我在 VirtualBox 环境中运行 Linux。我已经成功定义了 2 个通过桥连接的命名空间,可以相互通信。我希望能够将 UDP 数据包发送到实际网络上,以便我可以解决在另一个进程中运行的 QEMU 会话(不是我当前问题的重点)。
这是我的设置脚本,它似乎在命名空间中工作:
#!/bin/bash -x
sudo ip link add br0 type bridge
sudo ip addr add 172.31.24.5/24 dev br0
sudo ip link set dev br0 up
# tie the ethernet physical port to the bridge
sudo ip link set dev enp0s3 master br0
sudo ip netns add gmi153
sudo ip netns add mock135
sudo ip link add veth-gmi type veth peer name veth-gmi-br
sudo ip link add veth-mock type veth peer name veth-mock-br
sudo ip link
sudo ip link set veth-gmi netns gmi153
sudo ip link set veth-mock netns mock135
sudo ip link set veth-gmi-br master br0
sudo ip link set veth-mock-br master br0
sudo ip -n gmi153 addr add 172.31.24.153/24 dev veth-gmi
sudo ip -n mock135 addr add 172.31.24.135/24 dev veth-mock
sudo ip -n gmi153 link set veth-gmi up
sudo ip -n mock135 link set veth-mock up
sudo ip link set veth-gmi-br up
sudo ip link set veth-mock-br up
# add the default gateway in all the network namespace.
ip netns exec gmi153 ip route add default via 172.31.24.5
sudo ip netns exec gmi153 ping 172.31.24.135
在正常网络中我可以看到:
如果配置
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.31.24.5 netmask 255.255.255.0 broadcast 0.0.0.0
inet6 fe80::1cf3:fdff:fe58:ba01 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:86:e4:57 txqueuelen 1000 (Ethernet)
RX packets 375 bytes 21413 (21.4 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 62 bytes 6916 (6.9 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.2.15 netmask 255.255.255.0 broadcast 10.0.2.255
inet6 fe80::4943:c6f9:c5c1:da26 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:86:e4:57 txqueuelen 1000 (Ethernet)
RX packets 572 bytes 298973 (298.9 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 569 bytes 59746 (59.7 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 560 bytes 55475 (55.4 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 560 bytes 55475 (55.4 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth-gmi-br: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::18cc:ff:fe79:58df prefixlen 64 scopeid 0x20<link>
ether 1a:cc:00:79:58:df txqueuelen 1000 (Ethernet)
RX packets 80 bytes 7264 (7.2 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 91 bytes 8675 (8.6 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth-mock-br: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::f05c:a9ff:fe6b:df90 prefixlen 64 scopeid 0x20<link>
ether f2:5c:a9:6b:df:90 txqueuelen 1000 (Ethernet)
RX packets 35 bytes 3022 (3.0 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 85 bytes 8238 (8.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
但在命名空间内我看到了这一点:
ip netns exec gmi153 ifconfig
veth-gmi: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.31.24.153 netmask 255.255.255.0 broadcast 0.0.0.0
inet6 fe80::5c20:80ff:fe4c:6a63 prefixlen 64 scopeid 0x20<link>
ether 5e:20:80:4c:6a:63 txqueuelen 1000 (Ethernet)
RX packets 91 bytes 8675 (8.6 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 80 bytes 7264 (7.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
当我这样做时,我没有得到 ping 响应:
ip netns exec gmi153 ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
注意:如果没有命名空间前缀,我也不会得到 ping 响应,这是我在执行安装脚本之前所做的。所以,显然,我真的不明白我在做什么。
几秒钟后,tcpdump 显示:
tcp转储
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth-gmi-br, link-type EN10MB (Ethernet), capture size 262144 bytes
14:09:21.468289 IP 172.31.24.153 > 8.8.8.8: ICMP echo request, id 2499, seq 9, length 64
14:09:22.492296 IP 172.31.24.153 > 8.8.8.8: ICMP echo request, id 2499, seq 10, length 64
14:09:23.515931 IP 172.31.24.153 > 8.8.8.8: ICMP echo request, id 2499, seq 11, length 64
14:09:24.539827 IP 172.31.24.153 > 8.8.8.8: ICMP echo request, id 2499, seq 12, length 64
14:09:25.577254 IP 172.31.24.153 > 8.8.8.8: ICMP echo request, id 2499, seq 13, length 64
14:09:26.587574 IP 172.31.24.153 > 8.8.8.8: ICMP echo request, id 2499, seq 14, length 64
14:09:27.623271 IP 172.31.24.153 > 8.8.8.8: ICMP echo request, id 2499, seq 15, length 64
14:09:28.655940 IP 172.31.24.153 > 8.8.8.8: ICMP echo request, id 2499, seq 16, length 64
14:09:29.661224 IP 172.31.24.153 > 8.8.8.8: ICMP echo request, id 2499, seq 17, length 64
14:09:30.683523 IP 172.31.24.153 > 8.8.8.8: ICMP echo request, id 2499, seq 18, length 64
14:09:31.708402 IP 172.31.24.153 > 8.8.8.8: ICMP echo request, id 2499, seq 19, length 64
14:09:32.733287 IP 172.31.24.153 > 8.8.8.8: ICMP echo request, id 2499, seq 20, length 64
14:09:33.764490 IP 172.31.24.153 > 8.8.8.8: ICMP echo request, id 2499, seq 21, length 64
14:09:34.784327 IP 172.31.24.153 > 8.8.8.8: ICMP echo request, id 2499, seq 22, length 64
14:09:35.804343 IP 172.31.24.153 > 8.8.8.8: ICMP echo request, id 2499, seq 23, length 64
14:09:36.829240 IP 172.31.24.153 > 8.8.8.8: ICMP echo request, id 2499, seq 24, length 64
14:09:40.028085 ARP, Request who-has 172.31.24.5 tell 172.31.24.153, length 28
14:09:40.028101 ARP, Reply 172.31.24.5 is-at 08:00:27:86:e4:57 (oui Unknown), length 28
我的目标只是拥有 2 个命名空间,我可以在其中声明它们的 IP 地址,这些地址可以相互通信,也可以在它们的命名空间之外连接到其他位置,无论是在本地 Linux 地址空间还是在互联网上。谢谢
答案1
我认为您缺少获取网络命名空间以访问外部网络所需的以下一个或多个步骤:
- 您需要使用 sysctl 来确保在内核中启用 IP 数据包转发。
- 您需要将防火墙配置为在命名空间接口和它们需要访问的任何其他接口之间进行伪装/NAT,即将您的计算机设置为路由器。
- 您需要确保路由配置正确,例如使用
ip route子命令。
很难给出更完整的答案,因为该问题缺乏某些特定信息,例如您的发行版和防火墙,但这应该会让您走上正确的轨道。