Useful links SRext - a Linux kernel module that implements different SR proxy behaviours.
https://github.com/netgroup/SRv6-net-prog SERA - a SEgment Routing Aware Firewall. SR-iptables - an extended version of iptables userspace utility that allows adding SR-aware iptables rules. SR-snort - an SR-aware version of snort. SR-tcpdump - an SR-extended version of tcpdump able to parse SRH information.
root@mpls2:~# sysctl -w net.ipv6.ip6t_seg6=1 sysctl: cannot stat /proc/sys/net/ipv6/ip6t_seg6: No such file or directory root@mpls2:~#
root@mpls1:~# ip -6 rule 0: from all lookup local 32766: from all lookup main root@mpls1:~# ip -6 route show table srv6
root@mpls1:~# ip6tables -L -nvx
root@mpls1:~# srconf localsid show Command 'srconf' not found, did you mean: command 'srconv' from deb csound-utils command 'sfconf' from deb sendfile
root@mpls1:~# cat /etc/snort/rules/local.rule cat: /etc/snort/rules/local.rule: No such file or directory root@mpls1:~#
参考: https://qiita.com/makotaka/items/072158975643c045332e 和 https://qiita.com/makotaka/items/072158975643c045332e、https://blog.icttoracon.net/2019/03/21/ictsc2018-f-12/
18.04
# apt update
# apt -y install gcc make git
# git clone https://github.com/netgroup/SRv6-net-prog
# cd SRv6-net-prog/
# git checkout 76a6d8398bfb12b801a74de71897159b0aa8ad34
# cd srext
# make
# make install
# depmod -a
# modprobe srext
18.10
# apt update
# apt -y install gcc make git
# git clone https://github.com/netgroup/SRv6-net-prog
# cd SRv6-net-prog/srext
# make
# make install
# depmod -a
# modprobe srext
SRv6有効化
/etc/sysctl.conf に下記を追加
# Alibaba CloudはデフォルトでIPv6がdisableになってるので下記4行で有効化する。AWSは不要。
net.ipv6.conf.all.disable_ipv6=0
net.ipv6.conf.default.disable_ipv6=0
net.ipv6.conf.lo.disable_ipv6=0
net.ipv6.conf.eth0.disable_ipv6=0
# Segment routing 有効化、hmacは面倒なので今は無効化（0 は HMAC 付き/なしどちらの SRH も受け入れる設定。HMAC なしの SRH を落としたい場合は 1）
net.ipv6.conf.all.seg6_require_hmac = 0
net.ipv6.conf.all.seg6_enabled=1
net.ipv6.conf.default.seg6_enabled=1
net.ipv6.conf.eth0.seg6_enabled=1
net.ipv6.conf.lo.seg6_enabled=1
# forwarding有効化
net.ipv4.conf.all.forwarding=1
net.ipv6.conf.all.forwarding=1
/etc/sysctl.conf の設定を反映させる
# sysctl -p
I. Compilation and Installation
Clone the srv6-net-prog repository on your machine:
$ git clone https://github.com/netgroup/SRv6-net-prog
Compile srext module and CLI
$ cd SRv6-net-prog/srext/
$ sudo make
make[2]: Entering directory '/root/SRv6-net-prog/srext/kernel' make[2]: *** /lib/modules/4.15.0-112-generic/build: No such file or directory. Stop. make[2]: Leaving directory '/root/SRv6-net-prog/srext/kernel' Makefile:12: recipe for target 'default' failed make[1]: *** [default] Error 2 make[1]: Leaving directory '/root/SRv6-net-prog/srext/kernel' Makefile:3: recipe for target 'default' failed make: *** [default] Error 2 root@mininet-vm:~/SRv6-net-prog/srext# apt-get -y install linux-headers-4.15.0-112-generic
/root/SRv6-net-prog/srext/kernel/hook_v4.c: In function ‘ip6_route_input’: /root/SRv6-net-prog/srext/kernel/hook_v4.c:47:66: warning: passing argument 4 of ‘ip6_route_input_lookup’ makes integer from pointer without a cast [-Wint-conversion] skb_dst_set(skb, ip6_route_input_lookup(net, skb->dev, &fl6, skb, flags)); ^ In file included from /root/SRv6-net-prog/srext/kernel/hook_v4.c:17:0: ./include/net/ip6_route.h:70:19: note: expected ‘int’ but argument is of type ‘struct sk_buff *’ struct dst_entry *ip6_route_input_lookup(struct net *net, ^ /root/SRv6-net-prog/srext/kernel/hook_v4.c:47:22: error: too many arguments to function ‘ip6_route_input_lookup’ skb_dst_set(skb, ip6_route_input_lookup(net, skb->dev, &fl6, skb, flags)); ^ In file included from /root/SRv6-net-prog/srext/kernel/hook_v4.c:17:0: ./include/net/ip6_route.h:70:19: note: declared here struct dst_entry *ip6_route_input_lookup(struct net *net, ^ scripts/Makefile.build:330: recipe for target '/root/SRv6-net-prog/srext/kernel/hook_v4.o' failed make[3]: *** [/root/SRv6-net-prog/srext/kernel/hook_v4.o] Error 1 Makefile:1582: recipe for target '_module_/root/SRv6-net-prog/srext/kernel' failed make[2]: *** [_module_/root/SRv6-net-prog/srext/kernel] Error 2 make[2]: Leaving directory '/usr/src/linux-headers-4.15.0-112-generic' Makefile:12: recipe for target 'default' failed make[1]: *** [default] Error 2 make[1]: Leaving directory '/root/SRv6-net-prog/srext/kernel' Makefile:3: recipe for target 'default' failed make: *** [default] Error 2
/**
 * ip6_route_input()
 * used to input packets, after applying encap behavior, into the routing subsystem
 *
 * Builds a flowi6 from the IPv6 header of @skb (addresses, flow label,
 * mark, next header, ingress ifindex) and stores the result of the route
 * lookup as the skb's dst.  The lookup uses the four-argument
 * ip6_route_input_lookup(net, dev, fl6, flags) declared by the
 * linux-headers-4.15 build tree; the five-argument call (which also
 * passes skb) kept in the comment below is the form the repository
 * shipped with and does not compile against those headers.
 */
void ip6_route_input(struct sk_buff *skb)
{
	const struct ipv6hdr *iph = ipv6_hdr(skb);
	struct net *net = dev_net(skb->dev);
	int flags = RT6_LOOKUP_F_HAS_SADDR;	/* fl6.saddr is populated below */
	struct flowi6 fl6 = {
		.flowi6_iif = skb->dev->ifindex,
		.daddr = iph->daddr,
		.saddr = iph->saddr,
		.flowlabel = ip6_flowinfo(iph),
		.flowi6_mark = skb->mark,
		.flowi6_proto = iph->nexthdr,
	};

	/* 4-arg signature: matches include/net/ip6_route.h in the 4.15 headers */
	skb_dst_set(skb, ip6_route_input_lookup(net, skb->dev, &fl6, flags));
	/* original 5-arg form (passes skb); fails to build against the 4.15 headers */
	//skb_dst_set(skb, ip6_route_input_lookup(net, skb->dev, &fl6, skb, flags));
}
root@mininet-vm:~/SRv6-net-prog/srext# make install make -C kernel/ install make[1]: Entering directory '/root/SRv6-net-prog/srext/kernel' make -C /lib/modules/4.15.0-112-generic/build M=/root/SRv6-net-prog/srext/kernel modules_install make[2]: Entering directory '/usr/src/linux-headers-4.15.0-112-generic' INSTALL /root/SRv6-net-prog/srext/kernel/srext.ko At main.c:160: - SSL error:02001002:system library:fopen:No such file or directory: ../crypto/bio/bss_file.c:72 - SSL error:2006D080:BIO routines:BIO_new_file:no such file: ../crypto/bio/bss_file.c:79 sign-file: certs/signing_key.pem: No such file or directory DEPMOD 4.15.0-112-generic make[2]: Leaving directory '/usr/src/linux-headers-4.15.0-112-generic' make[1]: Leaving directory '/root/SRv6-net-prog/srext/kernel' make -C tools/ install make[1]: Entering directory '/root/SRv6-net-prog/srext/tools' cp ../bin/srconf /usr/bin make[1]: Leaving directory '/root/SRv6-net-prog/srext/tools' root@mininet-vm:~/SRv6-net-prog/srext# depmod -a root@mininet-vm:~/SRv6-net-prog/srext# modprobe srext
root@mininet-vm:~/SRv6-net-prog/srext# srconf localsid Usage: srconf localsid { help | flush } srconf localsid { show | clear-counters } [SID] srconf localsid del SID srconf localsid add SID BEHAVIOUR BEHAVIOUR:= { end | end.dx2 TARGETIF | end.dx4 NEXTHOP4 TARGETIF | { end.x | end.dx6 } NEXTHOP6 TARGETIF | { end.ad4 | end.ead4 } NEXTHOP4 TARGETIF SOURCEIF | { end.am | end.ad6 | end.ead6 } NEXTHOP6 TARGETIF SOURCEIF | end.as4 NEXTHOP4 TARGETIF SOURCEIF src ADDR segs SIDLIST left SEGMENTLEFT } end.as6 NEXTHOP6 TARGETIF SOURCEIF src ADDR segs SIDLIST left SEGMENTLEFT | NEXTHOP4:= { ip IPv4-ADDR | mac MAC-ADDR } NEXTHOP6:= { ip IPv6-ADDR | mac MAC-ADDR } root@mininet-vm:~/SRv6-net-prog/srext#
root@mininet-vm:~/SRv6-net-prog/srext# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether fa:16:3e:33:92:f5 brd ff:ff:ff:ff:ff:ff inet 10.10.18.156/24 brd 10.10.18.255 scope global ens3 valid_lft forever preferred_lft forever inet6 fe80::f816:3eff:fe33:92f5/64 scope link valid_lft forever preferred_lft forever root@mininet-vm:~/SRv6-net-prog/srext# srconf localsid add 2406::10 end.dx4 ip 10.0.0.70 ens3 SREXT answers: OK. root@mininet-vm:~/SRv6-net-prog/srext# srconf localsid show SRv6 - MY LOCALSID TABLE: ================================================== SID : 2406::10 Behavior: end.dx4 Next hop: 10.0.0.70 OIF : ens3 Good traffic: [0 packets : 0 bytes] Bad traffic: [0 packets : 0 bytes] ------------------------------------------------------ root@mininet-vm:~/SRv6-net-prog/srext#
root@mininet-vm:~/SRv6-net-prog/srext# srconf localsid add 2406::10 end.dx4 ip 10.0.0.70 ens3 SREXT answers: OK. root@mininet-vm:~/SRv6-net-prog/srext# srconf localsid show SRv6 - MY LOCALSID TABLE: ================================================== SID : 2406::10 Behavior: end.dx4 Next hop: 10.0.0.70 OIF : ens3 Good traffic: [0 packets : 0 bytes] Bad traffic: [0 packets : 0 bytes] ------------------------------------------------------ root@mininet-vm:~/SRv6-net-prog/srext# srconf localsid add fc00:5::bb end.ad4 ip 192.168.1.2 ens3 lo SREXT answers: OK. root@mininet-vm:~/SRv6-net-prog/srext# srconf localsid show SRv6 - MY LOCALSID TABLE: ================================================== SID : 2406::10 Behavior: end.dx4 Next hop: 10.0.0.70 OIF : ens3 Good traffic: [0 packets : 0 bytes] Bad traffic: [0 packets : 0 bytes] ------------------------------------------------------ SID : fc00:5::bb Behavior: end.ad4 Next hop: 192.168.1.2 OIF : ens3 IIF : lo Good traffic: [0 packets : 0 bytes] Bad traffic: [0 packets : 0 bytes] ------------------------------------------------------ root@mininet-vm:~/SRv6-net-prog/srext#
root@mininet-vm:~/SRv6-net-prog/srext# srconf localsid show fc00:5::bb SRv6 - MY LOCALSID TABLE: ================================================== SID : fc00:5::bb Behavior: end.ad4 Next hop: 192.168.1.2 OIF : ens3 IIF : lo Good traffic: [0 packets : 0 bytes] Bad traffic : [0 packets : 0 bytes] ------------------------------------------------------ root@mininet-vm:~/SRv6-net-prog/srext#
root@mininet-vm:~/SRv6-net-prog/srext# ip -6 r fe80::/64 dev ens3 proto kernel metric 256 pref medium root@mininet-vm:~/SRv6-net-prog/srext#
root@mininet-vm:~# ip route add 20.20.20.0/24 encap seg6 mode encap segs 3000::2,3000::4 dev ens3 table srv6 root@mininet-vm:~# srconf localsid add 20.20.20.0/24 encap seg6 mode encap segs 3000::2,3000::4 dev ens3 Error: inet6 prefix is expected rather than "20.20.20.0/24". root@mininet-vm:~# srconf localsid add 20.20.20.0/24 encap seg6 mode encap segs 3000::2,3000::4 dev ens3 Error: inet6 prefix is expected rather than "20.20.20.0/24". root@mininet-vm:~# srconf localsid add 2000:2001::1001/128 encap seg6 mode encap segs 3000::2,3000::4 dev ens3 Error: inet6 prefix is expected rather than "2000:2001::1001/128". root@mininet-vm:~# srconf localsid add 2000:2001::1001 encap seg6 mode encap segs 3000::2,3000::4 dev ens3 SRv6 behavior "encap" is not supported root@mininet-vm:~#
root@mininet-vm:~/srv6_Sandbox# srconf localsid add 2000:2001::1001 end.dx4 ip 10.10.27.18 ens3 SREXT answers: OK. root@mininet-vm:~/srv6_Sandbox# ping6 2000:2001::1001 connect: Network is unreachable root@mininet-vm:~/srv6_Sandbox# ip -6 r add 2000:2001::1001/128 dev ens3
root@mininet-vm:~# ip -6 r
2000:2001::1001 dev ens3 metric 1024 pref medium
fe80::/64 dev ens3 proto kernel metric 256 pref medium
root@mininet-vm:~#
root@mininet-vm:~/srv6_Sandbox# ping6 2000:2001::1001 PING 2000:2001::1001(2000:2001::1001) 56 data bytes From fe80::f816:3eff:fe33:92f5%ens3 icmp_seq=1 Destination unreachable: Address unreachable From fe80::f816:3eff:fe33:92f5%ens3 icmp_seq=2 Destination unreachable: Address unreachable