环境:
准备两台vpc vm ,
情景1: 端口保持默认配置(安全组与端口安全均启用)
在 vm1 上添加一条静态路由,目标网段可以是任意网段(本例用 192.168.1.0/24),下一跳指向 vm2 的 eth0 IP(10.220.0.211);然后分别在 vm1 和 vm2 上用 tcpdump 抓包,对比观察同一个 ICMP 包的
源 IP、源 MAC、目标 IP、目标 MAC。
vm1
# vm1(发起端,即添加静态路由的机器)的网卡与路由信息
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1442 qdisc fq_codel state UP group default qlen 1000
link/ether fa:16:3e:ee:29:ec brd ff:ff:ff:ff:ff:ff
inet 10.220.2.248/20 brd 10.220.15.255 scope global dynamic noprefixroute eth0
valid_lft 42483sec preferred_lft 42483sec
inet6 fe80::f816:3eff:feee:29ec/64 scope link
valid_lft forever preferred_lft forever
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.220.0.1 0.0.0.0 UG 100 0 0 eth0
10.220.0.0 0.0.0.0 255.255.240.0 U 100 0 0 eth0
169.254.169.254 10.220.0.10 255.255.255.255 UGH 100 0 0 eth0
# 配置下一跳路由
ip route add 192.168.1.0/24 via 10.220.0.211 dev eth0
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.220.0.1 0.0.0.0 UG 100 0 0 eth0
10.220.0.0 0.0.0.0 255.255.240.0 U 100 0 0 eth0
169.254.169.254 10.220.0.10 255.255.255.255 UGH 100 0 0 eth0
192.168.1.0 10.220.0.211 255.255.255.0 UG 0 0 0 eth0
# 在 vm1 上监听本机发出的、目的为 192.168.1.10 的 ICMP 包(-e 打印链路层 MAC,-n 不做名字解析)
# tcpdump -i eth0 host 192.168.1.10 and icmp -netvv
dropped privs to tcpdump
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
# 在另一个窗口 进行ping 测试
vm2
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1442 qdisc fq_codel state UP group default qlen 1000
link/ether fa:16:3e:2c:9d:3e brd ff:ff:ff:ff:ff:ff
inet 10.220.0.211/20 brd 10.220.15.255 scope global dynamic noprefixroute eth0
valid_lft 41916sec preferred_lft 41916sec
inet6 fe80::f816:3eff:fe2c:9d3e/64 scope link
valid_lft forever preferred_lft forever
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.220.0.1 0.0.0.0 UG 100 0 0 eth0
10.220.0.0 0.0.0.0 255.255.240.0 U 100 0 0 eth0
169.254.169.254 10.220.0.10 255.255.255.255 UGH 100 0 0 eth0
# 在 vm2(下一跳)上监听目的为 192.168.1.10 的 ICMP 包,过滤条件与 vm1 一致
# tcpdump -i eth0 host 192.168.1.10 and icmp -netvv
dropped privs to tcpdump
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
结果分析
# 发起端: vm1
# ping -c 1 192.168.1.10
PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
--- 192.168.1.10 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
# tcpdump -i eth0 host 192.168.1.10 and icmp -netvv
dropped privs to tcpdump
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
fa:16:3e:ee:29:ec > fa:16:3e:2c:9d:3e, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 38788, offset 0, flags [DF], proto ICMP (1), length 84)
10.220.2.248 > 192.168.1.10: ICMP echo request, id 13279, seq 1, length 64
## 可以看到 vm1 已经把包发出:目标 IP 是最终目标 192.168.1.10,而目标 MAC 是下一跳 vm2 的 MAC fa:16:3e:2c:9d:3e,两者并不属于同一个 Neutron 端口。
## 但对端 vm2 始终没有收到。vm2 的端口启用了端口安全/安全组,OVN 流表会校验送往该端口的包的目标 IP/MAC 是否与该端口的地址(固定 IP 及 allowed-address-pairs)对应:
## fa:16:3e:2c:9d:3e 对应端口的固定 IP 是 10.220.0.211 而不是 192.168.1.10,且没有为 192.168.1.0/24 添加地址对(allowed-address-pairs),因此包在 OVN 流表中就被丢弃,根本没有送到 vm2 的网卡。
# 接收端 vm2
# tcpdump -i eth0 host 192.168.1.10 and icmp -netvv
dropped privs to tcpdump
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
# 始终没有收到包
情景2: 移除安全组并禁用端口安全(port security)
注意:下面的命令同时移除了安全组并禁用了端口安全,因此本实验无法区分丢包具体由哪一个机制触发。禁用端口安全会让该端口失去 MAC/IP 防欺骗保护以及安全组过滤,只应在隔离的测试环境中这样做;生产环境应保留端口安全,改为在下一跳 vm2 的端口上添加 allowed-address-pairs 放行目标网段(例如 `openstack port set --allowed-address ip-address=192.168.1.0/24 <vm2 port id>`)。若要 vm2 真正转发这些流量,还需在 vm2 上开启 IP 转发并配置相应路由,本文未涉及。
另外注意命令顺序:Neutron 不允许在端口仍关联安全组时禁用端口安全,所以要先执行 `--no-security-group`,再执行 `--disable-port-security`。
(py3env) [root@control01 ~]# openstack port list | grep -E "10.220.2.248|10.220.0.211"
| 40f37d49-c16c-4de7-acbe-ea047cd8de1e| fa:16:3e:ee:29:ec | ip_address='10.220.2.248', subnet_id='4e16a01d-8195-4232-b6e2-d7f1c26a0a68' | ACTIVE |
| ee5bcfb8-7c7d-4734-9e68-60ef6742c13a | fa:16:3e:2c:9d:3e | ip_address='10.220.0.211', subnet_id='4e16a01d-8195-4232-b6e2-d7f1c26a0a68' | ACTIVE |
(py3env) [root@control01 ~]# openstack port set --no-security-group 40f37d49-c16c-4de7-acbe-ea047cd8de1e
(py3env) [root@control01 ~]# openstack port set --no-security-group ee5bcfb8-7c7d-4734-9e68-60ef6742c13a
(py3env) [root@control01 ~]# openstack port set --disable-port-security 40f37d49-c16c-4de7-acbe-ea047cd8de1e
(py3env) [root@control01 ~]# openstack port set --disable-port-security ee5bcfb8-7c7d-4734-9e68-60ef6742c13a
结果分析
# 发起端: vm1
# ping -c 1 192.168.1.10
PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
--- 192.168.1.10 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
# tcpdump -i eth0 host 192.168.1.10 and icmp -netvv
dropped privs to tcpdump
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
fa:16:3e:ee:29:ec > fa:16:3e:2c:9d:3e, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 38788, offset 0, flags [DF], proto ICMP (1), length 84)
10.220.2.248 > 192.168.1.10: ICMP echo request, id 13279, seq 1, length 64
## 可以看到 vm1 内有发出包,目标 MAC 仍是 vm2 的 MAC、目标 IP 仍是 192.168.1.10。(注:此处 vm1 抓包行的 IP id 38788 / ICMP id 13279 与情景1 完全相同,而下面 vm2 收到的包是 id 57422 / ICMP id 13290,疑似复用了情景1 的输出;判断结果时以 vm2 侧的抓包为准。)
# 接收端 vm2
[root@zbb1 centos]# tcpdump -i eth0 host 192.168.1.10 and icmp -netvv
dropped privs to tcpdump
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
fa:16:3e:ee:29:ec > fa:16:3e:2c:9d:3e, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 57422, offset 0, flags [DF], proto ICMP (1), length 84)
10.220.2.248 > 192.168.1.10: ICMP echo request, id 13290, seq 1, length 64
# 可以看到 vm2 这次收到了包:目标 MAC 是 vm2 自己的 MAC,目标 IP 仍是 192.168.1.10。ping 仍然 100% 丢包是正常的——192.168.1.10 并不存在,vm2 的路由表里也没有通往 192.168.1.0/24 的路由、本文也未开启转发;本实验只验证这个帧能否到达 vm2。
小结: 走静态下一跳路由的包,目标 IP 是最终目标(192.168.1.10),而二层目标 MAC 是下一跳机器 vm2 的 MAC,两者并不对应同一个 Neutron 端口。端口安全/安全组启用时,OVN 流表会校验送达端口的包的目标 IP/MAC 与该端口地址(固定 IP 及 allowed-address-pairs)的对应关系,不匹配就丢弃,所以下一跳机器收不到包。正确做法是在下一跳端口上为目标网段添加 allowed-address-pairs,而不是整体禁用端口安全。