[Openstack-operators] Is it possible to port mirror to a vm?
Yaron Illouz
yaroni at radcom.com
Sun Feb 15 17:34:18 UTC 2015
Hi
Is it possible to port mirror to a VM?
I generate traffic from vm1 to vm2, and I am trying to mirror the traffic
of vm1 to vm3.
I want vm3 to receive traffic that is not destined for it - neither its IP
nor its MAC address.
I am trying to do port mirroring between VMs created with OpenStack.
I did it with Open vSwitch.
Packets are copied to the mirrored qvo, qvb and qbr, but don't reach the
tap.
From the iptables output it doesn't seem to be dropped in one of the chains or in
the fallback.
The problem: I do see the mirrored traffic in qvo, qvb and qbr (in
tcpdump), but it doesn't pass to the tap.
I tried to add allowed-address-pairs to the port, but what I really need is
to define it in "promiscuous" mode. But even with allowed-address-pairs, traffic
doesn't reach vm3.
I also tried hairpin mode, but it didn't help:
brctl hairpin qbr3ede5b3e tap3ede5b3e on
Here are some details about my test.
OpenStack RDO Juno on CentOS 7
Neutron port list:
| 3ede5b3e-396e-48a9-b24a-6cb2dc7509fe | | fa:16:3e:3b:34:de | {"subnet_id": "f960ee77-77a8-45c1-8eef-e3878f0bea9f", "ip_address": "10.67.82.2"} |
| 435f35c6-80be-47ee-b30f-8376e1ea78d9 | | fa:16:3e:41:fd:59 | {"subnet_id": "f960ee77-77a8-45c1-8eef-e3878f0bea9f", "ip_address": "10.67.82.5"} |
| bd80bab5-424d-4e5c-8993-b8bb8c6f3e49 | | fa:16:3e:f7:4f:ea | {"subnet_id": "f960ee77-77a8-45c1-8eef-e3878f0bea9f", "ip_address": "10.67.82.3"} |
Command that I ran to do the port mirroring:
ovs-vsctl -- set Bridge br-int mirrors=@m \
  -- --id=@qvobd80bab5-42 get Port qvobd80bab5-42 \
  -- --id=@qvo3ede5b3e-39 get Port qvo3ede5b3e-39 \
  -- --id=@m create Mirror name=mymirror select-dst-port=@qvobd80bab5-42 select-src-port=@qvobd80bab5-42 output-port=@qvo3ede5b3e-39
This is the iptables output, filtered; you can see I added an allowed address
pair.
3 3518 919K neutron-openvswi-sg-chain all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tap3ede5b3e-39 --physdev-is-bridged
4 4 1358 neutron-openvswi-sg-chain all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap3ede5b3e-39 --physdev-is-bridged
Chain neutron-openvswi-INPUT (1 references)
--
2 0 0 neutron-openvswi-o3ede5b3e-3 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap3ede5b3e-39 --physdev-is-bridged
3 0 0 neutron-openvswi-o7e200e92-4 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap7e200e92-44 --physdev-is-bridged
4 0 0 neutron-openvswi-o435f35c6-8 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap435f35c6-80 --physdev-is-bridged
5 0 0 neutron-openvswi-o6a1bb345-9 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap6a1bb345-93 --physdev-is-bridged
6 0 0 neutron-openvswi-ofc0a7800-a all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tapfc0a7800-a0 --physdev-is-bridged
Chain neutron-openvswi-OUTPUT (1 references)
num pkts bytes target prot opt in out source destination
Chain neutron-openvswi-i3ede5b3e-3 (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
2 91 8550 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 0 0 RETURN udp -- * * 10.67.82.4 0.0.0.0/0 udp spt:67 dpt:68
4 0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0
5 0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp multiport dports 1:65535
6 3416 907K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set IPv4ecb94f49-0fdd-4f6f-b src
7 9 3054 neutron-openvswi-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0
--
Chain neutron-openvswi-o3ede5b3e-3 (2 references)
num pkts bytes target prot opt in out source destination
1 4 1358 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
2 0 0 neutron-openvswi-s3ede5b3e-3 all -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
4 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
5 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
6 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
7 0 0 neutron-openvswi-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0
--
Chain neutron-openvswi-s3ede5b3e-3 (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 RETURN all -- * * 10.67.82.0/24 0.0.0.0/0 MAC FA:16:3E:41:FD:59
2 0 0 RETURN all -- * * 10.67.82.2 0.0.0.0/0 MAC FA:16:3E:3B:34:DE
3 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
--
3 3518 919K neutron-openvswi-i3ede5b3e-3 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tap3ede5b3e-39 --physdev-is-bridged
4 4 1358 neutron-openvswi-o3ede5b3e-3 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap3ede5b3e-39 --physdev-is-bridged
.
13 397M 1617G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
--
error=`neutron-openvswi-i3ede5b3e-3'
Entry 63 (19664):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
--
error=`neutron-openvswi-o3ede5b3e-3'
Entry 119 (32280):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 17
Flags: 00
Invflags: 00
Counters: 4 packets, 1358 bytes
Cache: 00000000
--
error=`neutron-openvswi-s3ede5b3e-3'
Entry 173 (43608):
SRC IP: 10.67.82.0/255.255.255.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
The tcpdump traces show proper traffic flow from MAC/IP
fa:16:3e:f7:4f:ea/10.67.82.3 to fa:16:3e:41:fd:59/10.67.82.5 going into
a bridge/switch that has a NIC with MAC/IP
fa:16:3e:3b:34:de/10.67.82.2 connected to its other port.
I thought the allowed address pair I added would allow this traffic; you
can see it in neutron-openvswi-s3ede5b3e-3 (1 0 0 RETURN
all -- * * 10.67.82.0/24 0.0.0.0/0 MAC
FA:16:3E:41:FD:59).
In tcpdump:
tcpdump -e -n -vvv -i qbr3ede5b3e-39 | more
tcpdump: WARNING: qbr3ede5b3e-39: no IPv4 address assigned
tcpdump: listening on qbr3ede5b3e-39, link-type EN10MB (Ethernet), capture size 65535 bytes
08:20:57.102453 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 90: (tos 0x48, ttl 255, id 33035, offset 0, flags [none], proto UDP (17), length 76)
    10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 48
08:20:57.103052 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 56: (tos 0xb8, ttl 64, id 9181, offset 0, flags [none], proto UDP (17), length 42)
    10.67.82.3.gtp-control > 10.67.82.5.gtp-control: [udp sum ok] UDP, length 14
08:20:57.103363 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 193: (tos 0x48, ttl 255, id 61276, offset 0, flags [none], proto UDP
tcpdump -e -n -vvv -i qvo3ede5b3e-39 | more
tcpdump: WARNING: qvo3ede5b3e-39: no IPv4 address assigned
tcpdump: listening on qvo3ede5b3e-39, link-type EN10MB (Ethernet), capture size 65535 bytes
08:20:35.852117 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 125: (tos 0x48, ttl 255, id 40524, offset 0, flags [none], proto UDP (17), length 111)
    10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 83
08:20:35.852323 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 626: (tos 0x48, ttl 255, id 13595, offset 0, flags [none], proto UDP (17), length 612)
    10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 584
08:20:35.852337 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 626: (tos 0x48, ttl 255, id 13596, offset 0, flags [none], proto UDP (17), length 612)
tcpdump -e -n -vvv -i qvb3ede5b3e-39 | more
tcpdump: WARNING: qvb3ede5b3e-39: no IPv4 address assigned
tcpdump: listening on qvb3ede5b3e-39, link-type EN10MB (Ethernet), capture size 65535 bytes
08:19:52.633158 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 98: (tos 0x48, ttl 255, id 24950, offset 0, flags [none], proto UDP (17), length 84)
    10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 56
08:19:52.633173 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 90: (tos 0x48, ttl 255, id 2289, offset 0, flags [none], proto UDP (17), length 76)
    10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 48
08:19:52.633376 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 98: (tos 0x48, ttl 255, id 51798, offset 0, flags [none], proto UDP (17), length 84)
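When the mirrored frames are visible on qvb/qbr but not on the tap, the remaining hop is the Linux bridge with the OVS-hybrid security-group chains hooked in via the physdev match, so the first thing to check is which rule in the port's own chains is counting packets into a terminating target. The following Python helper is an added example for this thread, not the poster's code and not part of Neutron: it parses `iptables -L -n -v --line-numbers` style output, locates the per-port chains the hybrid driver names after the first ten characters of the port UUID (the `neutron-openvswi-i…`, `-o…` and `-s…` chains shown above), and reports rules whose target is DROP, REJECT or `neutron-openvswi-sg-fallback` with a non-zero packet count. The sample text is a constructed, unwrapped copy of the chains quoted in the mail; the `neutron-openvswi-sg-fallback` chain and its counters are assumed for the sample, as the mail does not show that chain.

```python
"""Audit Neutron OVS-hybrid security-group chains for one port.

Added example for this thread (not the poster's code, not part of Neutron).
Parses `iptables -L -n -v --line-numbers` text and reports which rules in the
port's ingress/egress/anti-spoof chains are terminating traffic.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the output quoted in the mail. The sg-fallback
# chain and its counters are assumed (the mail does not show that chain).
SAMPLE = """\
Chain neutron-openvswi-i3ede5b3e-3 (1 references)
 num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
2       91  8550 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 RETURN     udp  --  *      *       10.67.82.4           0.0.0.0/0            udp spt:67 dpt:68
4        0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
5        0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp multiport dports 1:65535
6     3416  907K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set IPv4ecb94f49-0fdd-4f6f-b src
7        9  3054 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain neutron-openvswi-o3ede5b3e-3 (2 references)
 num   pkts bytes target     prot opt in     out     source               destination
1        4  1358 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67
2        0     0 neutron-openvswi-s3ede5b3e-3  all  --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
4        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
5        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
6        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
7        0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain neutron-openvswi-s3ede5b3e-3 (1 references)
 num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  *      *       10.67.82.0/24        0.0.0.0/0            MAC FA:16:3E:41:FD:59
2        0     0 RETURN     all  --  *      *       10.67.82.2           0.0.0.0/0            MAC FA:16:3E:3B:34:DE
3        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain neutron-openvswi-sg-fallback (2 references)
 num   pkts bytes target     prot opt in     out     source               destination
1        9  3054 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((\d+) references\)")
# num pkts bytes target prot opt in out source destination [match text]
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+(\S+)\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$"
)
# iptables -v (without -x) abbreviates counters with decimal K/M/G suffixes.
SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
# Targets that end the packet's journey (sg-fallback is the driver's final DROP).
TERMINATING = {"DROP", "REJECT", "neutron-openvswi-sg-fallback"}


def _count(tok: str) -> int:
    """Expand an abbreviated iptables counter such as '907K' to an integer."""
    if tok[-1] in SUFFIX:
        return int(tok[:-1]) * SUFFIX[tok[-1]]
    return int(tok)


def parse_iptables(text: str) -> Dict[str, List[dict]]:
    """Map chain name -> list of rule dicts, in rule order."""
    chains: Dict[str, List[dict]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        m = RULE_RE.match(line)
        if m and current is not None:  # header lines start with 'num', not digits
            chains[current].append({
                "num": int(m.group(1)),
                "pkts": _count(m.group(2)),
                "bytes": _count(m.group(3)),
                "target": m.group(4),
                "prot": m.group(5),
                "source": m.group(9),
                "destination": m.group(10),
                "match": m.group(11).strip(),
            })
    return chains


def port_chains(port_id: str) -> Dict[str, str]:
    """Hybrid-driver chain names: prefix + first ten characters of the port UUID."""
    short = port_id[:10]
    return {"ingress": f"neutron-openvswi-i{short}",
            "egress": f"neutron-openvswi-o{short}",
            "antispoof": f"neutron-openvswi-s{short}"}


def audit_port(chains: Dict[str, List[dict]], port_id: str) -> List[Tuple[str, str, Optional[int], str]]:
    """Return (role, chain, rule number, note) for rules that terminate traffic
    with a non-zero packet count, and for port chains that are missing."""
    findings = []
    for role, name in port_chains(port_id).items():
        rules = chains.get(name)
        if rules is None:
            findings.append((role, name, None, "chain missing"))
            continue
        for r in rules:
            if r["target"] in TERMINATING and r["pkts"] > 0:
                note = f"{r['pkts']} pkts -> {r['target']} {r['match']}".strip()
                findings.append((role, name, r["num"], note))
    return findings


def fallback_drops(chains: Dict[str, List[dict]]) -> int:
    """Packets the shared sg-fallback chain has dropped (all ports combined)."""
    return sum(r["pkts"] for r in chains.get("neutron-openvswi-sg-fallback", [])
               if r["target"] == "DROP")


if __name__ == "__main__":
    parsed = parse_iptables(SAMPLE)
    for finding in audit_port(parsed, "3ede5b3e-396e-48a9-b24a-6cb2dc7509fe"):
        print(finding)
    print("sg-fallback drops:", fallback_drops(parsed))
```

On a real host, feed it `iptables -L -n -v --line-numbers` (the filter table) for the compute node and the UUID from `neutron port-list`; a rule that keeps counting into DROP or sg-fallback while the mirrored frames are visible on qbr is the place to look, and the anti-spoof chain (`-s…`) is where an allowed-address-pair entry shows up as an extra RETURN rule.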