Issue with conntrack
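#!/usr/bin/env bash
#
# Issue with conntrack — reproducer.
#
# Builds one OVS bridge (test0) with two network namespaces attached and
# installs an OpenFlow 1.3 pipeline:
#   table 0        dispatch: IP from the two VM ports -> egress ACL (40),
#                  ARP -> ARP responder (81)
#   tables 21-28   L3 and floating-IP translation done with set_field
#                  (stateless; table 27 is installed but nothing jumps to it)
#   tables 40/41   egress ACL, connection tracking in ct zone 5002
#   table 81       ARP responder for the two floating IPs and the router
#   table 220      delivery to the VM ports
#   tables 251/252 ingress ACL, same ct zone
#
# Addressing (unchanged from the original command log):
#   router  10.100.5.1     MAC fa:16:3e:57:f2:9a
#   ns1     10.100.5.8/24  MAC fa:16:3e:1d:3d:01  port 1  FIP 192.168.56.31 / fa:16:3e:00:eb:c0
#   ns2     10.100.5.9/24  MAC fa:16:3e:13:85:be  port 2  FIP 192.168.56.32 / fa:16:3e:71:b6:6e
#
# Deliberate differences from the original command log:
#   - stops at the first failing command instead of carrying on with a
#     half-built bridge (set -e);
#   - OpenFlow port numbers are pinned with ofport_request, so the
#     in_port=1/2 matches cannot silently refer to the wrong interface;
#   - the egress ACL entry in table 40 also matches in_port, so one port
#     cannot pass the ACL by sending with the other port's MAC and IP;
#   - the ARP responder loads the hardware address into the ARP payload
#     from the same MAC it writes into the Ethernet source (the router entry
#     previously advertised fa:16:3e:7c:66:1a in the payload while sending
#     from fa:16:3e:57:f2:9a on the wire);
#   - the router's ARP responder flow has priority=100 like its siblings
#     instead of relying on the default priority.
# Table numbers, priorities, zone and ct_state matches are the original ones,
# so the conntrack behaviour under test is unchanged.
#
# NOTE(review): because translation uses set_field rather than ct(nat), zone
# 5002 commits one entry for the pre-translation tuple (table 41) and a second
# one for the post-translation tuple (table 252) of the same connection; if the
# reported issue concerns ct_state, this is the first thing to check.
#
# Requires: sudo, iproute2 (ip), Open vSwitch (ovs-vsctl, ovs-ofctl).

set -euo pipefail

readonly BRIDGE=test0
readonly CT_ZONE=5002
readonly ROUTER_IP=10.100.5.1
readonly ROUTER_MAC=fa:16:3e:57:f2:9a

readonly NS1_IP=10.100.5.8
readonly NS1_MAC=fa:16:3e:1d:3d:01
readonly NS1_FIP=192.168.56.31
readonly NS1_FIP_MAC=fa:16:3e:00:eb:c0
readonly NS1_PORT=1

readonly NS2_IP=10.100.5.9
readonly NS2_MAC=fa:16:3e:13:85:be
readonly NS2_FIP=192.168.56.32
readonly NS2_FIP_MAC=fa:16:3e:71:b6:6e
readonly NS2_PORT=2

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Fail early with a clear message rather than half-way through the setup.
require_tools() {
  local tool
  for tool in sudo ip ovs-vsctl ovs-ofctl; do
    command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
  done
}

# Convert a colon-separated MAC (fa:16:3e:00:eb:c0) to the 0x-prefixed hex
# form that load:...->NXM_NX_ARP_SHA[] expects (0xfa163e00ebc0).
mac_hex() {
  printf '0x%s' "${1//:/}"
}

# Convert a dotted-quad IPv4 address (192.168.56.31) to 0x-prefixed hex
# (0xc0a8381f) for load:...->NXM_OF_ARP_SPA[].
ip_hex() {
  local a b c d
  IFS=. read -r a b c d <<<"$1"
  printf '0x%02x%02x%02x%02x' "$a" "$b" "$c" "$d"
}

# Install one OpenFlow 1.3 flow on the bridge.
# Arguments: $1 - flow specification in ovs-ofctl syntax
add_flow() {
  sudo ovs-ofctl -v -O OpenFlow13 add-flow "$BRIDGE" "$1"
}

#######################################
# Create a namespace with a veth pair; the outer end is attached to the
# bridge at a fixed OpenFlow port, the inner end gets the MAC, address and
# default route.
# Arguments: $1 - namespace name (interfaces are v<ns> / vpeer<ns>)
#            $2 - IPv4 address with prefix length for the inner end
#            $3 - MAC address of the inner end
#            $4 - default gateway
#            $5 - OpenFlow port number to request for the outer end
#######################################
create_ns() {
  local ns=$1 cidr=$2 mac=$3 gw=$4 ofport=$5
  local host_if="v${ns}" ns_if="vpeer${ns}"
  sudo ip netns add "$ns"
  sudo ip link add "$host_if" type veth peer name "$ns_if"
  sudo ip link set "$ns_if" netns "$ns"
  sudo ip link set "$host_if" up
  sudo ip netns exec "$ns" ip link set "$ns_if" address "$mac"
  sudo ip netns exec "$ns" ip addr add dev "$ns_if" "$cidr"
  sudo ip netns exec "$ns" ip link set "$ns_if" up
  sudo ip netns exec "$ns" ip route add default via "$gw"
  # ofport_request pins the port number the flow tables refer to via in_port.
  sudo ovs-vsctl add-port "$BRIDGE" "$host_if" \
    -- set Interface "$host_if" "ofport_request=${ofport}"
}

#######################################
# Install a table-81 ARP responder that answers requests for one IP.
# The ARP payload hardware address is derived from the same MAC used as
# Ethernet source, so the two can never disagree.
# Arguments: $1 - IPv4 address to answer for
#            $2 - MAC address to answer with
#            $3 - value loaded into NXM_NX_REG6[] (kept from the original)
#            $4 - trailing action(s) that hand the reply to table 220
#######################################
arp_responder() {
  local ip=$1 mac=$2 reg6=$3 tail=$4
  add_flow "table=81,priority=100,arp,arp_tpa=${ip},arp_op=1,actions=move:NXM_OF_ETH_SRC[]->NXM_OF_ETH_DST[],set_field:${mac}->eth_src,load:0x2->NXM_OF_ARP_OP[],move:NXM_NX_ARP_SHA[]->NXM_NX_ARP_THA[],move:NXM_OF_ARP_SPA[]->NXM_OF_ARP_TPA[],load:$(mac_hex "$mac")->NXM_NX_ARP_SHA[],load:$(ip_hex "$ip")->NXM_OF_ARP_SPA[],load:0->NXM_OF_IN_PORT[],load:${reg6}->NXM_NX_REG6[],${tail}"
}

#######################################
# Flows that do not depend on a particular VM: dispatch of ARP, ACL
# defaults and state handling, the router's ARP responder, ARP fallback.
#######################################
install_shared_flows() {
  # Dispatcher: all ARP goes to the responder table.
  add_flow "table=0,priority=42,arp,actions=goto_table=81"

  # Egress ACL defaults (table 40 entry flows are per VM).
  add_flow "table=40,priority=0,actions=drop"
  add_flow "table=41,priority=62020,ct_state=-new+est-rel-inv+trk,actions=resubmit(,21)"
  add_flow "table=41,priority=62020,ct_state=-new-est+rel-inv+trk,actions=resubmit(,21)"
  add_flow "table=41,priority=62020,ct_state=+inv+trk,actions=drop"
  add_flow "table=41,priority=50,ct_state=+new+trk,actions=drop"
  add_flow "table=41,priority=0,actions=drop"

  # ARP responder for the router, then NORMAL for anything not answered.
  arp_responder "$ROUTER_IP" "$ROUTER_MAC" 0x100 "resubmit(,220)"
  add_flow "table=81,priority=10,arp,actions=NORMAL"

  # Ingress ACL defaults (table 251 entry flows are per VM).
  add_flow "table=251,priority=0,actions=drop"
  add_flow "table=252,priority=62020,ct_state=-new+est-rel-inv+trk,actions=resubmit(,220)"
  add_flow "table=252,priority=62020,ct_state=-new-est+rel-inv+trk,actions=resubmit(,220)"
  add_flow "table=252,priority=62020,ct_state=+inv+trk,actions=drop"
  add_flow "table=252,priority=50,ct_state=+new+trk,actions=drop"
  add_flow "table=252,priority=0,actions=drop"
}

#######################################
# Flows for one VM: dispatch, floating-IP translation both ways, egress and
# ingress ACL entries, ARP responder for its floating IP, and delivery.
# Arguments: $1 - OpenFlow port the VM is attached to
#            $2 - VM IPv4 address
#            $3 - VM MAC address
#            $4 - floating IPv4 address
#            $5 - MAC used on the wire for the floating IP
#######################################
install_vm_flows() {
  local port=$1 ip=$2 mac=$3 fip=$4 fip_mac=$5

  # Dispatcher: IP from this port goes to the egress ACL.
  add_flow "table=0,priority=10,in_port=${port},ip,actions=goto_table=40"

  # L3: traffic to the VM's real address goes straight to the ingress ACL;
  # traffic to its floating IP is translated in tables 25/26/28 first.
  add_flow "table=21,priority=42,ip,nw_dst=${ip},actions=resubmit(,251)"
  add_flow "table=21,priority=42,ip,nw_dst=${fip},actions=set_field:${fip_mac}->eth_dst,goto_table:25"
  add_flow "table=25,priority=10,ip,dl_dst=${fip_mac},nw_dst=${fip},actions=set_field:${ip}->ip_dst,set_field:${ROUTER_MAC}->eth_src,set_field:${mac}->eth_dst,goto_table:26"
  add_flow "table=26,priority=10,ip,nw_src=${ip},actions=set_field:${fip}->ip_src,goto_table:28"
  # Kept from the original; no flow currently resubmits to or jumps to table 27.
  add_flow "table=27,priority=10,ip,nw_dst=${ip},actions=resubmit(,21)"
  add_flow "table=28,priority=10,ip,nw_src=${fip},actions=set_field:${fip_mac}->eth_src,resubmit(,21)"

  # Egress ACL: the source MAC/IP pair is bound to the port it belongs to.
  add_flow "table=40,priority=61010,in_port=${port},ip,dl_src=${mac},nw_src=${ip},actions=ct(table=41,zone=${CT_ZONE})"
  add_flow "table=41,priority=1000,ct_state=+new+trk,ip,dl_src=${mac},nw_src=${ip},actions=ct(commit,zone=${CT_ZONE}),resubmit(,21)"

  # ARP responder for the floating IP.
  arp_responder "$fip" "$fip_mac" 0x500 "write_metadata:0/0x1,goto_table:220"

  # Delivery.
  add_flow "table=220,priority=62020,ip,dl_dst=${mac},nw_dst=${ip},actions=output:${port}"
  add_flow "table=220,priority=62020,arp,dl_dst=${mac},actions=output:${port}"

  # Ingress ACL.
  add_flow "table=251,priority=61010,ip,dl_dst=${mac},nw_dst=${ip},actions=ct(table=252,zone=${CT_ZONE})"
  add_flow "table=252,priority=1000,ct_state=+new+trk,ip,dl_dst=${mac},nw_dst=${ip},actions=ct(commit,zone=${CT_ZONE}),resubmit(,220)"
}

main() {
  require_tools
  sudo ovs-vsctl add-br "$BRIDGE"
  create_ns ns1 "${NS1_IP}/24" "$NS1_MAC" "$ROUTER_IP" "$NS1_PORT"
  create_ns ns2 "${NS2_IP}/24" "$NS2_MAC" "$ROUTER_IP" "$NS2_PORT"
  install_shared_flows
  install_vm_flows "$NS1_PORT" "$NS1_IP" "$NS1_MAC" "$NS1_FIP" "$NS1_FIP_MAC"
  install_vm_flows "$NS2_PORT" "$NS2_IP" "$NS2_MAC" "$NS2_FIP" "$NS2_FIP_MAC"
}

main "$@"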