Analysis of North-South data flow in openstack (pike) dvr

2025-03-28 Update From: SLTechnology News&Howtos (Servers)

Shulou (Shulou.com) 06/02 Report

1 The connections between the components in the DVR environment are shown in the figure.

2 Accessing a virtual machine from outside through its floating IP: ping the floating IP 192.168.100.190

The data flow is shown in the figure.

2.1 Resolving the MAC address

A machine on the public network first has to resolve, via ARP, the MAC address that corresponds to the virtual machine's floating IP. The floating IP is not configured on any port of the fip namespace, so fip cannot answer that ARP request directly. What does Neutron do? It enables proxy ARP on the fg port of the fip namespace, so that fip answers ARP requests both for the IP addresses on its own interfaces and for IP addresses that can be routed through it.

proxy_arp configured in the fip netns:

[root@compute ~]# ip netns exec fip-82d87e5f-167e-4525-90b2-c8f340630a1e sysctl net.ipv4.conf.fg-42d94dcb-8b.proxy_arp
net.ipv4.conf.fg-42d94dcb-8b.proxy_arp = 1

On receiving the ARP request, the fip netns replies with the MAC address of its fg interface. Once the machine on the public network has a MAC address for the floating IP, it sends the ICMP packet.

2.2 Routing from the fip netns down to the qrouter netns

The packet crosses br-ex and is received on the fg port of the fip netns. The routing lookup matches the host route for 192.168.100.190, so the packet leaves through the fpr interface toward 169.254.106.114.

ip netns exec fip-82d87e5f-167e-4525-90b2-c8f340630a1e ip route
169.254.106.114/31 dev fpr-b2ce2e13-1 proto kernel scope link src 169.254.106.115
192.168.100.0/24 dev fg-42d94dcb-8b proto kernel scope link src 192.168.100.184
192.168.100.190 via 169.254.106.114 dev fpr-b2ce2e13-1

The fpr and rfp interfaces are the two ends of a veth pair: packets sent out of fpr are received on rfp-b2ce2e13-1 in the qrouter netns at the other end.

The rfp-b2ce2e13-1 port of the qrouter netns carries the address 169.254.106.114/31:

[root@compute ~]# ip netns exec qrouter-b2ce2e13-127d-491a-a669-ff07263e3751 ip addr
1: lo: mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: rfp-b2ce2e13-1: mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether b2:e7:86:35:3d:ac brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 169.254.106.114/31 scope global rfp-b2ce2e13-1
       valid_lft forever preferred_lft forever
    inet6 fe80::b0e7:86ff:fe35:3dac/64 scope link
       valid_lft forever preferred_lft forever
134: qr-d2b8d53f-64: mtu 1400 qdisc noqueue state UNKNOWN qlen 1000
    link/ether fa:16:3e:02:97:ab brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global qr-d2b8d53f-64
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe02:97ab/64 scope link
       valid_lft forever preferred_lft forever

2.3 DNAT

In the qrouter netns, DNAT is applied first (PREROUTING chain, only for packets arriving on the rfp interface):

-A neutron-l3-agent-PREROUTING -d 192.168.100.190/32 -i rfp-b2ce2e13-1 -j DNAT --to-destination 172.17.0.7

After DNAT, the destination IP is 172.17.0.7.

2.4 Re-routing after DNAT

Look up the main routing table of qrouter: the second entry matches, so the packet is sent out of qr-d2b8d53f-64.

ip netns exec qrouter-b2ce2e13-127d-491a-a669-ff07263e3751 ip route
169.254.106.114/31 dev rfp-b2ce2e13-1 proto kernel scope link src 169.254.106.114
172.17.0.0/16 dev qr-d2b8d53f-64 proto kernel scope link src 172.17.0.1

The packet leaves through qr-d2b8d53f-64 onto br-int and reaches the virtual machine.

3 Accessing the public network from a virtual machine that has a floating IP: ping 8.8.8.8 from 172.17.0.7

3.1 Routing

Enter the qrouter netns and view the policy rules: traffic from 172.17.0.7 is looked up in table 16.

[root@compute ~]# ip netns exec qrouter-b2ce2e13-127d-491a-a669-ff07263e3751 ip rule
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
57483:  from 172.17.0.7 lookup 16
2886795265:     from 172.17.0.1/16 lookup 2886795265

[root@compute ~]# ip netns exec qrouter-b2ce2e13-127d-491a-a669-ff07263e3751 ip route list table 16
default via 169.254.106.115 dev rfp-b2ce2e13-1

3.2 SNAT

After routing, SNAT is performed in the netfilter POSTROUTING chain and the source IP is rewritten to 192.168.100.190.

[root@compute ~]# ip netns exec qrouter-b2ce2e13-127d-491a-a669-ff07263e3751 iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N neutron-l3-agent-OUTPUT
-N neutron-l3-agent-POSTROUTING
-N neutron-l3-agent-PREROUTING
-N neutron-l3-agent-float-snat
-N neutron-l3-agent-snat
-N neutron-postrouting-bottom
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-l3-agent-POSTROUTING ! -i rfp-b2ce2e13-1 ! -o rfp-b2ce2e13-1 -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-PREROUTING -d 192.168.100.190/32 -i rfp-b2ce2e13-1 -j DNAT --to-destination 172.17.0.7
-A neutron-l3-agent-float-snat -s 172.17.0.7/32 -j SNAT --to-source 192.168.100.190
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-l3-agent-snat

The packet leaves through rfp-b2ce2e13-1 toward 169.254.106.115. rfp-b2ce2e13-1 and fpr-b2ce2e13-1 of the fip netns are a veth pair, so fpr-b2ce2e13-1 receives the packet.

[root@compute ~]# ip netns exec fip-82d87e5f-167e-4525-90b2-c8f340630a1e ip addr
1: lo: mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: fpr-b2ce2e13-1: mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether aa:f7:5f:31:67:db brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 169.254.106.115/31 scope global fpr-b2ce2e13-1
       valid_lft forever preferred_lft forever
    inet6 fe80::a8f7:5fff:fe31:67db/64 scope link
       valid_lft forever preferred_lft forever
135: fg-42d94dcb-8b: mtu 1500 qdisc noqueue state UNKNOWN qlen 1000
    link/ether fa:16:3e:c0:dc:94 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.184/24 brd 192.168.100.255 scope global fg-42d94dcb-8b
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fec0:dc94/64 scope link
       valid_lft forever preferred_lft forever

3.3 Re-routing in the fip netns

The packet arrives at 169.254.106.115 on fpr-b2ce2e13-1; the fip netns then consults its policy rules and routing tables.

[root@compute ~]# ip netns exec fip-82d87e5f-167e-4525-90b2-c8f340630a1e ip rule
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
2852022899:     from all iif fpr-b2ce2e13-1 lookup 2852022899

[root@compute ~]# ip netns exec fip-82d87e5f-167e-4525-90b2-c8f340630a1e ip route list table 2852022899
default via 192.168.100.1 dev fg-42d94dcb-8b

The packet leaves the fg-42d94dcb-8b port toward 192.168.100.1, which routes and forwards it onward.

4 Accessing the public network from a virtual machine without a floating IP

4.1 Routing in the qrouter netns on the compute node

View the policy rules:

ip netns exec qrouter-b2ce2e13-127d-491a-a669-ff07263e3751 ip rule
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
2886795265:     from 172.17.0.1/16 lookup 2886795265

View routing table 2886795265:

ip netns exec qrouter-b2ce2e13-127d-491a-a669-ff07263e3751 ip route list table 2886795265
default via 172.17.0.10 dev qr-d2b8d53f-64

There is a single route: out through the qr port to the next hop 172.17.0.10.

172.17.0.10 is the sg port of the snat netns on the network node:

[root@network ~]# ip netns exec snat-b2ce2e13-127d-491a-a669-ff07263e3751 ip addr
1: lo: mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
93: sg-935eff5f-b8: mtu 1400 qdisc noqueue state UNKNOWN qlen 1000
    link/ether fa:16:3e:bf:6d:b5 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.10/16 brd 172.17.255.255 scope global sg-935eff5f-b8
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:febf:6db5/64 scope link
       valid_lft forever preferred_lft forever
94: qg-2b2169ee-a5: mtu 1500 qdisc noqueue state UNKNOWN qlen 1000
    link/ether fa:16:3e:9d:5c:bd brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.187/24 brd 192.168.100.255 scope global qg-2b2169ee-a5
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe9d:5cbd/64 scope link
       valid_lft forever preferred_lft forever

4.2 SNAT

SNAT is performed in the snat netns of the network node (only the relevant rule is shown):

ip netns exec snat-b2ce2e13-127d-491a-a669-ff07263e3751 iptables -t nat -S
-A neutron-l3-agent-snat -o qg-2b2169ee-a5 -j SNAT --to-source 192.168.100.187

4.3 Routing in the snat netns

ip netns exec snat-b2ce2e13-127d-491a-a669-ff07263e3751 ip rule
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

There is no extra policy rule, so the main table is used:

ip netns exec snat-b2ce2e13-127d-491a-a669-ff07263e3751 ip route list table main
default via 192.168.100.1 dev qg-2b2169ee-a5
172.17.0.0/16 dev sg-935eff5f-b8 proto kernel scope link src 172.17.0.10
192.168.100.0/24 dev qg-2b2169ee-a5 proto kernel scope link src 192.168.100.187

Matching on the destination address, the first (default) route is hit, so the packet leaves through the qg-2b2169ee-a5 port and is then routed onward by the 192.168.100.1 gateway.
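To make the three lookups described in sections 2, 3 and 4 reproducible without access to the cloud, here is an added example (my own code, not part of the article and not Neutron's): it transcribes the ip rule, ip route and iptables -t nat -S output quoted above into a small model of the kernel's policy routing (rules walked by priority, longest prefix match inside a table) and of the DNAT/SNAT rules, then replays the inbound path through the floating IP, the outbound path of a VM with a floating IP, and the outbound path of a VM without one. The external host 203.0.113.5 and the floating-IP-less VM 172.17.0.20 are constructed values; the local and default tables are treated as empty, which is sufficient for forwarded traffic.

```python
# Replay of the DVR north-south lookups from the article's ip rule / ip route /
# iptables -t nat -S output. Added example, not Neutron code.
import ipaddress
from dataclasses import dataclass

@dataclass
class Route:
    dst: ipaddress.IPv4Network   # "default" is stored as 0.0.0.0/0
    dev: str
    via: "str | None"

def parse_route(line):
    """One line of `ip route list table X`."""
    t = line.split()
    dst = "0.0.0.0/0" if t[0] == "default" else t[0]
    return Route(ipaddress.ip_network(dst, strict=False), t[t.index("dev") + 1],
                 t[t.index("via") + 1] if "via" in t else None)

def parse_rule(line):
    """One `ip rule` line -> (priority, source net or None, iif or None, table)."""
    prio, rest = line.split(":", 1)
    t = rest.split()
    src = t[t.index("from") + 1]
    return (int(prio), None if src == "all" else ipaddress.ip_network(src, strict=False),
            t[t.index("iif") + 1] if "iif" in t else None, t[t.index("lookup") + 1])

class Netns:
    """One namespace: its policy rules plus the routing tables they point at."""
    def __init__(self, rules, tables):
        self.rules = sorted(map(parse_rule, rules), key=lambda r: r[0])
        self.tables = {n: [parse_route(l) for l in ls] for n, ls in tables.items()}

    def lookup(self, src, dst, iif=None):
        """Rules by priority; first table with a matching route wins, longest prefix inside it."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for _prio, rsrc, riif, table in self.rules:
            if (rsrc is not None and s not in rsrc) or (riif is not None and riif != iif):
                continue
            hits = [r for r in self.tables.get(table, []) if d in r.dst]   # untranscribed tables are empty
            if hits:
                return max(hits, key=lambda r: r.dst.prefixlen)
        raise LookupError(f"no route from {src} to {dst}")

def nat_maps(lines):
    """From `iptables -t nat -S`: DNAT {fip: fixed} and SNAT {fixed or '-o iface': public}."""
    dnat, snat = {}, {}
    for t in (l.split() for l in lines):
        target = t[t.index("-j") + 1] if "-j" in t else None
        if target == "DNAT":
            dnat[t[t.index("-d") + 1].split("/")[0]] = t[t.index("--to-destination") + 1]
        elif target == "SNAT":
            key = t[t.index("-s") + 1].split("/")[0] if "-s" in t else "-o " + t[t.index("-o") + 1]
            snat[key] = t[t.index("--to-source") + 1]
    return dnat, snat

# Transcribed from the article: fip and qrouter netns (compute node), snat netns (network node).
COMMON = ["0: from all lookup local", "32766: from all lookup main", "32767: from all lookup default"]
FIP = Netns(COMMON + ["2852022899: from all iif fpr-b2ce2e13-1 lookup 2852022899"], {
    "main": ["169.254.106.114/31 dev fpr-b2ce2e13-1 proto kernel scope link src 169.254.106.115",
             "192.168.100.0/24 dev fg-42d94dcb-8b proto kernel scope link src 192.168.100.184",
             "192.168.100.190 via 169.254.106.114 dev fpr-b2ce2e13-1"],
    "2852022899": ["default via 192.168.100.1 dev fg-42d94dcb-8b"]})
QROUTER = Netns(COMMON + ["57483: from 172.17.0.7 lookup 16",
                          "2886795265: from 172.17.0.1/16 lookup 2886795265"], {
    "main": ["169.254.106.114/31 dev rfp-b2ce2e13-1 proto kernel scope link src 169.254.106.114",
             "172.17.0.0/16 dev qr-d2b8d53f-64 proto kernel scope link src 172.17.0.1"],
    "16": ["default via 169.254.106.115 dev rfp-b2ce2e13-1"],
    "2886795265": ["default via 172.17.0.10 dev qr-d2b8d53f-64"]})
SNAT_NS = Netns(COMMON, {
    "main": ["default via 192.168.100.1 dev qg-2b2169ee-a5",
             "172.17.0.0/16 dev sg-935eff5f-b8 proto kernel scope link src 172.17.0.10",
             "192.168.100.0/24 dev qg-2b2169ee-a5 proto kernel scope link src 192.168.100.187"]})
QROUTER_DNAT, QROUTER_SNAT = nat_maps([
    "-A neutron-l3-agent-PREROUTING -d 192.168.100.190/32 -i rfp-b2ce2e13-1 -j DNAT --to-destination 172.17.0.7",
    "-A neutron-l3-agent-float-snat -s 172.17.0.7/32 -j SNAT --to-source 192.168.100.190"])
_, SNAT_NS_SNAT = nat_maps(["-A neutron-l3-agent-snat -o qg-2b2169ee-a5 -j SNAT --to-source 192.168.100.187"])

def inbound_via_fip(src, fip):
    """Section 2: public host -> floating IP. Returns (fixed IP, [(dev, via), ...])."""
    r1 = FIP.lookup(src, fip, iif="fg-42d94dcb-8b")        # fip netns main table: /32 host route
    fixed = QROUTER_DNAT[fip]                                # PREROUTING DNAT in qrouter
    r2 = QROUTER.lookup(src, fixed, iif="rfp-b2ce2e13-1")    # re-route on the new destination
    return fixed, [(r1.dev, r1.via), (r2.dev, r2.via)]

def outbound(vm_ip, dst):
    """Sections 3 and 4: VM -> outside. Returns (egress netns, source seen outside, hops)."""
    r1 = QROUTER.lookup(vm_ip, dst)
    if r1.via is None:                                       # directly connected: east-west, no NAT
        return "local", vm_ip, [(r1.dev, None)]
    if r1.dev.startswith("rfp-"):                            # table 16: VM owns a FIP, leave via fip netns
        public = QROUTER_SNAT[vm_ip]                         # float-snat in POSTROUTING
        r2 = FIP.lookup(public, dst, iif="fpr-b2ce2e13-1")   # fip netns table 2852022899
        return "fip", public, [(r1.dev, r1.via), (r2.dev, r2.via)]
    r2 = SNAT_NS.lookup(vm_ip, dst)                          # no FIP: hairpin to the network node
    return "snat", SNAT_NS_SNAT["-o " + r2.dev], [(r1.dev, r1.via), (r2.dev, r2.via)]

if __name__ == "__main__":   # constructed endpoints: external host 203.0.113.5, FIP-less VM 172.17.0.20
    for trace in (inbound_via_fip("203.0.113.5", "192.168.100.190"),
                  outbound("172.17.0.7", "8.8.8.8"), outbound("172.17.0.20", "8.8.8.8")):
        print(trace)
```

Transcribing your own namespaces the same way is a quick way to confirm, before touching a live router, which table a tenant address falls into. In particular, a VM whose per-address rule (the 57483 entry here) is missing silently falls back to the centralized snat path; in this model that shows up as the egress namespace changing from "fip" to "snat" and the public source changing from the floating IP to the qg address.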
