ovn vm 中使用下一跳路由,抓包简记

2021-12-30  cloudFans

环境:

准备两台vpc vm ,

情景1: 端口安全(port security)与默认安全组均保持开启(Neutron 端口的默认状态)

在 vm1 上配置一条静态下一跳路由:目标网段可以是任意未被使用的网段,下一跳(via)指向 vm2 的 eth0 IP;然后分别在 vm1 和 vm2 上抓包,观察帧的内容

源ip 源mac,目标ip, 目标mac

vm1

# 配置下一跳路由所在机器信息

# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1442 qdisc fq_codel state UP group default qlen 1000
    link/ether fa:16:3e:ee:29:ec brd ff:ff:ff:ff:ff:ff
    inet 10.220.2.248/20 brd 10.220.15.255 scope global dynamic noprefixroute eth0
       valid_lft 42483sec preferred_lft 42483sec
    inet6 fe80::f816:3eff:feee:29ec/64 scope link 
       valid_lft forever preferred_lft forever


# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.220.0.1      0.0.0.0         UG    100    0        0 eth0
10.220.0.0      0.0.0.0         255.255.240.0   U     100    0        0 eth0
169.254.169.254 10.220.0.10     255.255.255.255 UGH   100    0        0 eth0


# Add a static route on vm1: 192.168.1.0/24 (any otherwise unused prefix works)
# via vm2's eth0 address 10.220.0.211. The kernel then puts vm2's MAC in the
# destination MAC of these frames while the destination IP stays 192.168.1.x
# (see the capture below).
# NOTE(review): this only makes vm1 hand the frame to vm2; for vm2 to actually
# forward it (ip_forward) and for a reply to come back, more setup is needed
# that this experiment does not cover.

ip route add 192.168.1.0/24 via 10.220.0.211 dev eth0



#  route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.220.0.1      0.0.0.0         UG    100    0        0 eth0
10.220.0.0      0.0.0.0         255.255.240.0   U     100    0        0 eth0
169.254.169.254 10.220.0.10     255.255.255.255 UGH   100    0        0 eth0
192.168.1.0     10.220.0.211    255.255.255.0   UG    0      0        0 eth0


# 监听本地发出的包
#  tcpdump -i eth0 host 192.168.1.10 and icmp -netvv
dropped privs to tcpdump
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

# 在另一个窗口 进行ping 测试

vm2


# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1442 qdisc fq_codel state UP group default qlen 1000
    link/ether fa:16:3e:2c:9d:3e brd ff:ff:ff:ff:ff:ff
    inet 10.220.0.211/20 brd 10.220.15.255 scope global dynamic noprefixroute eth0
       valid_lft 41916sec preferred_lft 41916sec
    inet6 fe80::f816:3eff:fe2c:9d3e/64 scope link 
       valid_lft forever preferred_lft forever


# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.220.0.1      0.0.0.0         UG    100    0        0 eth0
10.220.0.0      0.0.0.0         255.255.240.0   U     100    0        0 eth0
169.254.169.254 10.220.0.10     255.255.255.255 UGH   100    0        0 eth0



# 监听


# tcpdump -i eth0 host 192.168.1.10 and icmp -netvv
dropped privs to tcpdump
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

结果分析



# 发起端: vm1

# ping -c 1 192.168.1.10
PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.

--- 192.168.1.10 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms


#  tcpdump -i eth0 host 192.168.1.10 and icmp -netvv
dropped privs to tcpdump
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
fa:16:3e:ee:29:ec > fa:16:3e:2c:9d:3e, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 38788, offset 0, flags [DF], proto ICMP (1), length 84)
    10.220.2.248 > 192.168.1.10: ICMP echo request, id 13279, seq 1, length 64


##可以看到 vm1 已经把包发出去了:目的 MAC 是下一跳 vm2 的 MAC(fa:16:3e:2c:9d:3e),目的 IP 仍然是 192.168.1.10

## 但是对端没有收到包,也就是说包在送达 vm2 之前被 OVN 丢掉了。起决定作用的是 vm2 端口的端口安全(port security):OVN 只放行目的 IP 属于该端口固定 IP 或 allowed-address-pairs 的流量进入该端口(情景2 同时移除了安全组并关闭了端口安全,并没有单独区分二者)

## 因为 MAC fa:16:3e:2c:9d:3e 对应端口的固定 IP 是 10.220.0.211 而不是 192.168.1.10,且该端口没有添加覆盖 192.168.1.0/24 的 allowed-address-pairs。


# 接收端 vm2

]# tcpdump -i eth0 host 192.168.1.10 and icmp -netvv
dropped privs to tcpdump
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

# 始终没有收到包


情景2: 移除两个端口的安全组并关闭端口安全(port security)


# Look up the two Neutron ports by fixed IP (vm1 = 10.220.2.248, vm2 = 10.220.0.211).
(py3env) [root@control01 ~]# openstack port list | grep -E "10.220.2.248|10.220.0.211"
| 40f37d49-c16c-4de7-acbe-ea047cd8de1e| fa:16:3e:ee:29:ec | ip_address='10.220.2.248', subnet_id='4e16a01d-8195-4232-b6e2-d7f1c26a0a68'    | ACTIVE |
| ee5bcfb8-7c7d-4734-9e68-60ef6742c13a | fa:16:3e:2c:9d:3e | ip_address='10.220.0.211', subnet_id='4e16a01d-8195-4232-b6e2-d7f1c26a0a68'    | ACTIVE |


# Detach every security group from both ports first. Neutron normally refuses to
# disable port security while security groups are still attached, which is
# presumably why the groups are removed before the next two commands.
(py3env) [root@control01 ~]# openstack port set --no-security-group 40f37d49-c16c-4de7-acbe-ea047cd8de1e
(py3env) [root@control01 ~]# openstack port set --no-security-group ee5bcfb8-7c7d-4734-9e68-60ef6742c13a
# Disable port security on both ports. NOTE(review): together with the step
# above this removes OVN's MAC/IP anti-spoofing checks AND all security-group
# filtering for these ports -- acceptable for a lab, not for a production port.
# The narrower change that keeps port security on is an allowed-address pair
# covering the routed prefix on the next-hop port (vm2), e.g.
# `openstack port set --allowed-address ip-address=192.168.1.0/24 <vm2-port-id>`;
# that should be enough for the frame to be delivered to vm2 (not verified here).
(py3env) [root@control01 ~]# openstack port set --disable-port-security 40f37d49-c16c-4de7-acbe-ea047cd8de1e
(py3env) [root@control01 ~]# openstack port set --disable-port-security ee5bcfb8-7c7d-4734-9e68-60ef6742c13a

结果分析



# 发起端: vm1

# ping -c 1 192.168.1.10
PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.

--- 192.168.1.10 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

#  tcpdump -i eth0 host 192.168.1.10 and icmp -netvv
dropped privs to tcpdump
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
fa:16:3e:ee:29:ec > fa:16:3e:2c:9d:3e, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 38788, offset 0, flags [DF], proto ICMP (1), length 84)
    10.220.2.248 > 192.168.1.10: ICMP echo request, id 13279, seq 1, length 64

##可以看到node vm1内有发出包




# 接收端 vm2

[root@zbb1 centos]# tcpdump -i eth0 host 192.168.1.10 and icmp -netvv
dropped privs to tcpdump
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
fa:16:3e:ee:29:ec > fa:16:3e:2c:9d:3e, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 57422, offset 0, flags [DF], proto ICMP (1), length 84)
    10.220.2.248 > 192.168.1.10: ICMP echo request, id 13290, seq 1, length 64


# 可以看到 vm2 收到包了(ping 仍显示 100% 丢包,是因为抓包里只有 echo request、没有任何主机应答 192.168.1.10;本实验只关注帧能否到达 vm2)


小结: 走下一跳路由的包,目的 MAC 是下一跳(vm2)的 MAC,目的 IP 仍然是最终目标 192.168.1.10(见上面的抓包)。vm2 端口开启端口安全后,OVN 流表会校验进入该端口的包的目的 IP 是否属于该端口的固定 IP 或 allowed-address-pairs,不匹配就丢包,所以作为下一跳的 vm2 收不到包。更稳妥的做法不是像情景2 那样关闭端口安全和安全组(这会同时失去防 MAC/IP 伪造和安全组过滤),而是在 vm2 的端口上添加覆盖 192.168.1.0/24 的 allowed-address-pairs;如果还要让 vm2 真正转发并且有回程流量,还需要在 vm2 上开启 ip_forward 并考虑反向流量的地址对,这部分本文没有验证。
