我们有一个设置,其中 Linux 服务器上的程序控制其 Linux 下属程序(通过 TCP 和 UDP 与它们通信)。
有几组下属。每组通过以太网连接到服务器上的单个网络接口卡。
区分各组非常重要。
下属可能会丢失(它们会损坏),并且应该是热插拔的(损坏的会被新的替换,并且服务器应该在一分钟左右的时间内看到它们)。
通常我们只有少数下属(1-5 个)。
进行此类发现的最佳做法是什么?
我的第一次尝试是简单地 ping 并通过以下方式过滤结果
ping6 ff02::1%wlp3s0
但只有服务器本身在应答。奇怪的是,它在我的 android 平板电脑上运行良好,wireshark 也能看到来自其他设备的 ping 回复,但 ping 输出中没有任何内容。不过我可以 ping 单播。(我在我的 mint 笔记本上进行了测试,但如果它不在测试机上,为什么它在 ubuntu 服务器上可靠?它是否依赖于 nic 驱动程序?我有时会遇到 wifi 问题。)
我也尝试过发送多播 udp 包(这可能吗?),但即使在本地也没有成功:
// terminal a:
$ nc -6luv 10000
Listening on [:::] (family 10, port 10000)
//terminal b:
$ echo "blah" | nc -6uv "ff01::1%wlp3s0" 10000
nc: getaddrinfo: Name or service not known
$ echo "blah" | nc -6uv -q1 "ff02::1%wlp3s0" 10000
Connection to ff02::1%wlp3s0 10000 port [udp/*] succeeded! // nothing on terminal a
还有其他想法吗?
有人在评论中说这可能是 ip6tables 规则。我没有更改默认的 linux mint 规则,ip6tables 的输出如下:它很长,我几乎没有阅读经验。有什么帮助吗?
Chain INPUT (policy DROP)
target prot opt source destination
ufw6-before-logging-input all anywhere anywhere
ufw6-before-input all anywhere anywhere
ufw6-after-input all anywhere anywhere
ufw6-after-logging-input all anywhere anywhere
ufw6-reject-input all anywhere anywhere
ufw6-track-input all anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ufw6-before-logging-forward all anywhere anywhere
ufw6-before-forward all anywhere anywhere
ufw6-after-forward all anywhere anywhere
ufw6-after-logging-forward all anywhere anywhere
ufw6-reject-forward all anywhere anywhere
ufw6-track-forward all anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw6-before-logging-output all anywhere anywhere
ufw6-before-output all anywhere anywhere
ufw6-after-output all anywhere anywhere
ufw6-after-logging-output all anywhere anywhere
ufw6-reject-output all anywhere anywhere
ufw6-track-output all anywhere anywhere
Chain ufw6-after-forward (1 references)
target prot opt source destination
Chain ufw6-after-input (1 references)
target prot opt source destination
ufw6-skip-to-policy-input udp anywhere anywhere udp dpt:netbios-ns
ufw6-skip-to-policy-input udp anywhere anywhere udp dpt:netbios-dgm
ufw6-skip-to-policy-input tcp anywhere anywhere tcp dpt:netbios-ssn
ufw6-skip-to-policy-input tcp anywhere anywhere tcp dpt:microsoft-ds
ufw6-skip-to-policy-input udp anywhere anywhere udp dpt:dhcpv6-client
ufw6-skip-to-policy-input udp anywhere anywhere udp dpt:dhcpv6-server
Chain ufw6-after-logging-forward (1 references)
target prot opt source destination
LOG all anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw6-after-logging-input (1 references)
target prot opt source destination
LOG all anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw6-after-logging-output (1 references)
target prot opt source destination
Chain ufw6-after-output (1 references)
target prot opt source destination
Chain ufw6-before-forward (1 references)
target prot opt source destination
DROP all anywhere anywhere rt type:0
ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp destination-unreachable
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp packet-too-big
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp time-exceeded
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp parameter-problem
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-request
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-reply
ufw6-user-forward all anywhere anywhere
Chain ufw6-before-input (1 references)
target prot opt source destination
ACCEPT all anywhere anywhere
DROP all anywhere anywhere rt type:0
ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED
ufw6-logging-deny all anywhere anywhere ctstate INVALID
DROP all anywhere anywhere ctstate INVALID
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp destination-unreachable
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp packet-too-big
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp time-exceeded
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp parameter-problem
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-request
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-reply
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp router-solicitation HL match HL == 255
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp router-advertisement HL match HL == 255
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp neighbour-solicitation HL match HL == 255
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp neighbour-advertisement HL match HL == 255
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 141 HL match HL == 255
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 142 HL match HL == 255
ACCEPT ipv6-icmp fe80::/10 anywhere ipv6-icmptype 130
ACCEPT ipv6-icmp fe80::/10 anywhere ipv6-icmptype 131
ACCEPT ipv6-icmp fe80::/10 anywhere ipv6-icmptype 132
ACCEPT ipv6-icmp fe80::/10 anywhere ipv6-icmptype 143
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 148 HL match HL == 255
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 149 HL match HL == 255
ACCEPT ipv6-icmp fe80::/10 anywhere ipv6-icmptype 151 HL match HL == 1
ACCEPT ipv6-icmp fe80::/10 anywhere ipv6-icmptype 152 HL match HL == 1
ACCEPT ipv6-icmp fe80::/10 anywhere ipv6-icmptype 153 HL match HL == 1
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-request
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-reply
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 144
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 145
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 146
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 147
ACCEPT udp fe80::/10 fe80::/10 udp spt:dhcpv6-server dpt:dhcpv6-client
ACCEPT udp anywhere ff02::fb udp dpt:mdns
ACCEPT udp anywhere ff02::f udp dpt:1900
ufw6-user-input all anywhere anywhere
Chain ufw6-before-logging-forward (1 references)
target prot opt source destination
Chain ufw6-before-logging-input (1 references)
target prot opt source destination
Chain ufw6-before-logging-output (1 references)
target prot opt source destination
Chain ufw6-before-output (1 references)
target prot opt source destination
ACCEPT all anywhere anywhere
DROP all anywhere anywhere rt type:0
ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp destination-unreachable
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp packet-too-big
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp time-exceeded
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp parameter-problem
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp router-solicitation HL match HL == 255
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp neighbour-advertisement HL match HL == 255
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp neighbour-solicitation HL match HL == 255
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp router-advertisement HL match HL == 255
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 141 HL match HL == 255
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 142 HL match HL == 255
ACCEPT ipv6-icmp fe80::/10 anywhere ipv6-icmptype 130
ACCEPT ipv6-icmp fe80::/10 anywhere ipv6-icmptype 131
ACCEPT ipv6-icmp fe80::/10 anywhere ipv6-icmptype 132
ACCEPT ipv6-icmp fe80::/10 anywhere ipv6-icmptype 143
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 148 HL match HL == 255
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 149 HL match HL == 255
ACCEPT ipv6-icmp fe80::/10 anywhere ipv6-icmptype 151 HL match HL == 1
ACCEPT ipv6-icmp fe80::/10 anywhere ipv6-icmptype 152 HL match HL == 1
ACCEPT ipv6-icmp fe80::/10 anywhere ipv6-icmptype 153 HL match HL == 1
ufw6-user-output all anywhere anywhere
Chain ufw6-logging-allow (0 references)
target prot opt source destination
LOG all anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw6-logging-deny (1 references)
target prot opt source destination
RETURN all anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
LOG all anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw6-reject-forward (1 references)
target prot opt source destination
Chain ufw6-reject-input (1 references)
target prot opt source destination
Chain ufw6-reject-output (1 references)
target prot opt source destination
Chain ufw6-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all anywhere anywhere
Chain ufw6-skip-to-policy-input (6 references)
target prot opt source destination
DROP all anywhere anywhere
Chain ufw6-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all anywhere anywhere
Chain ufw6-track-forward (1 references)
target prot opt source destination
Chain ufw6-track-input (1 references)
target prot opt source destination
Chain ufw6-track-output (1 references)
target prot opt source destination
ACCEPT tcp anywhere anywhere ctstate NEW
ACCEPT udp anywhere anywhere ctstate NEW
Chain ufw6-user-forward (1 references)
target prot opt source destination
Chain ufw6-user-input (1 references)
target prot opt source destination
ACCEPT udp anywhere anywhere multiport dports 1714:1764
ACCEPT tcp anywhere anywhere multiport dports 1714:1764
Chain ufw6-user-limit (0 references)
target prot opt source destination
LOG all anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT all anywhere anywhere reject-with icmp6-port-unreachable
Chain ufw6-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all anywhere anywhere
Chain ufw6-user-logging-forward (0 references)
target prot opt source destination
Chain ufw6-user-logging-input (0 references)
target prot opt source destination
Chain ufw6-user-logging-output (0 references)
target prot opt source destination
Chain ufw6-user-output (1 references)
target prot opt source destination
我尝试禁用 ufw 防火墙,然后sudo ufw disableping 开始工作。我很快就会报告 ubuntu 的一个错误,但 ping 是一个好方法吗?
答案1
我在 LEDE 防火墙上遇到了类似的问题;本地链路多播 ping(例如到 ff02::1)没有得到答复,因为 ctstate INVALID 的输出规则丢弃了回应回复。单播 ping(本地链路和 ULA)工作正常。
我怀疑 conntrack 系统在这里缺少一个技巧——由于请求(多播)的目的地与答复(单播)的源不同,它无法将它们识别为相关的——尽管它应该如此。