OVN security group summary

This article is a technical summary of how OVN implements security groups. It is divided into three parts: the security-group implementation in the OVN plugin, the OVN logical flows, and the OpenFlow flows; along the way it also introduces some OVN-related protocols and techniques.

OVN basic concepts

This opening section introduces a few basic OVN (and OVS) concepts.

[Figure: ovn-arch]

tunnel_key

When OVN creates an OVN datapath it assigns it a unique tunnel_key and syncs it to the southbound database (see the build_datapath function in the OVN code). In the datapaths below, a logical router and a logical switch, you can see that share_router has key 3 and share_net has key 1:

()[root@ovn-ovsdb-sb-0 /]# ovn-sbctl list Datapath_Binding
_uuid               : 51e7ecae-4935-4fba-a68e-b385297f8c74
external_ids        : {logical-router="0c532506-992e-4430-aea2-c60ee0ffa364", name=neutron-3f26be47-1e01-44b5-b74f-b025f82bb0b6, name2=share_router}
tunnel_key          : 3

_uuid               : 19902b04-1fe5-411d-9516-749fa1500376
external_ids        : {logical-switch="301f9dc3-66c1-4667-9ddb-63bc8e2f2d6f", name=neutron-1489889a-d027-462d-8d17-014852f27b5a, name2=share_net}
tunnel_key          : 1

創(chuàng)建ovn port時(shí),為port分配其所在datapath下唯一的tunnel_key,并同步到南向流表(詳見ovn代碼build_ports函數(shù)),如下port在南向的數(shù)據(jù),三張網(wǎng)卡屬于同一個(gè)switch,其中兩個(gè)是子網(wǎng)接口:

()[root@ovn-ovsdb-sb-0 /]# ovn-sbctl list Port_Binding 
_uuid               : d48080ec-8563-43f7-ba5d-8e5ff87045ec
datapath            : 19902b04-1fe5-411d-9516-749fa1500376
external_ids        : {"neutron:cidrs"="192.168.111.1/24", "neutron:device_id"="3f26be47-1e01-44b5-b74f-b025f82bb0b6", "neutron:device_owner"="network:router_interface", "neutron:network_name"=neutron-1489889a-d027-462d-8d17-014852f27b5a, "neutron:port_name"="", "neutron:project_id"="1e3a5bacc11a46acb1a1803ddaf7bcc1", "neutron:revision_number"="3", "neutron:security_group_ids"=""}
logical_port        : "a7e8a001-4c92-4eb9-95ac-7696993ae9b2"
mac                 : [router]
options             : {peer=lrp-a7e8a001-4c92-4eb9-95ac-7696993ae9b2}
tunnel_key          : 1
type                : patch

_uuid               : 05870332-50f9-4122-a123-21b1c465272b
datapath            : 19902b04-1fe5-411d-9516-749fa1500376
external_ids        : {"neutron:cidrs"="192.168.222.1/24", "neutron:device_id"="3f26be47-1e01-44b5-b74f-b025f82bb0b6", "neutron:device_owner"="network:router_interface", "neutron:network_name"=neutron-1489889a-d027-462d-8d17-014852f27b5a, "neutron:port_name"="", "neutron:project_id"="1e3a5bacc11a46acb1a1803ddaf7bcc1", "neutron:revision_number"="3", "neutron:security_group_ids"=""}
logical_port        : "cabdccc3-8a9c-428f-a678-5fed80d72d17"
mac                 : [router]
options             : {peer=lrp-cabdccc3-8a9c-428f-a678-5fed80d72d17}
tunnel_key          : 5
type                : patch

_uuid               : 93eb8dd5-0071-4ee9-8c31-371a95f2db57
chassis             : 8209d6dc-0809-416b-a1a9-0f4f5a0e617f
datapath            : 19902b04-1fe5-411d-9516-749fa1500376
external_ids        : {name=instance-DNWPye_share_net_5a03dfba, "neutron:cidrs"="192.168.111.175/24", "neutron:device_id"="ab98829d-26c0-439a-b930-dd24ccad78d7", "neutron:device_owner"="compute:default-az", "neutron:network_name"=neutron-1489889a-d027-462d-8d17-014852f27b5a, "neutron:port_fip"="172.16.10.101", "neutron:port_name"=instance-DNWPye_share_net_5a03dfba, "neutron:project_id"="1e3a5bacc11a46acb1a1803ddaf7bcc1", "neutron:revision_number"="5", "neutron:security_group_ids"="fac16449-d03f-4880-b361-383b3c893ee0"}
logical_port        : "b5ca6f69-eb6d-4496-8df0-e558e1552167"
mac                 : ["fa:16:3e:e8:dd:6b 192.168.111.175"]
options             : {requested-chassis=node-1.domain.tld}
tunnel_key          : 2
type                : ""

The resources above are summarized in the figure below:

[Figure: resource summary]

In OVN flows, tunnel_key identifies where a flow comes from and where it is going. How does that work? OVN uses the following three registers:

  • reg14: logical input port field, identifies the ingress tunnel_key
  • reg15: logical output port field, identifies the egress tunnel_key
  • metadata: logical datapath field, identifies the tunnel_key of the datapath the packet belongs to

When ovn-controller translates logical flows into OpenFlow flows, it identifies a flow's source by metadata+reg14 and its destination by metadata+reg15.
For example: the NIC b5ca6f69-eb6d-4496-8df0-e558e1552167 mentioned above has tunnel_key 2, its datapath has tunnel_key 1, and it is attached via the interface tapb5ca6f69.

In OpenFlow table 0 the ingress is marked with reg14=0x2, metadata=0x1:

cookie=0x0, duration=967010.862s, table=0, n_packets=93, n_bytes=16890, priority=100,
 in_port="tapb5ca6f69-eb" actions=load:0xc->NXM_NX_REG13[],load:0x5->NXM_NX_REG11[],
 load:0x6->NXM_NX_REG12[],load:0x1->OXM_OF_METADATA[],
 load:0x2->NXM_NX_REG14[],resubmit(,8)  

In the output table (table 65 in the dump below) the egress is marked with reg15=0x2:

cookie=0x0, duration=1057442.127s, table=65, n_packets=118, n_bytes=19390, priority=100,
 reg15=0x2,metadata=0x1 actions=output:"tapb5ca6f69-eb"
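As an added example (not part of the original post), the following Python parses `ovn-sbctl list` output of the shape shown above and resolves the metadata+reg14 / metadata+reg15 pairs found in an OpenFlow match back to logical port names. The sample records are abbreviated copies of the output above with the neutron external_ids dropped; the function names are my own.

```python
import re

# Constructed sample: abbreviated `ovn-sbctl list Datapath_Binding` and
# `ovn-sbctl list Port_Binding` output (records separated by blank lines).
DATAPATH_BINDING = """\
_uuid               : 51e7ecae-4935-4fba-a68e-b385297f8c74
external_ids        : {logical-router="0c532506-992e-4430-aea2-c60ee0ffa364", name2=share_router}
tunnel_key          : 3

_uuid               : 19902b04-1fe5-411d-9516-749fa1500376
external_ids        : {logical-switch="301f9dc3-66c1-4667-9ddb-63bc8e2f2d6f", name2=share_net}
tunnel_key          : 1
"""

PORT_BINDING = """\
_uuid               : d48080ec-8563-43f7-ba5d-8e5ff87045ec
datapath            : 19902b04-1fe5-411d-9516-749fa1500376
logical_port        : "a7e8a001-4c92-4eb9-95ac-7696993ae9b2"
tunnel_key          : 1
type                : patch

_uuid               : 93eb8dd5-0071-4ee9-8c31-371a95f2db57
datapath            : 19902b04-1fe5-411d-9516-749fa1500376
logical_port        : "b5ca6f69-eb6d-4496-8df0-e558e1552167"
tunnel_key          : 2
type                : ""
"""


def parse_sbctl_list(text):
    """Parse `ovn-sbctl list <table>` output into a list of dicts.
    Records are separated by blank lines; each line is `column : value`.
    Only the first ':' separates column from value, so values containing
    ':' (MAC addresses, neutron:* keys) survive intact."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip().strip('"')
    if current:
        records.append(current)
    return records


def build_lport_index(datapaths, ports):
    """Map (datapath tunnel_key, port tunnel_key) -> logical_port name, i.e.
    exactly the (metadata, reg14/reg15) pair ovn-controller encodes in OpenFlow."""
    dp_key_by_uuid = {dp["_uuid"]: int(dp["tunnel_key"]) for dp in datapaths}
    index = {}
    for port in ports:
        if port["datapath"] in dp_key_by_uuid:
            index[(dp_key_by_uuid[port["datapath"]], int(port["tunnel_key"]))] = port["logical_port"]
    return index


OF_FIELD_RE = re.compile(r"\b(metadata|reg14|reg15)=(0x[0-9a-fA-F]+|\d+)")


def resolve_openflow_match(match, index):
    """Given the match part of an OpenFlow rule, return which logical port it
    identifies as source (metadata+reg14) and/or destination (metadata+reg15).
    Unknown keys resolve to None so a stale flow is visible as such."""
    fields = {k: int(v, 0) for k, v in OF_FIELD_RE.findall(match)}
    if "metadata" not in fields:
        return {}
    dp = fields["metadata"]
    result = {}
    if "reg14" in fields:
        result["inport"] = index.get((dp, fields["reg14"]))
    if "reg15" in fields:
        result["outport"] = index.get((dp, fields["reg15"]))
    return result


if __name__ == "__main__":
    index = build_lport_index(parse_sbctl_list(DATAPATH_BINDING), parse_sbctl_list(PORT_BINDING))
    print(resolve_openflow_match("priority=50,reg14=0x2,metadata=0x1,dl_src=fa:16:3e:e8:dd:6b", index))
    print(resolve_openflow_match("reg15=0x2,metadata=0x1", index))
```

In practice you would feed the real `ovn-sbctl list` output into parse_sbctl_list and the match part of `ovs-ofctl dump-flows br-int` lines into resolve_openflow_match; that is enough to check, per flow, which logical port an ACL or port-security rule is actually being applied to.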

logical port

The logical port mentioned above is the kind of port created through neutron's create_port.
Besides that, there are the following port types to be aware of:

  • localport: a local connection point between the logical switch and a VIF. For example, a localport is used to provide metadata to the VMs residing on each hypervisor.
  • localnet: the connection point between the logical switch and the physical network, i.e. the patch port connecting br-xx and br-int. For example, after a VLAN network is created a logical port named provnet-xxx is generated (Geneve networks don't have one), and on OVS you will see a patch established between br-int and br-xx. That patch is used to communicate with the physical network.
  • patch: the connection point between a logical switch and a logical router. For example, after a subnet interface is created, a logical patch port is generated automatically between the subnet and the router. So far it appears that logical patch ports are not created on OVS.

pipeline

OVN processes logical flows as a pipeline, divided into an ingress stage and an egress stage:

  • the ingress logical flows start at table 0 (the corresponding OVS flows start at table 8); the security-group part involves tables 0 to 6
  • the egress logical flows start at table 0 (the corresponding OVS flows start at table 40); the security-group part involves tables 0 to 4

Each logical flow is tagged with the stage it belongs to (PIPELINE_STAGES in the OVN source); the stage name helps you understand what the flow does, like this:
table=0 (ls_in_port_sec_l2 )

ovs conntrack

ovs-conntrack

The OVS conntrack feature adds the concept of ct flows: packets whose state needs to be tracked are submitted into ct, the connection state is marked, and later packets can look up that connection state.


[Figure: conntrack-fields]

每個(gè)以"+“為前綴的標(biāo)志,表示必須設(shè)置,或者以”-"為前綴的標(biāo)志表示不能設(shè)置。這里面的zone用來(lái)隔離不同的跟蹤會(huì)話,避免與其他會(huì)話沖突,ovn同步給ovs時(shí)使用reg13標(biāo)記zone:

  • reg13:Logical conntrack zone for lports
    不過報(bào)文不走ct會(huì)對(duì)性能有很大提升,所以對(duì)性能有要求的場(chǎng)景建議使用無(wú)狀態(tài)的acl。

Security groups in the OVN plugin

The latest neutron has merged the networking-ovn plugin in-tree as an ML2 driver, and it implements the security-group feature. The implementation uses OVN's port group feature.

During security-group creation the OVN ML2 driver first creates the port group, then configures the ACL rules on that port group; when a port is added or removed it calls the port group commands to adjust the group's member list. So a port never deals with the security group directly; it is only added to or removed from the port group.

創(chuàng)建安全組:
_create_security_group
-->create_security_group
 -->txn.add(self._nb_idl.pg_add(                         添加命名qg-安全組id的port group
                name=name, acls=[], external_ids=ext_ids))
 -->add_acls_for_sg_port_group                            給port group配置acl規(guī)則
 ------------------------------------------------------------------------------------------
 創(chuàng)建port配置安全組:
 注意會(huì)先過濾掉device_owner為"network:"的port,然后將符合條件的port添加進(jìn)port group里
                 txn.add(self._nb_idl.pg_add_ports(
                    utils.ovn_port_group_name(sg), port_cmd))

Next, a few details of the processing.

規(guī)則direction

社區(qū)的安全組規(guī)則對(duì)應(yīng)到ovn的acl時(shí),實(shí)際的acl是作用到虛機(jī)上聯(lián)的br-int上,所以作用的方向需要注意,常見的ovn acl命令如下:

from-lport  1002 (inport == @pg_99ead3ac_2539_49d2_b8fa_f46116a22955 && ip4) allow-related
to-lport  1002 (outport == @pg_99ead3ac_2539_49d2_b8fa_f46116a22955 && ip4 && ip4.src == $pg_99ead3ac_2539_49d2_b8fa_f46116a22955_ip4) allow-related

虛機(jī)端口出來(lái)的流量即egress,對(duì)應(yīng)logic port就是入方向,到acl上是from-lport并指定logic port為inport;
進(jìn)入虛機(jī)端口的流量即ingress,對(duì)應(yīng)logic port就是出方向,到acl上是to-lport并指定logic port為outport。

規(guī)則優(yōu)先級(jí)

安全組規(guī)則在配置給ovn時(shí),指定了一個(gè)較高的優(yōu)先級(jí),目前插件側(cè)設(shè)置為:

ACL_PRIORITY_ALLOW = 1002
ACL_PRIORITY_DROP = 1001

One thing to note: if you look at the logical flows corresponding to the ACL rules, you will find that the priorities have become 2002 and 2001:

table=4 (ls_out_acl), priority=2002 , match=(!ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (outport == @pg_f3a6bf24_858f_482f_81e8_eb450c527605 && ip4 && ip4.src == $pg_f3a6bf24_858f_482f_81e8_eb450c527605_ip4)), action=(next;)

The reason is that OVN adds 1000 to the ACL priority to avoid conflicts with other hard-coded flow priorities:

/* Due to various hard-coded priorities need to implement ACLs, the
 * northbound database supports a smaller range of ACL priorities than
 * are available to logical flows.  This value is added to an ACL
 * priority to determine the ACL's logical flow priority. */
#define OVN_ACL_PRI_OFFSET 1000
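Added example (my own, not the plugin's code): a simplified Python translation of a neutron security-group rule into an OVN ACL tuple, following the direction mapping and the priorities described above, plus the +1000 offset OVN applies when it builds the logical flow. The function names sg_rule_to_acl and logical_flow_priority and the handling of protocol/port ranges are my assumptions; ovn_port_group_name mirrors the pg_<uuid> naming visible in the ACLs above, and ovn_pg_addrset_name follows the pg-<sg>-<ipversion> convention with '-' replaced by '_'.

```python
ACL_PRIORITY_ALLOW = 1002   # plugin-side values quoted above
ACL_PRIORITY_DROP = 1001
OVN_ACL_PRI_OFFSET = 1000   # added by ovn-northd when the ACL becomes a logical flow


def ovn_port_group_name(sg_id):
    # Assumption: mirrors the pg_<uuid with '-' -> '_'> names seen in the ACLs above.
    return "pg_" + sg_id.replace("-", "_")


def ovn_pg_addrset_name(sg_id, ip_version):
    # OVN does not allow '-' in an address set name.
    return ("pg-%s-%s" % (sg_id, ip_version)).replace("-", "_")


def sg_rule_to_acl(rule):
    """Translate one neutron security-group rule into an OVN ACL tuple
    (direction, priority, match, action).  Keys used from `rule`:
    security_group_id, direction ('ingress'|'egress'), ethertype ('IPv4'|'IPv6'),
    and optionally protocol, port_range_min/max, remote_ip_prefix, remote_group_id.
    Port-range handling is a simplification of the real driver (assumption)."""
    pg = "@" + ovn_port_group_name(rule["security_group_id"])
    ip_version = "ip4" if rule["ethertype"] == "IPv4" else "ip6"
    if rule["direction"] == "egress":
        # Traffic leaving the VM enters the logical switch: from-lport, match on inport,
        # and the remote side of the rule is the packet's destination.
        acl_dir, port_field, remote_field = "from-lport", "inport", "dst"
    else:
        # Traffic towards the VM leaves the logical switch: to-lport, match on outport,
        # and the remote side is the packet's source.
        acl_dir, port_field, remote_field = "to-lport", "outport", "src"
    terms = ["%s == %s" % (port_field, pg), ip_version]
    if rule.get("remote_ip_prefix"):
        terms.append("%s.%s == %s" % (ip_version, remote_field, rule["remote_ip_prefix"]))
    if rule.get("remote_group_id"):
        # The remote group's members are matched through its address set.
        addrset = "$" + ovn_pg_addrset_name(rule["remote_group_id"], ip_version)
        terms.append("%s.%s == %s" % (ip_version, remote_field, addrset))
    proto = rule.get("protocol")
    if proto in ("tcp", "udp"):
        terms.append(proto)
        lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
        if lo is not None and hi is not None:
            if lo == hi:
                terms.append("%s.dst == %d" % (proto, lo))
            else:
                terms.append("%s.dst >= %d && %s.dst <= %d" % (proto, lo, proto, hi))
    elif proto:
        terms.append(proto)
    return (acl_dir, ACL_PRIORITY_ALLOW, " && ".join(terms), "allow-related")


def logical_flow_priority(acl_priority):
    """Priority the ACL gets in ls_in_acl / ls_out_acl (OVN_ACL_PRI_OFFSET applied)."""
    return acl_priority + OVN_ACL_PRI_OFFSET


if __name__ == "__main__":
    sg = "99ead3ac-2539-49d2-b8fa-f46116a22955"   # security group id from the ACLs above
    for rule in (
        {"security_group_id": sg, "direction": "egress", "ethertype": "IPv4"},
        {"security_group_id": sg, "direction": "ingress", "ethertype": "IPv4", "remote_group_id": sg},
    ):
        acl = sg_rule_to_acl(rule)
        print(acl, "-> logical flow priority", logical_flow_priority(acl[1]))
```

The two rules in the usage block reproduce the from-lport and to-lport ACLs quoted above (the default "allow all egress" rule and the "allow from members of the same group" rule); note that the 1002 in the ACL shows up as 2002 in the logical flow, which is why grepping ovn-sbctl lflow-list for the plugin's priority constants finds nothing.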

allowed_address_pairs

插件調(diào)用ovn_client處理create_port時(shí),會(huì)先獲取port的addresses列表,包括allowed_address_pairs。
在調(diào)用ovn-client進(jìn)行port創(chuàng)建/更新時(shí),會(huì)將address配置進(jìn)logic port里去。所以在ovn實(shí)現(xiàn)安全防護(hù)的時(shí)候,它只會(huì)允許addresses列表里的ip/mac通過。
舉個(gè)例子,給port配置了allowed_address_pairs地址為10.0.0.3:

()[root@busybox-openstack-74787f576-pkffm /]# neutron port-show instance-DNWPye_share_net_5a03dfba -c allowed_address_pairs -c fixed_ips
+-----------------------+----------------------------------------------------------------------------------------+
| Field                 | Value                                                                                  |
+-----------------------+----------------------------------------------------------------------------------------+
| allowed_address_pairs | {"ip_address": "10.0.0.3", "mac_address": "fa:16:3e:e8:dd:6b"}                         |
| fixed_ips             | {"subnet_id": "d39ae184-1c71-4aff-a4ba-9efad08e32ce", "ip_address": "192.168.111.175"} |
+-----------------------+----------------------------------------------------------------------------------------+

Looking at the logical flows afterwards, rules allowing 10.0.0.3 and 192.168.111.175 have been generated, and all other source IPs are dropped:

ingress:
table=1 (ls_in_port_sec_ip  ), priority=90   , match=(inport == "b5ca6f69-eb6d-4496-8df0-e558e1552167" && eth.src == fa:16:3e:e8:dd:6b && ip4.src == {192.168.111.175, 10.0.0.3}), action=(next;)
table=1 (ls_in_port_sec_ip  ), priority=80   , match=(inport == "b5ca6f69-eb6d-4496-8df0-e558e1552167" && eth.src == fa:16:3e:e8:dd:6b && ip), action=(drop;)
egress:
table=8 (ls_out_port_sec_ip ), priority=90   , match=(outport == "b5ca6f69-eb6d-4496-8df0-e558e1552167" && eth.dst == fa:16:3e:e8:dd:6b && ip4.dst == {255.255.255.255, 224.0.0.0/4, 192.168.111.175, 10.0.0.3}), action=(next;)
table=8 (ls_out_port_sec_ip ), priority=80   , match=(outport == "c4c13c68-b786-4859-aded-131a4ac44897" && eth.dst == fa:16:3e:95:34:c5 && ip), action=(drop;)

remote_group_id

When the plugin configures a remote security group, it fetches the remote security group's port group and uses the remote group's IP address set as the source or destination IP in the match, in the form pg_f3a6bf24_858f_482f_81e8_eb450c527605_ip4:

match=(!ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (outport == @pg_f3a6bf24_858f_482f_81e8_eb450c527605 && ip4 && ip4.src == $pg_f3a6bf24_858f_482f_81e8_eb450c527605_ip4)))

遠(yuǎn)端安全組的ip集合命名如下:

def ovn_pg_addrset_name(sg_id, ip_version):
    # The name of the address set for the given security group id modelled as a
    # Port Group and ip version. The format is:
    #   pg-<security group uuid>-<ip version>
    # with all '-' replaced with '_'. This replacement is necessary
    # because OVN doesn't support '-' in an address set name.
    return ('pg-%s-%s' % (sg_id, ip_version)).replace('-', '_')

neutron_pg_drop

At plugin startup, i.e. in the process's pre_fork stage, a port group named neutron_pg_drop is created first, with an ACL whose action is drop. A port is added to that port group when it meets the following conditions:

  • it is not a trusted port, i.e. device_owner is non-empty and does not start with network:
  • port_security is enabled

In summary, VM ports are placed into neutron_pg_drop, and when traffic to or from a VM matches no security-group rule it matches the neutron_pg_drop rule and is dropped. This design, however, causes a performance problem with the single pg_drop group, so we modified it: instead of storing everything in one port group, a pg_drop is created per network.

Security groups in the logical flows

以網(wǎng)卡b5ca6f69-eb6d-4496-8df0-e558e1552167為例子,reg14=0x2,metadata=0x1,分析ingress邏輯流表。
table0(ls_in_port_sec_l2),ovs參照table8:

build_lswitch_lflows_admission_control:
  drop packets with a multicast/broadcast source address:
  table=0 (ls_in_port_sec_l2  ), priority=100  , match=(eth.src[40]), action=(drop;)   
  drop VLAN-tagged packets (unless VLAN passthrough is enabled):
  table=0 (ls_in_port_sec_l2  ), priority=100  , match=(vlan.present), action=(drop;)  
build_port_security_l2:
  允許網(wǎng)卡eth.src報(bào)文通過:
  table=0 (ls_in_port_sec_l2  ), priority=50   , match=(inport == "b5ca6f69-eb6d-4496-8df0-e558e1552167" && eth.src == {fa:16:3e:e8:dd:6b}), action=(next;)

table 1 (ls_in_port_sec_ip), corresponding to OVS table 9:

build_port_security_ip(port_security,allowed-address-pairs):
  allow DHCP packets and the allowed-address-pairs, drop all other IP packets:
  table=1 (ls_in_port_sec_ip  ), priority=90   , match=(inport == "b5ca6f69-eb6d-4496-8df0-e558e1552167" && eth.src == fa:16:3e:e8:dd:6b && ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255 && udp.src == 68 && udp.dst == 67), action=(next;)
  table=1 (ls_in_port_sec_ip  ), priority=90   , match=(inport == "b5ca6f69-eb6d-4496-8df0-e558e1552167" && eth.src == fa:16:3e:e8:dd:6b && ip4.src == {192.168.111.175, 10.0.0.3}), action=(next;)
  table=1 (ls_in_port_sec_ip  ), priority=80   , match=(inport == "b5ca6f69-eb6d-4496-8df0-e558e1552167" && eth.src == fa:16:3e:e8:dd:6b && ip), action=(drop;)
build_lswitch_input_port_sec_od:
  table=1 (ls_in_port_sec_ip  ), priority=0    , match=(1), action=(next;)

table 2 (ls_in_port_sec_nd), corresponding to OVS table 10:

build_port_security_nd:
  虛機(jī)發(fā)出的arp報(bào)文必須和allowed-address-pairs匹配,否則丟棄,防止arp欺騙:
  table=2 (ls_in_port_sec_nd  ), priority=90   , match=(inport == "b5ca6f69-eb6d-4496-8df0-e558e1552167" && eth.src == fa:16:3e:e8:dd:6b && arp.sha == fa:16:3e:e8:dd:6b && arp.spa == {192.168.111.175,10.0.0.3}), action=(next;)
  table=2 (ls_in_port_sec_nd  ), priority=80   , match=(inport == "b5ca6f69-eb6d-4496-8df0-e558e1552167" && (arp || nd)), action=(drop;)
build_lswitch_input_port_sec_od:
  table=2 (ls_in_port_sec_nd  ), priority=0    , match=(1), action=(next;)
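Added example, not code from OVN or the plugin: it builds the port-security logical flows of tables 0 to 2 (and the egress ls_out_port_sec_ip stage) from a port's MAC, fixed IPs and allowed_address_pairs, and then evaluates a few constructed packets against the same logic so that the anti-spoofing behaviour of the allowed_address_pairs section above is visible. The port dict follows the neutron port-show output above; the function names are my own, and allowed-pair entries are treated as IPs or CIDRs via the ipaddress module (an assumption).

```python
import ipaddress

# Constructed port, in the shape of the `neutron port-show` output above.
PORT = {
    "id": "b5ca6f69-eb6d-4496-8df0-e558e1552167",
    "mac_address": "fa:16:3e:e8:dd:6b",
    "fixed_ips": [{"subnet_id": "d39ae184-1c71-4aff-a4ba-9efad08e32ce",
                   "ip_address": "192.168.111.175"}],
    "allowed_address_pairs": [{"ip_address": "10.0.0.3",
                               "mac_address": "fa:16:3e:e8:dd:6b"}],
}


def port_addresses(port):
    """Return (mac, [addresses]) for the port: fixed IPs plus allowed address
    pairs using the port's own MAC.  Pairs with a different MAC would get their
    own port_security entry in OVN; they are skipped here (assumption)."""
    mac = port["mac_address"]
    addrs = [f["ip_address"] for f in port["fixed_ips"]]
    for pair in port.get("allowed_address_pairs", []):
        if pair.get("mac_address", mac) == mac and pair["ip_address"] not in addrs:
            addrs.append(pair["ip_address"])
    return mac, addrs


def build_port_security_lflows(lport, mac, addrs):
    """Generate the port-security logical flows for one logical port, in the
    syntax of the dumps above, as (table, stage, priority, match, action)."""
    pre = 'inport == "%s" && eth.src == %s' % (lport, mac)
    return [
        (0, "ls_in_port_sec_l2", 50, 'inport == "%s" && eth.src == {%s}' % (lport, mac), "next;"),
        # DHCP from a not-yet-configured client (0.0.0.0 -> broadcast, 68 -> 67) is always allowed
        (1, "ls_in_port_sec_ip", 90, pre + " && ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255"
                                          " && udp.src == 68 && udp.dst == 67", "next;"),
        (1, "ls_in_port_sec_ip", 90, pre + " && ip4.src == {%s}" % ", ".join(addrs), "next;"),
        (1, "ls_in_port_sec_ip", 80, pre + " && ip", "drop;"),
        # ARP sender MAC/IP must be one of the port's own addresses
        (2, "ls_in_port_sec_nd", 90, pre + " && arp.sha == %s && arp.spa == {%s}" % (mac, ",".join(addrs)), "next;"),
        (2, "ls_in_port_sec_nd", 80, 'inport == "%s" && (arp || nd)' % lport, "drop;"),
        # Egress side: only broadcast, multicast and the port's own addresses may be delivered to it
        (8, "ls_out_port_sec_ip", 90, 'outport == "%s" && eth.dst == %s && ip4.dst == {255.255.255.255, 224.0.0.0/4, %s}'
                                      % (lport, mac, ", ".join(addrs)), "next;"),
        (8, "ls_out_port_sec_ip", 80, 'outport == "%s" && eth.dst == %s && ip' % (lport, mac), "drop;"),
    ]


def _in_addrs(ip, addrs):
    # An allowed entry may be a single IP or a CIDR (assumption for this example).
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(a, strict=False) for a in addrs)


def ingress_port_security_verdict(mac, addrs, pkt):
    """Apply the three ingress stages to a packet dict in priority order.
    Returns (verdict, deciding stage).  pkt keys: eth_src, and optionally
    ip/ip_src/ip_dst/udp_src/udp_dst or arp/arp_sha/arp_spa."""
    if pkt["eth_src"] != mac:
        # ls_in_port_sec_l2 has no default 'next' flow, so a foreign source MAC is dropped.
        return ("drop", "ls_in_port_sec_l2")
    if pkt.get("ip"):
        dhcp = (pkt.get("ip_src") == "0.0.0.0" and pkt.get("ip_dst") == "255.255.255.255"
                and pkt.get("udp_src") == 68 and pkt.get("udp_dst") == 67)
        if not dhcp and not _in_addrs(pkt.get("ip_src", "0.0.0.0"), addrs):
            return ("drop", "ls_in_port_sec_ip")
    if pkt.get("arp"):
        if pkt.get("arp_sha") != mac or not _in_addrs(pkt.get("arp_spa", "0.0.0.0"), addrs):
            return ("drop", "ls_in_port_sec_nd")
    return ("next", "ls_in_port_sec_nd")


if __name__ == "__main__":
    mac, addrs = port_addresses(PORT)
    for flow in build_port_security_lflows(PORT["id"], mac, addrs):
        print("table=%d (%s), priority=%d, match=(%s), action=(%s)" % flow)
    print(ingress_port_security_verdict(mac, addrs, {"eth_src": mac, "ip": True, "ip_src": "10.0.0.9"}))
```

The verdict function is the part worth keeping around when debugging "my VM cannot talk after I changed its IP": a source IP that is neither a fixed IP nor an allowed address pair is dropped in ls_in_port_sec_ip, and an ARP reply announcing such an IP is dropped in ls_in_port_sec_nd, before any security-group ACL is consulted.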

table 3 (ls_in_pre_acl), corresponding to OVS table 11:

build_pre_acls:
  子網(wǎng)接口將跳過狀態(tài)acl,它們作為ingress的reg14分別為0x5和0x1:
  table=3 (ls_in_pre_acl      ), priority=110  , match=(ip && inport == "a7e8a001-4c92-4eb9-95ac-7696993ae9b2"), action=(next;)     
  table=3 (ls_in_pre_acl      ), priority=110  , match=(ip && inport == "cabdccc3-8a9c-428f-a678-5fed80d72d17"), action=(next;) 
  IPv6 neighbor discovery, router discovery, ICMPv4/v6 unreachable and TCP RST packets skip the stateful ACL:
  table=3 (ls_in_pre_acl      ), priority=110  , match=(nd || nd_rs || nd_ra || icmp4.type == 3 || icmp6.type == 1 || (tcp && tcp.flags == 4)), action=(next;)
  狀態(tài)acl預(yù)處理,reg0[0]賦值1(REGBIT_CONNTRACK_DEFRAG標(biāo)記ip分片重組):
  table=3 (ls_in_pre_acl      ), priority=100  , match=(ip), action=(reg0[0] = 1; next;)
  table=3 (ls_in_pre_acl      ), priority=0    , match=(1), action=(next;)

table 4 (ls_in_pre_lb), corresponding to OVS table 12:

build_pre_lb:
  table=4 (ls_in_pre_lb       ), priority=110  , match=(nd || nd_rs || nd_ra), action=(next;)
  table=4 (ls_in_pre_lb       ), priority=0    , match=(1), action=(next;)

table 5 (ls_in_pre_stateful), corresponding to OVS table 13:

build_pre_stateful:
  標(biāo)記過reg0[0]的報(bào)文納入狀態(tài)跟蹤:
  table=5 (ls_in_pre_stateful ), priority=100  , match=(reg0[0] == 1), action=(ct_next;)
  table=5 (ls_in_pre_stateful ), priority=0    , match=(1), action=(next;)

table 6 (ls_in_acl), corresponding to OVS table 14:

build_acls:
  創(chuàng)建最高優(yōu)先級(jí)的acl,允許與已存在的狀態(tài)跟蹤相關(guān)的報(bào)文通過:
  table=6 (ls_in_acl          ), priority=65535, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(next;)
  創(chuàng)建最高優(yōu)先級(jí)的acl,允許已建立狀態(tài)跟蹤的回復(fù)報(bào)文通過:
  table=6 (ls_in_acl          ), priority=65535, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), action=(next;)
  創(chuàng)建最高優(yōu)先級(jí)的acl,丟棄無(wú)效狀態(tài)的報(bào)文:
  table=6 (ls_in_acl          ), priority=65535, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;)
  table=6 (ls_in_acl          ), priority=65535, match=(nd), action=(next;)
  
  創(chuàng)建安全組規(guī)則的acl,允許inport為安全組port group的報(bào)文通過:
  table=6 (ls_in_acl          ), priority=2002 , match=(!ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (inport == @pg_fac16449_d03f_4880_b361_383b3c893ee0 && ip4)), action=(next;)
  table=6 (ls_in_acl          ), priority=2002 , match=(!ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (inport == @pg_fac16449_d03f_4880_b361_383b3c893ee0 && ip6)), action=(next;)
  table=6 (ls_in_acl          ), priority=2002 , match=(((ct.new && !ct.est) || (!ct.new && ct.est && !ct.rpl && ct_label.blocked == 1)) && (inport == @pg_fac16449_d03f_4880_b361_383b3c893ee0 && ip4)), action=(reg0[1] = 1; next;)
  table=6 (ls_in_acl          ), priority=2002 , match=(((ct.new && !ct.est) || (!ct.new && ct.est && !ct.rpl && ct_label.blocked == 1)) && (inport == @pg_fac16449_d03f_4880_b361_383b3c893ee0 && ip6)), action=(reg0[1] = 1; next;)
  創(chuàng)建安全組規(guī)則的acl,丟棄inport來(lái)自neutron_pg_drop的報(bào)文:
  table=6 (ls_in_acl          ), priority=2001 , match=((!ct.est || (ct.est && ct_label.blocked == 1)) && (inport == @neutron_pg_drop && ip)), action=(/* drop */)
  table=6 (ls_in_acl          ), priority=2001 , match=(ct.est && ct_label.blocked == 0 && (inport == @neutron_pg_drop && ip)), action=(ct_commit(ct_label=1/1); /* drop */)
  
  table=6 (ls_in_acl          ), priority=1    , match=(ip && (!ct.est || (ct.est && ct_label.blocked == 1))), action=(reg0[1] = 1; next;)
  table=6 (ls_in_acl          ), priority=0    , match=(1), action=(next;)

Security groups in the OVS flows

The logical flows discussed above correspond to the following OpenFlow flows:

 table8:
 drop packets with a multicast/broadcast source address:
 cookie=0x6f1dbc42, duration=966129.895s, table=8, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=100,metadata=0x1,dl_src=01:00:00:00:00:00/01:00:00:00:00:00 actions=drop
 drop VLAN-tagged packets (unless VLAN passthrough is enabled):
 cookie=0x35965f1e, duration=966203.206s, table=8, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=100,metadata=0x1,vlan_tci=0x1000/0x1000 actions=drop (https://blog.csdn.net/u012124304/article/details/103211105)
 允許該網(wǎng)卡的eth.src報(bào)文通過:
 cookie=0xd2362303, duration=966463.937s, table=8, n_packets=93, n_bytes=16890, idle_age=4216, hard_age=65534, priority=50,reg14=0x2,metadata=0x1,dl_src=fa:16:3e:e8:dd:6b actions=resubmit(,9)
 

 table9:
 允許該網(wǎng)的卡dhcp報(bào)文和allowed-address-pairs,其余ip報(bào)文丟棄:
 cookie=0x6953fb29, duration=968411.177s, table=9, n_packets=0, n_bytes=0, priority=90,udp,reg14=0x2,metadata=0x1,dl_src=fa:16:3e:e8:dd:6b,nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 actions=resubmit(,10)
 cookie=0x120781d1, duration=968411.185s, table=9, n_packets=49, n_bytes=15332, priority=90,ip,reg14=0x2,metadata=0x1,dl_src=fa:16:3e:e8:dd:6b,nw_src=192.168.111.175 actions=resubmit(,10)
 cookie=0x2ff58c89, duration=49.356s,     table=9, n_packets=0, n_bytes=0,      priority=90,ip,reg14=0x2,metadata=0x1,dl_src=fa:16:3e:e8:dd:6b,nw_src=10.0.0.3 actions=resubmit(,10)                    
 cookie=0x1fab468e, duration=968411.188s, table=9, n_packets=0, n_bytes=0, priority=80,ip,reg14=0x2,metadata=0x1,dl_src=fa:16:3e:e8:dd:6b actions=drop
 cookie=0xfbeb7eae, duration=968411.192s, table=9, n_packets=192, n_bytes=68946, priority=0,metadata=0x1 actions=resubmit(,10)              

 table10:
 虛機(jī)發(fā)出的arp報(bào)文必須和allowed-address-pairs匹配,否則丟棄,防止arp欺騙:
 cookie=0xbf374718, duration=968411.182s, table=10, n_packets=46, n_bytes=1932, priority=90,arp,reg14=0x2,metadata=0x1,dl_src=fa:16:3e:e8:dd:6b,arp_spa=192.168.111.175,arp_sha=fa:16:3e:e8:dd:6b actions=resubmit(,11)
 cookie=0xed2936cb, duration=23433.135s, table=10, n_packets=0, n_bytes=0, priority=90,arp,reg14=0x2,metadata=0x1,dl_src=fa:16:3e:e8:dd:6b,arp_spa=10.0.0.3,arp_sha=fa:16:3e:e8:dd:6b actions=resubmit(,11)
 cookie=0xe858f8f3, duration=968411.185s, table=10, n_packets=0, n_bytes=0, priority=80,arp,reg14=0x2,metadata=0x1 actions=drop
 cookie=0x53f76439, duration=968411.188s, table=10, n_packets=195, n_bytes=82346, priority=0,metadata=0x1 actions=resubmit(,11)

 table11:
 兩個(gè)子網(wǎng)接口ingress時(shí)reg14=0x1和reg14=0x5,ovn將跳過對(duì)其進(jìn)行狀態(tài)acl:
 cookie=0x14018c1f, duration=1057442.112s, table=11, n_packets=167, n_bytes=95460, priority=110,ip,reg14=0x1,metadata=0x1 actions=resubmit(,12)
 cookie=0x3380f1d7, duration=948268.302s, table=11, n_packets=351, n_bytes=162148, priority=110,ip,reg14=0x5,metadata=0x1 actions=resubmit(,12)
 IPv6 neighbor discovery, router discovery, ICMPv4/v6 unreachable and TCP RST packets skip the stateful ACL:
 cookie=0xab9fff1, duration=968411.193s, table=11, n_packets=0, n_bytes=0, priority=110,icmp6,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0 actions=resubmit(,12)
 cookie=0xab9fff1, duration=968411.188s, table=11, n_packets=0, n_bytes=0, priority=110,icmp6,metadata=0x1,nw_ttl=255,icmp_type=134,icmp_code=0 actions=resubmit(,12)
 cookie=0xab9fff1, duration=968411.185s, table=11, n_packets=0, n_bytes=0, priority=110,icmp6,metadata=0x1,nw_ttl=255,icmp_type=133,icmp_code=0 actions=resubmit(,12)
 cookie=0xab9fff1, duration=968411.183s, table=11, n_packets=0, n_bytes=0, priority=110,icmp6,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0 actions=resubmit(,12)
 cookie=0xab9fff1, duration=968411.191s, table=11, n_packets=0, n_bytes=0, priority=110,tcp6,metadata=0x1,tcp_flags=rst actions=resubmit(,12)
 cookie=0xab9fff1, duration=968411.188s, table=11, n_packets=0, n_bytes=0, priority=110,tcp,metadata=0x1,tcp_flags=rst actions=resubmit(,12)
 cookie=0xab9fff1, duration=968411.190s, table=11, n_packets=2, n_bytes=226, priority=110,icmp,metadata=0x1,icmp_type=3 actions=resubmit(,12)
 cookie=0xab9fff1, duration=968411.181s, table=11, n_packets=0, n_bytes=0, priority=110,icmp6,metadata=0x1,icmp_type=1 actions=resubmit(,12)
 狀態(tài)acl預(yù)處理,reg0[0]賦值1(REGBIT_CONNTRACK_DEFRAG標(biāo)記ip分片重組):
 cookie=0x7d898487, duration=968411.187s, table=11, n_packets=49, n_bytes=15332, priority=100,ip,metadata=0x1 actions=load:0x1->NXM_NX_XXREG0[96],resubmit(,12)
 cookie=0x7d898487, duration=968411.182s, table=11, n_packets=0, n_bytes=0, priority=100,ipv6,metadata=0x1 actions=load:0x1->NXM_NX_XXREG0[96],resubmit(,12)
 cookie=0x293449e5, duration=968411.193s, table=11, n_packets=46, n_bytes=1932, priority=0,metadata=0x1 actions=resubmit(,12)

 table12:
 cookie=0xa4a37e36, duration=1034058.339s, table=12, n_packets=0, n_bytes=0, priority=110,icmp6,metadata=0x1,nw_ttl=255,icmp_type=133,icmp_code=0 actions=resubmit(,13)
 cookie=0xa4a37e36, duration=1034058.336s, table=12, n_packets=0, n_bytes=0, priority=110,icmp6,metadata=0x1,nw_ttl=255,icmp_type=134,icmp_code=0 actions=resubmit(,13)
 cookie=0xa4a37e36, duration=1034058.336s, table=12, n_packets=0, n_bytes=0, priority=110,icmp6,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0 actions=resubmit(,13)
 cookie=0xa4a37e36, duration=1034058.328s, table=12, n_packets=0, n_bytes=0, priority=110,icmp6,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0 actions=resubmit(,13)
 cookie=0x8c6fe364, duration=1034058.337s, table=12, n_packets=247, n_bytes=85400, priority=0,metadata=0x1 actions=resubmit(,13)

 table13:
 標(biāo)記過reg0[0]的報(bào)文納入狀態(tài)跟蹤,reg13標(biāo)記zone:
 cookie=0x24a1efe4, duration=1034058.328s, table=13, n_packets=52, n_bytes=16328, priority=100,ip,reg0=0x1/0x1,metadata=0x1 actions=ct(table=14,zone=NXM_NX_REG13[0..15])
 cookie=0x2201969c, duration=1034058.334s, table=13, n_packets=195, n_bytes=69072, priority=0,metadata=0x1 actions=resubmit(,14)

 table14:
 創(chuàng)建最高優(yōu)先級(jí)的acl,允許與已存在的狀態(tài)跟蹤相關(guān)的報(bào)文通過:
 cookie=0xf82466f5, duration=1057442.124s, table=14, n_packets=0, n_bytes=0, priority=65535,ct_state=-new-est+rel-inv+trk,ct_label=0/0x1,metadata=0x1 actions=resubmit(,15)
 創(chuàng)建最高優(yōu)先級(jí)的acl,允許已建立狀態(tài)跟蹤的回復(fù)報(bào)文通過:
 cookie=0xea74928f, duration=1057442.122s, table=14, n_packets=4, n_bytes=392, priority=65535,ct_state=-new+est-rel+rpl-inv+trk,ct_label=0/0x1,metadata=0x1 actions=resubmit(,15)
 創(chuàng)建最高優(yōu)先級(jí)的acl,丟棄無(wú)效狀態(tài)的報(bào)文:
 cookie=0xf5b4b6e8, duration=1057442.124s, table=14, n_packets=0, n_bytes=0, priority=65535,ct_state=+inv+trk,metadata=0x1 actions=drop
 cookie=0xf5b4b6e8, duration=1057442.108s, table=14, n_packets=0, n_bytes=0, priority=65535,ct_state=+est+rpl+trk,ct_label=0x1/0x1,metadata=0x1 actions=drop
 cookie=0xd4194ce2, duration=1057442.119s, table=14, n_packets=0, n_bytes=0, priority=65535,icmp6,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0 actions=resubmit(,15)
 cookie=0xd4194ce2, duration=1057442.112s, table=14, n_packets=0, n_bytes=0, priority=65535,icmp6,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0 actions=resubmit(,15)
 創(chuàng)建安全組規(guī)則的acl,允許來(lái)自該網(wǎng)卡匹配規(guī)則的報(bào)文通過:
 cookie=0x30990bd9, duration=1057442.121s, table=14, n_packets=0, n_bytes=0, priority=2002,ct_state=+new-est+trk,ipv6,reg14=0x2,metadata=0x1 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,15)
 cookie=0xd96dfb12, duration=1057442.119s, table=14, n_packets=49, n_bytes=16268, priority=2002,ct_state=+new-est+trk,ip,reg14=0x2,metadata=0x1 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,15)
 cookie=0xd96dfb12, duration=1057442.119s, table=14, n_packets=0, n_bytes=0, priority=2002,ct_state=-new+est-rpl+trk,ct_label=0x1/0x1,ip,reg14=0x2,metadata=0x1 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,15)
 cookie=0x31749d4e, duration=1057442.112s, table=14, n_packets=0, n_bytes=0, priority=2002,ct_state=-new+est-rpl+trk,ct_label=0/0x1,ip,reg14=0x2,metadata=0x1 actions=resubmit(,15)
 cookie=0x30990bd9, duration=1057442.112s, table=14, n_packets=0, n_bytes=0, priority=2002,ct_state=-new+est-rpl+trk,ct_label=0x1/0x1,ipv6,reg14=0x2,metadata=0x1 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,15)
 cookie=0x296730c6, duration=1057442.107s, table=14, n_packets=0, n_bytes=0, priority=2002,ct_state=-new+est-rpl+trk,ct_label=0/0x1,ipv6,reg14=0x2,metadata=0x1 actions=resubmit(,15)
 創(chuàng)建默認(rèn)丟棄的流表(對(duì)應(yīng)邏輯流表中inport為neutron_pg_drop的流表):
 cookie=0x3d47ccf1, duration=1057442.116s, table=14, n_packets=0, n_bytes=0, priority=2001,ct_state=+est+trk,ct_label=0x1/0x1,ipv6,reg14=0x2,metadata=0x1 actions=drop
 cookie=0x3d47ccf1, duration=1057442.108s, table=14, n_packets=0, n_bytes=0, priority=2001,ct_state=+est+trk,ct_label=0x1/0x1,ip,reg14=0x2,metadata=0x1 actions=drop
 cookie=0x3d47ccf1, duration=1057442.118s, table=14, n_packets=0, n_bytes=0, priority=2001,ct_state=-est+trk,ip,reg14=0x2,metadata=0x1 actions=drop
 cookie=0x3d47ccf1, duration=1057442.108s, table=14, n_packets=0, n_bytes=0, priority=2001,ct_state=-est+trk,ipv6,reg14=0x2,metadata=0x1 actions=drop
 
 cookie=0x1454342d, duration=1057442.124s, table=14, n_packets=0, n_bytes=0, priority=1,ct_state=+est+trk,ct_label=0x1/0x1,ipv6,metadata=0x1 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,15)
 cookie=0x1454342d, duration=1057442.121s, table=14, n_packets=0, n_bytes=0, priority=1,ct_state=+est+trk,ct_label=0x1/0x1,ip,metadata=0x1 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,15)

 cookie=0x16579627, duration=1057442.121s, table=14, n_packets=575, n_bytes=260428, priority=0,metadata=0x1 actions=resubmit(,15)
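Added example (my own, not OVS or OVN code): a small evaluator for the ct_state/ct_label match syntax used by the ls_in_acl logical flows and the table 14 OpenFlow flows above. It parses ovs-ofctl flow lines copied from that dump, plus one constructed flow (marked in the code) for a hypothetical second port reg14=0x3 that sits in neutron_pg_drop but in no security group, and selects the highest-priority matching flow for constructed packets. That shows how a new connection from the secured port is allowed and committed, how an established reply or a blocked connection is decided at priority 65535 before any security-group rule, and how the same new packet from the unsecured port hits the 2001 drop.

```python
import re

# Flows copied from the table 14 dump above.  The reg14=0x3 flow is constructed
# (cookie 0x0) to stand for a port that is only a member of neutron_pg_drop.
TABLE14_FLOWS = """\
cookie=0xf82466f5, duration=1057442.124s, table=14, n_packets=0, n_bytes=0, priority=65535,ct_state=-new-est+rel-inv+trk,ct_label=0/0x1,metadata=0x1 actions=resubmit(,15)
cookie=0xea74928f, duration=1057442.122s, table=14, n_packets=4, n_bytes=392, priority=65535,ct_state=-new+est-rel+rpl-inv+trk,ct_label=0/0x1,metadata=0x1 actions=resubmit(,15)
cookie=0xf5b4b6e8, duration=1057442.124s, table=14, n_packets=0, n_bytes=0, priority=65535,ct_state=+inv+trk,metadata=0x1 actions=drop
cookie=0xf5b4b6e8, duration=1057442.108s, table=14, n_packets=0, n_bytes=0, priority=65535,ct_state=+est+rpl+trk,ct_label=0x1/0x1,metadata=0x1 actions=drop
cookie=0xd96dfb12, duration=1057442.119s, table=14, n_packets=49, n_bytes=16268, priority=2002,ct_state=+new-est+trk,ip,reg14=0x2,metadata=0x1 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,15)
cookie=0x31749d4e, duration=1057442.112s, table=14, n_packets=0, n_bytes=0, priority=2002,ct_state=-new+est-rpl+trk,ct_label=0/0x1,ip,reg14=0x2,metadata=0x1 actions=resubmit(,15)
cookie=0x3d47ccf1, duration=1057442.118s, table=14, n_packets=0, n_bytes=0, priority=2001,ct_state=-est+trk,ip,reg14=0x2,metadata=0x1 actions=drop
cookie=0x0, duration=0.000s, table=14, n_packets=0, n_bytes=0, priority=2001,ct_state=-est+trk,ip,reg14=0x3,metadata=0x1 actions=drop
cookie=0x16579627, duration=1057442.121s, table=14, n_packets=575, n_bytes=260428, priority=0,metadata=0x1 actions=resubmit(,15)
"""

CT_FLAG_RE = re.compile(r"([+-])(\w+)")
SKIP_KEYS = {"cookie", "duration", "table", "n_packets", "n_bytes", "idle_age", "hard_age"}


def parse_flow(line):
    """Split one `ovs-ofctl dump-flows` line into a rule dict.
    '+flag' goes into ct_req (must be set), '-flag' into ct_forbid (must be clear)."""
    match_part, _, actions = line.partition(" actions=")
    rule = {"priority": 0, "ct_req": set(), "ct_forbid": set(),
            "ct_label": None, "proto": None, "fields": {}, "actions": actions.strip()}
    for tok in match_part.split(","):
        key, eq, val = tok.strip().partition("=")
        if key in SKIP_KEYS:
            continue
        if key == "priority":
            rule["priority"] = int(val)
        elif key == "ct_state":
            for sign, flag in CT_FLAG_RE.findall(val):
                (rule["ct_req"] if sign == "+" else rule["ct_forbid"]).add(flag)
        elif key == "ct_label":
            value, _, mask = val.partition("/")        # value/mask, mask optional
            rule["ct_label"] = (int(value, 0), int(mask, 0) if mask else (1 << 128) - 1)
        elif not eq:
            rule["proto"] = key                          # bare token: ip, ipv6, icmp6, ...
        else:
            rule["fields"][key] = int(val, 0)            # reg14=0x2, metadata=0x1, ...
    return rule


def flow_matches(rule, pkt):
    """pkt: {'ct': set of ct flags, 'ct_label': int, 'proto': 'ip'|'ipv6', reg14, metadata}."""
    ct = pkt.get("ct", set())
    if not rule["ct_req"] <= ct or rule["ct_forbid"] & ct:
        return False
    if rule["ct_label"] is not None:
        value, mask = rule["ct_label"]
        if pkt.get("ct_label", 0) & mask != value:
            return False
    if rule["proto"] is not None and pkt.get("proto") != rule["proto"]:
        return False
    return all(pkt.get(k) == v for k, v in rule["fields"].items())


def lookup(flows, pkt):
    """Return (priority, actions) of the highest-priority matching flow,
    as the OpenFlow pipeline selects it (first flow wins on equal priority)."""
    best = None
    for rule in flows:
        if flow_matches(rule, pkt) and (best is None or rule["priority"] > best["priority"]):
            best = rule
    return (best["priority"], best["actions"]) if best else None


FLOWS = [parse_flow(line) for line in TABLE14_FLOWS.splitlines() if line.strip()]

if __name__ == "__main__":
    # Constructed packets: only packets that passed ct() in table 13 carry +trk.
    new_from_secured = {"ct": {"new", "trk"}, "ct_label": 0, "proto": "ip", "reg14": 2, "metadata": 1}
    print("new SYN from secured port  :", lookup(FLOWS, new_from_secured))
    print("new SYN from pg_drop-only  :", lookup(FLOWS, dict(new_from_secured, reg14=3)))
    reply = {"ct": {"est", "rpl", "trk"}, "ct_label": 0, "proto": "ip", "reg14": 2, "metadata": 1}
    print("reply of established conn  :", lookup(FLOWS, reply))
    print("reply of blocked connection:", lookup(FLOWS, dict(reply, ct_label=1)))
```

The load into NXM_NX_XXREG0[97] on the winning 2002 flow is the REGBIT_CONNTRACK_COMMIT bit (reg0[1] = 1 in the logical flow), which is what later causes the connection to be committed so that its replies can match the priority-65535 established/reply flow instead of being re-evaluated against the security-group rules.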

個(gè)人分析,歡迎指正,若轉(zhuǎn)載請(qǐng)注明出處!歡迎訪問我的主頁(yè)
