Aloha. ʻO kēia ka mea aia kahi pūnaewele o nā mea kūʻai aku 5k. I kēia manawa ua hiki mai kahi manawa leʻaleʻa loa - ma ke kikowaena o ka pūnaewele loaʻa iā mākou kahi Brocade RX8 a hoʻomaka ia e hoʻouna i nā ʻeke ʻike ʻole-unicast, no ka mea, ua māhele ʻia ka pūnaewele i vlans - ʻaʻole kēia he pilikia, akā aia kekahi. vlans kūikawā no nā helu keʻokeʻo, etc. a ua hohola ʻia lākou ma nā ʻaoʻao a pau o ka pūnaewele. No laila, e noʻonoʻo ʻoe i kahi kahe e komo mai ana i ka helu wahi o kahi mea kūʻai aku ʻaʻole e aʻo ʻia ma ke ʻano he haumāna palena a lele kēia kahe i kahi loulou radio i kekahi (a i ʻole) kauhale - ua paʻa ke kahawai - ua huhū nā mea kūʻai - ke kaumaha ...
ʻO ka pahuhopu ka hoʻohuli ʻana i kahi pōpoki i mea hiʻona. Ke noʻonoʻo nei au i ke ala o q-in-q me kahi vlan mea kūʻai aku piha, akā ʻo nā ʻano lako like ʻole e like me P3310, ke hoʻohana ʻia ʻo dot1q, hoʻōki i ka hoʻokuʻu ʻana iā DHCP, ʻaʻole lākou ʻike pehea e koho ai i ka qinq a me nā mea he nui. mau lua o ia ano. He aha ka ip-unnambered a pehea e hana ai? Pōkole loa: helu wahi puka + ala ma ka interface. No kā mākou hana, pono mākou e: ʻoki i ka shaper, hāʻawi i nā helu i nā mea kūʻai aku, hoʻohui i nā ala i nā mea kūʻai aku ma o kekahi mau pilina. Pehea e hana ai i keia? Shaper - lisg, dhcp - db2dhcp ma nā kikowaena kūʻokoʻa ʻelua, holo ka dhcprelay ma nā kikowaena komo, holo pū ka ucarp ma nā kikowaena komo - no ke kākoʻo. Akā pehea e hoʻohui ai i nā ala? Hiki iā ʻoe ke hoʻohui i nā mea āpau ma mua me kahi palapala nui - akā ʻaʻole ʻoiaʻiʻo kēia. No laila e hana mākou i kahi koʻokoʻo kākau ponoʻī.
Ma hope o ka ʻimi ʻana ma ka Pūnaewele, ua loaʻa iaʻu kahi waihona kiʻekiʻe kiʻekiʻe no C++, kahi e hiki ai iā ʻoe ke honi nani i nā kaʻa. ʻO ka algorithm no ka papahana e hoʻohui i nā ala e like me kēia - ke hoʻolohe nei mākou i nā noi arp ma ka interface, inā loaʻa iā mākou kahi helu ma ka lo interface ma ke kikowaena i noi ʻia, a laila hoʻohui mākou i kahi ala ma o kēia interface a hoʻohui i kahi arp static. e hoʻopaʻa i kēia ip - ma ka laulā, he mau kope-pastes, kahi huaʻōlelo liʻiliʻi a ua pau ʻoe
Nā kumu o ka 'router'
#include <arpa/inet.h>
#include <ifaddrs.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <functional>
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <tins/tins.h>
using std::cout;
using std::endl;
using std::map;
using std::bind;
using std::string;
using std::stringstream;
using namespace Tins;
// Watches ARP requests on one access interface and turns them into host
// routes: a sender that asks for an address this box holds on `lo` gets an
// `ip route replace <sender> dev <iface> src <gw>` plus a static ARP entry
// (see callback() and reroute()).
class arp_monitor {
public:
    // Runs the blocking libtins sniff loop; each captured PDU goes to callback().
    void run(Sniffer &sniffer);
    // Re-applies route + static ARP for every recorded sender, then sends an
    // unsolicited ARP (`arping -U`) for every gateway address. Driven by SIGHUP.
    void reroute();
    // Rebuilds `gws` from the IPv4/IPv6 addresses currently configured on `lo`.
    void makegws();
    // Name of the access interface being sniffed (argv[1]).
    string iface;
    // Gateway addresses this host owns on `lo`, textual form; key and value
    // hold the same string and only the key is ever consulted (gws.count()).
    map <string, string> gws;
private:
    // libtins sniff callback; returns true so sniffing continues.
    bool callback(const PDU &pdu);
    // sender IP -> target IP of the last ARP request seen from that sender.
    map <string, string> route_map;
    // sender IP -> sender MAC (textual) of the last ARP request seen.
    map <string, string> mac_map;
    // NOTE(review): never read or written anywhere in this file; looks unused.
    map <IPv4Address, HWAddress<6>> addresses;
};
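// Rebuilds `gws` from the addresses configured on the loopback interface.
//
// Every IPv4/IPv6 address found on `lo` is stored as key and value of `gws`
// (callers only test membership with gws.count()). The map is cleared first,
// so an address removed from `lo` (e.g. by the ucarp down script) stops being
// treated as a gateway after the next SIGHUP.
//
// Errors: a failing getifaddrs() is reported with perror() and leaves `gws`
// empty; an address inet_ntop() cannot format is skipped.
//
// Fix: the original used a 16-byte INET_ADDRSTRLEN buffer but passed
// INET6_ADDRSTRLEN (46) to inet_ntop() for AF_INET6, so a long IPv6 address
// on `lo` could overflow the stack buffer. The buffer is now sized for v6.
void arp_monitor::makegws() {
    struct ifaddrs *ifAddrStruct = NULL;
    gws.clear();
    if (getifaddrs(&ifAddrStruct) != 0) {
        // Without the list no gateway is known, so callback()/reroute()
        // install nothing until the next SIGHUP; say so instead of silently
        // continuing as the original did.
        perror("getifaddrs");
        return;
    }
    for (struct ifaddrs *ifa = ifAddrStruct; ifa != NULL; ifa = ifa->ifa_next) {
        if (!ifa->ifa_addr || string(ifa->ifa_name) != "lo") {
            continue;
        }
        char addressBuffer[INET6_ADDRSTRLEN];
        const char *text = NULL;
        if (ifa->ifa_addr->sa_family == AF_INET) {
            const void *src =
                &reinterpret_cast<const struct sockaddr_in *>(ifa->ifa_addr)->sin_addr;
            text = inet_ntop(AF_INET, src, addressBuffer, sizeof addressBuffer);
        } else if (ifa->ifa_addr->sa_family == AF_INET6) {
            const void *src =
                &reinterpret_cast<const struct sockaddr_in6 *>(ifa->ifa_addr)->sin6_addr;
            text = inet_ntop(AF_INET6, src, addressBuffer, sizeof addressBuffer);
        } else {
            continue;  // not an IP address family
        }
        if (text == NULL) {
            continue;  // unformattable address: skip rather than store garbage
        }
        gws[addressBuffer] = addressBuffer;
        cout << "GW " << addressBuffer << " is added" << endl;
    }
    freeifaddrs(ifAddrStruct);
}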
// Starts the blocking capture loop on `sniffer`; every captured PDU is
// handed to callback() until it returns false (which it never does here).
void arp_monitor::run(Sniffer &sniffer) {
    cout << "RUNNED" << endl;
    // Same member call as the std::bind form, written as a lambda.
    sniffer.sniff_loop([this](const PDU &pdu) { return callback(pdu); });
}
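// Re-installs a host route and a static ARP entry for every sender recorded
// by callback(), then announces every gateway address with an unsolicited
// ARP (`arping -U`) so neighbours refresh their caches. Called from the
// SIGHUP handler after makegws() has rebuilt `gws`.
//
// Fix: the original condition was `gws.count(it->second) &&
// !gws.count(it->second)`, which is always false, so no route was ever
// re-added on SIGHUP. The intended test mirrors callback(): the requested
// address is one of ours and the sender is not.
//
// The shell commands embed addresses taken from sniffed ARP frames. They are
// the textual forms libtins produced for parsed IPv4/MAC fields (digits, dots,
// colon-separated hex), which is what keeps system() usable here; any change
// that feeds other packet-derived text into these commands must not rely on that.
void arp_monitor::reroute() {
    cout << "REROUTING" << endl;
    for (const auto &entry : route_map) {
        const string &sender = entry.first;
        const string &target = entry.second;
        if (!gws.count(target) || gws.count(sender)) {
            continue;
        }
        const auto mac = mac_map.find(sender);
        if (mac == mac_map.end()) {
            // callback() fills both maps together, so this is unexpected;
            // the original's operator[] would have run `arp -s <ip> ` with
            // an empty MAC, which is worse than skipping.
            cout << "no MAC recorded for " << sender << ", skipping" << endl;
            continue;
        }
        string cmd = "ip route replace " + sender + " dev " + iface +
                     " src " + target + " proto static";
        cout << cmd << std::endl;
        cout << "REROUTE " << sender << " SRC " << target << endl;
        if (system(cmd.c_str()) != 0) {
            cout << "command failed: " << cmd << endl;
        }
        cmd = "arp -s " + sender + " " + mac->second;
        cout << cmd << endl;
        if (system(cmd.c_str()) != 0) {
            cout << "command failed: " << cmd << endl;
        }
    }
    for (const auto &gw : gws) {
        // One unsolicited ARP per gateway address, broadcast on `iface`.
        const string cmd = "arping -U -s " + gw.first + " -I " + iface +
                           " -b -c 1 " + gw.first;
        if (system(cmd.c_str()) != 0) {
            cout << "command failed: " << cmd << endl;
        }
    }
    cout << "REROUTED" << endl;
}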
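// libtins sniff callback. For every ARP request whose target is one of our
// gateway addresses (see makegws()) and whose sender is not, installs a host
// route to the sender via `iface` with the gateway as source address and pins
// the sender's MAC with a static ARP entry. sender->target and sender->MAC
// are recorded so reroute() can redo this after SIGHUP.
//
// Returns true so the sniff loop keeps running.
//
// Fix: rfind_pdu<ARP>() throws when the frame carries no ARP layer; an
// exception here leaves sniff_loop and ends the daemon through main()'s
// catch. find_pdu<ARP>() is used instead and non-ARP frames are ignored
// (the "arp" BPF filter makes that rare, not impossible).
//
// Trust model: sender IP and MAC come straight from the frame, so any host on
// the segment can claim any address; the write-up relies on DHCP snooping,
// IP source guard and dynamic ARP inspection on the access switches to keep
// spoofed requests off this interface. The addresses reach system() only in
// the textual form libtins produced for parsed IPv4/MAC fields.
bool arp_monitor::callback(const PDU &pdu) {
    const ARP *arp = pdu.find_pdu<ARP>();
    if (arp == NULL || arp->opcode() != ARP::REQUEST) {
        return true;
    }
    const string target = arp->target_ip_addr().to_string();
    const string sender = arp->sender_ip_addr().to_string();
    const string sender_mac = arp->sender_hw_addr().to_string();
    route_map[sender] = target;
    mac_map[sender] = sender_mac;
    cout << "save sender " << sender << ":" << sender_mac
         << " want target " << target << endl;
    if (gws.count(target) && !gws.count(sender)) {
        string cmd = "ip route replace " + sender + " dev " + iface +
                     " src " + target + " proto static";
        if (system(cmd.c_str()) != 0) {
            cout << "command failed: " << cmd << endl;
        }
        cmd = "arp -s " + sender + " " + sender_mac;
        cout << cmd << endl;
        if (system(cmd.c_str()) != 0) {
            cout << "command failed: " << cmd << endl;
        }
    }
    return true;
}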
// Single process-wide monitor, shared by main() and the SIGHUP handler.
arp_monitor monitor;
// SIGHUP handler: rebuild the gateway list from `lo`, then re-apply routes.
// The ucarp up script sends the HUP after adding a carp address to `lo`.
// NOTE(review): getifaddrs(), system() and iostream output are not
// async-signal-safe; setting a flag here and acting on it from the sniff
// callback would be the safe form. Kept as the daemon is driven today.
void reroute(int /* signum: unused */) {
    monitor.makegws();
    monitor.reroute();
}
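// Entry point: `arp-rt <interface>`. Installs the SIGHUP handler, builds the
// initial gateway list, then sniffs ARP on <interface> in promiscuous mode
// until the capture fails.
//
// Returns 1 on bad usage, 0 otherwise (a failed capture is reported on
// stderr and still exits 0, as in the original).
//
// Fix: drops the leftover debug lines (`string test;`, printing
// sizeof(string)) and catches the exception by const reference.
int main(int argc, char *argv[]) {
    if (argc != 2) {
        cout << "Usage: " << *argv << " <interface>" << endl;
        return 1;
    }
    signal(SIGHUP, reroute);
    monitor.iface = argv[1];
    SnifferConfiguration config;
    config.set_promisc_mode(true);  // see other hosts' ARP, not only frames for us
    config.set_filter("arp");       // BPF filter: only ARP frames reach callback()
    monitor.makegws();
    try {
        Sniffer sniffer(argv[1], config);
        monitor.run(sniffer);
    } catch (const std::exception &ex) {
        std::cerr << "Error: " << ex.what() << std::endl;
    }
    return 0;
}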
libtins hoʻokomo palapala
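#!/bin/bash
# Builds and installs libtins from git, then refreshes the linker cache.
# Stop at the first failing step so a failed clone or cmake does not go on
# to run `make install` against a half-built tree (the original ran every
# line regardless).
set -euo pipefail
# NOTE(review): this tracks the repository's default branch; pin a release
# tag or commit for a reproducible build.
git clone https://github.com/mfontanini/libtins.git
cd libtins
mkdir build
cd build
cmake ../
make
make install
ldconfig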
Kauoha e kūkulu i ka binary
# Build with C++11 (std::bind / placeholders are used) against libtins and pthreads.
g++ main.cpp -o arp-rt -O3 -std=c++11 -lpthread -ltins
Pehea e hoʻomaka ai?
# One arp-rt daemon per access VLAN interface; the pid file is named after the interface.
start-stop-daemon --start --exec /opt/ipoe/arp-routes/arp-rt -b -m -p /opt/ipoe/arp-routes/daemons/eth0.800.pid -- eth0.800
ʻAe - e kūkulu hou ia i nā papa ma muli o ka hōʻailona HUP. No ke aha ʻoe i hoʻohana ʻole ai i ka netlink? ʻO ka palaualelo wale nō a he palapala ʻo Linux ma kahi palapala - no laila ua maikaʻi nā mea a pau. ʻAe, he ala ala nā ala, he aha ka hope? Ma hope aʻe, pono mākou e hoʻouna i nā ala ma kēia kikowaena i ka palena - ma ʻaneʻi, ma muli o ka ʻenehana like ʻole, ua lawe mākou i ke ala o ke kūʻē liʻiliʻi - ua hāʻawi mākou i kēia hana iā BGP.
bgp configinoa hoʻokipa *****
hua huna *******
waihona waihona /var/log/bgp.log
!
# ʻO ka helu AS, nā ʻōlelo a me nā ʻoihana pūnaewele
mea hoʻokele bgp 12345
bgp router-id 1.2.3.4
e puunaue hou i pili
e puunaue hou
hoalauna 1.2.3.1 mamao-e like me 12345
hoalauna 1.2.3.1 hope-hop-pono iho
hoalauna 1.2.3.1 ala-palapala ʻaʻohe i loko
hoa pili 1.2.3.1 ala-palapala hoʻokuʻu aku i waho
!
ʻae hoʻokuʻu i ka papa inoa komo 1.2.3.0/24
!
palapala 'a'ai palapala 'ae 10
hoʻolike ip address export
!
Hōʻole ka palapala ʻāina alahele 20
E hoʻomau kāua. I mea e pane ai ke kikowaena i nā noi arp, pono ʻoe e ʻae i ka proxy arp.
# Enable proxy ARP on the access interface so this server answers the customers' ARP requests.
echo 1 > /proc/sys/net/ipv4/conf/eth0.800/proxy_arp
E neʻe kākou - ucarp. Kākau mākou i nā palapala hoʻomaka no kēia hana mana.
Ka laʻana o ka holo ʻana i hoʻokahi daemon
# One ucarp instance per virtual gateway; up.sh/down.sh receive the interface, the address and the --xparam value.
# NOTE(review): the shared secret given with --pass=... is visible to every local user via `ps`; ucarp's --passfile=<file> avoids that.
start-stop-daemon --start --exec /usr/sbin/ucarp -b -m -p /opt/ipoe/ucarp-gen2/daemons/$iface.$vhid.$virtualaddr.pid -- --interface=eth0.800 --srcip=1.2.3.4 --vhid=1 --pass=carpasword --addr=10.10.10.1 --upscript=/opt/ipoe/ucarp-gen2/up.sh --downscript=/opt/ipoe/ucarp-gen2/down.sh -z -k 10 -P --xparam="10.10.10.0/24"
up.sh
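#!/bin/bash
# ucarp up script, called as `up.sh <iface> <addr> <third-arg>` when this
# node becomes master. In the example invocation the third argument is the
# --xparam value, the customer prefix.
#
# Fixes: variables are quoted, and the `vlan` variable the original computed
# but never used is dropped.
iface="$1"
addr="$2"
gw="$3"
# Own the gateway address on lo and blackhole the customer prefix, so traffic
# for a customer address without a host route is dropped here.
ip addr add "$addr"/32 dev lo
ip route add blackhole "$gw"
echo 1 > "/proc/sys/net/ipv4/conf/$iface/proxy_arp"
# Restart the DHCP relay so it binds the new address, then ask arp-rt to
# rebuild its gateway list (SIGHUP handler in the C++ source).
# NOTE(review): -9 skips dhcrelay's own shutdown; `/etc/init.d/dhcrelay stop`
# before `zap` would be the orderly form. Kept as the author had it.
killall -9 dhcrelay
/etc/init.d/dhcrelay zap
/etc/init.d/dhcrelay start
killall -HUP arp-rt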
down.sh
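#!/bin/bash
# ucarp down script, called as `down.sh <iface> <addr> <third-arg>` when this
# node stops being master; undoes what up.sh set up.
#
# Fix: variables are quoted.
iface="$1"
addr="$2"
gw="$3"
ip addr del "$addr"/32 dev lo
ip route del blackhole "$gw"
echo 0 > "/proc/sys/net/ipv4/conf/$iface/proxy_arp"
# Restart the DHCP relay so it no longer uses the released address.
# NOTE(review): unlike up.sh, arp-rt is not sent SIGHUP here, so its gateway
# list keeps the released address until the next HUP; consider adding
# `killall -HUP arp-rt` if that matters for failover.
killall -9 dhcrelay
/etc/init.d/dhcrelay zap
/etc/init.d/dhcrelay start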
No ka hana ʻana o dhcprelay ma kahi interface, pono ia i kahi helu. No laila, ma nā loulou a mākou e hoʻohana ai e hoʻohui mākou i nā helu hema - no ka laʻana 10.255.255.1/32, 10.255.255.2/32, etc. ʻAʻole wau e haʻi iā ʻoe pehea e hoʻonohonoho ai i ka relay - maʻalahi nā mea āpau.
No laila he aha kā mākou? Hoʻihoʻi i nā ʻīpuka, hoʻonohonoho ʻokoʻa o nā ala, dhcp. ʻO kēia ka liʻiliʻi liʻiliʻi - hoʻopili pū ʻo lisg i nā mea āpau a puni ia a ua loaʻa iā mākou kahi shaper. No ke aha i lōʻihi a paʻakikī nā mea a pau? ʻAʻole maʻalahi ka lawe ʻana i ka accel-pppd a hoʻohana i ka pppoe holoʻokoʻa? ʻAʻole, ʻaʻole maʻalahi - hiki ʻole i ka poʻe ke hoʻopili i kahi patchcord i kahi alalai, ʻaʻole e haʻi i ka pppoe. He mea ʻoluʻolu ʻo accel-ppp - akā ʻaʻole ia i hana no mākou - nui nā hewa i ke code - ʻokiʻoki ia, ʻoki kekee, a ʻo ka mea kaumaha loa inā ua hoʻomālamalama - a laila pono nā kānaka e hoʻouka hou. nā mea āpau - ʻulaʻula nā kelepona - ʻaʻole i hana iki. He aha ka maikaʻi o ka hoʻohana ʻana i ka ucarp ma mua o ka keepalived? ʻAe, i nā mea āpau - aia nā puka 100, keepalived a hoʻokahi hewa i ka config - ʻaʻole hana nā mea āpau. ʻAʻole hana ka puka 1 me ka ucarp. E pili ana i ka palekana, ʻōlelo lākou e hoʻopaʻa inoa ka poʻe hema i nā helu no lākou iho a hoʻohana iā lākou ma ka māhele - e kāohi i kēia manawa, hoʻonohonoho mākou i ka dhcp-snooping + source-guard + arp inspection ma nā hoʻololi āpau / olts / bases. Inā ʻaʻohe dhpc ka mea kūʻai akā static - acces-list ma ke awa.
No ke aha i hana ʻia ai kēia mau mea? E hoʻopau i nā kaʻa i makemake ʻole ʻia. I kēia manawa ua loaʻa i kēlā me kēia hoʻololi kona vlan ponoʻī a ʻike ʻole-unicast ʻaʻole makaʻu hou, no ka mea pono e hele i hoʻokahi awa a ʻaʻole i nā mea a pau ... ʻAe, ʻo nā hopena ʻaoʻao he mea hoʻonohonoho maʻamau, ʻoi aku ka maikaʻi o ka hoʻokaʻawale ʻana i kahi wahi.
Pehea e hoʻonohonoho ai i ka lisg he kumuhana ʻokoʻa. Hoʻopili ʻia nā loulou i nā hale waihona puke. Malia paha e kōkua ka mea i luna i ka hoʻokō ʻana i kā lākou pahuhopu. ʻAʻole i hoʻokō ʻia ka mana 6 ma kā mākou pūnaewele - akā aia ka pilikia - aia nā manaʻo e kākau hou i ka lisg no ka mana 6, a pono e hoʻoponopono i ka papahana e hoʻohui i nā ala.
Source: www.habr.com