
Neutron Havana allowed address pairs


When Neutron security groups are enabled, anti-spoofing is switched on as well. An application may, however, maintain its own VIP, and that is what the allowed address pairs feature is for.

Introduction

The feature is implemented with iptables; the rules look like this:

# iptables -nvL neutron-openvswi-o08ccf4de-f
Chain neutron-openvswi-o08ccf4de-f (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    8  2716 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:68 dpt:67 
 119K   11M neutron-openvswi-s08ccf4de-f  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
 116K 9490K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
 1906 1356K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0 


# iptables -nvL neutron-openvswi-s08ccf4de-f
Chain neutron-openvswi-s08ccf4de-f (1 references)
 pkts bytes target     prot opt in     out     source               destination         
53112 6436K RETURN     all  --  *      *       10.224.148.51        0.0.0.0/0           MAC FA:16:3E:38:38:90 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0 

10.224.148.51 is this VM's IP; as the chain shows, packets from any source address other than this IP are dropped.

The allowed address pairs extension is documented here:

http://docs.openstack.org/api/openstack-network/2.0/content/allowed_address_pair_ext.html

In my test I set the allowed address pair with the following API call:

curl -i https://10.224.159.113:443/v2.0/ports/08ccf4de-f6e2-4d4d-bcdf-55532e93f32f -X PUT -d '{"port":{"allowed_address_pairs":[{"ip_address": "10.224.148.59"}]}}' -H "X-Auth-Token: 1969e5caed5949b98c64a2556d5b43e2" -H "Accept: application/json" -H "Content-Type: application/json"

CLI:

neutron port-update 08ccf4de-f6e2-4d4d-bcdf-55532e93f32f --allowed-address-pairs type=dict list=true ip_address=10.224.148.59

After the update, port-list shows the allowed_address_pairs information:

+-----------------------+--------------------------------------------------------------------------------------+  
| Field                 | Value                                                                                |  
+-----------------------+--------------------------------------------------------------------------------------+  
| admin_state_up        | True                                                                                 |  
| allowed_address_pairs | {"ip_address": "10.224.148.59", "mac_address": "fa:16:3e:38:38:90"}                  |  
| binding:capabilities  | {"port_filter": true}                                                                |  
| binding:host_id       | compute-1                                                                            |  
| binding:vif_type      | ovs                                                                                  |  
| device_id             | 232e6621-69cc-4631-8996-732d32e9e5a4                                                 |  
| device_owner          | compute:nova                                                                         |  
| extra_dhcp_opts       |                                                                                      |  
| fixed_ips             | {"subnet_id": "bf4e762a-b4b4-4f03-80ea-20dd30ba7159", "ip_address": "10.224.148.51"} |  
| id                    | 08ccf4de-f6e2-4d4d-bcdf-55532e93f32f                                                 |  
| mac_address           | fa:16:3e:38:38:90                                                                    |  
| name                  |                                                                                      |  
| network_id            | 218203a4-bc92-4c0e-a245-654e0e3ccefe                                                 |  
| security_groups       | 6fbd7353-ccfa-4e16-864b-79b74409d39f                                                 |  
| status                | ACTIVE                                                                               |  
| tenant_id             | 097ee4a7afe0436d8c261dd0aa131fd5                                                     |  
+-----------------------+--------------------------------------------------------------------------------------+  

The security group iptables rules change as follows:

# iptables -nvL neutron-openvswi-s08ccf4de-f  
Chain neutron-openvswi-s08ccf4de-f (1 references)  
 pkts bytes target     prot opt in     out     source               destination           
    3   252 RETURN     all  --  *      *       10.224.148.59        0.0.0.0/0           MAC FA:16:3E:38:38:90   
53112 6436K RETURN     all  --  *      *       10.224.148.51        0.0.0.0/0           MAC FA:16:3E:38:38:90   
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   

At this point the VM's VIP 10.224.148.59 can communicate with the outside world.
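To check that the per-port source chain on the compute node really matches the port's fixed IP plus its allowed address pairs, here is an added Python example (not part of the original post or of Neutron): it parses the `iptables -nvL` output of the neutron-openvswi-s chain and diffs it against the port JSON. The chain text and the port dictionary are constructed samples built from the values shown above.

```python
import re
# Constructed sample: the per-port source chain as printed by "iptables -nvL" (values from the post).
CHAIN_BEFORE = """\
Chain neutron-openvswi-s08ccf4de-f (1 references)
 pkts bytes target     prot opt in     out     source               destination
53112 6436K RETURN     all  --  *      *       10.224.148.51        0.0.0.0/0           MAC FA:16:3E:38:38:90
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
# Same chain after the port-update above added the VIP 10.224.148.59.
CHAIN_AFTER = """\
Chain neutron-openvswi-s08ccf4de-f (1 references)
    3   252 RETURN     all  --  *      *       10.224.148.59        0.0.0.0/0           MAC FA:16:3E:38:38:90
53112 6436K RETURN     all  --  *      *       10.224.148.51        0.0.0.0/0           MAC FA:16:3E:38:38:90
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
# Constructed sample: trimmed port body as returned by GET /v2.0/ports/<id>.
PORT = {
    "mac_address": "fa:16:3e:38:38:90",
    "fixed_ips": [{"subnet_id": "bf4e762a-b4b4-4f03-80ea-20dd30ba7159", "ip_address": "10.224.148.51"}],
    "allowed_address_pairs": [{"ip_address": "10.224.148.59", "mac_address": "fa:16:3e:38:38:90"}],
}
# One rule line: pkts bytes target prot opt in out source destination [MAC xx:xx:xx:xx:xx:xx]
RULE_RE = re.compile(r"^\s*\S+\s+\S+\s+(RETURN|DROP)\s+all\s+--\s+\S+\s+\S+\s+(\S+)\s+\S+(?:\s+MAC\s+(\S+))?\s*$")

def parse_source_chain(text):
    """Return the (ip, mac) pairs the chain lets through and whether it ends in a catch-all DROP."""
    allowed, catch_all_drop = set(), False
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # chain header or column header
        target, src, mac = m.groups()
        if target == "RETURN" and mac:
            allowed.add((src, mac.lower()))
        elif target == "DROP" and src == "0.0.0.0/0":
            catch_all_drop = True
    return allowed, catch_all_drop

def expected_pairs(port):
    """Pairs Neutron should whitelist: each fixed IP with the port MAC, plus every allowed address pair."""
    mac = port["mac_address"].lower()
    pairs = {(f["ip_address"], mac) for f in port["fixed_ips"]}
    for p in port.get("allowed_address_pairs", []):
        pairs.add((p["ip_address"], p.get("mac_address", mac).lower()))  # no MAC given: port MAC applies
    return pairs

def audit(chain_text, port):
    """Diff the chain on the compute node against the port definition (missing = VIP traffic dropped)."""
    actual, drop = parse_source_chain(chain_text)
    expected = expected_pairs(port)
    return {"missing": sorted(expected - actual), "unexpected": sorted(actual - expected), "catch_all_drop": drop}
```

An "unexpected" entry means the chain passes a source the port definition does not cover, which is worth investigating; a missing catch-all DROP means the anti-spoofing protection is not in effect for that port.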

Done.
