看下docker中是怎么配置的网络
在虚机中访问外网:设定了qemu,在主机上添加路由:sudo iptables -t nat -I POSTROUTING -s 192.168.1.110 -j SNAT --to-source 192.168.0.108
设置了这句话就可以访问外网了。
设置了两个虚拟机:
tap0 (192.168.129.1) --->
tap1 (192,168.130.1) --->
增加nat的NAT的表项设置: sudo iptables -t nat -I POSTROUTING -s 192.168.128.0/20 -j SNAT --to-source 192.168.0.108
同时去访问我的云主机:121.X.X.X,从两个主机中都能ping得通,这说明在NAT记录了这个地址,记录着
两个典型包:
192.168.129.110 --->云主机 ( 192.168.0.108 ---> 云主机)
192.168.130.110 --->云主机 ( 192.168.0.108 ---> 云主机)
NAT内部是怎么记录的这个转换?是记录咋的?从云主机IP中回来了一个包,目的地址是192.168.0.108,怎么分别分流到 192.168.129.110 和 192.168.130.110 两个 IP地址中。
难道是端口的信息在里面?接受数据包的流程
#0 icmp_rcv (skb=0xffff88007c9efc00) at net/ipv4/icmp.c:973 #1 0xffffffff816d97af in ip_local_deliver_finish (net=0xffffffff81ed8680 <init_net>, sk=<optimized out>, skb=0xffff88007c9efc00) at net/ipv4/ip_input.c:216 #2 0xffffffff816d9e45 in NF_HOOK_THRESH (thresh=<optimized out>, okfn=<optimized out>, out=<optimized out>, in=<optimized out>, skb=<optimized out>, sk=<optimized out>, net=<optimized out>, hook=<optimized out>, pf=<optimized out>)at ./include/linux/netfilter.h:232 #3 NF_HOOK (okfn=<optimized out>, out=<optimized out>, in=<optimized out>, skb=<optimized out>, sk=<optimized out>, net=<optimized out>, hook=<optimized out>, pf=<optimized out>)at ./include/linux/netfilter.h:255 #4 ip_local_deliver (skb=0xffff88007c9efc00)at net/ipv4/ip_input.c:257 #5 0xffffffff816d9a7b in dst_input (skb=<optimized out>)at ./include/net/dst.h:507 #6 ip_rcv_finish (net=0xffffffff81ed8680 <init_net>, sk=<optimized out>, skb=0xffff88007c9efc00)at net/ipv4/ip_input.c:396 #7 0xffffffff816da11e in NF_HOOK_THRESH (thresh=<optimized out>, okfn=<optimized out>, out=<optimized out>, in=<optimized out>, skb=<optimized out>, sk=<optimized out>, net=<optimized out>, hook=<optimized out>, pf=<optimized out>)at ./include/linux/netfilter.h:232 #8 NF_HOOK (okfn=<optimized out>, out=<optimized out>, in=<optimized out>, skb=<optimized out>, sk=<optimized out>, net=<optimized out>, hook=<optimized out>, pf=<optimized out>)at ./include/linux/netfilter.h:255 #9 ip_rcv (skb=0xffff88007c9efc00, dev=0xffff88007c530000, pt=<optimized out>, orig_dev=<optimized out>)at net/ipv4/ip_input.c:487 #10 0xffffffff81684eea in __netif_receive_skb_core (skb=0xffff88007c9efc00, pfmemalloc=<optimized out>)at net/core/dev.c:4211 #11 0xffffffff816878cd in __netif_receive_skb (skb=<optimized out>)at net/core/dev.c:4249 #12 0xffffffff8168793d in netif_receive_skb_internal (skb=0xffff88007c9efc00) at net/core/dev.c:4277 #13 0xffffffff81688582 in napi_skb_finish (skb=<optimized out>, ret=<optimized out>) at net/core/dev.c:4626 ---Type <return> to continue, or q <return> to quit--- #14 napi_gro_receive (napi=0xffff88007c530b70, skb=0xffff88007c9efc00)at net/core/dev.c:4658 #15 0xffffffff81532db1 in e1000_receive_skb (skb=<optimized out>, vlan=<optimized out>, status=<optimized out>, adapter=<optimized out>)at drivers/net/ethernet/intel/e1000/e1000_main.c:4035 #16 e1000_clean_rx_irq (adapter=0xffff88007c5308c0, rx_ring=<optimized out>, work_done=<optimized out>, work_to_do=<optimized out>)at drivers/net/ethernet/intel/e1000/e1000_main.c:4491 #17 0xffffffff81531bb0 in e1000_clean (napi=0xffff88007c530b70, budget=64) at drivers/net/ethernet/intel/e1000/e1000_main.c:3836 #18 0xffffffff8168968a in napi_poll (repoll=<optimized out>, n=<optimized out>) at net/core/dev.c:5158 #19 net_rx_action (h=<optimized out>) at net/core/dev.c:5223 #20 0xffffffff8187c0d9 in __do_softirq () at kernel/softirq.c:284 #21 0xffffffff81058f70 in invoke_softirq () at kernel/softirq.c:364 #22 irq_exit () at kernel/softirq.c:405 #23 0xffffffff8187be94 in exiting_irq ()at ./arch/x86/include/asm/apic.h:659 #24 do_IRQ (regs=0xffffc9000006be08) at arch/x86/kernel/irq.c:251 #25 0xffffffff8187a4bf in common_interrupt ()at arch/x86/entry/entry_64.S:520 #26 0xffffc9000006be08 in ?? () #27 0x0000000000000000 in ?? ()
设置完SNAT后接收icmp包: NAT是
当服务器14.17.88.99回复了一个数据包后(src=14.17.88.99 dst=115.22.112.12),进入到wan侧接口的PRE_ROUTING链时,
则在调用其nat相关的hook函数后,会调用函数ip_nat_packet获取到 origin tuple 值,然后再根据 origin tuple,计算出反方向的tuple,
即为new_tuple.src = 14.17.88.99 new_tuple.dst = 192.168.1.123,然后就会根据这个新的tuple修改其目的ip地址,
修改后的数据包的目的地址即为192.168.1.123 。然后再查找路由,将数据发送到正常的lan口。这就是nat的De-SNAT
路由地址:
ipt_do_table -->
nf_nat_ipv4_fn
在nf_nat_ipv4_fn函数中,首先上来是:nf_ct_get,ct: conntrack, 其中涉及到的数据结构有:
ip_conntrace_info / nf_conn_nat
下面的链接中有一个,详细解释了当设置SNAT之后,出包和进包的一个流程
当数据到达路由器的wan0口,进入到PRE_ROUTING时,会先建立一个nf_conn结构,和两个nf_conntrack_tuple(origin 与reply)
问题
1)prerouting 在哪里?
2)postrouting的代码在哪里?
nf_conntrack_l3proto_ipv4_init 初始化的啥东西?
链接跟踪正是在相应的函数中注册了相应的函数:nf_conntrack_l3proto_ipv4_init函数,
ipv4_conntrack_in -->
