The answer is 'yes' and 'no'.
No, openstack (neutron/nova-networks) have no such abstraction.
Yes, you can do it with openvswitch at the compute host manually (until
VM reboot).
Quote from ovs-vsctl manpage:
*Port* *Mirroring*
Mirror all packets received or sent on*eth0* or*eth1* onto*eth2*,
assuming
that all of those ports exist on bridge*br0* (as a side-effect this
causes any packets received on*eth2* to be ignored):
*ovs-vsctl* *--* *set* *Bridge* *br0* *mirrors=@m* *\*
*--* *--id=@eth0* *get* *Port* *eth0* *\*
*--* *--id=@eth1* *get* *Port* *eth1* *\*
*--* *--id=@eth2* *get* *Port* *eth2* *\*
*--* *--id=@m* *create* *Mirror* *name=mymirror*
*select-dst-*
*port=@eth0,@eth1* *select-src-port=@eth0,@eth1*
*output-port=@eth2*
On 02/15/2015 07:34 PM, Yaron Illouz wrote:
Hi
*_Is it possible to port mirror to a vm?_*
I generate traffic from vm1 to vm2, and I am trying to mirror traffic
of vm1 to vm3
I want vm3 to receive traffic that is not destinated for him - not ip
and not mac address
I am trying to do port mirroring between vms created with openstack.
I did it with the openvswitch.
Packet are copied to the mirrored qvo, qvb, and qbr but don't reach
the tap.
From iptable output it dosen't seem to be drop in one of the chain or
in fallback.
The problem: I do see the mirrored traffic in qvo,and qvb, qbr (in
tcpdump) but it doesn't pass to the tap
I tried to insert allowed-pairs to the port, but what I really need is
define it in "promiscuous" mode. But even with allowed-pairs, traffic
don't reach vm3.
I also tried to hairpin but it didn’t help.
brctl hairpin qbr3ede5b3etap3ede5b3e on
Here are some details about my test
Openstack RDO juno on Centos 7
Neutron port list
| 3ede5b3e-396e-48a9-b24a-6cb2dc7509fe | | fa:16:3e:3b:34:de |
{"subnet_id": "f960ee77-77a8-45c1-8eef-e3878f0bea9f", "ip_address":
"10.67.82.2"} |
| 435f35c6-80be-47ee-b30f-8376e1ea78d9 | | fa:16:3e:41:fd:59 |
{"subnet_id": "f960ee77-77a8-45c1-8eef-e3878f0bea9f", "ip_address":
"10.67.82.5"} |
| bd80bab5-424d-4e5c-8993-b8bb8c6f3e49 | | fa:16:3e:f7:4f:ea |
{"subnet_id": "f960ee77-77a8-45c1-8eef-e3878f0bea9f", "ip_address":
"10.67.82.3"} |
Command that I ran to do the port mirroring
ovs-vsctl -- set Bridge br-int mirrors=@m -- --id=@qvobd80bab5-42 get
Port qvobd80bab5-42 -- --id=@qvo3ede5b3e-39 get Port qvo3ede5b3e-39
-- --id=@m create Mirror name=mymirror select-dst-port=@qvobd80bab5-42
select-src-port=@qvobd80bab5-42 output-port=@qvo3ede5b3e-39
This is iptables output filtered, you can see I added a allowed
address pair.
3 3518 919K neutron-openvswi-sg-chain all -- * * 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-out tap3ede5b3e-39 --physdev-is-bridged
4 4 1358 neutron-openvswi-sg-chain all -- * * 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-in tap3ede5b3e-39 --physdev-is-bridged
Chain neutron-openvswi-INPUT (1 references)
--
2 0 0 neutron-openvswi-o3ede5b3e-3 all -- * *
0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in
tap3ede5b3e-39 --physdev-is-bridged
3 0 0 neutron-openvswi-o7e200e92-4 all -- * *
0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap7e200e92-44
--physdev-is-bridged
4 0 0 neutron-openvswi-o435f35c6-8 all -- * *
0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap435f35c6-80
--physdev-is-bridged
5 0 0 neutron-openvswi-o6a1bb345-9 all -- * *
0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap6a1bb345-93
--physdev-is-bridged
6 0 0 neutron-openvswi-ofc0a7800-a all -- * *
0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tapfc0a7800-a0
--physdev-is-bridged
Chain neutron-openvswi-OUTPUT (1 references)
num pkts bytes target prot opt in out source destination
Chain neutron-openvswi-i3ede5b3e-3 (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state
INVALID
2 91 8550 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
3 0 0 RETURN udp -- * * 10.67.82.4
0.0.0.0/0 udp spt:67 dpt:68
4 0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0
5 0 0 RETURN tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp multiport dports 1:65535
6 3416 907K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set
IPv4ecb94f49-0fdd-4f6f-b src
7 9 3054 neutron-openvswi-sg-fallback all -- * * 0.0.0.0/0
0.0.0.0/0
--
Chain neutron-openvswi-o3ede5b3e-3 (2 references)
num pkts bytes target prot opt in out source destination
1 4 1358 RETURN udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:68 dpt:67
2 0 0 neutron-openvswi-s3ede5b3e-3 all -- * *
0.0.0.0/0 0.0.0.0/0
3 0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:67 dpt:68
4 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state
INVALID
5 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
6 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
7 0 0 neutron-openvswi-sg-fallback all -- * *
0.0.0.0/0 0.0.0.0/0
--
Chain neutron-openvswi-s3ede5b3e-3 (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 RETURN all -- * * 10.67.82.0/24
0.0.0.0/0 MAC FA:16:3E:41:FD:59
2 0 0 RETURN all -- * * 10.67.82.2
0.0.0.0/0 MAC FA:16:3E:3B:34:DE
3 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
--
3 3518 919K neutron-openvswi-i3ede5b3e-3 all -- * * 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-out tap3ede5b3e-39 --physdev-is-bridged
4 4 1358 neutron-openvswi-o3ede5b3e-3 all -- * *
0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap3ede5b3e-39
--physdev-is-bridged
.
13 397M 1617G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
--
error=`neutron-openvswi-i3ede5b3e-3'
Entry 63 (19664):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
--
error=`neutron-openvswi-o3ede5b3e-3'
Entry 119 (32280):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 17
Flags: 00
Invflags: 00
Counters: 4 packets, 1358 bytes
Cache: 00000000
--
error=`neutron-openvswi-s3ede5b3e-3'
Entry 173 (43608):
SRC IP: 10.67.82.0/255.255.255.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
The tcpdump traces show proper traffic flow from MAC/IP
fa:16:3e:f7:4f:ea/10.67.82.3 to fa:16:3e:41:fd:59/10.67.82.5 going
into a bridge/switch that has a nic with mac/IP of
fa:16:3e:3b:34:de/10.67.82.2 connected to its other port
I though the allowed address pair I added will allow this traffic ->
you can see it in neutron-openvswi-s3ede5b3e-3 (1 0 0 RETURN
all -- * * 10.67.82.0/24 0.0.0.0/0 MAC FA:16:3E:41:FD:59).
In tcpdump
tcpdump -e -n -vvv -i qbr3ede5b3e-39 | more
tcpdump: WARNING: qbr3ede5b3e-39: no IPv4 address assigned
tcpdump: listening on qbr3ede5b3e-39, link-type EN10MB (Ethernet),
capture size 65535 bytes
08:20:57.102453 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4
(0x0800), length 90: (tos 0x48, ttl 255, id 33035, offset 0, flags
[none], proto UDP (
17), length 76)
10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 48
08:20:57.103052 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4
(0x0800), length 56: (tos 0xb8, ttl 64, id 9181, offset 0, flags
[none], proto UDP (17
), length 42)
10.67.82.3.gtp-control > 10.67.82.5.gtp-control: [udp sum ok] UDP,
length 14
08:20:57.103363 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4
(0x0800), length 193: (tos 0x48, ttl 255, id 61276, offset 0, flags
[none], proto UDP
tcpdump -e -n -vvv -i qvo3ede5b3e-39 | more
tcpdump: WARNING: qvo3ede5b3e-39: no IPv4 address assigned
tcpdump: listening on qvo3ede5b3e-39, link-type EN10MB (Ethernet),
capture size 65535 bytes
08:20:35.852117 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4
(0x0800), length 125: (tos 0x48, ttl 255, id 40524, offset 0, flags
[none], proto UDP
(17), length 111)
10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 83
08:20:35.852323 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4
(0x0800), length 626: (tos 0x48, ttl 255, id 13595, offset 0, flags
[none], proto UDP
(17), length 612)
10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 584
08:20:35.852337 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4
(0x0800), length 626: (tos 0x48, ttl 255, id 13596, offset 0, flags
[none], proto UDP
(17), length 612)
tcpdump -e -n -vvv -i qvb3ede5b3e-39 | more
tcpdump: WARNING: qvb3ede5b3e-39: no IPv4 address assigned
tcpdump: listening on qvb3ede5b3e-39, link-type EN10MB (Ethernet),
capture size 65535 bytes
08:19:52.633158 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4
(0x0800), length 98: (tos 0x48, ttl 255, id 24950, offset 0, flags
[none], proto UDP (
17), length 84)
10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 56
08:19:52.633173 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4
(0x0800), length 90: (tos 0x48, ttl 255, id 2289, offset 0, flags
[none], proto UDP (1
7), length 76)
10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 48
08:19:52.633376 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4
(0x0800), length 98: (tos 0x48, ttl 255, id 51798, offset 0, flags
[none], proto UDP (
17), length 84)
_______________________________________________
OpenStack-operators mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
_______________________________________________
OpenStack-operators mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
