1)
Add two namespaces "ns1" and "ns2"
#sudo ip netns add ns1
#sudo ip netns add ns2
2)
List all namespaces
#sudo ip netns list
3)
List all interfaces in the global namespace
#ifconfig -a
OR
#ifconfig -a | less
4)
Create a Linux Bridge
4a)
Create the bridge br-test
#sudo brctl addbr br-test
4b)
Run following command in global naamespace to see the bridge interface
#ifconfig br-test
4c)
Disable the Spanning Tree Protocol for bridge interface "br-test"
#sudo brctl stp br-test off
*The Spanning Tree Protocol (STP) is created so that only one path exists between any pair of LAN segments. It was developed to prevent routing loops in network. Loops can happen when there is more than one route to a destination. Bridges by default are not capable of handling more than one route to a destination address.STP is used on a bridge, it is either placed into a forwarding state or a blocking state
4d)
Bring up the bridge interface "br-test".
#sudo ip link set dev br-test up
* At this point, the port/interface "br-test" is UP. You can see the status as "UP BROADCAST MULTICAST" in the output of command "#ifconfig br-test", that means UP.
5)
Create first veth/port interface pairs (Pipe) "tap1"======="br-tap1" and connect to namespace "ns1" and linux bridge "br-test".
5a)
Create veth/port interface pairs (Pipe) "tap1" and "br-tap1" in the global namespace
#sudo ip link add tap1 type veth peer name br-tap1
* Pipe: "tap1"======="br-tap1"
5b)
List all interfaces in the global namespace
#ifconfig -a
OR
#ifconfig -a | less
* At this point the interface "tap1" and "br-tap1" don't have IP associated with it.
5c)
Move "tap1" interface from global namespace to the "ns1" namespace.
OR
Attach one side of the Pipe "tap1=======br-tap1" to "ns1" namespace.
#sudo ip link set tap1 netns ns1
* At this point run "#ifconfig -a" in global namespace an you would not able to see the "tap1" interface there.
* Run "#ifconfig -a" in "ns1" namespace to see "tap1" interface.
* Example:#sudo ip netns exec ns1 ifconfig -a
5d)
List interfaces in the linux bridge "br-test"
#brctl show br-test
* At this point you can see that there is no interfaces atatched to the linux bridge "br-test"
5e)
Move "br-tap1" interface from global namespace to the Linux Bridge "br-test".
OR
Attach other side of the Pipe "tap1=======br-tap1" to Linux Bridge "br-test".
#sudo brctl addif br-test br-tap1
5f)
List interfaces in the linux bridge "br-test"
#brctl show br-test
* At this point you can see that the interface "br-tap1" is atatched to the linux bridge "br-test"
5g)
Check the IP Address of linux bridge "br-test" and interface "br-tap1"
#sudo ifconfig br-test
#sudo ifconfig br-tap1
* You can see that, there is no IP address associated with linux bridge "br-test" and interface "br-tap1".
5h)
Check the IP Address of interface "tap1" in the namespace "ns1"
#sudo ip netns exec ns1 ifconfig -a tap1
* You can see that, there is no IP address associated with the interface "tap1"
5i)
Set interfaces "tap1" and "br-tap1" to UP
#sudo ip netns exec ns1 ip link set dev tap1 up
#sudo ip link set dev br-tap1 up
5j)
Again Check the interfaces "tap1" and "br-tap1".
#sudo ip netns exec ns1 ifconfig -a tap1
#sudo ifconfig -a br-tap1
* At this point, the ports/interfaces "br-tap1" and "tap1" are UP. You can see the status as "UP BROADCAST MULTICAST" in the output of command, that means UP.
6)
Create second veth/port interface pairs (Pipe) "tap2"======="br-tap2" and connect to namespace "ns2" and linux bridge "br-test".
6a)
Create veth/port interface pairs (Pipe) "tap2" and "br-tap2" in the global namespace
#sudo ip link add tap2 type veth peer name br-tap2
* Pipe: "tap2"======="br-tap2"
6b)
List all interfaces in the global namespace
#ifconfig -a
OR
#ifconfig -a | less
* At this point the interface "tap2" and "br-tap2" don't have IP associated with it.
6c)
Move "tap2" interface from global namespace to the "ns2" namespace.
OR
Attach one side of the Pipe "tap2=======br-tap2" to "ns2" namespace.
#sudo ip link set tap2 netns ns2
* At this point run "#ifconfig -a" in global namespace an you would not able to see the "tap2" interface there.
* Run "#ifconfig -a" in "ns2" namespace to see "tap2" interface.
* Example:#sudo ip netns exec ns2 ifconfig -a
6d)
List interfaces in the linux bridge "br-test"
#brctl show br-test
* At this point you can see that there is only one interface "br-tap1" is atatched to the linux bridge "br-test"
6e)
Move "br-tap2" interface from global namespace to the Linux Bridge "br-test".
OR
Attach other side of the Pipe "tap2=======br-tap2" to Linux Bridge "br-test".
#sudo brctl addif br-test br-tap2
6f)
List interfaces in the linux bridge "br-test"
#brctl show br-test
bridge name bridge id STP enabled interfaces
br-test 8000.822e41140e4c no br-tap1
br-tap2
* At this point you can see that the interfaces "br-tap1" and "br-tap2" are atatched to the linux bridge "br-test"
6g)
Check the IP Address of linux bridge "br-test" and interface "br-tap2"
#sudo ifconfig br-test
#sudo ifconfig br-tap2
* You can see that, there is no IP address associated with linux bridge "br-test" and interface "br-tap2".
6h)
Check the IP Address of interface "tap2" in the namespace "ns2"
#sudo ip netns exec ns2 ifconfig -a tap2
* You can see that, there is no IP address associated with the interface "tap2"
6i)
Set interfaces "tap2" and "br-tap2" to UP
#sudo ip netns exec ns2 ip link set dev tap2 up
#sudo ip link set dev br-tap2 up
6j)
Again Check the interfaces "tap2" and "br-tap2".
#sudo ip netns exec ns2 ifconfig -a tap2
#sudo ifconfig -a br-tap2
* At this point, the ports/interfaces "br-tap2" and "tap2" are UP. You can see the status as "UP BROADCAST MULTICAST" in the output of command, that means UP.
7)
Assign IP address to the interfaces "tap1" in the namespace "ns1 and "tap2" in the namespace "ns2" and ping from "ns1" to "ns2".
7a)
Assign IP address to the interface "tap1" in the namespace "ns1".
#sudo ip netns exec ns1 ip addr add 10.1.1.4/24 dev tap1
7b)
Assign IP address to the interface "tap2" in the namespace "ns2".
#sudo ip netns exec ns2 ip addr add 10.1.1.5/24 dev tap2
7c)
Check the IP address of the interfaces "tap1" and "tap2"
#sudo ip netns exec ns1 ifconfig -a tap1
#sudo ip netns exec ns2 ifconfig -a tap2
7d)
Ping from "ns1" to "ns2".
#sudo ip netns exec ns1 ping 10.1.1.5
* Ping works
7d,a)
Capture Ping (ICMP) packets from interfaces "tap1", "tap1" and bridge "br-test".
#sudo ip netns exec ns1 tshark -i tap1 icmp
#sudo ip netns exec ns2 tshark -i tap2 icmp
#sudo tshark -i br-tap1 icmp
#sudo tshark -i br-tap2 icmp
#sudo tshark -i br-test icmp
* You can see that packets are going from "tap1" to "tap2" through "br-tap1" and "br-tap2".
* You can also able to capture ICMP packets from interfaces "tap1", "tap2", "br-tap1" and "br-tap2".
* But you can't able to see/capture the ICMP packets from bridge interface "br-test", because destination IP/network 10.1.1.5 is local to the bridge, so packet will not flow outside the bridge through "br-test" and routing table. See the picture.
http://www.microhowto.info/troubleshooting/troubleshooting_ethernet_bridging_on_linux.html
7e)
Debug bridge
http://www.microhowto.info/troubleshooting/troubleshooting_ethernet_bridging_on_linux.html
In the course of its operation a bridge must attempt to determine which MAC addresses are reachable through each of its attached interfaces. It does this by inspecting the source address of each packet that arrives at the bridge and recording it in a table. In the case of the Linux bridging module it is possible to inspect the content of this table using the brctl showmacs command:
#brctl showmacs br-test
port no mac addr is local? ageing timer
1 82:2e:41:14:0e:4c yes 0.00
2 ea:9a:12:97:cb:89 yes 0.00
* Here "82:2e:41:14:0e:4c" is the MAC of "br-tap1" interface.
* Here "ea:9a:12:97:cb:89" is the MAC of "br-tap2" interface.
8)
Try to ping to differen IP/Network from namespace "ns1"
8a)
Ping to "173.194.36.16" (www.google.com) from namespace "ns1"
#sudo ip netns exec ns1 ping 173.194.36.16
connect: Network is unreachabl
* You will get error like "connect: Network is unreachable"
8b)
Check routing table in the namespace "ns1".
#sudo ip netns exec ns1 route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 tap1
* Routing table has only one entry for the network 10.1.1.x.
* So we need to define the default gateway in the routing table to ping to another network. So the packets for different networks will flow through that gateway to outside.
8c)
Check the IP of Lnux bridge "br-test"
#ifconfig br-test
8d)
Set IP Address for the bridge "br-test"
#sudo ip addr add 10.1.1.3/24 dev br-test
8e)
Check the IP of Lnux bridge "br-test"
#ifconfig br-test
8f)
Add a default gateway to flow packets which are not destined for the network 10.1.1.x to outside.
#sudo ip netns exec ns1 route add default gw 10.1.1.3 tap1
* Defalut gateway has set to the IP address of the linux bridge "br-test"
8g)
Check routing table in the namespace "ns1".
#sudo ip netns exec ns1 route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.1.1.3 0.0.0.0 UG 0 0 0 tap1
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 tap1
* Packets which are not destined for the network 10.1.1.x will flow through the default gateway "10.1.1.3" (linux bridge) to outside.
8h)
Ping to 173.194.36.16 from namespace "ns1"
#sudo ip netns exec ns1 ping 173.194.36.16
PING 173.194.36.16 (173.194.36.16) 56(84) bytes of data.
* Ping will not work.
* But, if you capture the packets from the interface "tap1", "br-tap1" and "br-test", you can see that request packets are flowing from "tap1" to "br-test" via "br-tap1".
* That means reply packets are not routing properly. So we need to add SNAT in global namespace for packet which has source IP:10.1.1.4 or 10.1.1.x. OR we need to add MASQURIDE rule for interface "eth0"(virtualBox NAT).
8h,a)
Capture the packets from the interface "tap1", "br-tap1" and "br-test".
#sudo ip netns exec ns1 tshark -i tap1 icmp
1 0.000000 10.1.1.4 -> 173.194.36.16 ICMP 98 Echo (ping) request id=0x1a07, seq=1/256, ttl=64
2 1.008723 10.1.1.4 -> 173.194.36.16 ICMP 98 Echo (ping) request id=0x1a07, seq=2/512, ttl=64
3 2.016698 10.1.1.4 -> 173.194.36.16 ICMP 98 Echo (ping) request id=0x1a07, seq=3/768, ttl=64
* Note: Here, You can see only the request packets.
#sudo tshark -i br-tap1 icmp
1 0.000000 10.1.1.4 -> 173.194.36.16 ICMP 98 Echo (ping) request id=0x1a07, seq=1/256, ttl=64
2 1.008766 10.1.1.4 -> 173.194.36.16 ICMP 98 Echo (ping) request id=0x1a07, seq=2/512, ttl=64
3 2.016713 10.1.1.4 -> 173.194.36.16 ICMP 98 Echo (ping) request id=0x1a07, seq=3/768, ttl=64
* Note: Here, You can see only the request packets.
#sudo tshark -i br-test icmp
1 0.000000 10.1.1.4 -> 173.194.36.16 ICMP 98 Echo (ping) request id=0x1a07, seq=1/256, ttl=64
2 1.008766 10.1.1.4 -> 173.194.36.16 ICMP 98 Echo (ping) request id=0x1a07, seq=2/512, ttl=64
3 2.016713 10.1.1.4 -> 173.194.36.16 ICMP 98 Echo (ping) request id=0x1a07, seq=3/768, ttl=64
* Note: Here, You can see only the request packets.
8h,b)
Check routing table in the golbal namespace
#route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.2.2 0.0.0.0 UG 0 0 0 eth0
10.0.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-test
192.168.56.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
* You can see that, global namespace has 3 interfaces "eth0"(virtualBox NAT), "eth1"(VirtualBox HostOnly) and Linux bridge "br-test".
* According to this routing table, request packets from the interface "br-test"(10.1.1.0) will go through the gateway 10.0.2.2 of interface "eth0"(virtualBox NAT).
#So try to capture the packets from the interface "eth0"(virtualBox NAT)
#sudo tshark -i eth0 icmp
1 0.000000 10.1.1.4 -> 173.194.36.16 ICMP 98 Echo (ping) request id=0x1a32, seq=1/256, ttl=63
2 1.009619 10.1.1.4 -> 173.194.36.16 ICMP 98 Echo (ping) request id=0x1a32, seq=2/512, ttl=63
3 2.017055 10.1.1.4 -> 173.194.36.16 ICMP 98 Echo (ping) request id=0x1a32, seq=3/768, ttl=63
* Note: Here, You can see only the request packets.
#Capture packets from the "wlan0" WIFI interface in the laptop.
#sudo tshark -i wlan0 icmp
1 0.000000 100.112.28.126 -> 173.194.36.16 ICMP 98 Echo (ping) request id=0x1a40, seq=1/256, ttl=62
0.041521 173.194.36.16 -> 100.112.28.126 ICMP 98 Echo (ping) reply id=0x1a40, seq=1/256, ttl=56 (request in 1)
2 1.007943 100.112.28.126 -> 173.194.36.16 ICMP 98 Echo (ping) request id=0x1a40, seq=2/512, ttl=62
1.065012 173.194.36.16 -> 100.112.28.126 ICMP 98 Echo (ping) reply id=0x1a40, seq=2/512, ttl=56 (request in 3)
* Note: Here, you can see both the request and reply packets.
Links
=======
http://www.microhowto.info/troubleshooting/troubleshooting_ethernet_bridging_on_linux.html
http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge
http://www.tldp.org/HOWTO/Ethernet-Bridge-netfilter-HOWTO-3.html
Add two namespaces "ns1" and "ns2"
#sudo ip netns add ns1
#sudo ip netns add ns2
2)
List all namespaces
#sudo ip netns list
3)
List all interfaces in the global namespace
#ifconfig -a
OR
#ifconfig -a | less
4)
Create a Linux Bridge
4a)
Create the bridge br-test
#sudo brctl addbr br-test
4b)
Run following command in global naamespace to see the bridge interface
#ifconfig br-test
4c)
Disable the Spanning Tree Protocol for bridge interface "br-test"
#sudo brctl stp br-test off
*The Spanning Tree Protocol (STP) is created so that only one path exists between any pair of LAN segments. It was developed to prevent routing loops in network. Loops can happen when there is more than one route to a destination. Bridges by default are not capable of handling more than one route to a destination address.STP is used on a bridge, it is either placed into a forwarding state or a blocking state
4d)
Bring up the bridge interface "br-test".
#sudo ip link set dev br-test up
* At this point, the port/interface "br-test" is UP. You can see the status as "UP BROADCAST MULTICAST" in the output of command "#ifconfig br-test", that means UP.
5)
Create first veth/port interface pairs (Pipe) "tap1"======="br-tap1" and connect to namespace "ns1" and linux bridge "br-test".
5a)
Create veth/port interface pairs (Pipe) "tap1" and "br-tap1" in the global namespace
#sudo ip link add tap1 type veth peer name br-tap1
* Pipe: "tap1"======="br-tap1"
5b)
List all interfaces in the global namespace
#ifconfig -a
OR
#ifconfig -a | less
* At this point the interface "tap1" and "br-tap1" don't have IP associated with it.
5c)
Move "tap1" interface from global namespace to the "ns1" namespace.
OR
Attach one side of the Pipe "tap1=======br-tap1" to "ns1" namespace.
#sudo ip link set tap1 netns ns1
* At this point run "#ifconfig -a" in global namespace an you would not able to see the "tap1" interface there.
* Run "#ifconfig -a" in "ns1" namespace to see "tap1" interface.
* Example:#sudo ip netns exec ns1 ifconfig -a
5d)
List interfaces in the linux bridge "br-test"
#brctl show br-test
* At this point you can see that there is no interfaces atatched to the linux bridge "br-test"
5e)
Move "br-tap1" interface from global namespace to the Linux Bridge "br-test".
OR
Attach other side of the Pipe "tap1=======br-tap1" to Linux Bridge "br-test".
#sudo brctl addif br-test br-tap1
5f)
List interfaces in the linux bridge "br-test"
#brctl show br-test
* At this point you can see that the interface "br-tap1" is atatched to the linux bridge "br-test"
5g)
Check the IP Address of linux bridge "br-test" and interface "br-tap1"
#sudo ifconfig br-test
#sudo ifconfig br-tap1
* You can see that, there is no IP address associated with linux bridge "br-test" and interface "br-tap1".
5h)
Check the IP Address of interface "tap1" in the namespace "ns1"
#sudo ip netns exec ns1 ifconfig -a tap1
* You can see that, there is no IP address associated with the interface "tap1"
5i)
Set interfaces "tap1" and "br-tap1" to UP
#sudo ip netns exec ns1 ip link set dev tap1 up
#sudo ip link set dev br-tap1 up
5j)
Again Check the interfaces "tap1" and "br-tap1".
#sudo ip netns exec ns1 ifconfig -a tap1
#sudo ifconfig -a br-tap1
* At this point, the ports/interfaces "br-tap1" and "tap1" are UP. You can see the status as "UP BROADCAST MULTICAST" in the output of command, that means UP.
6)
Create second veth/port interface pairs (Pipe) "tap2"======="br-tap2" and connect to namespace "ns2" and linux bridge "br-test".
6a)
Create veth/port interface pairs (Pipe) "tap2" and "br-tap2" in the global namespace
#sudo ip link add tap2 type veth peer name br-tap2
* Pipe: "tap2"======="br-tap2"
6b)
List all interfaces in the global namespace
#ifconfig -a
OR
#ifconfig -a | less
* At this point the interface "tap2" and "br-tap2" don't have IP associated with it.
6c)
Move "tap2" interface from global namespace to the "ns2" namespace.
OR
Attach one side of the Pipe "tap2=======br-tap2" to "ns2" namespace.
#sudo ip link set tap2 netns ns2
* At this point run "#ifconfig -a" in global namespace an you would not able to see the "tap2" interface there.
* Run "#ifconfig -a" in "ns2" namespace to see "tap2" interface.
* Example:#sudo ip netns exec ns2 ifconfig -a
6d)
List interfaces in the linux bridge "br-test"
#brctl show br-test
* At this point you can see that there is only one interface "br-tap1" is atatched to the linux bridge "br-test"
6e)
Move "br-tap2" interface from global namespace to the Linux Bridge "br-test".
OR
Attach other side of the Pipe "tap2=======br-tap2" to Linux Bridge "br-test".
#sudo brctl addif br-test br-tap2
6f)
List interfaces in the linux bridge "br-test"
#brctl show br-test
bridge name bridge id STP enabled interfaces
br-test 8000.822e41140e4c no br-tap1
br-tap2
* At this point you can see that the interfaces "br-tap1" and "br-tap2" are atatched to the linux bridge "br-test"
6g)
Check the IP Address of linux bridge "br-test" and interface "br-tap2"
#sudo ifconfig br-test
#sudo ifconfig br-tap2
* You can see that, there is no IP address associated with linux bridge "br-test" and interface "br-tap2".
6h)
Check the IP Address of interface "tap2" in the namespace "ns2"
#sudo ip netns exec ns2 ifconfig -a tap2
* You can see that, there is no IP address associated with the interface "tap2"
6i)
Set interfaces "tap2" and "br-tap2" to UP
#sudo ip netns exec ns2 ip link set dev tap2 up
#sudo ip link set dev br-tap2 up
6j)
Again Check the interfaces "tap2" and "br-tap2".
#sudo ip netns exec ns2 ifconfig -a tap2
#sudo ifconfig -a br-tap2
* At this point, the ports/interfaces "br-tap2" and "tap2" are UP. You can see the status as "UP BROADCAST MULTICAST" in the output of command, that means UP.
7)
Assign IP address to the interfaces "tap1" in the namespace "ns1 and "tap2" in the namespace "ns2" and ping from "ns1" to "ns2".
7a)
Assign IP address to the interface "tap1" in the namespace "ns1".
#sudo ip netns exec ns1 ip addr add 10.1.1.4/24 dev tap1
7b)
Assign IP address to the interface "tap2" in the namespace "ns2".
#sudo ip netns exec ns2 ip addr add 10.1.1.5/24 dev tap2
7c)
Check the IP address of the interfaces "tap1" and "tap2"
#sudo ip netns exec ns1 ifconfig -a tap1
#sudo ip netns exec ns2 ifconfig -a tap2
7d)
Ping from "ns1" to "ns2".
#sudo ip netns exec ns1 ping 10.1.1.5
* Ping works
7d,a)
Capture Ping (ICMP) packets from interfaces "tap1", "tap1" and bridge "br-test".
#sudo ip netns exec ns1 tshark -i tap1 icmp
#sudo ip netns exec ns2 tshark -i tap2 icmp
#sudo tshark -i br-tap1 icmp
#sudo tshark -i br-tap2 icmp
#sudo tshark -i br-test icmp
* You can see that packets are going from "tap1" to "tap2" through "br-tap1" and "br-tap2".
* You can also able to capture ICMP packets from interfaces "tap1", "tap2", "br-tap1" and "br-tap2".
* But you can't able to see/capture the ICMP packets from bridge interface "br-test", because destination IP/network 10.1.1.5 is local to the bridge, so packet will not flow outside the bridge through "br-test" and routing table. See the picture.
http://www.microhowto.info/troubleshooting/troubleshooting_ethernet_bridging_on_linux.html
7e)
Debug bridge
http://www.microhowto.info/troubleshooting/troubleshooting_ethernet_bridging_on_linux.html
In the course of its operation a bridge must attempt to determine which MAC addresses are reachable through each of its attached interfaces. It does this by inspecting the source address of each packet that arrives at the bridge and recording it in a table. In the case of the Linux bridging module it is possible to inspect the content of this table using the brctl showmacs command:
#brctl showmacs br-test
port no mac addr is local? ageing timer
1 82:2e:41:14:0e:4c yes 0.00
2 ea:9a:12:97:cb:89 yes 0.00
* Here "82:2e:41:14:0e:4c" is the MAC of "br-tap1" interface.
* Here "ea:9a:12:97:cb:89" is the MAC of "br-tap2" interface.
8)
Try to ping to differen IP/Network from namespace "ns1"
8a)
Ping to "173.194.36.16" (www.google.com) from namespace "ns1"
#sudo ip netns exec ns1 ping 173.194.36.16
connect: Network is unreachabl
* You will get error like "connect: Network is unreachable"
8b)
Check routing table in the namespace "ns1".
#sudo ip netns exec ns1 route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 tap1
* Routing table has only one entry for the network 10.1.1.x.
* So we need to define the default gateway in the routing table to ping to another network. So the packets for different networks will flow through that gateway to outside.
8c)
Check the IP of Lnux bridge "br-test"
#ifconfig br-test
8d)
Set IP Address for the bridge "br-test"
#sudo ip addr add 10.1.1.3/24 dev br-test
8e)
Check the IP of Lnux bridge "br-test"
#ifconfig br-test
8f)
Add a default gateway to flow packets which are not destined for the network 10.1.1.x to outside.
#sudo ip netns exec ns1 route add default gw 10.1.1.3 tap1
* Defalut gateway has set to the IP address of the linux bridge "br-test"
8g)
Check routing table in the namespace "ns1".
#sudo ip netns exec ns1 route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.1.1.3 0.0.0.0 UG 0 0 0 tap1
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 tap1
* Packets which are not destined for the network 10.1.1.x will flow through the default gateway "10.1.1.3" (linux bridge) to outside.
8h)
Ping to 173.194.36.16 from namespace "ns1"
#sudo ip netns exec ns1 ping 173.194.36.16
PING 173.194.36.16 (173.194.36.16) 56(84) bytes of data.
* Ping will not work.
* But, if you capture the packets from the interface "tap1", "br-tap1" and "br-test", you can see that request packets are flowing from "tap1" to "br-test" via "br-tap1".
* That means reply packets are not routing properly. So we need to add SNAT in global namespace for packet which has source IP:10.1.1.4 or 10.1.1.x. OR we need to add MASQURIDE rule for interface "eth0"(virtualBox NAT).
8h,a)
Capture the packets from the interface "tap1", "br-tap1" and "br-test".
#sudo ip netns exec ns1 tshark -i tap1 icmp
1 0.000000 10.1.1.4 -> 173.194.36.16 ICMP 98 Echo (ping) request id=0x1a07, seq=1/256, ttl=64
2 1.008723 10.1.1.4 -> 173.194.36.16 ICMP 98 Echo (ping) request id=0x1a07, seq=2/512, ttl=64
3 2.016698 10.1.1.4 -> 173.194.36.16 ICMP 98 Echo (ping) request id=0x1a07, seq=3/768, ttl=64
* Note: Here, You can see only the request packets.
#sudo tshark -i br-tap1 icmp
1 0.000000 10.1.1.4 -> 173.194.36.16 ICMP 98 Echo (ping) request id=0x1a07, seq=1/256, ttl=64
2 1.008766 10.1.1.4 -> 173.194.36.16 ICMP 98 Echo (ping) request id=0x1a07, seq=2/512, ttl=64
3 2.016713 10.1.1.4 -> 173.194.36.16 ICMP 98 Echo (ping) request id=0x1a07, seq=3/768, ttl=64
* Note: Here, You can see only the request packets.
#sudo tshark -i br-test icmp
1 0.000000 10.1.1.4 -> 173.194.36.16 ICMP 98 Echo (ping) request id=0x1a07, seq=1/256, ttl=64
2 1.008766 10.1.1.4 -> 173.194.36.16 ICMP 98 Echo (ping) request id=0x1a07, seq=2/512, ttl=64
3 2.016713 10.1.1.4 -> 173.194.36.16 ICMP 98 Echo (ping) request id=0x1a07, seq=3/768, ttl=64
* Note: Here, You can see only the request packets.
8h,b)
Check routing table in the golbal namespace
#route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.2.2 0.0.0.0 UG 0 0 0 eth0
10.0.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-test
192.168.56.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
* You can see that, global namespace has 3 interfaces "eth0"(virtualBox NAT), "eth1"(VirtualBox HostOnly) and Linux bridge "br-test".
* According to this routing table, request packets from the interface "br-test"(10.1.1.0) will go through the gateway 10.0.2.2 of interface "eth0"(virtualBox NAT).
#So try to capture the packets from the interface "eth0"(virtualBox NAT)
#sudo tshark -i eth0 icmp
1 0.000000 10.1.1.4 -> 173.194.36.16 ICMP 98 Echo (ping) request id=0x1a32, seq=1/256, ttl=63
2 1.009619 10.1.1.4 -> 173.194.36.16 ICMP 98 Echo (ping) request id=0x1a32, seq=2/512, ttl=63
3 2.017055 10.1.1.4 -> 173.194.36.16 ICMP 98 Echo (ping) request id=0x1a32, seq=3/768, ttl=63
* Note: Here, You can see only the request packets.
#Capture packets from the "wlan0" WIFI interface in the laptop.
#sudo tshark -i wlan0 icmp
1 0.000000 100.112.28.126 -> 173.194.36.16 ICMP 98 Echo (ping) request id=0x1a40, seq=1/256, ttl=62
0.041521 173.194.36.16 -> 100.112.28.126 ICMP 98 Echo (ping) reply id=0x1a40, seq=1/256, ttl=56 (request in 1)
2 1.007943 100.112.28.126 -> 173.194.36.16 ICMP 98 Echo (ping) request id=0x1a40, seq=2/512, ttl=62
1.065012 173.194.36.16 -> 100.112.28.126 ICMP 98 Echo (ping) reply id=0x1a40, seq=2/512, ttl=56 (request in 3)
* Note: Here, you can see both the request and reply packets.
Links
=======
http://www.microhowto.info/troubleshooting/troubleshooting_ethernet_bridging_on_linux.html
http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge
http://www.tldp.org/HOWTO/Ethernet-Bridge-netfilter-HOWTO-3.html
create_2_namespaces_and_1_bridge()
ReplyDelete{
echo "Creating namespace and bridge......"
sudo ip netns add ns1
sudo ip netns add ns2
sudo brctl addbr br-test
sudo brctl stp br-test off
sudo ip link set dev br-test up
sudo ip link add tap1 type veth peer name br-tap1
sudo ip link set tap1 netns ns1
sudo brctl addif br-test br-tap1
sudo ip netns exec ns1 ip link set dev tap1 up
sudo ip link set dev br-tap1 up
sudo ip link add tap2 type veth peer name br-tap2
sudo ip link set tap2 netns ns2
sudo brctl addif br-test br-tap2
sudo ip netns exec ns2 ip link set dev tap2 up
sudo ip link set dev br-tap2 up
sudo ip netns exec ns1 ip addr add 10.1.1.4/24 dev tap1
sudo ip netns exec ns2 ip addr add 10.1.1.5/24 dev tap2
sudo ip netns exec ns1 ping 10.1.1.5 -c 1
if [ $? -eq 0 ]; then
echo "Ping working from ns1 (10.1.1.4) to ns2 (10.1.1.5)"
echo "Created namespace and bridge......"
else
echo "Failed to Create namespace and bridge......"
fi
}
delete_2_namespaces_and_1_bridge()
{
echo "Deleting namespace and bridge......"
sudo ip netns del ns1
sudo ip netns del ns2
sudo ip link set dev br-test down
sudo brctl delbr br-test
if [ $? -eq 0 ]; then
echo "Deleted namespace and bridge......"
else
echo "Failed to delete namespace and bridge......"
fi
}
#create_2_namespaces_and_1_bridge
#delete_2_namespaces_and_1_bridge
http://www.opencloudblog.com/?p=66
ReplyDeleteGreat writeup. Alternatively, you can connect two namespaces directly using one veth pair. No connection to outside though. So yeah, your method works great.
ReplyDeleteHi admin,
ReplyDeleteI have got stock in step 7d), two namespaces can not ping each other. I have checked with vshark and find out brdige do not transfer request to other peer.
what should I do?