你是否也有这样的疑问,当我们路由器局域内的下挂设备,是怎么互相访问的呢。假设我的路由器当前的网段是192.168.1.1,有一台PC有线接入,IP地址为 192.168.1.142 ,一台手机WiFi接入,IP地址为192.168.1.223,示意图如下:
此时PC给手机发送一个ping(icmp)报文,那么这个报文在我们linxu内核协议栈是怎么样的一个流程呢。那么就要提到一个概念,桥转发。
桥转发:在链路层,根据报文的目的MAC地址进行报文转发,我们也叫二层转发。进行二层转发的一般叫网桥(bridge), 进行二层转发的设备可以是一台设备,比如我们的交换机,而我们这里的桥转发,就是软件实现的交换机。
每个桥内都会维护一张转发表,转发表现包含如下信息:
port: 该设备连接在路由器上的哪个端口,也可以理解为接在哪个interface口,对于我们WiFi设备来说,可能是wlan0,wlan1等也就是2.4G或者5G,有线接入的设备的话可能是eth0.X, 不同的网络设备可能有所差别。
addr:设备的mac地址
is local: yes表示是否是本机,no表示不是本机
ageing timer: 设备的老化时间,当我的设备拔掉网线,或者断开WiFi的时候,这里的老化时间就会增加,达到一定阈值就会删除表项(FDB表),不同设备时间有差别,这个是Linux内核实现,可以修改;
FDB表:即二层MAC地址表,用于二层转发,当某个端口收到一个数据帧时,会根据我们的FDB表转发出去报文,就是我们上面用命令brctl showmacs br-lan 查看的那个表。
对于我们的路由转发(三层转发, 根据IP地址来转发),在netfilter框架,会有五个钩子点,可以分为:
1.送入本机
2.从本机发出
3.从本机转发
这三点经过的钩子点是不同的,在我们桥转发,也会有这样的钩子点;那么我们桥转发经过的钩子点有哪些呢
直接上代码测试:
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/ip.h>
#include <linux/netdevice.h>
#include <linux/skbuff.h>
#include <linux/if_arp.h>
#include <linux/if_ether.h>
#include <linux/netfilter_bridge/ebtables.h>
#include <uapi/linux/netfilter_bridge.h>
#include <linux/in_route.h>
#include <net/ip.h>
#include <linux/proc_fs.h>
#include <linux/fs.h>
static unsigned int
test_nf_pre_routing(void *priv, struct sk_buff *skb,
const struct nf_hook_state *state)
{
u_int8_t smac[ETH_ALEN] = {0};
u_int8_t dmac[ETH_ALEN] = {0};
struct ethhdr *ethhdr = NULL;
struct iphdr *iph = NULL;
static int count = 0;
ethhdr = eth_hdr(skb);
iph = ip_hdr(skb);
if (!ethhdr)
return NF_ACCEPT;
memcpy(dmac, ethhdr->h_dest, ETH_ALEN);
memcpy(smac, ethhdr->h_source, ETH_ALEN);
if (!skb->dev)
return NF_ACCEPT;
if (iph->protocol == IPPROTO_ICMP) {
printk("<%s:%d:%p>, dev=%s, source mac = %02X:%02X:%02X:%02X:%02X:%02X, destination mac = %02X:%02X:%02X:%02X:%02X:%02X\n",
__FUNCTION__, __LINE__, skb, skb->dev->name, smac[0], smac[1], smac[2], smac[3], smac[4], smac[5],
dmac[0], dmac[1], dmac[2], dmac[3], dmac[4], dmac[5]);
printk("icmp(ping) packet %pI4--->%pI4 count = %d\n",
&iph->saddr, &iph->daddr, ++count);
}
return NF_ACCEPT;
}
static unsigned int
test_nf_local_in(void *priv, struct sk_buff *skb,
const struct nf_hook_state *state)
{
u_int8_t smac[ETH_ALEN] = {0};
u_int8_t dmac[ETH_ALEN] = {0};
struct ethhdr *ethhdr = NULL;
struct iphdr *iph = NULL;
static int count = 0;
ethhdr = eth_hdr(skb);
iph = ip_hdr(skb);
if (!ethhdr)
return NF_ACCEPT;
memcpy(dmac, ethhdr->h_dest, ETH_ALEN);
memcpy(smac, ethhdr->h_source, ETH_ALEN);
if (!skb->dev)
return NF_ACCEPT;
if (iph->protocol == IPPROTO_ICMP) {
printk("<%s:%d:%p>, dev=%s, source mac = %02X:%02X:%02X:%02X:%02X:%02X, destination mac = %02X:%02X:%02X:%02X:%02X:%02X\n",
__FUNCTION__, __LINE__, skb, skb->dev->name, smac[0], smac[1], smac[2], smac[3], smac[4], smac[5],
dmac[0], dmac[1], dmac[2], dmac[3], dmac[4], dmac[5]);
printk("icmp(ping) packet %pI4--->%pI4 count = %d\n",
&iph->saddr, &iph->daddr, ++count);
}
return NF_ACCEPT;
}
static unsigned int
test_nf_forward(void *priv, struct sk_buff *skb,
const struct nf_hook_state *state)
{
u_int8_t smac[ETH_ALEN] = {0};
u_int8_t dmac[ETH_ALEN] = {0};
struct ethhdr *ethhdr = NULL;
struct iphdr *iph = NULL;
static int count = 0;
ethhdr = eth_hdr(skb);
iph = ip_hdr(skb);
if (!ethhdr)
return NF_ACCEPT;
memcpy(dmac, ethhdr->h_dest, ETH_ALEN);
memcpy(smac, ethhdr->h_source, ETH_ALEN);
if (!skb->dev)
return NF_ACCEPT;
if (iph->protocol == IPPROTO_ICMP) {
printk("<%s:%d:%p>, dev=%s, source mac = %02X:%02X:%02X:%02X:%02X:%02X, destination mac = %02X:%02X:%02X:%02X:%02X:%02X\n",
__FUNCTION__, __LINE__, skb, skb->dev->name, smac[0], smac[1], smac[2], smac[3], smac[4], smac[5],
dmac[0], dmac[1], dmac[2], dmac[3], dmac[4], dmac[5]);
printk("icmp(ping) packet %pI4--->%pI4 count = %d\n",
&iph->saddr, &iph->daddr, ++count);
}
return NF_ACCEPT;
}
static unsigned int
test_nf_local_out(void *priv, struct sk_buff *skb,
const struct nf_hook_state *state)
{
u_int8_t smac[ETH_ALEN] = {0};
u_int8_t dmac[ETH_ALEN] = {0};
struct ethhdr *ethhdr = NULL;
struct iphdr *iph = NULL;
static int count = 0;
ethhdr = eth_hdr(skb);
iph = ip_hdr(skb);
if (!ethhdr)
return NF_ACCEPT;
memcpy(dmac, ethhdr->h_dest, ETH_ALEN);
memcpy(smac, ethhdr->h_source, ETH_ALEN);
if (!skb->dev)
return NF_ACCEPT;
if (iph->protocol == IPPROTO_ICMP) {
printk("<%s:%d:%p>, dev=%s, source mac = %02X:%02X:%02X:%02X:%02X:%02X, destination mac = %02X:%02X:%02X:%02X:%02X:%02X\n",
__FUNCTION__, __LINE__, skb, skb->dev->name, smac[0], smac[1], smac[2], smac[3], smac[4], smac[5],
dmac[0], dmac[1], dmac[2], dmac[3], dmac[4], dmac[5]);
printk("icmp(ping) packet %pI4--->%pI4 count = %d\n",
&iph->saddr, &iph->daddr, ++count);
}
return NF_ACCEPT;
}
static unsigned int
test_nf_post_routing(void *priv, struct sk_buff *skb,
const struct nf_hook_state *state)
{
u_int8_t smac[ETH_ALEN] = {0};
u_int8_t dmac[ETH_ALEN] = {0};
struct ethhdr *ethhdr = NULL;
struct iphdr *iph = NULL;
static int count = 0;
ethhdr = eth_hdr(skb);
iph = ip_hdr(skb);
if (!ethhdr)
return NF_ACCEPT;
memcpy(dmac, ethhdr->h_dest, ETH_ALEN);
memcpy(smac, ethhdr->h_source, ETH_ALEN);
if (!skb->dev)
return NF_ACCEPT;
if (iph->protocol == IPPROTO_ICMP) {
printk("<%s:%d:%p>, dev=%s, source mac = %02X:%02X:%02X:%02X:%02X:%02X, destination mac = %02X:%02X:%02X:%02X:%02X:%02X\n",
__FUNCTION__, __LINE__, skb, skb->dev->name, smac[0], smac[1], smac[2], smac[3], smac[4], smac[5],
dmac[0], dmac[1], dmac[2], dmac[3], dmac[4], dmac[5]);
printk("icmp(ping) packet %pI4--->%pI4 count = %d\n",
&iph->saddr, &iph->daddr, ++count);
}
return NF_ACCEPT;
}
static const struct nf_hook_ops test_nf_ops[] = {
{
.hook = test_nf_pre_routing,
.pf = NFPROTO_BRIDGE,
.hooknum = NF_BR_PRE_ROUTING,
.priority = NF_BR_PRI_FILTER_OTHER,
},
{
.hook = test_nf_local_in,
.pf = NFPROTO_BRIDGE,
.hooknum = NF_BR_LOCAL_IN,
.priority = NF_BR_PRI_FILTER_OTHER,
},
{
.hook = test_nf_forward,
.pf = NFPROTO_BRIDGE,
.hooknum = NF_BR_FORWARD,
.priority = NF_BR_PRI_FILTER_OTHER,
},
{
.hook = test_nf_local_out,
.pf = NFPROTO_BRIDGE,
.hooknum = NF_BR_LOCAL_OUT,
.priority = NF_BR_PRI_FILTER_OTHER,
},
{
.hook = test_nf_post_routing,
.pf = NFPROTO_BRIDGE,
.hooknum = NF_BR_POST_ROUTING,
.priority = NF_BR_PRI_FILTER_OTHER,
},
};
static int __init test_module_init(void)
{
printk("bridge...init\n");
nf_register_net_hooks(&init_net, test_nf_ops, ARRAY_SIZE(test_nf_ops));
return 0;
}
static void test_module_exit(void)
{
printk("bridge....exit\n");
nf_unregister_net_hooks(&init_net, test_nf_ops, ARRAY_SIZE(test_nf_ops));
return;
}
module_init(test_module_init);
module_exit(test_module_exit);
MODULE_LICENSE("GPL v2");注意:openwrt要开ebtables 那部分的内核代码netfilter部分要看编译到没,我这里直接是打开ebtables工具和内核桥转发netfilter宏,就可以生效了。
用PC给手机发送一个ICMP报文
路由器上打印如下:
从上面打印我们看到从本机转发的报文经过的钩子点为:
NF_BR_PRE_ROUTING->NFPROTO_BRIDGE->NFPROTO_BRIDGE换成用PC给路由器发送一个ICMP报文
路由器上打印如下:
从上面的打印我们看到发往本机的报文经过的钩子点为:
NF_BR_PRE_ROUTING->NFPROTO_BRIDGE->NFPROTO_BRIDGE路由器给PC发一个ICMP报文
路由器上打印如下:
从上面的打印我们可以看到从本机发出去的报文经过的钩子点为:
NF_BR_PRE_ROUTING->NFPROTO_BRIDGE->NFPROTO_BRIDGE理解了上面转发会经过的钩子点后,那么我们平常工作如何去定位问题呢,不可能每次都去编版本,对于我们桥转发,给我们提供了ebtables工具,也就是ebtalbes命令行去下发这些规则。
ebtables简单命令使用如下:
//查看我们nat表上挂的规则,可以看到报文个数
ebtables -t nat -L --Lc清除表上的规则可以用:
//-t 指定表,不加默认是filter表
ebtables -t nat -F假如我当前PC的IP地址为:192.168.1.142,需要确认我们协议栈的包是否送出去了,那么规则应该怎么下发呢?
我们可以先确认ICMP包是否进了PREROUTING, 规则如下:
//在 nat表的PREROUTING链加规则,如果源IP是192.168.1.142的ICMP允许通过
ebtables -t nat -A PREROUTING -p IPv4 --ip-proto icmp --ip-sr
c 192.168.1.142 -j ACCEPT再确认是否从POSTROUTING发出去,规则如下:
//在nat表的POSTROUING链,源IP是192.168.1.142的ICMP我们允许通过
ebtables -t nat -A POSTROUTING -p IPv4 --ip-proto icmp --ip-sr
c 192.168.1.142 -j ACCEPT添加完,我们查看nat表的ebtables规则如下:
我的手机是IP为192.168.1.223,我ping一下手机,给手机发一个ICMP包
查看nat表的规则:
从上面的图,我们可以看到,我的PREROUTING和POSTROUTING链上的pcnt为1,也就是我的ICMP都经过了这两个钩子点
