Convergent Gateways in Da Place

some kind of a FUCK Software Defined Network project

IMAGE HERE

description

in a nutshell - consider two bridges connected to each other, and two groups of clients, some connected to bridge1 and some to bridge2. the bridges also act as outbound gateways and both carry the same internal address, 10.1.1.254 (deliberately duplicated). blocking the ARP replies one bridge would send to the other lets every client use the closest gateway, while all clients can still talk to each other, including those connected to the other bridge.

this PoC uses only two systems/bridges but the concept can be extended to a larger cluster.

warning // lessons learned

setup

gns3 + two debian dom0s + booting xen + bridges

static name resolution is always a good thing to have

vi /etc/hosts

# communicate through the front door
# as we are filtering the back door
192.168.122.11  bookworm-1
192.168.122.12  bookworm-2

poc1 with VPCS

vi /etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual

auto eth1
iface eth1 inet manual

auto eth2
iface eth2 inet manual

auto xenbr0
iface xenbr0 inet static
        bridge_ports eth0
        bridge_hw eth0
        # node1
        address 192.168.122.11/24
        # node2
        #address 192.168.122.12/24
        gateway 192.168.122.1

auto guestbr0
iface guestbr0 inet static
        bridge_ports eth1 eth2
        bridge_hw eth1
        # duplicate on both nodes
        address 10.1.1.254/24

prevent the guest bridge from sending its own ARP replies to the other guest bridges

vi /etc/nftables.conf

flush ruleset

table ip nat {
        chain postrouting {
                type nat hook postrouting priority srcnat;

                # node1
                ip saddr 10.1.1.0/24 oif xenbr0 snat to 192.168.122.11;

                # node2
                #ip saddr 10.1.1.0/24 oif xenbr0 snat to 192.168.122.12;
        }
}

table netdev filter {
        chain egress {
                # eth1 is the inter-node link; eth2 (towards the clients) is left untouched
                type filter hook egress device eth1 priority -500; policy accept;

                # drop any ARP frame whose sender hardware address is this bridge's own MAC
                # (matches the bridge's ARP requests as well as its replies)
                # node1
                arp saddr ether 0a:00:00:00:00:01 drop

                # node2
                #arp saddr ether 0e:00:00:00:00:01 drop
        }
}

acceptance

sniff the link between node1 and VPCS1 – ARP replies for 10.1.1.254 should come only from 0a:00:00:00:00:01

even better, now sniff the link between node1 and node2 – no ARP reply for 10.1.1.254 should cross it from either bridge

also vpcs1 should be able to ping vpcs2
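the three acceptance checks above, written out as a small parser over raw Ethernet/ARP frames so the same verdict can be produced from a capture rather than by eyeballing tcpdump. this is an added example, not code from the page; the gateway IP and the two bridge MACs are the page's, the VPCS MACs and client addresses are constructed.

```python
import struct

# Values from the page: the gateway IP duplicated on both nodes and the two bridge MACs.
GATEWAY_IP = "10.1.1.254"
NODE1_MAC = "0a:00:00:00:00:01"
NODE2_MAC = "0e:00:00:00:00:01"
ETH_P_ARP, ARP_REPLY = 0x0806, 2

def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def parse_arp_reply(frame):
    """Return (sender_mac, sender_ip) for an Ethernet/IPv4 ARP reply, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None  # requests and non-IPv4 ARP are not what the acceptance test is about
    return mac_str(frame[22:28]), ip_str(frame[28:32])

def gateway_reply_macs(frames):
    """MACs that answered for GATEWAY_IP in the ARP replies captured on one link."""
    replies = filter(None, map(parse_arp_reply, frames))
    return {mac for mac, ip in replies if ip == GATEWAY_IP}

def check_link(frames, allowed_macs):
    """Acceptance: every ARP reply for the gateway IP on this link came from an allowed MAC."""
    return gateway_reply_macs(frames) <= set(allowed_macs)

def build_arp_reply(sha, spa, tha, tpa):
    """Construct a raw Ethernet + ARP reply frame (sample input, not captured traffic)."""
    eth = mac_bytes(tha) + mac_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    return eth + arp + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)

# Constructed captures. The VPCS MACs and client IPs below are made up for the example.
VPCS1, VPCS2 = "00:50:79:66:68:01", "00:50:79:66:68:02"
VPCS1_LINK = [  # node1 <-> vpcs1: node1 answers for the gateway, vpcs2 answers for itself
    build_arp_reply(NODE1_MAC, GATEWAY_IP, VPCS1, "10.1.1.1"),
    build_arp_reply(VPCS2, "10.1.1.2", VPCS1, "10.1.1.1"),
]
LEAKED_LINK = [build_arp_reply(NODE2_MAC, GATEWAY_IP, VPCS1, "10.1.1.1")]  # node1 <-> node2, no filter: node2's reply crosses
FILTERED_LINK = [build_arp_reply(VPCS2, "10.1.1.2", VPCS1, "10.1.1.1")]  # node1 <-> node2 with the filter: client ARP only

if __name__ == "__main__":
    print("vpcs1 link ok:", check_link(VPCS1_LINK, {NODE1_MAC}))
    print("node link ok (unfiltered):", check_link(LEAKED_LINK, set()), gateway_reply_macs(LEAKED_LINK))
    print("node link ok (filtered):", check_link(FILTERED_LINK, set()))
```

a reply for the gateway IP from the other node's MAC on the inter-node link is exactly the leak the egress rule exists to stop; seeing one means the clients on that side would flap between two gateways.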

resources

https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families

https://netfilter.org/projects/nftables/manpage.html

Copyright © 2024 Pierre-Philipp Braun