Yannick MOLINET <yannick adn-systemes fr> writes:
> In some cases, I use iptables rules based on device... Using
> label. Multiple IP don't work in this case.
Do labels work in this case?
I tried this:
# ifconfig wlan0:0 192.168.2.77/24
# ifconfig wlan0:1 192.168.2.78/24
# iptables -A INPUT -i wlan0:0 -j LOG
# iptables -A INPUT -i wlan0:1 -j LOG
# iptables -A INPUT -i wlan0 -d 192.168.2.77 -j LOG
# iptables -A INPUT -i wlan0 -d 192.168.2.78 -j LOG
ending up with:
# ip addr show dev wlan0
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 44:85:00:11:26:e6 brd ff:ff:ff:ff:ff:ff
inet 148.122.252.4/29 brd 148.122.252.7 scope global dynamic noprefixroute wlan0
valid_lft 426130sec preferred_lft 426130sec
inet 192.168.2.77/24 brd 192.168.2.255 scope global wlan0:0
valid_lft forever preferred_lft forever
inet 192.168.2.78/24 brd 192.168.2.255 scope global secondary wlan0:1
valid_lft forever preferred_lft forever
inet6 2001:4641:0:2:7627:374e:db74:e353/64 scope global dynamic noprefixroute
valid_lft 86356sec preferred_lft 14356sec
inet6 fe80::b0c3:cd67:ca54:e36f/64 scope link noprefixroute
valid_lft forever preferred_lft forever
or if you prefer:
# ifconfig wlan0:0
wlan0:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.2.77 netmask 255.255.255.0 broadcast 192.168.2.255
ether 44:85:00:11:26:e6 txqueuelen 1000 (Ethernet)
# ifconfig wlan0:1
wlan0:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.2.78 netmask 255.255.255.0 broadcast 192.168.2.255
ether 44:85:00:11:26:e6 txqueuelen 1000 (Ethernet)
And 4 LOG rules:
# iptables -nvL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2705 218K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 match-set f2b-sshd src reject-with icmp-port-unreachable
0 0 LOG all -- wlan0:0 * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
0 0 LOG all -- wlan0:1 * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
0 0 LOG all -- wlan0 * 0.0.0.0/0 192.168.2.77 LOG flags 0 level 4
0 0 LOG all -- wlan0 * 0.0.0.0/0 192.168.2.78 LOG flags 0 level 4
I'd now expect packets arriving at 192.168.2.77 or 192.168.2.78 to be
counted in two rules each. But pinging 192.168.2.77 from the other
end results in:
root@miraculix:/tmp# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2705 218K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 match-set f2b-sshd src reject-with icmp-port-unreachable
0 0 LOG all -- wlan0:0 * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
0 0 LOG all -- wlan0:1 * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
4 336 LOG all -- wlan0 * 0.0.0.0/0 192.168.2.77 LOG flags 0 level 4
0 0 LOG all -- wlan0 * 0.0.0.0/0 192.168.2.78 LOG flags 0 level 4
Nothing ever matches the aliases. I could be wrong, but I don't think
iptables will consider labels. It matches on netdev only. Or did I do
something wrong here?
Bjørn
> Sent from my mobile.
> ________________________________
> From: Thomas Haller <thaller redhat com>
> Sent: Saturday 21 September 2019 16:40
> To: Yannick MOLINET; networkmanager-list gnome org
> Subject: Re: Network Alias
>
> On Mon, 2019-09-16 at 06:04 +0000, Yannick MOLINET wrote:
>> Hi all,
>>
>> I'm searching how to add a network alias (and not a secondary IP) on
>> a network interface, like eth0:0 or ens3:1 or dummy0:4, with Network
>> Manager (nmcli).
>
> Hi,
>
>
> These "aliases" are implemented by the kernel by attaching a "label" to the address (IFA_LABEL).
> This is what you see in the deprecated `ifconfig` command line tool. But beyond that, the label is
> not really useful (is it?) and only partly supported by NetworkManager. But multiple IP addresses work,
> of course.
>
> Why do you need the label? Just configure multiple IP addresses:
>
> $ nmcli connection modify "$PROFILE" ipv4.addresses "192.168.5.100/24,192.168.6.100/24"
> $ nmcli connection modify "$PROFILE" +ipv4.addresses "192.168.7.100/24"
>
>
> Note that the ifcfg-rh settings plugin of NetworkManager supports the
> label, but the keyfile plugin does not. That's
> a severe limitation, to the point where it's not useful. Also, nmcli
> does not support the label...
>
>
>
> best,
> Thomas
> _______________________________________________
> networkmanager-list mailing list
> networkmanager-list gnome org
>
> https://mail.gnome.org/mailman/listinfo/networkmanager-list
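The test above shows the practical consequence of labels being an address attribute rather than a netdev: an iptables rule written as `-i wlan0:0` never matches anything, so a firewall built that way silently has dead rules. The script below is an added example, not code from the thread or from NetworkManager; it parses `ip addr show` output to recover the label-to-address mapping, then scans rules in `iptables-save` format (an assumed input format, not the `-nvL` listing shown above) for `-i`/`-o` options carrying an alias label and proposes the equivalent match on the real netdev plus the labelled address. The sample inputs are constructed from the thread's own addresses.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input, modelled on the `ip addr show dev wlan0` output above.
IP_ADDR_SHOW = """\
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 44:85:00:11:26:e6 brd ff:ff:ff:ff:ff:ff
    inet 148.122.252.4/29 brd 148.122.252.7 scope global dynamic noprefixroute wlan0
       valid_lft 426130sec preferred_lft 426130sec
    inet 192.168.2.77/24 brd 192.168.2.255 scope global wlan0:0
       valid_lft forever preferred_lft forever
    inet 192.168.2.78/24 brd 192.168.2.255 scope global secondary wlan0:1
       valid_lft forever preferred_lft forever
    inet6 fe80::b0c3:cd67:ca54:e36f/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
"""

# Constructed sample rules in iptables-save syntax (assumed input format).
IPTABLES_SAVE = """\
-A INPUT -i wlan0:0 -j LOG
-A INPUT -i wlan0:1 -j LOG
-A INPUT -i wlan0 -d 192.168.2.77/32 -j LOG
-A OUTPUT -o wlan0:1 -p tcp --dport 22 -j ACCEPT
-A INPUT -i wlan0:9 -j DROP
"""

# An `inet` line ends with the IFA_LABEL (the bare netdev name when no alias is set).
INET_RE = re.compile(r"^\s*inet\s+(\S+)\s.*\s(\S+)\s*$")
# -i/-o whose argument contains a colon is an ifconfig-style alias, not a netdev.
IFACE_OPT_RE = re.compile(r"(?:^|\s)(-i|--in-interface|-o|--out-interface)\s+(\S+:\S+)(?=\s|$)")


def parse_address_labels(ip_addr_output: str) -> Dict[str, List[str]]:
    """Map each IPv4 address label (e.g. 'wlan0:0') to the addresses carrying it."""
    labels: Dict[str, List[str]] = {}
    for line in ip_addr_output.splitlines():
        m = INET_RE.match(line)
        if not m:
            continue
        cidr, label = m.group(1), m.group(2)
        labels.setdefault(label, []).append(cidr.split("/")[0])
    return labels


def rewrite_alias_rules(rules: str, labels: Dict[str, List[str]]) -> List[Tuple[str, List[str]]]:
    """Return (dead_rule, equivalent_rules) for every rule that matches on an alias label.

    Ingress rules (-i) see the labelled address as the destination, egress rules (-o)
    as the source. An empty replacement list means the label has no address at all.
    """
    findings: List[Tuple[str, List[str]]] = []
    for rule in rules.splitlines():
        m = IFACE_OPT_RE.search(rule)
        if not m:
            continue
        opt, alias = m.group(1), m.group(2)
        netdev = alias.split(":", 1)[0]
        addr_opt = "-d" if opt in ("-i", "--in-interface") else "-s"
        equivalents = [
            rule.replace(f"{opt} {alias}", f"{opt} {netdev} {addr_opt} {addr}/32", 1)
            for addr in labels.get(alias, [])
        ]
        findings.append((rule, equivalents))
    return findings


def report(findings: List[Tuple[str, List[str]]]) -> str:
    lines = []
    for dead, fixes in findings:
        lines.append(f"never matches: {dead}")
        if fixes:
            lines.extend(f"  use instead:  {fix}" for fix in fixes)
        else:
            lines.append("  (label has no address; rule is unreachable)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(rewrite_alias_rules(IPTABLES_SAVE, parse_address_labels(IP_ADDR_SHOW))))
```

On a live host the two inputs would come from `ip -4 addr show` and `iptables-save`; the checker is read-only and only proposes rules, so it is safe to run as a periodic audit of firewalls migrated from ifconfig-era configurations.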