How do I set up a 6to4 tunnel over a bridge on CentOS?

In my CentOS VM I created a 6to4 tunnel, sit6to4, and a bridge, cbr0, and I want all traffic on the bridge to go through the 6to4 tunnel.

Configuration of sit6to4:

DEVICE=sit6to4
TYPE=sit
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=static
IPV6INIT=yes
IPV6_MTU=8800
IPV6TUNNELIPV4=any
IPV6TUNNELIPV4LOCAL=172.18.176.95
IPV6ADDR=2002:ac12:b05f::1/48

Configuration of cbr0:

TYPE=Bridge
ONBOOT=yes
DEVICE=cbr0
NM_CONTROLLED=no
BOOTPROTO=static
IPADDR=172.18.176.95
GATEWAY=172.18.176.1
NETMASK=255.255.255.0
MTU=8800
IPV6INIT=yes
IPV6_DEFAULTDEV="sit6to4"
IPV6ADDR=2002:ac12:b05f:1::21/48
IPV6ADDR_SECONDARIES="2002:ac12:b05f:1::2100/48"
IPV6_ROUTER=yes
IPV6_AUTOCONF=no
IPV6FORWARDING=yes

Binding the physical adapter eth0 to cbr0:

TYPE=Ethernet
DEVICE=eth0
NAME=eth0
ONBOOT=yes
BRIDGE=cbr0
NM_CONTROLLED=no
MTU=8800
IPV6INIT=yes

Then I created a namespace:

# ip netns show
testns (id: 0)

I created a veth pair, k8sveth0 and k8sveth1, added k8sveth0 to cbr0 and moved k8sveth1 into the namespace testns.

IPv6 routes:

# ip -6 r
::/96 dev sit6to4 proto kernel metric 256 mtu 8800
2002:ac12:b05f::/48 dev sit6to4 proto kernel metric 256
2002:ac12:b05f::/48 dev cbr0 proto kernel metric 256 mtu 1500
2002:ac10::/28 dev sit6to4 metric 8
2002:c0a8::/32 dev sit6to4 metric 8
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev cbr0 proto kernel metric 256 mtu 1500
fe80::/64 dev k8sveth0 proto kernel metric 256
default dev sit6to4 metric 1

Output of the command ip a:

# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
   valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
   valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 8800 qdisc pfifo_fast master cbr0 state UP qlen 1000
link/ether 52:82:00:4d:f5:42 brd ff:ff:ff:ff:ff:ff
inet6 fe80::5082:ff:fe4d:f542/64 scope link
   valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether 52:82:00:5c:5d:31 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether 52:82:00:58:6d:97 brd ff:ff:ff:ff:ff:ff
7: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN
link/sit 0.0.0.0 brd 0.0.0.0
21: cbr0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether 22:22:22:77:e7:c5 brd ff:ff:ff:ff:ff:ff
inet 172.18.176.95/24 brd 172.18.176.255 scope global cbr0
   valid_lft forever preferred_lft forever
inet6 2002:ac12:b05f:1::2100/48 scope global
   valid_lft forever preferred_lft forever
inet6 2002:ac12:b05f:1::21/48 scope global
   valid_lft forever preferred_lft forever
inet6 fe80::5082:ff:fe4d:f542/64 scope link
   valid_lft forever preferred_lft forever
22: sit6to4@NONE: <NOARP,UP,LOWER_UP> mtu 8800 qdisc noqueue state UNKNOWN
link/sit 172.18.176.95 brd 0.0.0.0
inet6 2002:ac12:b05f::1/48 scope global
   valid_lft forever preferred_lft forever
inet6 ::172.18.176.95/96 scope global
   valid_lft forever preferred_lft forever
24: k8sveth0@if23: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master cbr0 state UP qlen 1000
link/ether a2:93:80:1c:2f:d6 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::a093:80ff:fe1c:2fd6/64 scope link
   valid_lft forever preferred_lft forever

IP configuration inside the testns namespace:

# ip netns exec testns ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN
    link/sit 0.0.0.0 brd 0.0.0.0
23: k8sveth1@if24: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether a2:f3:40:c1:21:4e brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 2002:ac12:b05f:1::2102/48 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::a0f3:40ff:fec1:214e/64 scope link
       valid_lft forever preferred_lft forever

Now I ran ping6 on the host:

# ping6 2002:ac1c:b401:1::11
PING 2002:ac1c:b401:1::11(2002:ac1c:b401:1::11) 56 data bytes
64 bytes from 2002:ac1c:b401:1::11: icmp_seq=1 ttl=63 time=1.14 ms
64 bytes from 2002:ac1c:b401:1::11: icmp_seq=2 ttl=63 time=1.05 ms

That works fine. But when I run ping6 inside the testns namespace, I get this:

# ip netns exec testns ping6 2002:ac1c:b401:1::11
PING 2002:ac1c:b401:1::11(2002:ac1c:b401:1::11) 56 data bytes
^C
--- 2002:ac1c:b401:1::11 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 5999ms

I tried listening with tcpdump on the sit6to4 interface and got no output. Then I listened with tcpdump on the cbr0 interface:

# tcpdump -i cbr0 -n icmp6 -eee
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on cbr0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:50:23.681084 a2:f3:40:c1:21:4e > 33:33:ff:00:00:11, ethertype IPv6 (0x86dd), length 86: 2002:ac12:b05f:1::2102 > ff02::1:ff00:11: ICMP6, neighbor solicitation, who has 2002:ac1c:b401:1::11, length 32
16:50:24.682453 a2:f3:40:c1:21:4e > 33:33:ff:00:00:11, ethertype IPv6 (0x86dd), length 86: 2002:ac12:b05f:1::2102 > ff02::1:ff00:11: ICMP6, neighbor solicitation, who has 2002:ac1c:b401:1::11, length 32
16:50:25.684448 a2:f3:40:c1:21:4e > 33:33:ff:00:00:11, ethertype IPv6 (0x86dd), length 86: 2002:ac12:b05f:1::2102 > ff02::1:ff00:11: ICMP6, neighbor solicitation, who has 2002:ac1c:b401:1::11, length 32

I tried to attach the sit6to4 interface to cbr0:

# ip link set dev sit6to4 master cbr0
RTNETLINK answers: Invalid argument

I have already enabled IPv6 forwarding everywhere and set cbr0 to promiscuous mode.

Can anyone help me?

Answer 1

A bridge works on L2 frames (with Ethernet headers). 6to4/6in4 is a pure L3 tunnel: as the name says, it encapsulates IPv6 packets directly, not Ethernet frames. So it cannot be bridged, only routed.

You have a whole /48 at your disposal, so I suggest subdividing it into /64s and using ordinary routing. Nobody really uses a /48 on a link; don't assign "2002:xxxx::/48" directly to interfaces. Instead, use one /64 for the sit6to4 interface and another /64 for the bridge.
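As an added example (not part of the answer above or of the asker's setup), the following Python script does the arithmetic the answer recommends: it derives the 2002::/48 6to4 prefix from the tunnel's IPv4 endpoint (RFC 3056), carves out one /64 for sit6to4 and one for cbr0, shows which IPv4 address a 6to4 router encapsulates to for a given destination, and emits the iproute2 commands for the routed layout. Interface and namespace names are taken from the question; the /64 indices, the ::1 and ::2 host addresses and the `ttl 64` are assumptions of this example.

```python
"""Plan a routed (not bridged) 6to4 layout for a CentOS host.

Added example, not code from the original post. Uses only the standard
library; interface names (sit6to4, cbr0, k8sveth1) and the namespace
(testns) come from the question, the /64 indices and host IDs are assumed.
"""
import ipaddress

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")


def sixtofour_prefix(ipv4_endpoint):
    """RFC 3056: the site prefix is 2002:VVVV:VVVV::/48 where V is the
    tunnel's IPv4 endpoint placed in bits 16..47 of the address."""
    v4 = int(ipaddress.IPv4Address(ipv4_endpoint))
    return ipaddress.IPv6Network((int(SIXTOFOUR.network_address) | (v4 << 80), 48))


def embedded_ipv4(ipv6):
    """IPv4 address a 6to4 router puts in the outer header for this destination
    (None for a non-6to4 address). The kernel routes on this embedded address,
    never on a MAC address, which is why a sit device cannot be a bridge port."""
    return ipaddress.IPv6Address(ipv6).sixtofour


def carve(net48, index):
    """Return the index-th /64 inside a 6to4 /48 (0 <= index < 2**16)."""
    if not 0 <= index < 2 ** 16:
        raise ValueError("a /48 holds exactly 65536 /64s")
    return ipaddress.IPv6Network((int(net48.network_address) + (index << 64), 64))


def plan(ipv4_endpoint, tunnel_index=0, bridge_index=1):
    """Routed layout: one /64 on the tunnel, a different /64 on the bridge;
    hosts behind the bridge (here the netns) default-route to the bridge address.
    Host IDs ::1 (router) and ::2 (namespace) are an assumption of this example."""
    net48 = sixtofour_prefix(ipv4_endpoint)
    tun = carve(net48, tunnel_index)
    br = carve(net48, bridge_index)
    return {
        "site": net48,
        "tunnel": tun, "tunnel_addr": tun[1],
        "bridge": br, "bridge_addr": br[1],
        "ns_addr": br[2],
    }


def commands(p, v4_local, ns="testns", tun="sit6to4", br="cbr0", ns_if="k8sveth1"):
    """iproute2 equivalent of the corrected layout. The ifcfg files would carry
    the same values, with IPV6ADDR=.../64 instead of /48 on both interfaces."""
    return [
        # 6to4: no fixed remote, the IPv4 destination is taken from each packet
        f"ip tunnel add {tun} mode sit remote any local {v4_local} ttl 64",
        f"ip link set {tun} up",
        f"ip -6 addr add {p['tunnel_addr']}/64 dev {tun}",
        # every other 6to4 site is reached through the tunnel
        f"ip -6 route add 2002::/16 dev {tun}",
        # the bridge gets its own /64 and acts as the router for the namespace
        f"ip -6 addr add {p['bridge_addr']}/64 dev {br}",
        f"ip netns exec {ns} ip -6 addr add {p['ns_addr']}/64 dev {ns_if}",
        f"ip netns exec {ns} ip -6 route add default via {p['bridge_addr']}",
        "sysctl -w net.ipv6.conf.all.forwarding=1",
    ]


if __name__ == "__main__":
    local_v4 = "172.18.176.95"                 # tunnel endpoint from the question
    peer = "2002:ac1c:b401:1::11"              # host pinged in the question
    p = plan(local_v4)
    print(f"site prefix     : {p['site']}")
    print(f"tunnel /64      : {p['tunnel']}  ({p['tunnel_addr']})")
    print(f"bridge /64      : {p['bridge']}  ({p['bridge_addr']})")
    print(f"{peer} is encapsulated to IPv4 {embedded_ipv4(peer)}")
    print("\n".join(commands(p, local_v4)))
```

Running it for the question's endpoint prints 2002:ac12:b05f::/48 as the site prefix, confirms that 2002:ac1c:b401:1::11 is encapsulated to 172.28.180.1 (a different 6to4 router), and lists the commands that replace the /48-on-every-interface configuration. One caveat for this particular deployment: a 2002: prefix derived from an RFC 1918 address such as 172.18.176.95 is only meaningful inside that private IPv4 network; public 6to4 relays will not route it back.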
