OpenStack 南北流量分析没有浮动IP

作者: hamburger01 | 来源:发表于2018-06-23 13:15 被阅读0次

DVR 模式不绑定浮动IP的情况下


[root@controller ~] openstack network agent list --router  router_snat   # 查看  router 所在节点
+--------------------------------------+------------+----------------+-------------------+-------+-------+------------------+
| ID                                   | Agent Type | Host           | Availability Zone | Alive | State | Binary           |
+--------------------------------------+------------+----------------+-------------------+-------+-------+------------------+
| 352a9d63-4f63-4cea-8e3c-523b5506a186 | L3 agent   | network 1| nova              | :-)   | UP    | neutron-l3-agent |
+--------------------------------------+------------+----------------+-------------------+-------+-------+------------------+

[root@controller ~] openstack   network  agent list --agent-type dhcp --network tenant-net    #查看 dhcp agent 所在节点
+--------------------------------------+------------+---------------+-------------------+-------+-------+--------------------+
| ID                                   | Agent Type | Host          | Availability Zone | Alive | State | Binary             |
+--------------------------------------+------------+---------------+-------------------+-------+-------+--------------------+
| 0b511ea5-fcee-4340-923b-d1f4a4d11e48 | DHCP agent | network1 | nova              | :-)   | UP    | neutron-dhcp-agent |
| d317b747-4c4c-4cbb-9826-5054192aa835 | DHCP agent | network2 | nova              | :-)   | UP    | neutron-dhcp-agent |
+--------------------------------------+------------+---------------+-------------------+-------+-------+--------------------+

从虚拟机内部 ping 114.114.114.114

[root@vm-hanbo ~] route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.10.10.1      0.0.0.0         UG    0      0        0 eth0   
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.169.254 10.10.10.1      255.255.255.255 UGH   0      0        0 eth0
[root@vm-snat ~]  ping 114.114.114.114
PING 114.114.114.114 (114.114.114.114) 56(84) bytes of data.
64 bytes from 114.114.114.114: icmp_seq=1 ttl=83 time=31.4 ms
64 bytes from 114.114.114.114: icmp_seq=2 ttl=83 time=32.9 ms

虚机（10.10.10.12） ping 114.114.114.114 的包, 先发给 10.10.10.1 （ qrouter 的qr-bfa48add-83 ）

查看计算节点 route 信息


# ip netns exec qrouter-d02c9901-d249-4189-a286-1477b7522d0a   ip a
[root@compute ~]  ip netns exec qrouter-d02c9901-d249-4189-a286-1477b7522d0a   ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: rfp-d02c9901-d@if94: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 9a:63:cc:54:99:0f brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 169.254.124.74/31 scope global rfp-d02c9901-d
       valid_lft forever preferred_lft forever
    inet6 fe80::9863:ccff:fe54:990f/64 scope link 
       valid_lft forever preferred_lft forever
362: qr-bfa48add-83: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN qlen 1000
    link/ether fa:16:3e:ff:e8:26 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.1/24 brd 10.10.10.255 scope global qr-bfa48add-83
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:feff:e826/64 scope link 
       valid_lft forever preferred_lft forever

[root@compute ~]  ip netns exec qrouter-d02c9901-d249-4189-a286-1477b7522d0a   ip rule   
0:  from all lookup local 
32766:  from all lookup main 
32767:  from all lookup default 
168430081:  from 10.10.10.1/24 lookup 168430081 

[root@network1 ~]  ip netns exec qrouter-d02c9901-d249-4189-a286-1477b7522d0a   ip route list table 168430081
default via 10.10.10.5 dev qr-bfa48add-83 
[root@network1 ~]

查看路由规则，网络包通过 qr-bfa48add-83 这个端口发向 10.10.10.5 （网络节点上的 SNAT ）

查看网络节点 snat netns信息：


[root@network ~] ip netns |grep d02c9901-d249-4189-a286-1477b7522d0a    #  router_id
snat-d02c9901-d249-4189-a286-1477b7522d0a
qrouter-d02c9901-d249-4189-a286-1477b7522d0a

[root@network ~] ip netns exec snat-d02c9901-d249-4189-a286-1477b7522d0a ip a   
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
22: qg-a3ffe4e8-f2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN qlen 1000
    link/ether fa:16:3e:b1:af:36 brd ff:ff:ff:ff:ff:ff
    inet 172.28.16.18/24 brd 172.28.16.255 scope global qg-a3ffe4e8-f2
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:feb1:af36/64 scope link 
       valid_lft forever preferred_lft forever
24: sg-da6ace76-34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN qlen 1000
    link/ether fa:16:3e:47:d9:c0 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.5/24 brd 10.10.10.255 scope global sg-da6ace76-34
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe47:d9c0/64 scope link 
       valid_lft forever preferred_lft forever


[root@network1 ~] ip netns exec snat-d02c9901-d249-4189-a286-1477b7522d0a ip route list table main
default via 172.28.17.254 dev qg-a3ffe4e8-f2         ## 匹配默认路由  
8.1.0.0/16 dev qg-a3ffe4e8-f2  scope link 
10.10.10.0/24 dev sg-da6ace76-34  proto kernel  scope link  src 10.10.10.5 
172.28.16.0/24 dev qg-a3ffe4e8-f2  proto kernel  scope link  src 172.28.16.18     # 
172.28.17.254 dev qg-a3ffe4e8-f2  scope link 

[root@network1 ~] ip netns exec snat-d02c9901-d249-4189-a286-1477b7522d0a iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N neutron-l3-agent-OUTPUT
-N neutron-l3-agent-POSTROUTING
-N neutron-l3-agent-PREROUTING
-N neutron-l3-agent-float-snat
-N neutron-l3-agent-snat
-N neutron-postrouting-bottom
-A PREROUTING -j neutron-l3-agent-PREROUTING 
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-l3-agent-POSTROUTING ! -i qg-a3ffe4e8-f2 ! -o qg-a3ffe4e8-f2 -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -o qg-a3ffe4e8-f2 -j SNAT --to-source 172.28.16.18     ## 修改源 IP
-A neutron-l3-agent-snat -m mark ! --mark 0x2/0xffff -m conntrack --ctstate DNAT -j SNAT --to-source 172.28.16.18
-A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-l3-agent-snat

把源 IP 10.10.10.12 修改为 172.28.16.18 通过 qg-a3ffe4e8-f2 发往 172.28.17.254（外网网关）

计算节点抓包验证情况：

[root@compute ~]  tcpdump -i tapcbfca678-e4  dst 114.114.114.114
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tapcbfca678-e4, link-type EN10MB (Ethernet), capture size 262144 bytes
19:14:56.607664 IP 10.10.10.12 > public1.114dns.com: ICMP echo request, id 7614, seq 49, length 64
19:14:57.608807 IP 10.10.10.12 > public1.114dns.com: ICMP echo request, id 7614, seq 50, length 64
19:14:58.610665 IP 10.10.10.12 > public1.114dns.com: ICMP echo request, id 7614, seq 51, length 64
19:14:59.611877 IP 10.10.10.12 > public1.114dns.com: ICMP echo request, id 7614, seq 52, length 64


[root@compute ~]  tcpdump -i br-int  dst 114.114.114.114      #   br-int  >> br-ex >> bond1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-int, link-type EN10MB (Ethernet), capture size 262144 bytes
19:15:23.649931 IP 10.10.10.12 > public1.114dns.com: ICMP echo request, id 7614, seq 76, length 64
19:15:24.651296 IP 10.10.10.12 > public1.114dns.com: ICMP echo request, id 7614, seq 77, length 64
## 网络节点抓包情况
[root@network1 ~] tcpdump -i bond1 src 172.28.16.18      
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond1, link-type EN10MB (Ethernet), capture size 262144 bytes
19:20:50.260082 IP 172.28.16.18 > public1.114dns.com: ICMP echo request, id 7665, seq 58, length 64
19:20:50.293420 ARP, Request who-has 8.1.6.240 tell 172.28.16.18, length 28
19:20:51.260141 IP 172.28.16.18 > public1.114dns.com: ICMP echo request, id 7665, seq 59, length 64
19:20:51.295072 ARP, Request who-has 8.1.6.240 tell 172.28.16.18, length 28
19:20:52.260064 IP 172.28.16.18 > public1.114dns.com: ICMP echo request, id 7665, seq 60, length 64
19:20:52.296957 ARP, Request who-has 8.1.6.240 tell 172.28.16.18, length 28

br-vlan 接口是 bond2 接口是 bond1

Bridge br-ex
        Controller "tcp:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        Port phy-br-ex
            Interface phy-br-ex
                type: patch
                options: {peer=int-br-ex}
        Port br-ex
            Interface br-ex
                type: internal
        Port "bond1"
            Interface "bond1"

总结：虚机（10.10.10.12） ping 114.114.114.114 的包, 通过先发给 10.10.10.1 （ qrouter 的qr-bfa48add-83 ），网络包通过 qr-bfa48add-83 这个端口发向 10.10.10.5 （网络节点上的 snat-netns ），之后 snat IPtables 把网络包源IP修改为 172.28.16.18（ snat qg-a3ffe4e8-f2 的IP ）， snat 路由规则是来源172.28.16.18 的 IP 会通过 qg-a3ffe4e8-f2 发到 br-ex, 最终通过 bond1 发出。

OpenStack 南北流量分析没有浮动IP

DVR 模式不绑定浮动IP的情况下

从虚拟机内部 ping 114.114.114.114

查看计算节点 route 信息

查看网络节点 snat netns信息：

计算节点抓包验证情况：

br-vlan 接口是 bond2 接口是 bond1

相关文章

网友评论

延伸阅读

深度阅读

栏目导航

热点阅读