lesson1: Implementing one-way IP communication with OVS conntrack



[Figure: topology diagram]

Objective

Build the network topology shown above with OVS and, by configuring flow rules that use conntrack, achieve the following:

    1. vm1 can ping vm2

    2. vm2 cannot ping vm1


Lab environment

CentOS Linux release 7.2.1511 (Core)

Building the base environment

git clone https://github.com/cao19881125/ovn_lab.git

cd ovn_lab/docker

docker build -t ovn_lab:v1 .

yum install package/openvswitch-kmod-2.7.90-1.el7.centos.x86_64.rpm


Starting the container

cd ovn_lab

# Assign the variable in its own command: in `VAR=x cmd $VAR` the argument is expanded before the assignment takes effect, so the bind mount path would be empty.
OVN_LAB_DIR=$(pwd)

docker run -it -d --privileged -v "$OVN_LAB_DIR/lesson:/root/ovn_lab/lesson" --name 'ovn_lab' ovn_lab:v1 bash

docker exec -it ovn_lab bash

Creating the network topology

start_ovs.sh

/root/ovn_lab/lesson/list/lesson1/create_topo.sh

Adding the flows

ovs-ofctl add-flow br-int table=0,priority=100,arp,action=normal

ovs-ofctl add-flow br-int table=0,priority=100,ip,ct_state=-trk,action=ct\(table=1\)

ovs-ofctl add-flow br-int table=1,in_port=1,ip,ct_state=+trk+new,action=ct\(commit\),2

ovs-ofctl add-flow br-int table=1,in_port=1,ip,ct_state=+trk+est,action=2

ovs-ofctl add-flow br-int table=1,in_port=2,ip,ct_state=+trk+new,action=drop

ovs-ofctl add-flow br-int table=1,in_port=2,ip,ct_state=+trk+est,action=1

Testing

vm1 pings vm2

# ip netns exec vm1 ping 10.0.0.20

PING 10.0.0.20 (10.0.0.20) 56(84) bytes of data.

64 bytes from 10.0.0.20: icmp_seq=1 ttl=64 time=0.314 ms

64 bytes from 10.0.0.20: icmp_seq=2 ttl=64 time=0.217 ms

vm2 pings vm1

# ip netns exec vm2 ping 10.0.0.10 -w 3

PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data.

--- 10.0.0.10 ping statistics ---

4 packets transmitted, 0 received, 100% packet loss, time 2999ms


Flow table explanation

1. table=0,priority=100,arp,action=normal

    Lets ARP through (normal L2 forwarding), so the two VMs can resolve each other's MAC addresses.

2. table=0,priority=100,ip,ct_state=-trk,action=ct(table=1)

    IP packets that are still untracked are sent to conntrack; after processing, they continue in table 1 with their ct_state set.

3. table=1,in_port=1,ip,ct_state=+trk+new,action=ct(commit),2

    New-state IP packets arriving from vm1 are committed to conntrack and sent out port 2.

4. table=1,in_port=1,ip,ct_state=+trk+est,action=2

    Established-state packets arriving from vm1 are sent out port 2.

5. table=1,in_port=2,ip,ct_state=+trk+new,action=drop

    New-state packets arriving from vm2 are dropped outright.

6. table=1,in_port=2,ip,ct_state=+trk+est,action=1

    Established-state packets arriving from vm2 (i.e. replies to a connection vm1 opened) are sent out port 1.
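The six flows above, modelled in Python as an added example (not code from the post or from the ovn_lab repository): the conntrack table is a constructed stand-in that commits a tuple and reports +est for either direction of a committed connection, which shows why vm2's echo reply passes while a vm2-initiated echo request is dropped.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    in_port: int      # 1 = vm1 side, 2 = vm2 side
    src: str
    dst: str
    proto: str        # "ip" or "arp"
    flow_id: int = 0  # stands in for the L4 tuple (e.g. ICMP echo id); constructed

class ConntrackSim:
    """Constructed stand-in for the kernel conntrack table: committed tuples."""
    def __init__(self):
        self.committed = set()

    def state(self, p):
        # A packet matching a committed tuple in either direction is +est,
        # anything else is +new (the first packet of a connection).
        orig = (p.src, p.dst, p.proto, p.flow_id)
        reply = (p.dst, p.src, p.proto, p.flow_id)
        return "est" if orig in self.committed or reply in self.committed else "new"

    def commit(self, p):
        self.committed.add((p.src, p.dst, p.proto, p.flow_id))

def pipeline(ct, p):
    """Walk one packet through the six flows; return output port or 'drop'."""
    if p.proto == "arp":                 # table=0,priority=100,arp,action=normal
        return "normal"
    st = ct.state(p)                     # table=0,ip,ct_state=-trk,action=ct(table=1)
    if p.in_port == 1 and st == "new":   # table=1,in_port=1,+trk+new -> ct(commit),2
        ct.commit(p)
        return 2
    if p.in_port == 1 and st == "est":   # table=1,in_port=1,+trk+est -> 2
        return 2
    if p.in_port == 2 and st == "new":   # table=1,in_port=2,+trk+new -> drop
        return "drop"
    if p.in_port == 2 and st == "est":   # table=1,in_port=2,+trk+est -> 1
        return 1
    return "drop"                        # table miss: OpenFlow drops by default

def demo():
    ct = ConntrackSim()
    req = Pkt(1, "10.0.0.10", "10.0.0.20", "ip", flow_id=1)  # vm1 echo request
    rep = Pkt(2, "10.0.0.20", "10.0.0.10", "ip", flow_id=1)  # vm2 echo reply
    bad = Pkt(2, "10.0.0.20", "10.0.0.10", "ip", flow_id=2)  # vm2-initiated request
    return pipeline(ct, req), pipeline(ct, rep), pipeline(ct, bad)
```

On the real switch you can confirm the same thing with `ovs-appctl dpctl/dump-conntrack` after the first ping from vm1: the committed entry is what turns vm2's reply into +est.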
