path: root/init_tfe_env.sh
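#!/bin/bash
#
# init_tfe_env.sh — hand the host tap device to a running container's network
# namespace and configure policy routing plus an NFQUEUE hook inside it.
# Needs privileges sufficient for sysctl/ip/iptables (normally root) and
# expects tfe_sysctl.conf in the current working directory.

# Host-side tap device that is moved into the container namespace.
readonly NIC=tap0
# Addresses used inside the namespace: the peer (next hop) and our own side.
readonly PEER_IP=172.16.2.1
readonly LOCAL_IP=172.16.2.2
readonly LOCAL_MAC=fe:65:b7:00:00:01
# Name of the container whose network namespace is configured.
readonly container=tfe-container-v4.4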

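exposedockernetns ()
{
	# Expose a running container's network namespace under /var/run/netns so
	# that `ip netns exec <name>` can run commands inside it.
	# Arguments: $1 - container name or id (also used as the netns name)
	# Outputs:   the created link path on stdout
	# Returns:   1 if the container PID cannot be determined, the container is
	#            not running, or the symlink cannot be created
	local name=$1
	local pid
	pid=$(docker inspect -f '{{.State.Pid}}' "$name") || return 1
	# A stopped container reports Pid 0; linking /proc/0 would leave a
	# dangling netns entry and every later `ip netns exec` would fail.
	if [[ -z "$pid" || "$pid" == 0 ]]; then
		echo "container ${name} is not running (pid '${pid}')" >&2
		return 1
	fi
	ln -s "/proc/${pid}/ns/net" "/var/run/netns/${name}" || return 1
	echo "netns of ${name} exposed as /var/run/netns/${name}"
}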

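dockerrmf ()
{
	# Kill and remove every container on this host, running or not.
	# Not invoked by default. With no containers present the original
	# form called `docker kill`/`docker rm` with no arguments, which errors.
	# Returns: status of `docker rm` (0 when there was nothing to remove)
	local -a ids
	mapfile -t ids < <(docker ps --no-trunc -aq)
	if (( ${#ids[@]} == 0 )); then
		echo "no containers to remove" >&2
		return 0
	fi
	docker kill "${ids[@]}"
	docker rm "${ids[@]}"
}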

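# Apply the kernel tunables shipped next to this script (path is relative to
# the current working directory). Failure is reported but not fatal: the
# namespace setup below does not depend on it.
cp tfe_sysctl.conf /etc/sysctl.d/ || echo "warning: tfe_sysctl.conf not copied" >&2
sysctl -p /etc/sysctl.d/tfe_sysctl.conf

#dockerrmf
#ip tuntap del dev ${NIC} mode tap
#ip tuntap add dev ${NIC} mode tap one_queue
ip netns list

###############################################################################
# NOTE: the tfe-env script must be stopped first
# cd /home/lwp/tsg_container
# docker-compose up tfe
###############################################################################

# NOTE(review): this removes every exposed namespace handle under
# /var/run/netns, not only the one for ${container}; any other tooling that
# exposed namespaces there loses its handles.
rm -Rf /var/run/netns/*
mkdir -p /var/run/netns
exposedockernetns "${container}" || exit 1
# Everything after this point runs inside the container namespace; if the tap
# device cannot be moved there, stop instead of failing command by command.
if ! ip link set "${NIC}" netns "${container}"; then
	echo "failed to move ${NIC} into netns ${container}" >&2
	exit 1
fi

ip netns exec "${container}" ip link set "${NIC}" address "${LOCAL_MAC}"
ip netns exec "${container}" ip link set "${NIC}" up

# IPv4 policy routing
ip netns exec "${container}" ip addr add "${LOCAL_IP}/24" dev "${NIC}"

# Table 100: everything arriving on ${NIC} is delivered locally (a "local"
# default route on lo), whatever its destination address.
ip netns exec "${container}" ip rule add iif "${NIC}" tab 100
ip netns exec "${container}" ip route add local default dev lo table 100

# Table 101: packets carrying fwmark 0x65 leave through ${NIC} via ${PEER_IP}.
ip netns exec "${container}" ip rule add fwmark 0x65 lookup 101
ip netns exec "${container}" ip route add default dev "${NIC}" via "${PEER_IP}" table 101

# IPv6 policy routing
ip netns exec "${container}" ip addr add fd00::02/64 dev "${NIC}"

ip netns exec "${container}" ip -6 route add default via fd00::01

# Table 102: IPv6 counterpart of table 100 (inbound on ${NIC} delivered locally).
ip netns exec "${container}" ip -6 rule add iif "${NIC}" tab 102
ip netns exec "${container}" ip -6 route add local default dev lo table 102

# iptables: packets matching the classic-BPF program below are handed to user
# space on NFQUEUE 1 instead of being processed further in-kernel. The
# bytecode appears to select IPv4 TCP, non-fragment packets with specific
# header bytes — disassemble it before changing it.
ip netns exec "${container}" iptables -A INPUT -i "${NIC}" -m bpf \
	--bytecode '14,48 0 0 0,84 0 0 240,21 0 10 64,48 0 0 9,21 0 8 6,40 0 0 6,69 6 0 8191,177 0 0 0,80 0 0 20,21 0 3 88,80 0 0 21,21 0 1 4,6 0 0 65535,6 0 0 0' \
	-j NFQUEUE --queue-num 1

# Verification: show the resulting state inside the namespace.
printf '%s\n' "================ run 'ip addr list'  in container ================"
ip netns exec "${container}" ip addr list

printf '%s\n' "================ run 'ip rule list'  in container ================"
ip netns exec "${container}" ip rule list

printf '%s\n' "================ run 'ip route list' in container ================"
ip netns exec "${container}" ip route list

printf '%s\n' "================ run 'iptables'      in container ================"
ip netns exec "${container}" iptables -L

printf '%s\n' "================ run 'ping'          in container ================"
ip netns exec "${container}" ping -c10 "${PEER_IP}"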