追蹤openvswitch對特定資料報文的流表匹配與處理結果的例項
阿新 • • 發佈:2018-11-09
SDN環境中,每一個openvswitch的datapath例項中都會有大量的流表項,無論是使用各種關鍵字的grep手段或者是其他方法來確認是否由控制器下發了預期正確流表項,還是看關於特定資料包的匹配與最終action都是一件非常繁瑣和頭疼的事情。使用ovs-appctl工具結合linux自帶的tcpdump抓包工具就可以很輕鬆直觀的最終流表匹配情況,來完成自己繁瑣的查詢工作,還能避免自己的判斷的錯誤。
主要步驟如下:
1、確認你需要跟蹤的資料包的各項引數;
2、將其轉化成openflow的match域的描述;
3、使用openvswitch提供的ofproto/trace功能跟蹤流表匹配情況;
如何獲取包特徵引數?
可以找到自己需要驗證的虛擬機器,在其上發出需要驗證的協議資料包,在物理計算節點上找到該虛擬機器的後端虛擬網絡卡,在該虛擬網絡卡上使用tcpdump抓包,也可以從已有的抓包檔案中獲取,當然,也可以完全由自己指定openflow match域的內容。比如我讀一下事先抓好的資料包。
[[email protected] ~]# tcpdump -ennvv -r /home/vnet31.0.pcap <code class="language-plain">reading from file /home/vnet31.0.pcap, link-type EN10MB (Ethernet) 10:25:17.693773 fa:16:3e:8c:eb:5b > fa:16:3e:a5:15:f3, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 128, id 8060, offset 0, flags [none], proto ICMP (1), length 60) 20.20.20.104 > 20.20.20.101: ICMP echo request, id 1, seq 40197, length 40</code>
轉換成openflow的描述就是:
dl_src=fa:16:3e:8c:eb:5b,dl_dst=fa:16:3e:a5:15:f3,ip,nw_src=20.20.20.104,nw_dst=20.20.20.101,nw_proto=1
由於該虛擬網絡卡連線openvswitch的ofport 是37,所以要加上 in_port=37,完整的就如下所示:
in_port=37,dl_src=fa:16:3e:8c:eb:5b,dl_dst=fa:16:3e:a5:15:f3,ip,nw_src=20.20.20.104,nw_dst=20.20.20.101,nw_proto=1
確定了資料包的openflow的特徵描述,就可以使用ovs-appctl提供的ofproto/trace功能來跟蹤啦,命令如下:
[[email protected] ~]# ovs-appctl ofproto/trace dvs2_dp in_port=37,dl_src=fa:16:3e:8c:eb:5b,dl_dst=fa:16:3e:a5:15:f3,ip,nw_src=20.20.20.104,nw_dst=20.20.20.101,nw_proto=1 -generat
其中dvs2_dp是我實測環境中的bridge名稱,-generate的意思是構造該資料報文,此時是確實有一個該報文通過ovs被處理了的。最終跟蹤的效果下:
[[email protected] ~]# ovs-appctl ofproto/trace dvs2_dp in_port=37,dl_src=fa:16:3e:8c:eb:5b,dl_dst=fa:16:3e:a5:15:f3,ip,nw_src=20.20.20.104,nw_dst=20.20.20.101,nw_proto=1 -generate
Bridge: dvs2_dp
Flow: icmp,metadata=0,in_port=37,vlan_tci=0x0000,dl_src=fa:16:3e:8c:eb:5b,dl_dst=fa:16:3e:a5:15:f3,nw_src=20.20.20.104,nw_dst=20.20.20.101,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=0,icmp_code=0
Rule: table=0 cookie=0xd4 priority=0
OpenFlow actions=goto_table:1
Resubmitted flow: unchanged
Resubmitted regs: reg0=0x0 reg1=0x0 reg2=0x0 reg3=0x0 reg4=0x0 reg5=0x0 reg6=0x0 reg7=0x0
Resubmitted odp: drop
Resubmitted megaflow: recirc_id=0,skb_priority=0,icmp,in_port=37,dl_src=fa:16:3e:8c:eb:5b,dl_dst=fa:16:3e:a5:15:f3,nw_src=20.20.20.104,nw_dst=20.20.20.101,nw_frag=no
Rule: table=1 cookie=0x616 priority=221,in_port=37
OpenFlow actions=write_metadata:0x3000009c4,goto_table:4
Resubmitted flow: icmp,metadata=0x3000009c4,in_port=37,vlan_tci=0x0000,dl_src=fa:16:3e:8c:eb:5b,dl_dst=fa:16:3e:a5:15:f3,nw_src=20.20.20.104,nw_dst=20.20.20.101,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=0,icmp_code=0
Resubmitted regs: reg0=0x0 reg1=0x0 reg2=0x0 reg3=0x0 reg4=0x0 reg5=0x0 reg6=0x0 reg7=0x0
Resubmitted odp: drop
Resubmitted megaflow: recirc_id=0,skb_priority=0,icmp,in_port=37,dl_src=fa:16:3e:8c:eb:5b,dl_dst=fa:16:3e:a5:15:f3,nw_src=20.20.20.104,nw_dst=20.20.20.101,nw_frag=no
Rule: table=4 cookie=0x617 priority=161,dl_src=fa:16:3e:8c:eb:5b
OpenFlow actions=write_metadata:0x3000009c4,goto_table:5
Resubmitted flow: unchanged
Resubmitted regs: reg0=0x0 reg1=0x0 reg2=0x0 reg3=0x0 reg4=0x0 reg5=0x0 reg6=0x0 reg7=0x0
Resubmitted odp: drop
Resubmitted megaflow:
recirc_id=0,skb_priority=0,icmp,in_port=37,dl_src=fa:16:3e:8c:eb:5b,dl_dst=fa:16:3e:a5:15:f3,nw_src=20.20.20.104,nw_dst=20.20.20.101,nw_frag=no
Rule: table=5 cookie=0xd9 priority=0
OpenFlow actions=goto_table:6
Resubmitted flow: unchanged
Resubmitted regs: reg0=0x0 reg1=0x0 reg2=0x0 reg3=0x0 reg4=0x0 reg5=0x0 reg6=0x0 reg7=0x0
Resubmitted odp: drop
Resubmitted megaflow: recirc_id=0,skb_priority=0,icmp,metadata=0/0xffffff,in_port=37,dl_src=fa:16:3e:8c:eb:5b,dl_dst=fa:16:3e:a5:15:f3,nw_src=20.20.20.104,nw_dst=20.20.20.101,nw_frag=no
Rule: table=6 cookie=0x5e8 priority=102,metadata=0x9c4/0xffffff,dl_dst=fa:16:3e:a5:15:f3
OpenFlow actions=write_actions(set_field:0x9c4->tun_id,output:12)
Final flow: icmp,tun_id=0x9c4,metadata=0x3000009c4,in_port=37,vlan_tci=0x0000,dl_src=fa:16:3e:8c:eb:5b,dl_dst=fa:16:3e:a5:15:f3,nw_src=20.20.20.104,nw_dst=20.20.20.101,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=0,icmp_code=0
Megaflow: recirc_id=0,skb_priority=0,icmp,tun_id=0,metadata=0/0xffffff,in_port=37,dl_src=fa:16:3e:8c:eb:5b,dl_dst=fa:16:3e:a5:15:f3,nw_src=20.20.20.104,nw_dst=20.20.20.101,nw_ecn=0,nw_frag=no
Datapath actions: set(tunnel(tun_id=0x9c4,src=172.47.205.45,dst=172.47.205.46,tos=0x0,ttl=64,flags(df,key))),11上面的例子是最終資料包被打上了tun_id並從隧道埠被轉發的跟蹤,下面再舉一個table miss被丟棄的例子:
[[email protected] ~]# ovs-appctl ofproto/trace sdn_dvs_dp in_port=127,dl_src=fa:16:3e:a5:85:78,dl_dst=00:d0:d0:1c:3d:2d,ip,nw_src=192.168.150.2,nw_dst=10.47.159.89,nw_proto=1 -generate
Bridge: sdn_dvs_dp
Flow: icmp,metadata=0,in_port=127,vlan_tci=0x0000,dl_src=fa:16:3e:a5:85:78,dl_dst=00:d0:d0:1c:3d:2d,nw_src=192.168.150.2,nw_dst=10.47.159.89,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=0,icmp_code=0
Rule: table=0 cookie=0x1ea priority=0
OpenFlow actions=goto_table:1
Resubmitted flow: unchanged
Resubmitted regs: reg0=0x0 reg1=0x0 reg2=0x0 reg3=0x0 reg4=0x0 reg5=0x0 reg6=0x0 reg7=0x0
Resubmitted odp: drop
Resubmitted megaflow: recirc_id=0,skb_priority=0,icmp,in_port=127,dl_src=fa:16:3e:a5:85:78,dl_dst=00:d0:d0:1c:3d:2d,nw_src=192.168.150.2,nw_dst=10.47.159.89,nw_frag=no
Rule: table=1 cookie=0x294 priority=221,in_port=127
OpenFlow actions=write_metadata:0xa00000191,goto_table:4
Resubmitted flow: icmp,metadata=0xa00000191,in_port=127,vlan_tci=0x0000,dl_src=fa:16:3e:a5:85:78,dl_dst=00:d0:d0:1c:3d:2d,nw_src=192.168.150.2,nw_dst=10.47.159.89,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=0,icmp_code=0
Resubmitted regs: reg0=0x0 reg1=0x0 reg2=0x0 reg3=0x0 reg4=0x0 reg5=0x0 reg6=0x0 reg7=0x0
Resubmitted odp: drop
Resubmitted megaflow: recirc_id=0,skb_priority=0,icmp,in_port=127,dl_src=fa:16:3e:a5:85:78,dl_dst=00:d0:d0:1c:3d:2d,nw_src=192.168.150.2,nw_dst=10.47.159.89,nw_frag=no
Rule: table=4 cookie=0x295 priority=161,dl_src=fa:16:3e:a5:85:78
OpenFlow actions=write_metadata:0xa00000191,goto_table:5
Resubmitted flow: unchanged
Resubmitted regs: reg0=0x0 reg1=0x0 reg2=0x0 reg3=0x0 reg4=0x0 reg5=0x0 reg6=0x0 reg7=0x0
Resubmitted odp: drop
Resubmitted megaflow: recirc_id=0,skb_priority=0,icmp,in_port=127,dl_src=fa:16:3e:a5:85:78,dl_dst=00:d0:d0:1c:3d:2d,nw_src=192.168.150.2,nw_dst=10.47.159.89,nw_frag=no
Rule: table=5 cookie=0x1ef priority=0
OpenFlow actions=goto_table:6
Resubmitted flow: unchanged
Resubmitted regs: reg0=0x0 reg1=0x0 reg2=0x0 reg3=0x0 reg4=0x0 reg5=0x0 reg6=0x0 reg7=0x0
Resubmitted odp: drop
Resubmitted megaflow: recirc_id=0,skb_priority=0,icmp,in_port=127,dl_src=fa:16:3e:a5:85:78,dl_dst=00:d0:d0:1c:3d:2d,nw_src=192.168.150.2,nw_dst=10.47.159.89,nw_frag=no
Rule: table=6 cookie=0x1f4 priority=111,dl_dst=00:d0:d0:1c:3d:2d
OpenFlow actions=goto_table:7
Resubmitted flow: unchanged
Resubmitted regs: reg0=0x0 reg1=0x0 reg2=0x0 reg3=0x0 reg4=0x0 reg5=0x0 reg6=0x0 reg7=0x0
Resubmitted odp: drop
Resubmitted megaflow: recirc_id=0,skb_priority=0,icmp,metadata=0/0xffffffff00000000,in_port=127,dl_src=fa:16:3e:a5:85:78,dl_dst=00:d0:d0:1c:3d:2d,nw_src=192.168.150.2,nw_dst=10.47.159.89,nw_frag=no
Rule: table=7 cookie=0x1f1 priority=0
OpenFlow actions=CONTROLLER:65535
Final flow: icmp,metadata=0xa00000191,in_port=127,vlan_tci=0x0000,dl_src=fa:16:3e:a5:85:78,dl_dst=00:d0:d0:1c:3d:2d,nw_src=192.168.150.2,nw_dst=10.47.159.89,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=0,icmp_code=0
Megaflow: recirc_id=0,skb_priority=0,icmp,metadata=0/0xffffffff00000000,in_port=127,dl_src=fa:16:3e:a5:85:78,dl_dst=00:d0:d0:1c:3d:2d,nw_src=192.168.150.2,nw_dst=10.47.159.89,nw_frag=no
Datapath actions: drop
This flow is handled by the userspace slow path because it:
- Sends "packet-in" messages to the OpenFlow controller.