OVS Study Notes: Practicing Common Commands

Control and Management

  • Create a bridge
$ ovs-vsctl add-br testbr
  • View bridges and ports
$ ovs-vsctl show
b66c0897-27c9-441a-9486-42cfb65a4649
    Bridge testbr
        Port testbr
            Interface testbr
                type: internal
    ovs_version: "2.5.5"
  • Bridge port operations
$ ovs-vsctl add-port br0 eth1
$ ovs-vsctl del-port br0 eth1
  • View the flow table
$ ovs-ofctl dump-flows testbr
NXST_FLOW reply (xid=0x4):
cookie=0x0, duration=364.789s, table=0, n_packets=0, n_bytes=0, idle_age=364, priority=0 actions=NORMAL
  • Controller configuration
# Set the controller
$ ovs-vsctl set-controller testbr tcp:10.180.9.62:6633
$ ovs-vsctl show
b66c0897-27c9-441a-9486-42cfb65a4649
    Bridge testbr
        Controller "tcp:10.180.9.62:6633"
        Port testbr
            Interface testbr
                type: internal
    ovs_version: "2.5.5"
# List controllers
$ ovs-vsctl list controller
_uuid : 2fe35662-3f4f-446b-9296-6f1eae38ba5e
connection_mode : []
controller_burst_limit: []
controller_rate_limit: []
enable_async_messages: []
external_ids : {}
inactivity_probe : []
is_connected : true
local_gateway : []
local_ip : []
local_netmask : []
max_backoff : []
other_config : {}
role : other
status : {sec_since_connect="4", state=ACTIVE}
target : "tcp:10.180.9.62:6633"
# Remove the controller
$ ovs-vsctl del-controller testbr
  • Interfaces
$ ovs-ofctl dump-ports s1
OFPST_PORT reply (xid=0x2): 3 ports
  port LOCAL: rx pkts=0, bytes=0, drop=94, errs=0, frame=0, over=0, crc=0
           tx pkts=0, bytes=0, drop=0, errs=0, coll=0
  port 1: rx pkts=124, bytes=8418, drop=0, errs=0, frame=0, over=0, crc=0
           tx pkts=130, bytes=8898, drop=0, errs=0, coll=0
  port 2: rx pkts=123, bytes=8340, drop=0, errs=0, frame=0, over=0, crc=0
           tx pkts=130, bytes=8886, drop=0, errs=0, coll=0
$ ovs-appctl dpif/show
system@ovs-system: hit:318465 missed:735
    s1:
        s1 65534/3: (internal)
        s1-eth1 1/2: (system)
        s1-eth2 2/1: (system)

Flow Tables

Flow table operations

View flows

$ ovs-ofctl dump-flows s1
NXST_FLOW reply (xid=0x4):
cookie=0x0, duration=356.689s, table=0, n_packets=708, n_bytes=42480, idle_age=0, priority=65535,dl_dst=01:80:c2:00:00:0e,dl_type=0x88cc actions=CONTROLLER:65535
cookie=0x0, duration=356.699s, table=0, n_packets=94, n_bytes=7488, idle_age=346, priority=0 actions=CONTROLLER:65535

Add a basic flow

$ ovs-ofctl add-flow s1 in_port=1,actions=drop
$ ovs-ofctl dump-flows s1
NXST_FLOW reply (xid=0x4):
cookie=0x0, duration=441.879s, table=0, n_packets=878, n_bytes=52680, idle_age=0, priority=65535,dl_dst=01:80:c2:00:00:0e,dl_type=0x88cc actions=CONTROLLER:65535
cookie=0x0, duration=2.861s, table=0, n_packets=0, n_bytes=0, idle_age=2, in_port=1 actions=drop
cookie=0x0, duration=441.889s, table=0, n_packets=94, n_bytes=7488, idle_age=432, priority=0 actions=CONTROLLER:65535

Delete flows by match

$ ovs-ofctl del-flows s1 "in_port=1"
mininet> sh ovs-ofctl dump-flows s1
NXST_FLOW reply (xid=0x4):
cookie=0x0, duration=521.249s, table=0, n_packets=1036, n_bytes=62160, idle_age=0, priority=65535,dl_dst=01:80:c2:00:00:0e,dl_type=0x88cc actions=CONTROLLER:65535
cookie=0x0, duration=521.259s, table=0, n_packets=94, n_bytes=7488, idle_age=511, priority=0 actions=CONTROLLER:65535

Common match fields

VLAN Tag

$ ovs-ofctl add-flow s1 priority=401,in_port=1,dl_vlan=777,actions=output:2
$ ovs-ofctl dump-flows s1
NXST_FLOW reply (xid=0x4):
cookie=0x0, duration=663.043s, table=0, n_packets=1318, n_bytes=79080, idle_age=0, priority=65535,dl_dst=01:80:c2:00:00:0e,dl_type=0x88cc actions=CONTROLLER:65535
cookie=0x0, duration=3.022s, table=0, n_packets=0, n_bytes=0, idle_age=3, priority=401,in_port=1,dl_vlan=777 actions=output:2
cookie=0x0, duration=663.053s, table=0, n_packets=94, n_bytes=7488, idle_age=653, priority=0 actions=CONTROLLER:65535

MAC

$ ovs-ofctl add-flow s3 in_port=1,dl_src=0a:f6:95:7e:c6:4a/0a:f6:95:7e:c6:4a,action=output:3
$ ovs-ofctl add-flow s3 in_port=1,dl_dst=be:7c:6a:e9:e6:b1/be:7c:6a:e9:e6:b1,action=output:2
$ ovs-ofctl dump-flows s3
NXST_FLOW reply (xid=0x4):
cookie=0x0, duration=69.067s, table=0, n_packets=0, n_bytes=0, idle_age=69, in_port=1,dl_src=0a:f6:95:7e:c6:4a/0a:f6:95:7e:c6:4a actions=output:3
cookie=0x0, duration=14.496s, table=0, n_packets=0, n_bytes=0, idle_age=14, in_port=1,dl_dst=be:7c:6a:e9:e6:b1/be:7c:6a:e9:e6:b1 actions=output:2

IP

$ ovs-ofctl add-flow s3 ip,in_port=1,nw_src=192.168.0.0/16,action=drop
$ ovs-ofctl add-flow s3 ip,in_port=1,nw_dst=192.168.0.0/16,action=drop
$ ovs-ofctl dump-flows s3
NXST_FLOW reply (xid=0x4):
cookie=0x0, duration=119.033s, table=0, n_packets=119, n_bytes=7140, idle_age=0, priority=65535,dl_dst=01:80:c2:00:00:0e,dl_type=0x88cc actions=CONTROLLER:65535
cookie=0x0, duration=28.864s, table=0, n_packets=0, n_bytes=0, idle_age=28, ip,in_port=1,nw_src=192.168.0.0/16 actions=drop
cookie=0x0, duration=10.036s, table=0, n_packets=0, n_bytes=0, idle_age=10, ip,in_port=1,nw_dst=192.168.0.0/16 actions=drop
cookie=0x0, duration=119.057s, table=0, n_packets=90, n_bytes=7164, idle_age=109, priority=0 actions=CONTROLLER:65535

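Other

| Match field | Keyword | Condition | Example |
|---|---|---|---|
| Ethernet type | dl_type | | in_port=1,dl_type=0x0806,actions=output:2 |
| Protocol number | nw_proto | Requires dl_type=0x0800 or ip | ip,in_port=1,nw_proto=1,actions=output:2 |
| TCP flags | tcp_flags | Requires tcp | tcp,tcp_flags=ack,actions=output:2 |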

Shorthand keywords

| Shorthand | Equivalent match |
|---|---|
| ip | dl_type=0x800 |
| ipv6 | dl_type=0x86dd |
| icmp | dl_type=0x0800,nw_proto=1 |
| icmp6 | dl_type=0x86dd,nw_proto=58 |
| tcp | dl_type=0x0800,nw_proto=6 |
| tcp6 | dl_type=0x86dd,nw_proto=6 |
| udp | dl_type=0x0800,nw_proto=17 |
| udp6 | dl_type=0x86dd,nw_proto=17 |
| arp | dl_type=0x0806 |

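Actions

Basic actions

| Action | Description | Example |
|---|---|---|
| normal | L2/L3 processing | actions=normal |
| output | Egress port | actions=output:2 |
| group | The specified group | actions=group:1 |
| flood | Forward out all physical ports except the ingress port and ports with flooding disabled | actions=flood |
| all | Forward out all physical ports except the ingress port | actions=all |
| local | Forward to the local bridge port | actions=local |
| in_port | Forward back out the ingress port | actions=in_port |
| controller | Send to the controller as a packet-in message | actions=controller |
| drop | Drop the packet | actions=drop |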

Modify the VLAN ID

  • Keyword: mod_vlan_vid

  • Example

    $ ovs-ofctl add-flow s1 in_port=1,actions=mod_vlan_vid:1034,output:2

Strip the VLAN tag

  • Keyword: strip_vlan

  • Example

    $ ovs-ofctl add-flow s1 in_port=1,actions=strip_vlan,output:2

Pop the outermost VLAN tag

  • Keyword: pop_vlan

  • Example

    $ ovs-ofctl add-flow br0 in_port=1,dl_type=0x8100,dl_vlan=777,actions=pop_vlan,output:2

Modify the source/destination MAC

  • Keyword: mod_dl_src / mod_dl_dst

  • Example

    $ ovs-ofctl add-flow s1 in_port=1,actions=mod_dl_src:01:80:c2:00:00:0e,output:2
    $ ovs-ofctl add-flow s1 in_port=1,actions=mod_dl_dst:01:80:c2:00:00:0e,output:2

Modify the source/destination IP

  • Keyword: mod_nw_src / mod_nw_dst

  • Example

    $ ovs-ofctl add-flow s1 in_port=1,actions=mod_nw_src:192.168.0.10,output:2
    $ ovs-ofctl add-flow s1 in_port=1,actions=mod_nw_dst:192.168.0.10,output:2

Modify the TCP/UDP port

  • Keyword: mod_tp_src / mod_tp_dst

  • Example

    $ ovs-ofctl add-flow s1 tcp,in_port=1,actions=mod_tp_src:1039,output:2
    $ ovs-ofctl add-flow s1 tcp,in_port=1,actions=mod_tp_dst:21,output:2
    $ ovs-ofctl add-flow s1 udp,in_port=1,actions=mod_tp_src:1039,output:2
    $ ovs-ofctl add-flow s1 udp,in_port=1,actions=mod_tp_dst:53,output:2

VxLan

  • Create a VxLAN interface

    $ ovs-vsctl add-port s3 vxlan1 -- set Interface vxlan1 type=vxlan options:remote_ip=1.1.1.1 ofport_request=2000
    $ ovs-vsctl show
    Bridge "s3"
        Controller "tcp:10.180.9.62:6633"
        Controller "ptcp:6636"
        fail_mode: secure
        Port "s3-eth2"
            Interface "s3-eth2"
        Port "vxlan1"
            Interface "vxlan1"
                type: vxlan
                options: {remote_ip="1.1.1.1"}
        Port "s3-eth3"
            Interface "s3-eth3"
        Port "s3-eth1"
            Interface "s3-eth1"
        Port "s3"
            Interface "s3"
                type: internal
  • VxLAN flows

    $ ovs-ofctl add-flow s3 ip,in_port=1,nw_dst=192.168.0.0/16,actions=output:2000
    $ ovs-ofctl add-flow s3 in_port=2000,actions=output:1
    $ ovs-ofctl dump-flows s3
    NXST_FLOW reply (xid=0x4):
    cookie=0x0, duration=35.227s, table=0, n_packets=0, n_bytes=0, idle_age=35, ip,in_port=1,nw_dst=192.168.0.0/16 actions=output:2000
    cookie=0x0, duration=2.469s, table=0, n_packets=0, n_bytes=0, idle_age=2, in_port=2000 actions=output:1

Lab

Topology

                +------------+
                |     s2     |
                +---+----+---+
                    |    |
         +----------+    +----------+
         |                          |
+--------+--------+        +--------+--------+
|       s3        |        |       s4        |
+---+---------+---+        +---+---------+---+
    |         |                |         |
+---+--+   +--+---+        +---+--+   +--+---+
|  h1  |   |  h2  |        |  h3  |   |  h4  |
+------+   +------+        +------+   +------+

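Requirements

  1. h1 can communicate with h3, but not with h2 or h4
  2. h2 can communicate with h4, but not with h1 or h3

Procedure

  1. Frames sent by h1 are tagged with VLAN 1000 on s3
  2. s3 then forwards the frame to s2
  3. s2 receives the VLAN 1000 frame from s3 and forwards it directly to s4
  4. s4 receives the VLAN 1000 frame, strips the VLAN tag, and delivers it to h3
  5. h3 receives the request and sends a reply toward s4
  6. s4 receives the frame from h3 and tags it with VLAN 1000
  7. s4 then forwards the frame to s2
  8. s2 receives the VLAN 1000 frame from s4 and forwards it directly to s3
  9. s3 receives the VLAN 1000 frame from s2, strips the VLAN tag, and delivers it to h1

h1-h3 flows

$ ovs-ofctl dump-flows s2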
NXST_FLOW reply (xid=0x4):
cookie=0x0, duration=1664.027s, table=0, n_packets=79, n_bytes=4026, idle_age=803, in_port=1,dl_vlan=1000 actions=output:2
cookie=0x0, duration=1642.112s, table=0, n_packets=10, n_bytes=852, idle_age=803, in_port=2,dl_vlan=1000 actions=output:1

$ ovs-ofctl dump-flows s3
NXST_FLOW reply (xid=0x4):
cookie=0x0, duration=2826.459s, table=0, n_packets=330, n_bytes=14700, idle_age=807, in_port=1 actions=mod_vlan_vid:1000,output:3
cookie=0x0, duration=1895.062s, table=0, n_packets=10, n_bytes=852, idle_age=807, in_port=3,dl_vlan=1000 actions=strip_vlan,output:1

$ ovs-ofctl dump-flows s4
NXST_FLOW reply (xid=0x4):
cookie=0x0, duration=2776.175s, table=0, n_packets=229, n_bytes=10010, idle_age=810, in_port=1 actions=mod_vlan_vid:1000,output:3
cookie=0x0, duration=1507.500s, table=0, n_packets=10, n_bytes=852, idle_age=810, in_port=3,dl_vlan=1000 actions=strip_vlan,output:1

h2-h4 flows

$ ovs-ofctl dump-flows s2
NXST_FLOW reply (xid=0x4):
cookie=0x0, duration=827.167s, table=0, n_packets=60, n_bytes=2816, idle_age=698, in_port=2,dl_vlan=2000 actions=output:1
cookie=0x0, duration=812.342s, table=0, n_packets=60, n_bytes=2816, idle_age=698, in_port=1,dl_vlan=2000 actions=output:2

$ ovs-ofctl dump-flows s3
NXST_FLOW reply (xid=0x4):
cookie=0x0, duration=1347.703s, table=0, n_packets=60, n_bytes=2576, idle_age=702, in_port=2 actions=mod_vlan_vid:2000,output:3
cookie=0x0, duration=710.639s, table=0, n_packets=3, n_bytes=194, idle_age=702, in_port=3,dl_vlan=2000 actions=strip_vlan,output:2

$ ovs-ofctl dump-flows s4
NXST_FLOW reply (xid=0x4):
cookie=0x0, duration=1133.570s, table=0, n_packets=60, n_bytes=2576, idle_age=705, in_port=2 actions=mod_vlan_vid:2000,output:3
cookie=0x0, duration=1088.590s, table=0, n_packets=60, n_bytes=2816, idle_age=705, in_port=3,dl_vlan=2000 actions=strip_vlan,output:2

Command list

  • h1-h3
ovs-ofctl add-flow s2 in_port=1,dl_vlan=1000,actions=output:2
ovs-ofctl add-flow s2 in_port=2,dl_vlan=1000,actions=output:1
ovs-ofctl add-flow s3 in_port=1,actions=mod_vlan_vid:1000,output:3
ovs-ofctl add-flow s3 in_port=3,dl_vlan=1000,actions=strip_vlan,output:1
ovs-ofctl add-flow s4 in_port=1,actions=mod_vlan_vid:1000,output:3
ovs-ofctl add-flow s4 in_port=3,dl_vlan=1000,actions=strip_vlan,output:1
  • h2-h4
ovs-ofctl add-flow s2 in_port=2,dl_vlan=2000,actions=output:1
ovs-ofctl add-flow s2 in_port=1,dl_vlan=2000,actions=output:2
ovs-ofctl add-flow s3 in_port=2,actions=mod_vlan_vid:2000,output:3
ovs-ofctl add-flow s3 in_port=3,dl_vlan=2000,actions=strip_vlan,output:2
ovs-ofctl add-flow s4 in_port=2,actions=mod_vlan_vid:2000,output:3
ovs-ofctl add-flow s4 in_port=3,dl_vlan=2000,actions=strip_vlan,output:2