下面的 master-ip 指 master 节点的 IP,node-ip 指 node 节点的 IP。
共两台机器:一台作为 ovn master,一台作为 ovn node。
# Package installation for the lab hosts.  The first two commands run without
# sudo and the rest with it; the transcripts further down show a root shell,
# so both forms work there.
apt-get update
apt-get -y install build-essential fakeroot
sudo apt-get install python-six openssl -y
sudo apt-get install openvswitch-switch openvswitch-common -y
# ovn-central ships the control plane (ovn-northd and the NB/SB ovsdb servers);
# presumably only the "master" host needs this line -- confirm against the
# two-host split described at the top of the notes.
sudo apt-get install ovn-central ovn-common ovn-host -y
# A chassis-only host needs just the ovn-controller side (ovn-host / ovn-common).
sudo apt-get install ovn-host ovn-common -y
# --- master: make the northbound (6641) and southbound (6642) databases listen
# on master-ip.
# NOTE(review): ptcp: is plain TCP with no authentication and no encryption.
# Any host that can reach these ports can rewrite the whole logical topology
# (NB) or feed bogus bindings to every chassis (SB).  That is acceptable for a
# throwaway lab only; otherwise use pssl: with certificates
# (ovn-nbctl/ovn-sbctl set-ssl) and firewall the ports to the chassis hosts.
ovn-nbctl set-connection ptcp:6641:master-ip
ovn-sbctl set-connection ptcp:6642:master-ip
# --- master chassis: point ovn-controller at the SB DB; this host's own
# address is the Geneve tunnel endpoint.
ovs-vsctl set open . external-ids:ovn-remote=tcp:master-ip:6642
ovs-vsctl set open . external-ids:ovn-encap-type=geneve
ovs-vsctl set open . external-ids:ovn-encap-ip=master-ip
# --- node chassis: same remote, tunnel endpoint = node-ip.  With pssl: on the
# master this would become ovn-remote=ssl:master-ip:6642 plus
# `ovs-vsctl set-ssl` on each chassis.  Geneve itself carries tenant traffic
# between the two hosts in the clear.
ovs-vsctl set open . external-ids:ovn-remote=tcp:master-ip:6642
ovs-vsctl set open . external-ids:ovn-encap-type=geneve
ovs-vsctl set open . external-ids:ovn-encap-ip=node-ip
所有ovn-nbctl操作都在ovn-master节点上执行
//创建logical switch
ovn-nbctl ls-add ls1
// 创建 logical port
# Logical port ls1-vm1: lsp-set-addresses registers the MAC northd uses for L2
# lookup; lsp-set-port-security additionally restricts the source MAC the
# port may emit, so the attached namespace cannot spoof another port's address.
ovn-nbctl lsp-add ls1 ls1-vm1
ovn-nbctl lsp-set-addresses ls1-vm1 02:ac:10:ff:00:11
ovn-nbctl lsp-set-port-security ls1-vm1 02:ac:10:ff:00:11
// 创建 logical port
# Same for ls1-vm2 with its own MAC.
ovn-nbctl lsp-add ls1 ls1-vm2
ovn-nbctl lsp-set-addresses ls1-vm2 02:ac:10:ff:00:22
ovn-nbctl lsp-set-port-security ls1-vm2 02:ac:10:ff:00:22
// master node上
# Namespace "vm1" stands in for a VM: an OVS internal port is created on
# br-int, moved into the netns, given the registered MAC, and bound to the
# logical port through external_ids:iface-id.
ip netns add vm1
ovs-vsctl add-port br-int vm1 -- set interface vm1 type=internal
ip link set vm1 netns vm1
# The MAC must equal the lsp-set-addresses / port-security value of ls1-vm1,
# otherwise port security drops the namespace's traffic.
ip netns exec vm1 ip link set vm1 address 02:ac:10:ff:00:11
ip netns exec vm1 ip addr add 172.16.255.11/24 dev vm1
ip netns exec vm1 ip link set vm1 up
# iface-id is how ovn-controller maps this OVS interface to logical port ls1-vm1.
ovs-vsctl set Interface vm1 external_ids:iface-id=ls1-vm1
// node上
# Mirror of the vm1 setup on the other chassis: internal port vm2 in netns
# vm2, MAC matching ls1-vm2, bound via iface-id.
ip netns add vm2
ovs-vsctl add-port br-int vm2 -- set interface vm2 type=internal
ip link set vm2 netns vm2
# Must match the lsp-set-addresses / port-security value of ls1-vm2.
ip netns exec vm2 ip link set vm2 address 02:ac:10:ff:00:22
ip netns exec vm2 ip addr add 172.16.255.22/24 dev vm2
ip netns exec vm2 ip link set vm2 up
# Bind the OVS interface to logical port ls1-vm2.
ovs-vsctl set Interface vm2 external_ids:iface-id=ls1-vm2
// 连通性测试
// master ns ping node ns
ip netns exec vm1 ping 172.16.255.22
PING 172.16.255.22 (172.16.255.22) 56(84) bytes of data.
64 bytes from 172.16.255.22: icmp_seq=1 ttl=64 time=0.134 ms
64 bytes from 172.16.255.22: icmp_seq=2 ttl=64 time=0.259 ms
^C
--- 172.16.255.22 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1008ms
rtt min/avg/max/mdev = 0.134/0.196/0.259/0.062 ms
// node ns ping master ns
ip netns exec vm2 ping 172.16.255.11
PING 172.16.255.11 (172.16.255.11) 56(84) bytes of data.
64 bytes from 172.16.255.11: icmp_seq=1 ttl=64 time=1.39 ms
64 bytes from 172.16.255.11: icmp_seq=2 ttl=64 time=0.263 ms
^C
--- 172.16.255.11 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.263/0.826/1.390/0.563 ms
// 结果展示
// master(10.231.2.197)
root@10-231-2-197:/home/ubuntu# ovs-vsctl show
42100764-a244-4f7c-b4d6-2a647ed870cf
Bridge br-int
fail_mode: secure
Port vm1
Interface vm1
type: internal
Port br-int
Interface br-int
type: internal
Port ovn-3373db-0
Interface ovn-3373db-0
type: geneve
options: {csum="true", key=flow, remote_ip="10.231.2.198"}
ovs_version: "2.13.5"
root@10-231-2-197:/home/ubuntu# ovn-nbctl show
switch 4b14b3f0-9427-452f-8830-c49d3a467fcd (ls1)
port ls1-vm1
addresses: ["02:ac:10:ff:00:11"]
port ls1-vm2
addresses: ["02:ac:10:ff:00:22"]
root@10-231-2-197:/home/ubuntu# ovn-sbctl show
Chassis "3373db29-21f4-4296-ad04-6706e4211ad1"
hostname: "10-231-2-198"
Encap geneve
ip: "10.231.2.198"
options: {csum="true"}
Port_Binding ls1-vm2
Chassis "7556c850-e327-46ed-bd55-1d8d71f8f83a"
hostname: "10-231-2-197"
Encap geneve
ip: "10.231.2.197"
options: {csum="true"}
Port_Binding ls1-vm1
// node(10.231.2.198)
root@10-231-2-198:/home/ubuntu# ovs-vsctl show
2276a1b7-7b90-4a23-8e25-5db1da514406
Bridge br-int
fail_mode: secure
Port ovn-7556c8-0
Interface ovn-7556c8-0
type: geneve
options: {csum="true", key=flow, remote_ip="10.231.2.197"}
Port br-int
Interface br-int
type: internal
Port vm2
Interface vm2
type: internal
ovs_version: "2.13.5"
// create acl
# to-lport ACLs are evaluated on the switch egress side; this one drops ICMP
# destined to ls1-vm1 at priority 998.  The port name inside the match has to
# be a quoted string for OVN, hence the escaped inner quotes.
ovn-nbctl acl-add ls1 to-lport 998 "outport == \"ls1-vm1\" && icmp" drop
// list acl
ovn-nbctl acl-list ls1
to-lport 998 (outport == "ls1-vm1" && icmp) drop
// check if drop
ip netns exec vm1 ping 172.16.255.22
PING 172.16.255.22 (172.16.255.22) 56(84) bytes of data.
^C
--- 172.16.255.22 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1016ms
// delete acl
# acl-del identifies the rule by direction, priority and the exact match text
# used in acl-add.
ovn-nbctl acl-del ls1 to-lport 998 "outport == \"ls1-vm1\" && icmp"
// check if pass
ip netns exec vm1 ping 172.16.255.22
PING 172.16.255.22 (172.16.255.22) 56(84) bytes of data.
64 bytes from 172.16.255.22: icmp_seq=1 ttl=64 time=1.03 ms
64 bytes from 172.16.255.22: icmp_seq=2 ttl=64 time=0.234 ms
^C
--- 172.16.255.22 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.234/0.630/1.027/0.396 ms
注意与上面的实验区分:上面的交换机实验也使用了 ls1,如果紧接着上一个实验继续做,需要将下面命令中的 ls1、ls2 改为 ls-1、ls-2 之类的名字,以防止互相影响。
所有ovn-nbctl操作都在ovn-master节点上执行
// 创建logical switch
ovn-nbctl ls-add ls1
ovn-nbctl ls-add ls2
// 创建 logical port ls1-veth1
# Address strings are "MAC IP".  Supplying the IP is what gives northd the
# static neighbour entries used later (the lr_in_arp_resolve step in the
# trace below resolves 1.1.1.100 to this MAC without real ARP).
# NOTE(review): unlike ls1-vm1/ls1-vm2 above, none of these ports get
# lsp-set-port-security, so nothing stops a namespace from using another
# MAC/IP -- keep that in mind for the source-IP based ACLs further down.
ovn-nbctl lsp-add ls1 ls1-veth1
ovn-nbctl lsp-set-addresses ls1-veth1 "aa:aa:aa:11:11:aa 1.1.1.100"
// 创建 logical port ls1-veth3
ovn-nbctl lsp-add ls1 ls1-veth3
ovn-nbctl lsp-set-addresses ls1-veth3 "aa:aa:aa:11:11:bb 1.1.1.200"
// 创建 logical port ls2-veth5
ovn-nbctl lsp-add ls2 ls2-veth5
ovn-nbctl lsp-set-addresses ls2-veth5 "aa:aa:aa:22:22:aa 2.1.1.100"
// 创建 logical port ls2-veth7
ovn-nbctl lsp-add ls2 ls2-veth7
ovn-nbctl lsp-set-addresses ls2-veth7 "aa:aa:aa:22:22:bb 2.1.1.200"
// 创建逻辑路由器
ovn-nbctl lr-add lr
// 创建逻辑路由器port
# Router port for the 1.1.1.0/24 segment: MAC plus gateway address/prefix.
ovn-nbctl lrp-add lr lr1-port 00:00:00:00:10:00 1.1.1.1/24
// 创建逻辑交换机port并关联路由器port
# The switch side is a port of type "router" whose router-port option names
# the LRP.  Its address must match the LRP's MAC/IP so that frames addressed
# to the gateway MAC are forwarded into the router (see the ls_in_l2_lkup ->
# ls2-port step in the trace below).
ovn-nbctl lsp-add ls1 ls1-port
ovn-nbctl lsp-set-type ls1-port router
ovn-nbctl lsp-set-addresses ls1-port "00:00:00:00:10:00 1.1.1.1"
ovn-nbctl lsp-set-options ls1-port router-port=lr1-port
// 创建逻辑路由器port
# Same pattern for the 2.1.1.0/24 segment.
ovn-nbctl lrp-add lr lr2-port 00:00:00:00:20:00 2.1.1.1/24
// 创建逻辑交换机port并关联路由器port
ovn-nbctl lsp-add ls2 ls2-port
ovn-nbctl lsp-set-type ls2-port router
ovn-nbctl lsp-set-addresses ls2-port "00:00:00:00:20:00 2.1.1.1"
ovn-nbctl lsp-set-options ls2-port router-port=lr2-port
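# --- run on ovn-master: namespace ns1 attached to ls1-veth1 (1.1.1.100).
# A veth pair is used: veth1 stays in the root namespace and is plugged into
# br-int, its peer veth2 is moved into ns1 and acts as the "VM" NIC.
ip netns add ns1
ip link add veth1 type veth peer name veth2
# iproute2 instead of ifconfig: net-tools is not installed by default on
# current Ubuntu, and every other command in these notes already uses `ip`.
ip link set veth1 up
ip link set veth2 up
ip link set veth2 netns ns1
# MAC and IP must match lsp-set-addresses for ls1-veth1 so northd's L2 lookup
# and static ARP resolution point at this port.
ip netns exec ns1 ip link set veth2 address aa:aa:aa:11:11:aa
ip netns exec ns1 ip addr add 1.1.1.100/24 dev veth2
ip netns exec ns1 ip link set veth2 up
# Default route via the logical router port lr1-port (1.1.1.1).
ip netns exec ns1 ip r add default via 1.1.1.1
# Plug the root-side end into br-int and bind it to the logical port.
ovs-vsctl add-port br-int veth1
ovs-vsctl set Interface veth1 external_ids:iface-id=ls1-veth1
# Sanity check of the namespace's addressing.
ip netns exec ns1 ip addr show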
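# --- run on ovn-master: namespace ns2 attached to ls1-veth3 (1.1.1.200),
# same host and same logical switch as ns1.
ip netns add ns2
ip link add veth3 type veth peer name veth4
# iproute2 instead of ifconfig: net-tools is not installed by default on
# current Ubuntu, and every other command in these notes already uses `ip`.
ip link set veth3 up
ip link set veth4 up
ip link set veth4 netns ns2
# MAC and IP must match lsp-set-addresses for ls1-veth3.
ip netns exec ns2 ip link set veth4 address aa:aa:aa:11:11:bb
ip netns exec ns2 ip addr add 1.1.1.200/24 dev veth4
ip netns exec ns2 ip link set veth4 up
# Default route via lr1-port (1.1.1.1).
ip netns exec ns2 ip r add default via 1.1.1.1
# Plug the root-side end into br-int and bind it to the logical port.
ovs-vsctl add-port br-int veth3
ovs-vsctl set Interface veth3 external_ids:iface-id=ls1-veth3
# Sanity check of the namespace's addressing.
ip netns exec ns2 ip addr show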
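# --- run on ovn-node: namespace ns3 attached to ls2-veth5 (2.1.1.100) on the
# second logical switch; traffic to ls1 crosses the logical router and the
# Geneve tunnel.
ip netns add ns3
ip link add veth5 type veth peer name veth6
# iproute2 instead of ifconfig: net-tools is not installed by default on
# current Ubuntu, and every other command in these notes already uses `ip`.
ip link set veth5 up
ip link set veth6 up
ip link set veth6 netns ns3
# MAC and IP must match lsp-set-addresses for ls2-veth5.
ip netns exec ns3 ip link set veth6 address aa:aa:aa:22:22:aa
ip netns exec ns3 ip addr add 2.1.1.100/24 dev veth6
ip netns exec ns3 ip link set veth6 up
# Default route via the logical router port lr2-port (2.1.1.1).
ip netns exec ns3 ip r add default via 2.1.1.1
# Plug the root-side end into br-int and bind it to the logical port.
ovs-vsctl add-port br-int veth5
ovs-vsctl set Interface veth5 external_ids:iface-id=ls2-veth5
# Sanity check of the namespace's addressing.
ip netns exec ns3 ip addr show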
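# --- run on ovn-node: namespace ns4 attached to ls2-veth7 (2.1.1.200).
ip netns add ns4
ip link add veth7 type veth peer name veth8
# iproute2 instead of ifconfig: net-tools is not installed by default on
# current Ubuntu, and every other command in these notes already uses `ip`.
ip link set veth7 up
ip link set veth8 up
ip link set veth8 netns ns4
# MAC and IP must match lsp-set-addresses for ls2-veth7.
ip netns exec ns4 ip link set veth8 address aa:aa:aa:22:22:bb
ip netns exec ns4 ip addr add 2.1.1.200/24 dev veth8
ip netns exec ns4 ip link set veth8 up
# Default route via lr2-port (2.1.1.1).
ip netns exec ns4 ip r add default via 2.1.1.1
# Plug the root-side end into br-int and bind it to the logical port.
ovs-vsctl add-port br-int veth7
ovs-vsctl set Interface veth7 external_ids:iface-id=ls2-veth7
# Sanity check of the namespace's addressing.
ip netns exec ns4 ip addr show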
下面的结果展示中,ls1 和 ls2 有时会显示为 ls-1、ls-2:为了避免与上述实验冲突,逻辑交换机的名字由 ls1、ls2 改成了 ls-1、ls-2;展示的结果部分取自用 ls1、ls2 做的实验,部分取自用 ls-1、ls-2 做的实验。
// ovn-nbctl show
switch bfeecb70-d36e-479a-9050-567c40d5fe2b (ls1)
port ls1-veth3
addresses: ["aa:aa:aa:11:11:bb 1.1.1.200"]
port ls1-port
type: router
addresses: ["00:00:00:00:10:00 1.1.1.1"]
router-port: lr1-port
port ls1-veth1
addresses: ["aa:aa:aa:11:11:aa 1.1.1.100"]
switch 8f43cfaf-ce6b-48f9-a0f3-9bc3104c1feb (ls2)
port ls2-veth7
addresses: ["aa:aa:aa:22:22:bb 2.1.1.200"]
port ls2-veth5
addresses: ["aa:aa:aa:22:22:aa 2.1.1.100"]
port ls2-port
type: router
addresses: ["00:00:00:00:20:00 2.1.1.1"]
router-port: lr2-port
router 4e7e7acc-9cbc-4be8-b1db-f8003a20b6ec (lr)
port lr1-port
mac: "00:00:00:00:10:00"
networks: ["1.1.1.1/24"]
port lr2-port
mac: "00:00:00:00:20:00"
networks: ["2.1.1.1/24"]
// ovn-sbctl show
Chassis "3373db29-21f4-4296-ad04-6706e4211ad1"
hostname: "10-231-2-198"
Encap geneve
ip: "10.231.2.198"
options: {csum="true"}
Port_Binding ls1-vm2
Port_Binding ls2-veth7
Port_Binding ls2-veth5
Chassis "7556c850-e327-46ed-bd55-1d8d71f8f83a"
hostname: "10-231-2-197"
Encap geneve
ip: "10.231.2.197"
options: {csum="true"}
Port_Binding ls1-veth3
Port_Binding ls1-vm1
Port_Binding ls1-veth1
// ovn-nbctl show
switch e2ccac1c-9dc2-4bfc-98a4-90b208631939 (ls-1)
port ls1-veth3
addresses: ["aa:aa:aa:11:11:bb 1.1.1.200"]
port ls1-veth1
addresses: ["aa:aa:aa:11:11:aa 1.1.1.100"]
port ls1-port
type: router
addresses: ["00:00:00:00:10:00 1.1.1.1"]
router-port: lr1-port
switch 62d4017d-7235-40dd-ac01-acae8d19689c (ls-2)
port ls2-port
type: router
addresses: ["00:00:00:00:20:00 2.1.1.1"]
router-port: lr2-port
port ls2-veth5
addresses: ["aa:aa:aa:22:22:aa 2.1.1.100"]
port ls2-veth7
addresses: ["aa:aa:aa:22:22:bb 2.1.1.200"]
router 2cb4fb72-04ea-41d1-8efd-4599811850aa (lr)
port lr2-port
mac: "00:00:00:00:20:00"
networks: ["2.1.1.1/24"]
port lr1-port
mac: "00:00:00:00:10:00"
networks: ["1.1.1.1/24"]
// ns1 ping ns2
[root@ovn-master ~]# ip netns exec ns1 ping 1.1.1.200
PING 1.1.1.200 (1.1.1.200) 56(84) bytes of data.
64 bytes from 1.1.1.200: icmp_seq=1 ttl=64 time=0.397 ms
64 bytes from 1.1.1.200: icmp_seq=2 ttl=64 time=0.054 ms
// ns1 ping ns3
[root@ovn-master ~]# ip netns exec ns1 ping 2.1.1.100
PING 2.1.1.100 (2.1.1.100) 56(84) bytes of data.
64 bytes from 2.1.1.100: icmp_seq=1 ttl=63 time=13.5 ms
64 bytes from 2.1.1.100: icmp_seq=2 ttl=63 time=0.290 ms
// ns1 ping ns4
[root@ovn-master ~]# ip netns exec ns1 ping 2.1.1.200
PING 2.1.1.200 (2.1.1.200) 56(84) bytes of data.
64 bytes from 2.1.1.200: icmp_seq=1 ttl=63 time=1.03 ms
64 bytes from 2.1.1.200: icmp_seq=2 ttl=63 time=0.274 ms
// ls1 的 ns1 上启动web服务,ovn-master 节点上执行
# Serve a one-file site from inside ns1.
# NOTE(review): /tmp/www is a fixed, predictable path under a world-writable
# directory; fine on a single-user lab host, but on a shared machine prefer
# mktemp -d (and `rm -rf -- "$dir"`) so another local user cannot pre-create
# or replace it.
rm /tmp/www -rf
mkdir -p /tmp/www
echo "i am ns1" > /tmp/www/index.html
cd /tmp/www
# Python 2 SimpleHTTPServer serves the current directory on 0.0.0.0 with no
# authentication; inside ns1 that is only veth2, i.e. the logical network the
# ACL tests below exercise.  The python3 equivalent is
# `python3 -m http.server 8000`.
ip netns exec ns1 python2.7 -m SimpleHTTPServer 8000
// 服务连通性验证
// 客户端
[root@ovn-node1 ~]# ip netns exec ns3 curl 1.1.1.100:8000
i am ns1
[root@ovn-node1 ~]# ip netns exec ns4 curl 1.1.1.100:8000
i am ns1
// 服务端
[root@ovn-master www]# ip netns exec ns1 python -m SimpleHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...
1.1.1.200 - - [22/Jul/2022 14:09:34] "GET / HTTP/1.1" 200 -
2.1.1.100 - - [22/Jul/2022 14:09:46] "GET / HTTP/1.1" 200 -
2.1.1.200 - - [22/Jul/2022 14:09:50] "GET / HTTP/1.1" 200 -
// 从 ls1-veth1(ns1)发出和发往 ls1-veth1 的 ip 报文默认 drop:
# Baseline deny for ls1-veth1 in both directions at the lowest priority (0).
# to-lport is evaluated as traffic leaves the switch towards the port,
# from-lport as it enters from the port.  `ip` covers IPv4 and IPv6 but not
# ARP, so neighbour resolution keeps working -- which is why the curls below
# time out instead of failing immediately.
ovn-nbctl acl-add ls1 to-lport 0 'outport == "ls1-veth1" && ip' drop
ovn-nbctl acl-add ls1 from-lport 0 'inport == "ls1-veth1" && ip' drop
// 验证
// 客户端
[root@ovn-node1 ~]# ip netns exec ns3 curl 1.1.1.100:8000
curl: (7) Failed connect to 1.1.1.100:8000; Connection timed out
[root@ovn-node1 ~]# ip netns exec ns4 curl 1.1.1.100:8000
curl: (7) Failed connect to 1.1.1.100:8000; Connection timed out
// 服务端
[root@ovn-master ~]# ip netns exec ns2 curl 1.1.1.100:8000
curl: (7) Failed connect to 1.1.1.100:8000; Connection timed out
// 再添加一个高优先级的acl规则,使ls2上的两个ns可以访问web服务
// 只允许 2.1.1.0/24 网段的ip访问8000服务,优先级是1000
# allow-related (rather than allow) sends the connection through conntrack,
# so the server's replies get out even though the from-lport 0 rule above
# drops all IP leaving ls1-veth1: the reply direction is matched by the
# established-connection flows that allow-related installs.
# NOTE(review): this is a source-IP-only check.  None of the ports created in
# this experiment have lsp-set-port-security, so "2.1.1.0/24" is only as
# trustworthy as the attached namespaces; apply port security to the ls1/ls2
# ports (as was done for ls1-vm1/ls1-vm2) before relying on ip4.src in ACLs.
ovn-nbctl acl-add ls1 to-lport 1000 'outport == "ls1-veth1" && ip4.src == 2.1.1.0/24 && tcp.dst == 8000' allow-related
// 验证
// 客户端
[root@ovn-node1 ~]# ip netns exec ns4 curl 1.1.1.100:8000
i am ns1
[root@ovn-node1 ~]# ip netns exec ns3 curl 1.1.1.100:8000
i am ns1
// 服务端
[root@ovn-master ~]# ip netns exec ns2 curl 1.1.1.100:8000
curl: (7) Failed connect to 1.1.1.100:8000; Connection timed out
// 查看ACL
[root@ovn-master ~]# ovn-nbctl acl-list ls1
from-lport 0 (inport == "ls1-veth1" && ip) drop
to-lport 1000 (outport == "ls1-veth1" && ip4.src == 2.1.1.0/24 && tcp.dst == 8000) allow-related
to-lport 0 (outport == "ls1-veth1" && ip) drop
访问不存在的 mac 地址(00:00:00:00:70:00)和 ip 地址(1.1.1.101):流量被丢弃
root@10-231-2-197:/home/ubuntu# ovn-trace --detailed ls-2 'inport == "ls2-veth5" && eth.src == aa:aa:aa:22:22:aa && ip4.src == 1.1.1.100 && eth.dst == 00:00:00:00:70:00 && ip4.dst == 1.1.1.101 && ip.ttl == 64 && tcp.dst == 8000'
# tcp,reg14=0x1,vlan_tci=0x0000,dl_src=aa:aa:aa:22:22:aa,dl_dst=00:00:00:00:70:00,nw_src=1.1.1.100,nw_dst=1.1.1.101,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=8000,tcp_flags=0
ingress(dp="ls-2", inport="ls2-veth5")
--------------------------------------
0. ls_in_port_sec_l2 (ovn-northd.c:4547): inport == "ls2-veth5", priority 50, uuid 072f9a21
next;
19. ls_in_l2_lkup: no match (implicit drop)
流量从 ls2-veth5 口进入,访问 1.1.1.100 地址:能通。注意目的 mac 必须是 ls2-veth5 所在网段网关(ls2-port)的 mac,而不是 1.1.1.100 的 mac,否则 L2 查找不到就会被丢弃。
root@10-231-2-197:/home/ubuntu# ovn-trace --detailed ls-2 'inport == "ls2-veth5" && eth.src == aa:aa:aa:22:22:aa && ip4.src == 2.1.1.100 && eth.dst == 00:00:00:00:20:00 && ip4.dst == 1.1.1.100 && ip.ttl == 64 && tcp.dst == 8000'
# tcp,reg14=0x1,vlan_tci=0x0000,dl_src=aa:aa:aa:22:22:aa,dl_dst=00:00:00:00:20:00,nw_src=2.1.1.100,nw_dst=1.1.1.100,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=8000,tcp_flags=0
// 流量先从ls2-veth5口进入交换机
ingress(dp="ls-2", inport="ls2-veth5")
--------------------------------------
0. ls_in_port_sec_l2 (ovn-northd.c:4547): inport == "ls2-veth5", priority 50, uuid 072f9a21
next;
19. ls_in_l2_lkup (ovn-northd.c:6817): eth.dst == 00:00:00:00:20:00, priority 50, uuid 25631cb2
outport = "ls2-port";
output;
// 根据目的mac,流量从交换机的ls2-port口出去,进入到路由器
egress(dp="ls-2", inport="ls2-veth5", outport="ls2-port")
---------------------------------------------------------
9. ls_out_port_sec_l2 (ovn-northd.c:4613): outport == "ls2-port", priority 50, uuid ce78246f
output;
/* output to "ls2-port", type "patch" */
// 来自交换机ls2-port口的流量来到路由器lr2-port口
ingress(dp="lr", inport="lr2-port")
-----------------------------------
0. lr_in_admission (ovn-northd.c:7877): eth.dst == 00:00:00:00:20:00 && inport == "lr2-port", priority 50, uuid 3cfc8f33
next;
1. lr_in_lookup_neighbor (ovn-northd.c:7926): 1, priority 0, uuid 1f0219bb
reg9[3] = 1;
next;
2. lr_in_learn_neighbor (ovn-northd.c:7931): reg9[3] == 1 || reg9[2] == 1, priority 100, uuid 1917fd6b
next;
9. lr_in_ip_routing (ovn-northd.c:7504): ip4.dst == 1.1.1.0/24, priority 49, uuid 49d26e69
ip.ttl--;
reg8[0..15] = 0;
reg0 = ip4.dst;
reg1 = 1.1.1.1;
eth.src = 00:00:00:00:10:00;
outport = "lr1-port";
flags.loopback = 1;
next;
10. lr_in_ip_routing_ecmp (ovn-northd.c:9421): reg8[0..15] == 0, priority 150, uuid 1806d3bc
next;
12. lr_in_arp_resolve (ovn-northd.c:9682): outport == "lr1-port" && reg0 == 1.1.1.100, priority 100, uuid 3d562d88
eth.dst = aa:aa:aa:11:11:aa;
next;
16. lr_in_arp_request (ovn-northd.c:10101): 1, priority 0, uuid e06c24f5
output;
// 流量从路由器的lr2-port口进入,从lr1-port口出去,到达交换机ls-1
egress(dp="lr", inport="lr2-port", outport="lr1-port")
------------------------------------------------------
3. lr_out_delivery (ovn-northd.c:10146): outport == "lr1-port", priority 100, uuid 2cbd65cd
output;
/* output to "lr1-port", type "patch" */
// 流量从交换机ls1-port口进入
ingress(dp="ls-1", inport="ls1-port")
-------------------------------------
0. ls_in_port_sec_l2 (ovn-northd.c:4547): inport == "ls1-port", priority 50, uuid d701d026
next;
3. ls_in_pre_acl (ovn-northd.c:4688): ip && inport == "ls1-port", priority 110, uuid cb1da5fe
next;
19. ls_in_l2_lkup (ovn-northd.c:6817): eth.dst == aa:aa:aa:11:11:aa, priority 50, uuid 970493fd
outport = "ls1-veth1";
output;
// 流量从交换机ls1-veth1口出去,到达veth1设备
egress(dp="ls-1", inport="ls1-port", outport="ls1-veth1")
---------------------------------------------------------
1. ls_out_pre_acl (ovn-northd.c:4738): ip, priority 100, uuid de86b516
reg0[0] = 1;
next;
2. ls_out_pre_stateful (ovn-northd.c:4925): reg0[0] == 1, priority 100, uuid 0ed09d27
ct_next;
ct_next(ct_state=est|trk /* default (use --ct to customize) */)
---------------------------------------------------------------
4. ls_out_acl (ovn-northd.c:5116): (!ct.trk || (!ct.new && ct.est && !ct.rpl && ct_label.blocked == 0)) && (outport == "ls1-veth1" && ip4.src == 2.1.1.0/24 && tcp.dst == 8000), priority 2000, uuid 0694676a
next;
9. ls_out_port_sec_l2 (ovn-northd.c:4613): outport == "ls1-veth1", priority 50, uuid 779f258d
output;
/* output to "ls1-veth1", type "" */
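# Allow all IP traffic entering ls1 from port ls1-vm1, plus the related
# return traffic.  The whole match is single-quoted so the double quotes
# around the port name reach OVN intact -- nesting them inside a
# double-quoted shell string strips them and OVN rejects the match.
ovn-nbctl acl-add ls1 from-lport 1000 'inport == "ls1-vm1" && ip' allow-related
# Allow SSH to ls1-vm1 (and its replies).
ovn-nbctl acl-add ls1 to-lport 999 'outport == "ls1-vm1" && tcp.dst == 22' allow-related
# Drop every other IPv4/IPv6 packet destined to ls1-vm1; one priority below
# the SSH allow, so the two rules form an allow-list.
ovn-nbctl acl-add ls1 to-lport 998 'outport == "ls1-vm1" && ip' drop
# Address set holding the two ls2 namespace IPs.
ovn-nbctl create Address_Set name=ns_2_ipset addresses='2.1.1.100 2.1.1.200'
# Use the set: only members of ns_2_ipset may reach TCP port 8000 on
# ls1-veth1.  Single quotes are required here so the shell does not expand
# $ns_2_ipset; OVN resolves the $name reference itself.
ovn-nbctl acl-add ls1 to-lport 1000 'outport == "ls1-veth1" && ip4.src == $ns_2_ipset && tcp.dst == 8000' allow-related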