openstack 网桥 & 流表

openstack 网桥 & 流表

作者: 苏苏林 | 来源:发表于2022-02-04 17:28 被阅读0次

    openstack的网桥

    image.png
    网桥名称 作用
    物理网桥 * flat、vpc、public网络跨主机流量转发物理网桥,外接eth口或者bond口;
    * 每Ethernet/Bond接口一个;
    * 既可以接收带vlan tag的网络报文,也可以接收不带vlan tag的网络报文。
    tunnel网桥 * 作用同物理网桥,提供主机间互联,只不过物理网桥提供underlay方案,而tunnel网桥提供overlay方案;
    * 所有tunnel口使用一个tunnel网桥;
    集成网桥 * vm、router、service netns互联内部网桥,不同网络内部vlan隔离;
    * 本机的网络功能和本机内流量转发全部在集成网桥上实现。

    其中物理网桥和tunnel网桥一起可以看成是外部网桥,用来完成进出节点流量转发。
    markdown的表格编辑不友好,这里直接截图了。

    流表分析

    这里只看较为复杂的集成网桥br-int的流表,物理网桥和tunnel网桥较为简单,且网上资料较多。


    image.png image.png
    大概的分层设计:
    image.png
    流表解读
    ### 
    #  tap939d0ce5-a8   network-vlan1001 dhcp ns tap nic ,   tag=2,
    #  tap8d442e03-f5   vm3 vnic                         ,   tag=2,
    #  tap44a2f223-19   the other network dhcp ns tap nic,   tag=1,
    #  int-br-eth0      vlan-br 接入口
    #  reg5=in_port or out_port, reg6=vlan tag
     1(patch-tun): addr:4a:8a:5f:df:61:75
         config:     0
         state:      0
         speed: 0 Mbps now, 0 Mbps max
     3(int-br-eth0): addr:72:12:5b:05:d9:7e
         config:     0
         state:      0
         speed: 0 Mbps now, 0 Mbps max
     4(tap44a2f223-19): addr:fa:16:3e:f6:98:b3
         config:     0
         state:      0
         speed: 0 Mbps now, 0 Mbps max
     5(int-br-eth2): addr:46:6e:da:f6:0e:aa
         config:     0
         state:      0
         speed: 0 Mbps now, 0 Mbps max
     6(tap939d0ce5-a8): addr:fa:16:3e:49:7f:80
         config:     0
         state:      0
         speed: 0 Mbps now, 0 Mbps max
     7(tap8d442e03-f5): addr:fe:16:3e:43:03:5a
         config:     0
         state:      0
         current:    10MB-FD COPPER
         speed: 10 Mbps now, 0 Mbps max
    ###
    
    
    [root@controller ~]# ovs-ofctl dump-flows br-int
     #### 1、有效vlan是1-4094,4095无效,drop
     cookie=0xcedae18f46b0a9c1, duration=15025.933s, table=0, n_packets=0, n_bytes=0, priority=65535,vlan_tci=0x0fff/0x1fff actions=drop
     #### 2、vlan bridge过来的报文,做vlan转换,外转内,未知vlan报文drop
     cookie=0xcedae18f46b0a9c1, duration=15024.747s, table=0, n_packets=14, n_bytes=2668, priority=3,in_port="int-br-eth0",dl_vlan=1001 actions=mod_vlan_vid:2,resubmit(,60)
     cookie=0xcedae18f46b0a9c1, duration=15025.914s, table=0, n_packets=0, n_bytes=0, priority=2,in_port="int-br-eth0" actions=drop
     #### 3、其他接口直接送 table60
     cookie=0xcedae18f46b0a9c1, duration=15025.935s, table=0, n_packets=35, n_bytes=5634, priority=0 actions=resubmit(,60)
     cookie=0xcedae18f46b0a9c1, duration=15025.936s, table=23, n_packets=0, n_bytes=0, priority=0 actions=drop
     cookie=0xcedae18f46b0a9c1, duration=15025.934s, table=24, n_packets=0, n_bytes=0, priority=0 actions=drop
    
     #### 4、dhcp ns出来的包,设置reg5(inport)和reg6(vlan tag),resubmit 73
     cookie=0xcedae18f46b0a9c1, duration=15023.082s, table=60, n_packets=0, n_bytes=0, priority=100,in_port="tap44a2f223-19" actions=load:0x4->NXM_NX_REG5[],load:0x1->NXM_NX_REG6[],resubmit(,73)
     cookie=0xcedae18f46b0a9c1, duration=15023.082s, table=60, n_packets=9, n_bytes=2352, priority=100,in_port="tap939d0ce5-a8" actions=load:0x6->NXM_NX_REG5[],load:0x2->NXM_NX_REG6[],resubmit(,73)
     #### 5、vm出来的包,设置reg5(inport)和reg6(vlan tag),resubmit 71
     cookie=0xcedae18f46b0a9c1, duration=1805.563s, table=60, n_packets=8, n_bytes=1160, priority=100,in_port="tap8d442e03-f5" actions=load:0x7->NXM_NX_REG5[],load:0x2->NXM_NX_REG6[],resubmit(,71)
     
     #### 6、外部网桥进来的流量,直接设置了output,送table 81转发了,并去掉vlan。去tag的原因应是:table 81/82 最终用 output:"tap..." 直接送到 vm 的 tap 口而不经过 NORMAL,NORMAL 会按 access 口自动剥掉 tag,而显式 output 不会,所以必须先 strip_vlan
     cookie=0xcedae18f46b0a9c1, duration=1805.563s, table=60, n_packets=5, n_bytes=454, priority=90,dl_vlan=2,dl_dst=fa:16:3e:43:03:5a actions=load:0x7->NXM_NX_REG5[],load:0x2->NXM_NX_REG6[],strip_vlan,resubmit(,81)
     ###  6.1 其他节点发过来的未知单播、广播,全部 NORMAL
     cookie=0xcedae18f46b0a9c1, duration=15025.934s, table=60, n_packets=33, n_bytes=4588, priority=3 actions=NORMAL
     
     #### 一个保护,table 71之前不会有进入ct的情况,如果有,ct_clear 重新来一次
     cookie=0xcedae18f46b0a9c1, duration=15025.428s, table=71, n_packets=0, n_bytes=0, priority=110,ct_state=+trk actions=ct_clear,resubmit(,71)
     
     #### 7、vm 出来的arp报文,resubmit 94,table94中做normal处理,vlan类型的网络没有arp代答功能; (reg5=0x7,in_port="tap8d442e03-f5"为重复匹配,没有必要;但 dl_src、arp_spa 以及下面 8 中的 nw_src 不是冗余,它们把 vm 限定在分配给它的 mac/ip 上,是防 mac/ip 欺骗的检查)
     cookie=0xcedae18f46b0a9c1, duration=1805.563s, table=71, n_packets=2, n_bytes=84, priority=95,arp,reg5=0x7,in_port="tap8d442e03-f5",dl_src=fa:16:3e:43:03:5a,arp_spa=10.1.1.113 actions=resubmit(,94)
     
     #### 8、ct建好了走ct,zone id使用vlan tag
     cookie=0xcedae18f46b0a9c1, duration=1805.563s, table=71, n_packets=4, n_bytes=392, priority=65,ip,reg5=0x7,in_port="tap8d442e03-f5",dl_src=fa:16:3e:43:03:5a,nw_src=10.1.1.113 actions=ct(table=72,zone=NXM_NX_REG6[0..15])
     
     #### 9、dhcp报文 request
     cookie=0xcedae18f46b0a9c1, duration=1805.563s, table=71, n_packets=2, n_bytes=684, priority=80,udp,reg5=0x7,in_port="tap8d442e03-f5",tp_src=68,tp_dst=67 actions=resubmit(,73)
     cookie=0xcedae18f46b0a9c1, duration=1805.563s, table=71, n_packets=0, n_bytes=0, priority=70,udp,reg5=0x7,in_port="tap8d442e03-f5",tp_src=67,tp_dst=68 actions=resubmit(,93)
    
     cookie=0xcedae18f46b0a9c1, duration=1805.563s, table=71, n_packets=0, n_bytes=0, priority=10,reg5=0x7,in_port="tap8d442e03-f5" actions=ct_clear,resubmit(,93)
     cookie=0xcedae18f46b0a9c1, duration=15025.524s, table=71, n_packets=0, n_bytes=0, priority=0 actions=drop
     
     #### 10、本地vm发出的数据报文
     ### 10.1、正向,非首包
     cookie=0xcedae18f46b0a9c1, duration=1805.563s, table=72, n_packets=3, n_bytes=294, priority=74,ct_state=+est-rel-rpl,ip,reg5=0x7 actions=resubmit(,73)
     ### 10.2、正向,首包
     cookie=0xcedae18f46b0a9c1, duration=1805.563s, table=72, n_packets=1, n_bytes=98, priority=74,ct_state=+new-est,ip,reg5=0x7 actions=resubmit(,73)
     ### 10.3 无效包、非法的包(ct_mark=1)丢弃。
     cookie=0xcedae18f46b0a9c1, duration=1805.563s, table=72, n_packets=0, n_bytes=0, priority=50,ct_state=+inv+trk actions=resubmit(,93)
     cookie=0xcedae18f46b0a9c1, duration=1805.563s, table=72, n_packets=0, n_bytes=0, priority=50,ct_mark=0x1,reg5=0x7 actions=resubmit(,93)
     
     #### 10.4、回程反向
     cookie=0xcedae18f46b0a9c1, duration=1805.563s, table=72, n_packets=0, n_bytes=0, priority=50,ct_state=+est-rel+rpl,ct_zone=2,ct_mark=0,reg5=0x7 actions=resubmit(,94)
     
     #### 10.5、ct关联流,比如icmp不可达消息或者ftp的数据流,走NORMAL
     cookie=0xceae18f46b0a9c1, duration=1805.563s, table=72, n_packets=0, n_bytes=0, priority=50,ct_state=-new-est+rel-inv,ct_zone=2,ct_mark=0,reg5=0x7 actions=resubmit(,94)
     cookie=0xcedae18f46b0a9c1, duration=1805.563s, table=72, n_packets=0, n_bytes=0, priority=40,ct_state=-est,reg5=0x7 actions=resubmit(,93)
     #### 10.6、+est+rel 等,标记ct_mark=1后,这种状态是非法的,由于没有后续处理,本次报文drop,同时由于ct commit了,下次可以匹配到mark标记
     cookie=0xcedae18f46b0a9c1, duration=1805.563s, table=72, n_packets=0, n_bytes=0, priority=40,ct_state=+est,ip,reg5=0x7 actions=ct(commit,zone=NXM_NX_REG6[0..15],exec(load:0x1->NXM_NX_CT_MARK[]))
     cookie=0xcedae18f46b0a9c1, duration=15025.505s, table=72, n_packets=0, n_bytes=0, priority=0 actions=drop
     
     
     
     #### 11、本节点上vm、ns发往本地vm的包,这里确认out_port,进入 table 81,egress
     cookie=0xcedae18f46b0a9c1, duration=1805.563s, table=73, n_packets=3, n_bytes=784, priority=100,reg6=0x2,dl_dst=fa:16:3e:43:03:5a actions=load:0x7->NXM_NX_REG5[],resubmit(,81)
     #### 12、本节点上vm 发往remote 或 local ns,首包,ct commit 之后,走table91,94 NORMAL发出
     cookie=0xcedae18f46b0a9c1, duration=1805.563s, table=73, n_packets=1, n_bytes=98, priority=90,ct_state=+new-est,ip,reg5=0x7 actions=ct(commit,zone=NXM_NX_REG6[0..15]),resubmit(,91)
     #### 13、本节点上 ns 发往remote,非首包;发往local的未知单播(非vm mac)和广播,NORMAL
     cookie=0xcedae18f46b0a9c1, duration=15023.082s, table=73, n_packets=0, n_bytes=0, priority=80,reg5=0x4 actions=resubmit(,94)
     cookie=0xcedae18f46b0a9c1, duration=15023.082s, table=73, n_packets=6, n_bytes=1568, priority=80,reg5=0x6 actions=resubmit(,94)
     #### 13.1、本节点上,vm 发往 remote,发往local的未知单播(非vm mac)和广播,非首包,NORMAL
     cookie=0xcedae18f46b0a9c1, duration=1805.563s, table=73, n_packets=5, n_bytes=978, priority=80,reg5=0x7 actions=resubmit(,94)
     cookie=0xcedae18f46b0a9c1, duration=15025.487s, table=73, n_packets=0, n_bytes=0, priority=0 actions=drop
    
    
    
    #### table81 开始做egress 方向转发处理
    #### 确认了出接口的控制报文,arp reply、dhcp(offer+ack) 回程包
     cookie=0xcedae18f46b0a9c1, duration=1805.563s, table=81, n_packets=2, n_bytes=88, priority=100,arp,reg5=0x7 actions=output:"tap8d442e03-f5"
     cookie=0xcedae18f46b0a9c1, duration=1805.563s, table=81, n_packets=2, n_bytes=742, priority=95,udp,reg5=0x7,tp_src=67,tp_dst=68 actions=output:"tap8d442e03-f5"
    #### 13.5 其他节点通过物理 bridge(vlan-br)进来的包 或者 本机ns进来的包,match ct_state=-trk
     cookie=0xcedae18f46b0a9c1, duration=1805.563s, table=81, n_packets=4, n_bytes=408, priority=90,ct_state=-trk,ip,reg5=0x7 actions=ct(table=82,zone=NXM_NX_REG6[0..15])
     
     #### 14、local to local,从 11 过来
     cookie=0xcedae18f46b0a9c1, duration=1805.563s, table=81, n_packets=0, n_bytes=0, priority=80,ct_state=+trk,reg5=0x7 actions=resubmit(,82)
     cookie=0xcedae18f46b0a9c1, duration=15025.467s, table=81, n_packets=0, n_bytes=0, priority=0 actions=drop
     
     
     
     
     cookie=0xcedae18f46b0a9c1, duration=1805.563s, table=82, n_packets=0, n_bytes=0, priority=70,ct_state=+est-rel-rpl,ip,reg5=0x7 actions=conjunction(16,2/2)
     cookie=0xcedae18f46b0a9c1, duration=1805.563s, table=82, n_packets=0, n_bytes=0, priority=70,ct_state=+new-est,ip,reg5=0x7 actions=conjunction(17,2/2)
     
     #### conjunctive flow的意义:两个维度 [(from)vm ip, (to)vm port] 的任意组合,本文档由于本机只有一台vm,所以维度2不明显。
     #### 将流表数量从 [ m * n ] 减少为 [ 2*m + n ],n为 port数量,m为vm ip数量
     #### 15、1)local to local,转发,非首包 2)外部进来的包,转发,首包
     cookie=0xcedae18f46b0a9c1, duration=1805.563s, table=82, n_packets=0, n_bytes=0, priority=70,conj_id=16,ct_state=+est-rel-rpl,ip,reg5=0x7 actions=load:0x10->NXM_NX_REG7[],output:"tap8d442e03-f5"
     
     #### 16、1)local to local,转发,首包; 2)外部进来的包,转发,首包。
     cookie=0xcedae18f46b0a9c1, duration=1805.563s, table=82, n_packets=0, n_bytes=0, priority=70,conj_id=17,ct_state=+new-est,ip,reg5=0x7 actions=load:0x11->NXM_NX_REG7[],ct(commit,zone=NXM_NX_REG6[0..15]),output:"tap8d442e03-f5",resubmit(,92)
     
     cookie=0xcedae18f46b0a9c1, duration=1807.543s, table=82, n_packets=0, n_bytes=0, priority=70,ct_state=+est-rel-rpl,ip,reg6=0x2,nw_src=10.1.1.125 actions=conjunction(16,1/2)
     cookie=0xcedae18f46b0a9c1, duration=1807.543s, table=82, n_packets=0, n_bytes=0, priority=70,ct_state=+est-rel-rpl,ip,reg6=0x2,nw_src=10.1.1.113 actions=conjunction(16,1/2)
     cookie=0xcedae18f46b0a9c1, duration=1807.543s, table=82, n_packets=0, n_bytes=0, priority=70,ct_state=+est-rel-rpl,ip,reg6=0x2,nw_src=10.1.1.123 actions=conjunction(16,1/2)
     cookie=0xcedae18f46b0a9c1, duration=1807.543s, table=82, n_packets=0, n_bytes=0, priority=70,ct_state=+new-est,ip,reg6=0x2,nw_src=10.1.1.125 actions=conjunction(17,1/2)
     cookie=0xcedae18f46b0a9c1, duration=1807.543s, table=82, n_packets=0, n_bytes=0, priority=70,ct_state=+new-est,ip,reg6=0x2,nw_src=10.1.1.113 actions=conjunction(17,1/2)
     cookie=0xcedae18f46b0a9c1, duration=1807.543s, table=82, n_packets=0, n_bytes=0, priority=70,ct_state=+new-est,ip,reg6=0x2,nw_src=10.1.1.123 actions=conjunction(17,1/2)
     #### 17、无效和非法的包,drop
     cookie=0xcedae18f46b0a9c1, duration=1805.563s, table=82, n_packets=0, n_bytes=0, priority=50,ct_state=+inv+trk actions=resubmit(,93)
     cookie=0xcedae18f46b0a9c1, duration=1805.563s, table=82, n_packets=0, n_bytes=0, priority=50,ct_mark=0x1,reg5=0x7 actions=resubmit(,93)
     #### 18、这里应该是local vm<-->remote 的反向回程流表,local vm<-->local vm 在 10.4 完成。
     cookie=0xcedae18f46b0a9c1, duration=1805.563s, table=82, n_packets=4, n_bytes=392, priority=50,ct_state=+est-rel+rpl,ct_zone=2,ct_mark=0,reg5=0x7 actions=output:"tap8d442e03-f5"
     cookie=0xcedae18f46b0a9c1, duration=1805.563s, table=82, n_packets=0, n_bytes=0, priority=50,ct_state=-new-est+rel-inv,ct_zone=2,ct_mark=0,reg5=0x7 actions=output:"tap8d442e03-f5"
     
     cookie=0xcedae18f46b0a9c1, duration=1805.563s, table=82, n_packets=0, n_bytes=0, priority=40,ct_state=-est,reg5=0x7 actions=resubmit(,93)
     cookie=0xcedae18f46b0a9c1, duration=1805.563s, table=82, n_packets=0, n_bytes=0, priority=40,ct_state=+est,ip,reg5=0x7 actions=ct(commit,zone=NXM_NX_REG6[0..15],exec(load:0x1->NXM_NX_CT_MARK[]))
     cookie=0xcedae18f46b0a9c1, duration=15025.448s, table=82, n_packets=0, n_bytes=0, priority=0 actions=drop
     
     
     cookie=0xcedae18f46b0a9c1, duration=15025.392s, table=91, n_packets=1, n_bytes=98, priority=1 actions=resubmit(,94)
     cookie=0xcedae18f46b0a9c1, duration=15025.374s, table=92, n_packets=0, n_bytes=0, priority=0 actions=drop
     cookie=0xcedae18f46b0a9c1, duration=15025.355s, table=93, n_packets=0, n_bytes=0, priority=0 actions=drop
     cookie=0xcedae18f46b0a9c1, duration=15025.410s, table=94, n_packets=14, n_bytes=2728, priority=1 actions=NORMAL
    
    
