Linux:如何强制使用特定的网络接口? [英] Linux: How do I force a specific network interface to be used?

问题描述

这可以看作是理想情况下，无论如何，我都想将进程仅监禁使用某个接口.它将建立TCP连接，发送UDP数据报，并监听UDP广播.目前，我正在做的是:

Ideally, I'd like to jail a process into only using a certain interface, no matter what. It will be making TCP connections, sending UDP datagrams, and listening for UDP broadcasts. Currently, what I am doing is:

1. 确定要使用的接口的IP.
2. 创建IP策略规则，以将来自接口的所有数据包路由到该IP
3. 创建另一个IP策略规则，将来自该IP的所有数据包路由到该接口
4. 为每个规则设置默认路由表

现在，这在大多数情况下都有效，但是客户端进程也必须愿意参与.也就是说，它需要绑定到它想使用的接口的特定IP，我想我也需要设置SO_BINDTODEVICE. (但是，在使用TCP或UDP时，我一直在阅读有关SO_BINDTODEVICE是否真正起作用的信息.)幸运的是，客户端应用程序是Python，并且我可以扩展套接字类以透明地完成所有这些工作.但是我不确定这是否是完整的解决方案，尤其是在接收广播方面.

Now, this works, mostly, but the client process has to also be willing to play along. That is, it needs to bind to the specific IP of the interface it wants to use, and I think I need to set SO_BINDTODEVICE as well. (However, I keep reading conflicting information about whether SO_BINDTODEVICE actually works when using TCP or UDP.) Luckily, the client application is Python, and I can extend the socket class to do all of this transparently. But I'm not sure it is a complete solution, especially with regard to receiving broadcasts.

我的问题是:

1. SO_BINDTODEVICE可以在这里做什么吗?还是仅对原始套接字有效?有人评论说:套接字上的SO_BINDTODEVICE不能保证套接字仅接收到达该物理接口的电线/天线上的数据包."如果确实如此，那么会做什么 SO_BINDTODEVICE会做什么?

1. Does SO_BINDTODEVICE do what I want here? Or is it only effective for raw sockets? Someone commented that, "SO_BINDTODEVICE on a socket doesn't guarantee the socket will only receive packets that arrived on that physical interface's wire/antenna." If this is indeed true, then what does SO_BINDTODEVICE do?

有没有一种方法可以使本地IP不必唯一?除了一个接口上的DHCP服务器可能会为它分配另一个接口正在使用的IP，从而使路由表混乱之外，这将不是一个问题.

Is there a way to do this such that the local IP doesn't have to be unique? This wouldn't be a problem other than the fact that the DHCP server on one interface may allocate it an IP that is in use by another interface, thus confusing the routing table.

如何仅从特定界面接收广播?绑定到特定IP似乎会使它忽略广播，这是有道理的，但并不是我想要的.

How do I receive broadcasts only from a specific interface? Binding to a specific IP seems to make it ignore broadcasts, which makes sense, but isn't quite what I'm looking for.

我正在Linux内核2.6.26的Ubuntu 8.04上运行.能够通过两个不同的接口同时访问两个不同的网络上的同一子网是不可协商的要求，因此(主要)使其不受不要那样做"的影响. :)

I'm running on Ubuntu 8.04 w/ Linux kernel 2.6.26. Being able to access the same subnet on two different networks through two different interfaces simultaneously is a non-negotiable requirement, thus making it (mostly) immune to "don't do that." :)

推荐答案

在一个艰苦的周末之后，我很高兴为您提供一个解决方案，该解决方案可以解决我先前讨论的大多数问题，而几乎没有什么麻烦.

After a hard-fought weekend, I'm pleased to present a solution that addresses most of what I've previously discussed with almost zero hassle.

有一个名为net.ipv4.conf.all.rp_filter的sysctl，可以将其设置为0以禁用源验证:

There is a sysctl called net.ipv4.conf.all.rp_filter that can be set to 0 to disable source validation:

    rp_filter - INTEGER
         2 - do source validation by reversed path, as specified in RFC1812
             Recommended option for single homed hosts and stub network
             routers. Could cause troubles for complicated (not loop free)
             networks running a slow unreliable protocol (sort of RIP),
             or using static routes.

         1 - (DEFAULT) Weaker form of RP filtering: drop all the packets
             that look as sourced at a directly connected interface, but
             were input from another interface.

         0 - No source validation.

也可以使用/proc/sys/net/ipv4/conf/<interface>/rp_filter在每个接口上进行设置.

This can also be set on a per interface basis using /proc/sys/net/ipv4/conf/<interface>/rp_filter.

正如一位发布者所解释的那样，从某种意义上说，它不能保证IP路由的确定性降低，因为不能保证来自一个子网的数据包总是出自同一接口.在这种情况下，这正是需要的.请进行其他研究，以确定这是否真的是您想要的.

As one poster explained it, it makes IP routing "less deterministic" in the sense that packets coming from one subnet aren't guaranteed to always go out the same interface. In this instance, this is exactly what it is needed. Please do additional research to determine if this is really what you want.

由于我不了解的原因，广播仍然存在问题，但我最终对此感到满意，希望对其他人有所帮助.

Broadcasts are still problematic for reasons I do not understand, but I am finally satisfied with this issue and I hope it helps others.

这篇关于Linux:如何强制使用特定的网络接口?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！