Saturday, June 18, 2016

Playing Openvswitch And Namespace: Floating IP, Iperf testing, QOS, Security Group, and Firewall

(figure: namespace_floatingip)

How to Build Floating IP

This builds on the L3 routing setup from the previous post:

http://gogosatellite.blogspot.tw/2016/06/playing-openvswitch-and-namespace-veth.html

We skip the steps for creating the namespace and giving it two NICs, one for the private network and one for the public network.

Enter the namespace qrouter-f8cfe243-5908-4003-a776-59ce891e5d80, which is the L3 routing namespace:

ip netns exec qrouter-f8cfe243-5908-4003-a776-59ce891e5d80 bash

Add the floating IP you want, 172.16.235.15:

ip addr add 172.16.235.15/24 dev qg-0155e3e5-11

where qg-0155e3e5-11 is the port attached to br-ex that faces the external network, as shown below.

Show the result; the floating IP 172.16.235.15 now appears as a secondary address:

root@kiloceilo:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
7: qg-0155e3e5-11: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
    link/ether fa:16:3e:be:57:b1 brd ff:ff:ff:ff:ff:ff
    inet 172.16.235.3/24 brd 172.16.235.255 scope global qg-0155e3e5-11
       valid_lft forever preferred_lft forever
    inet 172.16.235.13/32 brd 172.16.235.13 scope global qg-0155e3e5-11
       valid_lft forever preferred_lft forever
    inet 172.16.235.15/24 scope global secondary qg-0155e3e5-11
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:febe:57b1/64 scope link
       valid_lft forever preferred_lft forever
8: qr-19bae3c4-0b: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
    link/ether fa:16:3e:fe:cc:77 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/24 brd 10.0.0.255 scope global qr-19bae3c4-0b
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fefe:cc77/64 scope link
       valid_lft forever preferred_lft forever

where qr-19bae3c4-0b is the interface that connects to the private VM network.

DNAT 172.16.235.15 to 10.0.0.146, the VM's private IP:

iptables -t nat -A PREROUTING -i qg-0155e3e5-11  -p tcp -d 172.16.235.15  -j DNAT --to-destination 10.0.0.146

Of course we can ping 172.16.235.15:

root@kiloceilo:~# ping 172.16.235.15
PING 172.16.235.15 (172.16.235.15) 56(84) bytes of data.
64 bytes from 172.16.235.15: icmp_seq=1 ttl=64 time=0.566 ms

Now you can connect to the VM via the floating IP:

root@kiloceilo:~# ssh cirros@172.16.235.15
cirros@172.16.235.15's password:

If you are running the test above in an OpenStack environment, watch out for the security group: clear it first, then rebuild it with rules allowing ICMP and TCP on all ports.

Security group

Prepare the environment

The environment is based on my previous blog post:

http://gogosatellite.blogspot.tw/2016/06/playing-openvswitch-and-namespace-veth.html

Create the vlandropnet test namespace

ip netns add vlandropnet
ovs-vsctl add-port vlanbr vlandrop tag=100 -- set interface vlandrop type=internal
ip link set vlandrop netns vlandropnet
ip netns exec vlandropnet ip address add 10.0.0.5/24 dev vlandrop
ip netns exec vlandropnet ip link set dev vlandrop up
ip netns exec vlandropnet ip link set dev lo up

Create the vlanconnet test namespace

ip netns add vlanconnet
ovs-vsctl add-port vlanbr vlancon tag=100 -- set interface vlancon type=internal
ip link set vlancon netns vlanconnet
ip netns exec vlanconnet ip address add 10.0.0.6/24 dev vlancon
ip netns exec vlanconnet ip link set dev vlancon up
ip netns exec vlanconnet ip link set dev lo up

root@ovsvxlan1:~# ip netns exec vlanconnet ping 10.0.0.5
PING 10.0.0.5 (10.0.0.5) 56(84) bytes of data.
64 bytes from 10.0.0.5: icmp_seq=1 ttl=64 time=0.924 ms
64 bytes from 10.0.0.5: icmp_seq=2 ttl=64 time=0.273 ms

Iperf testing

In vlanconnet:

root@ovsvxlan1:~# iperf -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 85.3 KByte (default)
------------------------------------------------------------
[  4] local 10.0.0.5 port 5001 connected with 10.0.0.6 port 51749
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-10.0 sec  26.2 GBytes  22.4 Gbits/sec

In vlandropnet:

root@ovsvxlan1:~# iperf -c 10.0.0.5
------------------------------------------------------------
Client connecting to 10.0.0.5, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[  3] local 10.0.0.6 port 51750 connected with 10.0.0.5 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec  27.8 GBytes  23.9 Gbits/sec

Drop methods

We introduce two methods. I prefer Method 2, but it hits some bugs in OpenFlow with Open vSwitch 2.02, so we have to use Method 1.

Method 1: Working Drop in Mac/IP

Any IP flow to 10.0.0.5 will be dropped:

ovs-ofctl add-flow vlanbr "priority=100,eth_type=0x800,ip_dst=10.0.0.5,action=drop"

or by destination MAC address:

ovs-ofctl add-flow vlanbr "priority=100,eth_type=0x800,nw_proto=1,dl_dst=3a:69:76:f3:76:29,action=drop"

Result:

root@ovsvxlan1:~# ip netns exec vlanconnet ping 10.0.0.5
PING 10.0.0.5 (10.0.0.5) 56(84) bytes of data.
^C

Check the flow table of vlanbr:

root@ovsvxlan1:~# ovs-ofctl dump-flows vlanbr
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=45.519s, table=0, n_packets=6, n_bytes=588, idle_age=6, priority=100,ip,nw_dst=10.0.0.5 actions=drop
 cookie=0x0, duration=4264.462s, table=0, n_packets=101, n_bytes=7810, idle_age=4, priority=0 actions=NORMAL

Method 2: Working Drop in Port

Matching on the port should be the best choice, since we are working on a switch.

Get the OpenFlow port number of the vlandrop device on the vlanbr bridge:

ovs-vsctl get Interface vlandrop ofport
6

Configure port 6 to drop ICMP:

ovs-ofctl add-flow vlanbr "in_port=6,icmp,actions=drop"

Check the vlanbr flow table:

root@ovsvxlan1:~# ovs-ofctl dump-flows vlanbr
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=251.62s, table=0, n_packets=5, n_bytes=490, idle_age=225, icmp,in_port=6 actions=drop
 cookie=0x0, duration=7476.585s, table=0, n_packets=262, n_bytes=20092, idle_age=225, priority=0 actions=NORMAL

Result: Cannot ping 10.0.0.5.

root@ovsvxlan1:~# ip netns exec vlanconnet ping 10.0.0.5
PING 10.0.0.5 (10.0.0.5) 56(84) bytes of data.
^C

Delete the flow again:

root@ovsvxlan1:~# ovs-ofctl --strict del-flows vlanbr "idle_age=36, icmp,in_port=6"

For more testing, we can try dropping ARP. Of course, you can check it with ping as before.

root@ovsvxlan1:~# ovs-ofctl add-flow vlanbr "in_port=6,arp,actions=drop"

Example

One can drop all TCP packets entering on in_port=3 (that is, packets whose source or destination is the host on port 3) that are headed for 10.0.0.5:

ovs-ofctl add-flow vlanbr 'in_port=3,tcp,nw_dst=10.0.0.5 action=drop'

Note that in_port catches both the request and the response direction, which confused me for a long while. The rule drops any packet that enters the bridge on port 3 and is destined for 10.0.0.5, so a response with (src=port3 & dst=10.0.0.5) is dropped even though the request in the other direction passes. With port3=10.0.0.7, port2=10.0.0.6 and port1=10.0.0.5:

* 5->6 (yes)
* 5->7 (drop), since the request passes but the response is dropped
* 6->5 (yes)
* 6->7 (yes)
* 7->5 (drop), since the request is dropped
* 7->6 (yes)

ovs-ofctl add-flow vlanbr 'in_port=3,tcp action=drop'

With the command above, any TCP request or response to or from in_port=3 will be dropped.

Drop a specific port

We can try the iperf port, 5001.

The most important thing is that you must specify dl_dst, the destination MAC address, or it will fail. But if you only match on a protocol, you don't need dl_dst.

A good habit is to always specify the destination MAC address.

ovs-ofctl add-flow vlanbr "dl_dst=3a:69:76:f3:76:29,tcp,tp_dst=5001,actions=drop"

or

ovs-ofctl add-flow vlanbr "dl_dst=3a:69:76:f3:76:29,dl_type=0x0800,nw_proto=6,tp_dst=5001,actions=drop"

where dl_type=0x0800,nw_proto=6 is the same as tcp; see man ovs-ofctl. Port ranges are also supported by using a mask on the port field; again, see man ovs-ofctl.

In vlanconnet:

root@ovsvxlan1:~# nc -v 10.0.0.5 5001
nc: connect to 10.0.0.5 port 5001 (tcp) failed: No route to host

It cannot connect to port 5001 on 10.0.0.5, which is vlandropnet.

Firewall

To drop by source MAC address:

ovs-ofctl add-flow vlanbr "dl_src=aa:8f:df:0c:74:27,dl_dst=3a:69:76:f3:76:29,tcp,tp_dst=5001,actions=drop"

Other MAC addresses can still access port 5001.

The result is that the connection is dropped:

root@ovsvxlan1:~# nc -v 10.0.0.5 5001
^C

To drop by source IP:

ovs-ofctl add-flow vlanbr "ip_src=10.0.0.6,dl_dst=3a:69:76:f3:76:29,tcp,tp_dst=5003,actions=drop"

Drop all connections within this subnet:

ovs-ofctl add-flow vlanbr priority=500,dl_type=0x800,nw_src=10.0.0.0/24,nw_dst=10.0.0.0/24,actions=drop

Some useful commands

root@ovsvxlan1:~# ovs-ofctl dump-flows vlanbr
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=637.232s, table=0, n_packets=0, n_bytes=0, idle_age=637, priority=100,ip,nw_dst=10.0.0.1 actions=drop
 cookie=0x0, duration=3920.83s, table=0, n_packets=85, n_bytes=6690, idle_age=610, priority=0 actions=NORMAL

To delete a flow, just provide the unique parameters that identify it (here the priority and the match):

ovs-ofctl --strict del-flows vlanbr "priority=100,ip,nw_dst=10.0.0.1"

root@ovsvxlan1:~# ovs-ofctl dump-flows vlanbr
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=3954.638s, table=0, n_packets=85, n_bytes=6690, idle_age=644, priority=0 actions=NORMAL
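To see which drop rules are actually doing anything, the dump-flows output can be audited for hit counts, and the match string that --strict del-flows needs can be extracted mechanically instead of retyped. The script below is an added example (not from the post and not part of Open vSwitch); it assumes the NXST_FLOW line layout shown above, with the bookkeeping fields cookie, duration, table, n_packets, n_bytes and idle_age in front of the match, and the sample text is assembled from the outputs shown in the post.

```shell
#!/bin/sh
# Added example: audit drop rules in "ovs-ofctl dump-flows" output and build the
# exact --strict del-flows command for the ones that never matched a packet.
# Assumes the NXST_FLOW line layout shown in the post (not the project's own code).

# drop_flows -> reads dump-flows output on stdin, prints "<n_packets> <match>"
# for every flow whose action is drop
drop_flows() {
    while IFS= read -r line; do
        case "$line" in *"actions=drop"*) ;; *) continue ;; esac
        case "$line" in *n_packets=*) ;; *) continue ;; esac
        pkts=${line##*n_packets=}
        pkts=${pkts%%,*}
        match=${line%% actions=*}
        match=${match#"${match%%[! ]*}"}      # trim leading spaces
        # strip the bookkeeping fields that precede the match proper
        while :; do
            case "$match" in
                cookie=*|duration=*|table=*|n_packets=*|n_bytes=*|idle_age=*|hard_age=*)
                    case "$match" in *", "*) match=${match#*, } ;; *) break ;; esac ;;
                *) break ;;
            esac
        done
        printf '%s %s\n' "$pkts" "$match"
    done
}

# stale_drop_cmds BRIDGE -> reads dump-flows output on stdin and prints, for each
# drop flow with zero hits, the --strict del-flows command that removes exactly it
stale_drop_cmds() {
    drop_flows | while read -r pkts match; do
        [ "$pkts" -eq 0 ] || continue
        printf 'ovs-ofctl --strict del-flows %s "%s"\n' "$1" "$match"
    done
}

# Sample dump-flows output, assembled from the outputs shown in the post
SAMPLE='NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=637.232s, table=0, n_packets=0, n_bytes=0, idle_age=637, priority=100,ip,nw_dst=10.0.0.1 actions=drop
 cookie=0x0, duration=45.519s, table=0, n_packets=6, n_bytes=588, idle_age=6, priority=100,ip,nw_dst=10.0.0.5 actions=drop
 cookie=0x0, duration=3920.83s, table=0, n_packets=85, n_bytes=6690, idle_age=610, priority=0 actions=NORMAL'

echo "drop flows (hits, match):"
printf '%s\n' "$SAMPLE" | drop_flows
echo "cleanup commands for drop flows that never matched:"
printf '%s\n' "$SAMPLE" | stale_drop_cmds vlanbr
```

On a live bridge, pipe `ovs-ofctl dump-flows vlanbr | stale_drop_cmds vlanbr` and review the printed commands before running them; a zero hit count only means no packet has matched since the flow was installed, so a rule that is meant as a guard should stay even if it has never fired.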

Short notation

ip     Same as dl_type=0x0800.
icmp   Same as dl_type=0x0800,nw_proto=1.
tcp    Same as dl_type=0x0800,nw_proto=6.
udp    Same as dl_type=0x0800,nw_proto=17.
sctp   Same as dl_type=0x0800,nw_proto=132.
arp    Same as dl_type=0x0806.
rarp   Same as dl_type=0x8035.
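To make the in_port behaviour from the example above concrete, and to show what the short notations expand to, here is a small evaluator for ovs-ofctl match strings. It is an added example, not the author's code and not part of Open vSwitch: it assumes the port map from the example (port1=10.0.0.5, port2=10.0.0.6, port3=10.0.0.7), supports only exact-match fields (no masks or CIDR), and applies the default priority of 32768 that ovs-ofctl add-flow uses when none is given. It runs a TCP request and its reply through both flow tables from the example and reports whether the exchange gets through.

```shell
#!/bin/sh
# Added example (not from the post): a tiny evaluator for ovs-ofctl match strings.
# Assumptions: exact-match fields only (no masks/CIDR); priority defaults to 32768
# as in ovs-ofctl add-flow; constructed port map port1=10.0.0.5, port2=10.0.0.6,
# port3=10.0.0.7.

# expand_match MATCH -> MATCH with the short notations expanded and spaces removed
expand_match() {
    out=""
    for f in $(printf '%s' "$1" | tr -d ' ' | tr ',' ' '); do
        case "$f" in
            ip)   out="$out,dl_type=0x0800" ;;
            icmp) out="$out,dl_type=0x0800,nw_proto=1" ;;
            tcp)  out="$out,dl_type=0x0800,nw_proto=6" ;;
            udp)  out="$out,dl_type=0x0800,nw_proto=17" ;;
            arp)  out="$out,dl_type=0x0806" ;;
            *)    out="$out,$f" ;;
        esac
    done
    printf '%s\n' "${out#,}"
}

# has_field PACKET KEY=VALUE -> succeeds if the packet carries exactly that field
has_field() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# lookup FLOWS PACKET -> action of the highest-priority flow matching PACKET;
# FLOWS holds one "match actions=X" line per flow; NORMAL if nothing matches
lookup() {
    best_prio=-1
    best_action=NORMAL
    while IFS= read -r flow; do
        [ -n "$flow" ] || continue
        action=${flow##*actions=}
        prio=32768
        ok=1
        for f in $(expand_match "${flow%% actions=*}" | tr ',' ' '); do
            case "$f" in
                priority=*) prio=${f#priority=} ;;
                *) has_field "$2" "$f" || ok=0 ;;
            esac
        done
        if [ "$ok" -eq 1 ] && [ "$prio" -gt "$best_prio" ]; then
            best_prio=$prio
            best_action=$action
        fi
    done <<EOF
$1
EOF
    printf '%s\n' "$best_action"
}

# port_of IP -> OpenFlow port the host with that IP sits on (constructed map)
port_of() {
    case "$1" in
        10.0.0.5) echo 1 ;;
        10.0.0.6) echo 2 ;;
        10.0.0.7) echo 3 ;;
        *)        echo 0 ;;
    esac
}

# tcp_packet SRC DST -> fields of a TCP packet from SRC as it enters the bridge
tcp_packet() {
    printf 'in_port=%s,dl_type=0x0800,nw_proto=6,nw_src=%s,nw_dst=%s\n' \
        "$(port_of "$1")" "$1" "$2"
}

# exchange FLOWS SRC DST -> "pass" if both the request and the reply get through
exchange() {
    req=$(lookup "$1" "$(tcp_packet "$2" "$3")")
    rep=$(lookup "$1" "$(tcp_packet "$3" "$2")")
    if [ "$req" = drop ] || [ "$rep" = drop ]; then echo drop; else echo pass; fi
}

# The two flow tables from the example, each with the priority=0 NORMAL fallback
FLOWS_DST='in_port=3,tcp,nw_dst=10.0.0.5 actions=drop
priority=0 actions=NORMAL'
FLOWS_ANY='in_port=3,tcp actions=drop
priority=0 actions=NORMAL'

for pair in "10.0.0.5 10.0.0.6" "10.0.0.5 10.0.0.7" "10.0.0.6 10.0.0.5" \
            "10.0.0.6 10.0.0.7" "10.0.0.7 10.0.0.5" "10.0.0.7 10.0.0.6"; do
    set -- $pair
    printf '%s -> %s : nw_dst rule %s, any-tcp rule %s\n' "$1" "$2" \
        "$(exchange "$FLOWS_DST" "$1" "$2")" "$(exchange "$FLOWS_ANY" "$1" "$2")"
done
```

The output reproduces the yes/drop table above for the nw_dst rule (5->7 and 7->5 drop, everything else passes) and shows that the rule without nw_dst also cuts 6->7 and 7->6, because the reply or request from port 3 is dropped whichever side starts the connection.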

Commands that did not work

QOS

ovs-vsctl set Interface vlandrop ingress_policing_rate=100
ovs-vsctl set Interface vlandrop ingress_policing_burst=10

Install the latest version of Open vSwitch:

http://www.docoreos.com/?p=79

To listen on an arbitrary port inside a namespace for testing

You can change 80 to any port number you wish.

python -m SimpleHTTPServer 80
