We have a setup in which a program on one Linux server controls subordinate Linux machines (talking to them over TCP and UDP).
There are several groups of subordinates. Each group is connected over Ethernet to a separate network interface card on the server.
Keeping the groups separated is very important.
Subordinates may go missing (they break) and should be hot-swappable (a broken one is replaced with a new one, and the server should see it within a minute).
Usually we have only a few subordinates (1-5).
What is the best practice for doing this kind of discovery?
My first attempt was simply to ping and filter the results:
ping6 ff02::1%wlp3s0
But only the server itself is answering. Strangely, it works from my Android tablet, and Wireshark also sees the ping replies from the other devices, but nothing shows up in the ping output. I can ping them by unicast. (I tested this on my Mint laptop, but if it doesn't work on the test machine, why would it be reliable on the Ubuntu server? Can I rely on the NIC driver? Sometimes I have wifi problems.)
I also tried sending a multicast UDP packet (is that even possible?), but that was unsuccessful even locally:
// terminal a:
$ nc -6luv 10000
Listening on [:::] (family 10, port 10000)

// terminal b:
$ echo "blah" | nc -6uv "ff01::1%wlp3s0" 10000
nc: getaddrinfo: Name or service not known
$ echo "blah" | nc -6uv -q1 "ff02::1%wlp3s0" 10000
Connection to ff02::1%wlp3s0 10000 port [udp/*] succeeded!
// nothing on terminal a
Any other ideas?
Someone in the comments said it might be the ip6tables rules. I haven't changed the default Linux Mint rules; the ip6tables output is below. It is rather long and I have no experience reading it. Any help?
Chain INPUT (policy DROP)
target                     prot       opt source      destination
ufw6-before-logging-input  all            anywhere    anywhere
ufw6-before-input          all            anywhere    anywhere
ufw6-after-input           all            anywhere    anywhere
ufw6-after-logging-input   all            anywhere    anywhere
ufw6-reject-input          all            anywhere    anywhere
ufw6-track-input           all            anywhere    anywhere

Chain FORWARD (policy DROP)
target                       prot       opt source      destination
ufw6-before-logging-forward  all            anywhere    anywhere
ufw6-before-forward          all            anywhere    anywhere
ufw6-after-forward           all            anywhere    anywhere
ufw6-after-logging-forward   all            anywhere    anywhere
ufw6-reject-forward          all            anywhere    anywhere
ufw6-track-forward           all            anywhere    anywhere

Chain OUTPUT (policy ACCEPT)
target                      prot       opt source      destination
ufw6-before-logging-output  all            anywhere    anywhere
ufw6-before-output          all            anywhere    anywhere
ufw6-after-output           all            anywhere    anywhere
ufw6-after-logging-output   all            anywhere    anywhere
ufw6-reject-output          all            anywhere    anywhere
ufw6-track-output           all            anywhere    anywhere

Chain ufw6-after-forward (1 references)
target                     prot       opt source      destination

Chain ufw6-after-input (1 references)
target                     prot       opt source      destination
ufw6-skip-to-policy-input  udp            anywhere    anywhere      udp dpt:netbios-ns
ufw6-skip-to-policy-input  udp            anywhere    anywhere      udp dpt:netbios-dgm
ufw6-skip-to-policy-input  tcp            anywhere    anywhere      tcp dpt:netbios-ssn
ufw6-skip-to-policy-input  tcp            anywhere    anywhere      tcp dpt:microsoft-ds
ufw6-skip-to-policy-input  udp            anywhere    anywhere      udp dpt:dhcpv6-client
ufw6-skip-to-policy-input  udp            anywhere    anywhere      udp dpt:dhcpv6-server

Chain ufw6-after-logging-forward (1 references)
target                     prot       opt source      destination
LOG                        all            anywhere    anywhere      limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw6-after-logging-input (1 references)
target                     prot       opt source      destination
LOG                        all            anywhere    anywhere      limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw6-after-logging-output (1 references)
target                     prot       opt source      destination

Chain ufw6-after-output (1 references)
target                     prot       opt source      destination

Chain ufw6-before-forward (1 references)
target                     prot       opt source      destination
DROP                       all            anywhere    anywhere      rt type:0
ACCEPT                     all            anywhere    anywhere      ctstate RELATED,ESTABLISHED
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmp destination-unreachable
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmp packet-too-big
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmp time-exceeded
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmp parameter-problem
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmp echo-request
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmp echo-reply
ufw6-user-forward          all            anywhere    anywhere

Chain ufw6-before-input (1 references)
target                     prot       opt source      destination
ACCEPT                     all            anywhere    anywhere
DROP                       all            anywhere    anywhere      rt type:0
ACCEPT                     all            anywhere    anywhere      ctstate RELATED,ESTABLISHED
ufw6-logging-deny          all            anywhere    anywhere      ctstate INVALID
DROP                       all            anywhere    anywhere      ctstate INVALID
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmp destination-unreachable
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmp packet-too-big
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmp time-exceeded
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmp parameter-problem
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmp echo-request
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmp echo-reply
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmp router-solicitation HL match HL == 255
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmp router-advertisement HL match HL == 255
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmp neighbour-solicitation HL match HL == 255
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmp neighbour-advertisement HL match HL == 255
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmptype 141 HL match HL == 255
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmptype 142 HL match HL == 255
ACCEPT                     ipv6-icmp      fe80::/10   anywhere      ipv6-icmptype 130
ACCEPT                     ipv6-icmp      fe80::/10   anywhere      ipv6-icmptype 131
ACCEPT                     ipv6-icmp      fe80::/10   anywhere      ipv6-icmptype 132
ACCEPT                     ipv6-icmp      fe80::/10   anywhere      ipv6-icmptype 143
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmptype 148 HL match HL == 255
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmptype 149 HL match HL == 255
ACCEPT                     ipv6-icmp      fe80::/10   anywhere      ipv6-icmptype 151 HL match HL == 1
ACCEPT                     ipv6-icmp      fe80::/10   anywhere      ipv6-icmptype 152 HL match HL == 1
ACCEPT                     ipv6-icmp      fe80::/10   anywhere      ipv6-icmptype 153 HL match HL == 1
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmp echo-request
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmp echo-reply
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmptype 144
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmptype 145
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmptype 146
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmptype 147
ACCEPT                     udp            fe80::/10   fe80::/10     udp spt:dhcpv6-server dpt:dhcpv6-client
ACCEPT                     udp            anywhere    ff02::fb      udp dpt:mdns
ACCEPT                     udp            anywhere    ff02::f       udp dpt:1900
ufw6-user-input            all            anywhere    anywhere

Chain ufw6-before-logging-forward (1 references)
target                     prot       opt source      destination

Chain ufw6-before-logging-input (1 references)
target                     prot       opt source      destination

Chain ufw6-before-logging-output (1 references)
target                     prot       opt source      destination

Chain ufw6-before-output (1 references)
target                     prot       opt source      destination
ACCEPT                     all            anywhere    anywhere
DROP                       all            anywhere    anywhere      rt type:0
ACCEPT                     all            anywhere    anywhere      ctstate RELATED,ESTABLISHED
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmp destination-unreachable
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmp packet-too-big
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmp time-exceeded
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmp parameter-problem
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmp router-solicitation HL match HL == 255
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmp neighbour-advertisement HL match HL == 255
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmp neighbour-solicitation HL match HL == 255
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmp router-advertisement HL match HL == 255
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmptype 141 HL match HL == 255
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmptype 142 HL match HL == 255
ACCEPT                     ipv6-icmp      fe80::/10   anywhere      ipv6-icmptype 130
ACCEPT                     ipv6-icmp      fe80::/10   anywhere      ipv6-icmptype 131
ACCEPT                     ipv6-icmp      fe80::/10   anywhere      ipv6-icmptype 132
ACCEPT                     ipv6-icmp      fe80::/10   anywhere      ipv6-icmptype 143
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmptype 148 HL match HL == 255
ACCEPT                     ipv6-icmp      anywhere    anywhere      ipv6-icmptype 149 HL match HL == 255
ACCEPT                     ipv6-icmp      fe80::/10   anywhere      ipv6-icmptype 151 HL match HL == 1
ACCEPT                     ipv6-icmp      fe80::/10   anywhere      ipv6-icmptype 152 HL match HL == 1
ACCEPT                     ipv6-icmp      fe80::/10   anywhere      ipv6-icmptype 153 HL match HL == 1
ufw6-user-output           all            anywhere    anywhere

Chain ufw6-logging-allow (0 references)
target                     prot       opt source      destination
LOG                        all            anywhere    anywhere      limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw6-logging-deny (1 references)
target                     prot       opt source      destination
RETURN                     all            anywhere    anywhere      ctstate INVALID limit: avg 3/min burst 10
LOG                        all            anywhere    anywhere      limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw6-reject-forward (1 references)
target                     prot       opt source      destination

Chain ufw6-reject-input (1 references)
target                     prot       opt source      destination

Chain ufw6-reject-output (1 references)
target                     prot       opt source      destination

Chain ufw6-skip-to-policy-forward (0 references)
target                     prot       opt source      destination
DROP                       all            anywhere    anywhere

Chain ufw6-skip-to-policy-input (6 references)
target                     prot       opt source      destination
DROP                       all            anywhere    anywhere

Chain ufw6-skip-to-policy-output (0 references)
target                     prot       opt source      destination
ACCEPT                     all            anywhere    anywhere

Chain ufw6-track-forward (1 references)
target                     prot       opt source      destination

Chain ufw6-track-input (1 references)
target                     prot       opt source      destination

Chain ufw6-track-output (1 references)
target                     prot       opt source      destination
ACCEPT                     tcp            anywhere    anywhere      ctstate NEW
ACCEPT                     udp            anywhere    anywhere      ctstate NEW

Chain ufw6-user-forward (1 references)
target                     prot       opt source      destination

Chain ufw6-user-input (1 references)
target                     prot       opt source      destination
ACCEPT                     udp            anywhere    anywhere      multiport dports 1714:1764
ACCEPT                     tcp            anywhere    anywhere      multiport dports 1714:1764

Chain ufw6-user-limit (0 references)
target                     prot       opt source      destination
LOG                        all            anywhere    anywhere      limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT                     all            anywhere    anywhere      reject-with icmp6-port-unreachable

Chain ufw6-user-limit-accept (0 references)
target                     prot       opt source      destination
ACCEPT                     all            anywhere    anywhere

Chain ufw6-user-logging-forward (0 references)
target                     prot       opt source      destination

Chain ufw6-user-logging-input (0 references)
target                     prot       opt source      destination

Chain ufw6-user-logging-output (0 references)
target                     prot       opt source      destination

Chain ufw6-user-output (1 references)
target                     prot       opt source      destination
I tried disabling the ufw firewall with sudo ufw disable, and ping started working. I will report a bug against Ubuntu soon, but is ping a good approach?
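The ping-and-filter approach from the question, worked through as an added example (this is not code from the post): one sweep runs ping6 against ff02::1 on the given interface, parses the iputils output including the "(DUP!)" lines that a multicast ping prints for every responder after the first, subtracts the host's own link-local addresses (the server answers its own all-nodes echo, which is why it always shows up), and a diff of two sweeps gives the hot-swap bookkeeping. The interface name, the addresses and both sample outputs are constructed; the ping6 and ip output formats assumed are those of iputils and iproute2.

```python
"""Link-local IPv6 neighbour discovery by multicast ping (added example).

Assumptions not taken from the original post: the iputils ping6 output
format, in which every reply after the first for a given icmp_seq carries
a "(DUP!)" suffix when the target is a multicast address, and the
iproute2 "ip -6 -o addr" one-line output format.
"""
import re
import subprocess
import sys
from typing import Dict, Set, Tuple

# e.g. "64 bytes from fe80::1%eth0: icmp_seq=1 ttl=64 time=0.312 ms (DUP!)"
_REPLY = re.compile(
    r"^\d+ bytes from (?P<addr>[0-9a-fA-F:]+)(?:%\S+)?: icmp_seq=\d+ ttl=\d+ time="
)
# e.g. "2: eth0    inet6 fe80::a00:27ff:fe11:1111/64 scope link ..."
_INET6 = re.compile(r"\binet6 ([0-9a-fA-F:]+)/\d+")

# Constructed sample of a multicast sweep with three responders; the first
# of them is the pinging host itself, which always answers its own ff02::1.
SAMPLE_PING6_OUTPUT = """\
PING ff02::1%eth0(ff02::1%eth0) 56 data bytes
64 bytes from fe80::a00:27ff:fe11:1111%eth0: icmp_seq=1 ttl=64 time=0.050 ms
64 bytes from fe80::a00:27ff:fe22:2222%eth0: icmp_seq=1 ttl=64 time=0.412 ms (DUP!)
64 bytes from fe80::a00:27ff:fe33:3333%eth0: icmp_seq=1 ttl=64 time=0.420 ms (DUP!)
64 bytes from fe80::a00:27ff:fe11:1111%eth0: icmp_seq=2 ttl=64 time=0.048 ms
64 bytes from fe80::a00:27ff:fe22:2222%eth0: icmp_seq=2 ttl=64 time=0.399 ms (DUP!)

--- ff02::1%eth0 ping statistics ---
2 packets transmitted, 2 received, +3 duplicates, 0% packet loss, time 1001ms
"""
# Constructed sample of "ip -6 -o addr show dev eth0 scope link".
SAMPLE_IP_ADDR_OUTPUT = (
    "2: eth0    inet6 fe80::a00:27ff:fe11:1111/64 scope link \\"
    "       valid_lft forever preferred_lft forever\n"
)


def parse_ping6_replies(output: str) -> Dict[str, int]:
    """Map each replying address to the number of replies seen from it.

    The "(DUP!)" suffix is not noise here: with a multicast target it is
    exactly where the other hosts show up, so it must not be filtered out.
    """
    seen: Dict[str, int] = {}
    for line in output.splitlines():
        m = _REPLY.match(line.strip())
        if m:
            addr = m.group("addr").lower()
            seen[addr] = seen.get(addr, 0) + 1
    return seen


def parse_ip6_addrs(output: str) -> Set[str]:
    """Addresses from 'ip -6 -o addr show' output."""
    return {a.lower() for a in _INET6.findall(output)}


def own_link_local(ifname: str) -> Set[str]:
    out = subprocess.run(
        ["ip", "-6", "-o", "addr", "show", "dev", ifname, "scope", "link"],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_ip6_addrs(out)


def discover(ifname: str, count: int = 3, timeout: int = 2) -> Set[str]:
    """One sweep: ping ff02::1 on ifname and return the other responders."""
    # ping6 exits non-zero whenever it believes requests were lost, which is
    # routine for a multicast target, so the exit status is ignored.
    proc = subprocess.run(
        ["ping6", "-c", str(count), "-W", str(timeout), f"ff02::1%{ifname}"],
        capture_output=True, text=True,
    )
    return set(parse_ping6_replies(proc.stdout)) - own_link_local(ifname)


def diff_members(previous: Set[str], current: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Hot-swap bookkeeping between two sweeps: (newly seen, disappeared)."""
    return current - previous, previous - current


if __name__ == "__main__":
    # Usage: python3 discover.py wlp3s0
    members = discover(sys.argv[1])
    print("\n".join(sorted(members)) or "no other responders")
```

Run it once a minute per subordinate interface and feed consecutive results to diff_members; because each sweep is scoped to one interface via the %ifname zone, the groups stay separated at the discovery layer too. Note that this only reports hosts whose echo replies actually reach userspace: on the machine in the question the replies were visible to Wireshark but dropped before ping saw them, which this tool cannot distinguish from an absent host.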
I ran into a similar problem with the LEDE firewall. A link-local multicast ping (e.g. to ff02::1) got no answers, because the echo replies were being dropped by the output rule for ctstate INVALID. Unicast ping (link-local and ULA) worked fine.
I suspect the conntrack system is missing a trick here: because the destination of the (multicast) request differs from the source of the (unicast) reply, it does not consider them related, even though it should.
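The conntrack behaviour the answer describes, as an added example that is neither part of the answer nor netfilter code: a small model of conntrack's reply-tuple check for ICMPv6 echo, applied to the four rules from the question's ufw6-before-input listing that an inbound echo reply can hit, in their listed order. The addresses and echo identifier are constructed, and FIXED_CHAIN is a hypothetical reordering used only to show that rule order is what matters.

```python
"""Why the listed ufw6-before-input chain drops multicast echo replies.

Added example: a simplified model, not netfilter code.  Conntrack keys an
ICMPv6 echo flow on (src, dst, echo id).  A reply is ESTABLISHED only if
it matches the flow's reply tuple: addresses swapped, type 128 -> 129,
same id.  A reply that matches no tracked flow is INVALID.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ECHO_REQUEST, ECHO_REPLY = 128, 129


@dataclass(frozen=True)
class Icmp6:
    src: str
    dst: str
    type: int
    ident: int  # echo identifier


def reply_tuple(request: Icmp6) -> Icmp6:
    """The reply conntrack expects for a tracked echo request."""
    return Icmp6(src=request.dst, dst=request.src, type=ECHO_REPLY, ident=request.ident)


def ctstate(flows: List[Icmp6], pkt: Icmp6) -> str:
    """Simplified conntrack classification for echo traffic."""
    if pkt.type == ECHO_REQUEST:
        return "NEW"
    if pkt.type == ECHO_REPLY and any(reply_tuple(f) == pkt for f in flows):
        return "ESTABLISHED"
    return "INVALID"


# A rule is (description as listed, predicate over (ctstate, packet), target).
Rule = Tuple[str, Callable[[str, Icmp6], bool], str]


def ct(*states: str) -> Callable[[str, Icmp6], bool]:
    return lambda state, _pkt: state in states


def icmp_type(t: int) -> Callable[[str, Icmp6], bool]:
    return lambda _state, pkt: pkt.type == t


# The rules of ufw6-before-input from the question that an inbound echo
# reply can match, in their listed order.
UFW6_BEFORE_INPUT: List[Rule] = [
    ("ctstate RELATED,ESTABLISHED", ct("RELATED", "ESTABLISHED"), "ACCEPT"),
    ("ctstate INVALID", ct("INVALID"), "DROP"),
    ("icmpv6 echo-request", icmp_type(ECHO_REQUEST), "ACCEPT"),
    ("icmpv6 echo-reply", icmp_type(ECHO_REPLY), "ACCEPT"),
]

# Hypothetical fix: the same echo-reply ACCEPT, but placed ahead of the
# INVALID DROP so that a reply conntrack cannot pair with still gets in.
FIXED_CHAIN: List[Rule] = [UFW6_BEFORE_INPUT[3]] + UFW6_BEFORE_INPUT


def evaluate(chain: List[Rule], flows: List[Icmp6], pkt: Icmp6) -> Tuple[str, Optional[str]]:
    """Walk the chain; return (verdict, description of the matching rule).

    Falling off the end of ufw6-before-input continues into the later ufw
    chains and finally the INPUT policy, which is DROP in the listing.
    """
    state = ctstate(flows, pkt)
    for desc, matches, target in chain:
        if matches(state, pkt):
            return target, desc
    return "DROP", None


def unicast_ping_case() -> Tuple[str, Optional[str]]:
    """Request to a unicast neighbour: reply matches the flow's reply tuple."""
    request = Icmp6("fe80::1", "fe80::2", ECHO_REQUEST, 0x1234)  # constructed
    reply = Icmp6("fe80::2", "fe80::1", ECHO_REPLY, 0x1234)
    return evaluate(UFW6_BEFORE_INPUT, [request], reply)


def multicast_ping_case() -> Tuple[str, Optional[str]]:
    """The question's scenario: request to ff02::1, reply from fe80::2."""
    request = Icmp6("fe80::1", "ff02::1", ECHO_REQUEST, 0x1234)  # constructed
    reply = Icmp6("fe80::2", "fe80::1", ECHO_REPLY, 0x1234)
    return evaluate(UFW6_BEFORE_INPUT, [request], reply)


if __name__ == "__main__":
    print("unicast  :", unicast_ping_case())
    print("multicast:", multicast_ping_case())
```

The point the model makes visible is that the listing already contains an ACCEPT for echo-reply, but the INVALID DROP sits above it, so a reply whose source (fe80::2) is not the request's destination (ff02::1) never reaches that accept, while a unicast reply is ESTABLISHED and is taken by the first rule. The check on the live box is the packet counter of that INVALID DROP rule in `ip6tables -L ufw6-before-input -nv` climbing by one per missing reply while the multicast ping runs. If you decide to admit these replies rather than disabling ufw, the narrowest option is an ACCEPT for ICMPv6 echo-reply from fe80::/10 restricted to the subordinate interfaces, placed before the INVALID DROP in the chain; keeping the general INVALID filter for everything else preserves the protection it gives against unsolicited traffic on the other interfaces.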