Version 1 (modified by mitty, 15 years ago)
iproute2
- Uses the network described in ../
centos-inner
- Dealing with the problem that a packet's inbound and return paths differ (asymmetric routing)
- see route
Before configuration
- centos-inner ~]$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.50.0    *               255.255.255.0   U     0      0        0 eth0
10.2.0.0        *               255.255.0.0     U     0      0        0 eth2
10.0.0.0        10.1.0.254      255.255.0.0     UG    0      0        0 eth1
10.1.0.0        *               255.255.0.0     U     0      0        0 eth1
169.254.0.0     *               255.255.0.0     U     0      0        0 eth2
default         192.168.50.1    0.0.0.0         UG    0      0        0 eth0
- The route to 10.0.0.0/16 has already been configured
- centos-inner ~]$ ip route
192.168.50.0/24 dev eth0 proto kernel scope link src 192.168.50.110
10.2.0.0/16 dev eth2 proto kernel scope link src 10.2.0.110
10.0.0.0/16 via 10.1.0.254 dev eth1
10.1.0.0/16 dev eth1 proto kernel scope link src 10.1.0.110
169.254.0.0/16 dev eth2 scope link
default via 192.168.50.1 dev eth0
- centos-inner ~]$ ip route show dev eth0
192.168.50.0/24 proto kernel scope link src 192.168.50.110
default via 192.168.50.1
- centos-inner ~]$ ip route show dev eth1
10.0.0.0/16 via 10.1.0.254
10.1.0.0/16 proto kernel scope link src 10.1.0.110
- centos-inner ~]$ ip route show dev eth2
10.2.0.0/16 proto kernel scope link src 10.2.0.110
169.254.0.0/16 scope link
- centos-inner ~]$ ip rule
0:      from all lookup 255
32766:  from all lookup main
32767:  from all lookup default
- centos-outer <=(router)=> centos-inner
- centos-outer ~]$ ping 10.2.0.110 -c 1
- centos-outer:eth1
- ubuntu-router:eth0
- ubuntu-router:eth2
17:18:03.739868 IP 10.0.0.20 > 10.2.0.110: ICMP echo request, id 31500, seq 1, length 64
- centos-inner:eth2
17:18:03.794897 IP 10.0.0.20 > 10.2.0.110: ICMP echo request, id 31500, seq 1, length 64
- centos-inner:eth1
17:18:03.795150 IP 10.2.0.110 > 10.0.0.20: ICMP echo reply, id 31500, seq 1, length 64
- ubuntu-router:eth1
17:18:03.741063 IP 10.2.0.110 > 10.0.0.20: ICMP echo reply, id 31500, seq 1, length 64
- ubuntu-router:eth0
- centos-outer:eth1
Configuration
- routing table configuration
- centos-inner ~]$ sudo ip route add default via 10.1.0.254 table 1
- centos-inner ~]$ sudo ip route add default via 10.2.0.254 table 2
- routing policy configuration
- centos-inner ~]$ sudo ip rule add from 10.1.0.110 table 1 prio 1
- centos-inner ~]$ sudo ip rule add from 10.2.0.110 table 2 prio 2
- For the routing policy, since centos-inner has eth1 and eth2 on separate networks, the following configuration also works
- centos-inner ~]$ sudo ip rule add from 10.1.0.0/16 table 1 prio 1
- centos-inner ~]$ sudo ip rule add from 10.2.0.0/16 table 2 prio 2
- centos-inner ~]$ ip rule
0:      from all lookup 255
1:      from 10.1.0.0/16 lookup 1
2:      from 10.2.0.0/16 lookup 2
32766:  from all lookup main
32767:  from all lookup default
Applied state
- ip route list table main
192.168.50.0/24 dev eth0 proto kernel scope link src 192.168.50.110
10.2.0.0/16 dev eth2 proto kernel scope link src 10.2.0.110
10.0.0.0/16 via 10.1.0.254 dev eth1
10.1.0.0/16 dev eth1 proto kernel scope link src 10.1.0.110
169.254.0.0/16 dev eth2 scope link
default via 192.168.50.1 dev eth0
- No change to the main (default) table
- ip route list table 1
default via 10.1.0.254 dev eth1
- ip route list table 2
default via 10.2.0.254 dev eth2
- ip rule
0:      from all lookup 255
1:      from 10.1.0.110 lookup 1
2:      from 10.2.0.110 lookup 2
32766:  from all lookup main
32767:  from all lookup default
Result
- Packets that arrived on eth1 (10.1.0.110) are now sent back out through eth1, and packets that arrived on eth2 (10.2.0.110) through eth2.
- centos-outer ~]$ ping 10.2.0.110 -c 1
- centos-outer:eth1
- ubuntu-router:eth0
- ubuntu-router:eth2
17:09:25.667375 IP 10.0.0.20 > 10.2.0.110: ICMP echo request, id 22028, seq 1, length 64
17:09:25.668310 IP 10.2.0.110 > 10.0.0.20: ICMP echo reply, id 22028, seq 1, length 64
- centos-inner:eth2
17:09:25.682422 IP 10.0.0.20 > 10.2.0.110: ICMP echo request, id 22028, seq 1, length 64
17:09:25.682547 IP 10.2.0.110 > 10.0.0.20: ICMP echo reply, id 22028, seq 1, length 64
- centos-outer ~]$ ping 10.1.0.110 -c 1
- centos-outer:eth1
- ubuntu-router:eth0
- ubuntu-router:eth1
17:12:29.065247 IP 10.0.0.20 > 10.1.0.110: ICMP echo request, id 25356, seq 1, length 64
17:12:29.075733 IP 10.1.0.110 > 10.0.0.20: ICMP echo reply, id 25356, seq 1, length 64
- centos-inner:eth1
17:12:29.111101 IP 10.0.0.20 > 10.1.0.110: ICMP echo request, id 25356, seq 1, length 64
17:12:29.116137 IP 10.1.0.110 > 10.0.0.20: ICMP echo reply, id 25356, seq 1, length 64
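To make the before/after behaviour above reproducible offline, here is an added example (not from the original page) that models the RPDB lookup the kernel performs on centos-inner: rules are walked in priority order, a matching rule's table is searched by longest prefix, and a table without a matching route falls through to the next rule. The rule and route data are a constructed copy of what this page shows; table 255 (local) is modelled as empty because only non-local destinations are looked up.

```python
import ipaddress

# Constructed model of centos-inner from this page. Routes: (prefix, gateway or None, device)
MAIN = [
    ("192.168.50.0/24", None, "eth0"),
    ("10.2.0.0/16", None, "eth2"),
    ("10.0.0.0/16", "10.1.0.254", "eth1"),
    ("10.1.0.0/16", None, "eth1"),
    ("169.254.0.0/16", None, "eth2"),
    ("0.0.0.0/0", "192.168.50.1", "eth0"),  # default via 192.168.50.1
]
# Rules: (priority, source selector, table). Table 255 (local) kept empty in this model.
RULES_BEFORE = [(0, "0.0.0.0/0", 255), (32766, "0.0.0.0/0", "main"),
                (32767, "0.0.0.0/0", "default")]
TABLES_BEFORE = {"main": MAIN}

RULES_AFTER = [(0, "0.0.0.0/0", 255),
               (1, "10.1.0.110/32", 1), (2, "10.2.0.110/32", 2),
               (32766, "0.0.0.0/0", "main"), (32767, "0.0.0.0/0", "default")]
TABLES_AFTER = {"main": MAIN,
                1: [("0.0.0.0/0", "10.1.0.254", "eth1")],   # ip route add default via 10.1.0.254 table 1
                2: [("0.0.0.0/0", "10.2.0.254", "eth2")]}   # ip route add default via 10.2.0.254 table 2


def longest_match(table, dst):
    """Longest-prefix match within a single routing table; None if nothing matches."""
    best = None
    for prefix, gw, dev in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return best


def select_route(rules, tables, src, dst):
    """RPDB lookup: walk rules by priority, match the source selector, search the
    rule's table; an empty or non-matching table falls through to the next rule.
    Returns (device, gateway) or None when no rule yields a route."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, selector, table in sorted(rules, key=lambda r: r[0]):
        if src not in ipaddress.ip_network(selector):
            continue
        hit = longest_match(tables.get(table, []), dst)
        if hit is not None:
            return hit[2], hit[1]
    return None


if __name__ == "__main__":
    # Echo reply from 10.2.0.110 back to centos-outer (10.0.0.20), before and after the rules
    print("before:", select_route(RULES_BEFORE, TABLES_BEFORE, "10.2.0.110", "10.0.0.20"))
    print("after: ", select_route(RULES_AFTER, TABLES_AFTER, "10.2.0.110", "10.0.0.20"))
```

Before the rules, the reply sourced from 10.2.0.110 follows main's 10.0.0.0/16 route out of eth1 (the asymmetric path in the first capture); afterwards rule 2 sends it to table 2 and out of eth2, while traffic from 192.168.50.110 still falls through to main.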
Notes
- To delete a rule, specify either the table or the priority
0:      from all lookup 255
1:      from 10.1.0.110 lookup 1
2:      from 10.2.0.110 lookup 2
32766:  from all lookup main
32767:  from all lookup default
- sudo ip rule del table 1
- sudo ip rule del prio 1
- priority can currently be omitted
- sudo ip rule add from 10.1.0.110 table 1
- ip rule
0:      from all lookup 255
32765:  from 10.1.0.110 lookup 1
32766:  from all lookup main
32767:  from all lookup default
- attachment:ip-cref.pdf:wiki:TipAndDoc/network/iproute p.38
Really, for historical reasons ip rule add does not require a priority value and allows them to be non-unique. If the user does not supply a priority, it is selected by the kernel. If the user creates a rule with a priority value that already exists, the kernel does not reject the request. It adds the new rule before all old rules of the same priority. It is a mistake in design, no more. And it will be fixed one day, so do not rely on this feature. Use explicit priorities.
- Instead of prio (short for priority), prefer appears to work as well
- sudo ip rule add from 10.1.0.110 table 1 prefer 1
- ip rule
0:      from all lookup 255
1:      from 10.1.0.110 lookup 1
32766:  from all lookup main
32767:  from all lookup default
- [mitty@centos-inner ~]$ ip rule
0:      from all lookup 255
32766:  from all lookup main
32767:  from all lookup default
- The routing table is cached, so changes may not take effect immediately
- check the cache => ip route show cache
- flush the cache => sudo ip route flush cache
Warning: Changes to the RPDB made with these commands do not become active immediately. It is assumed that after a script finishes a batch of updates, it flushes the routing cache with ip route flush cache.