Linux Policy Routing: Use Case and Verification

Test environment: CentOS 7 + OVS 2.4.0

Schematic

Topology


1. Assign the IP addresses to each port group and VM as shown in the topology.

2. Connect the two bridges qos_pri and policy_bridge with a pair of patch ports:

       ovs-vsctl add-port policy_bridge patch_to_qos
       ovs-vsctl set Interface patch_to_qos type=patch
       ovs-vsctl set Interface patch_to_qos options:peer=patch_to_policy
       ovs-vsctl show
       ovs-vsctl add-port qos_pri patch_to_policy
       ovs-vsctl set Interface patch_to_policy type=patch
       ovs-vsctl set Interface patch_to_policy options:peer=patch_to_qos

Without policy routing and without the patch ports

The VM cannot reach either port group. The reason is that by default packets for the 172.168.1.0 network leave through the test_pg interface, while the VM's packets only get as far as the qos_pri bridge, where forwarding stops.

[root@localhost ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         100.5.4.254     0.0.0.0         UG    100    0        0 eno1
100.5.4.0       0.0.0.0         255.255.252.0   U     100    0        0 eno1
172.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 test_pg
172.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 qos_pg
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 br-test
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

With the patch ports configured but no policy routing

The VM pings 1.15 and 1.10 in turn while packets are captured on both port groups.

tcpdump -i qos_pg -n -nn

Nothing is captured.

tcpdump -i test_pg -n -nn

The requests and replies for both 1.15 and 1.10 are captured here:

16:41:50.438155 IP 172.168.1.12 > 172.168.1.15: ICMP echo request, id 14797, seq 16, length 64
16:41:50.438205 IP 172.168.1.15 > 172.168.1.12: ICMP echo reply, id 14797, seq 16, length 64
16:41:21.217165 IP 172.168.1.12 > 172.168.1.10: ICMP echo request, id 14585, seq 1209, length 64
16:41:21.217226 IP 172.168.1.10 > 172.168.1.12: ICMP echo reply, id 14585, seq 1209, length 64

With policy routing and the patch ports configured

[root@localhost ~]# ip route add 172.168.1.0 via 172.168.1.15 dev qos_pg table 11
[root@localhost ~]# ip route add default via 172.168.1.15 dev qos_pg table 11
[root@localhost ~]# ip rule add from 172.168.1.15 table 11

[root@localhost ~]# tcpdump -i qos_pg -n -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on qos_pg, link-type EN10MB (Ethernet), capture size 65535 bytes
16:45:35.441155 IP 172.168.1.12 > 172.168.1.15: ICMP echo request, id 14797, seq 241, length 64
16:45:35.441214 IP 172.168.1.15 > 172.168.1.12: ICMP echo reply, id 14797, seq 241, length 64

[root@localhost ~]# tcpdump -i test_pg -n -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on test_pg, link-type EN10MB (Ethernet), capture size 65535 bytes
16:46:13.504134 IP 172.168.1.12 > 172.168.1.10: ICMP echo request, id 14842, seq 8, length 64
16:46:13.504214 IP 172.168.1.10 > 172.168.1.12: ICMP echo reply, id 14842, seq 8, length 64

Forwarding principle

[root@localhost ~]# ip rule show
0:      from all lookup local
32764:  from 172.168.1.15 lookup 11
32765:  from 10.1.1.3 lookup 10
32766:  from all lookup main
32767:  from all lookup default

[root@localhost ~]# ip route show table 11
default via 172.168.1.15 dev qos_pg
172.168.1.0 via 172.168.1.15 dev qos_pg

Route lookup follows the rule priorities shown above. With the rule that was added, packets whose source address is 172.168.1.15 are looked up in table 11, so it is enough for table 11 to set the outgoing interface to qos_pg.
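The lookup order just described, modelled offline as an added example (not code from the original post): it parses constructed copies of the page's `ip rule show` and `ip route show` output and resolves which table and egress interface a packet with a given source and destination takes, including the first-match tie between the two 172.168.1.0/24 routes in main and the fall-through when a table has no matching route.

```python
import ipaddress
# Constructed from the page's `ip rule show` / `ip route show` output (main table
# abbreviated). Tables not reproduced (local, 10) are empty: a miss falls through.
RULE_TEXT = """\
0:      from all lookup local
32764:  from 172.168.1.15 lookup 11
32765:  from 10.1.1.3 lookup 10
32766:  from all lookup main
32767:  from all lookup default
"""
TABLE_TEXT = {
    "main": """\
172.168.1.0/24 dev test_pg
172.168.1.0/24 dev qos_pg
""",
    "11": """\
default via 172.168.1.15 dev qos_pg
172.168.1.0 via 172.168.1.15 dev qos_pg
""",
}

def parse_rules(text):
    """[(priority, source or None for 'all', table)] sorted by priority."""
    rules = []
    for line in text.splitlines():
        prio, _, rest = line.partition(":")
        f = rest.split()
        src = None if f[1] == "all" else ipaddress.ip_address(f[1])
        rules.append((int(prio), src, f[f.index("lookup") + 1]))
    return sorted(rules, key=lambda r: r[0])

def parse_table(text):
    """[(network, via, dev)]; a bare address with no /len is a /32 host route."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        net = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0])
        via = f[f.index("via") + 1] if "via" in f else None
        routes.append((net, via, f[f.index("dev") + 1]))
    return routes

def lookup(src, dst):
    """(table, via, dev) for (src, dst), or None if no rule's table has a route."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, sel, table in parse_rules(RULE_TEXT):
        if sel is not None and sel != src:
            continue  # selector does not match; try the next rule
        hits = [r for r in parse_table(TABLE_TEXT.get(table, "")) if dst in r[0]]
        if hits:  # longest prefix wins; max() keeps the first of equal prefixes
            return (table,) + max(hits, key=lambda r: r[0].prefixlen)[1:]
```

Note that `ip route add 172.168.1.0 via ...` without a prefix length installs a /32 host route (shown by `ip route show` without the `/32`), so in table 11 it is the default route that actually carries the traffic to qos_pg.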



