Introduction to Neutron allowed address pairs


When security groups are enabled in Neutron, anti-spoofing filtering is turned on as well. A VM can then only send traffic using the MAC and IP addresses configured on its own Neutron port; packets with any other source address are dropped. To let a VM use an additional address (for example a VIP shared between two instances), you need the allowed address pairs feature.

Introduction

The anti-spoofing check is implemented with iptables by the security group firewall driver. For the port whose ID begins with 08ccf4de-f, the per-port egress chain neutron-openvswi-o08ccf4de-f jumps into the anti-spoofing chain neutron-openvswi-s08ccf4de-f before the security group rules are evaluated:

# iptables -nvL neutron-openvswi-o08ccf4de-f
Chain neutron-openvswi-o08ccf4de-f (2 references)
 pkts bytes target     prot opt in     out     source               destination
    8  2716 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:68 dpt:67
 119K   11M neutron-openvswi-s08ccf4de-f  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
 116K 9490K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 1906 1356K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0


# iptables -nvL neutron-openvswi-s08ccf4de-f
Chain neutron-openvswi-s08ccf4de-f (1 references)
 pkts bytes target     prot opt in     out     source               destination
53112 6436K RETURN     all  --  *      *       10.224.148.51        0.0.0.0/0           MAC FA:16:3E:38:38:90
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

10.224.148.51 is this VM's IP. Only packets whose source IP is 10.224.148.51 and whose source MAC is the port's MAC fa:16:3e:38:38:90 are returned to the egress chain; any other source IP (or a different source MAC) hits the final rule and is dropped.

The allowed address pairs extension is documented in the Networking API v2.0 reference:

http://docs.openstack.org/api/openstack-network/2.0/content/allowed_address_pair_ext.html

During testing I used the following API call to set an allowed address pair on the port:

curl -i https://10.224.159.113:443/v2.0/ports/08ccf4de-f6e2-4d4d-bcdf-55532e93f32f -X PUT -d '{"port":{"allowed_address_pairs":[{"ip_address": "10.224.148.59"}]}}' -H "X-Auth-Token: 1969e5caed5949b98c64a2556d5b43e2" -H "Accept: application/json" -H "Content-Type: application/json"

The equivalent neutron CLI command:

neutron port-update 08ccf4de-f6e2-4d4d-bcdf-55532e93f32f  --allowed-address-pairs type=dict list=true ip_address=10.224.148.59

After the update, neutron port-show displays the allowed_address_pairs field. Note that no mac_address was given in the request; Neutron filled it in with the port's own MAC:

+-----------------------+--------------------------------------------------------------------------------------+
| Field                 | Value                                                                                |
+-----------------------+--------------------------------------------------------------------------------------+
| admin_state_up        | True                                                                                 |
| allowed_address_pairs | {"ip_address": "10.224.148.59", "mac_address": "fa:16:3e:38:38:90"}                  |
| binding:capabilities  | {"port_filter": true}                                                                |
| binding:host_id       | compute-1                                                                            |
| binding:vif_type      | ovs                                                                                  |
| device_id             | 232e6621-69cc-4631-8996-732d32e9e5a4                                                 |
| device_owner          | compute:nova                                                                         |
| extra_dhcp_opts       |                                                                                      |
| fixed_ips             | {"subnet_id": "bf4e762a-b4b4-4f03-80ea-20dd30ba7159", "ip_address": "10.224.148.51"} |
| id                    | 08ccf4de-f6e2-4d4d-bcdf-55532e93f32f                                                 |
| mac_address           | fa:16:3e:38:38:90                                                                    |
| name                  |                                                                                      |
| network_id            | 218203a4-bc92-4c0e-a245-654e0e3ccefe                                                 |
| security_groups       | 6fbd7353-ccfa-4e16-864b-79b74409d39f                                                 |
| status                | ACTIVE                                                                               |
| tenant_id             | 097ee4a7afe0436d8c261dd0aa131fd5                                                     |
+-----------------------+--------------------------------------------------------------------------------------+

The security group iptables rules for the port change accordingly: the anti-spoofing chain now contains a RETURN rule for 10.224.148.59, still bound to the port's MAC, ahead of the original fixed IP rule:

# iptables -nvL neutron-openvswi-s08ccf4de-f
Chain neutron-openvswi-s08ccf4de-f (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   252 RETURN     all  --  *      *       10.224.148.59        0.0.0.0/0           MAC FA:16:3E:38:38:90
53112 6436K RETURN     all  --  *      *       10.224.148.51        0.0.0.0/0           MAC FA:16:3E:38:38:90
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

At this point the VM's VIP 10.224.148.59 can communicate with the outside world. Two things to keep in mind: an allowed address pair only relaxes the anti-spoofing check on that one port, so every port that may carry the VIP (for instance both members of an HA pair) needs its own entry, and the normal security group rules still apply to the traffic. Also, ip_address accepts a CIDR as well as a single address; an entry such as 0.0.0.0/0 effectively disables anti-spoofing for the port and should be avoided.
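The following Python script is an added example, not code from the original post or from Neutron itself. It models the whole procedure above offline: it builds the JSON body for the PUT /v2.0/ports/{id} request, applies it to a constructed port record copied from the port-show output on this page (the MAC defaulting is an assumption based on that output), renders the anti-spoofing chain the iptables firewall driver would produce, and emulates the chain's decision for a given source IP and MAC. The chain naming (neutron-openvswi-s plus the first ten characters of the port ID) is a simplification that matches the chain names shown above; the CIDR handling goes beyond the single address the post uses.

```python
import ipaddress
import json

# Constructed sample port, values copied from the port-show output on this page.
# It is a local dict, not the result of a real API call.
SAMPLE_PORT = {
    "id": "08ccf4de-f6e2-4d4d-bcdf-55532e93f32f",
    "mac_address": "fa:16:3e:38:38:90",
    "fixed_ips": [{"subnet_id": "bf4e762a-b4b4-4f03-80ea-20dd30ba7159",
                   "ip_address": "10.224.148.51"}],
    "allowed_address_pairs": [],
}


def allowed_address_pairs_body(pairs):
    """JSON body for PUT /v2.0/ports/<id> setting allowed_address_pairs.

    `pairs` is a list of (ip_or_cidr, mac_or_None). A pair with mac None is
    sent without mac_address; Neutron then stores the port's own MAC for it.
    """
    aap = []
    for ip, mac in pairs:
        entry = {"ip_address": ip}
        if mac is not None:
            entry["mac_address"] = mac
        aap.append(entry)
    return {"port": {"allowed_address_pairs": aap}}


def apply_pairs_locally(port, pairs):
    """Copy of `port` as it would look after the update: missing MACs default
    to the port MAC (assumption based on the port-show output), lower-cased."""
    updated = dict(port)
    updated["allowed_address_pairs"] = [
        {"ip_address": ip, "mac_address": (mac or port["mac_address"]).lower()}
        for ip, mac in pairs
    ]
    return updated


def spoof_chain_entries(port):
    """(network, mac) RETURN rules of the per-port anti-spoofing chain.

    One RETURN per allowed address pair (listed first, as on the page), then
    one per fixed IP with the port MAC; everything else falls through to DROP.
    """
    entries = [(ipaddress.ip_network(p["ip_address"], strict=False),
                p["mac_address"].lower())
               for p in port.get("allowed_address_pairs", [])]
    entries += [(ipaddress.ip_network(f["ip_address"]), port["mac_address"].lower())
                for f in port["fixed_ips"]]
    return entries


def source_allowed(port, src_ip, src_mac):
    """Emulate the chain for one egress packet: True on the first matching
    source/MAC rule (RETURN), False if it reaches the trailing DROP."""
    ip = ipaddress.ip_address(src_ip)
    mac = src_mac.lower()
    for net, rule_mac in spoof_chain_entries(port):
        if ip in net and mac == rule_mac:
            return True
    return False


def render_chain(port):
    """Render the chain in iptables -S style for comparison with the real host."""
    chain = "neutron-openvswi-s" + port["id"][:10]  # simplified naming, matches the page
    lines = [f"-A {chain} -s {net} -m mac --mac-source {mac.upper()} -j RETURN"
             for net, mac in spoof_chain_entries(port)]
    lines.append(f"-A {chain} -j DROP")
    return lines


if __name__ == "__main__":
    vip_pair = [("10.224.148.59", None)]
    print(json.dumps(allowed_address_pairs_body(vip_pair)))
    before, after = SAMPLE_PORT, apply_pairs_locally(SAMPLE_PORT, vip_pair)
    print("\n".join(render_chain(after)))
    # The VIP is dropped before the update and returned after it.
    print(source_allowed(before, "10.224.148.59", "fa:16:3e:38:38:90"))
    print(source_allowed(after, "10.224.148.59", "fa:16:3e:38:38:90"))
```

Running the script prints the request body, the two RETURN rules plus the DROP that appear in the post's second iptables listing, and False/True for the VIP before and after the update. Because the emulation also accepts CIDRs, it is a quick way to see how much of the address space a proposed pair such as 10.224.148.0/24 would open on the port before you push it to the API.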
