[Openstack-operators] Is it possible to port mirror to a vm?
George Shuklin
george.shuklin at gmail.com
Sun Feb 15 19:12:57 UTC 2015
The answer is 'yes' and 'no'.
No, openstack (neutron/nova-networks) has no such abstraction.
Yes, you can do it with openvswitch at the compute host manually (until
VM reboot).
Quote from ovs-vsctl manpage:
Port Mirroring
Mirror all packets received or sent on eth0 or eth1 onto eth2, assuming
that all of those ports exist on bridge br0 (as a side-effect this
causes any packets received on eth2 to be ignored):
    ovs-vsctl -- set Bridge br0 mirrors=@m \
        -- --id=@eth0 get Port eth0 \
        -- --id=@eth1 get Port eth1 \
        -- --id=@eth2 get Port eth2 \
        -- --id=@m create Mirror name=mymirror select-dst-port=@eth0,@eth1 \
           select-src-port=@eth0,@eth1 output-port=@eth2
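The manpage transaction, adapted to Neutron's br-int as a small shell helper. This is an added example, not part of George's reply or of the ovs-vsctl manpage. It assumes the OVS hybrid plug naming seen in the thread, where the OVS-side interface of a Neutron port is "qvo" followed by the first 11 characters of the port UUID (3ede5b3e-396e-... becomes qvo3ede5b3e-39), and it prints the ovs-vsctl commands rather than running them so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the thread): build the ovs-vsctl transaction that
# mirrors one or more Neutron ports onto another port on br-int, and the
# command that removes it again.
#
# Assumption: Neutron OVS hybrid plug, where the OVS side of a port is
# "qvo" + the first 11 characters of the port UUID (as in the thread:
# 3ede5b3e-396e-48a9-... -> qvo3ede5b3e-39).

# qvo_name <port-uuid>: print the qvo interface name for a Neutron port.
qvo_name() {
    printf 'qvo%s\n' "$(printf '%s' "$1" | cut -c1-11)"
}

# mirror_cmd <bridge> <mirror-name> <output-port-uuid> <source-port-uuid>...
# Print a single ovs-vsctl transaction that creates the mirror: every
# source port is selected for both received (select-dst-port) and sent
# (select-src-port) frames, and the copies go to the output port.
# Run it after review with:  sh -c "$(mirror_cmd br-int mymirror OUT SRC...)"
mirror_cmd() {
    bridge=$1; name=$2; out=$(qvo_name "$3"); shift 3
    cmd="ovs-vsctl -- set Bridge $bridge mirrors=@m"
    sel=""
    for uuid in "$@"; do
        p=$(qvo_name "$uuid")
        # Bind the symbolic id @<qvo-name> to the Port row for this interface.
        cmd="$cmd -- --id=@$p get Port $p"
        # Comma-separated list of the ids for select-dst-port/select-src-port.
        sel="${sel:+$sel,}@$p"
    done
    cmd="$cmd -- --id=@out get Port $out"
    cmd="$cmd -- --id=@m create Mirror name=$name select-dst-port=$sel select-src-port=$sel output-port=@out"
    printf '%s\n' "$cmd"
}

# unmirror_cmd <bridge>: print the command that removes every mirror on the
# bridge. Neutron does not persist mirrors, so this is what a VM reboot or
# port re-plug effectively does anyway.
unmirror_cmd() {
    printf 'ovs-vsctl clear Bridge %s mirrors\n' "$1"
}

# Only execute when explicitly asked, so the file can also be sourced.
if [ "${MIRROR_RUN:-0}" = 1 ]; then
    mirror_cmd "$@"
fi
```

Two points from the manpage text above carry over to this form: the mirror copies frames only onto the output port's OVS side (the qvo interface), so anything between qvo and the tap, such as the qvb/qbr bridge and the iptables rules Neutron installs there, still decides whether the copies reach the VM; and, as the manpage notes, frames the output port itself receives are ignored while the mirror exists, so the receiving VM loses its own inbound traffic until unmirror_cmd is applied.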
On 02/15/2015 07:34 PM, Yaron Illouz wrote:
>
> Hi
>
> Is it possible to port mirror to a vm?
>
> I generate traffic from vm1 to vm2, and I am trying to mirror traffic
> of vm1 to vm3.
> I want vm3 to receive traffic that is not destined for it - not its IP
> and not its MAC address.
> I am trying to do port mirroring between VMs created with OpenStack.
> I did it with the openvswitch.
> Packets are copied to the mirrored qvo, qvb, and qbr but don't reach
> the tap.
>
> From the iptables output it doesn't seem to be dropped in one of the chains or
> in fallback.
> The problem: I do see the mirrored traffic in qvo, qvb and qbr (in
> tcpdump) but it doesn't pass to the tap.
> I tried to insert allowed-pairs to the port, but what I really need is
> to define it in "promiscuous" mode. But even with allowed-pairs, traffic
> doesn't reach vm3.
>
> I also tried to hairpin but it didn’t help.
>
> brctl hairpin qbr3ede5b3etap3ede5b3e on
>
> Here are some details about my test
>
> Openstack RDO juno on Centos 7
>
> Neutron port list
> | 3ede5b3e-396e-48a9-b24a-6cb2dc7509fe | | fa:16:3e:3b:34:de |
> {"subnet_id": "f960ee77-77a8-45c1-8eef-e3878f0bea9f", "ip_address":
> "10.67.82.2"} |
> | 435f35c6-80be-47ee-b30f-8376e1ea78d9 | | fa:16:3e:41:fd:59 |
> {"subnet_id": "f960ee77-77a8-45c1-8eef-e3878f0bea9f", "ip_address":
> "10.67.82.5"} |
> | bd80bab5-424d-4e5c-8993-b8bb8c6f3e49 | | fa:16:3e:f7:4f:ea |
> {"subnet_id": "f960ee77-77a8-45c1-8eef-e3878f0bea9f", "ip_address":
> "10.67.82.3"} |
>
> Command that I ran to do the port mirroring
> ovs-vsctl -- set Bridge br-int mirrors=@m -- --id=@qvobd80bab5-42 get
> Port qvobd80bab5-42 -- --id=@qvo3ede5b3e-39 get Port qvo3ede5b3e-39
> -- --id=@m create Mirror name=mymirror select-dst-port=@qvobd80bab5-42
> select-src-port=@qvobd80bab5-42 output-port=@qvo3ede5b3e-39
>
> This is the iptables output, filtered; you can see I added an allowed
> address pair.
> 3 3518 919K neutron-openvswi-sg-chain all -- * * 0.0.0.0/0
> 0.0.0.0/0 PHYSDEV match --physdev-out tap3ede5b3e-39 --physdev-is-bridged
> 4 4 1358 neutron-openvswi-sg-chain all -- * * 0.0.0.0/0
> 0.0.0.0/0 PHYSDEV match --physdev-in tap3ede5b3e-39 --physdev-is-bridged
>
> Chain neutron-openvswi-INPUT (1 references)
> --
> 2 0 0 neutron-openvswi-o3ede5b3e-3 all -- * *
> 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in
> tap3ede5b3e-39 --physdev-is-bridged
> 3 0 0 neutron-openvswi-o7e200e92-4 all -- * *
> 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap7e200e92-44
> --physdev-is-bridged
> 4 0 0 neutron-openvswi-o435f35c6-8 all -- * *
> 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap435f35c6-80
> --physdev-is-bridged
> 5 0 0 neutron-openvswi-o6a1bb345-9 all -- * *
> 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap6a1bb345-93
> --physdev-is-bridged
> 6 0 0 neutron-openvswi-ofc0a7800-a all -- * *
> 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tapfc0a7800-a0
> --physdev-is-bridged
>
> Chain neutron-openvswi-OUTPUT (1 references)
> num pkts bytes target prot opt in out source destination
>
> Chain neutron-openvswi-i3ede5b3e-3 (1 references)
> num pkts bytes target prot opt in out source destination
> 1 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state
> INVALID
> 2 91 8550 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED
> 3 0 0 RETURN udp -- * * 10.67.82.4
> 0.0.0.0/0 udp spt:67 dpt:68
> 4 0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0
> 5 0 0 RETURN tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 tcp multiport dports 1:65535
> 6 3416 907K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set
> IPv4ecb94f49-0fdd-4f6f-b src
> 7 9 3054 neutron-openvswi-sg-fallback all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> --
> Chain neutron-openvswi-o3ede5b3e-3 (2 references)
> num pkts bytes target prot opt in out source destination
> 1 4 1358 RETURN udp -- * * 0.0.0.0/0
> 0.0.0.0/0 udp spt:68 dpt:67
> 2 0 0 neutron-openvswi-s3ede5b3e-3 all -- * *
> 0.0.0.0/0 0.0.0.0/0
> 3 0 0 DROP udp -- * * 0.0.0.0/0
> 0.0.0.0/0 udp spt:67 dpt:68
> 4 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state
> INVALID
> 5 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED
> 6 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
> 7 0 0 neutron-openvswi-sg-fallback all -- * *
> 0.0.0.0/0 0.0.0.0/0
>
> --
> Chain neutron-openvswi-s3ede5b3e-3 (1 references)
> num pkts bytes target prot opt in out source destination
> 1 0 0 RETURN all -- * * 10.67.82.0/24
> 0.0.0.0/0 MAC FA:16:3E:41:FD:59
> 2 0 0 RETURN all -- * * 10.67.82.2
> 0.0.0.0/0 MAC FA:16:3E:3B:34:DE
> 3 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
>
>
> --
> 3 3518 919K neutron-openvswi-i3ede5b3e-3 all -- * * 0.0.0.0/0
> 0.0.0.0/0 PHYSDEV match --physdev-out tap3ede5b3e-39 --physdev-is-bridged
> 4 4 1358 neutron-openvswi-o3ede5b3e-3 all -- * *
> 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap3ede5b3e-39
> --physdev-is-bridged
> .
> 13 397M 1617G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
>
> --
> error=`neutron-openvswi-i3ede5b3e-3'
>
> Entry 63 (19664):
> SRC IP: 0.0.0.0/0.0.0.0
> DST IP: 0.0.0.0/0.0.0.0
> Interface: `'/................to `'/................
> Protocol: 0
> Flags: 00
> Invflags: 00
> Counters: 0 packets, 0 bytes
> Cache: 00000000
> --
> error=`neutron-openvswi-o3ede5b3e-3'
>
> Entry 119 (32280):
> SRC IP: 0.0.0.0/0.0.0.0
> DST IP: 0.0.0.0/0.0.0.0
> Interface: `'/................to `'/................
> Protocol: 17
> Flags: 00
> Invflags: 00
> Counters: 4 packets, 1358 bytes
> Cache: 00000000
> --
> error=`neutron-openvswi-s3ede5b3e-3'
>
> Entry 173 (43608):
> SRC IP: 10.67.82.0/255.255.255.0
> DST IP: 0.0.0.0/0.0.0.0
> Interface: `'/................to `'/................
> Protocol: 0
> Flags: 00
> Invflags: 00
> Counters: 0 packets, 0 bytes
> Cache: 00000000
>
> The tcpdump traces show proper traffic flow from MAC/IP
> fa:16:3e:f7:4f:ea/10.67.82.3 to fa:16:3e:41:fd:59/10.67.82.5 going
> into a bridge/switch that has a nic with mac/IP of
> fa:16:3e:3b:34:de/10.67.82.2 connected to its other port
>
> I thought the allowed address pair I added would allow this traffic ->
> you can see it in neutron-openvswi-s3ede5b3e-3 (1 0 0 RETURN
> all -- * * 10.67.82.0/24 0.0.0.0/0 MAC FA:16:3E:41:FD:59).
>
> In tcpdump
>
> tcpdump -e -n -vvv -i qbr3ede5b3e-39 | more
> tcpdump: WARNING: qbr3ede5b3e-39: no IPv4 address assigned
> tcpdump: listening on qbr3ede5b3e-39, link-type EN10MB (Ethernet),
> capture size 65535 bytes
> 08:20:57.102453 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4
> (0x0800), length 90: (tos 0x48, ttl 255, id 33035, offset 0, flags
> [none], proto UDP (
> 17), length 76)
> 10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 48
> 08:20:57.103052 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4
> (0x0800), length 56: (tos 0xb8, ttl 64, id 9181, offset 0, flags
> [none], proto UDP (17
> ), length 42)
> 10.67.82.3.gtp-control > 10.67.82.5.gtp-control: [udp sum ok] UDP,
> length 14
> 08:20:57.103363 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4
> (0x0800), length 193: (tos 0x48, ttl 255, id 61276, offset 0, flags
> [none], proto UDP
>
>
> tcpdump -e -n -vvv -i qvo3ede5b3e-39 | more
> tcpdump: WARNING: qvo3ede5b3e-39: no IPv4 address assigned
> tcpdump: listening on qvo3ede5b3e-39, link-type EN10MB (Ethernet),
> capture size 65535 bytes
> 08:20:35.852117 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4
> (0x0800), length 125: (tos 0x48, ttl 255, id 40524, offset 0, flags
> [none], proto UDP
> (17), length 111)
> 10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 83
> 08:20:35.852323 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4
> (0x0800), length 626: (tos 0x48, ttl 255, id 13595, offset 0, flags
> [none], proto UDP
> (17), length 612)
> 10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 584
> 08:20:35.852337 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4
> (0x0800), length 626: (tos 0x48, ttl 255, id 13596, offset 0, flags
> [none], proto UDP
> (17), length 612)
>
> tcpdump -e -n -vvv -i qvb3ede5b3e-39 | more
> tcpdump: WARNING: qvb3ede5b3e-39: no IPv4 address assigned
> tcpdump: listening on qvb3ede5b3e-39, link-type EN10MB (Ethernet),
> capture size 65535 bytes
> 08:19:52.633158 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4
> (0x0800), length 98: (tos 0x48, ttl 255, id 24950, offset 0, flags
> [none], proto UDP (
> 17), length 84)
> 10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 56
> 08:19:52.633173 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4
> (0x0800), length 90: (tos 0x48, ttl 255, id 2289, offset 0, flags
> [none], proto UDP (1
> 7), length 76)
> 10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 48
> 08:19:52.633376 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4
> (0x0800), length 98: (tos 0x48, ttl 255, id 51798, offset 0, flags
> [none], proto UDP (
> 17), length 84)
>
>
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators