netns
1. Basic concepts
Parameters of `ip link add` (from ip-link(8)):
- link DEVICE: specifies the physical device to operate on.
- NAME: specifies the name of the new virtual device.
- TYPE: specifies the type of the new device.
Link types:
bridge - Ethernet Bridge device
bond - Bonding device
dummy - Dummy network interface
hsr - High-availability Seamless Redundancy device
ifb - Intermediate Functional Block device
ipoib - IP over Infiniband device
macvlan - Virtual interface based on link layer address (MAC)
macvtap - Virtual interface based on link layer address (MAC) and TAP.
vcan - Virtual Controller Area Network interface
vxcan - Virtual Controller Area Network tunnel interface
veth - Virtual ethernet interface
vlan - 802.1q tagged virtual LAN interface
vxlan - Virtual eXtended LAN
ip6tnl - Virtual tunnel interface IPv4|IPv6 over IPv6
ipip - Virtual tunnel interface IPv4 over IPv4
sit - Virtual tunnel interface IPv6 over IPv4
gre - Virtual tunnel interface GRE over IPv4
gretap - Virtual L2 tunnel interface GRE over IPv4
erspan - Encapsulated Remote SPAN over GRE and IPv4
ip6gre - Virtual tunnel interface GRE over IPv6
ip6gretap - Virtual L2 tunnel interface GRE over IPv6
ip6erspan - Encapsulated Remote SPAN over GRE and IPv6
vti - Virtual tunnel interface
nlmon - Netlink monitoring device
ipvlan - Interface for L3 (IPv6/IPv4) based VLANs
lowpan - Interface for 6LoWPAN (IPv6) over IEEE 802.15.4 / Bluetooth
geneve - GEneric NEtwork Virtualization Encapsulation
macsec - Interface for IEEE 802.1AE MAC Security (MACsec)
vrf - Interface for L3 VRF domains
netns
- Creates a completely isolated network environment with its own set of network interfaces, routing tables, ARP table, IP addresses, iptables rules, and so on.
```sh
ip netns add [NAMESPACE NAME]
```
VLAN
- Virtual LANs give you the ability to sub-divide a LAN. Linux can accept VLAN tagged traffic and presents each VLAN ID as a different network interface.
```sh
ip link add link eth0 name eth0.5 type vlan id 5
```
VxLAN
- Virtual eXtensible Local Area Network. It is an overlay technology that builds a virtual layer-2 network on top of a layer-3 network.
```sh
# A VXLAN device needs a VNI (id); dev names the underlay interface and 4789 is the standard UDP port
ip link add [NAME] type vxlan id [VNI] dev [DEVICE NAME] dstport 4789
```
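A worked example of the overlay idea, added here and not part of the original notes: two network namespaces joined by a veth pair form the layer-3 underlay, and a vxlan device inside each namespace builds a layer-2 overlay across it with a unicast remote instead of multicast. The namespace names, VNI 100 and the 10.0.0.0/24 (underlay) and 192.168.100.0/24 (overlay) addresses are constructed for the example. It needs root and iproute2; with DRY_RUN=1 it only prints the commands it would run.

```sh
#!/bin/sh
# Added example (not from the original notes): VXLAN overlay between two
# network namespaces. The veth pair is the layer-3 underlay (10.0.0.0/24,
# constructed); the vxlan devices form a layer-2 overlay (192.168.100.0/24,
# constructed) on top of it using a unicast remote instead of multicast.
# Usage (as root): sh vxlan_lab.sh up | check | down
# DRY_RUN=1 prints the commands instead of executing them.

VNI=100                  # VXLAN Network Identifier, chosen for the example
VXLAN_PORT=4789          # IANA-assigned VXLAN UDP port
NS1=vx1; NS2=vx2
UL1=10.0.0.1; UL2=10.0.0.2              # underlay (veth) addresses
OL1=192.168.100.1; OL2=192.168.100.2    # overlay (vxlan) addresses

# Execute a command, or only print it when DRY_RUN is set.
run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Bring up the underlay side of one namespace: $1 namespace, $2 underlay IP.
underlay_up() {
    run ip -n "$1" addr add "$2/24" dev "veth-$1"
    run ip -n "$1" link set lo up
    run ip -n "$1" link set "veth-$1" up
}

# Create the VXLAN tunnel endpoint (VTEP) inside one namespace:
#   $1 namespace, $2 local underlay IP, $3 remote underlay IP, $4 overlay IP
vtep_add() {
    run ip -n "$1" link add "vxlan$VNI" type vxlan id "$VNI" \
        local "$2" remote "$3" dev "veth-$1" dstport "$VXLAN_PORT"
    run ip -n "$1" addr add "$4/24" dev "vxlan$VNI"
    run ip -n "$1" link set "vxlan$VNI" up
}

lab_up() {
    run ip netns add "$NS1"
    run ip netns add "$NS2"
    # Underlay: one veth pair, one end moved into each namespace.
    run ip link add "veth-$NS1" type veth peer name "veth-$NS2"
    run ip link set "veth-$NS1" netns "$NS1"
    run ip link set "veth-$NS2" netns "$NS2"
    underlay_up "$NS1" "$UL1"
    underlay_up "$NS2" "$UL2"
    # Overlay: each VTEP encapsulates frames toward the other's underlay IP.
    vtep_add "$NS1" "$UL1" "$UL2" "$OL1"
    vtep_add "$NS2" "$UL2" "$UL1" "$OL2"
}

# Returns 0 when the overlay addresses reach each other through the tunnel.
lab_check() {
    run ip -n "$NS1" -d link show "vxlan$VNI"     # shows id/local/remote/dstport
    run ip netns exec "$NS1" ping -c 1 -W 1 "$OL2" >/dev/null &&
    run ip netns exec "$NS2" ping -c 1 -W 1 "$OL1" >/dev/null
}

lab_down() {
    # Deleting a namespace removes the veth end and the vxlan device inside it.
    run ip netns del "$NS1"
    run ip netns del "$NS2"
}

case "${1:-}" in
    up)    lab_up ;;
    check) lab_check ;;
    down)  lab_down ;;
esac
```

Running `sh vxlan_lab.sh up` and then `sh vxlan_lab.sh check` shows the detailed link attributes of the VTEP and pings across the overlay; a capture on veth-vx1 while pinging shows UDP/4789 packets wrapping the ICMP frames, which is the encapsulation the section describes.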
Veth pair
- Veth devices are built as pairs of connected virtual ethernet interfaces and can be thought of as a virtual patch cable. What goes in one end will come out the other.
```sh
# A veth pair is created by naming both ends; "link DEVICE" does not apply here
ip link add [NAME] type veth peer name [PEER NAME]
```
TUN/TAP
- TUN (tunnel) devices operate at layer 3, meaning the data (packets) you will receive from the file descriptor will be IP based. Data written back to the device must also be in the form of an IP packet.
- TAP (network tap) operates much like TUN; however, instead of only being able to write and receive layer-3 packets to/from the file descriptor, it can do so with raw Ethernet frames. You will typically see TAP devices used by KVM/QEMU virtualization, where a TAP device is assigned to a virtual guest's interface during creation.
```sh
ip tuntap add tap0 mode tap
ip link set dev tap0 up
ip link add br0 type bridge
ip link set tap0 master br0
ip link set eth0 master br0
```
bridge
- A Linux bridge is a layer-2 virtual device that on its own cannot receive or transmit anything unless you bind one or more real devices to it.
```sh
ip link add name bridge_name type bridge
ip link set bridge_name up
# Create a bridge:
brctl addbr [BRIDGE NAME]
# Delete a bridge:
brctl delbr [BRIDGE NAME]
# Attach a device to a bridge:
brctl addif [BRIDGE NAME] [DEVICE NAME]
# Detach a device from a bridge:
brctl delif [BRIDGE NAME] [DEVICE NAME]
# Show bridge status:
brctl show
```
MacVLAN
- MacVLAN lets one physical NIC be given several MAC addresses, so that several Ethernet interfaces can be configured in software; it is a function at the physical-layer level.
```sh
# To set the MacVLAN mode, append the mode parameter to the ip link command:
ip link add link eth0 name macv1 type macvlan mode bridge|vepa|private
```
MacVTAP
- MacVTAP is meant to replace the TUN/TAP and bridge kernel modules. MacVTAP is built on MacVLAN and exposes the same interface as the TAP device of TUN/TAP; a virtual machine using a MacVTAP port hands its data through the TAP device interface directly to the corresponding MacVTAP port in the kernel.
- TAP devices work exactly like TUN devices, except that TAP operates at layer 2 and TUN at layer 3.
- The /dev/tunX file of a TUN device sends and receives IP-layer packets; it only works at the IP layer and cannot be bridged with a physical NIC, but it can be connected to a physical NIC through layer-3 forwarding (e.g. ip_forward).
- The /dev/tapX file of a TAP device sends and receives MAC-layer frames; it has MAC-layer functionality, can be bridged with a physical NIC, and supports MAC-layer broadcast.
- Because MacVLAN works at the MAC layer, MacVTAP can only work at the MAC layer too; there is no such thing as a MacVTUN device.
```sh
# To set the MacVTAP mode, append the mode parameter to the ip link command:
ip link add link eth0 name macv1 type macvtap mode bridge|vepa|private
```
ipVLAN
```sh
ip link add link enp0s3 ipvlan1 type ipvlan mode l3
ip addr add 10.0.2.18/24 dev ipvlan1
```
tunnel
- ipip is a tunnel that encapsulates IP inside IP; it behaves like a bridge at the IP layer. An ordinary bridge works at the MAC layer, whereas ipip uses routing at both ends to form a tunnel that links two otherwise unconnected networks point-to-point. The ipip source is in the kernel at net/ipv4/ipip.c.
- sit and isatap are both IPv6-over-IPv4 tunnels; their source is in net/ipv6/sit.c.
- IPsec also uses a tunnel called L2TP, found in the kernel source under net/l2tp; PPTP is another one, implemented in drivers/net/pptp.c.
- gre
- GRE over IPsec
```sh
## ipip
ip tunnel add a2b mode ipip remote 2.2.2.2 local 1.1.1.1
ifconfig a2b 192.168.2.1 netmask 255.255.255.0
## gre
ip tunnel add gre1 mode gre remote 111.2.33.28 local 121.207.22.123 ttl 255
ip link set gre1 up
ip addr add 10.10.10.1 peer 10.10.10.2 dev gre1
# On the other end, swap local/remote and the peer addresses:
# ip tunnel add gre1 mode gre remote 121.207.22.123 local 111.2.33.28 ttl 255
# ip link set gre1 up
# ip addr add 10.10.10.2 peer 10.10.10.1 dev gre1
```
ip route
```sh
cat /etc/iproute2/rt_tables
# table 0:   reserved by the system
# table 253: default table; default routes not explicitly placed elsewhere go here
# table 254: main table; all routes added without a table specified go here
# table 255: local table; holds local interface, broadcast and NAT addresses, maintained by the kernel and not to be edited by users
ip route list table 0
ip route list table 253
ip route list table 254
ip route list table 255
yum install -y traceroute mtr
traceroute -n -m 5 -q 4 -w 3 www.baidu.com
# -c takes the number of probes; -4 forces IPv4
mtr -r -c 10 -4 10.254.0.2
# iptables has 4 tables: filter, nat, mangle, raw. The most commonly used is filter. The filter table has three built-in chains: INPUT, OUTPUT and FORWARD.
sudo iptables -L -t filter -v
sudo iptables -L -t nat -v
sudo iptables -L -n -v
```
ip rule
```sh
ip rule show
ip rule add from 192.168.1.10/32 table 1 pref 100
```
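A complete policy-routing example, added here and not part of the original notes, tying the rule above to the routing tables listed earlier: traffic from one source host is steered through the gre1 tunnel from the page while everything else keeps using the main table, and `ip route get` confirms which route the kernel would actually pick. The table number and name (100 / viatunnel), the source host 192.168.1.10, its ingress interface eth0 and the gateway 10.10.10.2 (the gre1 peer address on the page) are assumptions for the example. It needs root; DRY_RUN=1 only prints the commands.

```sh
#!/bin/sh
# Added example (not from the original notes): policy routing with a named
# table. Packets from SRC consult table 100 (default via the tunnel); all
# other traffic falls through to the main table. Table number/name, SRC,
# IN_DEV and GW are assumptions chosen for the example.
# Usage (as root): sh policy_route.sh up | check | down
# DRY_RUN=1 prints the commands instead of executing them.

TABLE_ID=100
TABLE_NAME=viatunnel
SRC=192.168.1.10/32
IN_DEV=eth0           # interface on which the SRC host's packets arrive
GW=10.10.10.2         # gre1 peer address from the page
DEV=gre1
PREF=100              # lower preference number = evaluated earlier

# Execute a command, or only print it when DRY_RUN is set.
run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Map the table number to a name in /etc/iproute2/rt_tables so that
# "ip route list table viatunnel" works; skipped if the number is present.
table_register() {
    if ! grep -q "^$TABLE_ID[[:space:]]" /etc/iproute2/rt_tables 2>/dev/null; then
        run sh -c "printf '%s\t%s\n' $TABLE_ID $TABLE_NAME >> /etc/iproute2/rt_tables"
    fi
}

policy_up() {
    table_register
    # The dedicated table holds only a default route via the tunnel.
    run ip route add default via "$GW" dev "$DEV" table "$TABLE_ID"
    # The rule makes packets from SRC consult that table before main.
    run ip rule add from "$SRC" table "$TABLE_ID" pref "$PREF"
}

policy_down() {
    run ip rule del from "$SRC" table "$TABLE_ID" pref "$PREF"
    run ip route flush table "$TABLE_ID"
}

# Show the rule, the table, and the route the kernel would choose for a
# packet from SRC (203.0.113.1 is a documentation-range destination).
policy_check() {
    run ip rule show
    run ip route list table "$TABLE_ID"
    run ip route get 203.0.113.1 from "${SRC%/*}" iif "$IN_DEV"
}

case "${1:-}" in
    up)    policy_up ;;
    check) policy_check ;;
    down)  policy_down ;;
esac
```

`ip route get ... from SRC iif DEV` is the quickest way to verify a rule is really matching: if the output names `gre1` the policy table was consulted; if it names the regular uplink, the rule's selector or preference is wrong.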
2. Common commands
```sh
# yum -y install bridge-utils net-tools iproute
ip netns add blue
ip link add vethtest01 type veth peer name vethest002
ip link list
ip link set vethest002 netns blue
ip netns exec blue ip link list
ip netns exec blue ifconfig vethest002 10.1.1.2/16 up
ip netns exec blue ifconfig
ip netns exec blue /bin/bash
brctl show
ip link add name test-bridge type bridge
ip link set test-bridge up
# Equivalent with bridge-utils (not needed here, the bridge already exists; brctl addbr takes only the name):
# brctl addbr test-bridge
ip link set dev vethtest01 master test-bridge
# The host end of the veth pair must also be up, or the ping below fails
ip link set vethtest01 up
ifconfig test-bridge 10.1.2.2/16 up
# The bridge IP on the host is 10.1.2.2; inside network namespace blue it is 10.1.1.2
ping 10.1.1.2
# Throughput test: start the iperf server first, then run the client against it
ip netns exec ns0 iperf -s
ip netns exec ns0 iperf -c $server_ip -i 1 -t 60
```
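The same lab as one script, added here and not part of the original notes: it uses iproute2 only (no brctl or ifconfig, both deprecated), adds the loopback and default route inside the namespace that the manual steps above leave out, and provides a check and a teardown so the lab can be rebuilt repeatably. It also covers the veth and bridge one-liners from the first section. Names and addresses are the ones used above (blue, vethtest01/vethest002, test-bridge, 10.1.2.2/16 and 10.1.1.2/16). It needs root; DRY_RUN=1 only prints the commands.

```sh
#!/bin/sh
# Added example (not from the original notes): the netns + veth + bridge lab
# above, rebuilt with iproute2 only, plus a connectivity check and teardown.
# Usage (as root): sh netns_lab.sh up | check | down
# DRY_RUN=1 prints the commands instead of executing them.

NS=blue
BR=test-bridge
VETH_HOST=vethtest01      # stays in the host namespace, enslaved to the bridge
VETH_NS=vethest002        # moved into namespace $NS
BR_ADDR=10.1.2.2/16       # host side, configured on the bridge
NS_ADDR=10.1.1.2/16       # inside the namespace
NS_GW=10.1.2.2            # default gateway as seen from inside the namespace

# Execute a command, or only print it when DRY_RUN is set.
run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

lab_up() {
    run ip netns add "$NS"
    run ip link add "$VETH_HOST" type veth peer name "$VETH_NS"
    # One end goes into the namespace; the other is plugged into the bridge.
    run ip link set "$VETH_NS" netns "$NS"
    run ip link add name "$BR" type bridge
    run ip link set dev "$VETH_HOST" master "$BR"
    run ip addr add "$BR_ADDR" dev "$BR"
    run ip link set "$BR" up
    run ip link set "$VETH_HOST" up
    # Namespace side: address, loopback and a default route via the bridge.
    run ip -n "$NS" addr add "$NS_ADDR" dev "$VETH_NS"
    run ip -n "$NS" link set lo up
    run ip -n "$NS" link set "$VETH_NS" up
    run ip -n "$NS" route add default via "$NS_GW"
}

# Returns 0 when the host reaches the namespace and the namespace reaches the host.
lab_check() {
    run ping -c 1 -W 1 "${NS_ADDR%/*}" >/dev/null &&
    run ip netns exec "$NS" ping -c 1 -W 1 "${BR_ADDR%/*}" >/dev/null
}

lab_down() {
    # Deleting the namespace destroys the veth pair (both ends) with it.
    run ip netns del "$NS"
    run ip link del "$BR"
}

case "${1:-}" in
    up)    lab_up ;;
    check) lab_check ;;
    down)  lab_down ;;
esac
```

`ip -n NS` is shorthand for `ip netns exec NS ip`; `ip netns exec` is still needed for non-ip commands such as ping. Because the veth pair is owned by the namespace once one end is moved in, `ip netns del blue` is enough to remove it, which is why the teardown only deletes the bridge separately.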
- SR-IOV
- PCI passthrough
- VEPA vs VN-Tag: Virtual Ethernet Port Aggregator. It is HP's technology for virtualization support, competing with Cisco's VN-Tag.
```sh
# On ServerA (192.168.9.125)
ip tunnel add tunl666 mode ipip remote 192.168.9.183 local 192.168.9.125
ifconfig tunl666 172.31.2.1 netmask 255.255.255.0
/sbin/route add -net 192.168.33.0/24 gw 172.31.2.2
# On ServerB (192.168.9.183)
sudo ip tunnel add tunl666 mode ipip remote 192.168.9.125 local 192.168.9.183
sudo ifconfig tunl666 172.31.2.2 netmask 255.255.255.0
iptables -t nat -A POSTROUTING -s 172.31.2.1 -d 192.168.33.0/24 -j MASQUERADE
sysctl -w net.ipv4.ip_forward=1
sed -i '/net.ipv4.ip_forward/ s/0/1/' /etc/sysctl.conf
```
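The ServerA/ServerB setup above as one symmetric script, added here and not part of the original notes: the same file is run on both ends with a role argument, so local/remote are never swapped by hand, and it adds a reachability check plus a teardown that also removes the NAT rule. Addresses, the tunnel name and the route and MASQUERADE rule are the ones on the page; the role convention (a = ServerA, b = ServerB) and the use of `ip addr ... peer` in place of ifconfig are the example's own choices. It needs root; DRY_RUN=1 only prints the commands.

```sh
#!/bin/sh
# Added example (not from the original notes): the ipip tunnel between
# ServerA and ServerB as one script run on both ends with a role letter.
# Usage (as root): sh ipip_pair.sh a up | a check | a down   (on ServerA)
#                  sh ipip_pair.sh b up | b check | b down   (on ServerB)
# DRY_RUN=1 prints the commands instead of executing them.

TUN=tunl666
A_PUB=192.168.9.125; A_TUN=172.31.2.1
B_PUB=192.168.9.183; B_TUN=172.31.2.2
B_LAN=192.168.33.0/24        # network behind ServerB, reached through the tunnel

# Execute a command, or only print it when DRY_RUN is set.
run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Pick local/remote/peer addresses from the role letter.
set_role() {
    case "$1" in
        a) LOCAL=$A_PUB; REMOTE=$B_PUB; MY_TUN=$A_TUN; PEER_TUN=$B_TUN ;;
        b) LOCAL=$B_PUB; REMOTE=$A_PUB; MY_TUN=$B_TUN; PEER_TUN=$A_TUN ;;
        *) echo "role must be a or b" >&2; return 1 ;;
    esac
}

tunnel_up() {
    set_role "$1" || return 1
    run ip tunnel add "$TUN" mode ipip local "$LOCAL" remote "$REMOTE"
    # Point-to-point addressing: my tunnel address with the peer's as far end.
    run ip addr add "$MY_TUN" peer "$PEER_TUN" dev "$TUN"
    run ip link set "$TUN" up
    run sysctl -w net.ipv4.ip_forward=1
    if [ "$1" = a ]; then
        # ServerA reaches B's LAN through the tunnel peer.
        run ip route add "$B_LAN" via "$PEER_TUN" dev "$TUN"
    else
        # ServerB rewrites the tunnel source so LAN hosts answer ServerB
        # instead of needing a route back to the 172.31.2.x addresses.
        run iptables -t nat -A POSTROUTING -s "$A_TUN" -d "$B_LAN" -j MASQUERADE
    fi
}

# Returns 0 when the peer's tunnel address answers through the tunnel.
tunnel_check() {
    set_role "$1" || return 1
    run ip -d link show "$TUN"             # confirms mode ipip, local and remote
    run ping -c 1 -W 1 "$PEER_TUN" >/dev/null
}

tunnel_down() {
    set_role "$1" || return 1
    if [ "$1" = b ]; then
        run iptables -t nat -D POSTROUTING -s "$A_TUN" -d "$B_LAN" -j MASQUERADE
    fi
    # Routes through the tunnel disappear together with the device.
    run ip tunnel del "$TUN"
}

case "${2:-}" in
    up)    tunnel_up "$1" ;;
    check) tunnel_check "$1" ;;
    down)  tunnel_down "$1" ;;
esac
```

ipip carries the inner packet in clear text, which is why the first section lists "GRE over IPsec" as a separate item: the same script layout applies, but the protection has to come from an IPsec policy on the outer addresses, not from the tunnel itself.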
Last updated 2019-03-22