[Openstack-operators] Is it possible to port mirror to a vm?
Yaron Illouz
yaroni at radcom.com
Mon Feb 16 07:26:29 UTC 2015
Please read the mail content and not only the title.
This is what I tried to do. Thank you for your answer.
________________________________
From: George Shuklin [mailto:george.shuklin at gmail.com]
Sent: Sunday, February 15, 2015 9:13 PM
To: openstack-operators at lists.openstack.org
Subject: Re: [Openstack-operators] Is it possible to port mirror to a vm?
The answer is 'yes' and 'no'.
No, OpenStack (neutron/nova-network) has no such abstraction.
Yes, you can do it with Open vSwitch on the compute host manually (until VM reboot).
Quote from the ovs-vsctl manpage:

    Port Mirroring
        Mirror all packets received or sent on eth0 or eth1 onto eth2, assuming
        that all of those ports exist on bridge br0 (as a side-effect this
        causes any packets received on eth2 to be ignored):

            ovs-vsctl -- set Bridge br0 mirrors=@m \
                -- --id=@eth0 get Port eth0 \
                -- --id=@eth1 get Port eth1 \
                -- --id=@eth2 get Port eth2 \
                -- --id=@m create Mirror name=mymirror select-dst-port=@eth0,@eth1 select-src-port=@eth0,@eth1 output-port=@eth2
On 02/15/2015 07:34 PM, Yaron Illouz wrote:
Hi
Is it possible to port mirror to a VM?
I generate traffic from vm1 to vm2, and I am trying to mirror the traffic of vm1 to vm3.
I want vm3 to receive traffic that is not destined for it - neither its IP nor its MAC address.
I am trying to do port mirroring between VMs created with OpenStack.
I did it with Open vSwitch.
Packets are copied to the mirrored qvo, qvb and qbr but don't reach the tap.
From the iptables output it doesn't seem to be dropped in one of the chains or in the fallback.
The problem: I do see the mirrored traffic in qvo, qvb and qbr (in tcpdump) but it doesn't pass to the tap.
I tried to add allowed address pairs to the port, but what I really need is to define it in "promiscuous" mode. But even with allowed address pairs, traffic doesn't reach vm3.
I also tried to hairpin but it didn't help.
    brctl hairpin qbr3ede5b3e tap3ede5b3e on
Here are some details about my test.
OpenStack RDO Juno on CentOS 7
Neutron port list
| id                                   | name | mac_address       | fixed_ips                                                                         |
| 3ede5b3e-396e-48a9-b24a-6cb2dc7509fe |      | fa:16:3e:3b:34:de | {"subnet_id": "f960ee77-77a8-45c1-8eef-e3878f0bea9f", "ip_address": "10.67.82.2"} |
| 435f35c6-80be-47ee-b30f-8376e1ea78d9 |      | fa:16:3e:41:fd:59 | {"subnet_id": "f960ee77-77a8-45c1-8eef-e3878f0bea9f", "ip_address": "10.67.82.5"} |
| bd80bab5-424d-4e5c-8993-b8bb8c6f3e49 |      | fa:16:3e:f7:4f:ea | {"subnet_id": "f960ee77-77a8-45c1-8eef-e3878f0bea9f", "ip_address": "10.67.82.3"} |
Command that I ran to do the port mirroring:

    ovs-vsctl -- set Bridge br-int mirrors=@m \
        -- --id=@qvobd80bab5-42 get Port qvobd80bab5-42 \
        -- --id=@qvo3ede5b3e-39 get Port qvo3ede5b3e-39 \
        -- --id=@m create Mirror name=mymirror select-dst-port=@qvobd80bab5-42 select-src-port=@qvobd80bab5-42 output-port=@qvo3ede5b3e-39
This is the iptables output, filtered; you can see I added an allowed address pair.
3     3518  919K neutron-openvswi-sg-chain  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out tap3ede5b3e-39 --physdev-is-bridged
4        4  1358 neutron-openvswi-sg-chain  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap3ede5b3e-39 --physdev-is-bridged
Chain neutron-openvswi-INPUT (1 references)
--
2        0     0 neutron-openvswi-o3ede5b3e-3  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap3ede5b3e-39 --physdev-is-bridged
3        0     0 neutron-openvswi-o7e200e92-4  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap7e200e92-44 --physdev-is-bridged
4        0     0 neutron-openvswi-o435f35c6-8  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap435f35c6-80 --physdev-is-bridged
5        0     0 neutron-openvswi-o6a1bb345-9  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap6a1bb345-93 --physdev-is-bridged
6        0     0 neutron-openvswi-ofc0a7800-a  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tapfc0a7800-a0 --physdev-is-bridged
Chain neutron-openvswi-OUTPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
Chain neutron-openvswi-i3ede5b3e-3 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
2       91  8550 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 RETURN     udp  --  *      *       10.67.82.4           0.0.0.0/0            udp spt:67 dpt:68
4        0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
5        0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp multiport dports 1:65535
6     3416  907K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set IPv4ecb94f49-0fdd-4f6f-b src
7        9  3054 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
--
Chain neutron-openvswi-o3ede5b3e-3 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        4  1358 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67
2        0     0 neutron-openvswi-s3ede5b3e-3  all  --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
4        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
5        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
6        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
7        0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
--
Chain neutron-openvswi-s3ede5b3e-3 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  *      *       10.67.82.0/24        0.0.0.0/0            MAC FA:16:3E:41:FD:59
2        0     0 RETURN     all  --  *      *       10.67.82.2           0.0.0.0/0            MAC FA:16:3E:3B:34:DE
3        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
--
3     3518  919K neutron-openvswi-i3ede5b3e-3  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out tap3ede5b3e-39 --physdev-is-bridged
4        4  1358 neutron-openvswi-o3ede5b3e-3  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap3ede5b3e-39 --physdev-is-bridged
.
13    397M 1617G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
--
error=`neutron-openvswi-i3ede5b3e-3'
Entry 63 (19664):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
--
error=`neutron-openvswi-o3ede5b3e-3'
Entry 119 (32280):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 17
Flags: 00
Invflags: 00
Counters: 4 packets, 1358 bytes
Cache: 00000000
--
error=`neutron-openvswi-s3ede5b3e-3'
Entry 173 (43608):
SRC IP: 10.67.82.0/255.255.255.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
The tcpdump traces show proper traffic flow from MAC/IP fa:16:3e:f7:4f:ea/10.67.82.3 to fa:16:3e:41:fd:59/10.67.82.5 going into a bridge/switch that has a NIC with MAC/IP fa:16:3e:3b:34:de/10.67.82.2 connected to its other port.
I thought the allowed address pair I added would allow this traffic -> you can see it in neutron-openvswi-s3ede5b3e-3 (1 0 0 RETURN all -- * * 10.67.82.0/24 0.0.0.0/0 MAC FA:16:3E:41:FD:59).
In tcpdump:

    tcpdump -e -n -vvv -i qbr3ede5b3e-39 | more
    tcpdump: WARNING: qbr3ede5b3e-39: no IPv4 address assigned
    tcpdump: listening on qbr3ede5b3e-39, link-type EN10MB (Ethernet), capture size 65535 bytes
    08:20:57.102453 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 90: (tos 0x48, ttl 255, id 33035, offset 0, flags [none], proto UDP (17), length 76)
        10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 48
    08:20:57.103052 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 56: (tos 0xb8, ttl 64, id 9181, offset 0, flags [none], proto UDP (17), length 42)
        10.67.82.3.gtp-control > 10.67.82.5.gtp-control: [udp sum ok] UDP, length 14
    08:20:57.103363 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 193: (tos 0x48, ttl 255, id 61276, offset 0, flags [none], proto UDP

    tcpdump -e -n -vvv -i qvo3ede5b3e-39 | more
    tcpdump: WARNING: qvo3ede5b3e-39: no IPv4 address assigned
    tcpdump: listening on qvo3ede5b3e-39, link-type EN10MB (Ethernet), capture size 65535 bytes
    08:20:35.852117 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 125: (tos 0x48, ttl 255, id 40524, offset 0, flags [none], proto UDP (17), length 111)
        10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 83
    08:20:35.852323 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 626: (tos 0x48, ttl 255, id 13595, offset 0, flags [none], proto UDP (17), length 612)
        10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 584
    08:20:35.852337 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 626: (tos 0x48, ttl 255, id 13596, offset 0, flags [none], proto UDP (17), length 612)

    tcpdump -e -n -vvv -i qvb3ede5b3e-39 | more
    tcpdump: WARNING: qvb3ede5b3e-39: no IPv4 address assigned
    tcpdump: listening on qvb3ede5b3e-39, link-type EN10MB (Ethernet), capture size 65535 bytes
    08:19:52.633158 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 98: (tos 0x48, ttl 255, id 24950, offset 0, flags [none], proto UDP (17), length 84)
        10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 56
    08:19:52.633173 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 90: (tos 0x48, ttl 255, id 2289, offset 0, flags [none], proto UDP (17), length 76)
        10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 48
    08:19:52.633376 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 98: (tos 0x48, ttl 255, id 51798, offset 0, flags [none], proto UDP (17), length 84)
_______________________________________________
OpenStack-operators mailing list
OpenStack-operators at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
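Editor's added example (not code from the thread, from George, or from the Open vSwitch project): the ovs-vsctl manpage snippet quoted in George's reply, generalised to any number of mirrored ports, plus the verification and teardown the manpage does not show. Port and bridge names are the ones from the post; `ovs-vsctl` is only executed when `dry_run=False`, so the block runs anywhere. The `@p0`, `@out` and `@m` identifiers are transaction-local names chosen here, not something the page prescribes.

```python
"""Build, inspect and tear down an Open vSwitch SPAN-style port mirror.

Added example. The Mirror row and the Bridge.mirrors reference are created in a
single ovs-vsctl invocation (the `--` separated sub-commands) so they are committed
atomically; the `--id=@name` options are transaction-local handles that the later
`create`/`set` commands reference.
"""
import shlex
import subprocess
from typing import List, Sequence


def mirror_argv(bridge: str, mirrored: Sequence[str], output_port: str,
                name: str = "mymirror") -> List[str]:
    """argv for: copy everything sent or received on `mirrored` onto `output_port`."""
    if not mirrored:
        raise ValueError("nothing to mirror")
    if output_port in mirrored:
        # The manpage warns that frames *received* on the output port are discarded,
        # so mirroring a port onto itself would blackhole it.
        raise ValueError("output port must not be one of the mirrored ports")
    argv = ["ovs-vsctl", "--", "set", "Bridge", bridge, "mirrors=@m"]
    handles = []
    for i, port in enumerate(mirrored):          # @p0, @p1, ... (chosen here)
        handles.append(f"@p{i}")
        argv += ["--", f"--id=@p{i}", "get", "Port", port]
    argv += ["--", "--id=@out", "get", "Port", output_port]
    refs = ",".join(handles)                      # e.g. "@p0,@p1", as in the manpage
    argv += ["--", "--id=@m", "create", "Mirror", f"name={name}",
             f"select-src-port={refs}", f"select-dst-port={refs}",
             "output-port=@out"]
    return argv


def show_argv(name: str = "mymirror") -> List[str]:
    """argv to print the Mirror row (its `statistics` column counts mirrored packets)."""
    return ["ovs-vsctl", "list", "Mirror", name]


def clear_argv(bridge: str) -> List[str]:
    """argv to drop every mirror on the bridge, which restores ingress on the output port."""
    return ["ovs-vsctl", "clear", "Bridge", bridge, "mirrors"]


def run(argv: Sequence[str], dry_run: bool = True) -> str:
    """Return the shell-quoted command (dry run) or ovs-vsctl's stdout."""
    if dry_run:
        return " ".join(shlex.quote(a) for a in argv)
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Same ports as the post: vm1's qvo mirrored onto vm3's qvo on br-int.
    print(run(mirror_argv("br-int", ["qvobd80bab5-42"], "qvo3ede5b3e-39")))
    print(run(show_argv()))
    print(run(clear_argv("br-int")))
```

As George notes, the mirror lives only in the OVS database on that compute host and is not known to Neutron, so expect it to disappear when the port is re-plugged (VM reboot, agent restart); re-create it from this function rather than by hand.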
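Editor's added example (not code from the thread): a small parser for the `iptables -vnL --line-numbers` dump posted above that tallies each chain's packet counters by outcome, which is the question the post asks of the dump: is the security-group chain for tap3ede5b3e-39 dropping the mirrored frames or not? `SAMPLE` is reconstructed from the counters in the post. The one assumption beyond the page is that a jump to `neutron-openvswi-sg-fallback` counts as a drop, which is what that chain is in Neutron's OVS hybrid firewall driver (a single "DROP all" rule).

```python
"""Tally where packets went in a Neutron per-port security-group chain.

Added example. Parses `iptables -vnL --line-numbers` text and sums per-rule packet
counters by outcome (allowed / dropped / jumped to a user chain).
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed from the chains shown in the post, columns as iptables prints them.
SAMPLE = """\
Chain neutron-openvswi-i3ede5b3e-3 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
2       91  8550 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 RETURN     udp  --  *      *       10.67.82.4           0.0.0.0/0            udp spt:67 dpt:68
4        0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
5        0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp multiport dports 1:65535
6     3416  907K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set IPv4ecb94f49-0fdd-4f6f-b src
7        9  3054 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-openvswi-o3ede5b3e-3 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        4  1358 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67
2        0     0 neutron-openvswi-s3ede5b3e-3  all  --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
4        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
5        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
6        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
7        0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

_SCALE = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}
# Targets that end a packet's life: built-in verdicts plus Neutron's DROP-all
# fallback chain (assumption stated in the lead-in).
_DROPS = {"DROP", "REJECT", "neutron-openvswi-sg-fallback"}
_ALLOWS = {"RETURN", "ACCEPT"}


def parse_count(tok: str) -> int:
    """`iptables -v` abbreviates large counters (907K, 1617G); the scale is 1000-based."""
    m = re.fullmatch(r"(\d+)([KMGT]?)", tok)
    if not m:
        raise ValueError(f"not an iptables counter: {tok!r}")
    return int(m.group(1)) * _SCALE[m.group(2)]


def parse_chains(text: str) -> Dict[str, List[dict]]:
    """Map chain name -> rules; everything after `destination` is kept as the match text."""
    chains: Dict[str, List[dict]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current is not None and line[:1].isdigit():   # skips header and blank lines
            f = line.split()
            chains[current].append({
                "num": int(f[0]), "pkts": parse_count(f[1]), "bytes": parse_count(f[2]),
                "target": f[3], "proto": f[4], "src": f[8], "dst": f[9],
                "match": " ".join(f[10:]),
            })
    return chains


def outcome(target: str) -> str:
    if target in _ALLOWS:
        return "allowed"
    if target in _DROPS:
        return "dropped"
    return "jump:" + target   # user chain; its own counters say what happened next


def account(chains: Dict[str, List[dict]], chain: str) -> Dict[str, int]:
    """Packets per outcome for one chain, e.g. {'allowed': 3507, 'dropped': 9}."""
    tally: Counter = Counter()
    for rule in chains[chain]:
        tally[outcome(rule["target"])] += rule["pkts"]
    return dict(tally)


def drop_rules(chains: Dict[str, List[dict]], chain: str) -> List[dict]:
    """The rules that actually discarded something, for a quick 'which rule' answer."""
    return [r for r in chains[chain] if outcome(r["target"]) == "dropped" and r["pkts"]]


if __name__ == "__main__":
    chains = parse_chains(SAMPLE)
    for name in chains:
        print(name, account(chains, name))
        for r in drop_rules(chains, name):
            print("   dropped by rule", r["num"], r["target"], r["match"] or "(no match)")
```

On the posted counters the ingress chain for the tap let 3507 packets through and sent 9 to the fallback, so the security-group rules account for almost nothing of the 3518 packets that entered it; that is consistent with the post's own reading that iptables is not where the mirrored traffic is lost.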