Objective
Build the network topology shown above with OVS and, by configuring flow entries that use conntrack, implement the following behaviour:
1. vm1 can ping vm2
2. vm2 cannot ping vm1
Lab environment
CentOS Linux release 7.2.1511 (Core)
Build the base environment
git clone https://github.com/cao19881125/ovn_lab.git
cd ovn_lab/docker
docker build -t ovn_lab:v1 .
yum install package/openvswitch-kmod-2.7.90-1.el7.centos.x86_64.rpm
Start the container
cd ovn_lab
OVN_LAB_DIR=`pwd` docker run -it -d --privileged -v $OVN_LAB_DIR/lesson:/root/ovn_lab/lesson --name 'ovn_lab' ovn_lab:v1 bash
docker exec -it ovn_lab bash
Create the network topology
start_ovs.sh
/root/ovn_lab/lesson/list/lesson1/create_topo.sh
Add the flow entries
ovs-ofctl add-flow br-int table=0,priority=100,arp,action=normal
ovs-ofctl add-flow br-int table=0,priority=100,ip,ct_state=-trk,action=ct\(table=1\)
ovs-ofctl add-flow br-int table=1,in_port=1,ip,ct_state=+trk+new,action=ct\(commit\),2
ovs-ofctl add-flow br-int table=1,in_port=1,ip,ct_state=+trk+est,action=2
ovs-ofctl add-flow br-int table=1,in_port=2,ip,ct_state=+trk+new,action=drop
ovs-ofctl add-flow br-int table=1,in_port=2,ip,ct_state=+trk+est,action=1
Test
vm1 pings vm2
# ip netns exec vm1 ping 10.0.0.20
PING 10.0.0.20 (10.0.0.20) 56(84) bytes of data.
64 bytes from 10.0.0.20: icmp_seq=1 ttl=64 time=0.314 ms
64 bytes from 10.0.0.20: icmp_seq=2 ttl=64 time=0.217 ms
vm2 pings vm1
# ip netns exec vm2 ping 10.0.0.10 -w 3
PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data.
--- 10.0.0.10 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 2999ms
Flow table analysis
1. table=0,arp,action=normal
Lets ARP packets through using normal L2 forwarding.
2. table=0,priority=100,ip,ct_state=-trk,action=ct(table=1)
IP packets that are not yet tracked (-trk) are sent to conntrack; after processing they are resubmitted to table 1.
3. table=1,in_port=1,ip,ct_state=+trk+new,action=ct(commit),2
IP packets arriving from vm1 (port 1) in the new state are committed to conntrack and sent out port 2.
4. table=1,in_port=1,ip,ct_state=+trk+est,action=2
Packets arriving from vm1 in the established state are sent out port 2.
5. table=1,in_port=2,ip,ct_state=+trk+new,action=drop
Packets arriving from vm2 (port 2) in the new state are dropped directly.
6. table=1,in_port=2,ip,ct_state=+trk+est,action=1
Packets arriving from vm2 in the established state are sent out port 1.
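As an added illustration (not part of the original lab), the following Python model of the six flows above replays the two ping tests and shows why the echo reply from vm2 is forwarded as +est while a fresh echo request from vm2 is dropped as +new. The names Pipeline, ct_key and icmp_echo are my own; the model keys conntrack by a direction-independent tuple (the ICMP echo identifier stands in for the port pair) and ignores the +rel/+inv states and entry timeouts.

```python
def ct_key(pkt):
    # Direction-independent key: a request and its reply map to the same entry.
    # For ICMP echo the identifier is used in place of the port pair.
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return (pkt["proto"],) + (a + b if a <= b else b + a)


class Pipeline:
    def __init__(self):
        self.conntrack = set()  # connections recorded by ct(commit)

    def send(self, in_port, pkt):
        """Return the fate of one packet: 'normal', 'out:1', 'out:2' or 'drop'."""
        # table=0, arp, action=normal: ARP bypasses conntrack entirely
        if pkt["proto"] == "arp":
            return "normal"
        # table=0, ip, ct_state=-trk -> ct(table=1): the packet becomes +trk and is
        # classified +est if its key is already committed, otherwise +new
        est = ct_key(pkt) in self.conntrack
        # table=1: port 1 (vm1) may open connections, port 2 (vm2) may not
        if in_port == 1:
            if not est:
                self.conntrack.add(ct_key(pkt))  # ct(commit) on +trk+new
            return "out:2"
        if in_port == 2:
            return "out:1" if est else "drop"
        return "drop"  # no flow matches (table miss modelled as drop)


def icmp_echo(src, dst, ident):
    # Constructed sample packet: ICMP echo with the given identifier
    return {"proto": "icmp", "src": src, "dst": dst, "sport": ident, "dport": ident}


def run_scenario():
    """Replay the lab's ping tests against the model and return each packet's fate."""
    p = Pipeline()
    vm1, vm2 = "10.0.0.10", "10.0.0.20"
    return [
        p.send(1, icmp_echo(vm1, vm2, 1)),  # vm1 -> vm2 request: +new, committed
        p.send(2, icmp_echo(vm2, vm1, 1)),  # vm2 -> vm1 reply: +est, allowed back
        p.send(2, icmp_echo(vm2, vm1, 2)),  # vm2 -> vm1 new request: dropped
        p.send(1, icmp_echo(vm1, vm2, 3)),  # another vm1 -> vm2 request
        p.send(2, {"proto": "arp", "src": vm2, "dst": vm1, "sport": 0, "dport": 0}),
    ]


if __name__ == "__main__":
    print(run_scenario())  # ['out:2', 'out:1', 'drop', 'out:2', 'normal']
```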