[Openstack-operators] Is it possible to port mirror to a vm?

Yaron Illouz yaroni at radcom.com
Mon Feb 16 07:26:29 UTC 2015


Please read the mail content and not only the title

This is what I tried to do. Thank you for your answer.

 

________________________________

From: George Shuklin [mailto:george.shuklin at gmail.com] 
Sent: Sunday, February 15, 2015 9:13 PM
To: openstack-operators at lists.openstack.org
Subject: Re: [Openstack-operators] Is it possible to port mirror to a vm?

 

The answer is 'yes' and 'no'. 

No, openstack (neutron/nova-networks) has no such abstraction. 
Yes, you can do it with openvswitch at the compute host manually (until
VM reboot).

Quote from ovs-vsctl manpage:

   Port Mirroring
       Mirror all packets received or sent on eth0 or eth1 onto eth2, assuming
       that all of those ports exist on bridge br0 (as a side-effect this
       causes any packets received on eth2 to be ignored):

              ovs-vsctl -- set Bridge br0 mirrors=@m \
                  -- --id=@eth0 get Port eth0 \
                  -- --id=@eth1 get Port eth1 \
                  -- --id=@eth2 get Port eth2 \
                  -- --id=@m create Mirror name=mymirror select-dst-port=@eth0,@eth1 select-src-port=@eth0,@eth1 output-port=@eth2

 

On 02/15/2015 07:34 PM, Yaron Illouz wrote:

	Hi

	Is it possible to port mirror to a vm?

	I generate traffic from vm1 to vm2, and I am trying to mirror the traffic of vm1 to vm3.
	I want vm3 to receive traffic that is not destined for it - not its IP and not its MAC address.
	I am trying to do port mirroring between vms created with openstack.
	I did it with the openvswitch.
	Packets are copied to the mirrored qvo, qvb, and qbr but don't reach the tap.

	From the iptables output it doesn't seem to be dropped in one of the chains or in fallback.
	The problem: I do see the mirrored traffic in qvo, qvb and qbr (in tcpdump) but it doesn't pass to the tap.
	I tried to insert allowed-pairs to the port, but what I really need is to define it in "promiscuous" mode. But even with allowed-pairs, traffic doesn't reach vm3.

	I also tried to hairpin but it didn't help.

	brctl hairpin qbr3ede5b3e tap3ede5b3e on

	 

	Here are some details about my test

	Openstack RDO juno on Centos 7

	Neutron port list
	| 3ede5b3e-396e-48a9-b24a-6cb2dc7509fe |      | fa:16:3e:3b:34:de | {"subnet_id": "f960ee77-77a8-45c1-8eef-e3878f0bea9f", "ip_address": "10.67.82.2"}  |
	| 435f35c6-80be-47ee-b30f-8376e1ea78d9 |      | fa:16:3e:41:fd:59 | {"subnet_id": "f960ee77-77a8-45c1-8eef-e3878f0bea9f", "ip_address": "10.67.82.5"}  |
	| bd80bab5-424d-4e5c-8993-b8bb8c6f3e49 |      | fa:16:3e:f7:4f:ea | {"subnet_id": "f960ee77-77a8-45c1-8eef-e3878f0bea9f", "ip_address": "10.67.82.3"}  |

	Command that I ran to do the port mirroring:
	ovs-vsctl -- set Bridge br-int mirrors=@m \
	    -- --id=@qvobd80bab5-42 get Port qvobd80bab5-42 \
	    -- --id=@qvo3ede5b3e-39 get Port qvo3ede5b3e-39 \
	    -- --id=@m create Mirror name=mymirror select-dst-port=@qvobd80bab5-42 select-src-port=@qvobd80bab5-42 output-port=@qvo3ede5b3e-39

	This is the iptables output, filtered; you can see I added an allowed address pair.
	3     3518  919K neutron-openvswi-sg-chain  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out tap3ede5b3e-39 --physdev-is-bridged
	4        4  1358 neutron-openvswi-sg-chain  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap3ede5b3e-39 --physdev-is-bridged
	
	Chain neutron-openvswi-INPUT (1 references)
	--
	2        0     0 neutron-openvswi-o3ede5b3e-3  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap3ede5b3e-39 --physdev-is-bridged
	3        0     0 neutron-openvswi-o7e200e92-4  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap7e200e92-44 --physdev-is-bridged
	4        0     0 neutron-openvswi-o435f35c6-8  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap435f35c6-80 --physdev-is-bridged
	5        0     0 neutron-openvswi-o6a1bb345-9  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap6a1bb345-93 --physdev-is-bridged
	6        0     0 neutron-openvswi-ofc0a7800-a  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tapfc0a7800-a0 --physdev-is-bridged
	
	Chain neutron-openvswi-OUTPUT (1 references)
	num   pkts bytes target     prot opt in     out     source               destination
	
	Chain neutron-openvswi-i3ede5b3e-3 (1 references)
	num   pkts bytes target     prot opt in     out     source               destination
	1        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
	2       91  8550 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
	3        0     0 RETURN     udp  --  *      *       10.67.82.4           0.0.0.0/0            udp spt:67 dpt:68
	4        0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
	5        0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp multiport dports 1:65535
	6     3416  907K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set IPv4ecb94f49-0fdd-4f6f-b src
	7        9  3054 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
	
	--
	Chain neutron-openvswi-o3ede5b3e-3 (2 references)
	num   pkts bytes target     prot opt in     out     source               destination
	1        4  1358 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67
	2        0     0 neutron-openvswi-s3ede5b3e-3  all  --  *      *       0.0.0.0/0            0.0.0.0/0
	3        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
	4        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
	5        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
	6        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
	7        0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
	
	--
	Chain neutron-openvswi-s3ede5b3e-3 (1 references)
	num   pkts bytes target     prot opt in     out     source               destination
	1        0     0 RETURN     all  --  *      *       10.67.82.0/24        0.0.0.0/0            MAC FA:16:3E:41:FD:59
	2        0     0 RETURN     all  --  *      *       10.67.82.2           0.0.0.0/0            MAC FA:16:3E:3B:34:DE
	3        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
	
	
	--
	3     3518  919K neutron-openvswi-i3ede5b3e-3  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out tap3ede5b3e-39 --physdev-is-bridged
	4        4  1358 neutron-openvswi-o3ede5b3e-3  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap3ede5b3e-39 --physdev-is-bridged
	.
	13    397M 1617G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
	
	--
	error=`neutron-openvswi-i3ede5b3e-3'
	
	Entry 63 (19664):
	SRC IP: 0.0.0.0/0.0.0.0
	DST IP: 0.0.0.0/0.0.0.0
	Interface: `'/................to `'/................
	Protocol: 0
	Flags: 00
	Invflags: 00
	Counters: 0 packets, 0 bytes
	Cache: 00000000
	--
	error=`neutron-openvswi-o3ede5b3e-3'
	
	Entry 119 (32280):
	SRC IP: 0.0.0.0/0.0.0.0
	DST IP: 0.0.0.0/0.0.0.0
	Interface: `'/................to `'/................
	Protocol: 17
	Flags: 00
	Invflags: 00
	Counters: 4 packets, 1358 bytes
	Cache: 00000000
	--
	error=`neutron-openvswi-s3ede5b3e-3'
	
	Entry 173 (43608):
	SRC IP: 10.67.82.0/255.255.255.0
	DST IP: 0.0.0.0/0.0.0.0
	Interface: `'/................to `'/................
	Protocol: 0
	Flags: 00
	Invflags: 00
	Counters: 0 packets, 0 bytes
	Cache: 00000000

	 

	 

	The tcpdump traces show proper traffic flow from MAC/IP fa:16:3e:f7:4f:ea/10.67.82.3 to fa:16:3e:41:fd:59/10.67.82.5 going into a bridge/switch that has a nic with mac/IP of fa:16:3e:3b:34:de/10.67.82.2 connected to its other port.

	I thought the allowed address pair I added would allow this traffic -> you can see it in neutron-openvswi-s3ede5b3e-3 (1        0     0 RETURN     all  --  *      *       10.67.82.0/24        0.0.0.0/0            MAC FA:16:3E:41:FD:59).

	 

	In tcpdump:

	tcpdump -e -n -vvv -i qbr3ede5b3e-39 | more
	tcpdump: WARNING: qbr3ede5b3e-39: no IPv4 address assigned
	tcpdump: listening on qbr3ede5b3e-39, link-type EN10MB (Ethernet), capture size 65535 bytes
	08:20:57.102453 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 90: (tos 0x48, ttl 255, id 33035, offset 0, flags [none], proto UDP (17), length 76)
	    10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 48
	08:20:57.103052 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 56: (tos 0xb8, ttl 64, id 9181, offset 0, flags [none], proto UDP (17), length 42)
	    10.67.82.3.gtp-control > 10.67.82.5.gtp-control: [udp sum ok] UDP, length 14
	08:20:57.103363 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 193: (tos 0x48, ttl 255, id 61276, offset 0, flags [none], proto UDP

	tcpdump -e -n -vvv -i qvo3ede5b3e-39 | more
	tcpdump: WARNING: qvo3ede5b3e-39: no IPv4 address assigned
	tcpdump: listening on qvo3ede5b3e-39, link-type EN10MB (Ethernet), capture size 65535 bytes
	08:20:35.852117 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 125: (tos 0x48, ttl 255, id 40524, offset 0, flags [none], proto UDP (17), length 111)
	    10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 83
	08:20:35.852323 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 626: (tos 0x48, ttl 255, id 13595, offset 0, flags [none], proto UDP (17), length 612)
	    10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 584
	08:20:35.852337 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 626: (tos 0x48, ttl 255, id 13596, offset 0, flags [none], proto UDP (17), length 612)

	tcpdump -e -n -vvv -i qvb3ede5b3e-39 | more
	tcpdump: WARNING: qvb3ede5b3e-39: no IPv4 address assigned
	tcpdump: listening on qvb3ede5b3e-39, link-type EN10MB (Ethernet), capture size 65535 bytes
	08:19:52.633158 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 98: (tos 0x48, ttl 255, id 24950, offset 0, flags [none], proto UDP (17), length 84)
	    10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 56
	08:19:52.633173 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 90: (tos 0x48, ttl 255, id 2289, offset 0, flags [none], proto UDP (17), length 76)
	    10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 48
	08:19:52.633376 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 98: (tos 0x48, ttl 255, id 51798, offset 0, flags [none], proto UDP (17), length 84)


	_______________________________________________
	OpenStack-operators mailing list
	OpenStack-operators at lists.openstack.org
	
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
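A diagnostic that fits the question in this thread: parse the per-port security-group chains Neutron's iptables driver installs for the mirror's destination tap and list every rule that discards traffic (DROP, or the jump to neutron-openvswi-sg-fallback) while showing a non-zero packet counter. This is an added example, not code from the thread or from Neutron; it assumes the chain naming visible in the post's output, the K/M/G counter suffixes that `iptables -v` prints, and uses the post's own chains, rejoined one rule per line, as sample input.

```python
import re
from typing import Dict, List, NamedTuple

# Neutron's iptables firewall driver gives each port its own chains: neutron-openvswi-i<prefix>
# (towards the VM), -o<prefix> (from the VM) and -s<prefix> (anti-spoofing / allowed-address-pairs).
# Traffic no rule RETURNs falls through to neutron-openvswi-sg-fallback, which drops it.
Rule = NamedTuple("Rule", [("chain", str), ("num", int), ("pkts", int), ("target", str), ("match", str)])

_CHAIN_RE = re.compile(r"^Chain (\S+) \(\d+ references\)$")
_RULE_RE = re.compile(r"^(\d+)\s+(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(.*)$")

def _count(field: str) -> int:
    """Expand the K/M/G suffixes `iptables -v` prints in the pkts/bytes columns."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(field[:-1]) * mult[field[-1]] if field[-1] in mult else int(field)

def parse_chains(output: str) -> Dict[str, List[Rule]]:
    """Parse `iptables -L -v -n --line-numbers` output into {chain name: [Rule, ...]}."""
    chains: Dict[str, List[Rule]] = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if (m := _CHAIN_RE.match(line)):
            current = m.group(1)
            chains[current] = []
        elif current and (m := _RULE_RE.match(line)):
            num, pkts, _bytes, target, match = m.groups()
            chains[current].append(Rule(current, int(num), _count(pkts), target, match))
    return chains

def terminating_hits(chains: Dict[str, List[Rule]], prefix: str) -> List[Rule]:
    """Rules in the port's i/o/s chains that discard traffic (DROP, or a jump to
    sg-fallback) and have counted packets: the places where frames are being lost."""
    sinks = {"DROP", "neutron-openvswi-sg-fallback"}
    return [r for kind in "ios"
            for r in chains.get(f"neutron-openvswi-{kind}{prefix}", [])
            if r.target in sinks and r.pkts > 0]

# Sample input: the tap3ede5b3e-39 chains pasted in the thread, each rule rejoined onto one line.
SAMPLE = """\
Chain neutron-openvswi-i3ede5b3e-3 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
6     3416  907K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set IPv4ecb94f49-0fdd-4f6f-b src
7        9  3054 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain neutron-openvswi-s3ede5b3e-3 (1 references)
1        0     0 RETURN     all  --  *      *       10.67.82.0/24        0.0.0.0/0            MAC FA:16:3E:41:FD:59
3        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
```

On the thread's figures, `terminating_hits(parse_chains(SAMPLE), "3ede5b3e-3")` returns a single rule: number 7 of the ingress chain, the jump to sg-fallback, with 9 packets counted; the anti-spoofing chain's DROP rule has seen none.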

 
