
Goal
Build the network topology shown above with OVS, then configure flow tables that use conntrack to achieve the following:
1. vm1 can ping vm2
2. vm2 cannot ping vm1
Lab environment
CentOS Linux release 7.2.1511 (Core)
Building the base environment
git clone https://github.com/cao19881125/ovn_lab.git
cd ovn_lab/docker
docker build -t ovn_lab:v1 .
yum install package/openvswitch-kmod-2.7.90-1.el7.centos.x86_64.rpm
Starting the container
cd ovn_lab
OVN_LAB_DIR=`pwd`
docker run -it -d --privileged -v $OVN_LAB_DIR/lesson:/root/ovn_lab/lesson --name 'ovn_lab' ovn_lab:v1 bash
docker exec -it ovn_lab bash
Creating the network topology
start_ovs.sh
/root/ovn_lab/lesson/list/lesson1/create_topo.sh
Adding the flows
ovs-ofctl add-flow br-int table=0,priority=100,arp,action=normal
ovs-ofctl add-flow br-int table=0,priority=100,ip,ct_state=-trk,action=ct\(table=1\)
ovs-ofctl add-flow br-int table=1,in_port=1,ip,ct_state=+trk+new,action=ct\(commit\),2
ovs-ofctl add-flow br-int table=1,in_port=1,ip,ct_state=+trk+est,action=2
ovs-ofctl add-flow br-int table=1,in_port=2,ip,ct_state=+trk+new,action=drop
ovs-ofctl add-flow br-int table=1,in_port=2,ip,ct_state=+trk+est,action=1
Testing
vm1 pings vm2
# ip netns exec vm1 ping 10.0.0.20
PING 10.0.0.20 (10.0.0.20) 56(84) bytes of data.
64 bytes from 10.0.0.20: icmp_seq=1 ttl=64 time=0.314 ms
64 bytes from 10.0.0.20: icmp_seq=2 ttl=64 time=0.217 ms
vm2 pings vm1
# ip netns exec vm2 ping 10.0.0.10 -w 3
PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data.
--- 10.0.0.10 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 2999ms
Flow table walkthrough
1. table=0,arp,action=normal
    Let ARP through using normal L2 forwarding.
2. table=0,priority=100,ip,ct_state=-trk,action=ct(table=1)
    IP packets that are still untracked are sent to conntrack; after processing they are recirculated into table 1.
3. table=1,in_port=1,ip,ct_state=+trk+new,action=ct(commit),2
    IP packets from vm1 in the new state are committed to conntrack and sent out port 2.
4. table=1,in_port=1,ip,ct_state=+trk+est,action=2
    Packets from vm1 in the established state are sent out port 2.
5. table=1,in_port=2,ip,ct_state=+trk+new,action=drop
    Packets from vm2 in the new state are dropped.
6. table=1,in_port=2,ip,ct_state=+trk+est,action=1
    Packets from vm2 in the established state are sent out port 1.
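As an added illustration (not part of the ovn_lab repository), the following Python model simulates how these six flows and the conntrack table interact for an ICMP echo exchange. It assumes port 1 is vm1 (10.0.0.10) and port 2 is vm2 (10.0.0.20), as in the test above, and keys conntrack entries on (src, dst, ICMP id) the way the kernel conntrack does for ICMP; it also shows why the ct(commit) in flow 3 is what lets vm2's reply back through.

```python
# Simulation of the lab's two-table conntrack pipeline (added example, not lab code).
# Assumption: only ICMP echo request/reply traffic; conntrack entries are keyed on
# (src, dst, icmp_id), so a reply is matched by the reversed tuple with the same id.
PORT_OF = {"10.0.0.10": 1, "10.0.0.20": 2}   # vm1 -> port 1, vm2 -> port 2


def ct_lookup(ct_table, src, dst, icmp_id):
    """Mirror ct(table=1): mark the packet tracked and classify it as 'est'
    if a committed entry exists in either direction, otherwise 'new'."""
    if (src, dst, icmp_id) in ct_table or (dst, src, icmp_id) in ct_table:
        return {"trk", "est"}
    return {"trk", "new"}


def pipeline(ct_table, in_port, src, dst, icmp_id, commit_new=True):
    """Run one IP packet through table 0 and table 1 of the lab flow table.
    Returns the output port, or None when the packet is dropped.
    commit_new=False models flow 3 without its ct(commit) action."""
    # table=0: ip,ct_state=-trk -> ct(table=1): track, then recirculate to table 1
    state = ct_lookup(ct_table, src, dst, icmp_id)
    # table=1: match on in_port and ct_state
    if in_port == 1 and "new" in state:        # flow 3: ct(commit),2
        if commit_new:
            ct_table.add((src, dst, icmp_id))
        return 2
    if in_port == 1 and "est" in state:        # flow 4: output 2
        return 2
    if in_port == 2 and "new" in state:        # flow 5: drop
        return None
    if in_port == 2 and "est" in state:        # flow 6: output 1
        return 1
    return None                                # no match: OVS drops by default


def ping(ct_table, src, dst, icmp_id, commit_new=True):
    """Send an echo request src->dst and, if it got through, the reply dst->src.
    Returns (request_output_port, reply_output_port)."""
    req = pipeline(ct_table, PORT_OF[src], src, dst, icmp_id, commit_new)
    if req is None:
        return None, None
    rep = pipeline(ct_table, PORT_OF[dst], dst, src, icmp_id, commit_new)
    return req, rep
```

Running ping() for both directions against one shared conntrack set reproduces the test results: vm1's request is committed and its reply comes back as established, while vm2's own request has a different ICMP id, is classified new, and is dropped.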