Anyone who needs an introduction can look at the following blog posts:
1: FreeBSD 10: VIMAGE (virtualized network stack) with if_bridge & epair
2: FreeBSD 10: LACP failover, Multiple Bridge, in-Kernel IPFW NAT and CARP in the Jail
WARNING: VIMAGE (virtualized network stack) is a highly experimental feature.
The following functions are wanted:
– Link Aggregation and Failover LACP for both network cards
– LACP with Spanning Tree Protocol
– Multiple Bridge:
-> bridge0 (vswitch0) with lagg0 (plus stp), epair0a, epair2a, epair3a, epair4a, epair5a, epair6a, epair7a, epair8a, epair9a
-> bridge1 (vswitch1) connects epair0b and epair1b
-> HOST interface with epair1a, tap0, tun0, enc0, gif0-25 and one vlan interface
-> bridge2 (vswitch2) is to connect tap1-25 for VirtualBox virtual machines
-> bridge3 (vswitch3) distributes:
–> epair10 – vswitch10 – epair50 up to epair49 – vswitch49 – epair89
–> further epairs from 90 upwards can be used freely
-> tagged vlan over lagg0 to vswitch5-9 (vswitch4 is idle)
-> the HOST interface/all JAILs are to get an epairNa
-> the FreeBSD HOST uses IPFW with in-kernel NAT (without IPDIVERT and userland natd)
-> Jails with CARP (for high availability)
-> IPFW for filtering at layer 2 and layer 3
-> kernel FLOWTABLE support for a "per-cpu routing cache"
-> kernel ROUTETABLES=16 support (Forward Information Base/multiple routing tables)
-> statically defined MAC addresses
-> kernel IPSTEALTH support to forward packets without decrementing the time to live (TTL) counter
complex Bridge Zones (with lacp uplink)
Point 1: new kernel for VIMAGE, IPFW with in-kernel NAT, LACP, CARP, BRIDGE, FLOWTABLE, ROUTETABLES, IPSTEALTH and further modules
Dummynet (QoS) does NOT work inside the jail, but with special settings the bridge interface itself can be filtered on the HOST!
$ cd /usr/ports/devel/subversion/ && make install clean
$ zfs create -o checksum=sha256 -o compression=lz4 -o mountpoint=/usr/src zroot/usr/src
$ zfs create -o checksum=sha256 -o compression=lz4 -o mountpoint=/usr/obj zroot/usr/obj
$ cd /usr
$ chflags -R noschg /usr/obj/*
$ rm -rfv /usr/obj/*
$ rm -rfv /usr/src/*
$ rm -rfv /usr/src/.svn
$ cd /usr/src
$ svn checkout https://svn0.eu.FreeBSD.org/base/releng/10.0 /usr/src
$ svn up /usr/src
$ cd /usr/src/sys/amd64/conf
$ mkdir /root/kernels
$ cp GENERIC /root/kernels/BRIDGEZONES
$ ln -s /root/kernels/BRIDGEZONES
$ vi /root/kernels/BRIDGEZONES
### ### ### PLITC ### ### ###
#
cpu HAMMER
ident BRIDGEZONES
makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols
makeoptions WITH_CTF=1 # Run ctfconvert(1) for DTrace support
### < --- --- --- > ###
options IPFIREWALL # enables IPFW
options IPFIREWALL_VERBOSE # enables logging for rules with log keyword
options IPFIREWALL_VERBOSE_LIMIT=256 # limits number of logged packets per-entry
options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied
### options IPDIVERT # enables NATd Support
options IPFIREWALL_NAT # IPFW in-Kernel NAT support
options LIBALIAS # required for in-Kernel NAT / replacement for NATd
options DUMMYNET # traffic shaper, bandwidth manager and delay emulator
options HZ=1000 # strongly recommended
device carp
device lagg
device enc
device gre
options XBONEHACK
options TCP_SIGNATURE # include support for RFC 2385
options VIMAGE # Network Stack Virtualization
options NULLFS # NULL filesystem
### VIMAGE - if_bridge/epair virtualization // ###
device if_bridge
device epair
### // VIMAGE - if_bridge/epair virtualization ###
### VIMAGE - netgraph virtualization // ###
options NETGRAPH
options NETGRAPH_ETHER
options NETGRAPH_BRIDGE
options NETGRAPH_EIFACE
options NETGRAPH_SOCKET
### // VIMAGE - netgraph virtualization ###
device tap # virtual link layer 2 device
options VFS_AIO
### DEFAULT ###
options TCP_OFFLOAD # TCP offload
options RACCT # Resource accounting
options RCTL # Controls resource limits
device crypto # core crypto support
device cryptodev # /dev/crypto for access to h/w
device rndtest # FIPS 140-2 entropy tester
device hifn # Hifn 7951, 7781, etc.
options HIFN_DEBUG # enable debugging support: hw.hifn.debug
options HIFN_RNDTEST # enable rndtest support
device ubsec # Broadcom 5501, 5601, 58xx
options UBSEC_DEBUG # enable debugging support: hw.ubsec.debug
options UBSEC_RNDTEST # enable rndtest support
options IPSEC # IP security (requires device crypto)
options IPSEC_NAT_T # NAT-T support, UDP encap of ESP
options IPSEC_FILTERTUNNEL #
options FDESCFS # File descriptor filesystem
### NOT WITH VIMAGE ### device pf
### NOT WITH VIMAGE ### device pflog
### NOT WITH VIMAGE ### device pfsync
### NOT WITH VIMAGE ### options ALTQ
### NOT WITH VIMAGE ### options KTR_ALQ
### NOT WITH VIMAGE ### options ALTQ_CBQ # Class Based Queueing
### NOT WITH VIMAGE ### options ALTQ_RED # Random Early Detection
### NOT WITH VIMAGE ### options ALTQ_RIO # RED In/Out
### NOT WITH VIMAGE ### options ALTQ_HFSC # Hierarchical Packet Scheduler
### NOT WITH VIMAGE ### options ALTQ_CDNR # Traffic conditioner
### NOT WITH VIMAGE ### options ALTQ_PRIQ # Priority Queueing
### NOT WITH VIMAGE ### options ALTQ_NOPCC # Required if the TSC is unusable
### NOT WITH VIMAGE ### options MROUTING # multicast routing
### NOT WITH VIMAGE ###
options ROUTETABLES=15 # max 16 FIB (Forward Information Base/multiple routing tables) support
# options FLOWTABLE # per-cpu routing cache
options IPSTEALTH # forward packets without decrementing the time to live (TTL) counter
#
### colors // ###
options SC_PIXEL_MODE
options SC_NORM_ATTR=(FG_CYAN|BG_BLACK) # The normal text will be blue on black background
options SC_KERNEL_CONS_ATTR=(FG_RED|BG_BLACK) # Kernel message will be red on black background
### // colors ###
#
### options DEVICE_POLLING # compatible with bge
#
### ### ### PLITC ### ### ###
Point 2: build/install the kernel
$ cd /usr/src
$ time make buildkernel KERNCONF=BRIDGEZONES
$ time make installkernel KERNCONF=BRIDGEZONES
$ reboot
Point 3: /etc/rc.conf
$ vi /etc/rc.conf
### ### ### PLITC ### ### ###
#
### LACP // ###
## // ifconfig_bge0="ether CA:FE:BA:BE:00:0E polling up"
## // ifconfig_bge1="ether CA:FE:BA:BE:00:0E polling up"
ifconfig_bge0="ether CA:FE:BA:BE:00:0E up"
ifconfig_bge1="ether CA:FE:BA:BE:00:0E up"
ifconfig_lagg0="laggproto lacp laggport bge0 laggport bge1 lagghash l3"
### // LACP ###
### VIMAGE // ###
#
cloned_interfaces="lagg0 vlan0 vlan1 vlan2 vlan3 vlan4 vlan5 \
bridge0 bridge1 bridge2 bridge3 bridge4 bridge5 bridge6 bridge7 bridge8 bridge9 \
bridge10 bridge11 bridge12 bridge13 bridge14 bridge15 bridge16 bridge17 bridge18 bridge19 \
bridge20 bridge21 bridge22 bridge23 bridge24 bridge25 bridge26 bridge27 bridge28 bridge29 \
bridge30 bridge31 bridge32 bridge33 bridge34 bridge35 bridge36 bridge37 bridge38 bridge39 \
bridge40 bridge41 bridge42 bridge43 bridge44 bridge45 bridge46 bridge47 bridge48 bridge49 \
tap0 tap1 tap2 tap3 tap4 tap5 tap6 tap7 tap8 tap9 tap10 tap11 tap12 tap13 tap14 tap15 \
tap16 tap17 tap18 tap19 tap20 tap21 tap22 tap23 tap24 tap25 \
tun0 tun1 tun2 tun3 tun4 tun5 tun6 tun7 tun8 tun9 tun10 tun11 tun12 tun13 tun14 tun15 \
tun16 tun17 tun18 tun19 tun20 tun21 tun22 tun23 tun24 tun25 \
gif0 gif1 gif2 gif3 gif4 gif5 gif6 gif7 gif8 gif9 gif10 gif11 gif12 gif13 gif14 gif15 \
gif16 gif17 gif18 gif19 gif20 gif21 gif22 gif23 gif24 gif25 \
epair0 epair1 epair2 epair3 epair4 epair5 epair6 epair7 epair8 epair9 \
epair10 epair11 epair12 epair13 epair14 epair15 epair16 epair17 epair18 epair19 \
epair20 epair21 epair22 epair23 epair24 epair25 epair26 epair27 epair28 epair29 \
epair30 epair31 epair32 epair33 epair34 epair35 epair36 epair37 epair38 epair39 \
epair40 epair41 epair42 epair43 epair44 epair45 epair46 epair47 epair48 epair49 \
epair50 epair51 epair52 epair53 epair54 epair55 epair56 epair57 epair58 epair59 \
epair60 epair61 epair62 epair63 epair64 epair65 epair66 epair67 epair68 epair69 \
epair70 epair71 epair72 epair73 epair74 epair75 epair76 epair77 epair78 epair79 \
epair80 epair81 epair82 epair83 epair84 epair85 epair86 epair87 epair88 epair89"
#
ifconfig_tap0="ether CA:FE:BA:BA:01:00 up"
ifconfig_tap1="ether CA:FE:BA:BA:01:01 up"
ifconfig_tap2="ether CA:FE:BA:BA:01:02 up"
ifconfig_tap3="ether CA:FE:BA:BA:01:03 up"
ifconfig_tap4="ether CA:FE:BA:BA:01:04 up"
ifconfig_tap5="ether CA:FE:BA:BA:01:05 up"
ifconfig_tap6="ether CA:FE:BA:BA:01:06 up"
ifconfig_tap7="ether CA:FE:BA:BA:01:07 up"
ifconfig_tap8="ether CA:FE:BA:BA:01:08 up"
ifconfig_tap9="ether CA:FE:BA:BA:01:09 up"
ifconfig_tap10="ether CA:FE:BA:BA:01:10 up"
ifconfig_tap11="ether CA:FE:BA:BA:01:11 up"
ifconfig_tap12="ether CA:FE:BA:BA:01:12 up"
ifconfig_tap13="ether CA:FE:BA:BA:01:13 up"
ifconfig_tap14="ether CA:FE:BA:BA:01:14 up"
ifconfig_tap15="ether CA:FE:BA:BA:01:15 up"
ifconfig_tap16="ether CA:FE:BA:BA:01:16 up"
ifconfig_tap17="ether CA:FE:BA:BA:01:17 up"
ifconfig_tap18="ether CA:FE:BA:BA:01:18 up"
ifconfig_tap19="ether CA:FE:BA:BA:01:19 up"
ifconfig_tap20="ether CA:FE:BA:BA:01:20 up"
ifconfig_tap21="ether CA:FE:BA:BA:01:21 up"
ifconfig_tap22="ether CA:FE:BA:BA:01:22 up"
ifconfig_tap23="ether CA:FE:BA:BA:01:23 up"
ifconfig_tap24="ether CA:FE:BA:BA:01:24 up"
ifconfig_tap25="ether CA:FE:BA:BA:01:25 up"
#
ifconfig_tun0="up"
ifconfig_tun1="up"
ifconfig_tun2="up"
ifconfig_tun3="up"
ifconfig_tun4="up"
ifconfig_tun5="up"
ifconfig_tun6="up"
ifconfig_tun7="up"
ifconfig_tun8="up"
ifconfig_tun9="up"
ifconfig_tun10="up"
ifconfig_tun11="up"
ifconfig_tun12="up"
ifconfig_tun13="up"
ifconfig_tun14="up"
ifconfig_tun15="up"
ifconfig_tun16="up"
ifconfig_tun17="up"
ifconfig_tun18="up"
ifconfig_tun19="up"
ifconfig_tun20="up"
ifconfig_tun21="up"
ifconfig_tun22="up"
ifconfig_tun23="up"
ifconfig_tun24="up"
ifconfig_tun25="up"
#
ifconfig_gif0="up"
ifconfig_gif1="up"
ifconfig_gif2="up"
ifconfig_gif3="up"
ifconfig_gif4="up"
ifconfig_gif5="up"
ifconfig_gif6="up"
ifconfig_gif7="up"
ifconfig_gif8="up"
ifconfig_gif9="up"
ifconfig_gif10="up"
ifconfig_gif11="up"
ifconfig_gif12="up"
ifconfig_gif13="up"
ifconfig_gif14="up"
ifconfig_gif15="up"
ifconfig_gif16="up"
ifconfig_gif17="up"
ifconfig_gif18="up"
ifconfig_gif19="up"
ifconfig_gif20="up"
ifconfig_gif21="up"
ifconfig_gif22="up"
ifconfig_gif23="up"
ifconfig_gif24="up"
ifconfig_gif25="up"
#
### HOST // ###
ifconfig_epair0a="ether CA:FE:BA:BE:00:0A up"
ifconfig_epair0b="ether CA:FE:BA:BE:00:0B up"
### HOST Interface // ###
ifconfig_epair1a="ether CA:FE:BA:BE:01:0A up"
ifconfig_epair1a_alias0="inet 192.168.0.1 netmask 255.255.255.0"
ifconfig_epair1a_ipv6="inet6 auto_linklocal accept_rtadv"
ifconfig_epair1a_alias1="inet6 2001:aaaa:bbbb:cccc::1 prefixlen 64"
### // HOST Interface ###
ifconfig_epair1b="ether CA:FE:BA:BE:01:0B up"
### // HOST ###
#
### VirtualMachine // ###
ifconfig_epair2a="ether CA:FE:BA:BE:02:0A up"
ifconfig_epair2b="ether CA:FE:BA:BE:02:0B up"
### // VirtualMachine ###
#
### vswitch - Jails // ###
ifconfig_epair3a="ether CA:FE:BA:BE:03:0A up"
ifconfig_epair3b="ether CA:FE:BA:BE:03:0B up"
### // vswitch - Jails ###
#
### Jails - vswitch // ###
ifconfig_epair10a="ether CA:FE:BA:BE:10:0A up"
ifconfig_epair10b="ether CA:FE:BA:BE:10:0B up"
ifconfig_epair11a="ether CA:FE:BA:BE:11:0A up"
ifconfig_epair11b="ether CA:FE:BA:BE:11:0B up"
ifconfig_epair12a="ether CA:FE:BA:BE:12:0A up"
ifconfig_epair12b="ether CA:FE:BA:BE:12:0B up"
ifconfig_epair13a="ether CA:FE:BA:BE:13:0A up"
ifconfig_epair13b="ether CA:FE:BA:BE:13:0B up"
ifconfig_epair14a="ether CA:FE:BA:BE:14:0A up"
ifconfig_epair14b="ether CA:FE:BA:BE:14:0B up"
ifconfig_epair15a="ether CA:FE:BA:BE:15:0A up"
ifconfig_epair15b="ether CA:FE:BA:BE:15:0B up"
ifconfig_epair16a="ether CA:FE:BA:BE:16:0A up"
ifconfig_epair16b="ether CA:FE:BA:BE:16:0B up"
ifconfig_epair17a="ether CA:FE:BA:BE:17:0A up"
ifconfig_epair17b="ether CA:FE:BA:BE:17:0B up"
ifconfig_epair18a="ether CA:FE:BA:BE:18:0A up"
ifconfig_epair18b="ether CA:FE:BA:BE:18:0B up"
ifconfig_epair19a="ether CA:FE:BA:BE:19:0A up"
ifconfig_epair19b="ether CA:FE:BA:BE:19:0B up"
ifconfig_epair20a="ether CA:FE:BA:BE:20:0A up"
ifconfig_epair20b="ether CA:FE:BA:BE:20:0B up"
ifconfig_epair21a="ether CA:FE:BA:BE:21:0A up"
ifconfig_epair21b="ether CA:FE:BA:BE:21:0B up"
ifconfig_epair22a="ether CA:FE:BA:BE:22:0A up"
ifconfig_epair22b="ether CA:FE:BA:BE:22:0B up"
ifconfig_epair23a="ether CA:FE:BA:BE:23:0A up"
ifconfig_epair23b="ether CA:FE:BA:BE:23:0B up"
ifconfig_epair24a="ether CA:FE:BA:BE:24:0A up"
ifconfig_epair24b="ether CA:FE:BA:BE:24:0B up"
ifconfig_epair25a="ether CA:FE:BA:BE:25:0A up"
ifconfig_epair25b="ether CA:FE:BA:BE:25:0B up"
ifconfig_epair26a="ether CA:FE:BA:BE:26:0A up"
ifconfig_epair26b="ether CA:FE:BA:BE:26:0B up"
ifconfig_epair27a="ether CA:FE:BA:BE:27:0A up"
ifconfig_epair27b="ether CA:FE:BA:BE:27:0B up"
ifconfig_epair28a="ether CA:FE:BA:BE:28:0A up"
ifconfig_epair28b="ether CA:FE:BA:BE:28:0B up"
ifconfig_epair29a="ether CA:FE:BA:BE:29:0A up"
ifconfig_epair29b="ether CA:FE:BA:BE:29:0B up"
ifconfig_epair30a="ether CA:FE:BA:BE:30:0A up"
ifconfig_epair30b="ether CA:FE:BA:BE:30:0B up"
ifconfig_epair31a="ether CA:FE:BA:BE:31:0A up"
ifconfig_epair31b="ether CA:FE:BA:BE:31:0B up"
ifconfig_epair32a="ether CA:FE:BA:BE:32:0A up"
ifconfig_epair32b="ether CA:FE:BA:BE:32:0B up"
ifconfig_epair33a="ether CA:FE:BA:BE:33:0A up"
ifconfig_epair33b="ether CA:FE:BA:BE:33:0B up"
ifconfig_epair34a="ether CA:FE:BA:BE:34:0A up"
ifconfig_epair34b="ether CA:FE:BA:BE:34:0B up"
ifconfig_epair35a="ether CA:FE:BA:BE:35:0A up"
ifconfig_epair35b="ether CA:FE:BA:BE:35:0B up"
ifconfig_epair36a="ether CA:FE:BA:BE:36:0A up"
ifconfig_epair36b="ether CA:FE:BA:BE:36:0B up"
ifconfig_epair37a="ether CA:FE:BA:BE:37:0A up"
ifconfig_epair37b="ether CA:FE:BA:BE:37:0B up"
ifconfig_epair38a="ether CA:FE:BA:BE:38:0A up"
ifconfig_epair38b="ether CA:FE:BA:BE:38:0B up"
ifconfig_epair39a="ether CA:FE:BA:BE:39:0A up"
ifconfig_epair39b="ether CA:FE:BA:BE:39:0B up"
ifconfig_epair40a="ether CA:FE:BA:BE:40:0A up"
ifconfig_epair40b="ether CA:FE:BA:BE:40:0B up"
ifconfig_epair41a="ether CA:FE:BA:BE:41:0A up"
ifconfig_epair41b="ether CA:FE:BA:BE:41:0B up"
ifconfig_epair42a="ether CA:FE:BA:BE:42:0A up"
ifconfig_epair42b="ether CA:FE:BA:BE:42:0B up"
ifconfig_epair43a="ether CA:FE:BA:BE:43:0A up"
ifconfig_epair43b="ether CA:FE:BA:BE:43:0B up"
ifconfig_epair44a="ether CA:FE:BA:BE:44:0A up"
ifconfig_epair44b="ether CA:FE:BA:BE:44:0B up"
ifconfig_epair45a="ether CA:FE:BA:BE:45:0A up"
ifconfig_epair45b="ether CA:FE:BA:BE:45:0B up"
ifconfig_epair46a="ether CA:FE:BA:BE:46:0A up"
ifconfig_epair46b="ether CA:FE:BA:BE:46:0B up"
ifconfig_epair47a="ether CA:FE:BA:BE:47:0A up"
ifconfig_epair47b="ether CA:FE:BA:BE:47:0B up"
ifconfig_epair48a="ether CA:FE:BA:BE:48:0A up"
ifconfig_epair48b="ether CA:FE:BA:BE:48:0B up"
ifconfig_epair49a="ether CA:FE:BA:BE:49:0A up"
ifconfig_epair49b="ether CA:FE:BA:BE:49:0B up"
### // Jails - vswitch ###
#
### Jails // ###
ifconfig_epair50a="ether CA:FE:BA:BE:50:0A up"
ifconfig_epair50b="ether CA:FE:BA:BE:50:0B up"
ifconfig_epair51a="ether CA:FE:BA:BE:51:0A up"
ifconfig_epair51b="ether CA:FE:BA:BE:51:0B up"
ifconfig_epair52a="ether CA:FE:BA:BE:52:0A up"
ifconfig_epair52b="ether CA:FE:BA:BE:52:0B up"
ifconfig_epair53a="ether CA:FE:BA:BE:53:0A up"
ifconfig_epair53b="ether CA:FE:BA:BE:53:0B up"
ifconfig_epair54a="ether CA:FE:BA:BE:54:0A up"
ifconfig_epair54b="ether CA:FE:BA:BE:54:0B up"
ifconfig_epair55a="ether CA:FE:BA:BE:55:0A up"
ifconfig_epair55b="ether CA:FE:BA:BE:55:0B up"
ifconfig_epair56a="ether CA:FE:BA:BE:56:0A up"
ifconfig_epair56b="ether CA:FE:BA:BE:56:0B up"
ifconfig_epair57a="ether CA:FE:BA:BE:57:0A up"
ifconfig_epair57b="ether CA:FE:BA:BE:57:0B up"
ifconfig_epair58a="ether CA:FE:BA:BE:58:0A up"
ifconfig_epair58b="ether CA:FE:BA:BE:58:0B up"
ifconfig_epair59a="ether CA:FE:BA:BE:59:0A up"
ifconfig_epair59b="ether CA:FE:BA:BE:59:0B up"
ifconfig_epair60a="ether CA:FE:BA:BE:60:0A up"
ifconfig_epair60b="ether CA:FE:BA:BE:60:0B up"
ifconfig_epair61a="ether CA:FE:BA:BE:61:0A up"
ifconfig_epair61b="ether CA:FE:BA:BE:61:0B up"
ifconfig_epair62a="ether CA:FE:BA:BE:62:0A up"
ifconfig_epair62b="ether CA:FE:BA:BE:62:0B up"
ifconfig_epair63a="ether CA:FE:BA:BE:63:0A up"
ifconfig_epair63b="ether CA:FE:BA:BE:63:0B up"
ifconfig_epair64a="ether CA:FE:BA:BE:64:0A up"
ifconfig_epair64b="ether CA:FE:BA:BE:64:0B up"
ifconfig_epair65a="ether CA:FE:BA:BE:65:0A up"
ifconfig_epair65b="ether CA:FE:BA:BE:65:0B up"
ifconfig_epair66a="ether CA:FE:BA:BE:66:0A up"
ifconfig_epair66b="ether CA:FE:BA:BE:66:0B up"
ifconfig_epair67a="ether CA:FE:BA:BE:67:0A up"
ifconfig_epair67b="ether CA:FE:BA:BE:67:0B up"
ifconfig_epair68a="ether CA:FE:BA:BE:68:0A up"
ifconfig_epair68b="ether CA:FE:BA:BE:68:0B up"
ifconfig_epair69a="ether CA:FE:BA:BE:69:0A up"
ifconfig_epair69b="ether CA:FE:BA:BE:69:0B up"
ifconfig_epair70a="ether CA:FE:BA:BE:70:0A up"
ifconfig_epair70b="ether CA:FE:BA:BE:70:0B up"
ifconfig_epair71a="ether CA:FE:BA:BE:71:0A up"
ifconfig_epair71b="ether CA:FE:BA:BE:71:0B up"
ifconfig_epair72a="ether CA:FE:BA:BE:72:0A up"
ifconfig_epair72b="ether CA:FE:BA:BE:72:0B up"
ifconfig_epair73a="ether CA:FE:BA:BE:73:0A up"
ifconfig_epair73b="ether CA:FE:BA:BE:73:0B up"
ifconfig_epair74a="ether CA:FE:BA:BE:74:0A up"
ifconfig_epair74b="ether CA:FE:BA:BE:74:0B up"
ifconfig_epair75a="ether CA:FE:BA:BE:75:0A up"
ifconfig_epair75b="ether CA:FE:BA:BE:75:0B up"
ifconfig_epair76a="ether CA:FE:BA:BE:76:0A up"
ifconfig_epair76b="ether CA:FE:BA:BE:76:0B up"
ifconfig_epair77a="ether CA:FE:BA:BE:77:0A up"
ifconfig_epair77b="ether CA:FE:BA:BE:77:0B up"
ifconfig_epair78a="ether CA:FE:BA:BE:78:0A up"
ifconfig_epair78b="ether CA:FE:BA:BE:78:0B up"
ifconfig_epair79a="ether CA:FE:BA:BE:79:0A up"
ifconfig_epair79b="ether CA:FE:BA:BE:79:0B up"
ifconfig_epair80a="ether CA:FE:BA:BE:80:0A up"
ifconfig_epair80b="ether CA:FE:BA:BE:80:0B up"
ifconfig_epair81a="ether CA:FE:BA:BE:81:0A up"
ifconfig_epair81b="ether CA:FE:BA:BE:81:0B up"
ifconfig_epair82a="ether CA:FE:BA:BE:82:0A up"
ifconfig_epair82b="ether CA:FE:BA:BE:82:0B up"
ifconfig_epair83a="ether CA:FE:BA:BE:83:0A up"
ifconfig_epair83b="ether CA:FE:BA:BE:83:0B up"
ifconfig_epair84a="ether CA:FE:BA:BE:84:0A up"
ifconfig_epair84b="ether CA:FE:BA:BE:84:0B up"
ifconfig_epair85a="ether CA:FE:BA:BE:85:0A up"
ifconfig_epair85b="ether CA:FE:BA:BE:85:0B up"
ifconfig_epair86a="ether CA:FE:BA:BE:86:0A up"
ifconfig_epair86b="ether CA:FE:BA:BE:86:0B up"
ifconfig_epair87a="ether CA:FE:BA:BE:87:0A up"
ifconfig_epair87b="ether CA:FE:BA:BE:87:0B up"
ifconfig_epair88a="ether CA:FE:BA:BE:88:0A up"
ifconfig_epair88b="ether CA:FE:BA:BE:88:0B up"
ifconfig_epair89a="ether CA:FE:BA:BE:89:0A up"
ifconfig_epair89b="ether CA:FE:BA:BE:89:0B up"
### // Jails ###
#
# 802.1q VLANs
ifconfig_vlan0="ether CA:FE:BA:BE:02:00 vlan 100 vlandev lagg0 up"
ifconfig_vlan0_alias0="inet 192.168.100.1 netmask 255.255.255.0"
#
ifconfig_vlan1="ether CA:FE:BA:BE:02:01 vlan 101 vlandev lagg0 up"
ifconfig_vlan2="ether CA:FE:BA:BE:02:02 vlan 102 vlandev lagg0 up"
ifconfig_vlan3="ether CA:FE:BA:BE:02:03 vlan 103 vlandev lagg0 up"
ifconfig_vlan4="ether CA:FE:BA:BE:02:04 vlan 104 vlandev lagg0 up"
ifconfig_vlan5="ether CA:FE:BA:BE:02:05 vlan 105 vlandev lagg0 up"
#
### Gateway // ###
defaultrouter="192.168.0.254"
ipv6_defaultrouter="fe80::aaaa:bbbb:dddd%epair1a"
ip6addrctl_policy="ipv6_prefer"
### // Gateway ###
#
ifconfig_bridge0_name="vswitch0"
ifconfig_vswitch0="ether CA:FE:BA:BE:00:00 addm lagg0 stp lagg0 addm epair0a addm epair2a addm epair3a up"
#
ifconfig_bridge1_name="vswitch1"
ifconfig_vswitch1="ether CA:FE:BA:BE:00:01 addm epair0b stp epair0b addm epair1b up"
#
ifconfig_bridge2_name="vswitch2"
ifconfig_vswitch2="ether CA:FE:BA:BE:00:02 addm epair2b stp epair2b \
addm tap1 addm tap2 addm tap3 addm tap4 addm tap5 addm tap6 addm tap7 addm tap8 addm tap9 \
addm tap10 addm tap11 addm tap12 addm tap13 addm tap14 addm tap15 addm tap16 addm tap17 \
addm tap18 addm tap19 addm tap20 addm tap21 addm tap22 addm tap23 addm tap24 addm tap25 up"
#
ifconfig_bridge3_name="vswitch3"
ifconfig_vswitch3="ether CA:FE:BA:BE:00:03 addm epair3b stp epair3b \
addm epair10a addm epair11a addm epair12a addm epair13a addm epair14a \
addm epair15a addm epair16a addm epair17a addm epair18a addm epair19a \
addm epair20a addm epair21a addm epair22a addm epair23a addm epair24a \
addm epair25a addm epair26a addm epair27a addm epair28a addm epair29a \
addm epair30a addm epair31a addm epair32a addm epair33a addm epair34a \
addm epair35a addm epair36a addm epair37a addm epair38a addm epair39a \
addm epair40a addm epair41a addm epair42a addm epair43a addm epair44a \
addm epair45a addm epair46a addm epair47a addm epair48a addm epair49a up"
ifconfig_vswitch3_alias0="inet 192.168.1.1 netmask 255.255.255.0"
ifconfig_vswitch3_ipv6="inet6 auto_linklocal"
ifconfig_vswitch3_alias1="inet6 2001:aaaa:bbbb:ffff::1 prefixlen 64"
#
ifconfig_bridge4_name="vswitch4"
## // ifconfig_vswitch4="ether CA:FE:BA:BE:00:04 addm vlan0 addm epair4b up"
#
ifconfig_bridge5_name="vswitch5"
ifconfig_vswitch5="ether CA:FE:BA:BE:00:05 addm vlan1 addm epair5b up"
#
ifconfig_bridge6_name="vswitch6"
ifconfig_vswitch6="ether CA:FE:BA:BE:00:06 addm vlan2 addm epair6b up"
#
ifconfig_bridge7_name="vswitch7"
ifconfig_vswitch7="ether CA:FE:BA:BE:00:07 addm vlan3 addm epair7b up"
#
ifconfig_bridge8_name="vswitch8"
ifconfig_vswitch8="ether CA:FE:BA:BE:00:08 addm vlan4 addm epair8b up"
#
ifconfig_bridge9_name="vswitch9"
ifconfig_vswitch9="ether CA:FE:BA:BE:00:09 addm vlan5 addm epair9b up"
#
### Jails // ###
#
### jail1
ifconfig_bridge10_name="vswitch10"
ifconfig_vswitch10="ether CA:FE:BA:BE:00:10 addm epair10b stp epair10b addm epair50b up"
#
### jail2/jail3 CARP
ifconfig_bridge11_name="vswitch11"
ifconfig_vswitch11="ether CA:FE:BA:BE:00:11 addm epair11b stp epair11b addm epair51b addm epair52b up"
#
### jail3
ifconfig_bridge12_name="vswitch12"
## // ifconfig_vswitch12="ether CA:FE:BA:BE:00:12 addm epair12b stp epair12b addm epair52b up"
#
### // VIMAGE ###
### Firewall // ###
firewall_enable="YES"
#firewall_type="open"
firewall_logging="YES"
firewall_type="/etc/firewall.rules"
firewall_script="/etc/rc.firewall.local"
#
pf_enable="NO" # enable PF (load the module if needed)
pf_rules="/etc/pf.conf" # file with the rule definitions for pf
pf_flags="" # additional parameters for starting pfctl
pflog_enable="NO" # start pflogd(8)
pflog_logfile="/var/log/pflog" # where pflogd should store the log file
pflog_flags="" # additional parameters for starting pflogd
### // Firewall ###
#
### ### ### PLITC ### ### ###
Under no circumstances may the option ipv6_activate_all_interfaces="YES" be used; it causes a kernel crash!
lagg0: IPv6 address on bge0 have been removed before adding it as a member to prevent IPv6 address scope violation
If an IP address is placed directly on the bridge interface (e.g. for ipfw filtering with Dummynet QoS), none of the bridge members may carry a direct IP address any more (including the IPv6 link-local addresses that ipv6_activate_all_interfaces generates)!
(If the bridge host needs an IP address, set it on the bridge interface, not on the member interfaces.)
Point 4: /etc/rc.firewall.local
$ vi /etc/rc.firewall.local
#!/bin/sh
### ### ### PLITC // ### ### ###
/sbin/ipfw -q flush
/sbin/ipfw -q pipe flush
/sbin/ipfw -q queue flush
/sbin/ipfw -q /etc/firewall.rules
### ### ### // PLITC ### ### ###
# EOF
$ chmod 755 /etc/rc.firewall.local
Point 5: /etc/firewall.rules
$ vi /etc/firewall.rules
### ### ### Firewall // ### ### ###
### default // ###
add 60100 allow ip from any to any via lo0
add 60200 deny ip from any to 127.0.0.0/8
add 60300 deny ip from 127.0.0.0/8 to any
add 60400 deny ip from any to ::1
add 60500 deny ip from ::1 to any
add 60600 allow ipv6-icmp from :: to ff02::/16
add 60700 allow ipv6-icmp from fe80::/10 to fe80::/10
add 60800 allow ipv6-icmp from fe80::/10 to ff02::/16
add 60900 allow ipv6-icmp from any to any ip6 icmp6types 1
add 61000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
add 65000 allow ip from any to any
### // default ###
### ### ### // Firewall ### ### ###
# EOF
Point 6: set the HOST sysctls
$ vi /etc/sysctl.conf
### ### ### PLITC ### ### ###
#net.inet6.ip6.accept_rtadv=1
#net.inet6.ip6.auto_linklocal=1
### !!! // ###
#net.link.vlan.soft_pad=0
### // !!! ###
net.inet.ip.forwarding=1
net.inet.ip.fastforwarding=0
net.inet6.ip6.forwarding=1
net.add_addr_allfibs=16
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
### TAP // ###
net.link.tap.up_on_open=1
net.link.tap.user_open=1
### // TAP ###
### BridgeFirewall // ###
net.link.bridge.log_stp=1
net.inet.ip.fw.enable=1
#net.inet.ip.fw.one_pass=0
net.link.ether.ipfw=1
net.link.bridge.ipfw=1
net.link.bridge.ipfw_arp=1
### // BridgeFirewall ###
### not important when if/bridge mac was reversed manually // ###
net.link.bridge.inherit_mac=0
### // not important when if/bridge mac was reversed manually ###
### ### ### PLITC ### ### ###
# EOF
Point 7: IPFW Layer2/Layer3 filtering example
$ vi /etc/firewall.rules
### ### ### PLITC // ### ### ###
### stage0 // ###
add 00001 check-state
### // stage0 ###
### stage1 - Uplink Filter // ###
# Throw away RFC 1918 networks (only for server with public ip)
## // add 10 drop all from 10.0.0.0/8 to any via lagg0
## // add 11 drop all from 172.16.0.0/12 to any via lagg0
## // add 12 drop all from 192.168.0.0/16 to any via lagg0
### // stage1 - Uplink Filter ###
### stage2 // ###
add 00050 allow ip from me to any keep-state
add 00051 allow ip6 from me6 to any keep-state
### // stage2 ###
### stage3 - Admin SSH // ###
### // add allow tcp from any to any established
### // add allow tcp from any to me 22 in setup keep-state
### // add allow ipv6-icmp from any to me6 ip6 in
#
add 00100 allow tcp from 80.XXX.XXX.XXX to 192.168.0.1 22 setup in via epair1a keep-state
add 00101 allow tcp from 2a01:eeee:eeee:eeee::/64 to 2001:aaaa:bbbb:cccc::1 22 setup in via epair1a keep-state
#
add 00198 deny tcp from any to 192.168.0.1 22 in via epair1a
add 00199 deny tcp from any to 2001:aaaa:bbbb:cccc::1 22 in via epair1a
### // stage3 - Admin SSH ###
### Dummynet QoS // ###
### // Dummynet QoS ###
### stage4 // ### --- ### ### ###
#
# filter for vswitch0 (uplink/physical interface)
#
# filter for vswitch1 (host)
#
# filter for vswitch2 (vmachine)
#
# filter for vswitch3 (jails)
#
# filter for vswitch10 (jail1)
#
# filter for vswitch11 (jail2)
### ### ### --- --- --- ### ### ###
add 11001 deny ip4 from any to any src-ip 192.168.0.101 layer2 not MAC any CA:FE:BA:BE:51:0A via epair51b
add 11002 deny ip6 from any to any src-ip6 2001:aaaa:bbbb:cccc::101:1 layer2 not MAC any CA:FE:BA:BE:51:0A via epair51b
### ### ### --- --- --- ### ### ###
#
# filter for vswitch12 (jail3)
#
### count
add 12500 count all from any to any via epair51b
add 12501 count all from any to any via epair52b
### deny carp multicast
## // add deny log logamount 10 ip4 from any to 224.0.0.0/4 in via epair11b
## // add deny log logamount 10 ip4 from any to 224.0.0.18 in via epair11b
add 12999 deny vrrp from any to any via epair11b
#
### <--- --- ---> ###
### default // ###
add 65001 allow ip from any to any via lo0
add 65002 deny ip from any to 127.0.0.0/8
add 65003 deny ip from 127.0.0.0/8 to any
add 65004 deny ip from any to ::1
add 65005 deny ip from ::1 to any
add 65006 allow ipv6-icmp from :: to ff02::/16
add 65007 allow ipv6-icmp from fe80::/10 to fe80::/10
add 65008 allow ipv6-icmp from fe80::/10 to ff02::/16
add 65009 allow ipv6-icmp from any to any ip6 icmp6types 1
add 65010 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
### // default ###
### default ipv4/ipv6 // ###
add 65500 allow ipv4 from any to any
add 65501 allow ipv6 from any to any
### // default ipv4/ipv6 ###
### ### ### // PLITC ### ### ###
# EOF
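The rc.conf stanzas of point 3 and the layer-2 anti-spoofing rules of point 7 follow one numbering pattern per jail zone; this added generator (not from the original post) derives both from the vswitch number, so a new jail gets its static MACs and its MAC/IP binding rules from a single call. The function names, the 10..49 zone range and the M*1000+1 rule numbering are assumptions modelled on the page's vswitch11/epair51 example.

```shell
#!/bin/sh
# Added generator (not from the original post) for one jail zone, following
# the page's naming scheme:
#   vswitch M  = epair{M}b (leg from vswitch3) + epair{M+40}b (jail side)
#   the jail receives epair{M+40}a with the static MAC CA:FE:BA:BE:{M+40}:0A
#   ipfw rules M*1000+1 / M*1000+2 bind that MAC to the jail's IPv4/IPv6
#     address on epair{M+40}b, as in the vswitch11/epair51 rules of point 7
# Assumption: M is 10..49 (vswitch10 .. vswitch49), so M+40 stays <= 89.

# Static MAC for one side of epairNN: a-side -> CA:FE:BA:BE:NN:0A, b-side -> ...:0B
epair_mac() {
    printf 'CA:FE:BA:BE:%02d:0%s' "$1" "$2"
}

check_zone_no() {
    case $1 in
        [1-4][0-9]) return 0 ;;
        *) echo "zone number must be 10..49, got '$1'" >&2; return 2 ;;
    esac
}

# rc.conf lines for vswitch M and its jail-side epair
jail_zone_rcconf() {
    check_zone_no "$1" || return 2
    m=$1
    j=$((m + 40))
    printf 'ifconfig_epair%sa="ether %s up"\n' "$j" "$(epair_mac "$j" A)"
    printf 'ifconfig_epair%sb="ether %s up"\n' "$j" "$(epair_mac "$j" B)"
    printf 'ifconfig_bridge%s_name="vswitch%s"\n' "$m" "$m"
    printf 'ifconfig_vswitch%s="ether CA:FE:BA:BE:00:%02d addm epair%sb stp epair%sb addm epair%sb up"\n' \
        "$m" "$m" "$m" "$m" "$j"
}

# ipfw rules: drop frames on the jail's bridge port that claim the jail's IP
# but do not carry the jail's MAC, so no other jail or VM can borrow the address.
jail_zone_ipfw() {
    check_zone_no "$1" || return 2
    m=$1; ip4=$2; ip6=${3:-}
    j=$((m + 40))
    mac=$(epair_mac "$j" A)
    printf 'add %s deny ip4 from any to any src-ip %s layer2 not MAC any %s via epair%sb\n' \
        "$((m * 1000 + 1))" "$ip4" "$mac" "$j"
    if [ -n "$ip6" ]; then
        printf 'add %s deny ip6 from any to any src-ip6 %s layer2 not MAC any %s via epair%sb\n' \
            "$((m * 1000 + 2))" "$ip6" "$mac" "$j"
    fi
}

# Demo: reproduces the page's jail2 zone (vswitch11, epair51, 192.168.0.101)
if [ "${1:-}" = "demo" ]; then
    jail_zone_rcconf 11
    jail_zone_ipfw 11 192.168.0.101 2001:aaaa:bbbb:cccc::101:1
fi
```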
Additions:
16.09.2014 – the tap devices are primarily for bhyve; VirtualBox VMs can also be connected with the help of epairs
That’s FreeBSD