macvlan是kernel提供的一種網(wǎng)卡虛擬化技術(shù)，可以將網(wǎng)卡(不一定是真是的物理網(wǎng)卡，virtio等虛擬網(wǎng)卡也可以)虛擬出多個(gè)接口，這個(gè)網(wǎng)卡稱為master或者父接口，這些虛擬接口和外面環(huán)境通信都是通過(guò)父接口。作用的話比如用于k8s的macvlan cni。

macvlan提供了五種模式: bridge, vepa, private, passthrough和source

private mode:

這種模式下，同一父接口下的子接口之間彼此隔離，不能通信。即

使從外部的交換機(jī)導(dǎo)流再次被父接口接收，也會(huì)被無(wú)情地丟掉。

vepa mode:

這種模式下，子接口之間的通信流量需要導(dǎo)到外部支持

802.1Qbg/VPEA 功能的交換機(jī)上(可以是物理的或者虛擬的)，

經(jīng)由外部交換機(jī)轉(zhuǎn)發(fā)，再繞回來(lái)。

注：802.1Qbg/VPEA 功能簡(jiǎn)單說(shuō)就是交換機(jī)要支持 發(fā)夾

(hairpin) 功能，也就是數(shù)據(jù)包從一個(gè)接口上收上來(lái)之后還能再扔

回去。

bridge mode:

這種模式下，模擬的是 Linux bridge 的功能，但比 bridge 要好的一

點(diǎn)是每個(gè)接口的 MAC 地址是已知的，不用學(xué)習(xí)。所以，這種模式

下，子接口之間就是直接可以通信的。

passthru mode:

這種模式，只允許單個(gè)子接口連接父接口。

source mode:

這種模式，只接收源mac為指定的mac地址的報(bào)文。

下面圖片是在網(wǎng)上截圖的，各個(gè)模式下，數(shù)據(jù)如何轉(zhuǎn)發(fā)。不管哪種模式，子接口都不能和父接口通信。

image.png

下面是通過(guò)ip命令創(chuàng)建macvlan接口的help信息

root@node2:~# ip link add link ens8 dev macvlan1 type macvlan help

Usage: ... macvlan mode MODE [flag MODE_FLAG] MODE_OPTS

MODE: private | vepa | bridge | passthru | source

MODE_FLAG: null | nopromisc -->只針對(duì)passthru模式

MODE_OPTS: for mode "source": -->只針對(duì)source模式

macaddr { { add | del } | set [ [ ... ] ] | flush }

有兩個(gè)選項(xiàng)需要注意:

a. nopromisc 配置只針對(duì)passthru模式

b. 添加macaddr的選項(xiàng)只針對(duì)source模式，以便在source模式下只接收從外部接收的源mac這些設(shè)定的值的報(bào)文

如何查看父接口和子接口的對(duì)應(yīng)關(guān)系

a. 如果子接口和父接口都在同一個(gè)namespace，比如都在root namespace，則可以通過(guò)查看 /sys/class/net/xxx/下的鏈接文件獲知。

注意兩個(gè)前綴lower和upper，對(duì)于macvlan，從層級(jí)上看，父接口是網(wǎng)卡，子接口是虛擬出來(lái)的，所以父接口在下面，子接口在上面，所以lower表示父接口，而upper表示子接口。

#查看macvlan子接口的父接口(macvlan1的父接口為ens8)

root@node2:~# ls -l /sys/class/net/macvlan1/lower*

lrwxrwxrwx 1 root root 0 Oct 27 13:55 /sys/class/net/macvlan1/lower_ens8 -> ../../../pci0000:00/0000:00:08.0/net/ens8

#查看父接口的macvlan子接口(ens8有兩個(gè)子接口: macvlan1和macvlan2)

root@node2:~# ls -l /sys/class/net/ens8/upper*

lrwxrwxrwx 1 root root 0 Oct 27 13:55 /sys/class/net/ens8/upper_macvlan1 -> ../../../../virtual/net/macvlan1

lrwxrwxrwx 1 root root 0 Oct 27 13:56 /sys/class/net/ens8/upper_macvlan2 -> ../../../../virtual/net/macvlan2

b. 如果子接口和父接口不在同一個(gè)namespace，比如將子接口放在其他namespace，方法a就不生效了。可查看網(wǎng)卡名字@后面的數(shù)字，比如下面的macvlan1@if3和macvlan2@if3，@后面的if3，表示對(duì)應(yīng)root namespace的網(wǎng)卡索引，即ens8的索引號(hào)。

root@node2:~# ip netns exec test1 ip a

...

8308: macvlan1@if3: mtu 1500 qdisc noqueue state UP group default qlen 1000

link/ether ce:dc:2c:c2:e3:ca brd ff:ff:ff:ff:ff:ff link-netnsid 0

inet 1.1.1.3/24 scope global macvlan1

valid_lft forever preferred_lft forever

inet6 fe80::ccdc:2cff:fec2:e3ca/64 scope link

valid_lft forever preferred_lft forever

root@node2:~# ip netns exec test2 ip a

...

8309: macvlan2@if3: mtu 1500 qdisc noqueue state UP group default qlen 1000

link/ether 22:c1:18:2a:68:25 brd ff:ff:ff:ff:ff:ff link-netnsid 0

inet 1.1.1.4/24 scope global macvlan2

valid_lft forever preferred_lft forever

inet6 fe80::20c1:18ff:fe2a:6825/64 scope link

valid_lft forever preferred_lft forever

root@node2:~# ip a

...

3: ens8: mtu 1500 qdisc fq_codel state UP group default qlen 1000

link/ether 52:54:00:55:4e:f8 brd ff:ff:ff:ff:ff:ff

inet 1.1.1.2/24 scope global ens8

valid_lft forever preferred_lft forever

inet6 fe80::5054:ff:fe55:4ef8/64 scope link

valid_lft forever preferred_lft forever

c. 不論父子接口是否在同一個(gè)ns，都可以通過(guò)查看父接口的fdb表得知，一般會(huì)把macvlan子接口的mac地址添加到父接口中

root@node2:~# bridge fdb show dev ens8

ce:dc:2c:c2:e3:ca self permanent --->macvlan1的mac

22:c1:18:2a:68:25 self permanent --->macvlan2的mac

33:33:00:00:00:01 self permanent

01:00:5e:00:00:01 self permanent

33:33:ff:55:4e:f8 self permanent

33:33:ff:c2:e3:ca self permanent

33:33:ff:2a:68:25 self permanent

關(guān)于 nopromisc

#nopromisc 沒(méi)有此標(biāo)志時(shí)，父接口 ens8 會(huì)默認(rèn)使能混雜模式(promiscuity 為1)

ip link add link ens8 dev macvlan1 type macvlan mode passthru

ip link set dev macvlan1 up

root@node2:~# ip -d link

1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000

link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0 addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535

2: ens3: mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000

link/ether 52:54:00:bd:2b:7d brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 60 maxmtu 4096 addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535

3: ens8: mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000

link/ether 52:54:00:55:4e:f8 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 60 maxmtu 4096 addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535

25: macvlan1@ens8: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000

link/ether 52:54:00:55:4e:f8 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 4096

macvlan mode passthru addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535

#nopromisc 加上此標(biāo)志后，父接口 ens8 就不會(huì)使能混雜模式(promiscuity 為0)

ip link add link ens8 dev macvlan1 type macvlan mode passthru nopromisc

ip link set dev macvlan1 up

root@node2:~# ip -d link

1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000

link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0 addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535

2: ens3: mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000

link/ether 52:54:00:bd:2b:7d brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 60 maxmtu 4096 addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535

3: ens8: mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000

link/ether 52:54:00:55:4e:f8 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 60 maxmtu 4096 addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535

26: macvlan1@ens8: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000

link/ether 52:54:00:55:4e:f8 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 4096

macvlan mode passthru nopromisc addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535

實(shí)踐

在host上創(chuàng)建VM，此VM有兩個(gè)網(wǎng)卡ens3和ens8，網(wǎng)卡在host上分別對(duì)應(yīng)vnet0和vnet1，vnet0添加在默認(rèn)網(wǎng)橋virbr0，vnet1添加在新建網(wǎng)橋br1上。下面創(chuàng)建macvlan子接口和namespace的操作都在VM內(nèi)部完全。

a. bridge

//設(shè)置父接口ip

ip link set dev ens8 up

ip address add dev ens8 1.1.1.2/24

//創(chuàng)建兩個(gè)macvlan子接口，模式為bridge

ip link add link ens8 dev macvlan1 type macvlan mode bridge

ip link add link ens8 dev macvlan2 type macvlan mode bridge

//創(chuàng)建兩個(gè)namespace

ip netns add test1

ip netns add test2

//將兩個(gè)macvlan子接口分別放在namespace中

ip link set dev macvlan1 netns test1

ip link set dev macvlan2 netns test2

//在namespace中分別配置兩個(gè)子接口ip

ip netns exec test1 ip link set dev lo up

ip netns exec test1 ip link set dev macvlan1 up

ip netns exec test1 ip address add dev macvlan1 1.1.1.3/24

ip netns exec test2 ip link set dev lo up

ip netns exec test2 ip link set dev macvlan2 up

ip netns exec test2 ip address add dev macvlan2 1.1.1.4/24

root@node2:~# ip netns exec test1 ip a

1: lo: mtu 65536 qdisc noop state UP group default qlen 1000

link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

92: macvlan1@if3: mtu 1500 qdisc noqueue state UP group default qlen 1000

link/ether ae:f3:a6:e4:72:5f brd ff:ff:ff:ff:ff:ff link-netnsid 0

inet 1.1.1.3/24 scope global macvlan1

valid_lft forever preferred_lft forever

inet6 fe80::acf3:a6ff:fee4:725f/64 scope link

valid_lft forever preferred_lft forever

root@node2:~# ip netns exec test2 ip a

1: lo: mtu 65536 qdisc noop state UP group default qlen 1000

link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

93: macvlan2@if3: mtu 1500 qdisc noqueue state UP group default qlen 1000

link/ether ba:11:1e:65:b6:89 brd ff:ff:ff:ff:ff:ff link-netnsid 0

inet 1.1.1.4/24 scope global macvlan2

valid_lft forever preferred_lft forever

inet6 fe80::b811:1eff:fe65:b689/64 scope link

valid_lft forever preferred_lft forever

#ping 父接口 不通

root@node2:~# ip netns exec test2 ping 1.1.1.2

PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.

^C

--- 1.1.1.2 ping statistics ---

1 packets transmitted, 0 received, 100% packet loss, time 0ms

#test1 ping test2 可以通

root@node2:~# ip netns exec test2 ping 1.1.1.3

PING 1.1.1.3 (1.1.1.3) 56(84) bytes of data.

64 bytes from 1.1.1.3: icmp_seq=1 ttl=64 time=0.450 ms

^C

--- 1.1.1.3 ping statistics ---

1 packets transmitted, 1 received, 0% packet loss, time 0ms

rtt min/avg/max/mdev = 0.450/0.450/0.450/0.000 ms

b. private

//設(shè)置父接口ip

ip link set dev ens8 up

ip address add dev ens8 1.1.1.2/24

//創(chuàng)建兩個(gè)macvlan子接口，模式為private

ip link add link ens8 dev macvlan1 type macvlan mode private

ip link add link ens8 dev macvlan2 type macvlan mode private

//創(chuàng)建兩個(gè)namespace

ip netns add test1

ip netns add test2

//將兩個(gè)macvlan子接口分別放在namespace中

ip link set dev macvlan1 netns test1

ip link set dev macvlan2 netns test2

//在namespace中分別配置兩個(gè)子接口ip

ip netns exec test1 ip link set dev lo up

ip netns exec test1 ip link set dev macvlan1 up

ip netns exec test1 ip address add dev macvlan1 1.1.1.3/24

ip netns exec test2 ip link set dev lo up

ip netns exec test2 ip link set dev macvlan2 up

ip netns exec test2 ip address add dev macvlan2 1.1.1.4/24

#ping 主接口不通

root@node2:~# ip netns exec test2 ping 1.1.1.2

PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.

^C

--- 1.1.1.2 ping statistics ---

1 packets transmitted, 0 received, 100% packet loss, time 0ms

#test2 ping test1 不通

root@node2:~# ip netns exec test2 ping 1.1.1.3

PING 1.1.1.3 (1.1.1.3) 56(84) bytes of data.

^C

--- 1.1.1.3 ping statistics ---

2 packets transmitted, 0 received, 100% packet loss, time 1001ms

vepa

//設(shè)置父接口ip

ip link set dev ens8 up

ip address add dev ens8 1.1.1.2/24

//創(chuàng)建兩個(gè)macvlan子接口，模式為vepa

ip link add link ens8 dev macvlan1 type macvlan mode vepa

ip link add link ens8 dev macvlan2 type macvlan mode vepa

//創(chuàng)建兩個(gè)namespace

ip netns add test1

ip netns add test2

//將兩個(gè)macvlan子接口分別放在namespace中

ip link set dev macvlan1 netns test1

ip link set dev macvlan2 netns test2

//在namespace中分別配置兩個(gè)子接口ip

ip netns exec test1 ip link set dev lo up

ip netns exec test1 ip link set dev macvlan1 up

ip netns exec test1 ip address add dev macvlan1 1.1.1.3/24

ip netns exec test2 ip link set dev lo up

ip netns exec test2 ip link set dev macvlan2 up

ip netns exec test2 ip address add dev macvlan2 1.1.1.4/24

#ping 父接口不通

root@node2:~# ip netns exec test2 ping 1.1.1.2

PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.

^C

--- 1.1.1.2 ping statistics ---

1 packets transmitted, 0 received, 100% packet loss, time 0ms

#test2 ping test1 不通

root@node2:~# ip netns exec test2 ping 1.1.1.3

PING 1.1.1.3 (1.1.1.3) 56(84) bytes of data.

^C

--- 1.1.1.3 ping statistics ---

1 packets transmitted, 0 received, 100% packet loss, time 0ms

passthru

//設(shè)置父接口ip

ip link set dev ens8 up

ip address add dev ens8 1.1.1.2/24

ip link add link ens8 dev macvlan1 type macvlan mode passthru

#只能添加一個(gè)passthru模式的子接口，再次添加報(bào)錯(cuò)(添加其他模式也不行)

ip link add link ens8 dev macvlan2 type macvlan mode passthru

RTNETLINK answers: File exists

ip netns add test1

ip link set dev macvlan1 netns test1

ip netns exec test1 ip link set dev lo up

ip netns exec test1 ip link set dev macvlan1 up

ip netns exec test1 ip address add dev macvlan1 1.1.1.3/24

#ping 父接口不通

root@node2:~# ip netns exec test1 ping 1.1.1.2

PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.

^C

--- 1.1.1.2 ping statistics ---

1 packets transmitted, 0 received, 100% packet loss, time 0ms

source

//br1在host上，VM內(nèi)部的網(wǎng)卡ens8在host上對(duì)應(yīng)的vnet1加在網(wǎng)橋br1上。

//給br1配置ip 1.1.1.9

root@ubuntu:~# ip address show dev br1

25: br1: mtu 1500 qdisc noqueue state UP group default qlen 1000

link/ether 5e:88:02:89:d5:51 brd ff:ff:ff:ff:ff:ff

inet 1.1.1.9/24 brd 1.1.1.255 scope global br1

valid_lft forever preferred_lft forever

inet6 fe80::5c88:2ff:fe89:d551/64 scope link

valid_lft forever preferred_lft forever

root@ubuntu:~# brctl show

bridge name bridge id STP enabled interfaces

br1 8000.5e880289d550 no vnet1 ---> vnet1對(duì)應(yīng)VM內(nèi)部ens8

//vm內(nèi)部執(zhí)行下面幾條命令

//創(chuàng)建macvlan1接口，模式為source，指定mac地址為br1的mac地址

ip link add link ens8 dev macvlan1 type macvlan mode source macaddr add 5e:88:02:89:d5:50

ip link set dev macvlan1 up

ip address add dev macvlan1 1.1.1.4/24

//vm內(nèi)部ping br1是可以通的

root@node2:~# ping 1.1.1.9

PING 1.1.1.9 (1.1.1.9) 56(84) bytes of data.

64 bytes from 1.1.1.9: icmp_seq=1 ttl=64 time=1.45 ms

64 bytes from 1.1.1.9: icmp_seq=2 ttl=64 time=0.300 ms

64 bytes from 1.1.1.9: icmp_seq=3 ttl=64 time=0.339 ms

^C

--- 1.1.1.9 ping statistics ---

3 packets transmitted, 3 received, 0% packet loss, time 2005ms

rtt min/avg/max/mdev = 0.300/0.696/1.450/0.533 ms

//在host修改br1的mac地址

root@ubuntu:~# ip link set dev br1 address 5e:88:02:89:d5:51

//在vm內(nèi)部再次ping就不通了

root@node2:~# ping 1.1.1.9

PING 1.1.1.9 (1.1.1.9) 56(84) bytes of data.

^C

--- 1.1.1.9 ping statistics ---

2 packets transmitted, 0 received, 100% packet loss, time 1028ms

參考

總結(jié)

以上是生活随笔為你收集整理的linux修改vlan子接口mac地址,macvlan虚拟接口的全部?jī)?nèi)容，希望文章能夠幫你解決所遇到的問(wèn)題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。