ovs conntrack

[root@bogon SOURCES]# ovs-vsctl add-br br0
[root@bogon SOURCES]# ovs-vsctl add-port br0 veth_l0
[root@bogon SOURCES]# ovs-vsctl add-port br0 veth_r0
[root@bogon SOURCES]# ovs-appctl dpctl/dump-conntrack 
tcp,orig=(src=10.10.16.81,dst=10.10.16.81,sport=38860,dport=3306),reply=(src=10.10.16.81,dst=10.10.16.81,sport=3306,dport=38860),protoinfo=(state=ESTABLISHED)
tcp,orig=(src=10.10.16.81,dst=10.10.16.81,sport=39296,dport=3306),reply=(src=10.10.16.81,dst=10.10.16.81,sport=3306,dport=39296),protoinfo=(state=ESTABLISHED)
tcp,orig=(src=10.10.16.81,dst=10.10.16.81,sport=39110,dport=3306),reply=(src=10.10.16.81,dst=10.10.16.81,sport=3306,dport=39110),protoinfo=(state=ESTABLISHED)
tcp,orig=(src=10.10.16.81,dst=10.10.16.81,sport=48988,dport=5672),reply=(src=10.10.16.81,dst=10.10.16.81,sport=5672,dport=48988),protoinfo=(state=ESTABLISHED)
[root@bogon SOURCES]# ovs-vsctl show
73abacde-40c6-4c72-959a-4e4b32e76e04
    Bridge "br0"
        Port "br0"
            Interface "br0"
                type: internal
        Port "veth_l0"
            Interface "veth_l0"
        Port "veth_r0"
            Interface "veth_r0"
    ovs_version: "2.12.0"
[root@bogon SOURCES]# ovs-ofctl add-flow br0 
>          "table=0, priority=10, in_port=veth_l0, actions=veth_r0"
You have mail in /var/spool/mail/root
[root@bogon SOURCES]# ovs-ofctl add-flow br0 
>          "table=0, priority=10, in_port=veth_r0, actions=veth_l0"
[root@bogon SOURCES]# 
[root@bogon SOURCES]# ovs-appctl dpctl/dump-conntrack | grep "192.168.0.2"
 
[root@bogon SOURCES]# 
[root@bogon SOURCES]# ovs-ofctl dump-flows br0 
 cookie=0x0, duration=954.189s, table=0, n_packets=0, n_bytes=0, priority=10,in_port="veth_l0" actions=output:"veth_r0"
 cookie=0x0, duration=946.078s, table=0, n_packets=0, n_bytes=0, priority=10,in_port="veth_r0" actions=output:"veth_l0"
 cookie=0x0, duration=1269.463s, table=0, n_packets=0, n_bytes=0, priority=0 actions=NORMAL
[root@bogon SOURCES]# 

再添加两条流

[root@bogon SOURCES]# ovs-ofctl add-flow br0 
>    "table=0, priority=50, ct_state=-trk, tcp, in_port=veth_l0, actions=ct(table=0)"
[root@bogon SOURCES]# ovs-ofctl add-flow br0 
>     "table=0, priority=50, ct_state=+trk+new, tcp, in_port=veth_l0, actions=ct(commit),veth_r0"
[root@bogon SOURCES]# 
[root@bogon ~]# ip netns exec left bash
ABRT has detected 1 problem(s). For more info run: abrt-cli list --since 1627875894
[root@bogon ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
245: veth_l1@if246: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether ae:ca:dd:d3:fa:05 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.0.2/24 scope global veth_l1
       valid_lft forever preferred_lft forever
[root@bogon ~]# ip link set veth_l1 up
[root@bogon ~]# scapy
INFO: Can't import matplotlib. Won't be able to plot.
INFO: Can't import PyX. Won't be able to use psdump() or pdfdump().
WARNING: No route found for IPv6 destination :: (no default route?)
WARNING: IPython not available. Using standard Python shell instead.
AutoCompletion, History are disabled.
                                      
                     aSPY//YASa       
             apyyyyCY//////////YCa       |
            sY//////YSpcs  scpCY//Pp     | Welcome to Scapy
 ayp ayyyyyyySCP//Pp           syY//C    | Version 2.4.3
 AYAsAYYYYYYYY///Ps              cY//S   |
         pCCCCY//p          cSSps y//Y   | https://github.com/secdev/scapy
         SPPPP///a          pP///AC//Y   |
              A//A            cyP////C   | Have fun!
              p///Ac            sC///a   |
              P////YCpc           A//A   | Craft me if you can.
       scccccp///pSP///p          p//Y   |                   -- IPv6 layer
      sY/////////y  caa           S//P   |
       cayCyayP//Ya              pY/Ya
        sY/PsY////YCc          aC//Yp 
         sc  sccaCY//PCypaapyCP//YSs  
                  spCPY//////YPSps    
                       ccaacs         
                                      
>>> sendp(Ether()/IP(src="192.168.0.2", dst="10.0.0.2")/TCP(sport=1024, dport=2048, flags=0x02, seq=100), iface="veth_l1")
WARNING: No route found (no default route?)
WARNING: No route found (no default route?)
.
Sent 1 packets.
>>> 

添加路由

[root@bogon ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
245: veth_l1@if246: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default qlen 1000
    link/ether ae:ca:dd:d3:fa:05 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.0.2/24 scope global veth_l1
       valid_lft forever preferred_lft forever
[root@bogon ~]# ip r add 0.0.0.0/0 dev veth_l1 scope link
[root@bogon ~]# ip r
default dev veth_l1 scope link linkdown 
192.168.0.0/24 dev veth_l1 proto kernel scope link src 192.168.0.2 linkdown 
You have new mail in /var/spool/mail/root
[root@bogon ~]# ip link set veth_l1 up
[root@bogon ~]# ip r
default dev veth_l1 scope link linkdown 
192.168.0.0/24 dev veth_l1 proto kernel scope link src 192.168.0.2 linkdown 
[root@bogon ~]# 
>>> sendp(Ether()/IP(src="192.168.0.2", dst="10.0.0.2")/TCP(sport=1024, dport=2048, flags=0x02, seq=100), iface="veth_l1")
WARNING: Mac address to reach destination not found. Using broadcast.
.
Sent 1 packets.

没有匹配

[root@bogon SOURCES]# ovs-appctl dpctl/dump-conntrack | grep "192.168.0.2"

原来是veth处于down状态

[root@bogon SOURCES]# ip link set  veth_l0 up
[root@bogon SOURCES]# ip link set  veth_r0 up
>>> import binascii
>>> from scapy.all import*
>>> a=Ether()/IP(src="192.168.0.2", dst="10.0.0.2")/TCP(sport=1024, dport=2048, flags=0x02, seq=100)
>>> print binascii.hexlify(str(a))
WARNING: Mac address to reach destination not found. Using broadcast.
ffffffffffffaecaddd3fa05080045000028000100004006b023c0a800020a00000204000800000000640000000050022000b8d20000
>>> 
>>> a=Ether(dst="82:a7:5a:70:7f:dc",src="ae:ca:dd:d3:fa:05")/IP(src="192.168.0.2", dst="10.0.0.2")/TCP(sport=1024, dport=2048, flags=0x02, seq=100)
>>> print binascii.hexlify(str(a))
82a75a707fdcaecaddd3fa05080045000028000100004006b023c0a800020a00000204000800000000640000000050022000b8d20000
>>> 
[root@bogon SOURCES]# ovs-vsctl    --columns=external_ids,name,ofport list  interface  veth_l0
external_ids        : {}
name                : "veth_l0"
ofport              : 1
[root@bogon SOURCES]# ovs-ofctl packet-out br0 1  "normal"  f41d6b87532a48570264ea1b080045000028000100004006b023c0a800020a00000204000800000000640000000050022000b8d20000
[root@bogon SOURCES]# ovs-ofctl packet-out br0 1  "normal"  f41d6b87532a48570264ea1b080045000028000100004006b023c0a800020a00000204000800000000640000000050022000b8d20000
[root@bogon SOURCES]# ip netns exec left ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
245: veth_l1@if246: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default qlen 1000
    link/ether ae:ca:dd:d3:fa:05 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.0.2/24 scope global veth_l1
       valid_lft forever preferred_lft forever
[root@bogon SOURCES]# ovs-ofctl packet-out br0 1  "normal"  82a75a707fdcaecaddd3fa05080045000028000100004006b023c0a800020a00000204000800000000640000000050022000b8d20000
You have mail in /var/spool/mail/root
[root@bogon SOURCES]# ovs-vsctl    --columns=external_ids,name,ofport list  interface  veth_r0
external_ids        : {}
name                : "veth_r0"
ofport              : 2
[root@bogon SOURCES]# ovs-ofctl packet-out br0 2  "normal"  82a75a707fdcaecaddd3fa05080045000028000100004006b023c0a800020a00000204000800000000640000000050022000b8d20000
[root@bogon SOURCES]# ovs-ofctl packet-out br0 2  "normal"  82a75a707fdcaecaddd3fa05080045000028000100004006b023c0a800020a00000204000800000000640000000050022000b8d20000
[root@bogon SOURCES]# ovs-ofctl packet-out br0 2  "normal"  82a75a707fdcaecaddd3fa05080045000028000100004006b023c0a800020a00000204000800000000640000000050022000b8d20000
[root@bogon SOURCES]# ip a | grep veth
25: veth1@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br1 state UP group default qlen 1000
246: veth_l0@if245: <BROADCAST,MULTICAST> mtu 1500 qdisc noop master ovs-system state DOWN group default qlen 1000
248: veth_r0@if247: <BROADCAST,MULTICAST> mtu 1500 qdisc noop master ovs-system state DOWN group default qlen 1000
[root@bogon SOURCES]# ip link set  veth_l0 up
[root@bogon SOURCES]# ip link set  veth_r0 up
[root@bogon SOURCES]# ip a | grep veth
25: veth1@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br1 state UP group default qlen 1000
246: veth_l0@if245: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master ovs-system state UP group default qlen 1000
248: veth_r0@if247: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master ovs-system state UP group default qlen 1000
port 2注入包是错误的
[root@bogon SOURCES]# ovs-ofctl packet-out br0 2 "normal" 82a75a707fdcaecaddd3fa05080045000028000100004006b023c0a800020a00000204000800000000640000000050022000b8d20000
[root@bogon SOURCES]# ovs-ofctl packet-out br0 2 "normal" 82a75a707fdcaecaddd3fa05080045000028000100004006b023c0a800020a00000204000800000000640000000050022000b8d20000
port 1
[root@bogon SOURCES]# ovs-ofctl packet-out br0 1 "normal" 82a75a707fdcaecaddd3fa05080045000028000100004006b023c0a800020a00000204000800000000640000000050022000b8d20000
[root@bogon SOURCES]# ovs-ofctl packet-out br0 1 "normal" 82a75a707fdcaecaddd3fa05080045000028000100004006b023c0a800020a00000204000800000000640000000050022000b8d20000
[root@bogon SOURCES]#

ovs-ofctl packet-out br0 1  "normal"  82a75a707fdcaecaddd3fa05080045000028000100004006b023c0a800020a00000204000800000000640000000050022000b8d20000
进行tcpdump
[root@bogon ~]# tcpdump -i veth_r1 tcp  -eennv
tcpdump: listening on veth_r1, link-type EN10MB (Ethernet), capture size 262144 bytes
15:36:52.975188 ae:ca:dd:d3:fa:05 > 82:a7:5a:70:7f:dc, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto TCP (6), length 40)
    192.168.0.2.1024 > 10.0.0.2.2048: Flags [S], cksum 0xb8d2 (correct), seq 100, win 8192, length 0
[root@bogon SOURCES]# ovs-appctl dpctl/dump-conntrack | grep "192.168."
tcp,orig=(src=192.168.117.51,dst=10.10.16.81,sport=52914,dport=22),reply=(src=10.10.16.81,dst=192.168.117.51,sport=22,dport=52914),protoinfo=(state=ESTABLISHED)
[root@bogon SOURCES]# 
[root@bogon SOURCES]# ovs-appctl ofproto/trace br0 tcp,in_port=1,dl_src=ae:ca:dd:d3:fa:05,dl_dst=82:a7:5a:70:7f:dc,nw_src=192.168.0.2,nw_dst=10.0.0.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1024,tp_dst=2048,,tcp_flags=syn
Flow: tcp,in_port=1,vlan_tci=0x0000,dl_src=ae:ca:dd:d3:fa:05,dl_dst=82:a7:5a:70:7f:dc,nw_src=192.168.0.2,nw_dst=10.0.0.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1024,tp_dst=2048,tcp_flags=syn

bridge("br0")
-------------
 0. ct_state=-trk,tcp,in_port=1, priority 50
    ct(table=0)
    drop
     -> A clone of the packet is forked to recirculate. The forked pipeline will be resumed at table 0.
     -> Sets the packet to an untracked state, and clears all the conntrack fields.

Final flow: unchanged
Megaflow: recirc_id=0,ct_state=-trk,eth,tcp,in_port=1,nw_frag=no
Datapath actions: ct,recirc(0x1)

===============================================================================
recirc(0x1) - resume conntrack with default ct_state=trk|new (use --ct-next to customize)
===============================================================================

Flow: recirc_id=0x1,ct_state=new|trk,eth,tcp,in_port=1,vlan_tci=0x0000,dl_src=ae:ca:dd:d3:fa:05,dl_dst=82:a7:5a:70:7f:dc,nw_src=192.168.0.2,nw_dst=10.0.0.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1024,tp_dst=2048,tcp_flags=syn

bridge("br0")
-------------
    thaw
        Resuming from table 0
 0. ct_state=+new+trk,tcp,in_port=1, priority 50
    ct(commit)
    drop
     -> Sets the packet to an untracked state, and clears all the conntrack fields.
    output:2

Final flow: recirc_id=0x1,eth,tcp,in_port=1,vlan_tci=0x0000,dl_src=ae:ca:dd:d3:fa:05,dl_dst=82:a7:5a:70:7f:dc,nw_src=192.168.0.2,nw_dst=10.0.0.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1024,tp_dst=2048,tcp_flags=syn
Megaflow: recirc_id=0x1,ct_state=+new+trk,eth,tcp,in_port=1,nw_frag=no
Datapath actions: ct(commit),3
You have mail in /var/spool/mail/root

[root@bogon SOURCES]# ovs-appctl ofproto/trace br0 tcp,in_port=1,dl_src=ae:ca:dd:d3:fa:05,dl_dst=82:a7:5a:70:7f:dc,nw_src=192.168.0.2,nw_dst=10.0.0.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1024,tp_dst=2048,,tcp_flags=syn
Flow: tcp,in_port=1,vlan_tci=0x0000,dl_src=ae:ca:dd:d3:fa:05,dl_dst=82:a7:5a:70:7f:dc,nw_src=192.168.0.2,nw_dst=10.0.0.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1024,tp_dst=2048,tcp_flags=syn

bridge("br0")
-------------
 0. ct_state=-trk,tcp,in_port=1, priority 50
    ct(table=0)
    drop
     -> A clone of the packet is forked to recirculate. The forked pipeline will be resumed at table 0.
     -> Sets the packet to an untracked state, and clears all the conntrack fields.

Final flow: unchanged
Megaflow: recirc_id=0,ct_state=-trk,eth,tcp,in_port=1,nw_frag=no
Datapath actions: ct,recirc(0x2)

===============================================================================
recirc(0x2) - resume conntrack with default ct_state=trk|new (use --ct-next to customize)
===============================================================================

Flow: recirc_id=0x2,ct_state=new|trk,eth,tcp,in_port=1,vlan_tci=0x0000,dl_src=ae:ca:dd:d3:fa:05,dl_dst=82:a7:5a:70:7f:dc,nw_src=192.168.0.2,nw_dst=10.0.0.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1024,tp_dst=2048,tcp_flags=syn

bridge("br0")
-------------
    thaw
        Resuming from table 0
 0. ct_state=+new+trk,tcp,in_port=1, priority 50
    ct(commit)
    drop
     -> Sets the packet to an untracked state, and clears all the conntrack fields.
    output:2

Final flow: recirc_id=0x2,eth,tcp,in_port=1,vlan_tci=0x0000,dl_src=ae:ca:dd:d3:fa:05,dl_dst=82:a7:5a:70:7f:dc,nw_src=192.168.0.2,nw_dst=10.0.0.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1024,tp_dst=2048,tcp_flags=syn
Megaflow: recirc_id=0x2,ct_state=+new+trk,eth,tcp,in_port=1,nw_frag=no
Datapath actions: ct(commit),3
[root@bogon SOURCES]#

跟踪syn + ack

添加流表

[root@bogon SOURCES]# ovs-ofctl add-flow br0 
>     "table=0, priority=50, ct_state=-trk, tcp, in_port=veth_r0, actions=ct(table=0)"
[root@bogon SOURCES]# ovs-ofctl add-flow br0 
>     "table=0, priority=50, ct_state=+trk+est, tcp, in_port=veth_r0, actions=veth_l0"
[root@bogon SOURCES]# 
[root@bogon SOURCES]# ovs-appctl dpctl/dump-conntrack | grep "192.168.0.2"
[root@bogon SOURCES]# 

先发送syn

>>> sendp(Ether()/IP(src="192.168.0.2", dst="10.0.0.2")/TCP(sport=1024, dport=2048, flags=0x02, seq=100), iface="veth_l1")
WARNING: Mac address to reach destination not found. Using broadcast.
.
Sent 1 packets.
>>> 
[root@bogon SOURCES]# ovs-appctl dpctl/dump-conntrack | grep "192.168.0.2"
tcp,orig=(src=192.168.0.2,dst=10.0.0.2,sport=1024,dport=2048),reply=(src=10.0.0.2,dst=192.168.0.2,sport=2048,dport=1024),protoinfo=(state=SYN_SENT)
[root@bogon SOURCES]# 

从right发送

>>> sendp(Ether()/IP(src="10.0.0.2", dst="192.168.0.2")/TCP(sport=2048, dport=1024, flags=0x12, seq=200, ack=101), iface="veth_r1")
.
Sent 1 packets.
>>> 

conntrack表项变成ESTABLISHED状态

[root@bogon SOURCES]# ovs-appctl dpctl/dump-conntrack | grep "192.168.0.2"
tcp,orig=(src=192.168.0.2,dst=10.0.0.2,sport=1024,dport=2048),reply=(src=10.0.0.2,dst=192.168.0.2,sport=2048,dport=1024),protoinfo=(state=SYN_SENT)
[root@bogon SOURCES]# ovs-appctl dpctl/dump-conntrack | grep "192.168.0.2"
tcp,orig=(src=192.168.0.2,dst=10.0.0.2,sport=1024,dport=2048),reply=(src=10.0.0.2,dst=192.168.0.2,sport=2048,dport=1024),protoinfo=(state=ESTABLISHED)
[root@bogon SOURCES]# 

 规则老化

[root@bogon SOURCES]# ovs-appctl dpctl/dump-conntrack | grep "192.168.0.2"

 右边发送

Sent 1 packets.
>>> sendp(Ether()/IP(src="10.0.0.2", dst="192.168.0.2")/TCP(sport=2048, dport=1024, flags=0x12, seq=200, ack=101), iface="veth_r1")
.
Sent 1 packets.
>>> 

左边还是能接收：conntrack表项老化后，right发来的syn+ack经ct(table=0)重新循环时ct_state是+trk+new而不是+est，不匹配priority=50的规则，于是落到priority=10的in_port=veth_r0 actions=veth_l0规则被直接转发。也就是说，只要这条兜底转发规则还在，conntrack状态对放行并没有约束作用；若要做有状态过滤，未匹配到+est的流量应当drop而不是转发。

[root@bogon ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
245: veth_l1@if246: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ae:ca:dd:d3:fa:05 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.0.2/24 scope global veth_l1
       valid_lft forever preferred_lft forever
    inet6 fe80::acca:ddff:fed3:fa05/64 scope link 
       valid_lft forever preferred_lft forever
[root@bogon ~]# tcpdump -i veth_l1 tcp -eennvv
tcpdump: listening on veth_l1, link-type EN10MB (Ethernet), capture size 262144 bytes
16:08:44.974695 82:a7:5a:70:7f:dc > ae:ca:dd:d3:fa:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto TCP (6), length 40)
    10.0.0.2.2048 > 192.168.0.2.1024: Flags [S.], cksum 0xb7f9 (correct), seq 200, ack 101, win 8192, length 0

 left 发送 syn

>>> sendp(Ether(
>>> sendp(Ether()/IP(src="192.168.0.2", dst="10.0.0.2")/TCP(sport=1024, dport=2048, flags=0x02, seq=100), iface="veth_l1")
WARNING: Mac address to reach destination not found. Using broadcast.

right发送syn ack

>>> sendp(Ether()/IP(src="10.0.0.2", dst="192.168.0.2")/TCP(sport=2048, dport=1024, flags=0x12, seq=200, ack=101), iface="veth_r1")
.
Sent 1 packets.

left 发送ack
.
Sent 1 packets.
>>> sendp(Ether()/IP(src="192.168.0.2", dst="10.0.0.2")/TCP(sport=1024, dport=2048, flags=0x10, seq=101, ack=201), iface="veth_l1")
WARNING: Mac address to reach destination not found. Using broadcast.
.
Sent 1 packets.
>>>

查看状态表

syn
[root@bogon SOURCES]# ovs-appctl dpctl/dump-conntrack | grep "192.168.0.2"
tcp,orig=(src=192.168.0.2,dst=10.0.0.2,sport=1024,dport=2048),reply=(src=10.0.0.2,dst=192.168.0.2,sport=2048,dport=1024),protoinfo=(state=SYN_SENT)
You have mail in /var/spool/mail/root
syn + ack
[root@bogon SOURCES]# ovs-appctl dpctl/dump-conntrack | grep "192.168.0.2"
tcp,orig=(src=192.168.0.2,dst=10.0.0.2,sport=1024,dport=2048),reply=(src=10.0.0.2,dst=192.168.0.2,sport=2048,dport=1024),protoinfo=(state=ESTABLISHED)
ack
[root@bogon SOURCES]# ovs-appctl dpctl/dump-conntrack | grep "192.168.0.2"
tcp,orig=(src=192.168.0.2,dst=10.0.0.2,sport=1024,dport=2048),reply=(src=10.0.0.2,dst=192.168.0.2,sport=2048,dport=1024),protoinfo=(state=ESTABLISHED)
[root@bogon SOURCES]#
[root@bogon SOURCES]# ovs-ofctl dump-flows br0 
 cookie=0x0, duration=4094.193s, table=0, n_packets=3, n_bytes=162, priority=50,ct_state=-trk,tcp,in_port="veth_l0" actions=ct(table=0)
 cookie=0x0, duration=1328.624s, table=0, n_packets=4, n_bytes=216, priority=50,ct_state=-trk,tcp,in_port="veth_r0" actions=ct(table=0)
 cookie=0x0, duration=4083.407s, table=0, n_packets=2, n_bytes=108, priority=50,ct_state=+new+trk,tcp,in_port="veth_l0" actions=ct(commit),output:"veth_r0"
 cookie=0x0, duration=1322.225s, table=0, n_packets=2, n_bytes=108, priority=50,ct_state=+est+trk,tcp,in_port="veth_r0" actions=output:"veth_l0"
 cookie=0x0, duration=5099.968s, table=0, n_packets=35, n_bytes=1998, priority=10,in_port="veth_l0" actions=output:"veth_r0"
 cookie=0x0, duration=5091.857s, table=0, n_packets=30, n_bytes=1920, priority=10,in_port="veth_r0" actions=output:"veth_l0"
 cookie=0x0, duration=5415.242s, table=0, n_packets=0, n_bytes=0, priority=0 actions=NORMAL
[root@bogon SOURCES]# 

 ovs自动回复arp和icmp请求

添加流表

[root@bogon SOURCES]# ovs-ofctl add-flow br0 "table=0,in_port=1,arp,arp_tpa=10.10.0.2,arp_op=1,
>  actions=move:NXM_OF_ETH_SRC[]->NXM_OF_ETH_DST[],mod_dl_src:82:a7:5a:70:7f:dc,load:0x02->NXM_OF_ARP_OP[],
>  move:NXM_NX_ARP_SHA[]->NXM_NX_ARP_THA[],load:0x82a75a707fdc->NXM_NX_ARP_SHA[],move:NXM_OF_ARP_SPA[]->NXM_OF_ARP_TPA[],load:0xA0A0002->NXM_OF_ARP_SPA[],in_port"
[root@bogon ~]# ping 192.168.0.2
PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data.
64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=0.036 ms
64 bytes from 192.168.0.2: icmp_seq=2 ttl=64 time=0.029 ms
^C
--- 192.168.0.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1034ms
rtt min/avg/max/mdev = 0.029/0.032/0.036/0.006 ms
[root@bogon ~]# ip n
10.0.0.2 dev veth_l1  FAILED
114.144.114.114 dev veth_l1  FAILED
10.10.0.2 dev veth_l1 lladdr 82:a7:5a:70:7f:dc STALE
8.8.8.8 dev veth_l1  FAILED
[root@bogon ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 veth_l1
[root@bogon ~]# ip r del 0.0.0.0/0 dev veth_l1 scope link
RTNETLINK answers: No such process
[root@bogon ~]# ip r add  0.0.0.0/0 dev veth_l1 scope link
[root@bogon ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 veth_l1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 veth_l1
[root@bogon ~]# ip r del 0.0.0.0/0 dev veth_l1 scope link
[root@bogon ~]# 

ovs-ofctl add-flow br0 "table=0,in_port=1,arp,arp_tpa=10.10.0.2,arp_op=1,
actions=move:NXM_OF_ETH_SRC[]->NXM_OF_ETH_DST[],mod_dl_src:82:a7:5a:70:7f:dc,load:0x02->NXM_OF_ARP_OP[],
move:NXM_NX_ARP_SHA[]->NXM_NX_ARP_THA[],load:0x82a75a707fdc->NXM_NX_ARP_SHA[],move:NXM_OF_ARP_SPA[]->NXM_OF_ARP_TPA[],load:0xA0A0002->NXM_OF_ARP_SPA[],in_port"

解析

  • move:"NXM_OF_ETH_SRC[]->NXM_OF_ETH_DST[]" 将请求的源mac作为reply的目标mac
  • mod_dl_src:"82:a7:5a:70:7f:dc" 修改reply的源mac为虚拟网关的mac
  • load:"0x02->NXM_OF_ARP_OP[]" 修改arp包类型为reply包
  • move:"NXM_NX_ARP_SHA[]->NXM_NX_ARP_THA[]" 将request包中的源mac赋值给reply的目标mac
  • load:"0x82a75a707fdc->NXM_NX_ARP_SHA[]" 设置reply的源mac
  • move:"NXM_OF_ARP_SPA[]->NXM_OF_ARP_TPA[]" 将request包中的源ip赋值给reply的目标ip
  • load:"0xA0A0002->NXM_OF_ARP_SPA[]" 设置reply包的源ip 为虚拟网关的ip,格式为十进制转换为对应的16进制
  • in_port 从进入端口发回去



OVS Conntrack Tutorial

原文地址:https://www.cnblogs.com/dream397/p/15089362.html