When Security Groups are enabled in Neutron, the anti-spoofing function is switched on as well. An application may, however, maintain its own VIP, and for that the allowed address pairs feature is needed.
The feature is implemented with iptables. The rules look like this:
# iptables -nvL neutron-openvswi-o08ccf4de-f
Chain neutron-openvswi-o08ccf4de-f (2 references)
 pkts bytes target                        prot opt in     out     source               destination
    8  2716 RETURN                        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67
 119K   11M neutron-openvswi-s08ccf4de-f  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP                          udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    0     0 DROP                          all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
 116K 9490K RETURN                        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 1906 1356K RETURN                        all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0

# iptables -nvL neutron-openvswi-s08ccf4de-f
Chain neutron-openvswi-s08ccf4de-f (1 references)
 pkts bytes target                        prot opt in     out     source               destination
53112 6436K RETURN                        all  --  *      *       10.224.148.51        0.0.0.0/0            MAC FA:16:3E:38:38:90
    0     0 DROP                          all  --  *      *       0.0.0.0/0            0.0.0.0/0
10.224.148.51 is this VM's IP. As the neutron-openvswi-s chain shows, outbound packets whose source address (and MAC) is anything other than this VM's own are dropped.
The allowed address pairs extension API is documented here:
http://docs.openstack.org/api/openstack-network/2.0/content/allowed_address_pair_ext.html
In my test I used the following API call to set an allowed address pair:
curl -i https://10.224.159.113:443/v2.0/ports/08ccf4de-f6e2-4d4d-bcdf-55532e93f32f -X PUT -d '{"port":{"allowed_address_pairs":[{"ip_address": "10.224.148.59"}]}}' -H "X-Auth-Token: 1969e5caed5949b98c64a2556d5b43e2" -H "Accept: application/json" -H "Content-Type: application/json"
CLI:
neutron port-update 08ccf4de-d6e2-4d4d-bcdf-55532e93f32f --allowed-address-pairs type=dict list=true ip_address=10.224.148.59
After the update, port-list shows the allowed_address_pairs information:
+-----------------------+--------------------------------------------------------------------------------------+
| Field                 | Value                                                                                |
+-----------------------+--------------------------------------------------------------------------------------+
| admin_state_up        | True                                                                                 |
| allowed_address_pairs | {"ip_address": "10.224.148.59", "mac_address": "fa:16:3e:38:38:90"}                  |
| binding:capabilities  | {"port_filter": true}                                                                |
| binding:host_id       | ci91szcmp004.webex.com                                                               |
| binding:vif_type      | ovs                                                                                  |
| device_id             | 232e6621-69cc-4631-8996-732d32e9e5a4                                                 |
| device_owner          | compute:nova                                                                         |
| extra_dhcp_opts       |                                                                                      |
| fixed_ips             | {"subnet_id": "bf4e762a-b4b4-4f03-80ea-20dd30ba7159", "ip_address": "10.224.148.51"} |
| id                    | 08ccf4de-f6e2-4d4d-bcdf-55532e93f32f                                                 |
| mac_address           | fa:16:3e:38:38:90                                                                    |
| name                  |                                                                                      |
| network_id            | 218203a4-bc92-4c0e-a245-654e0e3ccefe                                                 |
| security_groups       | 6fbd7353-ccfa-4e16-864b-79b74409d39f                                                 |
| status                | ACTIVE                                                                               |
| tenant_id             | 097ee4a7afe0436d8c261dd0aa131fd5                                                     |
+-----------------------+--------------------------------------------------------------------------------------+
The anti-spoofing chain now carries an extra RETURN rule for the VIP, in front of the VM's own address:

# iptables -nvL neutron-openvswi-s08ccf4de-f
Chain neutron-openvswi-s08ccf4de-f (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   252 RETURN     all  --  *      *       10.224.148.59        0.0.0.0/0            MAC FA:16:3E:38:38:90
53112 6436K RETURN     all  --  *      *       10.224.148.51        0.0.0.0/0            MAC FA:16:3E:38:38:90
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
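To make the mapping from port data to the anti-spoofing chain explicit, here is an added example (my own code, not Neutron's iptables firewall driver) that rebuilds the chain shown above from the port's fixed IPs and allowed address pairs and then evaluates a source IP/MAC against it. It goes slightly beyond the page in accepting a CIDR as the pair's ip_address, which the extension also permits; the chain naming (prefix plus the first 10 characters of the port id) is a simplification that reproduces the name on this page, and the port dictionary is constructed from the page's values.

```python
import ipaddress

# Constructed port data mirroring the port on this page (example input, not live data).
PORT = {
    "id": "08ccf4de-f6e2-4d4d-bcdf-55532e93f32f",
    "mac_address": "fa:16:3e:38:38:90",
    "fixed_ips": [{"ip_address": "10.224.148.51"}],
    "allowed_address_pairs": [{"ip_address": "10.224.148.59"}],
}


def spoof_chain_name(port_id: str) -> str:
    """Simplified naming: prefix plus the first 10 characters of the port id."""
    return "neutron-openvswi-s" + port_id[:10]


def build_spoof_rules(port: dict) -> list:
    """Rules of the source-check chain: one RETURN per permitted (IP-or-CIDR, MAC)
    pair, allowed address pairs first, then the fixed IPs, then a catch-all DROP.
    A pair without its own mac_address inherits the port's MAC, as Neutron does."""
    chain = spoof_chain_name(port["id"])
    port_mac = port["mac_address"]
    allowed = [(p["ip_address"], p.get("mac_address", port_mac))
               for p in port.get("allowed_address_pairs", [])]
    allowed += [(f["ip_address"], port_mac) for f in port["fixed_ips"]]
    rules = [f"-A {chain} -s {ip} -m mac --mac-source {mac.upper()} -j RETURN"
             for ip, mac in allowed]
    rules.append(f"-A {chain} -j DROP")
    return rules


def source_allowed(port: dict, src_ip: str, src_mac: str) -> bool:
    """Walk the chain the way iptables does: the first matching rule decides."""
    src = ipaddress.ip_address(src_ip)
    for rule in build_spoof_rules(port):
        if rule.endswith("-j DROP"):
            return False
        fields = rule.split()
        net = ipaddress.ip_network(fields[fields.index("-s") + 1], strict=False)
        mac = fields[fields.index("--mac-source") + 1]
        if src in net and mac == src_mac.upper():
            return True
    return False
```

A VIP that is not listed (or is sent with a different MAC) falls through to the DROP, which is exactly the failure mode seen before the port update.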