3. Prior Knowledge - Network NameSpace
without Network NameSpace
Process
with Network NameSpace
Process
Process
Process
Process
Process
Process
Process
Share
Routing table
Ford
NameSpace
Benz
NameSpace
Network
Resources
Network Resources
BMW
NameSpace
Network
Resources
Network
Resources
Address
Netfilter rules
eth0
eth1
Network Resources
eth2
eth0
eth1
eth2
Network NameSpace provides isolation of the system resources associated with networking. Thus, each network
namespace has its own network devices, IP addresses, IP routing tables, /proc/net directory, port numbers, and so on.
- http://lwn.net/Articles/531114/
4. Prior Knowledge - VLAN, GRE
VLAN - Virtual LAN
802.1Q Header
TPIC : 16bit - 0x8100
TCI : 16bit
PCP : 3bit
DEI : 1bit
VID : 12bit (0 ~ 4095)
GRE - Generic Routing Encapsulation
16 Bytes Header + IP header
Key field : 32bit
- identify an individual traffic flow within a tunnel
17. Security Group - VLAN, GRE
FORWARD
quantum-filter-top
quantum-openvswi-local
Security group is applied here
quantum-openvswi-FORWARD
quantum-openvswi-sg-chain
quantum-openvswi-iTAP_NUMBER
quantum-openvswi-sg-fallback
quantum-openvswi-oTAP_NUMBER
quantum-openvswi-sg-fallback
18. Security Group - VLAN, GRE
Chain quantum-openvswi-sg-chain (4 references)
target prot opt source
destination
quantum-openvswi-i21767f1f-4 all -- 0.0.0.0/0
0.0.0.0/0
quantum-openvswi-o21767f1f-4 all -- 0.0.0.0/0
0.0.0.0/0
quantum-openvswi-i7903fd30-7 all -- 0.0.0.0/0
0.0.0.0/0
quantum-openvswi-o7903fd30-7 all -- 0.0.0.0/0
0.0.0.0/0
ACCEPT all -- 0.0.0.0/0
0.0.0.0/0
PHYSDEV match --physdev-out tap21767f1f-45 --physdev-is-bridged
PHYSDEV match --physdev-in tap21767f1f-45 --physdev-is-bridged
PHYSDEV match --physdev-out tap7903fd30-74 --physdev-is-bridged
PHYSDEV match --physdev-in tap7903fd30-74 --physdev-is-bridged
Chain quantum-openvswi-i7903fd30-7 (1 references)
target prot opt source
destination
DROP
all -- 0.0.0.0/0
0.0.0.0/0
state INVALID
RETURN all -- 0.0.0.0/0
0.0.0.0/0
state RELATED,ESTABLISHED
RETURN icmp -- 0.0.0.0/0
0.0.0.0/0
RETURN tcp -- 0.0.0.0/0
0.0.0.0/0
tcp dpt:22
RETURN udp -- 50.50.1.3
0.0.0.0/0
udp spt:67 dpt:68
quantum-openvswi-sg-fallback all -- 0.0.0.0/0
0.0.0.0/0
Chain quantum-openvswi-o7903fd30-7 (2 references)
target prot opt source
destination
DROP
all -- 0.0.0.0/0
0.0.0.0/0
MAC ! FA:16:3E:DB:08:63
RETURN udp -- 0.0.0.0/0
0.0.0.0/0
udp spt:68 dpt:67
DROP
all -- !50.50.1.2
0.0.0.0/0
DROP
udp -- 0.0.0.0/0
0.0.0.0/0
udp spt:67 dpt:68
DROP
all -- 0.0.0.0/0
0.0.0.0/0
state INVALID
RETURN all -- 0.0.0.0/0
0.0.0.0/0
state RELATED,ESTABLISHED
RETURN all -- 0.0.0.0/0
0.0.0.0/0
quantum-openvswi-sg-fallback all -- 0.0.0.0/0
0.0.0.0/0
[1] Note, OpenStack uses iptables rules on the TAP devices such as “tap~~” to implement security groups,.
However, Open vSwitch is not compatible with iptables rules that are applied directly on TAP devices that are connected to an
Open vSwitch port.
19. Network NameSpace
janghoon@Network-node:~$ sudo ip netns exec qrouter-cf5fe7b7-8fab-45de-ab1c-c0cd404ebed0 ifconfig
lo
Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
qg-fa243f49-d6 Link encap:Ethernet HWaddr fa:16:3e:9f:4b:63
inet addr:192.168.122.50 Bcast:192.168.122.255 Mask:255.255.255.0
inet6 addr: fe80::f816:3eff:fe9f:4b63/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
qr-bc654dc2-f1 Link encap:Ethernet HWaddr fa:16:3e:c7:ec:bd
inet addr:50.50.1.1 Bcast:50.50.1.255 Mask:255.255.255.0
inet6 addr: fe80::f816:3eff:fec7:ecbd/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
janghoon@Network-node:~$ sudo ip netns exec qrouter-cf5fe7b7-8fab-45de-ab1c-c0cd404ebed0 route
Kernel IP routing table
Destination Gateway
Genmask
Flags Metric Ref Use Iface
default
192.168.122.1 0.0.0.0
UG 0 0
0 qg-fa243f49-d6
50.50.1.0
*
255.255.255.0 U 0 0
0 qr-bc654dc2-f1
192.168.122.0 *
255.255.255.0 U 0 0
0 qg-fa243f49-d6
21. Neutron ML2
The Modular Layer 2 (ML2) plugin is a framework allowing OpenStack Networking to simultaneously utilize the variety
of layer 2 networking technologies found in complex real-world data centers. It currently works with the existing
openvswitch, linuxbridge, and hyperv L2 agents, and is intended to replace and deprecate the monolithic plugins
associated with those L2 agents.
Neutron
ML2 Plugin
TypeDriver
Cisco Nexus
Arista
Flat
OpenDaylight
VxLAN
Hyper-V
GRE
OpenvSwitch
VLAN
MechanismDriver
pSwitch
TypeDriver : TypeDrivers maintain any needed type-specific network state, and perform provider network validation
and tenant network allocation.
MechanismDriver : The MechanismDriver is responsible for taking the information established by the TypeDriver and
ensuring that it is properly applied given the specific networking mechanisms that have been enabled.
https://wiki.openstack.org/wiki/Neutron/ML2