ovs conntrack based firewall driver (by quqi99)

Author: Zhang Hua  Published: 2016-04-20
Copyright notice: this article may be freely reproduced; when reproducing it, please mark the original source and author information as a hyperlink together with this copyright notice.

( http://blog.csdn.net/quqi99 )

As we know, the Neutron security group feature is implemented with iptables. iptables rules can only be applied on a Linux bridge, not on an OVS bridge, so an extra Linux bridge (qbr-xxx) is inserted between the VM port and ovs br-int, which hurts performance considerably. Now openvswitch 2.5 (requires Linux kernel 4.3+; sudo add-apt-repository cloud-archive:mitaka && sudo apt-get install openvswitch-switch) supports conntrack, and Neutron implemented this feature in Mitaka [1]. After creating two VMs, the flow tables look as follows; explanations are in the inline comments.

 cookie=0xb7d7ed46110fd50e, duration=10510.153s, table=0, n_packets=6, n_bytes=582, idle_age=886, priority=2,in_port=1 actions=drop

# Table 0 is the classification table. reg5 stores the port_id (egress traffic is identified by port_id, ingress traffic by mac_address; egress and ingress are relative to the VM), and reg6 stores the conntrack zone, so that different ports which happen to have identical conntrack tuples are kept apart. Egress traffic goes to table 71, ingress traffic to table 81.
 cookie=0xb7d7ed46110fd50e, duration=10155.140s, table=0, n_packets=25, n_bytes=2332, idle_age=9619, priority=100,in_port=13 actions=load:0xd->NXM_NX_REG5[],load:0x1->NXM_NX_REG6[],resubmit(,71)
 cookie=0xb7d7ed46110fd50e, duration=10155.041s, table=0, n_packets=97, n_bytes=12752, idle_age=9617, priority=100,in_port=10 actions=load:0xa->NXM_NX_REG5[],load:0x1->NXM_NX_REG6[],resubmit(,71)
 cookie=0xb7d7ed46110fd50e, duration=10155.140s, table=0, n_packets=12, n_bytes=1489, idle_age=10143, priority=90,dl_dst=fa:16:3e:e9:f9:c8 actions=load:0xd->NXM_NX_REG5[],load:0x1->NXM_NX_REG6[],resubmit(,81)
 cookie=0xb7d7ed46110fd50e, duration=10155.040s, table=0, n_packets=118, n_bytes=21821, idle_age=9617, priority=90,dl_dst=fa:16:3e:5c:25:9d actions=load:0xa->NXM_NX_REG5[],load:0x1->NXM_NX_REG6[],resubmit(,81)

# For traffic towards the VMs that enters br-int from int-br-phy (an OVS patch port between br-int and br-phy), rewrite vlan 1053 to local vlan 1.
 cookie=0xb7d7ed46110fd50e, duration=10447.209s, table=0, n_packets=0, n_bytes=0, idle_age=10447, priority=3,in_port=1,dl_vlan=1053 actions=mod_vlan_vid:1,NORMAL
 cookie=0xb7d7ed46110fd50e, duration=10510.260s, table=0, n_packets=19, n_bytes=1554, idle_age=10383, priority=0 actions=NORMAL
 cookie=0xb7d7ed46110fd50e, duration=10510.252s, table=23, n_packets=0, n_bytes=0, idle_age=10510, priority=0 actions=drop
 cookie=0xb7d7ed46110fd50e, duration=10510.244s, table=24, n_packets=0, n_bytes=0, idle_age=10510, priority=0 actions=drop

# Allow ICMPv6 traffic for multicast listeners, neighbour solicitation and neighbour advertisement for egress flow.
 cookie=0xb7d7ed46110fd50e, duration=10155.140s, table=71, n_packets=0, n_bytes=0, idle_age=10155, priority=95,icmp6,reg5=0xd,in_port=13,icmp_type=130 actions=NORMAL
 cookie=0xb7d7ed46110fd50e, duration=10155.140s, table=71, n_packets=0, n_bytes=0, idle_age=10155, priority=95,icmp6,reg5=0xd,in_port=13,icmp_type=131 actions=NORMAL
 cookie=0xb7d7ed46110fd50e, duration=10155.139s, table=71, n_packets=0, n_bytes=0, idle_age=10155, priority=95,icmp6,reg5=0xd,in_port=13,icmp_type=132 actions=NORMAL
 cookie=0xb7d7ed46110fd50e, duration=10155.139s, table=71, n_packets=1, n_bytes=78, idle_age=10147, priority=95,icmp6,reg5=0xd,in_port=13,icmp_type=135 actions=NORMAL
 cookie=0xb7d7ed46110fd50e, duration=10155.139s, table=71, n_packets=0, n_bytes=0, idle_age=10155, priority=95,icmp6,reg5=0xd,in_port=13,icmp_type=136 actions=NORMAL
 cookie=0xb7d7ed46110fd50e, duration=10155.040s, table=71, n_packets=0, n_bytes=0, idle_age=10155, priority=95,icmp6,reg5=0xa,in_port=10,icmp_type=130 actions=NORMAL
 cookie=0xb7d7ed46110fd50e, duration=10155.039s, table=71, n_packets=0, n_bytes=0, idle_age=10155, priority=95,icmp6,reg5=0xa,in_port=10,icmp_type=131 actions=NORMAL
 cookie=0xb7d7ed46110fd50e, duration=10155.039s, table=71, n_packets=0, n_bytes=0, idle_age=10155, priority=95,icmp6,reg5=0xa,in_port=10,icmp_type=132 actions=NORMAL
 cookie=0xb7d7ed46110fd50e, duration=10155.039s, table=71, n_packets=0, n_bytes=0, idle_age=10155, priority=95,icmp6,reg5=0xa,in_port=10,icmp_type=135 actions=NORMAL
 cookie=0xb7d7ed46110fd50e, duration=10155.039s, table=71, n_packets=0, n_bytes=0, idle_age=10155, priority=95,icmp6,reg5=0xa,in_port=10,icmp_type=136 actions=NORMAL

# In table 71, apply ARP spoofing protection to traffic leaving the VM: only the port's own MAC and IP may appear as ARP sender.
 cookie=0xb7d7ed46110fd50e, duration=10155.139s, table=71, n_packets=7, n_bytes=294, idle_age=9619, priority=95,arp,reg5=0xd,in_port=13,dl_src=fa:16:3e:e9:f9:c8,arp_spa=10.0.1.8 actions=NORMAL
 cookie=0xb7d7ed46110fd50e, duration=10155.039s, table=71, n_packets=7, n_bytes=294, idle_age=9617, priority=95,arp,reg5=0xa,in_port=10,dl_src=fa:16:3e:5c:25:9d,arp_spa=10.0.1.7 actions=NORMAL

# Allow traffic on ports 68, 67, 546, 547 (DHCP, DHCPv6, SLAAC, NDP) to leave the VM, but DHCP servers running on instances are blocked (server-to-client direction is dropped).
 cookie=0xb7d7ed46110fd50e, duration=10155.138s, table=71, n_packets=2, n_bytes=668, idle_age=10148, priority=80,udp,reg5=0xd,in_port=13,tp_src=68,tp_dst=67 actions=resubmit(,73)
 cookie=0xb7d7ed46110fd50e, duration=10155.138s, table=71, n_packets=0, n_bytes=0, idle_age=10155, priority=80,udp6,reg5=0xd,in_port=13,tp_src=546,tp_dst=547 actions=resubmit(,73)
 cookie=0xb7d7ed46110fd50e, duration=10155.137s, table=71, n_packets=0, n_bytes=0, idle_age=10155, priority=70,udp,reg5=0xd,in_port=13,tp_src=67,tp_dst=68 actions=drop
 cookie=0xb7d7ed46110fd50e, duration=10155.137s, table=71, n_packets=0, n_bytes=0, idle_age=10155, priority=70,udp6,reg5=0xd,in_port=13,tp_src=547,tp_dst=546 actions=drop
 cookie=0xb7d7ed46110fd50e, duration=10155.038s, table=71, n_packets=0, n_bytes=0, idle_age=10155, priority=80,udp,reg5=0xa,in_port=10,tp_src=68,tp_dst=67 actions=resubmit(,73)
 cookie=0xb7d7ed46110fd50e, duration=10155.038s, table=71, n_packets=0, n_bytes=0, idle_age=10155, priority=80,udp6,reg5=0xa,in_port=10,tp_src=546,tp_dst=547 actions=resubmit(,73)
 cookie=0xb7d7ed46110fd50e, duration=10155.037s, table=71, n_packets=0, n_bytes=0, idle_age=10155, priority=70,udp,reg5=0xa,in_port=10,tp_src=67,tp_dst=68 actions=drop
 cookie=0xb7d7ed46110fd50e, duration=10155.037s, table=71, n_packets=0, n_bytes=0, idle_age=10155, priority=70,udp6,reg5=0xa,in_port=10,tp_src=547,tp_dst=546 actions=drop

# Egress traffic in -trk state (matched on the VM's own IP + MAC) is passed through the kernel conntrack via ct() in the zone taken from reg6 and continues in table 72; all other egress traffic is dropped.
 cookie=0xb7d7ed46110fd50e, duration=10155.138s, table=71, n_packets=10, n_bytes=902, idle_age=9619, priority=65,ct_state=-trk,ip,reg5=0xd,in_port=13,dl_src=fa:16:3e:e9:f9:c8,nw_src=10.0.1.8 actions=ct(table=72,zone=NXM_NX_REG6[0..15])
 cookie=0xb7d7ed46110fd50e, duration=10155.039s, table=71, n_packets=90, n_bytes=12458, idle_age=9619, priority=65,ct_state=-trk,ip,reg5=0xa,in_port=10,dl_src=fa:16:3e:5c:25:9d,nw_src=10.0.1.7 actions=ct(table=72,zone=NXM_NX_REG6[0..15])
 cookie=0xb7d7ed46110fd50e, duration=10155.138s, table=71, n_packets=4, n_bytes=300, idle_age=10138, priority=65,ct_state=-trk,ipv6,reg5=0xd,in_port=13,dl_src=fa:16:3e:e9:f9:c8,ipv6_src=fe80::f816:3eff:fee9:f9c8 actions=ct(table=72,zone=NXM_NX_REG6[0..15])
 cookie=0xb7d7ed46110fd50e, duration=10155.038s, table=71, n_packets=0, n_bytes=0, idle_age=10155, priority=65,ct_state=-trk,ipv6,reg5=0xa,in_port=10,dl_src=fa:16:3e:5c:25:9d,ipv6_src=fe80::f816:3eff:fe5c:259d actions=ct(table=72,zone=NXM_NX_REG6[0..15])
 cookie=0xb7d7ed46110fd50e, duration=10155.136s, table=71, n_packets=1, n_bytes=90, idle_age=10148, priority=10,ct_state=-trk,reg5=0xd,in_port=13 actions=drop
 cookie=0xb7d7ed46110fd50e, duration=10155.037s, table=71, n_packets=0, n_bytes=0, idle_age=10155, priority=10,ct_state=-trk,reg5=0xa,in_port=10 actions=drop
 cookie=0xb7d7ed46110fd50e, duration=10509.934s, table=71, n_packets=0, n_bytes=0, idle_age=10509, priority=0 actions=drop

# Table 72 accepts egress traffic in established (+est-rel-rpl), related (-new-est+rel-inv, +est-rel+rpl) or new (+new-est) state and drops invalid traffic (+inv+trk, ct_mark=0x1). The user-defined security group rules are also implemented here.
 cookie=0xb7d7ed46110fd50e, duration=10155.129s, table=72, n_packets=0, n_bytes=0, idle_age=10155, priority=70,ct_state=+est-rel-rpl,ipv6,reg5=0xd,dl_src=fa:16:3e:e9:f9:c8 actions=resubmit(,73)
 cookie=0xb7d7ed46110fd50e, duration=10155.129s, table=72, n_packets=0, n_bytes=0, idle_age=10155, priority=70,ct_state=+est-rel-rpl,ip,reg5=0xd,dl_src=fa:16:3e:e9:f9:c8 actions=resubmit(,73)
 cookie=0xb7d7ed46110fd50e, duration=10155.029s, table=72, n_packets=0, n_bytes=0, idle_age=10155, priority=70,ct_state=+est-rel-rpl,ipv6,reg5=0xa,dl_src=fa:16:3e:5c:25:9d actions=resubmit(,73)
 cookie=0xb7d7ed46110fd50e, duration=10155.028s, table=72, n_packets=0, n_bytes=0, idle_age=10155, priority=70,ct_state=+est-rel-rpl,ip,reg5=0xa,dl_src=fa:16:3e:5c:25:9d actions=resubmit(,73)
 cookie=0xb7d7ed46110fd50e, duration=10155.129s, table=72, n_packets=4, n_bytes=300, idle_age=10138, priority=70,ct_state=+new-est,ipv6,reg5=0xd,dl_src=fa:16:3e:e9:f9:c8 actions=resubmit(,73)
 cookie=0xb7d7ed46110fd50e, duration=10155.129s, table=72, n_packets=7, n_bytes=608, idle_age=10148, priority=70,ct_state=+new-est,ip,reg5=0xd,dl_src=fa:16:3e:e9:f9:c8 actions=resubmit(,73)
 cookie=0xb7d7ed46110fd50e, duration=10155.029s, table=72, n_packets=0, n_bytes=0, idle_age=10155, priority=70,ct_state=+new-est,ipv6,reg5=0xa,dl_src=fa:16:3e:5c:25:9d actions=resubmit(,73)
 cookie=0xb7d7ed46110fd50e, duration=10155.028s, table=72, n_packets=3, n_bytes=294, idle_age=9619, priority=70,ct_state=+new-est,ip,reg5=0xa,dl_src=fa:16:3e:5c:25:9d actions=resubmit(,73)
 cookie=0xb7d7ed46110fd50e, duration=10155.031s, table=72, n_packets=0, n_bytes=0, idle_age=10155, priority=50,ct_state=+inv+trk actions=drop
 cookie=0xb7d7ed46110fd50e, duration=10155.131s, table=72, n_packets=0, n_bytes=0, idle_age=10155, priority=50,ct_mark=0x1,reg5=0xd actions=drop
 cookie=0xb7d7ed46110fd50e, duration=10155.031s, table=72, n_packets=0, n_bytes=0, idle_age=10155, priority=50,ct_mark=0x1,reg5=0xa actions=drop
 cookie=0xb7d7ed46110fd50e, duration=10155.131s, table=72, n_packets=3, n_bytes=294, idle_age=9619, priority=50,ct_state=+est-rel+rpl,ct_zone=1,ct_mark=0,reg5=0xd actions=NORMAL
 cookie=0xb7d7ed46110fd50e, duration=10155.031s, table=72, n_packets=87, n_bytes=12164, idle_age=9619, priority=50,ct_state=+est-rel+rpl,ct_zone=1,ct_mark=0,reg5=0xa actions=NORMAL
 cookie=0xb7d7ed46110fd50e, duration=10155.130s, table=72, n_packets=0, n_bytes=0, idle_age=10155, priority=50,ct_state=-new-est+rel-inv,ct_zone=1,ct_mark=0,reg5=0xd actions=NORMAL
 cookie=0xb7d7ed46110fd50e, duration=10155.030s, table=72, n_packets=0, n_bytes=0, idle_age=10155, priority=50,ct_state=-new-est+rel-inv,ct_zone=1,ct_mark=0,reg5=0xa actions=NORMAL

# The following priority 40 flows handle egress traffic that matched none of the flows above. Non-established traffic is dropped; established connections are marked (ct_mark=1), which means they no longer have an accepting security group rule, so their later packets are dropped by the ct_mark=0x1 flows above.
 cookie=0xb7d7ed46110fd50e, duration=10155.130s, table=72, n_packets=0, n_bytes=0, idle_age=10155, priority=40,ct_state=-est,reg5=0xd actions=drop
 cookie=0xb7d7ed46110fd50e, duration=10155.130s, table=72, n_packets=0, n_bytes=0, idle_age=10155, priority=40,ct_state=+est,reg5=0xd actions=ct(commit,zone=NXM_NX_REG6[0..15],exec(load:0x1->NXM_NX_CT_MARK[]))
 cookie=0xb7d7ed46110fd50e, duration=10155.030s, table=72, n_packets=0, n_bytes=0, idle_age=10155, priority=40,ct_state=-est,reg5=0xa actions=drop
 cookie=0xb7d7ed46110fd50e, duration=10155.030s, table=72, n_packets=0, n_bytes=0, idle_age=10155, priority=40,ct_state=+est,reg5=0xa actions=ct(commit,zone=NXM_NX_REG6[0..15],exec(load:0x1->NXM_NX_CT_MARK[]))
 cookie=0xb7d7ed46110fd50e, duration=10509.925s, table=72, n_packets=0, n_bytes=0, idle_age=10509, priority=0 actions=drop
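As an added example (not code from the original post or from Neutron), the following Python parses the table 72 flows above for the port with reg5=0xd exactly as ovs-ofctl prints them and resolves the highest-priority match for a packet with a given conntrack state. It interprets only the match fields that appear on this page, and it shows what happens once the accepting +est-rel-rpl flow is removed: the connection falls through to the priority 40 +est flow, gets ct_mark=1, and its later packets hit the ct_mark=0x1 drop.

```python
import re

# Table 72 flows for the port with reg5=0xd, copied verbatim from the dump above.
DUMP = """
 cookie=0xb7d7ed46110fd50e, duration=10155.129s, table=72, n_packets=0, n_bytes=0, idle_age=10155, priority=70,ct_state=+est-rel-rpl,ip,reg5=0xd,dl_src=fa:16:3e:e9:f9:c8 actions=resubmit(,73)
 cookie=0xb7d7ed46110fd50e, duration=10155.129s, table=72, n_packets=7, n_bytes=608, idle_age=10148, priority=70,ct_state=+new-est,ip,reg5=0xd,dl_src=fa:16:3e:e9:f9:c8 actions=resubmit(,73)
 cookie=0xb7d7ed46110fd50e, duration=10155.031s, table=72, n_packets=0, n_bytes=0, idle_age=10155, priority=50,ct_state=+inv+trk actions=drop
 cookie=0xb7d7ed46110fd50e, duration=10155.131s, table=72, n_packets=0, n_bytes=0, idle_age=10155, priority=50,ct_mark=0x1,reg5=0xd actions=drop
 cookie=0xb7d7ed46110fd50e, duration=10155.131s, table=72, n_packets=3, n_bytes=294, idle_age=9619, priority=50,ct_state=+est-rel+rpl,ct_zone=1,ct_mark=0,reg5=0xd actions=NORMAL
 cookie=0xb7d7ed46110fd50e, duration=10155.130s, table=72, n_packets=0, n_bytes=0, idle_age=10155, priority=50,ct_state=-new-est+rel-inv,ct_zone=1,ct_mark=0,reg5=0xd actions=NORMAL
 cookie=0xb7d7ed46110fd50e, duration=10155.130s, table=72, n_packets=0, n_bytes=0, idle_age=10155, priority=40,ct_state=-est,reg5=0xd actions=drop
 cookie=0xb7d7ed46110fd50e, duration=10155.130s, table=72, n_packets=0, n_bytes=0, idle_age=10155, priority=40,ct_state=+est,reg5=0xd actions=ct(commit,zone=NXM_NX_REG6[0..15],exec(load:0x1->NXM_NX_CT_MARK[]))
 cookie=0xb7d7ed46110fd50e, duration=10509.925s, table=72, n_packets=0, n_bytes=0, idle_age=10509, priority=0 actions=drop
"""

COUNTERS = {"cookie", "duration", "n_packets", "n_bytes", "idle_age", "hard_age"}
NUMERIC = {"reg5", "reg6", "in_port", "ct_mark", "ct_zone", "tp_src", "tp_dst"}
CT_FLAG_RE = re.compile(r"([+-])(new|est|rel|rpl|inv|trk|snat|dnat)")


def parse_flow(line):
    """One dump-flows line -> table, priority, match fields, protocol keywords, actions."""
    match_part, actions = line.strip().split(" actions=", 1)
    flow = {"table": 0, "priority": 32768, "match": {}, "protos": set(), "actions": actions}
    for token in filter(None, (t.strip() for t in match_part.split(","))):
        key, _, val = token.partition("=")
        if not val:                      # bare protocol keyword: ip, ipv6, tcp, udp, icmp, arp
            flow["protos"].add(key)
        elif key in ("table", "priority"):
            flow[key] = int(val)
        elif key in NUMERIC:             # "0x16/0xfffe" -> (value, mask); unmasked -> all ones
            value, _, mask = val.partition("/")
            flow["match"][key] = (int(value, 0), int(mask, 0) if mask else -1)
        elif key not in COUNTERS:        # ct_state, dl_src, nw_src ... are kept as strings
            flow["match"][key] = val
    return flow


def parse_ct_state(spec):
    """'+est-rel+rpl' -> ({'est', 'rpl'}, {'rel'}): flags that must be set / must be clear."""
    need, forbid = set(), set()
    for sign, flag in CT_FLAG_RE.findall(spec):
        (need if sign == "+" else forbid).add(flag)
    return need, forbid


def flow_matches(flow, pkt):
    """pkt carries 'protos' and 'ct_state' as sets plus plain field values (ints/strings)."""
    if not flow["protos"] <= pkt["protos"]:
        return False
    for key, want in flow["match"].items():
        if key == "ct_state":
            need, forbid = parse_ct_state(want)
            if not need <= pkt["ct_state"] or forbid & pkt["ct_state"]:
                return False
        elif isinstance(want, tuple):    # numeric, possibly masked: (pkt & mask) == value
            if (pkt.get(key, 0) & want[1]) != want[0]:
                return False
        elif pkt.get(key) != want:
            return False
    return True


def lookup(flows, table, pkt):
    """Action string of the highest-priority flow in `table` matching pkt (None if no hit)."""
    hits = [f for f in flows if f["table"] == table and flow_matches(f, pkt)]
    return max(hits, key=lambda f: f["priority"])["actions"] if hits else None


def egress_decision(ct_state, ct_mark=0, dump=DUMP):
    """Table 72 verdict for an IPv4 packet leaving the VM on reg5=0xd in conntrack zone 1."""
    flows = [parse_flow(line) for line in dump.strip().splitlines()]
    pkt = {"protos": {"ip"}, "ct_state": set(ct_state), "reg5": 0xd, "ct_zone": 1,
           "ct_mark": ct_mark, "dl_src": "fa:16:3e:e9:f9:c8"}
    return lookup(flows, 72, pkt)
```

Passing `dump` with the `+est-rel-rpl` line removed simulates deleting the VM's egress security group rule while a connection is open.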

# Table 73: accepted egress traffic whose destination MAC is another local VM port is handed to that port's ingress pipeline (reg5 is reloaded with the destination port and the packet goes to table 81); otherwise a new connection is committed to conntrack and the packet is forwarded with NORMAL.
 cookie=0xb7d7ed46110fd50e, duration=10155.136s, table=73, n_packets=3, n_bytes=294, idle_age=9619, priority=100,dl_dst=fa:16:3e:e9:f9:c8 actions=load:0xd->NXM_NX_REG5[],resubmit(,81)
 cookie=0xb7d7ed46110fd50e, duration=10155.037s, table=73, n_packets=0, n_bytes=0, idle_age=10155, priority=100,dl_dst=fa:16:3e:5c:25:9d actions=load:0xa->NXM_NX_REG5[],resubmit(,81)
 cookie=0xb7d7ed46110fd50e, duration=10155.136s, table=73, n_packets=11, n_bytes=908, idle_age=10138, priority=90,ct_state=+new-est,reg5=0xd actions=ct(commit,zone=NXM_NX_REG6[0..15]),NORMAL
 cookie=0xb7d7ed46110fd50e, duration=10155.036s, table=73, n_packets=0, n_bytes=0, idle_age=10155, priority=90,ct_state=+new-est,reg5=0xa actions=ct(commit,zone=NXM_NX_REG6[0..15]),NORMAL
 cookie=0xb7d7ed46110fd50e, duration=10155.136s, table=73, n_packets=2, n_bytes=668, idle_age=10148, priority=80,reg5=0xd actions=NORMAL
 cookie=0xb7d7ed46110fd50e, duration=10155.036s, table=73, n_packets=0, n_bytes=0, idle_age=10155, priority=80,reg5=0xa actions=NORMAL
 cookie=0xb7d7ed46110fd50e, duration=10509.917s, table=73, n_packets=0, n_bytes=0, idle_age=10509, priority=0 actions=drop

# Table 81 is for ingress traffic; it accepts ARP replies, ICMPv6 (multicast listener and neighbour discovery) and UDP (DHCP/DHCPv6 server) responses towards the VM.
 cookie=0xb7d7ed46110fd50e, duration=10155.135s, table=81, n_packets=3, n_bytes=126, idle_age=10143, priority=100,arp,reg5=0xd,dl_dst=fa:16:3e:e9:f9:c8 actions=strip_vlan,output:13
 cookie=0xb7d7ed46110fd50e, duration=10155.035s, table=81, n_packets=3, n_bytes=126, idle_age=9617, priority=100,arp,reg5=0xa,dl_dst=fa:16:3e:5c:25:9d actions=strip_vlan,output:10
 cookie=0xb7d7ed46110fd50e, duration=10155.135s, table=81, n_packets=0, n_bytes=0, idle_age=10155, priority=100,icmp6,reg5=0xd,dl_dst=fa:16:3e:e9:f9:c8,icmp_type=130 actions=strip_vlan,output:13
 cookie=0xb7d7ed46110fd50e, duration=10155.135s, table=81, n_packets=0, n_bytes=0, idle_age=10155, priority=100,icmp6,reg5=0xd,dl_dst=fa:16:3e:e9:f9:c8,icmp_type=131 actions=strip_vlan,output:13
 cookie=0xb7d7ed46110fd50e, duration=10155.135s, table=81, n_packets=0, n_bytes=0, idle_age=10155, priority=100,icmp6,reg5=0xd,dl_dst=fa:16:3e:e9:f9:c8,icmp_type=132 actions=strip_vlan,output:13
 cookie=0xb7d7ed46110fd50e, duration=10155.135s, table=81, n_packets=0, n_bytes=0, idle_age=10155, priority=100,icmp6,reg5=0xd,dl_dst=fa:16:3e:e9:f9:c8,icmp_type=135 actions=strip_vlan,output:13
 cookie=0xb7d7ed46110fd50e, duration=10155.134s, table=81, n_packets=0, n_bytes=0, idle_age=10155, priority=100,icmp6,reg5=0xd,dl_dst=fa:16:3e:e9:f9:c8,icmp_type=136 actions=strip_vlan,output:13
 cookie=0xb7d7ed46110fd50e, duration=10155.035s, table=81, n_packets=0, n_bytes=0, idle_age=10155, priority=100,icmp6,reg5=0xa,dl_dst=fa:16:3e:5c:25:9d,icmp_type=130 actions=strip_vlan,output:10
 cookie=0xb7d7ed46110fd50e, duration=10155.035s, table=81, n_packets=0, n_bytes=0, idle_age=10155, priority=100,icmp6,reg5=0xa,dl_dst=fa:16:3e:5c:25:9d,icmp_type=131 actions=strip_vlan,output:10
 cookie=0xb7d7ed46110fd50e, duration=10155.034s, table=81, n_packets=0, n_bytes=0, idle_age=10155, priority=100,icmp6,reg5=0xa,dl_dst=fa:16:3e:5c:25:9d,icmp_type=132 actions=strip_vlan,output:10
 cookie=0xb7d7ed46110fd50e, duration=10155.033s, table=81, n_packets=0, n_bytes=0, idle_age=10155, priority=100,icmp6,reg5=0xa,dl_dst=fa:16:3e:5c:25:9d,icmp_type=135 actions=strip_vlan,output:10
 cookie=0xb7d7ed46110fd50e, duration=10155.033s, table=81, n_packets=0, n_bytes=0, idle_age=10155, priority=100,icmp6,reg5=0xa,dl_dst=fa:16:3e:5c:25:9d,icmp_type=136 actions=strip_vlan,output:10
 cookie=0xb7d7ed46110fd50e, duration=10155.133s, table=81, n_packets=2, n_bytes=755, idle_age=10148, priority=95,udp,reg5=0xd,tp_src=67,tp_dst=68 actions=strip_vlan,output:13
 cookie=0xb7d7ed46110fd50e, duration=10155.133s, table=81, n_packets=0, n_bytes=0, idle_age=10155, priority=95,udp6,reg5=0xd,tp_src=547,tp_dst=546 actions=strip_vlan,output:13
 cookie=0xb7d7ed46110fd50e, duration=10155.033s, table=81, n_packets=0, n_bytes=0, idle_age=10155, priority=95,udp,reg5=0xa,tp_src=67,tp_dst=68 actions=strip_vlan,output:10
 cookie=0xb7d7ed46110fd50e, duration=10155.033s, table=81, n_packets=0, n_bytes=0, idle_age=10155, priority=95,udp6,reg5=0xa,tp_src=547,tp_dst=546 actions=strip_vlan,output:10

# Table 81 also identifies not-yet-tracked ingress connections and passes them through conntrack into table 82; already tracked ingress traffic is resubmitted to table 82 directly.
 cookie=0xb7d7ed46110fd50e, duration=10155.133s, table=81, n_packets=7, n_bytes=608, idle_age=10148, priority=90,ct_state=-trk,ip,reg5=0xd actions=ct(table=82,zone=NXM_NX_REG6[0..15])
 cookie=0xb7d7ed46110fd50e, duration=10155.133s, table=81, n_packets=0, n_bytes=0, idle_age=10155, priority=90,ct_state=-trk,ipv6,reg5=0xd actions=ct(table=82,zone=NXM_NX_REG6[0..15])
 cookie=0xb7d7ed46110fd50e, duration=10155.033s, table=81, n_packets=115, n_bytes=21695, idle_age=9619, priority=90,ct_state=-trk,ip,reg5=0xa actions=ct(table=82,zone=NXM_NX_REG6[0..15])
 cookie=0xb7d7ed46110fd50e, duration=10155.032s, table=81, n_packets=0, n_bytes=0, idle_age=10155, priority=90,ct_state=-trk,ipv6,reg5=0xa actions=ct(table=82,zone=NXM_NX_REG6[0..15])
 cookie=0xb7d7ed46110fd50e, duration=10155.132s, table=81, n_packets=3, n_bytes=294, idle_age=9619, priority=80,ct_state=+trk,reg5=0xd,dl_dst=fa:16:3e:e9:f9:c8 actions=resubmit(,82)
 cookie=0xb7d7ed46110fd50e, duration=10155.032s, table=81, n_packets=0, n_bytes=0, idle_age=10155, priority=80,ct_state=+trk,reg5=0xa,dl_dst=fa:16:3e:5c:25:9d actions=resubmit(,82)
 cookie=0xb7d7ed46110fd50e, duration=10509.910s, table=81, n_packets=0, n_bytes=0, idle_age=10509, priority=0 actions=drop

# Table 82 accepts ingress traffic in new (+new-est), established (+est-rel-rpl, +est) and related (+est-rel+rpl, -new-est+rel-inv) state. It also holds the user-defined rules, such as the one created by (nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0).
 cookie=0xb7d7ed46110fd50e, duration=10155.130s, table=82, n_packets=0, n_bytes=0, idle_age=10155, priority=70,ct_state=+est-rel-rpl,tcp,reg5=0xd,dl_dst=fa:16:3e:e9:f9:c8,tp_dst=0x16/0xfffe actions=strip_vlan,output:13
 cookie=0xb7d7ed46110fd50e, duration=10155.030s, table=82, n_packets=112, n_bytes=21473, idle_age=9619, priority=70,ct_state=+est-rel-rpl,tcp,reg5=0xa,dl_dst=fa:16:3e:5c:25:9d,tp_dst=0x16/0xfffe actions=strip_vlan,output:10
 cookie=0xb7d7ed46110fd50e, duration=10155.130s, table=82, n_packets=0, n_bytes=0, idle_age=10155, priority=70,ct_state=+new-est,tcp,reg5=0xd,dl_dst=fa:16:3e:e9:f9:c8,tp_dst=0x16/0xfffe actions=ct(commit,zone=NXM_NX_REG6[0..15]),strip_vlan,output:13
 cookie=0xb7d7ed46110fd50e, duration=10155.030s, table=82, n_packets=3, n_bytes=222, idle_age=9622, priority=70,ct_state=+new-est,tcp,reg5=0xa,dl_dst=fa:16:3e:5c:25:9d,tp_dst=0x16/0xfffe actions=ct(commit,zone=NXM_NX_REG6[0..15]),strip_vlan,output:10
 cookie=0xb7d7ed46110fd50e, duration=10155.129s, table=82, n_packets=0, n_bytes=0, idle_age=10155, priority=70,ct_state=+est-rel-rpl,icmp,reg5=0xd,dl_dst=fa:16:3e:e9:f9:c8 actions=strip_vlan,output:13
 cookie=0xb7d7ed46110fd50e, duration=10155.028s, table=82, n_packets=0, n_bytes=0, idle_age=10155, priority=70,ct_state=+est-rel-rpl,icmp,reg5=0xa,dl_dst=fa:16:3e:5c:25:9d actions=strip_vlan,output:10
 cookie=0xb7d7ed46110fd50e, duration=10155.129s, table=82, n_packets=3, n_bytes=294, idle_age=9619, priority=70,ct_state=+new-est,icmp,reg5=0xd,dl_dst=fa:16:3e:e9:f9:c8 actions=ct(commit,zone=NXM_NX_REG6[0..15]),strip_vlan,output:13
 cookie=0xb7d7ed46110fd50e, duration=10155.028s, table=82, n_packets=0, n_bytes=0, idle_age=10155, priority=70,ct_state=+new-est,icmp,reg5=0xa,dl_dst=fa:16:3e:5c:25:9d actions=ct(commit,zone=NXM_NX_REG6[0..15]),strip_vlan,output:10
 cookie=0xb7d7ed46110fd50e, duration=10155.128s, table=82, n_packets=0, n_bytes=0, idle_age=10155, priority=70,ct_state=+est-rel-rpl,ip,reg5=0xd,dl_dst=fa:16:3e:e9:f9:c8,nw_src=10.0.1.7 actions=strip_vlan,output:13
 cookie=0xb7d7ed46110fd50e, duration=10155.028s, table=82, n_packets=0, n_bytes=0, idle_age=10155, priority=70,ct_state=+est-rel-rpl,ip,reg5=0xa,dl_dst=fa:16:3e:5c:25:9d,nw_src=10.0.1.8 actions=strip_vlan,output:10
 cookie=0xb7d7ed46110fd50e, duration=10155.128s, table=82, n_packets=0, n_bytes=0, idle_age=10155, priority=70,ct_state=+new-est,ip,reg5=0xd,dl_dst=fa:16:3e:e9:f9:c8,nw_src=10.0.1.7 actions=ct(commit,zone=NXM_NX_REG6[0..15]),strip_vlan,output:13
 cookie=0xb7d7ed46110fd50e, duration=10155.028s, table=82, n_packets=0, n_bytes=0, idle_age=10155, priority=70,ct_state=+new-est,ip,reg5=0xa,dl_dst=fa:16:3e:5c:25:9d,nw_src=10.0.1.8 actions=ct(commit,zone=NXM_NX_REG6[0..15]),strip_vlan,output:10
 cookie=0xb7d7ed46110fd50e, duration=10155.132s, table=82, n_packets=7, n_bytes=608, idle_age=10148, priority=50,ct_state=+est-rel+rpl,ct_zone=1,ct_mark=0,reg5=0xd,dl_dst=fa:16:3e:e9:f9:c8 actions=strip_vlan,output:13
 cookie=0xb7d7ed46110fd50e, duration=10155.032s, table=82, n_packets=0, n_bytes=0, idle_age=10155, priority=50,ct_state=+est-rel+rpl,ct_zone=1,ct_mark=0,reg5=0xa,dl_dst=fa:16:3e:5c:25:9d actions=strip_vlan,output:10
 cookie=0xb7d7ed46110fd50e, duration=10155.132s, table=82, n_packets=0, n_bytes=0, idle_age=10155, priority=50,ct_state=-new-est+rel-inv,ct_zone=1,ct_mark=0,reg5=0xd,dl_dst=fa:16:3e:e9:f9:c8 actions=strip_vlan,output:13
 cookie=0xb7d7ed46110fd50e, duration=10155.032s, table=82, n_packets=0, n_bytes=0, idle_age=10155, priority=50,ct_state=-new-est+rel-inv,ct_zone=1,ct_mark=0,reg5=0xa,dl_dst=fa:16:3e:5c:25:9d actions=strip_vlan,output:10
 cookie=0xb7d7ed46110fd50e, duration=10155.131s, table=82, n_packets=0, n_bytes=0, idle_age=10155, priority=40,ct_state=-est,reg5=0xd actions=drop
 cookie=0xb7d7ed46110fd50e, duration=10155.131s, table=82, n_packets=0, n_bytes=0, idle_age=10155, priority=40,ct_state=+est,reg5=0xd actions=ct(commit,zone=NXM_NX_REG6[0..15],exec(load:0x1->NXM_NX_CT_MARK[]))
 cookie=0xb7d7ed46110fd50e, duration=10155.032s, table=82, n_packets=0, n_bytes=0, idle_age=10155, priority=40,ct_state=-est,reg5=0xa actions=drop
 cookie=0xb7d7ed46110fd50e, duration=10155.031s, table=82, n_packets=0, n_bytes=0, idle_age=10155, priority=40,ct_state=+est,reg5=0xa actions=ct(commit,zone=NXM_NX_REG6[0..15],exec(load:0x1->NXM_NX_CT_MARK[]))

# Table 82 also drops invalid ingress connections and connections that were marked with ct_mark=0x1 because their accepting rule is gone.
 cookie=0xb7d7ed46110fd50e, duration=10155.032s, table=82, n_packets=0, n_bytes=0, idle_age=10155, priority=50,ct_state=+inv+trk actions=drop
 cookie=0xb7d7ed46110fd50e, duration=10155.132s, table=82, n_packets=0, n_bytes=0, idle_age=10155, priority=50,ct_mark=0x1,reg5=0xd actions=drop
 cookie=0xb7d7ed46110fd50e, duration=10155.032s, table=82, n_packets=0, n_bytes=0, idle_age=10155, priority=50,ct_mark=0x1,reg5=0xa actions=drop
 cookie=0xb7d7ed46110fd50e, duration=10509.902s, table=82, n_packets=0, n_bytes=0, idle_age=10509, priority=0 actions=drop

[1] https://review.openstack.org/#/c/302766/
