Goal
Use OVS to build the following topology
ovs-bridge:br-int
|
vm1(10.0.0.10)
- Use flow tables to build a virtual gateway that supports:
- vm1 sends an ARP request for 10.0.0.1 and br-int replies automatically
- vm1 sends an ICMP request to 10.0.0.1 and br-int replies automatically
Lab environment
CentOS Linux release 7.2.1511 (Core)
Build the base environment
git clone https://github.com/cao19881125/ovn_lab.git
cd ovn_lab/docker
docker build -t ovn_lab:v1 .
yum install package/openvswitch-kmod-2.7.90-1.el7.centos.x86_64.rpm
Start the container
cd ovn_lab
OVN_LAB_DIR=`pwd` docker run -it -d --privileged -v $OVN_LAB_DIR/lesson:/root/ovn_lab/lesson --name 'ovn_lab' ovn_lab:v1 bash
docker exec -it ovn_lab bash
Create the network topology
start_ovs.sh
/root/ovn_lab/lesson/list/lesson2/create_topo.sh
Add flows
arp reply
add flow
ovs-ofctl add-flow br-int table=0,in_port=1,arp,arp_tpa=10.0.0.1,arp_op=1,actions=move:"NXM_OF_ETH_SRC[]->NXM_OF_ETH_DST[]",mod_dl_src:"02:ac:10:ff:01:01",load:"0x02->NXM_OF_ARP_OP[]",move:"NXM_NX_ARP_SHA[]->NXM_NX_ARP_THA[]",load:"0x02ac10ff0101->NXM_NX_ARP_SHA[]",move:"NXM_OF_ARP_SPA[]->NXM_OF_ARP_TPA[]",load:"0x0a000001->NXM_OF_ARP_SPA[]",in_port
Test
# ip netns exec vm1 ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
# ip netns exec vm1 ip neigh
10.0.0.1 dev vm1 lladdr 02:ac:10:ff:01:01 REACHABLE
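As the neighbor table shows, vm1 successfully obtained the virtual MAC address for 10.0.0.1.
Explanation
- move:"NXM_OF_ETH_SRC[]->NXM_OF_ETH_DST[]" uses the request's source MAC as the reply's destination MAC
- mod_dl_src:"02:ac:10:ff:01:01" sets the reply's source MAC to the virtual gateway's MAC
- load:"0x02->NXM_OF_ARP_OP[]" changes the ARP packet type to reply
- move:"NXM_NX_ARP_SHA[]->NXM_NX_ARP_THA[]" copies the source MAC in the request's ARP payload into the reply's target MAC
- load:"0x02ac10ff0101->NXM_NX_ARP_SHA[]" sets the source MAC in the reply's ARP payload
- move:"NXM_OF_ARP_SPA[]->NXM_OF_ARP_TPA[]" copies the request's source IP into the reply's target IP
- load:"0x0a000001->NXM_OF_ARP_SPA[]" sets the reply's source IP to the virtual gateway's IP; the value is the dotted-decimal address converted to the corresponding hexadecimal
- in_port sends the packet back out of the port it arrived on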
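The decimal-to-hex conversion and the action list explained above, generalized to any gateway IP and MAC, as an added example that is not part of the original post. The function names are hypothetical helpers; the output is the flow argument as ovs-ofctl receives it (the shell quotes from the command above are already removed), and malformed addresses are rejected before they reach the flow string.

```shell
#!/bin/sh
# Added example: build the ARP responder flow for a given port, gateway IP and MAC.
# ip_to_hex, mac_to_hex and arp_responder_flow are hypothetical helper names.

# ip_to_hex 10.0.0.1 -> 0x0a000001 (each decimal octet becomes two hex digits)
ip_to_hex() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the dotted quad into $1..$4
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        case $o in 0?*|????*) return 1 ;; esac   # no leading zeros, at most 3 digits
        [ "$o" -le 255 ] || return 1
    done
    printf '0x%02x%02x%02x%02x' "$1" "$2" "$3" "$4"
}

# mac_to_hex 02:ac:10:ff:01:01 -> 0x02ac10ff0101
mac_to_hex() {
    h='[0-9a-fA-F][0-9a-fA-F]'
    case $1 in $h:$h:$h:$h:$h:$h) ;; *) return 1 ;; esac
    printf '0x%s' "$(printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f')"
}

# arp_responder_flow PORT GATEWAY_IP GATEWAY_MAC -> flow spec for ovs-ofctl add-flow
arp_responder_flow() {
    port=$1 gw_ip=$2 gw_mac=$3
    case $port in ''|*[!0-9]*) return 1 ;; esac
    ip_hex=$(ip_to_hex "$gw_ip") || return 1
    mac_hex=$(mac_to_hex "$gw_mac") || return 1
    printf '%s' "table=0,in_port=$port,arp,arp_tpa=$gw_ip,arp_op=1,actions=" \
        "move:NXM_OF_ETH_SRC[]->NXM_OF_ETH_DST[],mod_dl_src:$gw_mac," \
        "load:0x02->NXM_OF_ARP_OP[],move:NXM_NX_ARP_SHA[]->NXM_NX_ARP_THA[]," \
        "load:$mac_hex->NXM_NX_ARP_SHA[],move:NXM_OF_ARP_SPA[]->NXM_OF_ARP_TPA[]," \
        "load:$ip_hex->NXM_OF_ARP_SPA[],in_port"
}

# Print the command for the gateway used in this lesson.
echo "ovs-ofctl add-flow br-int '$(arp_responder_flow 1 10.0.0.1 02:ac:10:ff:01:01)'"
```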
icmp reply
add flow
ovs-ofctl add-flow br-int table=0,in_port=1,icmp,nw_dst=10.0.0.1,icmp_type=8,icmp_code=0,actions=push:"NXM_OF_ETH_SRC[]",push:"NXM_OF_ETH_DST[]",pop:"NXM_OF_ETH_SRC[]",pop:"NXM_OF_ETH_DST[]",push:"NXM_OF_IP_SRC[]",push:"NXM_OF_IP_DST[]",pop:"NXM_OF_IP_SRC[]",pop:"NXM_OF_IP_DST[]",load:"0xff->NXM_NX_IP_TTL[]",load:"0->NXM_OF_ICMP_TYPE[]",in_port
Test
# ip netns exec vm1 ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=255 time=0.343 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=255 time=0.160 ms
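Explanation
- push:"NXM_OF_ETH_SRC[]" pushes the source MAC onto the top of the stack
- push:"NXM_OF_ETH_DST[]" pushes the destination MAC onto the top of the stack
- pop:"NXM_OF_ETH_SRC[]" pops a MAC from the top of the stack and assigns it to the source MAC
- pop:"NXM_OF_ETH_DST[]" pops a MAC from the top of the stack and assigns it to the destination MAC
These four steps swap the source and destination MAC addresses; the swap of the source and destination IP addresses that follows works the same way.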