1.问题: 在K版 neutron 中 打开openvswitch 安全组之后, 创建ipv6的网络并关联到一个vm。 vm启动后无法分配ipv6地址。
2.原因:
K版的 D:\temp\neutron\agent\linux\openvswitch_firewall.py 不支持ipv6 创建流表。
3.现象:
2018-10-09 19:06:55.499 16558 DEBUG neutron.agent.linux.utils [req-9e28b1ff-3315-4cc6-ba2d-83ac975722bf - - - - -] Running command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ovs-ofctl', 'add-flows', 'qbr56a6ca7d-2c', '-'] create_process /usr/lib/python2.7/site-packages/neutron/agent/linux/utils.py:84
2018-10-09 19:06:55.678 16558 ERROR neutron.agent.linux.utils [req-9e28b1ff-3315-4cc6-ba2d-83ac975722bf - - - - -]
Command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ovs-ofctl', 'add-flows', 'qbr56a6ca7d-2c', '-']
Exit code: 1
Stdin: hard_timeout=0,idle_timeout=0,priority=3,table=0,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00,in_port=1,actions=set_queue:0,normal
hard_timeout=0,idle_timeout=0,priority=2,table=0,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00,actions=set_queue:0,normal
hard_timeout=0,idle_timeout=0,priority=2,table=0,ip,nw_dst=169.254.0.0/16,actions=normal
hard_timeout=0,idle_timeout=0,priority=3,ip,table=0,nw_src=169.254.0.0/16,in_port=1,actions=normal
hard_timeout=0,idle_timeout=0,priority=1,table=0,actions=pop_queue,resubmit(,33)
hard_timeout=0,idle_timeout=0,priority=2,table=0,in_port=1,actions=pop_queue,resubmit(,34)
hard_timeout=0,idle_timeout=0,priority=2,arp,dl_src=fa:16:3e:a4:c4:84,table=0,nw_src=2019:2:2:2:f816:3eff:fea4:c484,actions=normal
hard_timeout=0,idle_timeout=0,priority=3,arp,nw_dst=2019:2:2:2:f816:3eff:fea4:c484,table=0,dl_dst=fa:16:3e:a4:c4:84,in_port=1,actions=normal
hard_timeout=0,idle_timeout=0,priority=4,udp,tp_dst=546/0xffff,table=32,tp_src=547/0xffff,nw_src=fe80::f816:3eff:fea3:ec40,actions=learn(table=33,priority=5,hard_timeout=120,eth_type=0x800,nw_proto=17,NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_UDP_SRC[]=NXM_OF_UDP_DST[], NXM_OF_UDP_DST[]=NXM_OF_UDP_SRC[],output:NXM_OF_IN_PORT[]),normal
hard_timeout=0,idle_timeout=0,priority=4,udp,tp_dst=546/0xffff,table=32,tp_src=547/0xffff,nw_src=fe80::f816:3eff:fe65:ab99,actions=learn(table=33,priority=5,hard_timeout=120,eth_type=0x800,nw_proto=17,NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_UDP_SRC[]=NXM_OF_UDP_DST[], NXM_OF_UDP_DST[]=NXM_OF_UDP_SRC[],output:NXM_OF_IN_PORT[]),normal
hard_timeout=0,idle_timeout=0,priority=5,icmp_code=0,icmp,table=31,icmp_type=8,actions=learn(table=34,priority=5,hard_timeout=15,fin_idle_timeout=5,fin_hard_timeout=10,eth_type=0x800,nw_proto=1,icmp_type=0,icmp_code=0,NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],output:NXM_OF_IN_PORT[]),normal
hard_timeout=0,idle_timeout=0,priority=5,table=31,tcp,actions=learn(table=34,priority=5,hard_timeout=300,fin_idle_timeout=5,fin_hard_timeout=10,eth_type=0x800,nw_proto=6,NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_TCP_SRC[]=NXM_OF_TCP_DST[], NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],output:NXM_OF_IN_PORT[]),normal
hard_timeout=0,idle_timeout=0,priority=5,table=31,udp,actions=learn(table=34,priority=5,hard_timeout=120,fin_idle_timeout=5,fin_hard_timeout=10,eth_type=0x800,nw_proto=17,NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_UDP_SRC[]=NXM_OF_UDP_DST[], NXM_OF_UDP_DST[]=NXM_OF_UDP_SRC[],output:NXM_OF_IN_PORT[]),normal
hard_timeout=0,idle_timeout=0,priority=5,icmp_code=0,icmp,table=32,icmp_type=8,actions=learn(table=33,priority=5,hard_timeout=15,fin_idle_timeout=5,fin_hard_timeout=10,eth_type=0x800,nw_proto=1,icmp_type=0,icmp_code=0,NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],output:NXM_OF_IN_PORT[]),normal
hard_timeout=0,idle_timeout=0,priority=5,table=32,tcp,actions=learn(table=33,priority=5,hard_timeout=300,fin_idle_timeout=5,fin_hard_timeout=10,eth_type=0x800,nw_proto=6,NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_TCP_SRC[]=NXM_OF_TCP_DST[], NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],output:NXM_OF_IN_PORT[]),normal
hard_timeout=0,idle_timeout=0,priority=5,table=32,udp,actions=learn(table=33,priority=5,hard_timeout=120,fin_idle_timeout=5,fin_hard_timeout=10,eth_type=0x800,nw_proto=17,NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_UDP_SRC[]=NXM_OF_UDP_DST[], NXM_OF_UDP_DST[]=NXM_OF_UDP_SRC[],output:NXM_OF_IN_PORT[]),normal
hard_timeout=0,idle_timeout=0,priority=5,icmp_code=0,icmp,table=31,icmp_type=8,actions=learn(table=34,priority=5,hard_timeout=15,fin_idle_timeout=5,fin_hard_timeout=10,eth_type=0x800,nw_proto=1,icmp_type=0,icmp_code=0,NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],output:NXM_OF_IN_PORT[]),normal
hard_timeout=0,idle_timeout=0,priority=5,table=31,tcp,actions=learn(table=34,priority=5,hard_timeout=300,fin_idle_timeout=5,fin_hard_timeout=10,eth_type=0x800,nw_proto=6,NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_TCP_SRC[]=NXM_OF_TCP_DST[], NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],output:NXM_OF_IN_PORT[]),normal
hard_timeout=0,idle_timeout=0,priority=5,table=31,udp,actions=learn(table=34,priority=5,hard_timeout=120,fin_idle_timeout=5,fin_hard_timeout=10,eth_type=0x800,nw_proto=17,NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_UDP_SRC[]=NXM_OF_UDP_DST[], NXM_OF_UDP_DST[]=NXM_OF_UDP_SRC[],output:NXM_OF_IN_PORT[]),normal
hard_timeout=0,idle_timeout=0,priority=5,icmp_code=0,icmp,table=32,icmp_type=8,actions=learn(table=33,priority=5,hard_timeout=15,fin_idle_timeout=5,fin_hard_timeout=10,eth_type=0x800,nw_proto=1,icmp_type=0,icmp_code=0,NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],output:NXM_OF_IN_PORT[]),normal
hard_timeout=0,idle_timeout=0,priority=5,table=32,tcp,actions=learn(table=33,priority=5,hard_timeout=300,fin_idle_timeout=5,fin_hard_timeout=10,eth_type=0x800,nw_proto=6,NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_TCP_SRC[]=NXM_OF_TCP_DST[], NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],output:NXM_OF_IN_PORT[]),normal
hard_timeout=0,idle_timeout=0,priority=5,table=32,udp,actions=learn(table=33,priority=5,hard_timeout=120,fin_idle_timeout=5,fin_hard_timeout=10,eth_type=0x800,nw_proto=17,NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_UDP_SRC[]=NXM_OF_UDP_DST[], NXM_OF_UDP_DST[]=NXM_OF_UDP_SRC[],output:NXM_OF_IN_PORT[]),normal
Stdout:
Stderr: ovs-ofctl: -:7: 2019:2:2:2:f816:3eff:fea4:c484: invalid IP address
4. 思路是想修改 对于ipv6 的rule加载处做单独处理:
对于UDP 报文原来是这样的:
def _add_udp_rule(self,deferred_qbr,tap_ofport,qvb_ofport,rule):
if 'source_port_range_min' in rule and \
'source_port_range_max' in rule and \
'port_range_min' in rule and \
'port_range_max' in rule:
dest_port_mask_range = get_little_set(rule['source_port_range_min'],rule['source_port_range_max'])
src_port_mask_range = get_little_set(rule['port_range_min'],rule['port_range_max'])
for dst_port in dest_port_mask_range:
for src_port in src_port_mask_range:
if 'direction' in rule:
if rule['direction'] == 'ingress':
col_kwargs = {
'table':OVS_TABLE_IMCOMING_STATIC,
'proto':rule['protocol'],
'tp_dst': '%s/%s' % (src_port,src_port_mask_range[src_port]),
'tp_src': '%s/%s' % (dst_port,dest_port_mask_range[dst_port]),
'priority': 4,
'actions':'learn(table=%d,priority=5,hard_timeout=120,eth_type=0x800,nw_proto=17,NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_UDP_SRC[]=NXM_OF_UDP_DST[], NXM_OF_UDP_DST[]=NXM_OF_UDP_SRC[],output:NXM_OF_IN_PORT[]),normal' % (OVS_TABLE_OUTGOING_DYNAMIC)
}
if rule.get('source_ip_prefix',None):
col_kwargs['nw_src'] = rule['source_ip_prefix']
deferred_qbr.add_flow(**col_kwargs)
我在改为ipv6时发现:
table=%d,priority=5,hard_timeout=120,eth_type=0x800,nw_proto=17,NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_UDP_SRC[]=NXM_OF_UDP_DST[], NXM_OF_UDP_DST[]=NXM_OF_UDP_SRC[],output:NXM_OF_IN_PORT[] 不能这么写,标红色处会报错, 所以请教有人知道对于ipv6 源目的ip调换应该遵从什么协议文档? 格式是什么样子的?
|
|