[openstack-community] qvb level filter

Yaron Illouz yaroni at radcom.com
Wed Feb 11 16:31:17 UTC 2015


Hi 

 

I am trying to do port mirroring between VMs.

I did it with Open vSwitch.

Packets are copied to the mirrored qvo, but then stop at the qvb Rx. I
don't see where they are stuck.

From the iptables output, they don't seem to be dropped in one of the
chains, and there are not many packets in fallback.

Are iptables at qvb level? If not, what blocks my packets?

 

 

You can see only 201 packets reach qbr, but more than 72 million packets
arrived at qvb.

ifconfig | grep -A 5 3ede5b3

qbr3ede5b3e-39: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::e4ae:56ff:fe5f:137d  prefixlen 64  scopeid 0x20<link>
        ether aa:8c:e8:75:72:d2  txqueuelen 0  (Ethernet)
        RX packets 201  bytes 16528 (16.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8  bytes 648 (648.0 B)
--
qvb3ede5b3e-39: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet6 fe80::a88c:e8ff:fe75:72d2  prefixlen 64  scopeid 0x20<link>
        ether aa:8c:e8:75:72:d2  txqueuelen 1000  (Ethernet)
        RX packets 72789130  bytes 20271610754 (18.8 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 30  bytes 3394 (3.3 KiB)
--
qvo3ede5b3e-39: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet6 fe80::c70:cff:fef0:d432  prefixlen 64  scopeid 0x20<link>
        ether 0e:70:0c:f0:d4:32  txqueuelen 1000  (Ethernet)
        RX packets 30  bytes 3394 (3.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 72789140  bytes 20271612780 (18.8 GiB)
--
tap3ede5b3e-39: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::fc16:3eff:fe3b:34de  prefixlen 64  scopeid 0x20<link>
        ether fe:16:3e:3b:34:de  txqueuelen 500  (Ethernet)
        RX packets 15  bytes 2188 (2.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3526  bytes 966661 (944.0 KiB)

 

 

Neutron port list

| 3ede5b3e-396e-48a9-b24a-6cb2dc7509fe |      | fa:16:3e:3b:34:de | {"subnet_id": "f960ee77-77a8-45c1-8eef-e3878f0bea9f", "ip_address": "10.67.82.2"}  |
| 435f35c6-80be-47ee-b30f-8376e1ea78d9 |      | fa:16:3e:41:fd:59 | {"subnet_id": "f960ee77-77a8-45c1-8eef-e3878f0bea9f", "ip_address": "10.67.82.5"}  |
| 89193daa-bf67-4237-8045-30a6e3c107a2 |      | fa:16:3e:a5:56:38 | {"subnet_id": "f960ee77-77a8-45c1-8eef-e3878f0bea9f", "ip_address": "10.67.82.4"}  |
| bd80bab5-424d-4e5c-8993-b8bb8c6f3e49 |      | fa:16:3e:f7:4f:ea | {"subnet_id": "f960ee77-77a8-45c1-8eef-e3878f0bea9f", "ip_address": "10.67.82.3"}  |

 

 

Command that I ran

ovs-vsctl -- set Bridge br-int mirrors=@m \
  -- --id=@qvobd80bab5-42 get Port qvobd80bab5-42 \
  -- --id=@qvo3ede5b3e-39 get Port qvo3ede5b3e-39 \
  -- --id=@m create Mirror name=mymirror select-dst-port=@qvobd80bab5-42 \
     select-src-port=@qvobd80bab5-42 output-port=@qvo3ede5b3e-39

 

 

This is the filtered iptables output; you can see I added an allowed
address pair.

3     3518  919K neutron-openvswi-sg-chain  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out tap3ede5b3e-39 --physdev-is-bridged
4        4  1358 neutron-openvswi-sg-chain  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap3ede5b3e-39 --physdev-is-bridged

Chain neutron-openvswi-INPUT (1 references)
--
2        0     0 neutron-openvswi-o3ede5b3e-3  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap3ede5b3e-39 --physdev-is-bridged
3        0     0 neutron-openvswi-o7e200e92-4  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap7e200e92-44 --physdev-is-bridged
4        0     0 neutron-openvswi-o435f35c6-8  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap435f35c6-80 --physdev-is-bridged
5        0     0 neutron-openvswi-o6a1bb345-9  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap6a1bb345-93 --physdev-is-bridged
6        0     0 neutron-openvswi-ofc0a7800-a  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tapfc0a7800-a0 --physdev-is-bridged

Chain neutron-openvswi-OUTPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain neutron-openvswi-i3ede5b3e-3 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
2       91  8550 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 RETURN     udp  --  *      *       10.67.82.4           0.0.0.0/0            udp spt:67 dpt:68
4        0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
5        0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp multiport dports 1:65535
6     3416  907K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set IPv4ecb94f49-0fdd-4f6f-b src
7        9  3054 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
--
Chain neutron-openvswi-o3ede5b3e-3 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        4  1358 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67
2        0     0 neutron-openvswi-s3ede5b3e-3  all  --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
4        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
5        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
6        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
7        0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
--
Chain neutron-openvswi-s3ede5b3e-3 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  *      *       10.67.82.0/24        0.0.0.0/0            MAC FA:16:3E:41:FD:59
2        0     0 RETURN     all  --  *      *       10.67.82.2           0.0.0.0/0            MAC FA:16:3E:3B:34:DE
3        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
--
3     3518  919K neutron-openvswi-i3ede5b3e-3  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out tap3ede5b3e-39 --physdev-is-bridged
4        4  1358 neutron-openvswi-o3ede5b3e-3  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap3ede5b3e-39 --physdev-is-bridged
...
13    397M 1617G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

 

--

error=`neutron-openvswi-i3ede5b3e-3'

 

Entry 63 (19664):

SRC IP: 0.0.0.0/0.0.0.0

DST IP: 0.0.0.0/0.0.0.0

Interface: `'/................to `'/................

Protocol: 0

Flags: 00

Invflags: 00

Counters: 0 packets, 0 bytes

Cache: 00000000

--

error=`neutron-openvswi-o3ede5b3e-3'

 

Entry 119 (32280):

SRC IP: 0.0.0.0/0.0.0.0

DST IP: 0.0.0.0/0.0.0.0

Interface: `'/................to `'/................

Protocol: 17

Flags: 00

Invflags: 00

Counters: 4 packets, 1358 bytes

Cache: 00000000

--

error=`neutron-openvswi-s3ede5b3e-3'

 

Entry 173 (43608):

SRC IP: 10.67.82.0/255.255.255.0

DST IP: 0.0.0.0/0.0.0.0

Interface: `'/................to `'/................

Protocol: 0

Flags: 00

Invflags: 00

Counters: 0 packets, 0 bytes

Cache: 00000000
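
Added example (not part of the original post): a small Python script that parses the ifconfig counters shown above and walks the mirrored-traffic path hop by hop to find where the packet count collapses. The embedded sample is constructed from the post's counters; the function names and the 0.99 threshold are assumptions of this example.

```python
import re

# Constructed sample: packet counters copied from the ifconfig output in the post.
IFCONFIG = """\
qbr3ede5b3e-39: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        RX packets 201  bytes 16528 (16.1 KiB)
        TX packets 8  bytes 648 (648.0 B)
qvb3ede5b3e-39: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        RX packets 72789130  bytes 20271610754 (18.8 GiB)
        TX packets 30  bytes 3394 (3.3 KiB)
qvo3ede5b3e-39: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        RX packets 30  bytes 3394 (3.3 KiB)
        TX packets 72789140  bytes 20271612780 (18.8 GiB)
tap3ede5b3e-39: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        RX packets 15  bytes 2188 (2.1 KiB)
        TX packets 3526  bytes 966661 (944.0 KiB)
"""

def parse_counters(text):
    """Return {ifname: {"RX": packets, "TX": packets}} from ifconfig text."""
    counters, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\S+?):\s+flags=", line)
        if head:
            current = counters.setdefault(head.group(1), {})
            continue
        pkt = re.match(r"^\s+(RX|TX) packets (\d+)", line)
        if pkt and current is not None:
            current[pkt.group(1)] = int(pkt.group(2))
    return counters

def first_lossy_hop(counters, path, min_ratio=0.99):
    """Walk (ifname, direction) hops in order and return the first adjacent
    pair where fewer than min_ratio of the packets carry over, else None."""
    for (a, da), (b, db) in zip(path, path[1:]):
        sent, seen = counters[a][da], counters[b][db]
        if sent and seen / sent < min_ratio:
            return (a, da, sent), (b, db, seen)
    return None

PORT = "3ede5b3e-39"
# Mirrored traffic travels br-int -> qvo (TX) -> qvb (RX) -> qbr -> tap (TX) -> VM.
# qbr's own RX counter is left out: it counts frames delivered to the bridge
# interface itself, not frames forwarded between the bridge's ports.
PATH = [("qvo" + PORT, "TX"), ("qvb" + PORT, "RX"), ("tap" + PORT, "TX")]

if __name__ == "__main__":
    print(first_lossy_hop(parse_counters(IFCONFIG), PATH))
```

On the post's numbers the veth pair carries everything across, and the count collapses between qvb RX and tap TX, which is also consistent with the 3518 packets counted by the physdev-out rule for tap3ede5b3e-39.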

 

 

 

 

 
