Fault-tolerant IPoE network built with home-made tools

Hello. So: there is a network of about 5k customers. Not long ago we had an unpleasant moment. At the core of the network sits our Brocade RX8, and it started flooding a lot of unknown-unicast. The network is split into vlans, which by itself is not a problem, BUT there are dedicated vlans for public ("white") addresses and the like, and those are stretched across every corner of the network. Now imagine a flood arriving at the address of a customer whose MAC the edge has not learned: that flood flies out over a radio link to some (or all) of the villages, the channel is choked, the customers are furious, sadness...

The goal is to turn the bug into a feature. I was thinking in the direction of q-in-q with a whole vlan per customer, but all sorts of hardware like the P3310, once dot1q is enabled, stop passing DHCP, they also cannot do selective qinq, and there are many such traps. What is ip-unnumbered and how does it work? In short: a gateway address plus a route on the interface. For our task we need to: shape the traffic, hand out addresses to customers, and add routes to customers via particular interfaces. How do we do all this? Shaper: lisg; dhcp: db2dhcp on two independent servers; dhcprelay runs on the access servers, and ucarp also runs on the access servers, for redundancy. But how do we add the routes? You could pre-add everything with one big script, but that is not right. So we will build a hand-written crutch.

After a thorough search of the Internet I found an excellent high-level library for C++ that lets you sniff traffic nicely. The algorithm of the route-adding program is this: we listen for arp requests on the interface; if the requested address is one of ours on the server's lo interface, we add a route to the sender via this interface and add a static arp record for that ip. All in all, a few copy-pastes, a little tweaking, and done.

Source of the 'router'

#include <stdio.h>
#include <stdlib.h>     // system()
#include <signal.h>     // signal(), SIGHUP
#include <sys/types.h>
#include <ifaddrs.h>
#include <netinet/in.h>
#include <string.h>
#include <arpa/inet.h>

#include <tins/tins.h>
#include <map>
#include <iostream>
#include <functional>
#include <sstream>

using std::cout;
using std::endl;
using std::map;
using std::bind;
using std::string;
using std::stringstream;

using namespace Tins;

class arp_monitor {
public:
    void run(Sniffer &sniffer);
    void reroute();
    void makegws();
    string iface;
    map <string, string> gws;          // gateway addresses configured on lo
private:
    bool callback(const PDU &pdu);
    map <string, string> route_map;    // client ip -> gateway it asked for
    map <string, string> mac_map;      // client ip -> client mac
    map <IPv4Address, HWAddress<6>> addresses;
};

// Collect every address configured on lo: these are the gateways we answer for.
void arp_monitor::makegws() {
    struct ifaddrs *ifAddrStruct = NULL;
    struct ifaddrs *ifa = NULL;
    void *tmpAddrPtr = NULL;
    gws.clear();
    getifaddrs(&ifAddrStruct);
    for (ifa = ifAddrStruct; ifa != NULL; ifa = ifa->ifa_next) {
        if (!ifa->ifa_addr) {
            continue;
        }
        string ifName = ifa->ifa_name;
        if (ifName == "lo") {
            // INET6_ADDRSTRLEN is large enough for both the v4 and the v6 text form
            char addressBuffer[INET6_ADDRSTRLEN];
            if (ifa->ifa_addr->sa_family == AF_INET) { // IPv4 address
                tmpAddrPtr = &((struct sockaddr_in *) ifa->ifa_addr)->sin_addr;
                inet_ntop(AF_INET, tmpAddrPtr, addressBuffer, INET_ADDRSTRLEN);
            } else if (ifa->ifa_addr->sa_family == AF_INET6) { // IPv6 address
                tmpAddrPtr = &((struct sockaddr_in6 *) ifa->ifa_addr)->sin6_addr;
                inet_ntop(AF_INET6, tmpAddrPtr, addressBuffer, INET6_ADDRSTRLEN);
            } else {
                continue;
            }
            gws[addressBuffer] = addressBuffer;
            cout << "GW " << addressBuffer << " is added" << endl;
        }
    }
    if (ifAddrStruct != NULL) freeifaddrs(ifAddrStruct);
}

void arp_monitor::run(Sniffer &sniffer) {
    cout << "RUNNING" << endl;
    sniffer.sniff_loop(
            bind(
                    &arp_monitor::callback,
                    this,
                    std::placeholders::_1
            )
    );
}

// Re-install every learned route and static arp entry, then announce the
// gateways with gratuitous arp. Called from the SIGHUP handler after
// makegws() has refreshed the gateway list.
void arp_monitor::reroute() {
    cout << "REROUTING" << endl;
    map<string, string>::iterator it;
    for ( it = route_map.begin(); it != route_map.end(); it++ ) {
        // it->first is the client address, it->second the gateway it asked for
        if (this->gws.count(it->second) && !this->gws.count(it->first)) {
            string cmd = "ip route replace ";
            cmd += it->first;
            cmd += " dev " + this->iface;
            cmd += " src " + it->second;
            cmd += " proto static";
            cout << cmd << std::endl;
            cout << "REROUTE " << it->first << " SRC " << it->second << endl;
            system(cmd.c_str());
            cmd = "arp -s ";
            cmd += it->first;
            cmd += " ";
            cmd += mac_map[it->first];
            cout << cmd << endl;
            system(cmd.c_str());
        }
    }
    for ( it = gws.begin(); it != gws.end(); it++ ) {
        // gratuitous arp so the segment learns the gateway mac after a failover
        string cmd = "arping -U -s ";
        cmd += it->first;
        cmd += " -I ";
        cmd += this->iface;
        cmd += " -b -c 1 ";
        cmd += it->first;
        system(cmd.c_str());
    }
    cout << "REROUTED" << endl;
}

bool arp_monitor::callback(const PDU &pdu) {
    // Retrieve the ARP layer (the capture filter only passes arp frames)
    const ARP &arp = pdu.rfind_pdu<ARP>();

    if (arp.opcode() == ARP::REQUEST) {
        string target = arp.target_ip_addr().to_string();
        string sender = arp.sender_ip_addr().to_string();
        this->route_map[sender] = target;
        this->mac_map[sender] = arp.sender_hw_addr().to_string();
        cout << "save sender " << sender << ":" << this->mac_map[sender] << " want target " << target << endl;
        // only react when a client asks for one of our gateways
        if (this->gws.count(target) && !this->gws.count(sender)) {
            string cmd = "ip route replace ";
            cmd += sender;
            cmd += " dev " + this->iface;
            cmd += " src " + target;
            cmd += " proto static";
            system(cmd.c_str());
            cmd = "arp -s ";
            cmd += arp.sender_ip_addr().to_string();
            cmd += " ";
            cmd += arp.sender_hw_addr().to_string();
            cout << cmd << endl;
            system(cmd.c_str());
        }
    }
    return true;
}

arp_monitor monitor;
// SIGHUP handler. Note that system() is not async-signal-safe; the daemon
// accepts this because HUP is only sent by the ucarp up script.
void reroute(int signum) {
    monitor.makegws();
    monitor.reroute();
}

int main(int argc, char *argv[]) {
    if (argc != 2) {
        cout << "Usage: " << *argv << " <interface>" << endl;
        return 1;
    }
    signal(SIGHUP, reroute);
    monitor.iface = argv[1];
    // Sniffer configuration
    SnifferConfiguration config;
    config.set_promisc_mode(true);
    config.set_filter("arp");

    monitor.makegws();

    try {
        // Sniff on the provided interface in promiscuous mode
        Sniffer sniffer(argv[1], config);

        // Only capture arp packets
        monitor.run(sniffer);
    }
    catch (std::exception &ex) {
        std::cerr << "Error: " << ex.what() << std::endl;
    }
}
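The daemon above installs a /32 route and a static arp entry for whoever sends an arp request for one of the gateway addresses, which means it trusts the sender field of every arp frame on the segment; the text later relies on dhcp-snooping, source-guard and arp inspection in the switches to keep that honest. The following is an added example (not the article's code, and it does not use libtins) that models the same decision in isolation, with one extra host-side check: the sender's IP/MAC pair must match a known DHCP lease before anything is installed. The class and function names (ArpRouteGuard, decide, RouteAction) are invented for the example, the lease table is constructed sample data standing in for an export from the DHCP server, it rejects the 0.0.0.0 arp probes that DHCP clients send, and it emits `ip neigh replace ... nud permanent` as the equivalent of the article's `arp -s`.

```cpp
// Added example: route decision for arp-driven ip-unnumbered routing,
// with a DHCP-lease binding check in front of it. Not the article's code.
#include <arpa/inet.h>
#include <netinet/in.h>
#include <cctype>
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>

struct ArpRequest {
    std::string sender_ip;   // sender protocol address of the who-has request
    std::string sender_mac;  // sender hardware address
    std::string target_ip;   // address being resolved
};

struct RouteAction {
    bool install = false;               // true when the daemon should act
    std::string reason;                 // why it did or did not
    std::vector<std::string> commands;  // commands it would run (for logging / dry-run)
};

class ArpRouteGuard {
public:
    // iface: access interface; gateways: addresses on lo; leases: ip -> mac (constructed here)
    ArpRouteGuard(std::string iface, std::set<std::string> gateways,
                  std::map<std::string, std::string> leases)
        : iface_(std::move(iface)), gws_(std::move(gateways)) {
        for (const auto &kv : leases) leases_[kv.first] = lower(kv.second);
    }

    static bool valid_ipv4(const std::string &s) {
        struct in_addr a;
        return inet_pton(AF_INET, s.c_str(), &a) == 1;
    }

    // Accepts only the canonical xx:xx:xx:xx:xx:xx form.
    static bool valid_mac(const std::string &s) {
        if (s.size() != 17) return false;
        for (size_t i = 0; i < s.size(); ++i) {
            if (i % 3 == 2) {
                if (s[i] != ':') return false;
            } else if (!std::isxdigit(static_cast<unsigned char>(s[i]))) {
                return false;
            }
        }
        return true;
    }

    RouteAction decide(const ArpRequest &req) const {
        RouteAction act;
        if (!valid_ipv4(req.sender_ip) || !valid_ipv4(req.target_ip) ||
            !valid_mac(req.sender_mac)) {
            act.reason = "malformed address";
            return act;
        }
        if (req.sender_ip == "0.0.0.0") {  // arp probe from a DHCP client, never a route
            act.reason = "ARP probe, sender 0.0.0.0";
            return act;
        }
        if (!gws_.count(req.target_ip)) {
            act.reason = "target is not one of our gateways";
            return act;
        }
        if (gws_.count(req.sender_ip)) {   // somebody on the segment claiming our gateway
            act.reason = "sender claims a gateway address";
            return act;
        }
        auto lease = leases_.find(req.sender_ip);
        if (lease == leases_.end()) {
            act.reason = "no DHCP lease for sender";
            return act;
        }
        if (lease->second != lower(req.sender_mac)) {  // spoofed sender ip
            act.reason = "sender MAC does not match lease";
            return act;
        }
        act.install = true;
        act.reason = "ok";
        act.commands.push_back("ip route replace " + req.sender_ip + "/32 dev " + iface_ +
                               " src " + req.target_ip + " proto static");
        // ip-neigh equivalent of the article's "arp -s"
        act.commands.push_back("ip neigh replace " + req.sender_ip + " lladdr " +
                               lower(req.sender_mac) + " dev " + iface_ + " nud permanent");
        return act;
    }

private:
    static std::string lower(std::string s) {
        for (auto &c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
        return s;
    }
    std::string iface_;
    std::set<std::string> gws_;
    std::map<std::string, std::string> leases_;
};

int main() {
    // Constructed sample data: one gateway on lo, two DHCP leases.
    ArpRouteGuard guard("eth0.800", {"10.10.10.1"},
                        {{"10.10.10.50", "aa:bb:cc:dd:ee:01"},
                         {"10.10.10.51", "aa:bb:cc:dd:ee:02"}});
    const ArpRequest samples[] = {
        {"10.10.10.50", "aa:bb:cc:dd:ee:01", "10.10.10.1"},  // legitimate client
        {"10.10.10.50", "aa:bb:cc:dd:ee:99", "10.10.10.1"},  // sender ip does not match the lease
        {"0.0.0.0", "aa:bb:cc:dd:ee:02", "10.10.10.51"},     // DHCP address probe
        {"10.10.10.1", "aa:bb:cc:dd:ee:01", "10.10.10.1"},   // someone claiming the gateway
    };
    for (const auto &req : samples) {
        RouteAction act = guard.decide(req);
        std::cout << req.sender_ip << " -> " << (act.install ? "install" : "ignore")
                  << " (" << act.reason << ")" << std::endl;
        for (const auto &cmd : act.commands) std::cout << "    " << cmd << std::endl;
    }
    return 0;
}
```

The point of returning a RouteAction instead of calling system() directly is that the decision can be logged and unit-tested without touching the routing table; in the daemon, the commands would be executed only when install is true, and every rejected request with a mismatching MAC is exactly the event an operator wants to see in the log, because it is what a spoofing host on the shared vlan looks like from the access server.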

libtins install script

#!/bin/bash

git clone https://github.com/mfontanini/libtins.git
cd libtins
mkdir build
cd build
cmake ../
make
make install
ldconfig

Command to build the binary

g++ main.cpp -o arp-rt -O3 -std=c++11 -lpthread -ltins

How is it launched?

start-stop-daemon --start --exec  /opt/ipoe/arp-routes/arp-rt -b -m -p /opt/ipoe/arp-routes/daemons/eth0.800.pid -- eth0.800

Yes, the table is rebuilt on the HUP signal. Why not use netlink? Pure laziness, and Linux is scripts on top of scripts anyway, so everything is fine. OK, routes are routes, but what next? Next, the routes held on this server have to be sent to the border; here, because of that same old hardware, we took the path of least resistance and handed the job to BGP.

bgpd config

hostname *******
password *******
log file /var/log/bgp.log
!
# AS number, addresses and networks are fictitious
router bgp 12345
 bgp router-id 1.2.3.4
 redistribute connected
 ! the protocol keyword of the next line was lost in this page's translation; kernel is assumed,
 ! since zebra reports routes installed from outside it (ip route ... proto static) as kernel routes
 redistribute kernel
 neighbor 1.2.3.1 remote-as 12345
 neighbor 1.2.3.1 next-hop-self
 neighbor 1.2.3.1 route-map none in
 neighbor 1.2.3.1 route-map export out
!
access-list export permit 1.2.3.0/24
!
route-map export permit 10
 match ip address export
!
route-map export deny 20

Let's continue. For the server to be able to answer arp requests, proxy arp has to be enabled.

echo 1 > /proc/sys/net/ipv4/conf/eth0.800/proxy_arp

Let's move on: ucarp. We write the launch scripts for this miracle ourselves.

Example of launching one daemon

start-stop-daemon --start --exec  /usr/sbin/ucarp -b -m -p /opt/ipoe/ucarp-gen2/daemons/$iface.$vhid.$virtualaddr.pid -- --interface=eth0.800 --srcip=1.2.3.4 --vhid=1 --pass=carpasword --addr=10.10.10.1 --upscript=/opt/ipoe/ucarp-gen2/up.sh --downscript=/opt/ipoe/ucarp-gen2/down.sh -z -k 10 -P --xparam="10.10.10.0/24"

up.sh

#!/bin/bash
# ucarp up script: called as up.sh <interface> <virtual address> <xparam>

iface=$1
addr=$2
gw=$3          # the --xparam value, i.e. the client subnet (10.10.10.0/24)

vlan=$(echo "$iface" | sed "s/eth0.//")   # VLAN id, not used below

# become the gateway: address on lo, blackhole for the client subnet, proxy arp on
ip addr add "$addr"/32 dev lo
ip route add blackhole "$gw"
echo 1 > /proc/sys/net/ipv4/conf/"$iface"/proxy_arp

killall -9 dhcrelay
/etc/init.d/dhcrelay zap
/etc/init.d/dhcrelay start

# make arp-rt rebuild its gateway list and re-install the routes
killall -HUP arp-rt

down.sh

#!/bin/bash
# ucarp down script: called as down.sh <interface> <virtual address> <xparam>

iface=$1
addr=$2
gw=$3          # the --xparam value, i.e. the client subnet

# stop being the gateway: undo everything up.sh did
ip addr del "$addr"/32 dev lo
ip route del blackhole "$gw"
echo 0 > /proc/sys/net/ipv4/conf/"$iface"/proxy_arp

killall -9 dhcrelay
/etc/init.d/dhcrelay zap
/etc/init.d/dhcrelay start

For dhcprelay to work on an interface, the interface needs an address. So on the interfaces we use we add dummy addresses, for example 10.255.255.1/32, 10.255.255.2/32 and so on. I will not describe how to configure the relay; it is all simple.

What do we have? Gateway redundancy, route automation, dhcp. That is the minimal set; lisg also wraps it all in shapers, and we have billing. Why is everything so long and complicated? Wouldn't it be easier to take accel-pppd and use pppoe everywhere? No, it would not: people cannot plug a patch cord into a router, let alone set up pppoe. accel-ppp is a nice thing, but it did not work out for us: there are too many bugs in the code, it falls apart, it drops sessions unexpectedly, and the saddest part is that when it glitches people have to reboot everything, the phones ring red hot, it did not work. What is the gain of ucarp over keepalived? In everything: with 100 gateways, one mistake in the config and nothing works; with ucarp, one gateway breaks. As for security, people say that rogue users will assign addresses to themselves and use them on the shared segment. To control that, we currently configure dhcp-snooping + source-guard + arp inspection on all switches / OLTs / base stations. If a client gets a static address rather than dhcp, there is an access-list on the port.

Why was all this done? To kill unwanted traffic. Now every switch has its own vlan and unknown-unicast is no longer scary, since it only has to go to one port instead of to everyone... Well, the side effects are a uniform hardware configuration and better allocation of address space.

How to configure lisg is a separate topic. Links to the libraries are attached. Perhaps the above will help someone reach their goals. Version 6 is not deployed on our network yet, but it will be a problem: there are plans to rewrite lisg for version 6, and the route-adding program will have to be adjusted.

Linux ISG
DB2DHCP
Libtins

Source: www.habr.com
