On 10.07.2023 07:09, Marc Chamberlin via openSUSE Users wrote:
Andrei Borzenkov wrote:
On 09.07.2023 00:37, Marc Chamberlin via openSUSE Users wrote:
Andrei Borzenkov wrote:
On 08.07.2023 00:21, Marc Chamberlin via openSUSE Users wrote:
ipv4 nat PREROUTING 2 -d 111.111.111.112 -i eth0:novaExt -j DNAT --to-destination 192.168.10.210
Interface "eth0:novaExt" does not exist so this rule will never match.
Andrei - You have lost me here, what do you mean "eth0:novaExt" does not exist?
Show output of ip a
Thanks Andrei for helping me to understand what is going on with my network, much appreciate it. OK here is the output from "ip a" with my actual internet addresses obscured...
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/32 scope host lo
       valid_lft forever preferred_lft forever
2: p3p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:13:3b:2f:d4:66 brd ff:ff:ff:ff:ff:ff
    altname enp10s0
    inet 192.168.10.100/25 brd 192.168.10.127 scope global p3p1
       valid_lft forever preferred_lft forever
3: p3p2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:13:3b:2f:d4:67 brd ff:ff:ff:ff:ff:ff
    altname enp11s0
    inet 192.168.10.200/25 brd 192.168.10.255 scope global p3p2
       valid_lft forever preferred_lft forever
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 98:90:96:e4:28:bd brd ff:ff:ff:ff:ff:ff
    altname enp0s25
    inet 111.111.111.18/29 brd 111.111.111.23 scope global eth0
       valid_lft forever preferred_lft forever
    inet 111.111.111.19/29 brd 111.111.111.23 scope global secondary eth0:bigbangExt
       valid_lft forever preferred_lft forever
    inet 111.111.111.20/29 brd 111.111.111.23 scope global secondary eth0:darkstarEx
       valid_lft forever preferred_lft forever
    inet 111.111.111.21/29 brd 111.111.111.23 scope global secondary eth0:novaExt
       valid_lft forever preferred_lft forever
    inet 111.111.111.22/29 brd 111.111.111.23 scope global secondary eth0:quasarExt
       valid_lft forever preferred_lft forever
I created this interface with YaST2->System->Network Settings->Overview tab->Edit eth0->Address tab->Additional Addresses->Add and filled in the popup dialog fields for "Address label", "IP Address", and "Subnet Mask". Doesn't YaST2 set this up as an additional interface using the "Address label" name I gave it, which in this case was "novaExt"?
No. It adds an additional address to the interface eth0. The kernel does not create a new interface in this case.
Why not? Why not have the Kernel simply create a new virtual interface?
Because the kernel does not do it when requested to add an address to an interface.
Or have YaST2/Firewalld create them for the Kernel to use?
You requested YaST to add an address and YaST added the address. You did not request YaST to create a new interface.
Are you implying that I need to add 4 NICs to my system, instead of just the one NIC I now have?
I do not imply anything.
If so, then I am not sure what value there is to adding additional addresses to an interface?
First, there is life beyond your use case. Second, the source interface is not the only possible way to match incoming packets in netfilter. Third, if you insist, you could create additional interfaces of type macvlan or ipvlan on top of your physical interface. I have no idea whether YaST or, better, wicked supports them. A quick grep for "macvlan" in the wicked sources shows that it probably does; there is no match for "ipvlan".
The derived name for this interface then became "eth0:novaExt". I can certainly ping it and do other network tasks via this interface label. So in many ways, at least, this label for a network interface does feel like it exists!
Which does not make it the true, real interface.
And now I am even more confused! What good is it to be able to give multiple IP addresses to an interface if one cannot use those addresses in a manner that is consistent with any other address? In object-oriented design/programming, if one builds an object and then extends that object with a child object, then the child inherits all the capabilities of the parent. Why isn't this principle being applied to these so-called "fake" non-real IP addresses? Are you telling me that the interface model isn't a well thought out, consistent design, but just another example of a bad hack job?
No, I am not telling you that.
I've never dug into the Linux kernel code myself, but from my experiences and all the hype about it, I thought it was designed using well thought out OO models that are consistent. Maybe I am wrong?
Anywise, I don't want to be told that I am simply doing things the wrong way nor argue about the design of Linux. If I cannot divine the way Linux interfaces work, then I really need examples of how to achieve my goal using the tools supplied by my distro.
Thanks again for your thoughts, much appreciated! Marc...
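The point Andrei makes above, as an added example that is not part of this thread: an entry such as "eth0:novaExt" in `ip a` is an address label on eth0, not a device, so iptables/firewalld `-i eth0:novaExt` can never match, and the DNAT rule has to select the packet some other way, here by destination address plus the real device. The script below parses the `-o` (one-line) form of `ip link show` and `ip -4 addr show`, decides whether a name is a real device or just a label, and rewrites a firewalld direct rule accordingly. The SAMPLE_LINK and SAMPLE_ADDR strings are constructed to mirror the `ip a` output posted above (they are not real command output); the assumed rule format and the 192.168.10.210 target are the ones from the quoted rule. On a live system replace the two samples with the output of `ip -o link show` and `ip -o -4 addr show`.

```shell
#!/bin/sh
# Added example: distinguish an address label ("eth0:novaExt") from a real device,
# and emit a firewalld direct DNAT rule that matches on destination address + device.
# SAMPLE_* are constructed stand-ins for `ip -o link show` / `ip -o -4 addr show`.

SAMPLE_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000\    link/ether 98:90:96:e4:28:bd brd ff:ff:ff:ff:ff:ff'

SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
4: eth0    inet 111.111.111.18/29 brd 111.111.111.23 scope global eth0\       valid_lft forever preferred_lft forever
4: eth0    inet 111.111.111.21/29 brd 111.111.111.23 scope global secondary eth0:novaExt\       valid_lft forever preferred_lft forever'

# is_real_device NAME -> exit 0 only if NAME appears as a device in `ip -o link` output.
# Only such names are usable with iptables/nft "-i"; labels are not.
is_real_device() {
    printf '%s\n' "$SAMPLE_LINK" | awk -v n="$1" '$2 == (n ":") { found = 1 } END { exit !found }'
}

# addr_for_label LABEL -> prints "DEVICE ADDRESS" for the address carrying LABEL
# (the label is the field just before "valid_lft", with ip's trailing "\" stripped),
# or nothing if no address has that label.
addr_for_label() {
    printf '%s\n' "$SAMPLE_ADDR" | awk -v l="$1" '
        {
            for (i = 1; i <= NF; i++)
                if ($i == "valid_lft") { lbl = $(i - 1); sub(/\\$/, "", lbl) }
            if (lbl == l) { split($4, a, "/"); print $2, a[1]; exit }
        }'
}

# fix_dnat_rule IFACE DST TARGET -> prints a firewalld direct rule (same format as
# `firewall-cmd --direct --get-all-rules`) that can actually match.
#  - IFACE is a real device: keep it and the given destination address.
#  - IFACE is an address label: use the label's address as -d and its real device as -i.
#  - neither: fail.
fix_dnat_rule() {
    iface=$1; dst=$2; target=$3
    if is_real_device "$iface"; then
        printf 'ipv4 nat PREROUTING 2 -d %s -i %s -j DNAT --to-destination %s\n' \
            "$dst" "$iface" "$target"
        return 0
    fi
    set -- $(addr_for_label "$iface")
    if [ $# -ne 2 ]; then
        echo "error: '$iface' is neither a device nor an address label" >&2
        return 1
    fi
    # $1 = real device, $2 = the address the label points at
    printf 'ipv4 nat PREROUTING 2 -d %s -i %s -j DNAT --to-destination %s\n' \
        "$2" "$1" "$target"
}
```

Usage: `fix_dnat_rule eth0:novaExt 111.111.111.112 192.168.10.210` prints `ipv4 nat PREROUTING 2 -d 111.111.111.21 -i eth0 -j DNAT --to-destination 192.168.10.210`, i.e. the rule with the label replaced by the device it lives on and the destination pinned to the label's address; the resulting string is what goes after `firewall-cmd --permanent --direct --add-rule`. If a per-"interface" match is really wanted, the macvlan route Andrei mentions (`ip link add novaExt link eth0 type macvlan`, done outside YaST) creates a real device that `-i` can name.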