Support for bonding interfaces is currently available only for Linux firewalls. A generated iptables script can incrementally update bonding interfaces:
The generated script includes shell code to manage bonding interfaces if the checkbox "Configure bonding interfaces" is turned on in the "Script" tab of the firewall object "advanced" settings dialog. By default, it is turned off.
The script uses ifenslave tool which should be present on the firewall. The script checks if it is available and aborts if it cannot find it.
The script creates new bonding interfaces with parameters configured in the GUI if the module 'bonding' is not loaded. This is what happens if the Firewall Builder script runs after reboot.
if there are no bonding interfaces in fwbuilder configuration, the script removes the bonding module to kill any bonding interfaces that might exist on the machine.
If you add a second bonding interface in Firewall Builder, the script checks if it exists on the machine. It will not create it because to do so, it would have to remove the module, which kills other bonding interfaces. If this second bonding interface exists, it will be configured with slaves and addresses. If it does not exist, the script aborts. In this case you need to either (1) reload the module manually or (2) add max_bonds=2 to /etc/modules.conf and reboot or (3) unload the module and run the Firewall Builder script again (if module is not loaded, the script loads it with correct max_bonds parameter)
If a bonding interface exists on the machine but not in Firewall Builder configuration, the script removes all slaves from it and brings it down. It cannot delete it because to do so it would need to remove the module, which kills other bonding interfaces.
There is a limitation in the current implementation in that all bonding interfaces will use the same protocol parameters. This is because module loading with parameter "-obond1" that is supposed to be the way to obtain more than one bonding interface and also the way to specify different parameters for different interfaces causes kernel panic in my tests. (Tested with bonding module v3.5.0 and kernel 2.6.29.4-167.fc11.i686.PAE on Fedora Core 11.) The only working way to get two bonding interfaces I could find is to load the module with parameter max_bonds=2, but this means all bonding interfaces work with the same protocol parameters. If bond interfaces are configured with different parameters in fwbuilder, the compiler uses the first and issues a warning for others.
To configure bonding interface, we start with an interface object with name "bond0". Create this interface as usual, open it in the editor by double clicking it in the tree, rename it, and then and click "Advanced Interface Settings" button. Set the type to "Bonding" in the drop-down list and set the other parameters:
To add regular Ethernet interfaces as slaves to a bonding inetrface, copy and paste (or create) them so they become child objects of a bonding interface. A bonding interface needs an IP address as any other regular interface. Final configuration looks like shown in Figure 9.39:
If you only want to be able to use the bonding interface in rules, then this is sufficient configuration. You can go ahead and add rules and place object "bond0" in "Source", "Destination" or "Interface" column of policy rules. If you want Firewall Builder to generate a script that creates and configures this interface, then you need to enable support for this by turning the checkbox "Configure bonding interfaces" on in the "Script" tab of the firewall object settings dialog:
Now compile the firewall object, copy the generated script to the firewall machine and run it there. If the script is started using the command-line parameter "interfaces", it only configures interfaces and IP addresses but does not load iptables rules. Here is how it looks:
root@linux-test-1:~# /etc/fw/linux-test-bond-1.fw interfaces # Add bonding interface slave: bond0 eth2 # Add bonding interface slave: bond0 eth3 # Adding ip address: bond0 10.1.1.1/24
Interface configuration after the script run looks like this:
root@linux-test-1:~# ip addr show 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000 link/ether 00:0c:29:1e:dc:aa brd ff:ff:ff:ff:ff:ff inet 10.3.14.108/24 brd 10.3.14.255 scope global eth0 inet6 fe80::20c:29ff:fe1e:dcaa/64 scope link valid_lft forever preferred_lft forever 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000 link/ether 00:0c:29:1e:dc:b4 brd ff:ff:ff:ff:ff:ff inet6 fe80::20c:29ff:fe1e:dcb4/64 scope link valid_lft forever preferred_lft forever 4: eth2: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master bond0 state UNKNOWN qlen 1000 link/ether 00:0c:29:1e:dc:be brd ff:ff:ff:ff:ff:ff 5: eth3: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master bond0 state UP qlen 1000 link/ether 00:0c:29:1e:dc:be brd ff:ff:ff:ff:ff:ff 6: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP link/ether 00:0c:29:1e:dc:be brd ff:ff:ff:ff:ff:ff inet 10.1.1.1/24 scope global bond0 inet6 fe80::20c:29ff:fe1e:dcbe/64 scope link valid_lft forever preferred_lft forever
root@linux-test-1:~# cat /proc/net/bonding/bond0 Ethernet Channel Bonding Driver: v3.3.0 (June 10, 2008) Bonding Mode: IEEE 802.3ad Dynamic link aggregation Transmit Hash Policy: layer2 (0) MII Status: up MII Polling Interval (ms): 100 Up Delay (ms): 0 Down Delay (ms): 0 802.3ad info LACP rate: slow Active Aggregator Info: Aggregator ID: 1 Number of ports: 1 Actor Key: 9 Partner Key: 1 Partner Mac Address: 00:00:00:00:00:00 Slave Interface: eth2 MII Status: up Link Failure Count: 0 Permanent HW addr: 00:0c:29:1e:dc:be Aggregator ID: 1 Slave Interface: eth3 MII Status: up Link Failure Count: 0 Permanent HW addr: 00:0c:29:1e:dc:c8 Aggregator ID: 2
Running the script a second time does nothing because interface bond0 already exists and its configuration matches the one defined in Firewall Builder:
root@linux-test-1:~# /etc/fw/linux-test-bond-1.fw interfaces root@linux-test-1:~#
Unfortunately, the generated script cannot manage bonding interface parameters. If you change a bonding policy in the GUI, recompile it, and run the script on the firewall, nothing will happen. You need to either manually unload the module or reboot the machine. However, if you add or remove Ethernet interfaces under the bonding interface, the script will update its configuration accordingly without the need to unload the module or reboot the machine.
Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.
Using free CSS Templates.