1. 簡介neutron-l3-agent
OpenStack neutron-l3-agent 主要負責實現網絡三層協議,爲虛擬機完成SNAT,DNAT等地址的轉換與僞裝,提供安全彈性隔離的雲網絡環境,
下面詳細敘述了OpenStack如何使用iptables鏈與規則完成複雜的neutron-l3-agent 的網絡地址轉換(NAT)功能,虛擬機floating ip與fixed ip綁定的工作原理。
2. iptables 簡介
2.1 iptables 鏈拓撲結構
2.2 iptables 表結構
Table filter:
Chain INPUT
Chain FORWARDChain OUTPUT
filter 表用於一般的信息包過濾,它包含 INPUT 、 OUTPUT 和 FORWARD 鏈。
Table nat:
Chain PREROUTING
Chain OUTPUT
Chain POSTROUTING
PREROUTING 鏈由指定信息包一到達防火牆就改變它們的規則所組成,而 POSTROUTING 鏈由指定正當信息包打算離開防火牆時改變它們的規則所組成。
3. iptables command
# 添加一條規則到 INPUT 鏈的末尾,ACCEPT 來自源地址 10.9.1.141 的包
[root@xianghui-10-9-1-141 ~]# iptables -A INPUT -s 10.9.1.141 -j ACCEPT#允許protocol爲TCP 、 UDP 、 ICMP 的包通過
[root@xianghui-10-9-1-141 ~]# iptables -A INPUT -p TCP, UDP[root@xianghui-10-9-1-141 ~]# iptables -D INPUT --dport 80 -j DROP[root@xianghui-10-9-1-141 ~]# iptables -P INPUT DROP# 創建一個新鏈new-chain
[root@xianghui-10-9-1-141 ~]# iptables -N new-chain# 刪除Table filter 中的所有規則
[root@xianghui-10-9-1-141 ~]# iptables -F# 列出INPUT鏈中的所有規則
[root@xianghui-10-9-1-141 ~]# iptables -L INPUT# 刪除鏈
[root@xianghui-10-9-1-141 ~]# iptables -X4. 配置neutron-l3-agent
[root@xianghui-10-9-1-141 ~]# neutron router-create router1
+--------------------------------------+---------+-----------------------+
| id | name | external_gateway_info |
+--------------------------------------+---------+-----------------------+
|c36b384e-b1f5-45e5-bb4f-c3ed32885142 | router1 | null |
+--------------------------------------+---------+-----------------------+[root@xianghui-10-9-1-141 ~]# vi /etc/neutron/l3_agent.ini
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
# OS is RHEL6.4, not support namespace
use_namespaces = False
# This is done by setting the specific router_id.
router_id = c36b384e-b1f5-45e5-bb4f-c3ed32885142
# Name of bridge used for external network traffic. This should be set to
# empty value for the linux bridge
external_network_bridge = br-eth1[root@xianghui-10-9-1-141 ~]# service neutron-l3-agent restart啓用轉發功能
[root@xianghui-10-9-1-141 ~]# echo 1 > /proc/sys/net/ipv4/ip_forward5. neutron 利用iptables 實現 NAT 原理
iptables 中neutron l3 agent自定義的鏈:neutron-l3-agent-PREROUTING
neutron-l3-agent-OUTPUT
neutron-l3-agent-POSTROUTING
創建外部網絡(分配floatingip)
[root@xianghui-10-9-1-141 ~]# neutron net-create ext_net --router:external=True
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| id | 2d72d81b-cf09-459e-87fb-a50fa0e8730a |
| name | ext_net |
| provider:network_type | vlan |
| provider:physical_network | physnet1 |
| provider:segmentation_id | 1000 |
| router:external | True |
| shared | False |
| status | ACTIVE |
| subnets | e1932e73-1e4b-4f87-9ebf-758a757e20ef |
| tenant_id | b21a96e16c3c438caab4a27a1f58a5b8 |
+---------------------------+--------------------------------------+[root@oc2603148815 cfn]# subnet-create ext_net --allocation-pool start=192.168.12.10,end=192.168.12.50 --gateway 192.168.12.1 192.168.12.0/24 --enable_dhcp=False
+------------------+----------------------------------------------------+
| Field | Value |
+------------------+----------------------------------------------------+
| allocation_pools | {"start": "192.168.12.10", "end": "192.168.12.50"} |
| cidr | 192.168.12.0/24 |
| dns_nameservers | |
| enable_dhcp | False |
| gateway_ip | 192.168.12.1 |
| host_routes | |
| id | e1932e73-1e4b-4f87-9ebf-758a757e20ef |
| ip_version | 4 |
| name | |
| network_id | 2d72d81b-cf09-459e-87fb-a50fa0e8730a |
| tenant_id | b21a96e16c3c438caab4a27a1f58a5b8 |
+------------------+----------------------------------------------------+[root@oc2603148815 cfn]# neutron net-create vlan-70 --provider:network_type vlan --provider:physical_network physnet1 --provider:segmentation_id 16
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| id | 793a95b7-cf1f-4bde-b7b8-5a9a2e552fae |
| name | vlan-70 |
| provider:network_type | vlan |
| provider:physical_network | physnet1 |
| provider:segmentation_id | 16 |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | f542941d-5d53-45e4-85d0-944e030c2bcc |
| tenant_id | b21a96e16c3c438caab4a27a1f58a5b8 |
+---------------------------+--------------------------------------+[root@oc2603148815 cfn]# neutron subnet-create vlan-70 70.0.0.0/24
+------------------+--------------------------------------------+
| Field | Value |
+------------------+--------------------------------------------+
| allocation_pools | {"start": "70.0.0.2", "end": "70.0.0.254"} |
| cidr | 70.0.0.0/24 |
| dns_nameservers | |
| enable_dhcp | True |
| gateway_ip | 70.0.0.1 |
| host_routes | |
| id | f542941d-5d53-45e4-85d0-944e030c2bcc |
| ip_version | 4 |
| name | |
| network_id | 793a95b7-cf1f-4bde-b7b8-5a9a2e552fae |
| tenant_id | b21a96e16c3c438caab4a27a1f58a5b8 |
+------------------+--------------------------------------------+[root@oc2603148815 cfn]# neutron net-list
+--------------------------------------+---------+------------------------------------------------------+
| id | name | subnets |
+--------------------------------------+---------+------------------------------------------------------+
| 2d72d81b-cf09-459e-87fb-a50fa0e8730a | ext_net | e1932e73-1e4b-4f87-9ebf-758a757e20ef 192.168.12.0/24 |
| 793a95b7-cf1f-4bde-b7b8-5a9a2e552fae | vlan-70 | f542941d-5d53-45e4-85d0-944e030c2bcc 70.0.0.0/24 |
+--------------------------------------+---------+------------------------------------------------------+# neutron router-gateway-set $ROUTER_ID $EXTERNAL_NETWORK_ID
[root@oc2603148815 cfn]# neutron router-gateway-set 06d85a01-fc42-4cde-a0f1-377f2f394a64 2d72d81b-cf09-459e-87fb-a50fa0e8730a
# neutron router-interface-add $ROUTER_ID $SUBNET_ID
[root@oc2603148815 cfn]# neutron router-interface-add 06d85a01-fc42-4cde-a0f1-377f2f394a64 f542941d-5d53-45e4-85d0-944e030c2bcc經過上面的步驟後neutron-l3-agent會加入下列規則到iptables:
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -s 70.0.0.0/24 -j SNAT --to-source 192.168.12.10
-A neutron-postrouting-bottom -j neutron-l3-agent-snat[root@xianghui-10-9-1-141 ~]# neutron floatingip-create 2d72d81b-cf09-459e-87fb-a50fa0e8730a
Created a new floatingip:
+---------------------+--------------------------------------+
| Field | Value |
+---------------------+--------------------------------------+
| fixed_ip_address | |
| floating_ip_address | 192.168.12.11 |
| floating_network_id | 2d72d81b-cf09-459e-87fb-a50fa0e8730a |
| id | f8b48ab7-ea51-4f29-bc84-0ab179808dbb |
| port_id | |
| router_id | |
| tenant_id | adc4e7a4effa44ffa3c6e48dd5a8555a |
+---------------------+--------------------------------------+找出想要被綁定的fixed ip 的port id
[root@xianghui-10-9-1-141 ~]# neutron port-list
+--------------------------------------+------+-------------------+--------------------------------------------------------------------------------------+
| id | name | mac_address | fixed_ips |
+--------------------------------------+------+-------------------+--------------------------------------------------------------------------------------+
| 0d06055b-2f31-4d8e-b8da-e048d76a07cc | | fa:16:3e:d7:f4:19 | {"subnet_id": "5c62752f-27ba-4d38-9702-2ca17ec2741d", "ip_address": "70.0.0.3"} |
+--------------------------------------+------+-------------------+--------------------------------------------------------------------------------------+[root@xianghui-10-9-1-141 ~]# neutron floatingip-associate f8b48ab7-ea51-4f29-bc84-0ab179808dbb0d06055b-2f31-4d8e-b8da-e048d76a07cc
Associated floatingip f8b48ab7-ea51-4f29-bc84-0ab179808dbb[root@xianghui-10-9-1-141 ~]# neutron floatingip-list
+--------------------------------------+------------------+---------------------+--------------------------------------+
| id | fixed_ip_address | floating_ip_address | port_id |
+--------------------------------------+------------------+---------------------+--------------------------------------+
| f8b48ab7-ea51-4f29-bc84-0ab179808dbb | 70.0.0.3 | 192.168.12.11 | b0797fe6-b799-41ea-86d0-9d9bfa0b2eb9 |
+--------------------------------------+------------------+---------------------+--------------------------------------+經過前面步驟後,iptables會多出下面的規則, 所有目標ip是192.168.12.11的包都會被轉發到ip 70.0.0.3的guest上
-A neutron-l3-agent-OUTPUT -d 192.168.12.11/32 -j DNAT --to-destination 70.0.0.3
-A neutron-l3-agent-PREROUTING -d 192.168.12.11/32 -j DNAT --to-destination 70.0.0.3
-A neutron-l3-agent-float-snat -s 70.0.0.3/32 -j SNAT --to-source 192.168.12.11源地址轉換(SNAT)
[root@xianghui-10-9-1-141 ~]# iptables -t nat -Aneutron-l3-agent-float-snat -s 70.0.0.6/32-j SNAT --to-source 192.168.12.100[root@xianghui-10-9-1-141 ~]# iptables -t nat -Aneutron-l3-agent-PREROUTING -d 192.168.12.100/32-j DNAT --to-destination 70.0.0.6測試:(從guest 70.0.0.11上ping 192.168.12.100, 結果被轉發到70.0.0.6的guest上)
[root@xianghui-10-9-1-141 ~]# ssh [email protected]
[ec2-user@wordpress-test-wikidatabase-jevfsmkbakch ~]$ ping 192.168.12.100
PING 192.168.12.100 (192.168.12.100) 56(84) bytes of data.
64 bytes from 70.0.0.6: icmp_req=1 ttl=64 time=3.09 ms
64 bytes from 70.0.0.6: icmp_req=2 ttl=64 time=0.281 ms
64 bytes from 70.0.0.6: icmp_req=3 ttl=64 time=0.151 ms[root@xianghui-10-9-1-141 ~]# iptables -t nat -A POSTROUTING -j neutron-l3-agent-float-snat
[ec2-user@wordpress-test-wikidatabase-jevfsmkbakch ~]$ ping 192.168.12.100
PING 192.168.12.100 (192.168.12.100) 56(84) bytes of data.
64 bytes from 192.168.12.100: icmp_req=1 ttl=63 time=2.47 ms
64 bytes from 192.168.12.100: icmp_req=2 ttl=63 time=0.199 ms
64 bytes from 192.168.12.100: icmp_req=3 ttl=63 time=0.251 ms7. 實例分析(ALL-IN-ONE)
7.1 虛擬機的網絡拓撲
7.2 虛擬機之間用floating ip ping通
# ping 192.168.12.100(70.0.0.6) from 70.0.0.11
# s:70.0.0.11 d:70.0.0.6
# prerouting -> forward -> postrouting
[root@xianghui-10-9-1-141 ~]# iptables -A neutron-l3-agent-FORWARD -d 70.0.0.11/32 -j ACCEPT
[root@xianghui-10-9-1-141 ~]# iptables -A neutron-l3-agent-FORWARD -d 70.0.0.6/32 -j ACCEPT
[root@xianghui-10-9-1-141 ~]# iptables -t nat -A neutron-l3-agent-PREROUTING -d 192.168.12.100/32 -j DNAT --to-destination 70.0.0.67.3 虛擬機主機ping通虛擬機的floating ip
-A OUTPUT -j neutron-l3-agent-OUTPUT
[root@xianghui-10-9-1-141 ~]# iptables -A neutron-l3-agent-OUTPUT -d 192.168.12.100/32 -j DNAT --to-destination 70.0.0.6