https://www.jianshu.com/p/ffd9675f6f41
# ip link add name br0 type bridge
# ip link add name veth11 type veth peer veth12
# ip link set veth11 master br0
# ip addr add 192.168.0.1/24 dev br0
# ip link set veth11 up
# ip link set veth12 up
# ip link set br0 up
# ip netns add ns1
# ip netns add ns2
# ip netns add ns3
# ip netns exec ns1 ip link set lo up
# ip netns exec ns2 ip link set lo up
# ip netns exec ns3 ip link set lo up
# ip link add veth12.1 link veth12 type macvlan mode bridge
# ip link add veth12.2 link veth12 type macvlan mode bridge
# ip link set netns ns1 veth12.1
# ip link set netns ns2 veth12.2
# ip link set netns ns3 veth12
# ip netns exec ns1 ip link set veth12.1 name eth0
# ip netns exec ns2 ip link set veth12.2 name eth0
# ip netns exec ns3 ip link set veth12 name eth0
# ip netns exec ns1 ip addr add 192.168.0.11/24 dev eth0
# ip netns exec ns2 ip addr add 192.168.0.12/24 dev eth0
# ip netns exec ns3 ip addr add 192.168.0.254/24 dev eth0
# ip netns exec ns1 ip link set eth0 up
# ip netns exec ns2 ip link set eth0 up
# ip netns exec ns3 ip link set eth0 up
# ip netns exec ns1 ping -c 1 192.168.0.1
通
# ip netns exec ns1 ping -c 1 192.168.0.254
不通(macvlan 子接口与其父接口之间不能直接通信;192.168.0.254 配置在父接口上,即 ns3 中的 eth0、原 veth12)
# ip netns exec ns1 ping -c 1 192.168.0.12
通
# ip netns exec ns1 ip link | grep ether
link/ether 62:92:4b:81:85:fe brd ff:ff:ff:ff:ff:ff link-netns ns3
# ip netns exec ns2 ip link | grep ether
link/ether 76:ed:9e:2e:5f:a4 brd ff:ff:ff:ff:ff:ff link-netns ns3
# bridge fdb
...
62:92:4b:81:85:fe dev veth11 master br0
7e:fc:bf:1f:ce:58 dev veth11 master br0
...
# ip link set veth11 down
// 将 veth 的一端设为 down 后,对端(peer)也会随之 down(见下方输出中的 NO-CARRIER / LOWERLAYERDOWN)
# ip netns exec ns3 ip link show type veth
19: eth0@if20: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN mode DEFAULT group default qlen 1000
link/ether 7e:fc:bf:1f:ce:58 brd ff:ff:ff:ff:ff:ff link-netnsid 0
# ip netns exec ns1 ping -c 1 192.168.0.12
不通(父接口失去载波后,其上的 macvlan 子接口应该也随之不可用,所以 bridge 模式下子接口之间的互通同样依赖父接口的链路状态)
# ip link set veth11 up
VEPA 模式:此模式下同一父接口上的 macvlan 之间是隔离的,需要外部交换机支持 hairpin 功能才能通信
# ip netns exec ns1 ip link set eth0 type macvlan mode vepa
# ip netns exec ns1 ip link set eth0 type macvlan mode vepa
# ip netns exec ns1 ping -c 1 192.168.0.1
通
# ip netns exec ns1 ping -c 1 192.168.0.12
不通
# ip netns exec ns1 ping -c 1 192.168.0.254
不通
# tcpdump -i veth11 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth11, link-type EN10MB (Ethernet), capture size 262144 bytes
05:21:06.824252 IP 192.168.0.11 > 192.168.0.12: ICMP echo request, id 33858, seq 717, length 64
05:21:07.848077 IP 192.168.0.11 > 192.168.0.12: ICMP echo request, id 33858, seq 718, length 64
05:21:08.871927 IP 192.168.0.11 > 192.168.0.12: ICMP echo request, id 33858, seq 719, length 64
private 模式:隔离功能比 VEPA 更强,阻断了广播和组播,即使交换机开启 hairpin 也无法通信
# ip netns exec ns1 ip link set eth0 type macvlan mode private
# ip netns exec ns1 ip link set eth0 type macvlan mode private
# ip netns exec ns1 ping -c 1 192.168.0.1
通
# ip netns exec ns1 ping -c 1 192.168.0.12
不通
# ip netns exec ns1 ping -c 1 192.168.0.254
不通
# tcpdump -i veth11
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth11, link-type EN10MB (Ethernet), capture size 262144 bytes
05:29:10.280539 ARP, Request who-has 192.168.0.12 tell 192.168.0.11, length 28
05:29:10.280587 ARP, Request who-has 192.168.0.12 tell 192.168.0.11, length 28
05:29:11.304232 ARP, Request who-has 192.168.0.12 tell 192.168.0.11, length 28
# ip netns exec ns3 ip link | grep ether
link/ether 7e:fc:bf:1f:ce:58 brd ff:ff:ff:ff:ff:ff link-netnsid 0
# ip netns exec ns2 ip link delete eth0
# ip netns exec ns1 ip link delete eth0
# ip netns exec ns3 ip link add eth0.11 link eth0 type macvlan mode passthru
# ip netns exec ns3 ip link set eth0.11 netns ns1
# ip netns exec ns1 ip link set eth0.11 name eth0
# ip netns exec ns1 ip addr add 192.168.0.11/24 dev eth0
# ip netns exec ns1 ip link | grep ether
link/ether 7e:fc:bf:1f:ce:58 brd ff:ff:ff:ff:ff:ff link-netns ns3
# ip netns exec ns1 ip link set eth0 up
# ip netns exec ns1 ping -c 1 192.168.0.1
通
# ip netns exec ns1 ping -c 1 192.168.0.254
不通
# ip netns exec ns1 ip link delete eth0
# ip netns exec ns3 ip link add eth0.11 link eth0 type macvlan mode source macaddr add 36:50:43:11:71:c0
# ip netns exec ns3 ip link set eth0.11 netns ns1
# ip netns exec ns1 ip link set eth0.11 name eth0
# ip netns exec ns1 ip addr add 192.168.0.11/24 dev eth0
# ip netns exec ns1 ip link | grep ether
link/ether 5e:32:45:fa:21:d3 brd ff:ff:ff:ff:ff:ff link-netns ns3
# ip netns exec ns1 ip link set eth0 up
# ip netns exec ns1 ping -c 1 192.168.0.1
通
# ip netns exec ns1 ping -c 1 192.168.0.254
不通