Re: [gentoo-user] iproute2 reference
On Sunday, 29 July 2018 12:17:39 BST Andrew Savchenko wrote:
> On Sun, 10 Jun 2018 14:15:03 +0100 Peter Humphrey wrote:
> > Hello list,
> >
> > I'm trying to learn how to use the "ip" command to manage routing on one
> > of my boxes, which has two Ethernet interfaces.
> >
> > Can anyone recommend suitable reading material? I don't mind paying for
> > a book, provided that it's reasonably up to date and won't bury me in a
> > morass of bit patterns, OSI transport layers and so on. Just the stuff
> > that a network admin would need.
>
> The best howto on iproute I ever saw:
> https://www.tldp.org/HOWTO/Adv-Routing-HOWTO/

Thanks Andrew. I already have that one and I'm working my way through parts
of it.

--
Regards,
Peter.

Re: [gentoo-user] iproute2 reference
On Sun, 10 Jun 2018 14:15:03 +0100 Peter Humphrey wrote:
> Hello list,
>
> I'm trying to learn how to use the "ip" command to manage routing on one
> of my boxes, which has two Ethernet interfaces.
>
> Can anyone recommend suitable reading material? I don't mind paying for a
> book, provided that it's reasonably up to date and won't bury me in a
> morass of bit patterns, OSI transport layers and so on. Just the stuff
> that a network admin would need.

The best howto on iproute I ever saw:
https://www.tldp.org/HOWTO/Adv-Routing-HOWTO/

Best regards,
Andrew Savchenko

Re: [gentoo-user] iproute2 reference
On Sunday, 10 June 2018 17:58:35 BST Grant Taylor wrote:

--->8 much detail that makes me feel a bit faint...

> IMHO the biggest issue is that you have to understand what you want to do
> and then translate it to the proper ip commands to do it. You need that
> high level blueprint (if you will) so that you can then implement it with
> the "ip" command. This is why you need at least a basic understanding of
> networking to fully take advantage of the "ip" command.

Quite so. Understanding is dawning, but slowly these days, and starting from
deep darkness.

The lartc website has been down for a few days now, but I'd already got hold
of the howto. I've just sent a subscription request to the mailing list.

Many thanks for your help, Grant.

--
Regards,
Peter.

Re: [gentoo-user] iproute2 reference
On 06/10/2018 01:13 PM, Grant Taylor wrote:
> I'll respond later with more details as to what I do to run various
> things in Network Namespaces.

I create the following directories ("mkdir -p" type thing):

 - /run/mountns/$NSname
 - /run/netns/$NSname
 - /utsns/$NSname

First I create the Namespace:

   unshare --mount=/run/mountns/$NSname --net=/run/netns/$NSname --uts=/run/utsns/$NSname /bin/true

Then I change the hostname inside of the Namespace:

   nsenter --mount=/run/mountns/$NSname --net=/run/netns/$NSname --uts=/run/utsns/$NSname /bin/hostname $NSname

Then I start whatever process I want to inside of the Namespace:

   nsenter --mount=/run/mountns/$NSname --net=/run/netns/$NSname --uts=/run/utsns/$NSname /path/to/daemon…

I reuse the nsenter methodology above to go into the Namespace and run
whatever I want. I can enter an interactive shell inside of the Namespace
using the following:

   nsenter --mount=/run/mountns/$NSname --net=/run/netns/$NSname --uts=/run/utsns/$NSname /bin/bash

I see no reason that you couldn't run a VPN inside of a Namespace. It might
actually make things easier. The VPN could route everything (from that
Namespace) through the VPN. Then you just need to pick what you route to the
VPN's Namespace.

Note: What I'm doing is quite similar to containers with the major exception
that all of the files are based on the parent (default / main / unnamed)
Namespace. (It's my understanding that…) Containers use this same
methodology with namespaces, just with a full file system that is an OS image
unto themselves. Which means that they need to be maintained as separate OS
images and have the proper care and feeding. My preferred method means that
the Namespaces inherit all the files from the parent (…) Namespace. (Sort of
like Solaris's sparse zones.)

--
Grant. . . .
unix || die

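The last step of the message above ("pick what you route to the VPN's Namespace"), as an added example that is not part of the thread or any poster's own script: a veth link into the namespace plus a policy-routing rule and a dedicated table. The namespace name, interface names, addresses (documentation ranges), table number and the use of iptables for NAT are all assumptions; how the VPN client inside the namespace reaches its server is left out.

```shell
#!/bin/sh
# Added example: send selected destinations from the main stack through a
# namespace that hosts a VPN client. Every name and address is an assumption
# (documentation ranges); none comes from the thread.
NS=${NS:-vpn}                       # namespace name
HOST_IF=${HOST_IF:-vpn0}            # veth end kept in the main namespace
NS_IF=${NS_IF:-vpn1}                # veth end moved into $NS
HOST_IP=${HOST_IP:-192.0.2.1}       # /30 link between the two stacks
NS_IP=${NS_IP:-192.0.2.2}
VPN_DST=${VPN_DST:-203.0.113.0/24}  # destinations that must use the VPN
TUN_IF=${TUN_IF:-tun0}              # interface the VPN client creates
TABLE=${TABLE:-100}                 # dedicated routing table

# Linux interface names are limited to 15 characters.
check_ifname() {
    [ -n "$1" ] && [ "${#1}" -le 15 ]
}

# Print the commands one per line so they can be reviewed before use.
# The unreachable route (higher metric) makes the selected traffic fail
# instead of falling back to the main table if the veth route disappears.
vpn_ns_plan() {
    for i in "$HOST_IF" "$NS_IF" "$TUN_IF"; do
        check_ifname "$i" || { echo "bad interface name: $i" >&2; return 1; }
    done
    cat <<EOF
ip netns add $NS
ip link add $HOST_IF type veth peer name $NS_IF
ip link set $NS_IF netns $NS
ip addr add $HOST_IP/30 dev $HOST_IF
ip link set $HOST_IF up
ip netns exec $NS ip link set lo up
ip netns exec $NS ip addr add $NS_IP/30 dev $NS_IF
ip netns exec $NS ip link set $NS_IF up
ip netns exec $NS sysctl -q -w net.ipv4.ip_forward=1
ip netns exec $NS iptables -t nat -A POSTROUTING -o $TUN_IF -j MASQUERADE
ip route add unreachable default metric 1000 table $TABLE
ip route add default via $NS_IP dev $HOST_IF table $TABLE
ip rule add to $VPN_DST lookup $TABLE priority 1000
EOF
}

# "plan" prints the commands; "apply" runs them and needs root.
case "${1:-}" in
    plan)  vpn_ns_plan ;;
    apply) plan=$(vpn_ns_plan) && printf '%s\n' "$plan" | sh -e ;;
esac
```

After applying, `ip rule show` and `ip route show table 100` in the main namespace show the selection rule and both routes.
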
Re: [gentoo-user] iproute2 reference
On 06/10/2018 12:22 PM, Andrew Udvare wrote:
> Is it possible to have a VPN client set up in one of these namespaces and
> route certain traffic through it from the main stack?

I see no reason why it couldn't. It may be entertaining to start and stop
the VPN client.

I'll respond later with more details as to what I do to run various things in
Network Namespaces.

Aside: Containers are functionally similar to, and use, Network Namespaces
as well as other namespaces; process, uts, mount, etc.

--
Grant. . . .
unix || die

Re: [gentoo-user] iproute2 reference
On 06/10/2018 12:58 PM, Grant Taylor wrote:
> It helps if I actually add the foot note.
>
> On 06/10/2018 10:38 AM, Grant Taylor wrote:
>> I will say that you'll likely need other systems [1] to test things
>> like tunnels to / between.
>
> [1] You can easily have one machine be multiple systems via Network
> Namespaces.
>
> I routinely use Network Namespaces to mess with networking in my
> virtualization lab. Think of Network Namespaces as micro TCP/IP stacks
> in the Linux kernel. Each can be configured completely independent of
> the others.

Is it possible to have a VPN client set up in one of these namespaces and
route certain traffic through it from the main stack?

Re: [gentoo-user] iproute2 reference
It helps if I actually add the foot note.

On 06/10/2018 10:38 AM, Grant Taylor wrote:
> I will say that you'll likely need other systems [1] to test things like
> tunnels to / between.

[1] You can easily have one machine be multiple systems via Network
Namespaces.

I routinely use Network Namespaces to mess with networking in my
virtualization lab. Think of Network Namespaces as micro TCP/IP stacks in
the Linux kernel. Each can be configured completely independent of the
others.

I was using Network Namespaces about 12 hours ago to test what I determined
was a bug in VirtualBox. (KVM didn't exhibit the same behavior.)

I used the "ip" command to create a pair of vEth (virtual Ethernet) links:

   ip link add veth0 type veth peer name veth1
   ip link add veth2 type veth peer name veth3

I then created a new Network Namespace:

   ip netns add myNetNS

Then I moved two of the vEth interfaces to the vEth links into myNetNS.

   ip link set veth1 netns myNetNS
   ip link set veth3 netns myNetNS

Then I brought all the interfaces up:

   ip link set veth0 up
   ip link set veth2 up
   ip netns exec myNetNS ip link set veth1 up
   ip netns exec myNetNS ip link set veth3 up

Then I bound IPs to three of the vEth interfaces:

   ip addr add 192.0.2.1/24 dev veth0
   ip netns exec myNetNS ip addr add 192.0.2.254/24 dev veth1
   ip netns exec myNetNS ip addr add 198.51.100.254/24 dev veth3

Then I added a route to my workstation (main / default / nameless NetNS) to
point to the remote 198.51.100.0/24 network:

   ip route add 198.51.100.0/24 via 192.0.2.254

That gave me what I needed to continue troubleshooting my VirtualBox issue.
I was able to have both VBox and KVM glom onto the veth2 interface and put
the guest at 198.51.100.1/24 IP address using 198.51.100.254 as its default
gateway.

This meant that I had a micro routed connection from my workstation (main /
default / nameless NetNS) to the VM that I was testing.

I do things like this weekly. Almost all of the configuration uses the "ip"
command.

IMHO the biggest issue is that you have to understand what you want to do
and then translate it to the proper ip commands to do it. You need that
high level blueprint (if you will) so that you can then implement it with
the "ip" command. This is why you need at least a basic understanding of
networking to fully take advantage of the "ip" command.

--
Grant. . . .
unix || die

Re: [gentoo-user] iproute2 reference
On 06/10/2018 07:15 AM, Peter Humphrey wrote:
> Hello list,

Hi,

> I'm trying to learn how to use the "ip" command to manage routing on one
> of my boxes, which has two Ethernet interfaces.

Cool.

There's a LOT that you can do. I will say that you'll likely need other
systems [1] to test things like tunnels to / between.

There's a LOT that you can do with ip & ilk.

Fair warning, you're getting close to "tc". ;-)

> Can anyone recommend suitable reading material? I don't mind paying for a
> book, provided that it's reasonably up to date and won't bury me in a
> morass of bit patterns, OSI transport layers and so on. Just the stuff
> that a network admin would need.

I don't know of anything that focuses on the "ip" command in particular.
But I always found the old Linux Networking HOWTO (NET3-4-HOWTO) to be a
good place to start for networking concepts. Then you can fairly easily map
them to the "ip" command.

The "ip" command can also get into things like bridging which can be fun.
Proxy ARP is directly related, but I think outside the scope of the "ip"
command.

If you think you're going to be messing with a lot of this and have
questions I'd recommend that you join the Linux Advanced Routing and Traffic
Control (LARTC) mailing list. It's not as active as it was a decade ago,
but there are a few of us regularly answering questions there.

If you care about IPv6 (IMHO you should at least familiarize yourself with
it) I'd suggest going through the free training that Hurricane Electric
offers. You can also get a free tunnel from them to be able to play with
IPv6. You'll likely end up using the "ip" command to establish said tunnel.
;-)

> TiA.

You're welcome.

Feel free to drop me an email if you have questions.

--
Grant. . . .
unix || die

Re: [gentoo-user] iproute2 reference
On Sunday, 10 June 2018 16:52:48 BST Mick wrote:
> On Sunday, 10 June 2018 16:22:18 BST Andrew Udvare wrote:
> > > On 2018-06-10, at 09:15, Peter Humphrey wrote:

--->8

> To thumb through the man pages you need to extend man ip with the OBJECT.
> Same applies with --help pages.
>
> For example, to read the help page of 'ip address':
>
> ip address help
>
> the corresponding man page is:
>
> man ip-address

Yes, I've explored what's installed with iproute2, and no, Andrew, I'm not
using systemd - thanks anyway.

I want to control routing, specifically, on a multi-home box. Distilling the
man pages is going to take me a long time and a lot of effort, which is why I
hoped to find an easier way to absorb what I need to know.

--
Regards,
Peter.

Re: [gentoo-user] iproute2 reference
On Sunday, 10 June 2018 16:22:18 BST Andrew Udvare wrote:
> > On 2018-06-10, at 09:15, Peter Humphrey wrote:
> >
> > Hello list,
> >
> > I'm trying to learn how to use the "ip" command to manage routing on one
> > of my boxes, which has two Ethernet interfaces.
>
> If you're using systemd, you can set it up with systemd.network in
> /etc/systemd/network. I do this on my router. However I was unable to get
> my IPv6 6rd tunnel working this way. For IPv4 DHCP or static it works fine.
>
> https://www.freedesktop.org/software/systemd/man/systemd.network.html
> https://wiki.archlinux.org/index.php/Systemd-networkd#Configuration_examples
>
> > Can anyone recommend suitable reading material? I don't mind paying for a
> > book, provided that it's reasonably up to date and won't bury me in a
> > morass of bit patterns, OSI transport layers and so on. Just the stuff
> > that a network admin would need.
>
> man ip (relatively minimal, but not as minimal as ip --help)
>
> https://www.cyberciti.biz/faq/linux-ip-command-examples-usage-syntax/ is in
> my bookmarks
>
> https://access.redhat.com/sites/default/files/attachments/rh_ip_command_cheatsheet_1214_jcs_print.pdf
>
> bash-completion comes with ip command support.
>
> My script to set up my IPv6 6rd tunnel on my router:
>
> ip tunnel del sit-6rd
> ip tunnel add sit-6rd mode sit local "$IPV4_ADDR" ttl 64 dev enp1s0f0
> ip tunnel 6rd dev sit-6rd 6rd-prefix 2602::/24
>
> ip link set sit-6rd mtu 1480
> ip link set sit-6rd up
>
> ip -6 addr add "$IPV6_ADDR" dev sit-6rd
> ip -6 route add 2000::/3 via "::$IPV4_BR_ADDR"
> ip -6 route add default via "::$IPV4_BR_ADDR"
>
> Andrew

To thumb through the man pages you need to extend man ip with the OBJECT.
Same applies with --help pages.

For example, to read the help page of 'ip address':

   ip address help

the corresponding man page is:

   man ip-address

--
Regards,
Mick

Re: [gentoo-user] iproute2 reference
> On 2018-06-10, at 09:15, Peter Humphrey wrote:
>
> Hello list,
>
> I'm trying to learn how to use the "ip" command to manage routing on one
> of my boxes, which has two Ethernet interfaces.

If you're using systemd, you can set it up with systemd.network in
/etc/systemd/network. I do this on my router. However I was unable to get my
IPv6 6rd tunnel working this way. For IPv4 DHCP or static it works fine.

https://www.freedesktop.org/software/systemd/man/systemd.network.html
https://wiki.archlinux.org/index.php/Systemd-networkd#Configuration_examples

> Can anyone recommend suitable reading material? I don't mind paying for a
> book, provided that it's reasonably up to date and won't bury me in a
> morass of bit patterns, OSI transport layers and so on. Just the stuff
> that a network admin would need.

man ip (relatively minimal, but not as minimal as ip --help)

https://www.cyberciti.biz/faq/linux-ip-command-examples-usage-syntax/ is in
my bookmarks

https://access.redhat.com/sites/default/files/attachments/rh_ip_command_cheatsheet_1214_jcs_print.pdf

bash-completion comes with ip command support.

My script to set up my IPv6 6rd tunnel on my router:

   ip tunnel del sit-6rd
   ip tunnel add sit-6rd mode sit local "$IPV4_ADDR" ttl 64 dev enp1s0f0
   ip tunnel 6rd dev sit-6rd 6rd-prefix 2602::/24

   ip link set sit-6rd mtu 1480
   ip link set sit-6rd up

   ip -6 addr add "$IPV6_ADDR" dev sit-6rd
   ip -6 route add 2000::/3 via "::$IPV4_BR_ADDR"
   ip -6 route add default via "::$IPV4_BR_ADDR"

Andrew

[gentoo-user] iproute2 reference
Hello list,

I'm trying to learn how to use the "ip" command to manage routing on one of
my boxes, which has two Ethernet interfaces.

Can anyone recommend suitable reading material? I don't mind paying for a
book, provided that it's reasonably up to date and won't bury me in a morass
of bit patterns, OSI transport layers and so on. Just the stuff that a
network admin would need.

TiA.

--
Regards,
Peter.