centos ovn 搭建测试(四:NAT)
NAT功能测试验证
# 所有 ovn-nbctl 命令全部在 ovn-master 节点操作
# 配置逻辑交换机及逻辑port
# Logical switch "ls" with two VIF ports. lsp-set-addresses only records the
# MAC/IP OVN should expect on each port (used for L2 lookup and ARP
# responses); it does not enforce port security -- the trace further down
# shows ls_in_port_sec_l2 matching on inport alone, so no source-MAC check is
# active on these ports.
ovn-nbctl ls-add ls \
  -- lsp-add ls ls-veth1 \
  -- lsp-set-addresses ls-veth1 "aa:aa:aa:11:11:aa 1.1.1.100" \
  -- lsp-add ls ls-veth3 \
  -- lsp-set-addresses ls-veth3 "aa:aa:aa:11:11:bb 1.1.1.200"
# 查看 chassis id
[root@ovn-master ~]# ovn-sbctl show
Chassis "6b6ce671-91bf-4796-a28e-8667a783f639"
    hostname: ovn-master
    Encap geneve
        ip: "192.168.220.100"
        options: {csum="true"}
Chassis "831b494e-9ec9-4a4a-95ba-ef04853261dd"
    hostname: "ovn-node1"
    Encap geneve
        ip: "192.168.220.101"
        options: {csum="true"}
# 配置gw逻辑路由器及join逻辑交换机
# Create the gateway router "gw" and pin it to the ovn-node1 chassis.
# options:chassis binds the whole router to that one node, so every
# namespace that wants to reach the external network is forwarded through it.
# NOTE(review): the UUID below does not match the ovn-node1 Chassis UUID
# printed by `ovn-sbctl show` above (831b494e-...); take the value from your
# own `ovn-sbctl show` output instead of copying this one.
ovn-nbctl create Logical_Router name=gw options:chassis=e530c528-0661-4f73-a37e-b5beefb441d5
# Router port lr-gw is the default gateway (1.1.1.1) for the "ls" subnet.
ovn-nbctl lrp-add gw lr-gw 00:00:00:00:00:11 1.1.1.1/24
# 创建逻辑交换机port并关联路由器port
# Connect switch "ls" to router "gw": ls-port is a router-type switch port
# peered with router port lr-gw and carrying the same MAC/IP as that port.
ovn-nbctl lsp-add ls ls-port \
  -- lsp-set-type ls-port router \
  -- lsp-set-addresses ls-port "00:00:00:00:00:11 1.1.1.1" \
  -- lsp-set-options ls-port router-port=lr-gw
# 创建网桥,添加eth0
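# Run on the gateway node (ovn-node1, the chassis the router "gw" is bound
# to). Create the external bridge br-ex and move the physical uplink NIC
# into it. Enslaving ens37 to br-ex typically makes an address configured on
# ens37 itself unreachable, so run this from the console or over another
# interface rather than an SSH session that rides on ens37.
ovs-vsctl add-br br-ex
# ens37 is the physical NIC on this machine
ovs-vsctl add-port br-ex ens37
ip addr add 192.168.0.150/24 dev br-ex
# Map the OVN physical-network name "external-nat" to br-ex. The localnet
# port ls-external created later refers to this name, which is why the
# mapping has to exist on the chassis that hosts the gateway router.
# (The original used a "//" comment here, which bash would try to execute.)
ovs-vsctl set Open_vSwitch . external-ids:ovn-bridge-mappings=external-nat:br-ex
ip link set br-ex up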
# 创建逻辑交换机outside,连接br-ex和逻辑路由器gw
# Router port lr-outside faces the external network 192.168.0.0/24; its
# address 192.168.0.200 is also the SNAT address used further below.
ovn-nbctl lrp-add gw lr-outside 00:00:00:AA:BB:CC 192.168.0.200/24
# Logical switch "outside": ls-outside peers with router port lr-outside,
# ls-external is a localnet port that hands frames to br-ex through the
# "external-nat" bridge mapping. Its address "unknown" means frames whose
# destination MAC the switch does not know are flooded to it (the
# _MC_unknown group in the trace below).
ovn-nbctl ls-add outside \
  -- lsp-add outside ls-outside \
  -- lsp-set-type ls-outside router \
  -- lsp-set-addresses ls-outside 00:00:00:AA:BB:CC \
  -- lsp-set-options ls-outside router-port=lr-outside \
  -- lsp-add outside ls-external \
  -- lsp-set-addresses ls-external unknown \
  -- lsp-set-type ls-external localnet \
  -- lsp-set-options ls-external network_name="external-nat"
# 创建nat
# snat: every host in 1.1.1.0/24 reaches the outside as 192.168.0.200, and
# nothing outside can initiate a connection back to them.
# dnat_and_snat (floating-IP style): 1.1.1.100 is reachable from the outside
# as 192.168.0.201 and also uses that address for its own outbound traffic.
# No ACLs are configured on "ls" anywhere in this walkthrough, so every
# inbound connection to 192.168.0.201 reaches the namespace unfiltered.
ovn-nbctl lr-nat-add gw snat 192.168.0.200 1.1.1.0/24 \
  -- lr-nat-add gw dnat_and_snat 192.168.0.201 1.1.1.100
# 查看NAT配置
[root@master ~]# ovn-nbctl lr-nat-list gw
TYPE             EXTERNAL_IP        LOGICAL_IP            EXTERNAL_MAC         LOGICAL_PORT
dnat_and_snat    192.168.0.201      1.1.1.100
snat             192.168.0.200      1.1.1.0/24
# 配置网络命名空间
# --- ovn-master -----------------------------------------------------------
# Namespace ns1 holds veth2 (1.1.1.100); its peer veth1 stays in the host
# and is plugged into br-int. The iface-id external_id is what binds the OVS
# interface to logical port ls-veth1, and the MAC/IP set here must match the
# lsp-set-addresses value given to that port.
ip netns add ns1
ip link add veth1 type veth peer name veth2
ip link set veth1 up
ip link set veth2 up
ip link set veth2 netns ns1
ip netns exec ns1 ip link set veth2 address aa:aa:aa:11:11:aa
ip netns exec ns1 ip addr add 1.1.1.100/24 dev veth2
ip netns exec ns1 ip link set veth2 up
# Default route points at router port lr-gw (1.1.1.1).
ip netns exec ns1 ip route add default via 1.1.1.1
ovs-vsctl add-port br-int veth1 \
  -- set Interface veth1 external_ids:iface-id=ls-veth1
ip netns exec ns1 ip addr show

# --- ovn-node1 ------------------------------------------------------------
# Same layout: ns2 holds veth4 (1.1.1.200), veth3 is bound to ls-veth3.
ip netns add ns2
ip link add veth3 type veth peer name veth4
ip link set veth3 up
ip link set veth4 up
ip link set veth4 netns ns2
ip netns exec ns2 ip link set veth4 address aa:aa:aa:11:11:bb
ip netns exec ns2 ip addr add 1.1.1.200/24 dev veth4
ip netns exec ns2 ip link set veth4 up
ip netns exec ns2 ip route add default via 1.1.1.1
ovs-vsctl add-port br-int veth3 \
  -- set Interface veth3 external_ids:iface-id=ls-veth3
ip netns exec ns2 ip addr show
# 查看配置
[root@ovn-master ~]# ovn-nbctl show
switch 6eedaa70-4d11-4720-a1ac-d0d3ba5a6ff1 (outside)
    port ls-external
        type: localnet
        addresses: ["unknown"]
    port ls-outside
        type: router
        addresses: ["00:00:00:AA:BB:CC"]
        router-port: lr-outside
switch 58e35eb3-fb3e-43cc-a9eb-ac76c8591f80 (ls)
    port ls-veth3
        addresses: ["aa:aa:aa:11:11:bb 1.1.1.200"]
    port ls-port
        type: router
        addresses: ["00:00:00:00:00:11 1.1.1.1"]
        router-port: lr-gw
    port ls-veth1
        addresses: ["aa:aa:aa:11:11:aa 1.1.1.100"]
router fefe3e87-dc7f-4597-a1e7-f8a12158810a (gw)
    port lr-outside
        mac: "00:00:00:AA:BB:CC"
        networks: ["192.168.0.200/24"]
    port lr-gw
        mac: "00:00:00:00:00:11"
        networks: ["1.1.1.1/24"]
    nat 7674b614-8586-407d-998d-1345140c83f5
        external ip: "192.168.0.200"
        logical ip: "1.1.1.0/24"
        type: "snat"
# 连通性验证
# ovn-node1 节点的ns ping 外网网关
[root@ovn-node1 ~]# ip netns exec ns2 ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=62 time=2.10 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=62 time=1.93 ms
# ovn-node1 节点的ns ping 外网其他节点
[root@ovn-node1 ~]# ip netns exec ns2 ping 192.168.0.102
PING 192.168.0.102 (192.168.0.102) 56(84) bytes of data.
64 bytes from 192.168.0.102: icmp_seq=1 ttl=62 time=91.1 ms
64 bytes from 192.168.0.102: icmp_seq=2 ttl=62 time=111 ms
# ovn-master 节点的ns ping 外网网关
[root@ovn-master ~]# ip netns exec ns1 ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=62 time=4.63 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=62 time=3.37 ms
# trace
[root@ovn-master ~]# ovn-trace --detailed ls 'inport == "ls-veth1" && eth.src == aa:aa:aa:11:11:aa && ip4.src == 1.1.1.100 && eth.dst == 00:00:00:00:00:11 && ip4.dst == 192.168.0.1 && ip.ttl == 64'
# ip,reg14=0x1,vlan_tci=0x0000,dl_src=aa:aa:aa:11:11:aa,dl_dst=00:00:00:00:00:11,nw_src=1.1.1.100,nw_dst=192.168.0.1,nw_proto=0,nw_tos=0,nw_ecn=0,nw_ttl=64

ingress(dp="ls", inport="ls-veth1")
-----------------------------------
 0. ls_in_port_sec_l2 (ovn-northd.c:4843): inport == "ls-veth1", priority 50, uuid 41529fc2
    next;
17. ls_in_l2_lkup (ovn-northd.c:5359): eth.dst == 00:00:00:00:00:11, priority 50, uuid b810b443
    outport = "ls-port";
    output;

egress(dp="ls", inport="ls-veth1", outport="ls-port")
-----------------------------------------------------
 9. ls_out_port_sec_l2 (ovn-northd.c:5503): outport == "ls-port", priority 50, uuid 9079ddf0
    output;
    /* output to "ls-port", type "l3gateway" */

ingress(dp="gw", inport="lr-gw")
--------------------------------
 0. lr_in_admission (ovn-northd.c:6198): eth.dst == 00:00:00:00:00:11 && inport == "lr-gw", priority 50, uuid 794dbfd5
    next;
 4. lr_in_dnat (ovn-northd.c:7219): ip, priority 50, uuid acad9e97
    flags.loopback = 1;
    ct_dnat;

ct_dnat /* assuming no un-dnat entry, so no change */
-----------------------------------------------------
 7. lr_in_ip_routing (ovn-northd.c:5780): ip4.dst == 192.168.0.0/24, priority 49, uuid 69a143f7
    ip.ttl--;
    reg0 = ip4.dst;
    reg1 = 192.168.0.200;
    eth.src = 00:00:00:aa:bb:cc;
    outport = "lr-outside";
    flags.loopback = 1;
    next;
 9. lr_in_arp_resolve (ovn-northd.c:7810): ip4, priority 0, uuid 42dce81c
    get_arp(outport, reg0);
    /* MAC binding to c0:a5:dd:ae:1f:c5. */
    next;
13. lr_in_arp_request (ovn-northd.c:8001): 1, priority 0, uuid f4fff578
    output;

egress(dp="gw", inport="lr-gw", outport="lr-outside")
-----------------------------------------------------
 1. lr_out_snat (ovn-northd.c:7045): ip && ip4.src == 1.1.1.0/24, priority 25, uuid 31420d44
    ct_snat(192.168.0.200);

ct_snat(ip4.src=192.168.0.200)
------------------------------
 3. lr_out_delivery (ovn-northd.c:8029): outport == "lr-outside", priority 100, uuid 0f57b30a
    output;
    /* output to "lr-outside", type "l3gateway" */

ingress(dp="outside", inport="ls-outside")
------------------------------------------
 0. ls_in_port_sec_l2 (ovn-northd.c:4843): inport == "ls-outside", priority 50, uuid 09f5d420
    next;
17. ls_in_l2_lkup (ovn-northd.c:5466): 1, priority 0, uuid 3bc9370b
    outport = "_MC_unknown";
    output;

multicast(dp="outside", mcgroup="_MC_unknown")
----------------------------------------------

    egress(dp="outside", inport="ls-outside", outport="ls-external")
    ----------------------------------------------------------------
     9. ls_out_port_sec_l2 (ovn-northd.c:5503): outport == "ls-external", priority 50, uuid 5a71ea3b
        output;
        /* output to "ls-external", type "localnet" */
# 配置DNAT_SNAT后
[root@ovn-master ~]# ovn-nbctl show
switch 6eedaa70-4d11-4720-a1ac-d0d3ba5a6ff1 (outside)
    port ls-external
        type: localnet
        addresses: ["unknown"]
    port ls-outside
        type: router
        addresses: ["00:00:00:AA:BB:CC"]
        router-port: lr-outside
switch 58e35eb3-fb3e-43cc-a9eb-ac76c8591f80 (ls)
    port ls-veth3
        addresses: ["aa:aa:aa:11:11:bb 1.1.1.200"]
    port ls-port
        type: router
        addresses: ["00:00:00:00:00:11 1.1.1.1"]
        router-port: lr-gw
    port ls-veth1
        addresses: ["aa:aa:aa:11:11:aa 1.1.1.100"]
router fefe3e87-dc7f-4597-a1e7-f8a12158810a (gw)
    port lr-outside
        mac: "00:00:00:AA:BB:CC"
        networks: ["192.168.0.200/24"]
    port lr-gw
        mac: "00:00:00:00:00:11"
        networks: ["1.1.1.1/24"]
    nat 621762f2-fbc8-4232-962d-641e9ace43c8
        external ip: "192.168.0.201"
        logical ip: "1.1.1.100"
        type: "dnat_and_snat"
    nat 7674b614-8586-407d-998d-1345140c83f5
        external ip: "192.168.0.200"
        logical ip: "1.1.1.0/24"
        type: "snat"
# trace
[root@ovn-master ~]# ovn-trace --detailed ls 'inport == "ls-veth1" && eth.src == aa:aa:aa:11:11:aa && ip4.src == 1.1.1.100 && eth.dst == 00:00:00:00:10:00 && ip4.dst == 192.168.0.1 && ip.ttl == 64'
# ip,reg14=0x1,vlan_tci=0x0000,dl_src=aa:aa:aa:11:11:aa,dl_dst=00:00:00:00:10:00,nw_src=1.1.1.100,nw_dst=192.168.0.1,nw_proto=0,nw_tos=0,nw_ecn=0,nw_ttl=64

ingress(dp="ls", inport="ls-veth1")
-----------------------------------
 0. ls_in_port_sec_l2 (ovn-northd.c:4843): inport == "ls-veth1", priority 50, uuid 41529fc2
    next;
17. ls_in_l2_lkup: no match (implicit drop)
[root@ovn-master ~]# ovn-trace --detailed ls 'inport == "ls-veth1" && eth.src == aa:aa:aa:11:11:aa && ip4.src == 1.1.1.100 && eth.dst == 00:00:00:00:00:11 && ip4.dst == 192.168.0.1 && ip.ttl == 64'
# ip,reg14=0x1,vlan_tci=0x0000,dl_src=aa:aa:aa:11:11:aa,dl_dst=00:00:00:00:00:11,nw_src=1.1.1.100,nw_dst=192.168.0.1,nw_proto=0,nw_tos=0,nw_ecn=0,nw_ttl=64

ingress(dp="ls", inport="ls-veth1")
-----------------------------------
 0. ls_in_port_sec_l2 (ovn-northd.c:4843): inport == "ls-veth1", priority 50, uuid 41529fc2
    next;
17. ls_in_l2_lkup (ovn-northd.c:5359): eth.dst == 00:00:00:00:00:11, priority 50, uuid b810b443
    outport = "ls-port";
    output;

egress(dp="ls", inport="ls-veth1", outport="ls-port")
-----------------------------------------------------
 9. ls_out_port_sec_l2 (ovn-northd.c:5503): outport == "ls-port", priority 50, uuid 9079ddf0
    output;
    /* output to "ls-port", type "l3gateway" */

ingress(dp="gw", inport="lr-gw")
--------------------------------
 0. lr_in_admission (ovn-northd.c:6198): eth.dst == 00:00:00:00:00:11 && inport == "lr-gw", priority 50, uuid 794dbfd5
    next;
 4. lr_in_dnat (ovn-northd.c:7219): ip, priority 50, uuid acad9e97
    flags.loopback = 1;
    ct_dnat;

ct_dnat /* assuming no un-dnat entry, so no change */
-----------------------------------------------------
 7. lr_in_ip_routing (ovn-northd.c:5780): ip4.dst == 192.168.0.0/24, priority 49, uuid 69a143f7
    ip.ttl--;
    reg0 = ip4.dst;
    reg1 = 192.168.0.200;
    eth.src = 00:00:00:aa:bb:cc;
    outport = "lr-outside";
    flags.loopback = 1;
    next;
 9. lr_in_arp_resolve (ovn-northd.c:7810): ip4, priority 0, uuid 42dce81c
    get_arp(outport, reg0);
    /* MAC binding to c0:a5:dd:ae:1f:c5. */
    next;
13. lr_in_arp_request (ovn-northd.c:8001): 1, priority 0, uuid f4fff578
    output;

egress(dp="gw", inport="lr-gw", outport="lr-outside")
-----------------------------------------------------
 1. lr_out_snat (ovn-northd.c:7045): ip && ip4.src == 1.1.1.100, priority 33, uuid 053ce2b2
    ct_snat(192.168.0.201);

ct_snat(ip4.src=192.168.0.201)
------------------------------
 3. lr_out_delivery (ovn-northd.c:8029): outport == "lr-outside", priority 100, uuid 0f57b30a
    output;
    /* output to "lr-outside", type "l3gateway" */

ingress(dp="outside", inport="ls-outside")
------------------------------------------
 0. ls_in_port_sec_l2 (ovn-northd.c:4843): inport == "ls-outside", priority 50, uuid 09f5d420
    next;
17. ls_in_l2_lkup (ovn-northd.c:5466): 1, priority 0, uuid 3bc9370b
    outport = "_MC_unknown";
    output;

multicast(dp="outside", mcgroup="_MC_unknown")
----------------------------------------------

    egress(dp="outside", inport="ls-outside", outport="ls-external")
    ----------------------------------------------------------------
     9. ls_out_port_sec_l2 (ovn-northd.c:5503): outport == "ls-external", priority 50, uuid 5a71ea3b
        output;
        /* output to "ls-external", type "localnet" */