
OpenStack security groups: study notes on the OVS-based implementation

This article describes OpenStack security group rules and how they are reflected in the OVS flow tables.

The experiment uses the OpenStack Stein release installed with devstack, with OVS as the virtual switch, and analyses how OpenFlow is used to implement OpenStack security groups. The host runs Ubuntu 18.04.3 LTS.

OpenStack security groups

1. Security groups

In OpenStack, a security group is a set of policies applied to a neutron port; the policies can be thought of as a collection of firewall rules. Security group rules are allow rules only, and they are stateful: traffic that matches no rule of any group attached to the port is dropped, while replies to an allowed connection are admitted without needing a rule of their own.

2. Security group implementations

OpenStack implements security groups in one of the following ways:

  • ovs + iptables + connection tracking (the iptables_hybrid driver, which inserts a Linux bridge between each VM and br-int)
  • ovs + OpenFlow + connection tracking (the native openvswitch firewall driver)
  • linuxbridge + iptables + connection tracking

Since the experiment environment here is devstack (Stein) with OVS, only the second variant is described. It corresponds to firewall_driver = openvswitch in the [securitygroup] section of the OVS agent configuration; the tables numbered 71 to 94 that appear in the flow dumps below exist only with this driver, which is an easy way to confirm which driver a host is running.

Experiment preparation

1. Create a project and user (optional)

Create a project and a user, both named test:

$ openstack project create --domain default --description "Security Group Test Project" test
$ openstack user create --domain default --password-prompt test
$ openstack role add --project test --user test admin

(The admin role is more than the experiment needs; the member role is enough to launch an instance and edit the project's security groups.)

2. View the rules of the test project's default security group

Log in to the OpenStack dashboard as the test user and open Network > Security Groups; select the default security group and view its rules. Every project receives this group when it is created: it allows all egress traffic and, for ingress, only traffic from other ports that are members of the same default group.

Security group experiment

An instance has to be created beforehand; it is associated with the default security group unless another group is chosen at launch.

0. Gather some information

  • Port ID

$ openstack port list
+--------------------------------------+------+-------------------+-------------------------------------------------------------------------------+--------+
| ID                                   | Name | MAC Address       | Fixed IP Addresses                                                            | Status |
+--------------------------------------+------+-------------------+-------------------------------------------------------------------------------+--------+
| 41ca5359-2edc-4d74-8321-5883ecb618c5 |      | fa:16:3e:fa:fd:13 | ip_address='192.168.233.49', subnet_id='ef4d1362-24b5-4d01-8748-ffe9cc2ca2e5' | ACTIVE |
+--------------------------------------+------+-------------------+-------------------------------------------------------------------------------+--------+

A port with ID 41ca5359-2edc-4d74-8321-5883ecb618c5 was created and assigned the IP address 192.168.233.49.

  • Interface name

$ ovs-vsctl show
...
    Bridge br-int
        Controller "tcp:127.0.0.1:6633"
            is_connected: true
        ...
        Port "tap41ca5359-2e"
            tag: 3
            Interface "tap41ca5359-2e"
...

The corresponding interface is tap41ca5359-2e (the prefix tap followed by the first 11 characters of the port ID). The VLAN tag 3 is the local VLAN that br-int assigns to the port's network; it reappears as reg6=0x3 in the flows below.

2. Create an ingress rule

Using the Dashboard, add an ingress rule to the default security group: remote IP 199.0.0.0/24, protocol TCP, destination port 80.

  • Look at the br-int flow table

br-int carries a large number of flows, so filter the output:

$ ovs-ofctl dump-flows br-int | grep 199.0.0.0
cookie=0xd9177c011dbdf439, duration=98.493s, table=82, n_packets=0, n_bytes=0, idle_age=98, priority=77,ct_state=+est-rel-rpl,tcp,reg5=0xe,nw_src=199.0.0.0/24,tp_dst=80 actions=output:14
cookie=0xd9177c011dbdf439, duration=98.493s, table=82, n_packets=0, n_bytes=0, idle_age=98, priority=77,ct_state=+new-est,tcp,reg5=0xe,nw_src=199.0.0.0/24,tp_dst=80 actions=ct(commit,zone=NXM_NX_REG6[0..15]),output:14,resubmit(,92)

Two flows were added, both in table 82 and both restricted to reg5=0xe (14 in decimal, the OpenFlow port number of the instance's tap interface, as section 4.1 shows).

3. Create an egress rule

Create an egress rule with the same parameters: remote IP 199.0.0.0/24, protocol TCP, destination port 80.

The flow table gained the following two flows, this time in table 72 and matching on nw_dst instead of nw_src:

cookie=0xd9177c011dbdf439, duration=19.261s, table=72, n_packets=0, n_bytes=0, idle_age=19, priority=77,ct_state=+est-rel-rpl,tcp,reg5=0xe,nw_dst=199.0.0.0/24,tp_dst=80 actions=resubmit(,73)
cookie=0xd9177c011dbdf439, duration=19.261s, table=72, n_packets=0, n_bytes=0, idle_age=19, priority=77,ct_state=+new-est,tcp,reg5=0xe,nw_dst=199.0.0.0/24,tp_dst=80 actions=resubmit(,73)

4. Reading the flows

4.1 Ingress

  • The flows from step 2 match protocol TCP, nw_src=199.0.0.0/24 and tp_dst=80, and only for reg5=0xe, so the rule applies to this port alone; the conntrack state decides which of the two flows is used.
  • Their actions: the first flow (ct_state=+est-rel-rpl, a packet of an already established connection in its original direction) outputs the packet straight to port 14; the second (ct_state=+new-est, the first packet of a new connection) commits the connection to conntrack in the zone taken from reg6, outputs the packet to port 14 and then resubmits to table 92.

Which interface is port 14? As expected, it is tap41ca5359-2e:

$ ovs-ofctl show br-int
...
 14(tap41ca5359-2e): addr:fe:16:3e:fa:fd:13
     config:     0
     state:      0
     current:    10MB-FD COPPER
     speed: 10 Mbps now, 0 Mbps max
...

(The tap device's own address fe:16:3e:fa:fd:13 differs from the port's MAC fa:16:3e:fa:fd:13 only in the first byte; the guest NIC uses fa:16:3e:fa:fd:13, which is the address the dl_dst match in table 73 refers to.)

  • table 92

Drops everything:

cookie=0xd9177c011dbdf439, duration=3197934.551s, table=92, n_packets=0, n_bytes=0, priority=0 actions=drop

The drop in table 92 does not undo the delivery: output is a side effect that has already copied the packet to port 14, and the resubmit to 92 merely ends processing (the table exists so that agent extensions such as logging can hook into accepted ingress traffic). TCP packets from 199.0.0.0/24 to destination port 80 are therefore delivered to tap41ca5359-2e, whether they open a new connection or belong to one already tracked; packets that match no rule never hit these two flows and fall through to the lower-priority default drop in table 82.

4.2 Egress

  • The flows from step 3 match protocol TCP, nw_dst=199.0.0.0/24 and tp_dst=80, again for reg5=0xe only.
  • Their action resubmits to table 73, which is considerably more involved and in turn refers to tables 81, 91 and 94:

cookie=0xd9177c011dbdf439, duration=1305.051s, table=73, n_packets=10, n_bytes=1345, priority=100,reg6=0x3,dl_dst=fa:16:3e:fa:fd:13 actions=load:0xe->NXM_NX_REG5[],resubmit(,81)
cookie=0xd9177c011dbdf439, duration=1305.051s, table=73, n_packets=5, n_bytes=438, priority=90,ct_state=+new-est,ip,reg5=0xe actions=ct(commit,zone=NXM_NX_REG6[0..15]),resubmit(,91)
cookie=0xd9177c011dbdf439, duration=1305.051s, table=73, n_packets=0, n_bytes=0, priority=90,ct_state=+new-est,ipv6,reg5=0xe actions=ct(commit,zone=NXM_NX_REG6[0..15]),resubmit(,91)
cookie=0xd9177c011dbdf439, duration=3197929.613s, table=73, n_packets=0, n_bytes=0, priority=80,reg5=0x6 actions=resubmit(,94)
cookie=0xd9177c011dbdf439, duration=3197929.613s, table=73, n_packets=0, n_bytes=0, priority=80,reg5=0x3 actions=resubmit(,94)
cookie=0xd9177c011dbdf439, duration=3197929.613s, table=73, n_packets=0, n_bytes=0, priority=80,reg5=0x4 actions=resubmit(,94)
cookie=0xd9177c011dbdf439, duration=3197929.613s, table=73, n_packets=0, n_bytes=0, priority=80,reg5=0x7 actions=resubmit(,94)
cookie=0xd9177c011dbdf439, duration=3197929.613s, table=73, n_packets=0, n_bytes=0, priority=80,reg5=0x5 actions=resubmit(,94)
cookie=0xd9177c011dbdf439, duration=3197849.617s, table=73, n_packets=5, n_bytes=446, priority=80,reg5=0x9 actions=resubmit(,94)
cookie=0xd9177c011dbdf439, duration=3197849.617s, table=73, n_packets=2, n_bytes=180, priority=80,reg5=0x8 actions=resubmit(,94)
cookie=0xd9177c011dbdf439, duration=3197817.084s, table=73, n_packets=11, n_bytes=778, priority=80,reg5=0xa actions=resubmit(,94)
cookie=0xd9177c011dbdf439, duration=3197815.612s, table=73, n_packets=49080, n_bytes=5791412, priority=80,reg5=0xb actions=resubmit(,94)
cookie=0xd9177c011dbdf439, duration=3197815.612s, table=73, n_packets=8, n_bytes=648, priority=80,reg5=0xc actions=resubmit(,94)
cookie=0xd9177c011dbdf439, duration=1305.051s, table=73, n_packets=6, n_bytes=1078, priority=80,reg5=0xe actions=resubmit(,94)
cookie=0xd9177c011dbdf439, duration=3197934.616s, table=73, n_packets=0, n_bytes=0, priority=0 actions=drop

Reading table 73 from the top: the priority-100 flow matches frames addressed to this port's own MAC on its network (reg6=0x3 is the local VLAN tag), loads the port number 0xe into reg5 and jumps to the port's ingress pipeline at table 81; this is how traffic between two ports on the same br-int is checked without ever leaving the bridge. The priority-90 flows commit a new IPv4 or IPv6 connection from the port to conntrack and continue in table 91. The priority-80 flow for reg5=0xe sends whatever is left for the port (already established traffic, since new connections were taken at priority 90) to table 94; the similar flows for reg5=0x3 to 0xc belong to the other ports on the bridge and, judging by their durations, were installed when the agent started. Anything that matches none of these is dropped.
  • table 91

Resubmits to table 94:

cookie=0xd9177c011dbdf439, duration=3197934.561s, table=91, n_packets=10, n_bytes=876, priority=1 actions=resubmit(,94)

  • table 94

Normal forwarding; the NORMAL action hands the frame to the switch's MAC-learning forwarding:

cookie=0xd9177c011dbdf439, duration=3197934.572s, table=94, n_packets=49280, n_bytes=5803120, priority=1 actions=NORMAL

  • table 81

The base ingress table for the port, entered from table 73 for traffic destined to this port. ARP, the ICMPv6 types needed for neighbour discovery and MLD (130, 135, 136) and DHCP/DHCPv6 server-to-client replies (UDP 67 to 68, 547 to 546) are delivered to tap41ca5359-2e directly; untracked IPv4/IPv6 packets are passed through conntrack into table 82, packets that are already tracked go to table 82 directly, and anything else is dropped:

cookie=0xd9177c011dbdf439, duration=1305.051s, table=81, n_packets=3, n_bytes=126, priority=100,arp,reg5=0xe actions=output:"tap41ca5359-2e"
cookie=0xd9177c011dbdf439, duration=1305.051s, table=81, n_packets=0, n_bytes=0, priority=100,icmp6,reg5=0xe,icmp_type=130 actions=output:"tap41ca5359-2e"
cookie=0xd9177c011dbdf439, duration=1305.051s, table=81, n_packets=0, n_bytes=0, priority=100,icmp6,reg5=0xe,icmp_type=135 actions=output:"tap41ca5359-2e"
cookie=0xd9177c011dbdf439, duration=1305.051s, table=81, n_packets=0, n_bytes=0, priority=100,icmp6,reg5=0xe,icmp_type=136 actions=output:"tap41ca5359-2e"
cookie=0xd9177c011dbdf439, duration=1305.051s, table=81, n_packets=2, n_bytes=729, priority=95,udp,reg5=0xe,tp_src=67,tp_dst=68 actions=output:"tap41ca5359-2e"
cookie=0xd9177c011dbdf439, duration=1305.051s, table=81, n_packets=0, n_bytes=0, priority=95,udp6,reg5=0xe,tp_src=547,tp_dst=546 actions=output:"tap41ca5359-2e"
cookie=0xd9177c011dbdf439, duration=1305.051s, table=81, n_packets=5, n_bytes=490, priority=90,ct_state=-trk,ip,reg5=0xe actions=ct(table=82,zone=NXM_NX_REG6[0..15])
cookie=0xd9177c011dbdf439, duration=1305.051s, table=81, n_packets=0, n_bytes=0, priority=90,ct_state=-trk,ipv6,reg5=0xe actions=ct(table=82,zone=NXM_NX_REG6[0..15])
cookie=0xd9177c011dbdf439, duration=1305.051s, table=81, n_packets=0, n_bytes=0, priority=80,ct_state=+trk,reg5=0xe actions=resubmit(,82)
cookie=0xd9177c011dbdf439, duration=3197934.606s, table=81, n_packets=0, n_bytes=0, priority=0 actions=drop

So TCP packets from the instance to 199.0.0.0/24 port 80 reach table 73: a new connection is committed to conntrack and forwarded via tables 91 and 94, an already established one goes straight to 94, and in both cases the NORMAL action forwards the frame. Egress packets that match no rule never reach table 73; they are dropped in table 72.
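The flow walks in sections 4.1 and 4.2 can be checked mechanically rather than by eye. The following Python script is an added example, not part of the original notes and not neutron's code: it parses `ovs-ofctl dump-flows` lines into table, priority, match fields and actions, then walks one packet through the tables the way OVS does (highest-priority match wins, resubmit continues in another table, output happens immediately). The flow list is constructed from the flows shown above for port 14 (reg5=0xe); the priority-0 drops in tables 72 and 82 are an assumption, matching the default drop the page shows for table 92, and the packets fed in are constructed. Only the actions that occur in these flows (output, drop, NORMAL, resubmit, ct commit) are interpreted; the ct(table=82) recirculation of table 81 and the conntrack zones themselves are not modelled.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed from the flows on this page for the instance port (OpenFlow port 14,
# reg5=0xe).  The priority-0 drops in tables 72 and 82 are assumed: neutron installs
# one in every firewall table, like the one the page shows for table 92.
SAMPLE_FLOWS = """\
cookie=0xd9177c011dbdf439, duration=98.493s, table=82, n_packets=0, n_bytes=0, idle_age=98, priority=77,ct_state=+est-rel-rpl,tcp,reg5=0xe,nw_src=199.0.0.0/24,tp_dst=80 actions=output:14
cookie=0xd9177c011dbdf439, duration=98.493s, table=82, n_packets=0, n_bytes=0, idle_age=98, priority=77,ct_state=+new-est,tcp,reg5=0xe,nw_src=199.0.0.0/24,tp_dst=80 actions=ct(commit,zone=NXM_NX_REG6[0..15]),output:14,resubmit(,92)
cookie=0xd9177c011dbdf439, duration=3197934.551s, table=82, n_packets=0, n_bytes=0, priority=0 actions=drop
cookie=0xd9177c011dbdf439, duration=3197934.551s, table=92, n_packets=0, n_bytes=0, priority=0 actions=drop
cookie=0xd9177c011dbdf439, duration=19.261s, table=72, n_packets=0, n_bytes=0, idle_age=19, priority=77,ct_state=+est-rel-rpl,tcp,reg5=0xe,nw_dst=199.0.0.0/24,tp_dst=80 actions=resubmit(,73)
cookie=0xd9177c011dbdf439, duration=19.261s, table=72, n_packets=0, n_bytes=0, idle_age=19, priority=77,ct_state=+new-est,tcp,reg5=0xe,nw_dst=199.0.0.0/24,tp_dst=80 actions=resubmit(,73)
cookie=0xd9177c011dbdf439, duration=3197934.551s, table=72, n_packets=0, n_bytes=0, priority=0 actions=drop
cookie=0xd9177c011dbdf439, duration=1305.051s, table=73, n_packets=5, n_bytes=438, priority=90,ct_state=+new-est,ip,reg5=0xe actions=ct(commit,zone=NXM_NX_REG6[0..15]),resubmit(,91)
cookie=0xd9177c011dbdf439, duration=1305.051s, table=73, n_packets=6, n_bytes=1078, priority=80,reg5=0xe actions=resubmit(,94)
cookie=0xd9177c011dbdf439, duration=3197934.616s, table=73, n_packets=0, n_bytes=0, priority=0 actions=drop
cookie=0xd9177c011dbdf439, duration=3197934.561s, table=91, n_packets=10, n_bytes=876, priority=1 actions=resubmit(,94)
cookie=0xd9177c011dbdf439, duration=3197934.572s, table=94, n_packets=49280, n_bytes=5803120, priority=1 actions=NORMAL
"""

STATS = {"cookie", "duration", "n_packets", "n_bytes", "idle_age", "hard_age"}
ACTION_SPLIT = re.compile(r",(?![^(]*\))")  # commas outside ct(...) and resubmit(...)


def parse_flow(line):
    """One dump-flows line -> table, priority, bare protocol keywords, match fields, actions."""
    head, actions = line.strip().split(" actions=", 1)
    flow = {"table": 0, "priority": 32768, "protos": set(), "match": {}, "actions": actions}
    for tok in filter(None, (t.strip() for t in head.split(","))):
        key, _, val = tok.partition("=")
        if not val:                          # bare keyword such as tcp, ip, arp
            flow["protos"].add(key)
        elif key in ("table", "priority"):
            flow[key] = int(val)
        elif key not in STATS:
            flow["match"][key] = val
    return flow


def ct_state_ok(spec, flags):
    """'+new-est': every '+' flag must be set and every '-' flag clear."""
    return all((flag in flags) == (sign == "+")
               for sign, flag in re.findall(r"([+-])(\w+)", spec))


def flow_matches(flow, pkt):
    """Every bare keyword and every match field of the flow must hold for pkt."""
    if not flow["protos"] <= pkt["protos"]:
        return False
    for key, val in flow["match"].items():
        have = pkt.get(key)
        if key == "ct_state":
            ok = ct_state_ok(val, pkt["ct_state"])
        elif key in ("nw_src", "nw_dst"):
            ok = have is not None and ip_address(have) in ip_network(val, strict=False)
        elif key.startswith(("reg", "tp_")):
            ok = have == int(val, 0)         # reg5=0xe is hex, tp_dst=80 decimal
        else:
            ok = have == val
        if not ok:
            return False
    return True


def walk(flows, table, pkt, max_hops=16):
    """Follow resubmits from `table` for one packet: highest-priority match wins."""
    by_table = {}
    for f in flows:
        by_table.setdefault(f["table"], []).append(f)
    res = {"path": [], "outputs": [], "committed": False, "terminal": None}
    while table is not None and len(res["path"]) < max_hops:
        res["path"].append(table)
        hits = [f for f in by_table.get(table, []) if flow_matches(f, pkt)]
        if not hits:                         # table miss: OVS drops the packet
            res["terminal"] = "drop"
            break
        table = None
        for act in ACTION_SPLIT.split(max(hits, key=lambda f: f["priority"])["actions"]):
            if act in ("drop", "NORMAL"):
                res["terminal"] = act
            elif act.startswith("output:"):  # side effect: a later drop does not undo it
                res["outputs"].append(act[7:].strip('"'))
            elif act.startswith("resubmit(,"):
                table = int(act[10:-1])
            elif act.startswith("ct(") and "commit" in act:
                res["committed"] = True      # connection entered the conntrack zone
    return res


def tcp_packet(src, dst, dport, ct_state, ofport=14):
    """Constructed TCP/IPv4 packet as the port's pipeline sees it."""
    return {"protos": {"ip", "tcp"}, "reg5": ofport, "nw_src": src,
            "nw_dst": dst, "tp_dst": dport, "ct_state": set(ct_state)}


if __name__ == "__main__":
    flows = [parse_flow(l) for l in SAMPLE_FLOWS.splitlines() if " actions=" in l]
    ext, vm = "199.0.0.7", "192.168.233.49"
    print("ingress new :80", walk(flows, 82, tcp_packet(ext, vm, 80, {"trk", "new"})))
    print("egress  new :80", walk(flows, 72, tcp_packet(vm, ext, 80, {"trk", "new"})))
```

Running it shows the point made for table 92 above: for a new connection from 199.0.0.0/24 to port 80 the walk ends at the drop in table 92, yet outputs is ['14'] and committed is True, because the output and the ct commit happened in table 82 before the resubmit. A packet from another source, to another port, or arriving on a different OpenFlow port matches only the priority-0 drop. On a live host, feed it the output of `ovs-ofctl dump-flows br-int` in place of SAMPLE_FLOWS (the filter on " actions=" skips the NXST_FLOW header line) and use the port number that `ovs-ofctl show br-int` prints for the tap interface as reg5.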