# 1. Basic concepts

```bash
link DEVICE specifies the physical device to act operate on.
NAME specifies the name of the new virtual device.
TYPE specifies the type of the new device.
Link types:
  bridge - Ethernet Bridge device
  bond - Bonding device
  dummy - Dummy network interface
  hsr - High-availability Seamless Redundancy device
  ifb - Intermediate Functional Block device
  ipoib - IP over Infiniband device
  macvlan - Virtual interface base on link layer address (MAC)
  macvtap - Virtual interface based on link layer address (MAC) and TAP.
  vcan - Virtual Controller Area Network interface
  vxcan - Virtual Controller Area Network tunnel interface
  veth - Virtual ethernet interface
  vlan - 802.1q tagged virtual LAN interface
  vxlan - Virtual eXtended LAN
  ip6tnl - Virtual tunnel interface IPv4|IPv6 over IPv6
  ipip - Virtual tunnel interface IPv4 over IPv4
  sit - Virtual tunnel interface IPv6 over IPv4
  gre - Virtual tunnel interface GRE over IPv4
  gretap - Virtual L2 tunnel interface GRE over IPv4
  erspan - Encapsulated Remote SPAN over GRE and IPv4
  ip6gre - Virtual tunnel interface GRE over IPv6
  ip6gretap - Virtual L2 tunnel interface GRE over IPv6
  ip6erspan - Encapsulated Remote SPAN over GRE and IPv6
  vti - Virtual tunnel interface
  nlmon - Netlink monitoring device
  ipvlan - Interface for L3 (IPv6/IPv4) based VLANs
  lowpan - Interface for 6LoWPAN (IPv6) over IEEE 802.15.4 / Bluetooth
  geneve - GEneric NEtwork Virtualization Encapsulation
  macsec - Interface for IEEE 802.1AE MAC Security (MACsec)
  vrf - Interface for L3 VRF domains
```

## netns

* Creates a completely isolated network environment, with its own set of network interfaces, routing table, ARP table, IP address table, iptables rules, and so on.

```bash
ip netns add [NAMESPACE NAME]
```

## VLAN

* Virtual LANs give you the ability to sub-divide a LAN. Linux can accept VLAN tagged traffic and presents each VLAN ID as a different network interface.
```bash
ip link add link eth0 name eth0.5 type vlan id 5
```

## VxLAN

* Virtual eXtensible Local Area Network. It is an overlay technology that builds a virtual layer-2 network on top of a layer-3 network.

```bash
ip link add [NAME] type vxlan id [VNI] dstport 4789 dev [DEVICE NAME] remote [PEER IP]
```

## Veth pair

* Veth devices are built as pairs of connected virtual ethernet interfaces and can be thought of as a virtual patch cable. What goes in one end will come out the other.

```bash
ip link add [NAME] type veth peer name [PEER NAME]
```

## TUN/TAP

* TUN (tunnel) devices operate at layer 3, meaning the data (packets) you will receive from the file descriptor will be IP based. Data written back to the device must also be in the form of an IP packet.
* TAP (network tap) operates much like TUN; however, instead of only being able to write and receive layer 3 packets to/from the file descriptor, it can do so with raw ethernet packets. You will typically see tap devices used by KVM/Qemu virtualization, where a TAP device is assigned to a virtual guest's interface during creation.

```bash
ip tuntap add tap0 mode tap
ip link set dev tap0 up
ip link add br0 type bridge
ip link set tap0 master br0
ip link set eth0 master br0
```

## bridge

* A Linux bridge is a layer 2 virtual device that on its own cannot receive or transmit anything unless you bind one or more real devices to it.

```bash
ip link add name bridge_name type bridge
ip link set bridge_name up
# create a bridge:
brctl addbr [BRIDGE NAME]
# delete a bridge:
brctl delbr [BRIDGE NAME]
# attach a device to a bridge:
brctl addif [BRIDGE NAME] [DEVICE NAME]
# detach a device from a bridge:
brctl delif [BRIDGE NAME] [DEVICE NAME]
# show bridge status:
brctl show
```

## MacVLAN

* MacVLAN assigns multiple MAC addresses to a single physical NIC, so that several Ethernet interfaces can be configured in software; it is a physical-layer function.

```bash
# To set the MacVLAN mode, append the mode parameter to the ip link command:
ip link add link eth0 name macv1 type macvlan mode bridge|vepa|private
```

## MacVTAP

* MacVTAP is meant to replace the TUN/TAP and bridge kernel modules. MacVTap is based on MacVLAN and provides the TAP-device interface of TUN/TAP: a virtual machine whose Ethernet port uses MacVTAP can hand its data through the TAP device interface straight to the corresponding MacVTAP Ethernet interface in the kernel.
* TAP devices work exactly like TUN devices, except that TAP operates at layer 2 and TUN at layer 3.
* A TUN device's /dev/tunX file sends and receives IP-layer packets; it works only at the IP layer and cannot be bridged with a physical NIC, but it can be connected to one through layer-3 forwarding (e.g. ip_forward).
* A TAP device's /dev/tapX file sends and receives MAC-layer frames; it has MAC-layer functionality, can be bridged with a physical NIC, and supports MAC-layer broadcast.
* Because MacVLAN works at the MAC layer, MacVTAP can only work at the MAC layer as well; there is no such thing as a MacVTUN device.

```bash
# To set the MacVTAP mode, append the mode parameter to the ip link command:
ip link add link eth0 name macv1 type macvtap mode bridge|vepa|private
```

## ipVLAN

```bash
ip link add link enp0s3 name ipvlan1 type ipvlan mode l3
ip addr add 10.0.2.18/24 dev ipvlan1
```

## tunnel

* ipip is a tunnel that encapsulates the IP layer inside the IP layer, which makes it behave like a bridge at the IP layer. An ordinary bridge works at the MAC layer, whereas ipip uses the routes at both ends to form a tunnel that joins two otherwise disconnected networks point to point. The ipip source is in the kernel at net/ipv4/ipip.c.
* sit and isatap are both IPv6-over-IPv4 tunnels; their source is in net/ipv6/sit.c.
* IPsec also uses a tunnel called L2TP, found in the kernel source under net/l2tp; PPTP is another, implemented in drivers/net/pptp.c.
* gre
* GRE over IPsec

```bash
## ipip
ip tunnel add a2b mode ipip remote 2.2.2.2 local 1.1.1.1
ifconfig a2b 192.168.2.1 netmask 255.255.255.0
## gre
ip tunnel add gre1 mode gre remote 111.2.33.28 local 121.207.22.123 ttl 255
ip link set gre1 up
ip addr add 10.10.10.1 peer 10.10.10.2 dev gre1
# on the peer host, with local/remote and the tunnel addresses swapped:
# ip tunnel add gre1 mode gre remote 121.207.22.123 local 111.2.33.28 ttl 255
# ip link set gre1 up
# ip addr add 10.10.10.2 peer 10.10.10.1 dev gre1
```

## ip route

```bash
cat /etc/iproute2/rt_tables
# table 0:   reserved by the system
# table 253: default table; default routes not assigned to a specific table go here
# table 254: main table; all routes added without naming a table go here
# table 255: local table; holds local interface addresses, broadcast addresses and NAT addresses, maintained by the kernel and not to be edited by users
ip route list table 0
ip route list table 253
ip route list table 254
ip route list table 255
yum install -y traceroute mtr
traceroute -n -m 5 -q 4 -w 3 www.baidu.com
mtr -r -4 -c 10 10.254.0.2
# iptables has 4 tables: filter, nat, mangle and raw. filter is the one used most often; it has three built-in chains: INPUT, OUTPUT and FORWARD.
sudo iptables -L -t filter -v
sudo iptables -L -t nat -v
sudo iptables -L -n -v
```

## ip rule

```bash
ip rule show
ip rule add from 192.168.1.10/32 table 1 pref 100
```

# 2. Common commands

```bash
# yum -y install bridge-utils net-tools iproute
ip netns add blue
ip link add vethtest01 type veth peer name vethest002
ip link list
ip link set vethest002 netns blue
ip netns exec blue ip link list
ip netns exec blue ifconfig vethest002 10.1.1.2/16 up
ip netns exec blue ifconfig
ip netns exec blue /bin/bash
brctl show
ip link add name test-bridge type bridge
ip link set test-bridge up
# brctl addbr test-bridge            # brctl equivalent of the ip link add above
ip link set dev vethtest01 master test-bridge
ip link set dev vethtest01 up
ifconfig test-bridge 10.1.2.2/16 up
# the host bridge address is 10.1.2.2; the one inside namespace blue is 10.1.1.2
ping 10.1.1.2
ip netns exec ns0 iperf -c $server_ip -i 1 -t 60
ip netns exec ns0 iperf -s
# sr-iov
# pci-passthrough
# VEPA vs VN-Tag: Virtual Ethernet Port Aggregator is HP's competing technology to Cisco's VN-Tag for virtualization support.
```

```bash
# on ServerA (192.168.9.125)
ip tunnel add tunl666 mode ipip remote 192.168.9.183 local 192.168.9.125
ifconfig tunl666 172.31.2.1 netmask 255.255.255.0
/sbin/route add -net 192.168.33.0/24 gw 172.31.2.2
# on ServerB (192.168.9.183)
sudo ip tunnel add tunl666 mode ipip remote 192.168.9.125 local 192.168.9.183
sudo ifconfig tunl666 172.31.2.2 netmask 255.255.255.0
iptables -t nat -A POSTROUTING -s 172.31.2.1 -d 192.168.33.0/24 -j MASQUERADE
sysctl -w net.ipv4.ip_forward=1
sed -i '/net.ipv4.ip_forward/ s/0/1/' /etc/sysctl.conf
```
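The namespace/veth/bridge lab from the common-commands section, as an added example that is not part of the original notes: the same names and addresses, but done with iproute2 only (no ifconfig/brctl mix), with a reachability check and teardown. `DRY_RUN=1` prints each command instead of executing it, so the sequence can be reviewed without root; the `run` helper and `lab_*` function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original notes): the namespace/veth/bridge lab
# from section 2, done with iproute2 only instead of mixing ifconfig and brctl.
# Names and addresses are the ones the notes use. DRY_RUN=1 prints each
# command instead of executing it, so the sequence can be reviewed without root.
NS=blue
HOST_IF=vethtest01        # host-side end of the veth pair
NS_IF=vethest002          # end that is moved into the namespace
BR=test-bridge
HOST_ADDR=10.1.2.2/16     # address on the host bridge
NS_ADDR=10.1.1.2/16       # address inside the namespace (same /16)

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

lab_up() {
    run ip netns add "$NS"
    run ip link add "$HOST_IF" type veth peer name "$NS_IF"
    run ip link set "$NS_IF" netns "$NS"
    run ip netns exec "$NS" ip addr add "$NS_ADDR" dev "$NS_IF"
    run ip netns exec "$NS" ip link set "$NS_IF" up
    run ip netns exec "$NS" ip link set lo up
    run ip link add name "$BR" type bridge
    run ip link set "$HOST_IF" master "$BR"
    run ip link set "$HOST_IF" up        # the host end must be up too
    run ip addr add "$HOST_ADDR" dev "$BR"
    run ip link set "$BR" up
}

# Reachability check from inside the namespace to the host bridge address
lab_check() {
    run ip netns exec "$NS" ping -c 1 -W 1 "${HOST_ADDR%/*}"
}

# Deleting the namespace removes its veth end, which takes the host end with it
lab_down() {
    run ip link del "$BR"
    run ip netns del "$NS"
}

# Number of commands lab_up issues (dry-run self-check)
lab_up_count() { (DRY_RUN=1; lab_up) | wc -l | tr -d ' '; }

case "${1:-}" in
    up)   lab_up && lab_check ;;
    down) lab_down ;;
esac
```

Run as `sh lab.sh up` (root) to build and ping, `sh lab.sh down` to remove everything.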
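The ServerA/ServerB ipip tunnel from the common-commands section, as an added example that is not part of the original notes: one script that both hosts run with their side as the argument, so local/remote and the tunnel addresses cannot be swapped by hand. Addresses and the device name are the notes' own; the `FORWARD` rule restricting what ServerB forwards is an addition, and `DRY_RUN=1` prints commands instead of running them.

```shell
#!/bin/sh
# Added example (not part of the original notes): the ServerA/ServerB ipip
# tunnel from section 2 as a single script parameterised by side.
# Addresses are the notes' own; the FORWARD rule is an addition.
# DRY_RUN=1 prints commands instead of running them.
A_PUB=192.168.9.125; A_TUN=172.31.2.1
B_PUB=192.168.9.183; B_TUN=172.31.2.2
TUN=tunl666
LAN_BEHIND_B=192.168.33.0/24   # network reachable only through ServerB

run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }

# tunnel_up A|B: bring up this host's end of the tunnel
tunnel_up() {
    case "$1" in
        A) local_ip=$A_PUB; remote_ip=$B_PUB; my_tun=$A_TUN; peer_tun=$B_TUN ;;
        B) local_ip=$B_PUB; remote_ip=$A_PUB; my_tun=$B_TUN; peer_tun=$A_TUN ;;
        *) echo "usage: tunnel_up A|B" >&2; return 2 ;;
    esac
    run ip tunnel add "$TUN" mode ipip local "$local_ip" remote "$remote_ip"
    run ip addr add "$my_tun/24" dev "$TUN"
    run ip link set "$TUN" up
    if [ "$1" = "A" ]; then
        # A reaches the LAN behind B via the far end of the tunnel
        run ip route add "$LAN_BEHIND_B" via "$peer_tun" dev "$TUN"
    else
        # B forwards only for A's tunnel address towards that LAN. ipip carries
        # plain IP with no encryption or authentication, which is why the notes
        # list GRE over IPsec for paths that are not trusted.
        run sysctl -w net.ipv4.ip_forward=1
        run iptables -t nat -A POSTROUTING -s "$peer_tun" -d "$LAN_BEHIND_B" -j MASQUERADE
        run iptables -A FORWARD -i "$TUN" -s "$peer_tun" -d "$LAN_BEHIND_B" -j ACCEPT
    fi
}

tunnel_down() { run ip tunnel del "$TUN"; }

case "${1:-}" in
    up)   tunnel_up "${2:?side A or B required}" ;;
    down) tunnel_down ;;
esac
```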