FreeBSD 10: complex bridge zones (with lacp uplink)

Anyone who needs an introduction can have a look at the following blog posts:

1: FreeBSD 10: VIMAGE (virtualized network stack) with if_bridge & epair

2: FreeBSD 10: LACP failover, multiple bridges, in-kernel IPFW NAT and CARP in the jail

WARNING: VIMAGE (virtualized network stack) is a highly experimental feature.

The following functions are wanted:

Link aggregation and failover: LACP for both network cards
– LACP with Spanning Tree Protocol
– Multiple bridges:
-> bridge0 (vswitch0) with lagg0 (plus stp), epair0a, epair2a, epair3a, epair4a, epair5a, epair6a, epair7a, epair8a, epair9a
-> bridge1 (vswitch1) connects epair0b and epair1b
-> HOST interface with epair1a, tap0, tun0, enc0, gif0-25 and one vlan interface
-> bridge2 (vswitch2) is to connect tap1-25 for VirtualBox VMs
-> bridge3 (vswitch3) distributes:
–> epair10 – vswitch10 – epair50 up to epair49 – vswitch49 – epair89
–> further epairs from 90 upwards can be used freely
-> tagged vlan over lagg0 to vswitch5-9 (vswitch4 stays idle)
-> the HOST interface/all JAILs are to get an epairNa
-> the FreeBSD HOST uses IPFW with in-kernel NAT (without IPDIVERT and the userland natd)
-> jails with CARP (for high availability)
-> IPFW for filtering at layer 2 and layer 3
-> kernel FLOWTABLE support for a "per-cpu routing cache"
-> kernel ROUTETABLES=16 support (Forward Information Base/multiple routing tables)
-> statically defined MAC addresses
-> kernel IPSTEALTH support to forward packets without decrementing the time to live (TTL) counter

[Figure: FreeBSD Beastie, complex bridge zones (with lacp uplink)]

Point 1: new kernel for VIMAGE, IPFW with in-kernel NAT, LACP, CARP, BRIDGE, FLOWTABLE, ROUTETABLES, IPSTEALTH and further modules

Dummynet (QoS) does NOT work inside a jail, but with special settings you can filter directly on the bridge interface on the HOST!

Mind the if_epair patch!

$
cd /usr/ports/devel/subversion/ && make install clean
 
zfs create -o checksum=sha256 -o compression=lz4 -o mountpoint=/usr/src zroot/usr/src
zfs create -o checksum=sha256 -o compression=lz4 -o mountpoint=/usr/obj zroot/usr/obj
 
cd /usr
chflags -R noschg /usr/obj/*
rm -rfv /usr/obj/*
rm -rfv /usr/src/*
rm -rfv /usr/src/.svn
 
cd /usr/src
svn checkout https://svn0.eu.FreeBSD.org/base/releng/10.0 /usr/src
svn up /usr/src
$
$
cd /usr/src/sys/amd64/conf
mkdir /root/kernels
cp GENERIC /root/kernels/BRIDGEZONES
ln -s /root/kernels/BRIDGEZONES
vi /root/kernels/BRIDGEZONES
$
$
### ### ### PLITC ### ### ###
#
cpu             HAMMER
ident           BRIDGEZONES

makeoptions     DEBUG=-g                        # Build kernel with gdb(1) debug symbols
makeoptions     WITH_CTF=1                      # Run ctfconvert(1) for DTrace support

### < --- --- --- > ###

options         IPFIREWALL                      # enables IPFW
options         IPFIREWALL_VERBOSE              # enables logging for rules with log keyword
options         IPFIREWALL_VERBOSE_LIMIT=256    # limits number of logged packets per-entry
options         IPFIREWALL_DEFAULT_TO_ACCEPT    # sets default policy to pass what is not explicitly denied
### options         IPDIVERT                        # enables NATd Support
options         IPFIREWALL_NAT                  # IPFW in-Kernel NAT support
options         LIBALIAS                        # required for in-Kernel NAT / replacement for NATd

options         DUMMYNET                        # traffic shaper, bandwidth manager and delay emulator
options         HZ=1000                         # strongly recommended

device          carp
device          lagg
device          enc
device          gre
options         XBONEHACK

options         TCP_SIGNATURE                   # include support for RFC 2385

options         VIMAGE                          # Network Stack Virtualization
options         NULLFS                          # NULL filesystem

### VIMAGE - if_bridge/epair virtualization // ###
device          if_bridge
device          epair
### // VIMAGE - if_bridge/epair virtualization ###

### VIMAGE - netgraph virtualization // ###
options         NETGRAPH
options         NETGRAPH_ETHER
options         NETGRAPH_BRIDGE
options         NETGRAPH_EIFACE
options         NETGRAPH_SOCKET
### // VIMAGE - netgraph virtualization ###

device          tap                             # virtual link layer 2 device

options         VFS_AIO

### DEFAULT ### options         TCP_OFFLOAD     # TCP offload

options         RACCT                           # Resource accounting
options         RCTL                            # Controls resource limits

device          crypto                          # core crypto support
device          cryptodev                       # /dev/crypto for access to h/w

device          rndtest                         # FIPS 140-2 entropy tester

device          hifn                            # Hifn 7951, 7781, etc.
options         HIFN_DEBUG                      # enable debugging support: hw.hifn.debug
options         HIFN_RNDTEST                    # enable rndtest support

device          ubsec                           # Broadcom 5501, 5601, 58xx
options         UBSEC_DEBUG                     # enable debugging support: hw.ubsec.debug
options         UBSEC_RNDTEST                   # enable rndtest support

options         IPSEC                           # IP security (requires device crypto)
options         IPSEC_NAT_T                     # NAT-T support, UDP encap of ESP
options         IPSEC_FILTERTUNNEL              #

options         FDESCFS                         # File descriptor filesystem

### NOT WITH VIMAGE ### device          pf
### NOT WITH VIMAGE ### device          pflog
### NOT WITH VIMAGE ### device          pfsync
### NOT WITH VIMAGE ### options         ALTQ
### NOT WITH VIMAGE ### options         KTR_ALQ
### NOT WITH VIMAGE ### options         ALTQ_CBQ       # Class Based Queueing
### NOT WITH VIMAGE ### options         ALTQ_RED       # Random Early Detection
### NOT WITH VIMAGE ### options         ALTQ_RIO       # RED In/Out
### NOT WITH VIMAGE ### options         ALTQ_HFSC      # Hierarchical Packet Scheduler
### NOT WITH VIMAGE ### options         ALTQ_CDNR      # Traffic conditioner
### NOT WITH VIMAGE ### options         ALTQ_PRIQ      # Priority Queueing
### NOT WITH VIMAGE ### options         ALTQ_NOPCC     # Required if the TSC is unusable
### NOT WITH VIMAGE ### options         MROUTING       # multicast routing
### NOT WITH VIMAGE ### options         ROUTETABLES=15 # max 16 FIB (Forward Information Base/multiple routing tables) support
#
options         FLOWTABLE                       # per-cpu routing cache
options         IPSTEALTH                       # forward packets without decrementing the time to live (TTL) counter
#
### colors // ###
options         SC_PIXEL_MODE
options         SC_NORM_ATTR=(FG_CYAN|BG_BLACK)         # The normal text will be blue on black background
options         SC_KERNEL_CONS_ATTR=(FG_RED|BG_BLACK)   # Kernel message will be red on black background
### // colors ###
#
### options         DEVICE_POLLING              # compatible with bge
#
### ### ### PLITC ### ### ###
$

Point 2: build/install the kernel

$
cd /usr/src
time make buildkernel KERNCONF=BRIDGEZONES
time make installkernel KERNCONF=BRIDGEZONES

reboot
$

Point 3: /etc/rc.conf

$
vi /etc/rc.conf


### ### ### PLITC ### ### ###
#
### LACP // ###
## // ifconfig_bge0="ether CA:FE:BA:BE:00:0E polling up"
## // ifconfig_bge1="ether CA:FE:BA:BE:00:0E polling up"
ifconfig_bge0="ether CA:FE:BA:BE:00:0E up"
ifconfig_bge1="ether CA:FE:BA:BE:00:0E up"
# the laggports must be the two bge cards configured above
ifconfig_lagg0="laggproto lacp laggport bge0 laggport bge1 lagghash l3"
### // LACP ###

### VIMAGE // ###
#
cloned_interfaces="lagg0 vlan0 vlan1 vlan2 vlan3 vlan4 vlan5 bridge0 bridge1 bridge2 bridge3 bridge4 bridge5 bridge6 bridge7 bridge8 bridge9 bridge10 bridge11 bridge12 bridge13 bridge14 bridge15 bridge16 bridge17 bridge18 bridge19 bridge20 bridge21 bridge22 bridge23 bridge24 bridge25 bridge26 bridge27 bridge28 bridge29 bridge30 bridge31 bridge32 bridge33 bridge34 bridge35 bridge36 bridge37 bridge38 bridge39 bridge40 bridge41 bridge42 bridge43 bridge44 bridge45 bridge46 bridge47 bridge48 bridge49 tap0 tap1 tap2 tap3 tap4 tap5 tap6 tap7 tap8 tap9 tap10 tap11 tap12 tap13 tap14 tap15 tap16 tap17 tap18 tap19 tap20 tap21 tap22 tap23 tap24 tap25 tun0 tun1 tun2 tun3 tun4 tun5 tun6 tun7 tun8 tun9 tun10 tun11 tun12 tun13 tun14 tun15 tun16 tun17 tun18 tun19 tun20 tun21 tun22 tun23 tun24 tun25 gif0 gif1 gif2 gif3 gif4 gif5 gif6 gif7 gif8 gif9 gif10 gif11 gif12 gif13 gif14 gif15 gif16 gif17 gif18 gif19 gif20 gif21 gif22 gif23 gif24 gif25 epair0 epair1 epair2 epair3 epair4 epair5 epair6 epair7 epair8 epair9 epair10 epair11 epair12 epair13 epair14 epair15 epair16 epair17 epair18 epair19 epair20 epair21 epair22 epair23 epair24 epair25 epair26 epair27 epair28 epair29 epair30 epair31 epair32 epair33 epair34 epair35 epair36 epair37 epair38 epair39 epair40 epair41 epair42 epair43 epair44 epair45 epair46 epair47 epair48 epair49 epair50 epair51 epair52 epair53 epair54 epair55 epair56 epair57 epair58 epair59 epair60 epair61 epair62 epair63 epair64 epair65 epair66 epair67 epair68 epair69 epair70 epair71 epair72 epair73 epair74 epair75 epair76 epair77 epair78 epair79 epair80 epair81 epair82 epair83 epair84 epair85 epair86 epair87 epair88 epair89"
#
ifconfig_tap0="ether CA:FE:BA:BA:01:00 up"
ifconfig_tap1="ether CA:FE:BA:BA:01:01 up"
ifconfig_tap2="ether CA:FE:BA:BA:01:02 up"
ifconfig_tap3="ether CA:FE:BA:BA:01:03 up"
ifconfig_tap4="ether CA:FE:BA:BA:01:04 up"
ifconfig_tap5="ether CA:FE:BA:BA:01:05 up"
ifconfig_tap6="ether CA:FE:BA:BA:01:06 up"
ifconfig_tap7="ether CA:FE:BA:BA:01:07 up"
ifconfig_tap8="ether CA:FE:BA:BA:01:08 up"
ifconfig_tap9="ether CA:FE:BA:BA:01:09 up"
ifconfig_tap10="ether CA:FE:BA:BA:01:10 up"
ifconfig_tap11="ether CA:FE:BA:BA:01:11 up"
ifconfig_tap12="ether CA:FE:BA:BA:01:12 up"
ifconfig_tap13="ether CA:FE:BA:BA:01:13 up"
ifconfig_tap14="ether CA:FE:BA:BA:01:14 up"
ifconfig_tap15="ether CA:FE:BA:BA:01:15 up"
ifconfig_tap16="ether CA:FE:BA:BA:01:16 up"
ifconfig_tap17="ether CA:FE:BA:BA:01:17 up"
ifconfig_tap18="ether CA:FE:BA:BA:01:18 up"
ifconfig_tap19="ether CA:FE:BA:BA:01:19 up"
ifconfig_tap20="ether CA:FE:BA:BA:01:20 up"
ifconfig_tap21="ether CA:FE:BA:BA:01:21 up"
ifconfig_tap22="ether CA:FE:BA:BA:01:22 up"
ifconfig_tap23="ether CA:FE:BA:BA:01:23 up"
ifconfig_tap24="ether CA:FE:BA:BA:01:24 up"
ifconfig_tap25="ether CA:FE:BA:BA:01:25 up"
#
ifconfig_tun0="up"
ifconfig_tun1="up"
ifconfig_tun2="up"
ifconfig_tun3="up"
ifconfig_tun4="up"
ifconfig_tun5="up"
ifconfig_tun6="up"
ifconfig_tun7="up"
ifconfig_tun8="up"
ifconfig_tun9="up"
ifconfig_tun10="up"
ifconfig_tun11="up"
ifconfig_tun12="up"
ifconfig_tun13="up"
ifconfig_tun14="up"
ifconfig_tun15="up"
ifconfig_tun16="up"
ifconfig_tun17="up"
ifconfig_tun18="up"
ifconfig_tun19="up"
ifconfig_tun20="up"
ifconfig_tun21="up"
ifconfig_tun22="up"
ifconfig_tun23="up"
ifconfig_tun24="up"
ifconfig_tun25="up"
#
ifconfig_gif0="up"
ifconfig_gif1="up"
ifconfig_gif2="up"
ifconfig_gif3="up"
ifconfig_gif4="up"
ifconfig_gif5="up"
ifconfig_gif6="up"
ifconfig_gif7="up"
ifconfig_gif8="up"
ifconfig_gif9="up"
ifconfig_gif10="up"
ifconfig_gif11="up"
ifconfig_gif12="up"
ifconfig_gif13="up"
ifconfig_gif14="up"
ifconfig_gif15="up"
ifconfig_gif16="up"
ifconfig_gif17="up"
ifconfig_gif18="up"
ifconfig_gif19="up"
ifconfig_gif20="up"
ifconfig_gif21="up"
ifconfig_gif22="up"
ifconfig_gif23="up"
ifconfig_gif24="up"
ifconfig_gif25="up"
#
### HOST // ###
ifconfig_epair0a="ether CA:FE:BA:BE:00:0A up"
ifconfig_epair0b="ether CA:FE:BA:BE:00:0B up"
### HOST Interface // ###
ifconfig_epair1a="ether CA:FE:BA:BE:01:0A up"
ifconfig_epair1a_alias0="inet 192.168.0.1 netmask 255.255.255.0"
ifconfig_epair1a_ipv6="inet6 auto_linklocal accept_rtadv"
ifconfig_epair1a_alias1="inet6 2001:aaaa:bbbb:cccc::1 prefixlen 64"
### // HOST Interface ###
ifconfig_epair1b="ether CA:FE:BA:BE:01:0B up"
### // HOST ###
#
### VirtualMachine // ###
ifconfig_epair2a="ether CA:FE:BA:BE:02:0A up"
ifconfig_epair2b="ether CA:FE:BA:BE:02:0B up"
### // VirtualMachine ###
#
### vswitch - Jails // ###
ifconfig_epair3a="ether CA:FE:BA:BE:03:0A up"
ifconfig_epair3b="ether CA:FE:BA:BE:03:0B up"
### // vswitch - Jails ###
#
### Jails - vswitch // ###
ifconfig_epair10a="ether CA:FE:BA:BE:10:0A up"
ifconfig_epair10b="ether CA:FE:BA:BE:10:0B up"
ifconfig_epair11a="ether CA:FE:BA:BE:11:0A up"
ifconfig_epair11b="ether CA:FE:BA:BE:11:0B up"
ifconfig_epair12a="ether CA:FE:BA:BE:12:0A up"
ifconfig_epair12b="ether CA:FE:BA:BE:12:0B up"
ifconfig_epair13a="ether CA:FE:BA:BE:13:0A up"
ifconfig_epair13b="ether CA:FE:BA:BE:13:0B up"
ifconfig_epair14a="ether CA:FE:BA:BE:14:0A up"
ifconfig_epair14b="ether CA:FE:BA:BE:14:0B up"
ifconfig_epair15a="ether CA:FE:BA:BE:15:0A up"
ifconfig_epair15b="ether CA:FE:BA:BE:15:0B up"
ifconfig_epair16a="ether CA:FE:BA:BE:16:0A up"
ifconfig_epair16b="ether CA:FE:BA:BE:16:0B up"
ifconfig_epair17a="ether CA:FE:BA:BE:17:0A up"
ifconfig_epair17b="ether CA:FE:BA:BE:17:0B up"
ifconfig_epair18a="ether CA:FE:BA:BE:18:0A up"
ifconfig_epair18b="ether CA:FE:BA:BE:18:0B up"
ifconfig_epair19a="ether CA:FE:BA:BE:19:0A up"
ifconfig_epair19b="ether CA:FE:BA:BE:19:0B up"
ifconfig_epair20a="ether CA:FE:BA:BE:20:0A up"
ifconfig_epair20b="ether CA:FE:BA:BE:20:0B up"
ifconfig_epair21a="ether CA:FE:BA:BE:21:0A up"
ifconfig_epair21b="ether CA:FE:BA:BE:21:0B up"
ifconfig_epair22a="ether CA:FE:BA:BE:22:0A up"
ifconfig_epair22b="ether CA:FE:BA:BE:22:0B up"
ifconfig_epair23a="ether CA:FE:BA:BE:23:0A up"
ifconfig_epair23b="ether CA:FE:BA:BE:23:0B up"
ifconfig_epair24a="ether CA:FE:BA:BE:24:0A up"
ifconfig_epair24b="ether CA:FE:BA:BE:24:0B up"
ifconfig_epair25a="ether CA:FE:BA:BE:25:0A up"
ifconfig_epair25b="ether CA:FE:BA:BE:25:0B up"
ifconfig_epair26a="ether CA:FE:BA:BE:26:0A up"
ifconfig_epair26b="ether CA:FE:BA:BE:26:0B up"
ifconfig_epair27a="ether CA:FE:BA:BE:27:0A up"
ifconfig_epair27b="ether CA:FE:BA:BE:27:0B up"
ifconfig_epair28a="ether CA:FE:BA:BE:28:0A up"
ifconfig_epair28b="ether CA:FE:BA:BE:28:0B up"
ifconfig_epair29a="ether CA:FE:BA:BE:29:0A up"
ifconfig_epair29b="ether CA:FE:BA:BE:29:0B up"
ifconfig_epair30a="ether CA:FE:BA:BE:30:0A up"
ifconfig_epair30b="ether CA:FE:BA:BE:30:0B up"
ifconfig_epair31a="ether CA:FE:BA:BE:31:0A up"
ifconfig_epair31b="ether CA:FE:BA:BE:31:0B up"
ifconfig_epair32a="ether CA:FE:BA:BE:32:0A up"
ifconfig_epair32b="ether CA:FE:BA:BE:32:0B up"
ifconfig_epair33a="ether CA:FE:BA:BE:33:0A up"
ifconfig_epair33b="ether CA:FE:BA:BE:33:0B up"
ifconfig_epair34a="ether CA:FE:BA:BE:34:0A up"
ifconfig_epair34b="ether CA:FE:BA:BE:34:0B up"
ifconfig_epair35a="ether CA:FE:BA:BE:35:0A up"
ifconfig_epair35b="ether CA:FE:BA:BE:35:0B up"
ifconfig_epair36a="ether CA:FE:BA:BE:36:0A up"
ifconfig_epair36b="ether CA:FE:BA:BE:36:0B up"
ifconfig_epair37a="ether CA:FE:BA:BE:37:0A up"
ifconfig_epair37b="ether CA:FE:BA:BE:37:0B up"
ifconfig_epair38a="ether CA:FE:BA:BE:38:0A up"
ifconfig_epair38b="ether CA:FE:BA:BE:38:0B up"
ifconfig_epair39a="ether CA:FE:BA:BE:39:0A up"
ifconfig_epair39b="ether CA:FE:BA:BE:39:0B up"
ifconfig_epair40a="ether CA:FE:BA:BE:40:0A up"
ifconfig_epair40b="ether CA:FE:BA:BE:40:0B up"
ifconfig_epair41a="ether CA:FE:BA:BE:41:0A up"
ifconfig_epair41b="ether CA:FE:BA:BE:41:0B up"
ifconfig_epair42a="ether CA:FE:BA:BE:42:0A up"
ifconfig_epair42b="ether CA:FE:BA:BE:42:0B up"
ifconfig_epair43a="ether CA:FE:BA:BE:43:0A up"
ifconfig_epair43b="ether CA:FE:BA:BE:43:0B up"
ifconfig_epair44a="ether CA:FE:BA:BE:44:0A up"
ifconfig_epair44b="ether CA:FE:BA:BE:44:0B up"
ifconfig_epair45a="ether CA:FE:BA:BE:45:0A up"
ifconfig_epair45b="ether CA:FE:BA:BE:45:0B up"
ifconfig_epair46a="ether CA:FE:BA:BE:46:0A up"
ifconfig_epair46b="ether CA:FE:BA:BE:46:0B up"
ifconfig_epair47a="ether CA:FE:BA:BE:47:0A up"
ifconfig_epair47b="ether CA:FE:BA:BE:47:0B up"
ifconfig_epair48a="ether CA:FE:BA:BE:48:0A up"
ifconfig_epair48b="ether CA:FE:BA:BE:48:0B up"
ifconfig_epair49a="ether CA:FE:BA:BE:49:0A up"
ifconfig_epair49b="ether CA:FE:BA:BE:49:0B up"
### // Jails - vswitch ###
#
### Jails // ###
ifconfig_epair50a="ether CA:FE:BA:BE:50:0A up"
ifconfig_epair50b="ether CA:FE:BA:BE:50:0B up"
ifconfig_epair51a="ether CA:FE:BA:BE:51:0A up"
ifconfig_epair51b="ether CA:FE:BA:BE:51:0B up"
ifconfig_epair52a="ether CA:FE:BA:BE:52:0A up"
ifconfig_epair52b="ether CA:FE:BA:BE:52:0B up"
ifconfig_epair53a="ether CA:FE:BA:BE:53:0A up"
ifconfig_epair53b="ether CA:FE:BA:BE:53:0B up"
ifconfig_epair54a="ether CA:FE:BA:BE:54:0A up"
ifconfig_epair54b="ether CA:FE:BA:BE:54:0B up"
ifconfig_epair55a="ether CA:FE:BA:BE:55:0A up"
ifconfig_epair55b="ether CA:FE:BA:BE:55:0B up"
ifconfig_epair56a="ether CA:FE:BA:BE:56:0A up"
ifconfig_epair56b="ether CA:FE:BA:BE:56:0B up"
ifconfig_epair57a="ether CA:FE:BA:BE:57:0A up"
ifconfig_epair57b="ether CA:FE:BA:BE:57:0B up"
ifconfig_epair58a="ether CA:FE:BA:BE:58:0A up"
ifconfig_epair58b="ether CA:FE:BA:BE:58:0B up"
ifconfig_epair59a="ether CA:FE:BA:BE:59:0A up"
ifconfig_epair59b="ether CA:FE:BA:BE:59:0B up"
ifconfig_epair60a="ether CA:FE:BA:BE:60:0A up"
ifconfig_epair60b="ether CA:FE:BA:BE:60:0B up"
ifconfig_epair61a="ether CA:FE:BA:BE:61:0A up"
ifconfig_epair61b="ether CA:FE:BA:BE:61:0B up"
ifconfig_epair62a="ether CA:FE:BA:BE:62:0A up"
ifconfig_epair62b="ether CA:FE:BA:BE:62:0B up"
ifconfig_epair63a="ether CA:FE:BA:BE:63:0A up"
ifconfig_epair63b="ether CA:FE:BA:BE:63:0B up"
ifconfig_epair64a="ether CA:FE:BA:BE:64:0A up"
ifconfig_epair64b="ether CA:FE:BA:BE:64:0B up"
ifconfig_epair65a="ether CA:FE:BA:BE:65:0A up"
ifconfig_epair65b="ether CA:FE:BA:BE:65:0B up"
ifconfig_epair66a="ether CA:FE:BA:BE:66:0A up"
ifconfig_epair66b="ether CA:FE:BA:BE:66:0B up"
ifconfig_epair67a="ether CA:FE:BA:BE:67:0A up"
ifconfig_epair67b="ether CA:FE:BA:BE:67:0B up"
ifconfig_epair68a="ether CA:FE:BA:BE:68:0A up"
ifconfig_epair68b="ether CA:FE:BA:BE:68:0B up"
ifconfig_epair69a="ether CA:FE:BA:BE:69:0A up"
ifconfig_epair69b="ether CA:FE:BA:BE:69:0B up"
ifconfig_epair70a="ether CA:FE:BA:BE:70:0A up"
ifconfig_epair70b="ether CA:FE:BA:BE:70:0B up"
ifconfig_epair71a="ether CA:FE:BA:BE:71:0A up"
ifconfig_epair71b="ether CA:FE:BA:BE:71:0B up"
ifconfig_epair72a="ether CA:FE:BA:BE:72:0A up"
ifconfig_epair72b="ether CA:FE:BA:BE:72:0B up"
ifconfig_epair73a="ether CA:FE:BA:BE:73:0A up"
ifconfig_epair73b="ether CA:FE:BA:BE:73:0B up"
ifconfig_epair74a="ether CA:FE:BA:BE:74:0A up"
ifconfig_epair74b="ether CA:FE:BA:BE:74:0B up"
ifconfig_epair75a="ether CA:FE:BA:BE:75:0A up"
ifconfig_epair75b="ether CA:FE:BA:BE:75:0B up"
ifconfig_epair76a="ether CA:FE:BA:BE:76:0A up"
ifconfig_epair76b="ether CA:FE:BA:BE:76:0B up"
ifconfig_epair77a="ether CA:FE:BA:BE:77:0A up"
ifconfig_epair77b="ether CA:FE:BA:BE:77:0B up"
ifconfig_epair78a="ether CA:FE:BA:BE:78:0A up"
ifconfig_epair78b="ether CA:FE:BA:BE:78:0B up"
ifconfig_epair79a="ether CA:FE:BA:BE:79:0A up"
ifconfig_epair79b="ether CA:FE:BA:BE:79:0B up"
ifconfig_epair80a="ether CA:FE:BA:BE:80:0A up"
ifconfig_epair80b="ether CA:FE:BA:BE:80:0B up"
ifconfig_epair81a="ether CA:FE:BA:BE:81:0A up"
ifconfig_epair81b="ether CA:FE:BA:BE:81:0B up"
ifconfig_epair82a="ether CA:FE:BA:BE:82:0A up"
ifconfig_epair82b="ether CA:FE:BA:BE:82:0B up"
ifconfig_epair83a="ether CA:FE:BA:BE:83:0A up"
ifconfig_epair83b="ether CA:FE:BA:BE:83:0B up"
ifconfig_epair84a="ether CA:FE:BA:BE:84:0A up"
ifconfig_epair84b="ether CA:FE:BA:BE:84:0B up"
ifconfig_epair85a="ether CA:FE:BA:BE:85:0A up"
ifconfig_epair85b="ether CA:FE:BA:BE:85:0B up"
ifconfig_epair86a="ether CA:FE:BA:BE:86:0A up"
ifconfig_epair86b="ether CA:FE:BA:BE:86:0B up"
ifconfig_epair87a="ether CA:FE:BA:BE:87:0A up"
ifconfig_epair87b="ether CA:FE:BA:BE:87:0B up"
ifconfig_epair88a="ether CA:FE:BA:BE:88:0A up"
ifconfig_epair88b="ether CA:FE:BA:BE:88:0B up"
ifconfig_epair89a="ether CA:FE:BA:BE:89:0A up"
ifconfig_epair89b="ether CA:FE:BA:BE:89:0B up"
### // Jails ###
#
# 802.1q VLANs
ifconfig_vlan0="ether CA:FE:BA:BE:02:00 vlan 100 vlandev lagg0 up"
ifconfig_vlan0_alias0="inet 192.168.100.1 netmask 255.255.255.0"
#
ifconfig_vlan1="ether CA:FE:BA:BE:02:01 vlan 101 vlandev lagg0 up"
ifconfig_vlan2="ether CA:FE:BA:BE:02:02 vlan 102 vlandev lagg0 up"
ifconfig_vlan3="ether CA:FE:BA:BE:02:03 vlan 103 vlandev lagg0 up"
ifconfig_vlan4="ether CA:FE:BA:BE:02:04 vlan 104 vlandev lagg0 up"
ifconfig_vlan5="ether CA:FE:BA:BE:02:05 vlan 105 vlandev lagg0 up"
#
### Gateway // ###
defaultrouter="192.168.0.254"
ipv6_defaultrouter="fe80::aaaa:bbbb:dddd%epair1a"
ip6addrctl_policy="ipv6_prefer"
### // Gateway ###
#
ifconfig_bridge0_name="vswitch0"
ifconfig_vswitch0="ether CA:FE:BA:BE:00:00 addm lagg0 stp lagg0 addm epair0a addm epair2a addm epair3a up"
#
ifconfig_bridge1_name="vswitch1"
ifconfig_vswitch1="ether CA:FE:BA:BE:00:01 addm epair0b stp epair0b addm epair1b up"
#
ifconfig_bridge2_name="vswitch2"
ifconfig_vswitch2="ether CA:FE:BA:BE:00:02 addm epair2b stp epair2b addm tap1 addm tap2 addm tap3 addm tap4 addm tap5 addm tap6 addm tap7 addm tap8 addm tap9 addm tap10 addm tap11 addm tap12 addm tap13 addm tap14 addm tap15 addm tap16 addm tap17 addm tap18 addm tap19 addm tap20 addm tap21 addm tap22 addm tap23 addm tap24 addm tap25 up"
#
ifconfig_bridge3_name="vswitch3"
ifconfig_vswitch3="ether CA:FE:BA:BE:00:03 addm epair3b stp epair3b addm epair10a addm epair11a addm epair12a addm epair13a addm epair14a addm epair15a addm epair16a addm epair17a addm epair18a addm epair19a addm epair20a addm epair21a addm epair22a addm epair23a addm epair24a addm epair25a addm epair26a addm epair27a addm epair28a addm epair29a addm epair30a addm epair31a addm epair32a addm epair33a addm epair34a addm epair35a addm epair36a addm epair37a addm epair38a addm epair39a addm epair40a addm epair41a addm epair42a addm epair43a addm epair44a addm epair45a addm epair46a addm epair47a addm epair48a addm epair49a up"
ifconfig_vswitch3_alias0="inet 192.168.1.1 netmask 255.255.255.0"
ifconfig_vswitch3_ipv6="inet6 auto_linklocal"
ifconfig_vswitch3_alias1="inet6 2001:aaaa:bbbb:ffff::1 prefixlen 64"
#
ifconfig_bridge4_name="vswitch4"
## // ifconfig_vswitch4="ether CA:FE:BA:BE:00:04 addm vlan0 addm epair4b up"
#
ifconfig_bridge5_name="vswitch5"
ifconfig_vswitch5="ether CA:FE:BA:BE:00:05 addm vlan1 addm epair5b up"
#
ifconfig_bridge6_name="vswitch6"
ifconfig_vswitch6="ether CA:FE:BA:BE:00:06 addm vlan2 addm epair6b up"
#
ifconfig_bridge7_name="vswitch7"
ifconfig_vswitch7="ether CA:FE:BA:BE:00:07 addm vlan3 addm epair7b up"
#
ifconfig_bridge8_name="vswitch8"
ifconfig_vswitch8="ether CA:FE:BA:BE:00:08 addm vlan4 addm epair8b up"
#
ifconfig_bridge9_name="vswitch9"
ifconfig_vswitch9="ether CA:FE:BA:BE:00:09 addm vlan5 addm epair9b up"
#
### Jails // ###
#
### jail1
ifconfig_bridge10_name="vswitch10"
ifconfig_vswitch10="ether CA:FE:BA:BE:00:10 addm epair10b stp epair10b addm epair50b up"
#
### jail2/jail3 CARP
ifconfig_bridge11_name="vswitch11"
ifconfig_vswitch11="ether CA:FE:BA:BE:00:11 addm epair11b stp epair11b addm epair51b addm epair52b up"
#
### jail3
ifconfig_bridge12_name="vswitch12"
## // ifconfig_vswitch12="ether CA:FE:BA:BE:00:12 addm epair12b stp epair12b addm epair52b up"
#
### // VIMAGE ###

### Firewall // ###
firewall_enable="YES"
#firewall_type="open"
firewall_logging="YES"
firewall_type="/etc/firewall.rules"
firewall_script="/etc/rc.firewall.local"
#
pf_enable="NO"                  # enable PF (load the module if needed)
pf_rules="/etc/pf.conf"         # file with the rule definitions for pf
pf_flags=""                     # additional parameters for starting pfctl
pflog_enable="NO"               # start pflogd(8)
pflog_logfile="/var/log/pflog"  # where pflogd should store its log file
pflog_flags=""                  # additional parameters for starting pflogd
### // Firewall ###
#
### ### ### PLITC ### ### ###
$

Under no circumstances may the option ipv6_activate_all_interfaces="YES" be used; it leads to a kernel crash!

lagg0: IPv6 address on bge0 have been removed before adding it as a member to prevent IPv6 address scope violation

If you put an IP address directly on the bridge interface (e.g. for ipfw filtering for Dummynet QoS), none of the bridge members may carry a direct IP address any more (this includes the IPv6 link-local addresses generated by ipv6_activate_all_interfaces)!

(If the bridge host needs an IP address, set it on the bridge interface, not on the member interfaces.)
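An added check for this caveat (example code, not from the original post): it parses ifconfig(8)-style output for a named bridge and reports every member that still carries an address. The ifconfig text is constructed, with epair1b deliberately holding an auto-generated link-local address while epair1a, the HOST interface, is not a member and may keep its addresses.

```shell
#!/bin/sh
# bridge_member_addr_check BRIDGE  < ifconfig-output
# Prints "member address" for every bridge member with an inet/inet6 address
# (link-local included) and returns 1 if any were found, 0 otherwise.
bridge_member_addr_check() {
    hits=$(awk -v br="$1" '
        # a new interface block starts with "name: flags=..."
        /^[A-Za-z0-9.]+: flags=/ { cur = $1; sub(/:$/, "", cur); next }
        # members are listed inside the bridge block
        cur == br && $1 == "member:" { members[$2] = 1; next }
        # remember every address seen per interface
        $1 == "inet" || $1 == "inet6" {
            a = $2; sub(/%.*/, "", a)          # strip the %scope suffix
            addrs[cur] = addrs[cur] a " "
        }
        END {
            for (m in members) {
                if (!(m in addrs)) continue
                n = split(addrs[m], list, " ")
                for (i = 1; i <= n; i++) print m, list[i]
            }
        }' | sort)
    [ -n "$hits" ] && printf '%s\n' "$hits"
    [ -z "$hits" ]
}

# Constructed ifconfig output for vswitch1 from the post; epair1b wrongly
# holds a link-local address, epair1a is the HOST interface (not a member).
SAMPLE_IFCONFIG='epair1a: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether ca:fe:ba:be:01:0a
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 2001:aaaa:bbbb:cccc::1 prefixlen 64
epair1b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether ca:fe:ba:be:01:0b
        inet6 fe80::c8fe:baff:febe:10b%epair1b prefixlen 64 scopeid 0x8
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether ca:fe:ba:be:00:0b
vswitch1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether ca:fe:ba:be:00:01
        member: epair1b flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 9 priority 128 path cost 2000
        member: epair0b flags=1c3<LEARNING,DISCOVER,STP,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 8 priority 128 path cost 2000'

# On a live host replace the sample with: ifconfig | bridge_member_addr_check vswitch1
printf '%s\n' "$SAMPLE_IFCONFIG" | bridge_member_addr_check vswitch1 \
    || echo "vswitch1: the members listed above must not carry addresses"
```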

Point 4: /etc/rc.firewall.local

$
vi /etc/rc.firewall.local

#!/bin/sh
### ### ### PLITC // ### ### ###
/sbin/ipfw -q flush
/sbin/ipfw -q pipe flush
/sbin/ipfw -q queue flush
/sbin/ipfw -q /etc/firewall.rules
### ### ### // PLITC ### ### ###
# EOF
$
$
chmod 755 /etc/rc.firewall.local
$

Point 5: /etc/firewall.rules

$
vi /etc/firewall.rules

### ### ### Firewall // ### ### ###
### default // ###
add 60100 allow ip from any to any via lo0
add 60200 deny ip from any to 127.0.0.0/8
add 60300 deny ip from 127.0.0.0/8 to any
add 60400 deny ip from any to ::1
add 60500 deny ip from ::1 to any
add 60600 allow ipv6-icmp from :: to ff02::/16
add 60700 allow ipv6-icmp from fe80::/10 to fe80::/10
add 60800 allow ipv6-icmp from fe80::/10 to ff02::/16
add 60900 allow ipv6-icmp from any to any ip6 icmp6types 1
add 61000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
add 65000 allow ip from any to any
### // default ###
### ### ### // Firewall ### ### ###
# EOF
$

Point 6: set the HOST SYSCTLs

$
vi /etc/sysctl.conf

### ### ### PLITC ### ### ###
#net.inet6.ip6.accept_rtadv=1
#net.inet6.ip6.auto_linklocal=1
### !!! // ###
#net.link.vlan.soft_pad=0
### // !!! ###
net.inet.ip.forwarding=1
net.inet.ip.fastforwarding=0
net.inet6.ip6.forwarding=1
net.add_addr_allfibs=16
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
### TAP // ###
net.link.tap.up_on_open=1
net.link.tap.user_open=1
### // TAP ###
### BridgeFirewall // ###
net.link.bridge.log_stp=1
net.inet.ip.fw.enable=1
#net.inet.ip.fw.one_pass=0
net.link.ether.ipfw=1
net.link.bridge.ipfw=1
net.link.bridge.ipfw_arp=1
### // BridgeFirewall ###
### not important when the bridge MAC was set manually (ether ... in rc.conf) // ###
net.link.bridge.inherit_mac=0
### // not important when the bridge MAC was set manually ###
### ### ### PLITC ### ### ###
# EOF
$

Point 7: IPFW layer2/layer3 filtering example

$
vi /etc/firewall.rules

### ### ### PLITC // ### ### ###

### stage0 // ###
add 00001 check-state
### // stage0 ###

### stage1 - Uplink Filter // ###
# Throw away RFC 1918 networks (only for server with public ip)
## // add 10 drop all from 10.0.0.0/8 to any via lagg0
## // add 11 drop all from 172.16.0.0/12 to any via lagg0
## // add 12 drop all from 192.168.0.0/16 to any via lagg0
### // stage1 - Uplink Filter ###

### stage2 // ###
add 00050 allow ip from me to any keep-state
add 00051 allow ip6 from me6 to any keep-state
### // stage2 ###

### stage3 - Admin SSH // ###
### // add   allow tcp from any to any established
### // add   allow tcp from any to me 22 in setup keep-state
### // add   allow ipv6-icmp from any to me6 ip6 in
#
add 00100 allow tcp from 80.XXX.XXX.XXX to 192.168.0.1 22 setup in via epair1a keep-state
add 00101 allow tcp from 2a01:eeee:eeee:eeee::/64 to 2001:aaaa:bbbb:cccc::1 22 setup in via epair1a keep-state
#
add 00198 deny tcp from any to 192.168.0.1 22 in via epair1a
add 00199 deny tcp from any to 2001:aaaa:bbbb:cccc::1 22 in via epair1a
### // stage3 - Admin SSH ###


### Dummynet QoS // ###
### // Dummynet QoS ###


### stage4 // ### --- ### ### ###
#
# filter for vswitch0 (uplink/physical interface)
#
# filter for vswitch1 (host)
#
# filter for vswitch2 (vmaschine)
#
# filter for vswitch3 (jails)
#
# filter for vswitch10 (jail1)
#
# filter for vswitch11 (jail2)
### ### ### --- --- --- ### ### ###
add 11001 deny ip4 from any to any src-ip 192.168.0.101 layer2 not MAC any CA:FE:BA:BE:51:0A via epair51b
add 11002 deny ip6 from any to any src-ip6 2001:aaaa:bbbb:cccc::101:1 layer2 not MAC any CA:FE:BA:BE:51:0A via epair51b
### ### ### --- --- --- ### ### ###
#
# filter for vswitch12 (jail3)
#
### count
add 12500 count all from any to any via epair51b
add 12501 count all from any to any via epair52b
### deny carp multicast
## // add   deny log logamount 10 ip4 from any to 224.0.0.0/4 in via epair11b
## // add   deny log logamount 10 ip4 from any to 224.0.0.18 in via epair11b
add 12999 deny vrrp from any to any via epair11b
#

### <--- --- ---> ###

### default // ###
add 65001 allow ip from any to any via lo0
add 65002 deny ip from any to 127.0.0.0/8
add 65003 deny ip from 127.0.0.0/8 to any
add 65004 deny ip from any to ::1
add 65005 deny ip from ::1 to any
add 65006 allow ipv6-icmp from :: to ff02::/16
add 65007 allow ipv6-icmp from fe80::/10 to fe80::/10
add 65008 allow ipv6-icmp from fe80::/10 to ff02::/16
add 65009 allow ipv6-icmp from any to any ip6 icmp6types 1
add 65010 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
### // default ###

### default ipv4/ipv6 // ###
add 65500 allow ipv4 from any to any
add 65501 allow ipv6 from any to any
### // default ipv4/ipv6 ###

### ### ### // PLITC ### ### ###
# EOF
$
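As an added example (not part of the original post), this shell script generates the stage4 IP/MAC pinning rules for a whole table of jails instead of writing them by hand. It assumes the post's MAC scheme (jail N has epairNa with MAC CA:FE:BA:BE:NN:0A inside the jail, epairNb on the host side of its vswitch) and uses a constructed jail table; the first two generated rules are exactly rules 11001/11002 above.

```shell
#!/bin/sh
# epair_mac N SIDE  -> CA:FE:BA:BE:NN:0A (side a) or CA:FE:BA:BE:NN:0B (side b)
# N is the epair number without leading zeros; the post uses the decimal
# number as the fifth MAC octet (epair51a -> ...:51:0A).
epair_mac() {
    case "$2" in
        a) side=0A ;;
        b) side=0B ;;
        *) echo "epair_mac: side must be a or b" >&2; return 1 ;;
    esac
    printf 'CA:FE:BA:BE:%02d:%s\n' "$1" "$side"
}

# jail_antispoof_rules N IPV4 IPV6 BASE
# Emits two deny rules (numbers BASE and BASE+1) for the host side epairNb:
# any frame that claims the jail's IPv4/IPv6 source address but does not
# carry the jail's static MAC as its layer-2 source is dropped.
jail_antispoof_rules() {
    n=$1; ip4=$2; ip6=$3; base=$4
    mac=$(epair_mac "$n" a) || return 1
    printf 'add %05d deny ip4 from any to any src-ip %s layer2 not MAC any %s via epair%sb\n' \
        "$base" "$ip4" "$mac" "$n"
    printf 'add %05d deny ip6 from any to any src-ip6 %s layer2 not MAC any %s via epair%sb\n' \
        "$((base + 1))" "$ip6" "$mac" "$n"
}

# Constructed jail table: epair-number IPv4 IPv6 base-rule-number, one jail per line.
# jail2 (epair51) matches the post; jail3 (epair52) is an assumed second entry.
JAIL_TABLE='51 192.168.0.101 2001:aaaa:bbbb:cccc::101:1 11001
52 192.168.0.102 2001:aaaa:bbbb:cccc::102:1 11003'

# gen_jail_rules TABLE -> rule lines ready to paste into /etc/firewall.rules
gen_jail_rules() {
    printf '%s\n' "$1" | while read -r n ip4 ip6 base; do
        [ -n "$n" ] || continue
        jail_antispoof_rules "$n" "$ip4" "$ip6" "$base" || exit 1
    done
}

gen_jail_rules "$JAIL_TABLE"
```

Rule numbers are taken from the table so each jail keeps its own block in the stage4 numbering; a jail whose traffic hits these rules is either misconfigured or spoofing, and `ipfw show` on the host makes the counters visible.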

Additions:
16.09.2014 – the tap devices are primarily meant for bhyve; VirtualBox VMs can also be connected with the help of epairs

That’s FreeBSD
