Implementation of OpenStack Security Groups
First, create a security group named Exam1, as shown below:
[Figure: neutron_securitygroup]
The network interface connectivity of the VM on the compute node is as follows:
[Figure: instance_port]
Create a VM and assign it the security group Exam1. Then inspect the VM's libvirt XML definition, focusing on its network interface section:
<interface type='bridge'>
<mac address='fa:16:3e:85:de:e9'/>
<source bridge='qbrb0720a65-4a'/>
<target dev='tapb0720a65-4a'/>
<model type='virtio'/>
<driver name='qemu'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
The bridge the VM is attached to is qbrb0720a65-4a, and the corresponding interface name is tapb0720a65-4a.
Look at the Linux bridges on the compute node:
[root@compute1 ~]# brctl show
bridge name       bridge id           STP enabled   interfaces
qbrb0720a65-4a    8000.f2c519de1624   no            qvbb0720a65-4a
                                                    tapb0720a65-4a
virbr0            8000.525400eadc06   yes           virbr0-nic
The bridge qbrb0720a65-4a has two ports: qvbb0720a65-4a and tapb0720a65-4a. tapb0720a65-4a connects to the compute instance; qvbb0720a65-4a connects to the br-int bridge.
[root@compute1 ~]# ovs-vsctl list-ports br-int
patch-tun
qvob0720a65-4a
br-int is an OVS bridge; its port qvob0720a65-4a is the peer of the qvbb0720a65-4a port on the Linux bridge. The OVS bridge layout on the compute node (ovs-vsctl show) is as follows:
    Manager "ptcp:6640:127.0.0.1"
        is_connected: true
    Bridge br-tun
        Controller "tcp:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        Port "vxlan-c0a8000a"
            Interface "vxlan-c0a8000a"
                type: vxlan
                options: {df_default="true", in_key=flow, local_ip="192.168.0.11", out_key=flow, remote_ip="192.168.0.10"}
        Port br-tun
            Interface br-tun
                type: internal
        Port patch-int
            Interface patch-int
                type: patch
                options: {peer=patch-tun}
    Bridge br-int
        Controller "tcp:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        Port br-int
            Interface br-int
                type: internal
        Port "qvob0720a65-4a"
            tag: 1
            Interface "qvob0720a65-4a"
        Port patch-tun
            Interface patch-tun
                type: patch
                options: {peer=patch-int}
As shown above, qvob0720a65-4a is the port connected to the Linux bridge qbrb0720a65-4a, and patch-tun connects to the br-tun bridge. Because we use a VXLAN topology, br-tun is needed as the VXLAN tunnel endpoint of this compute node.
Security Groups
Security groups are implemented with iptables and are applied on the Linux bridge port tapb0720a65-4a. This is the reason the Linux bridge exists in OpenStack at all: iptables rules cannot be attached to an OVS port, so the intermediate Linux bridge provides a port that iptables can filter.
Look at the iptables rules, specifically the rules related to this VM:
*raw (the raw table)
:PREROUTING ACCEPT [41317:5066793]
:OUTPUT ACCEPT [34856:6828423]
:neutron-openvswi-OUTPUT - [0:0]
:neutron-openvswi-PREROUTING - [0:0]
-A PREROUTING -j neutron-openvswi-PREROUTING
-A OUTPUT -j neutron-openvswi-OUTPUT
-A neutron-openvswi-PREROUTING -m physdev --physdev-in qvbb0720a65-4a -m comment --comment "Set zone for 0a65-4a86-4e75-8ec6-1661402a1b0a" -j CT --zone 4117
-A neutron-openvswi-PREROUTING -i qvbb0720a65-4a -m comment --comment "Set zone for 0a65-4a86-4e75-8ec6-1661402a1b0a" -j CT --zone 4117
-A neutron-openvswi-PREROUTING -m physdev --physdev-in tapb0720a65-4a -m comment --comment "Set zone for 0a65-4a86-4e75-8ec6-1661402a1b0a" -j CT --zone 4117
The four iptables tables are traversed in the order raw --> mangle --> nat --> filter. The raw table rules above mainly set a conntrack zone id for the packets entering and leaving this instance.
Security groups take effect in the FORWARD chain of the filter table:
packet -> PREROUTING (raw) -> PREROUTING (mangle/nat; not involved in the instance's actual data path) -> FORWARD (filter) -> POSTROUTING (mangle/nat) -> out
Look at the relevant rules in the filter table:
:INPUT ACCEPT [44285:5662535]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [42549:8101485]
:neutron-filter-top - [0:0]
:neutron-openvswi-FORWARD - [0:0]
:neutron-openvswi-INPUT - [0:0]
:neutron-openvswi-OUTPUT - [0:0]
:neutron-openvswi-ib0720a65-4 - [0:0]
:neutron-openvswi-local - [0:0]
:neutron-openvswi-ob0720a65-4 - [0:0]
:neutron-openvswi-sb0720a65-4 - [0:0]
:neutron-openvswi-sg-chain - [0:0]
:neutron-openvswi-sg-fallback - [0:0]
#1. INPUT is handed to neutron-openvswi-INPUT; it is rarely matched
-A INPUT -j neutron-openvswi-INPUT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -j neutron-filter-top
#2. FORWARD is handed to the neutron-openvswi-FORWARD chain, which carries all the traffic
-A FORWARD -j neutron-openvswi-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-openvswi-OUTPUT
#DHCP traffic
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A neutron-filter-top -j neutron-openvswi-local
-A neutron-openvswi-FORWARD -m physdev --physdev-out tapb0720a65-4a --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tapb0720a65-4a --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain
-A neutron-openvswi-INPUT -m physdev --physdev-in tapb0720a65-4a --physdev-is-bridged -m comment --comment "Direct incoming traffic from VM to the security group chain." -j neutron-openvswi-ob0720a65-4
-A neutron-openvswi-ib0720a65-4 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-openvswi-ib0720a65-4 -d 10.120.1.10/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-ib0720a65-4 -d 255.255.255.255/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-ib0720a65-4 -m set --match-set NIPv4fede6705-f4ed-42a7-9e3a- src -j RETURN
-A neutron-openvswi-ib0720a65-4 -s 1.1.1.0/24 -p tcp -m tcp --dport 8080 -j RETURN
-A neutron-openvswi-ib0720a65-4 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-openvswi-ib0720a65-4 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
-A neutron-openvswi-ob0720a65-4 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN
-A neutron-openvswi-ob0720a65-4 -j neutron-openvswi-sb0720a65-4
-A neutron-openvswi-ob0720a65-4 -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN
-A neutron-openvswi-ob0720a65-4 -p udp -m udp --sport 67 --dport 68 -m comment --comment "Prevent DHCP Spoofing by VM." -j DROP
-A neutron-openvswi-ob0720a65-4 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-openvswi-ob0720a65-4 -j RETURN
-A neutron-openvswi-ob0720a65-4 -d 2.2.2.0/24 -p tcp -m tcp --dport 8080 -j RETURN
-A neutron-openvswi-ob0720a65-4 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-openvswi-ob0720a65-4 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
-A neutron-openvswi-sb0720a65-4 -s 10.120.1.10/32 -m mac --mac-source FA:16:3E:85:DE:E9 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-openvswi-sb0720a65-4 -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP
-A neutron-openvswi-sg-chain -m physdev --physdev-out tapb0720a65-4a --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-ib0720a65-4
-A neutron-openvswi-sg-chain -m physdev --physdev-in tapb0720a65-4a --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-ob0720a65-4
-A neutron-openvswi-sg-chain -j ACCEPT
-A neutron-openvswi-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP
Putting the packet processing flow in order:
#1. INPUT is handed to neutron-openvswi-INPUT; it is rarely matched
-A INPUT -j neutron-openvswi-INPUT
#2. FORWARD is handed to the neutron-openvswi-FORWARD chain, which carries all the traffic
-A FORWARD -j neutron-openvswi-FORWARD
#Traffic entering or leaving the specified interface tapb0720a65-4a is explicitly handed to the chain neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-out tapb0720a65-4a --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tapb0720a65-4a --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain
#In neutron-openvswi-sg-chain, traffic leaving through tapb0720a65-4a (toward the VM) is handled by the neutron-openvswi-ib0720a65-4 chain, and traffic entering from tapb0720a65-4a (out of the VM) by the neutron-openvswi-ob0720a65-4 chain
-A neutron-openvswi-sg-chain -m physdev --physdev-out tapb0720a65-4a --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-ib0720a65-4
-A neutron-openvswi-sg-chain -m physdev --physdev-in tapb0720a65-4a --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-ob0720a65-4
#neutron-openvswi-ib0720a65-4
-A neutron-openvswi-ib0720a65-4 -s 1.1.1.0/24 -p tcp -m tcp --dport 8080 -j RETURN //this chain explicitly opens port 8080 (RETURN to the calling chain, which in effect allows the traffic)
#neutron-openvswi-ob0720a65-4
-A neutron-openvswi-ob0720a65-4 -d 2.2.2.0/24 -p tcp -m tcp --dport 8080 -j RETURN //port 8080 is opened
#Matched traffic is then handled by this chain
-A neutron-openvswi-sg-chain -j ACCEPT
Unmatched traffic is handled by the following rules and explicitly dropped:
-A neutron-openvswi-ib0720a65-4 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
-A neutron-openvswi-ob0720a65-4 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
-A neutron-openvswi-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP
Finally, all data traffic reaches:
-A OUTPUT -j neutron-openvswi-OUTPUT //OUTPUT in the filter table defaults to ACCEPT
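As an added example (not code from the original post or from Neutron), the following Python script walks iptables-save output the way the chains above dispatch it: from neutron-openvswi-sg-chain to the per-port ingress (physdev-out) and egress (physdev-in) chains, collecting the RETURN rules that actually admit traffic, the IP/MAC pairs the anti-spoofing chain accepts, and the verdict for everything else. The embedded rule text is a constructed excerpt of the rules shown above; on a real compute node, feed it the output of `iptables-save -t filter` instead.

```python
import re
from collections import defaultdict

# Constructed excerpt of `iptables-save -t filter` mirroring the rules shown in
# the post (comments, ipset, DHCP and conntrack-INVALID rules dropped).
IPTABLES_SAVE = """
-A neutron-openvswi-sg-chain -m physdev --physdev-out tapb0720a65-4a --physdev-is-bridged -j neutron-openvswi-ib0720a65-4
-A neutron-openvswi-sg-chain -m physdev --physdev-in tapb0720a65-4a --physdev-is-bridged -j neutron-openvswi-ob0720a65-4
-A neutron-openvswi-ib0720a65-4 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-ib0720a65-4 -s 1.1.1.0/24 -p tcp -m tcp --dport 8080 -j RETURN
-A neutron-openvswi-ib0720a65-4 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-ob0720a65-4 -j neutron-openvswi-sb0720a65-4
-A neutron-openvswi-ob0720a65-4 -d 2.2.2.0/24 -p tcp -m tcp --dport 8080 -j RETURN
-A neutron-openvswi-ob0720a65-4 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-sb0720a65-4 -s 10.120.1.10/32 -m mac --mac-source FA:16:3E:85:DE:E9 -j RETURN
-A neutron-openvswi-sb0720a65-4 -j DROP
-A neutron-openvswi-sg-fallback -j DROP
"""

# Only the options this audit needs; other matches in a rule are ignored.
OPT = re.compile(r"(-[sdpj]|--dport|--physdev-in|--physdev-out|--mac-source) (\S+)")

def parse(text):
    """Return {chain: [ {option: value, ...}, ... ]}, preserving rule order."""
    chains = defaultdict(list)
    for line in text.splitlines():
        if line.startswith("-A "):
            chain, _, rest = line[3:].partition(" ")
            chains[chain].append(dict(OPT.findall(rest)))
    return chains

def port_chains(chains, tap):
    """Per-port chains as sg-chain dispatches them: physdev-out tap is
    ingress (into the VM), physdev-in tap is egress (out of the VM)."""
    return {d: r["-j"] for d, opt in (("ingress", "--physdev-out"), ("egress", "--physdev-in"))
            for r in chains["neutron-openvswi-sg-chain"] if r.get(opt) == tap}

def effective_rules(chains, tap):
    """What the port's chains allow (RETURN with an address match), which
    IP/MAC pairs the anti-spoof chain accepts, and the verdict for the rest."""
    report = {"allow": [], "antispoof": [], "final": None}
    for direction, chain in port_chains(chains, tap).items():
        for r in chains[chain]:
            if r["-j"] == "RETURN" and ("-s" in r or "-d" in r):
                report["allow"].append((direction, r.get("-p", "any"), r.get("-s") or r.get("-d"), r.get("--dport", "any")))
            elif r["-j"].startswith("neutron-openvswi-sb"):  # IP/MAC anti-spoofing chain
                report["antispoof"] = [(s["-s"], s["--mac-source"]) for s in chains[r["-j"]] if s["-j"] == "RETURN"]
            elif r["-j"] == "neutron-openvswi-sg-fallback":
                report["final"] = chains[r["-j"]][-1]["-j"]  # default drop for unmatched traffic
    return report
```

A port whose tap is not referenced by sg-chain yields an empty report, which is itself a useful check: such a port is not protected by any security group chain.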