No IPv6 traffic in bridged mode

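Hello, happy people o/~

Yesterday I boldly rebooted a remote Linux server. The Ubuntu 64, 12.04 install went from kernel 3.11.0-19-generic to 3.13.0-32-generic, and from being able to communicate via both IPv4 and IPv6 to only being able to receive and send IPv4 traffic.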

### Hetzner's default network, modified to fit a bridge
# Loopback device:
auto lo
iface lo inet loopback

# device: eth0
auto  virbr1
iface virbr1 inet static
  address   5.9.87.134
  broadcast 5.9.87.159
  netmask   255.255.255.224
  gateway   5.9.87.129
  bridge_ports eth0
  bridge_stp on
  bridge_maxwait 0
  # Set-up IPv6 and Hetzner routes
  # guarantee idempotency:
  pre-up ip addr del 2a01:4f8:162:11c5::2/64 dev virbr1 || true
  up ip addr add 2a01:4f8:162:11c5::2/64 dev virbr1
  # default route to access subnet
  # idempotency here is easier, because we have 'replace'
  up ip route replace to 5.9.87.128/255.255.255.224 via 5.9.87.129 dev virbr1
  # add Hetzner IPv6 route
  up ip route replace default via fe80::1 dev virbr1

This results in:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master virbr1 state UP qlen 1000
    link/ether c8:60:00:df:06:35 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::ca60:ff:fedf:635/64 scope link 
       valid_lft forever preferred_lft forever
3: virbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP 
    link/ether c8:60:00:df:06:35 brd ff:ff:ff:ff:ff:ff
    inet 5.9.87.134/27 brd 5.9.87.159 scope global virbr1
       valid_lft forever preferred_lft forever
    inet6 2a01:4f8:162:11c5::2/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::ca60:ff:fedf:635/64 scope link 
       valid_lft forever preferred_lft forever
4: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP 
    link/ether 52:54:00:65:05:b0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
    inet6 2a01:4f8:162:11c5::10:1/112 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe65:5b0/64 scope link 
       valid_lft forever preferred_lft forever
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc noop master virbr0 state DOWN qlen 500
    link/ether 52:54:00:65:05:b0 brd ff:ff:ff:ff:ff:ff
6: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master virbr0 state UNKNOWN qlen 500
    link/ether fe:54:00:dc:99:21 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:fedc:9921/64 scope link 
       valid_lft forever preferred_lft forever

Routes:

igalic@steak ~ % ip r
default via 5.9.87.129 dev virbr1  metric 100 
5.9.87.128/27 via 5.9.87.129 dev virbr1 
192.168.122.0/24 dev virbr0  proto kernel  scope link  src 192.168.122.1 
igalic@steak ~ % ip -6 r
2a01:4f8:162:11c5::10:0/112 dev virbr0  proto kernel  metric 256 
2a01:4f8:162:11c5::/64 dev virbr1  proto kernel  metric 256 
fe80::/64 dev eth0  proto kernel  metric 256 
fe80::/64 dev vnet0  proto kernel  metric 256 
fe80::/64 dev vnet1  proto kernel  metric 256 
fe80::/64 dev vnet2  proto kernel  metric 256 
fe80::/64 dev vnet3  proto kernel  metric 256 
fe80::/64 dev vnet4  proto kernel  metric 256 
fe80::/64 dev vnet5  proto kernel  metric 256 
fe80::/64 dev vnet6  proto kernel  metric 256 
fe80::/64 dev vnet7  proto kernel  metric 256 
fe80::/64 dev vnet8  proto kernel  metric 256 
fe80::/64 dev virbr0  proto kernel  metric 256 
fe80::/64 dev vnet9  proto kernel  metric 256 
fe80::/64 dev vnet10  proto kernel  metric 256 
fe80::/64 dev virbr1  proto kernel  metric 256 
default via fe80::1 dev virbr1  metric 1024 
igalic@steak ~ % 

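This has been shortened for brevity, because the server has a lot of virtual machines. It can communicate with these virtual machines just fine over both IPv4 and IPv6. It can communicate with the world just fine over IPv4, and so can its virtual machines.

Let's pause here and consider a question that is frequently asked in ##networking and in the comments here:

Why is your design so weird?

virbr1 is the bridge that carries the external IPv4 address. According to Hetzner's network design, or their recommendation, I have to bind the main IPv6 address to it.

See http://wiki.hetzner.de/index.php/Zusaetzliche_IP-Adressen#IPv6_Subnetz (note: the recommendation on how to split the /64 does not exist in the English version of the same document: http://wiki.hetzner.de/index.php/Zusaetzliche_IP-Adressen/en)

But I only use the IPv6 addresses for internal communication, that is, I only use them to connect services between servers that don't need to talk to the outside world: puppet, databases, etc. I can't use ULA addresses here, for the same reason I can't stick with IPv4: the servers that need to talk to each other are not in the same DC, so private IPv4 or ULA would be useless.

I also need IPv4 on these internal links: I use them for provisioning. Hetzner does not allow PXE that is not under their control, so I have to run the server on the setup server. (Have you tried preseeding over a VPN? PXE booting over IPv6? That's why.)

After this short break, let's get back to...

IPv6: doing nothing at all

The host cannot communicate with the outside world via IPv6. The outside world cannot communicate with the host via IPv6. The host can reach its own virtual machines via IPv6. The virtual machines can reach the host via IPv6. But the virtual machines cannot reach each other.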

igalic@steak ~ % ping6 google.com -c5
PING google.com(fra07s30-in-x08.1e100.net) 56 data bytes
From steak icmp_seq=1 Destination unreachable: Address unreachable
From steak icmp_seq=2 Destination unreachable: Address unreachable
From steak icmp_seq=3 Destination unreachable: Address unreachable
From steak icmp_seq=4 Destination unreachable: Address unreachable
From steak icmp_seq=5 Destination unreachable: Address unreachable

--- google.com ping statistics ---
5 packets transmitted, 0 received, +5 errors, 100% packet loss, time 4024ms

1 igalic@steak ~ %

I have a second server with exactly the same setup, and it works. Here is a ping from bacon (works) to steak (doesn't work):

igalic@bacon ~ % ping6 2a01:4f8:162:11c5::2 -c5
PING 2a01:4f8:162:11c5::2(2a01:4f8:162:11c5::2) 56 data bytes

--- 2a01:4f8:162:11c5::2 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4032ms

1 igalic@bacon ~ %

While I do that, tcpdump shows what is happening:

igalic@steak ~ % sudo tcpdump -vi any icmp6
[sudo] password for igalic: 
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
10:17:31.712316 IP6 (hlim 59, next-header ICMPv6 (58) payload length: 64) 2a01:4f8:150:5024::2 > steak: [icmp6 sum ok] ICMP6, echo request, seq 1
10:17:31.712316 IP6 (hlim 59, next-header ICMPv6 (58) payload length: 64) 2a01:4f8:150:5024::2 > steak: [icmp6 sum ok] ICMP6, echo request, seq 1
10:17:31.712429 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) steak > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
          source link-address option (1), length 8 (1): c8:60:00:df:06:35
10:17:32.709170 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) steak > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
          source link-address option (1), length 8 (1): c8:60:00:df:06:35
10:17:32.718647 IP6 (hlim 59, next-header ICMPv6 (58) payload length: 64) 2a01:4f8:150:5024::2 > steak: [icmp6 sum ok] ICMP6, echo request, seq 2
10:17:32.718647 IP6 (hlim 59, next-header ICMPv6 (58) payload length: 64) 2a01:4f8:150:5024::2 > steak: [icmp6 sum ok] ICMP6, echo request, seq 2
10:17:33.709162 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) steak > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
          source link-address option (1), length 8 (1): c8:60:00:df:06:35
10:17:33.729483 IP6 (hlim 59, next-header ICMPv6 (58) payload length: 64) 2a01:4f8:150:5024::2 > steak: [icmp6 sum ok] ICMP6, echo request, seq 3
10:17:33.729483 IP6 (hlim 59, next-header ICMPv6 (58) payload length: 64) 2a01:4f8:150:5024::2 > steak: [icmp6 sum ok] ICMP6, echo request, seq 3
10:17:34.709180 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 112) steak > steak: [icmp6 sum ok] ICMP6, destination unreachable, unreachable address 2a01:4f8:150:5024::2
10:17:34.709214 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 112) steak > steak: [icmp6 sum ok] ICMP6, destination unreachable, unreachable address 2a01:4f8:150:5024::2
10:17:34.709239 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 112) steak > steak: [icmp6 sum ok] ICMP6, destination unreachable, unreachable address 2a01:4f8:150:5024::2
10:17:34.735945 IP6 (hlim 59, next-header ICMPv6 (58) payload length: 64) 2a01:4f8:150:5024::2 > steak: [icmp6 sum ok] ICMP6, echo request, seq 4
10:17:34.735945 IP6 (hlim 59, next-header ICMPv6 (58) payload length: 64) 2a01:4f8:150:5024::2 > steak: [icmp6 sum ok] ICMP6, echo request, seq 4
10:17:34.736042 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) steak > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
          source link-address option (1), length 8 (1): c8:60:00:df:06:35
10:17:35.733165 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) steak > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
          source link-address option (1), length 8 (1): c8:60:00:df:06:35
10:17:35.745519 IP6 (hlim 59, next-header ICMPv6 (58) payload length: 64) 2a01:4f8:150:5024::2 > steak: [icmp6 sum ok] ICMP6, echo request, seq 5
10:17:35.745519 IP6 (hlim 59, next-header ICMPv6 (58) payload length: 64) 2a01:4f8:150:5024::2 > steak: [icmp6 sum ok] ICMP6, echo request, seq 5
10:17:36.733160 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) steak > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
          source link-address option (1), length 8 (1): c8:60:00:df:06:35
10:17:37.733188 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 112) steak > steak: [icmp6 sum ok] ICMP6, destination unreachable, unreachable address 2a01:4f8:150:5024::2
10:17:37.733215 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 112) steak > steak: [icmp6 sum ok] ICMP6, destination unreachable, unreachable address 2a01:4f8:150:5024::2
^C
21 packets captured
26 packets received by filter
0 packets dropped by kernel
igalic@steak ~ % 

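The effect of disabling iptables on the behavior.

That is all the information I consider useful. I'm now at a bit of a loss as to how to go on debugging this.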
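
An added example, not part of the original post: a small Python script that tallies the ICMPv6 events in `tcpdump -v` text like the capture above and lists neighbor-solicitation targets that never received a neighbor advertisement. The function names are made up for this example, and the advertisement pattern assumes tcpdump's usual `tgt is <address>` wording, which does not occur in the post's capture.

```python
import re
from collections import Counter

ADDR = r"([0-9a-fA-F:]+)"
NS = re.compile(r"neighbor solicitation.*?who has " + ADDR)
NA = re.compile(r"neighbor advertisement.*?tgt is " + ADDR)  # assumed wording
ECHO = re.compile(r"echo (request|reply), seq (\d+)")
UNREACH = re.compile(r"destination unreachable, unreachable address " + ADDR)

# Lines copied from the capture in the post (seq 1 and 2 only, duplicates dropped).
SAMPLE = """\
10:17:31.712316 IP6 (hlim 59, next-header ICMPv6 (58) payload length: 64) 2a01:4f8:150:5024::2 > steak: [icmp6 sum ok] ICMP6, echo request, seq 1
10:17:31.712429 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) steak > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
10:17:32.709170 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) steak > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
10:17:32.718647 IP6 (hlim 59, next-header ICMPv6 (58) payload length: 64) 2a01:4f8:150:5024::2 > steak: [icmp6 sum ok] ICMP6, echo request, seq 2
10:17:34.709180 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 112) steak > steak: [icmp6 sum ok] ICMP6, destination unreachable, unreachable address 2a01:4f8:150:5024::2
"""


def summarize(capture):
    """Count ICMPv6 events per type from tcpdump -v text output."""
    s = {"solicited": Counter(), "advertised": set(),
         "requests": set(), "replies": set(), "unreachable": Counter()}
    for line in capture.splitlines():
        if m := NS.search(line):
            s["solicited"][m.group(1)] += 1
        elif m := NA.search(line):
            s["advertised"].add(m.group(1))
        elif m := ECHO.search(line):
            key = "requests" if m.group(1) == "request" else "replies"
            s[key].add(int(m.group(2)))  # a set, so "-i any" duplicates collapse
        elif m := UNREACH.search(line):
            s["unreachable"][m.group(1)] += 1
    return s


def unresolved_neighbors(s):
    """Targets that were solicited but never answered with an advertisement."""
    return sorted(t for t in s["solicited"] if t not in s["advertised"])


if __name__ == "__main__":
    s = summarize(SAMPLE)
    for target in unresolved_neighbors(s):
        print(f"{target}: {s['solicited'][target]} solicitations, no advertisement")
    print("echo requests without reply:", sorted(s["requests"] - s["replies"]))
```
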
