netdev-dpdk: fix mbuf leaks
[cascardo/ovs.git] / tutorial / OVN-Tutorial.md
index 5f83828..2bcfc59 100644 (file)
@@ -54,9 +54,9 @@ You can use the `ovn-nbctl` utility to see an overview of the logical topology.
     $ ovn-nbctl show
     lswitch 78687d53-e037-4555-bcd3-f4f8eaf3f2aa (sw0)
         lport sw0-port1
-            macs: 00:00:00:00:00:01
+            addresses: 00:00:00:00:00:01
         lport sw0-port2
-            macs: 00:00:00:00:00:02
+            addresses: 00:00:00:00:00:02
 
 The `ovn-sbctl` utility can be used to see into the state stored in the
 `OVN_Southbound` database.  The `show` command shows that there is a single
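Review bot: relabelling `macs:` as `addresses:` in the sample `ovn-nbctl show` output (the `addresses: 00:00:00:00:00:01` / `addresses: 00:00:00:00:00:02` lines) ties the tutorial to a build whose ovn-nbctl prints the new field name, yet the prose around the sample still says nothing about which OVS/OVN build it was captured from; a reader on an older tree will see `macs:` and may conclude the sandbox is misconfigured. Suggest one sentence near this first `ovn-nbctl show` sample stating that the output shown is from the current master build and that older builds print the same field as `macs:`. The same applies to the identical relabelling in the later hunks, so a single statement here covers them all.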
@@ -193,14 +193,14 @@ View the logical topology with `ovn-nbctl`.
     $ ovn-nbctl show
     lswitch e3190dc2-89d1-44ed-9308-e7077de782b3 (sw0)
         lport sw0-port1
-            macs: 00:00:00:00:00:01
+            addresses: 00:00:00:00:00:01
         lport sw0-port2
-            macs: 00:00:00:00:00:02
+            addresses: 00:00:00:00:00:02
     lswitch c8ed4c5f-9733-43f6-93da-795b1aabacb1 (sw1)
         lport sw1-port1
-            macs: 00:00:00:00:00:03
+            addresses: 00:00:00:00:00:03
         lport sw1-port2
-            macs: 00:00:00:00:00:04
+            addresses: 00:00:00:00:00:04
 
 Physically, all ports reside on the same chassis.
 
@@ -279,13 +279,13 @@ You can start by viewing the logical topology with `ovn-nbctl`.
     $ ovn-nbctl show
     lswitch b977dc03-79a5-41ba-9665-341a80e1abfd (sw0)
         lport sw0-port1
-            macs: 00:00:00:00:00:01
+            addresses: 00:00:00:00:00:01
         lport sw0-port2
-            macs: 00:00:00:00:00:02
+            addresses: 00:00:00:00:00:02
         lport sw0-port4
-            macs: 00:00:00:00:00:04
+            addresses: 00:00:00:00:00:04
         lport sw0-port3
-            macs: 00:00:00:00:00:03
+            addresses: 00:00:00:00:00:03
 
 Using `ovn-sbctl` to view the state of the system, we can see that there are two
 chassis: one local that we can interact with, and a fake remote chassis. Two
@@ -394,24 +394,24 @@ The logical topology from `ovn-nbctl` should look like this.
     $ ovn-nbctl show
         lswitch 5a652488-cfba-4f3e-929d-00010cdfde40 (provnet1-2)
             lport provnet1-2-physnet1
-                macs: unknown
+                addresses: unknown
             lport provnet1-2-port1
-                macs: 00:00:00:00:00:02
+                addresses: 00:00:00:00:00:02
         lswitch 5829b60a-eda8-4d78-94f6-7017ff9efcf0 (provnet1-4)
             lport provnet1-4-port1
-                macs: 00:00:00:00:00:04
+                addresses: 00:00:00:00:00:04
             lport provnet1-4-physnet1
-                macs: unknown
+                addresses: unknown
         lswitch 06cbbcb6-38e3-418d-a81e-634ec9b54ad6 (provnet1-1)
             lport provnet1-1-port1
-                macs: 00:00:00:00:00:01
+                addresses: 00:00:00:00:00:01
             lport provnet1-1-physnet1
-                macs: unknown
+                addresses: unknown
         lswitch 9cba3b3b-59ae-4175-95f5-b6f1cd9c2afb (provnet1-3)
             lport provnet1-3-physnet1
-                macs: unknown
+                addresses: unknown
             lport provnet1-3-port1
-                macs: 00:00:00:00:00:03
+                addresses: 00:00:00:00:00:03
 
 `port1` on each logical switch represents a regular logical port for a VIF on a
 hypervisor.  `physnet1` on each logical switch is the special `localnet` port.
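Review bot: with the field now labelled `addresses`, the value `unknown` on the four `physnet1` localnet ports (`addresses: unknown`) is the only non-MAC value the reader sees, and the trailing prose ("`physnet1` on each logical switch is the special `localnet` port") does not say what it means. Suggest adding a sentence that `unknown` in `addresses` tells OVN to forward frames for destination MACs it does not otherwise know about out of that port, which is exactly why the localnet port carries it and the VIF ports carry a fixed MAC; leaving it unexplained invites readers to copy `unknown` onto regular VIF ports.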
@@ -548,47 +548,47 @@ set to `101`.
         lswitch 12ea93d0-694b-48e9-adef-d0ddd3ec4ac9 (provnet1-7-101)
             lport provnet1-7-physnet1-101
                 parent: , tag:101
-                macs: unknown
+                addresses: unknown
             lport provnet1-7-101-port1
-                macs: 00:00:00:00:00:07
+                addresses: 00:00:00:00:00:07
         lswitch c9a5ce3a-15ec-48ea-a898-416013463589 (provnet1-4)
             lport provnet1-4-port1
-                macs: 00:00:00:00:00:04
+                addresses: 00:00:00:00:00:04
             lport provnet1-4-physnet1
-                macs: unknown
+                addresses: unknown
         lswitch e07d4f7a-2085-4fbb-9937-d6192b79a397 (provnet1-1)
             lport provnet1-1-physnet1
-                macs: unknown
+                addresses: unknown
             lport provnet1-1-port1
-                macs: 00:00:00:00:00:01
+                addresses: 00:00:00:00:00:01
         lswitch 6c098474-0509-4219-bc9b-eb4e28dd1aeb (provnet1-2)
             lport provnet1-2-physnet1
-                macs: unknown
+                addresses: unknown
             lport provnet1-2-port1
-                macs: 00:00:00:00:00:02
+                addresses: 00:00:00:00:00:02
         lswitch 723c4684-5d58-4202-b8e3-4ba99ad5ed9e (provnet1-8-101)
             lport provnet1-8-101-port1
-                macs: 00:00:00:00:00:08
+                addresses: 00:00:00:00:00:08
             lport provnet1-8-physnet1-101
                 parent: , tag:101
-                macs: unknown
+                addresses: unknown
         lswitch 8444e925-ceb2-4b02-ac20-eb2e4cfb954d (provnet1-6-101)
             lport provnet1-6-physnet1-101
                 parent: , tag:101
-                macs: unknown
+                addresses: unknown
             lport provnet1-6-101-port1
-                macs: 00:00:00:00:00:06
+                addresses: 00:00:00:00:00:06
         lswitch e11e5605-7c46-4395-b28d-cff57451fc7e (provnet1-3)
             lport provnet1-3-port1
-                macs: 00:00:00:00:00:03
+                addresses: 00:00:00:00:00:03
             lport provnet1-3-physnet1
-                macs: unknown
+                addresses: unknown
         lswitch 0706b697-6c92-4d54-bc0a-db5bababb74a (provnet1-5-101)
             lport provnet1-5-101-port1
-                macs: 00:00:00:00:00:05
+                addresses: 00:00:00:00:00:05
             lport provnet1-5-physnet1-101
                 parent: , tag:101
-                macs: unknown
+                addresses: unknown
 
 The physical topology shows that we have 4 regular VIF ports on each simulated
 hypervisor.
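Review bot: the `parent: , tag:101` lines on `provnet1-5-physnet1-101`, `provnet1-6-physnet1-101`, `provnet1-7-physnet1-101` and `provnet1-8-physnet1-101` show an empty parent next to a populated tag, and nothing in this hunk or the lead-in ("set to `101`") tells the reader why a localnet port has a `tag` but no `parent`. Suggest a sentence after the sample explaining that `tag` on a localnet port is the VLAN tag used on the physical network, whereas `parent`/`tag` together are the container-in-VM pairing introduced in the new section 7 of this same change; otherwise the dangling `parent: ,` reads like truncated output rather than an intentionally empty field.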
@@ -628,8 +628,161 @@ see it output to OpenFlow ports 5 and 6 only.
     $ ovn/env5/packet2.sh
 
 
+6) Stateful ACLs
+----------------
+
+ACLs provide a way to do distributed packet filtering for OVN networks.  One
+example use of ACLs is that OpenStack Neutron uses them to implement security
+groups.  ACLs are implemented using conntrack integration with OVS.
+
+Start with a simple logical switch with 2 logical ports.
+
+[View ovn/env6/setup.sh][env6setup].
+
+    $ ovn/env6/setup.sh
+
+A common use case would be the following policy applied for `sw0-port1`:
+
+* Allow outbound IP traffic and associated return traffic.
+* Allow incoming ICMP requests and associated return traffic.
+* Allow incoming SSH connections and associated return traffic.
+* Drop other incoming IP traffic.
+
+The following script applies this policy to our environment.
+
+[View ovn/env6/add-acls.sh][env6acls].
+
+    $ ovn/env6/add-acls.sh
+
+We can view the configured ACLs on this network using the `ovn-nbctl` command.
+
+    $ ovn-nbctl acl-list sw0
+    from-lport  1002 (inport == “sw0-port1” && ip) allow-related
+      to-lport  1002 (outport == “sw0-port1” && ip && icmp) allow-related
+      to-lport  1002 (outport == “sw0-port1” && ip && tcp && tcp.dst == 22) allow-related
+      to-lport  1001 (outport == “sw0-port1” && ip) drop
+
+Now that we have ACLs configured, there are new entries in the logical flow
+table in the stages `switch_in_pre_acl`, switch_in_acl`, `switch_out_pre_acl`,
+and `switch_out_acl`.
+
+    $ ovn-sbctl lflow-list
+
+Let’s look more closely at `switch_out_pre_acl` and `switch_out_acl`.
+
+In `switch_out_pre_acl`, we match IP traffic and put it through the connection
+tracker.  This populates the connection state fields so that we can apply policy
+as appropriate.
+
+    table=0(switch_out_pre_acl), priority=  100, match=(ip), action=(ct_next;)
+    table=1(switch_out_pre_acl), priority=    0, match=(1), action=(next;)
+
+In `switch_out_acl`, we allow packets associated with existing connections.  We
+drop packets that are deemed to be invalid (such as non-SYN TCP packet not
+associated with an existing connection).
+
+    table=1(switch_out_acl), priority=65535, match=(!ct.est && ct.rel && !ct.new && !ct.inv), action=(next;)
+    table=1(switch_out_acl), priority=65535, match=(ct.est && !ct.rel && !ct.new && !ct.inv), action=(next;)
+    table=1(switch_out_acl), priority=65535, match=(ct.inv), action=(drop;)
+
+For new connections, we apply our configured ACL policy to decide whether to
+allow the connection or not.  In this case, we’ll allow ICMP or SSH.  Otherwise,
+we’ll drop the packet.
+
+    table=1(switch_out_acl), priority= 2002, match=(ct.new && (outport == “sw0-port1” && ip && icmp)), action=(ct_commit; next;)
+    table=1(switch_out_acl), priority= 2002, match=(ct.new && (outport == “sw0-port1” && ip && tcp && tcp.dst == 22)), action=(ct_commit; next;)
+    table=1(switch_out_acl), priority= 2001, match=(outport == “sw0-port1” && ip), action=(drop;)
+
+When using ACLs, the default policy is to allow and track IP connections.  Based
+on our above policy, IP traffic directed at `sw0-port1` will never hit this flow
+at priority 1.
+
+    table=1(switch_out_acl), priority=    1, match=(ip), action=(ct_commit; next;)
+    table=1(switch_out_acl), priority=    0, match=(1), action=(next;)
+
+Note that conntrack integration is not yet supported in ovs-sandbox, so the
+OpenFlow flows will not represent what you’d see in a real environment.  The
+logical flows described above give a very good idea of what the flows look like,
+though.
+
+[This blog post][openstack-ovn-acl-blog] discusses OVN ACLs from an OpenStack
+perspective and also provides an example of what the resulting OpenFlow flows
+look like.
+
+7) Container Ports
+------------------
+
+OVN supports containers running directly on the hypervisors and running
+containers inside VMs. This example shows how OVN supports network
+virtualization to containers when run inside VMs. Details about how to use
+docker containers in OVS can be found [here][openvswitch-docker].
+
+To support container traffic created inside a VM and to distinguish network
+traffic coming from different container vifs, for each container a logical
+port needs to be created with parent name set to the VM's logical port and
+the tag set to the vlan tag of the container vif.
+
+Start with a simple logical switch with 3 logical ports.
+
+[View ovn/env7/setup.sh][env7setup].
+
+    $ ovn/env7/setup.sh
+
+Lets create a container vif attached to the logical port 'sw0-port1' and
+another container vif attached to the logical port 'sw0-port2'.
+
+[View ovn/env7/add-container-ports.sh][env7contports]
+
+    $ ovn/env7/add-container-ports.sh
+
+Run the `ovn-nbctl` command to see the logical ports
+
+    $ovn-nbctl show
+
+
+As you can see a logical port 'csw0-cport1' is created on a logical
+switch 'csw0' whose parent is 'sw0-port1' and it has tag set to 42.
+And a logical port 'csw0-cport2' is created on the logical switch 'csw0'
+whose parent is 'sw0-port2' and it has tag set to 43.
+
+Bridge 'br-vmport1' represents the ovs bridge running inside the VM
+connected to the logical port 'sw0-port1'. In this tutorial the ovs port
+to 'sw0-port1' is created as a patch port with its peer connected to the
+ovs bridge 'br-vmport1'. An ovs port 'cport1' is added to 'br-vmport1'
+which represents the container interface connected to the ovs bridge
+and vlan tag set to 42. Similarly 'br-vmport2' represents the ovs bridge
+for the logical port 'sw0-port2' and 'cport2' connected to 'br-vmport2'
+with vlan tag set to 43.
+
+This first trace shows a packet from 'csw0-port1' with a destination mac
+address of 'csw0-port2'. You can see ovs bridge of the vm 'br-vmport1' tags
+the traffic with vlan id 42 and the traffic reaches to the br-int because
+of the patch port. As you can see below `ovn-controller` has added a flow
+to strip the vlan tag and set the reg6 and metadata appropriately.
+
+    $ ovs-ofctl -O OpenFlow13 dump-flows br-int
+    OFPST_FLOW reply (OF1.3) (xid=0x2):
+    cookie=0x0, duration=2767.032s, table=0, n_packets=0, n_bytes=0, priority=150,in_port=3,dl_vlan=42 actions=pop_vlan,set_field:0x3->reg5,set_field:0x2->metadata,set_field:0x1->reg6,resubmit(,16)
+    cookie=0x0, duration=2767.002s, table=0, n_packets=0, n_bytes=0, priority=150,in_port=4,dl_vlan=43 actions=pop_vlan,set_field:0x4->reg5,set_field:0x2->metadata,set_field:0x2->reg6,resubmit(,16)
+    cookie=0x0, duration=2767.032s, table=0, n_packets=0, n_bytes=0, priority=100,in_port=3 actions=set_field:0x1->reg5,set_field:0x1->metadata,set_field:0x1->reg6,resubmit(,16)
+    cookie=0x0, duration=2767.001s, table=0, n_packets=0, n_bytes=0, priority=100,in_port=4 actions=set_field:0x2->reg5,set_field:0x1->metadata,set_field:0x2->reg6,resubmit(,16)
+
+[View ovn/env7/packet1.sh][env7packet1].
+
+    $ ovn/env5/packet1.sh
+
+
+The second trace shows a packet from 'csw0-port2' to 'csw0-port1'.
+
+[View ovn/env7/packet2.sh][env7packet2].
+
+    $ ovn/env5/packet1.sh
+
+You can extend this setup by adding additional container ports with two
+hypervisors. Please see the tutorial 3 above.
+
 [ovn-architecture(7)]:http://openvswitch.org/support/dist-docs/ovn-architecture.7.html
-[Tutorial.md]:./Tutorial.md
+[Tutorial.md]:https://github.com/openvswitch/ovs/blob/master/tutorial/Tutorial.md
 [ovn-nb(5)]:http://openvswitch.org/support/dist-docs/ovn-nb.5.html
 [ovn-sb(5)]:http://openvswitch.org/support/dist-docs/ovn-sb.5.html
 [vtep(5)]:http://openvswitch.org/support/dist-docs/vtep.5.html
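Review bot: both trace steps in the new section 7 run the wrong scripts: under "[View ovn/env7/packet1.sh][env7packet1]." the command is `$ ovn/env5/packet1.sh`, and under "[View ovn/env7/packet2.sh][env7packet2]." it is again `$ ovn/env5/packet1.sh`, so a reader following along replays the env5 trace twice and never exercises the container-port flows dumped just above. They should be `$ ovn/env7/packet1.sh` and `$ ovn/env7/packet2.sh`. Further points in this hunk: the ACL listing and the `switch_out_acl` flows use typographic quotes (`inport == “sw0-port1” && ip`, `outport == “sw0-port1” && ip && icmp`), which ovn-nbctl does not print and which will not parse if a reader pastes the match back into `ovn-nbctl acl-add`; use straight `"` quotes. The second pre-ACL flow is shown as `table=1(switch_out_pre_acl), priority=    0, match=(1), action=(next;)` while the first is `table=0(switch_out_pre_acl)` and `switch_out_acl` is table 1; the stage/table pairing of that line should be checked against real `ovn-sbctl lflow-list` output. The sentence "When using ACLs, the default policy is to allow and track IP connections" deserves emphasis as a security caveat: it means a port with no `drop` ACL is wide open, and it is only the priority-1001 `drop` that makes `sw0-port1` default-deny, so readers writing their own ACL sets should be told to include that catch-all. Minor: `switch_in_acl`` is missing its opening backtick; `$ovn-nbctl show` is missing the space after `$`; the trace prose says `csw0-port1`/`csw0-port2` while the ports created are `csw0-cport1`/`csw0-cport2`; "Lets create" should be "Let's create"; and "Please see the tutorial 3 above" should refer to section 3.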
@@ -639,23 +792,31 @@ see it output to OpenFlow ports 5 and 6 only.
 [vtep-ctl(8)]:http://openvswitch.org/support/dist-docs/vtep-ctl.8.html
 [ovn-nbctl(8)]:http://openvswitch.org/support/dist-docs/ovn-nbctl.8.html
 [ovn-sbctl(8)]:http://openvswitch.org/support/dist-docs/ovn-sbctl.8.html
-[env1setup]:./ovn/env1/setup.sh
-[env1packet1]:./ovn/env1/packet1.sh
-[env1packet2]:./ovn/env1/packet2.sh
-[env1thirdport]:./ovn/env1/add-third-port.sh
-[env2setup]:./ovn/env2/setup.sh
-[env2packet1]:./ovn/env2/packet1.sh
-[env2packet2]:./ovn/env2/packet2.sh
-[env3setup]:./ovn/env3/setup.sh
-[env3packet1]:./ovn/env3/packet1.sh
-[env3packet2]:./ovn/env3/packet2.sh
-[env4setup1]:./ovn/env4/setup1.sh
-[env4setup2]:./ovn/env4/setup2.sh
-[env4packet1]:./ovn/env4/packet1.sh
-[env4packet2]:./ovn/env4/packet2.sh
-[env4packet3]:./ovn/env4/packet3.sh
-[env4packet4]:./ovn/env4/packet4.sh
-[env4packet5]:./ovn/env4/packet5.sh
-[env5setup]:./ovn/env5/setup.sh
-[env5packet1]:./ovn/env5/packet1.sh
-[env5packet2]:./ovn/env5/packet2.sh
+[env1setup]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env1/setup.sh
+[env1packet1]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env1/packet1.sh
+[env1packet2]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env1/packet2.sh
+[env1thirdport]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env1/add-third-port.sh
+[env2setup]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env2/setup.sh
+[env2packet1]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env2/packet1.sh
+[env2packet2]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env2/packet2.sh
+[env3setup]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env3/setup.sh
+[env3packet1]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env3/packet1.sh
+[env3packet2]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env3/packet2.sh
+[env4setup1]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env4/setup1.sh
+[env4setup2]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env4/setup2.sh
+[env4packet1]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env4/packet1.sh
+[env4packet2]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env4/packet2.sh
+[env4packet3]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env4/packet3.sh
+[env4packet4]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env4/packet4.sh
+[env4packet5]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env4/packet5.sh
+[env5setup]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env5/setup.sh
+[env5packet1]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env5/packet1.sh
+[env5packet2]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env5/packet2.sh
+[env6setup]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env6/setup.sh
+[env6acls]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env6/add-acls.sh
+[env7setup]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env7/setup.sh
+[env7contports]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env7/add-container-ports.sh
+[env7packet1]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env7/packet1.sh
+[env7packet2]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env7/packet2.sh
+[openstack-ovn-acl-blog]:http://blog.russellbryant.net/2015/10/22/openstack-security-groups-using-ovn-acls/
+[openvswitch-docker]:http://openvswitch.org/support/dist-docs/INSTALL.Docker.md.txt
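Review bot: switching every `[envN...]` reference and `[Tutorial.md]` from in-tree relative paths (`./ovn/env1/setup.sh`) to `https://github.com/openvswitch/ovs/blob/master/tutorial/...` decouples the links from the checkout the reader is actually running: the commands in the body (`$ ovn/env6/setup.sh`, `$ ovn/env7/add-container-ports.sh`) execute the local scripts, but the "View" links now show whatever is on master, which will drift from a release branch or a fork such as this one. If the motivation is rendering on a web front end that cannot resolve relative links, say so in the commit message, and consider pinning the URLs to a tag or keeping the relative form so the viewed script matches the executed one. Also, `[openvswitch-docker]` points at a `.txt` rendering of `INSTALL.Docker.md`, while the other dist-docs links use the `.html` manpages; a consistent target would be easier to maintain.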