<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7654.12">
<TITLE> qvb level filter</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<BR>
<BR>
<P><FONT SIZE=2>Hi<BR>
<BR>
<BR>
<BR>
I am trying to do port mirroring between vms.<BR>
<BR>
I did it with the openvswitch.<BR>
<BR>
Packet are copied to the mirrored qvo, but then stop at the qvb Rx. I don't see where it is stuck.<BR>
<BR>
>From iptable output it dosen't seem to be drop in one of the chain or many packet in fallback.<BR>
<BR>
Iptables are at qvb level? If not so what block my packets<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
You can see only 201 packet reach qbr but more than 72 Million packet arrived to qvb<BR>
<BR>
ifconfig | grep -A 5 3ede5b3<BR>
<BR>
qbr3ede5b3e-39: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500<BR>
<BR>
inet6 fe80::e4ae:56ff:fe5f:137d prefixlen 64 scopeid 0x20<link><BR>
<BR>
ether aa:8c:e8:75:72:d2 txqueuelen 0 (Ethernet)<BR>
<BR>
RX packets 201 bytes 16528 (16.1 KiB)<BR>
<BR>
RX errors 0 dropped 0 overruns 0 frame 0<BR>
<BR>
TX packets 8 bytes 648 (648.0 B)<BR>
<BR>
--<BR>
<BR>
qvb3ede5b3e-39: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500<BR>
<BR>
inet6 fe80::a88c:e8ff:fe75:72d2 prefixlen 64 scopeid 0x20<link><BR>
<BR>
ether aa:8c:e8:75:72:d2 txqueuelen 1000 (Ethernet)<BR>
<BR>
RX packets 72789130 bytes 20271610754 (18.8 GiB)<BR>
<BR>
RX errors 0 dropped 0 overruns 0 frame 0<BR>
<BR>
TX packets 30 bytes 3394 (3.3 KiB)<BR>
<BR>
--<BR>
<BR>
qvo3ede5b3e-39: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500<BR>
<BR>
inet6 fe80::c70:cff:fef0:d432 prefixlen 64 scopeid 0x20<link><BR>
<BR>
ether 0e:70:0c:f0:d4:32 txqueuelen 1000 (Ethernet)<BR>
<BR>
RX packets 30 bytes 3394 (3.3 KiB)<BR>
<BR>
RX errors 0 dropped 0 overruns 0 frame 0<BR>
<BR>
TX packets 72789140 bytes 20271612780 (18.8 GiB)<BR>
<BR>
--<BR>
<BR>
tap3ede5b3e-39: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500<BR>
<BR>
inet6 fe80::fc16:3eff:fe3b:34de prefixlen 64 scopeid 0x20<link><BR>
<BR>
ether fe:16:3e:3b:34:de txqueuelen 500 (Ethernet)<BR>
<BR>
RX packets 15 bytes 2188 (2.1 KiB)<BR>
<BR>
RX errors 0 dropped 0 overruns 0 frame 0<BR>
<BR>
TX packets 3526 bytes 966661 (944.0 KiB)<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
Neutron port list<BR>
<BR>
| 3ede5b3e-396e-48a9-b24a-6cb2dc7509fe | | fa:16:3e:3b:34:de | {"subnet_id": "f960ee77-77a8-45c1-8eef-e3878f0bea9f", "ip_address": "10.67.82.2"} |<BR>
<BR>
| 435f35c6-80be-47ee-b30f-8376e1ea78d9 | | fa:16:3e:41:fd:59 | {"subnet_id": "f960ee77-77a8-45c1-8eef-e3878f0bea9f", "ip_address": "10.67.82.5"} |<BR>
<BR>
| 89193daa-bf67-4237-8045-30a6e3c107a2 | | fa:16:3e:a5:56:38 | {"subnet_id": "f960ee77-77a8-45c1-8eef-e3878f0bea9f", "ip_address": "10.67.82.4"} |<BR>
<BR>
| bd80bab5-424d-4e5c-8993-b8bb8c6f3e49 | | fa:16:3e:f7:4f:ea | {"subnet_id": "f960ee77-77a8-45c1-8eef-e3878f0bea9f", "ip_address": "10.67.82.3"} |<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
Command that I ran<BR>
<BR>
ovs-vsctl -- set Bridge br-int mirrors=@m -- --id=@qvobd80bab5-42 get Port qvobd80bab5-42 -- --id=@qvo3ede5b3e-39 get Port qvo3ede5b3e-39 -- --id=@m create Mirror name=mymirror select-dst-port=@qvobd80bab5-42 select-src-port=@qvobd80bab5-42 output-port=@qvo3ede5b3e-39<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
This is iptables output filtered, you can see I added a allowed address pair.<BR>
<BR>
3 3518 919K neutron-openvswi-sg-chain all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tap3ede5b3e-39 --physdev-is-bridged<BR>
<BR>
4 4 1358 neutron-openvswi-sg-chain all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap3ede5b3e-39 --physdev-is-bridged<BR>
<BR>
<BR>
<BR>
Chain neutron-openvswi-INPUT (1 references)<BR>
<BR>
--<BR>
<BR>
2 0 0 neutron-openvswi-o3ede5b3e-3 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap3ede5b3e-39 --physdev-is-bridged<BR>
<BR>
3 0 0 neutron-openvswi-o7e200e92-4 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap7e200e92-44 --physdev-is-bridged<BR>
<BR>
4 0 0 neutron-openvswi-o435f35c6-8 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap435f35c6-80 --physdev-is-bridged<BR>
<BR>
5 0 0 neutron-openvswi-o6a1bb345-9 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap6a1bb345-93 --physdev-is-bridged<BR>
<BR>
6 0 0 neutron-openvswi-ofc0a7800-a all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tapfc0a7800-a0 --physdev-is-bridged<BR>
<BR>
<BR>
<BR>
Chain neutron-openvswi-OUTPUT (1 references)<BR>
<BR>
num pkts bytes target prot opt in out source destination<BR>
<BR>
<BR>
<BR>
Chain neutron-openvswi-i3ede5b3e-3 (1 references)<BR>
<BR>
num pkts bytes target prot opt in out source destination<BR>
<BR>
1 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID<BR>
<BR>
2 91 8550 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED<BR>
<BR>
3 0 0 RETURN udp -- * * 10.67.82.4 0.0.0.0/0 udp spt:67 dpt:68<BR>
<BR>
4 0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0<BR>
<BR>
5 0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp multiport dports 1:65535<BR>
<BR>
6 3416 907K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set IPv4ecb94f49-0fdd-4f6f-b src<BR>
<BR>
7 9 3054 neutron-openvswi-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0<BR>
<BR>
<BR>
<BR>
--<BR>
<BR>
Chain neutron-openvswi-o3ede5b3e-3 (2 references)<BR>
<BR>
num pkts bytes target prot opt in out source destination<BR>
<BR>
1 4 1358 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67<BR>
<BR>
2 0 0 neutron-openvswi-s3ede5b3e-3 all -- * * 0.0.0.0/0 0.0.0.0/0<BR>
<BR>
3 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68<BR>
<BR>
4 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID<BR>
<BR>
5 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED<BR>
<BR>
6 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0<BR>
<BR>
7 0 0 neutron-openvswi-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0<BR>
<BR>
<BR>
<BR>
--<BR>
<BR>
Chain neutron-openvswi-s3ede5b3e-3 (1 references)<BR>
<BR>
num pkts bytes target prot opt in out source destination<BR>
<BR>
1 0 0 RETURN all -- * * 10.67.82.0/24 0.0.0.0/0 MAC FA:16:3E:41:FD:59<BR>
<BR>
2 0 0 RETURN all -- * * 10.67.82.2 0.0.0.0/0 MAC FA:16:3E:3B:34:DE<BR>
<BR>
3 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
--<BR>
<BR>
3 3518 919K neutron-openvswi-i3ede5b3e-3 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tap3ede5b3e-39 --physdev-is-bridged<BR>
<BR>
4 4 1358 neutron-openvswi-o3ede5b3e-3 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap3ede5b3e-39 --physdev-is-bridged<BR>
<BR>
.<BR>
<BR>
13 397M 1617G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0<BR>
<BR>
<BR>
<BR>
--<BR>
<BR>
error=`neutron-openvswi-i3ede5b3e-3'<BR>
<BR>
<BR>
<BR>
Entry 63 (19664):<BR>
<BR>
SRC IP: 0.0.0.0/0.0.0.0<BR>
<BR>
DST IP: 0.0.0.0/0.0.0.0<BR>
<BR>
Interface: `'/................to `'/................<BR>
<BR>
Protocol: 0<BR>
<BR>
Flags: 00<BR>
<BR>
Invflags: 00<BR>
<BR>
Counters: 0 packets, 0 bytes<BR>
<BR>
Cache: 00000000<BR>
<BR>
--<BR>
<BR>
error=`neutron-openvswi-o3ede5b3e-3'<BR>
<BR>
<BR>
<BR>
Entry 119 (32280):<BR>
<BR>
SRC IP: 0.0.0.0/0.0.0.0<BR>
<BR>
DST IP: 0.0.0.0/0.0.0.0<BR>
<BR>
Interface: `'/................to `'/................<BR>
<BR>
Protocol: 17<BR>
<BR>
Flags: 00<BR>
<BR>
Invflags: 00<BR>
<BR>
Counters: 4 packets, 1358 bytes<BR>
<BR>
Cache: 00000000<BR>
<BR>
--<BR>
<BR>
error=`neutron-openvswi-s3ede5b3e-3'<BR>
<BR>
<BR>
<BR>
Entry 173 (43608):<BR>
<BR>
SRC IP: 10.67.82.0/255.255.255.0<BR>
<BR>
DST IP: 0.0.0.0/0.0.0.0<BR>
<BR>
Interface: `'/................to `'/................<BR>
<BR>
Protocol: 0<BR>
<BR>
Flags: 00<BR>
<BR>
Invflags: 00<BR>
<BR>
Counters: 0 packets, 0 bytes<BR>
<BR>
Cache: 00000000<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
</FONT>
</P>
</BODY>
</HTML>