,并且我没有使用 IPTABLES,因为我有一个主要的硬件防火墙设备。请不要问为什么要有六个 VLAN,这是网络的要求。

当单独分配为默认网关时,所有六个 VLAN 都可以正常运行,但我的问题是如何让所有六个 VLAN 都作为其各自 VLAN 流量的网关运行?

到目前为止,我对 /usr/lib/sysctl.d/50-default.conf 进行了以下设置更改:

# Source route verification
net.ipv4.conf.default.rp_filter = 0 (original default =1)
net.ipv4.conf.all.rp_filter = 0 (original default =1)

# Accept IPv4 forwarding
net.ipv4.ip_forward = 1 (original default =0)

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0 (original default =1)
net.ipv4.conf.all.accept_source_route = 0 (original default =1)

这些变化持续且正确地反映在 /net/ipv4/conf 文件等中。

/iproute2/rt_tables 文件已被更改以反映所需的附加路由表,如下所示:

#
# reserved values
#
255     local
254     main
253     default
205     EXTRAAPPS
204     DNSEXT
203     SERVEXT
202     INTRAAPPS
201     DNSINT
200     SERVINT
0       unspec
#
#       local
#
#1      inr.ruhep

一个 VLAN(vlan30,使用路由表 200)的设置如下所示,其中显示了 IFCFG、ROUTE 和 RULE 文件:

ifcfg-vlan30

DEVICE=team0.30
PHYSDEV=team0
VLAN=yes
ONPARENT=yes
BOOTPROTO=static
NM_CONTROLLED=no
DEFROUTE=yes
IPADDR1=192.168.129.67
NETMASK1=255.255.255.248
IPADDR0=192.168.129.66
NETMASK0=255.255.255.248
GATEWAY=192.168.129.65

路由-vlan30

default table SERVINT via 192.168.129.50
192.168.129.64/29 dev team0.30 proto static scope global src 192.168.129.66 table SERVINT

规则-vlan30

from 192.168.129.66/32 table SERVINT
to 192.168.129.66/32 table SERVINT
from 192.168.129.67/32 table SERVINT
to 192.168.129.67/32 table SERVINT

自定义表(200-205 inc)看起来是正确的,因为它们出现在 /proc/etc/fib_trei 文件中,如“route-vlanxx”文件条目中所定义。

光纤链路

Id 200:
  +-- 0.0.0.0/0 1 0 0
     |-- 0.0.0.0
        /0 universe UNICAST
     |-- 192.168.129.64
        /29 universe UNICAST
Id 201:
  +-- 0.0.0.0/0 1 0 0
     |-- 0.0.0.0
         /0 universe UNICAST
     |-- 192.168.129.72
        /29 universe UNICAST
Id 202:
  +-- 0.0.0.0/0 1 0 0
     |-- 0.0.0.0
        /0 universe UNICAST
 |-- 192.168.129.80
        /29 universe UNICAST
Id 203:
  +-- 0.0.0.0/0 1 0 0
     |-- 0.0.0.0
        /0 universe UNICAST
     |-- 192.168.129.96
        /29 universe UNICAST
Id 204:
   +-- 0.0.0.0/0 1 0 0
     |-- 0.0.0.0
        /0 universe UNICAST
     |-- 192.168.129.104
        /29 universe UNICAST
Id 205:
   +-- 0.0.0.0/0 1 0 0
     |-- 0.0.0.0
        /0 universe UNICAST
     |-- 192.168.129.112
        /28 universe UNICAST
Main:
+-- 0.0.0.0/0 1 0 0
 |-- 0.0.0.0
    /0 universe UNICAST
 +-- 192.168.129.64/26 3 0 2
    |-- 192.168.129.64
       /29 link UNICAST
    |-- 192.168.129.72
       /29 link UNICAST
    |-- 192.168.129.80
       /29 link UNICAST
    |-- 192.168.129.96
       /29 link UNICAST
    |-- 192.168.129.104
       /29 link UNICAST
    |-- 192.168.129.112
       /28 link UNICAST
Local:
+-- 0.0.0.0/0 1 0 0
   +-- 127.0.0.0/8 1 0 0
      +-- 127.0.0.0/31 1 0 0
         |-- 127.0.0.0
            /32 link BROADCAST
            /8 host LOCAL
 (Snipped for brevity - not required for this matter)

结果ip addr、ip link 和 ip route命令如下所示:

IP 地址

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
   valid_lft forever preferred_lft forever
inet6 ::1/128 scope host 
   valid_lft forever preferred_lft forever

2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master team0 state UP group default qlen 1000
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
inet6 fe80::20a:f7ff:fe18:420c/64 scope link 
   valid_lft forever preferred_lft forever

3: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master team0 state UP group default qlen 1000
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
inet6 fe80::20a:f7ff:fe18:420c/64 scope link 
   valid_lft forever preferred_lft forever

11: team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
inet6 fe80::20a:f7ff:fe18:420c/64 scope link 
   valid_lft forever preferred_lft forever

12: team0.30@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
inet 192.168.129.66/29 brd 192.168.129.71 scope global team0.30
   valid_lft forever preferred_lft forever
inet 192.168.129.67/29 brd 192.168.129.71 scope global secondary team0.30
   valid_lft forever preferred_lft forever
inet6 fe80::20a:f7ff:fe18:420c/64 scope link 
   valid_lft forever preferred_lft forever

13: team0.31@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
inet 192.168.129.74/29 brd 192.168.129.79 scope global team0.31
   valid_lft forever preferred_lft forever
inet 192.168.129.75/29 brd 192.168.129.79 scope global secondary team0.31
   valid_lft forever preferred_lft forever
inet6 fe80::20a:f7ff:fe18:420c/64 scope link 
   valid_lft forever preferred_lft forever

14: team0.32@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
inet 192.168.129.82/29 brd 192.168.129.87 scope global team0.32
   valid_lft forever preferred_lft forever
inet 192.168.129.83/29 brd 192.168.129.87 scope global secondary team0.32
   valid_lft forever preferred_lft forever
inet6 fe80::20a:f7ff:fe18:420c/64 scope link 
   valid_lft forever preferred_lft forever

15: team0.36@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
inet 192.168.129.98/29 brd 192.168.129.103 scope global team0.36
   valid_lft forever preferred_lft forever
inet 192.168.129.99/29 brd 192.168.129.103 scope global secondary team0.36
   valid_lft forever preferred_lft forever
inet6 fe80::20a:f7ff:fe18:420c/64 scope link 
   valid_lft forever preferred_lft forever

16: team0.37@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
inet 192.168.129.106/29 brd 192.168.129.111 scope global team0.37
   valid_lft forever preferred_lft forever
inet 192.168.129.107/29 brd 192.168.129.111 scope global secondary team0.37
   valid_lft forever preferred_lft forever
inet6 fe80::20a:f7ff:fe18:420c/64 scope link 
   valid_lft forever preferred_lft forever

17: team0.38@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff
inet 192.168.129.114/28 brd 192.168.129.127 scope global team0.38
   valid_lft forever preferred_lft forever
inet 192.168.129.115/28 brd 192.168.129.127 scope global secondary team0.38
   valid_lft forever preferred_lft forever
inet 192.168.129.120/28 brd 192.168.129.127 scope global secondary team0.38
   valid_lft forever preferred_lft forever
inet6 fe80::20a:f7ff:fe18:420c/64 scope link 
   valid_lft forever preferred_lft forever

网际协议连接

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master team0 state UP mode DEFAULT group default qlen 1000
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff

3: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master team0 state UP mode DEFAULT group default qlen 1000
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff

11: team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff

12: team0.30@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff

13: team0.31@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff

14: team0.32@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff

15: team0.36@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff

16: team0.37@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff

17: team0.38@team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
link/ether 00:0a:f7:18:42:0c brd ff:ff:ff:ff:ff:ff

路由

default via 192.168.129.113 dev team0.38 
192.168.129.64/29 dev team0.30  proto kernel  scope link  src 192.168.129.66 
192.168.129.72/29 dev team0.31  proto kernel  scope link  src 192.168.129.74 
192.168.129.80/29 dev team0.32  proto kernel  scope link  src 192.168.129.82 
192.168.129.96/29 dev team0.36  proto kernel  scope link  src 192.168.129.98 
192.168.129.104/29 dev team0.37  proto kernel  scope link  src 192.168.129.106 
192.168.129.112/28 dev team0.38  proto kernel  scope link  src 192.168.129.114

表 200-205 中的路由已设置为“范围全局”(显示为宇宙单播在 /proc/net/fib_trei 中),因为这些 VLAN 中的地址需要通过源路由到互联网上大量“尚未”知道的目的地(通过主防火墙路由器设备),但是“ip route”命令响应显示路由为作用域链接,因为它在 MAIN 表中,而不是作用域 全局如自定义路由表 200-205 中所定义,以及光纤链路項目。

在我看来,内核正在采用主 IP 表,而不是像 Fedora 文档中所述,任何在之前正确定义和列出的表和规则(即较低的表 ID 号)都应优先。

我是否遗漏了默认值设置中显而易见的任何内容,或者路由表或规则中是否存在可以纠正此问题的错误?

在我拔掉剩下的那几根头发之前,任何指导、建议或提示都将不胜感激......

干杯,加思。

答案1

发现 Fedora 21 和 22“服务器”安装不包含使 fib_rules.c 运行所需的文件,该文件控制多个表规则。

制定具有多个表的策略路由所需的软件包包括:

kernel-headers、kernel-devel 和 libnl3-devel

一旦安装了这些,策略路由就可以正常工作。

相关内容