OpenDaylight VTN应用——流表过滤 | SDNLAB

本例子主要演示通过VTN下发流表规则来空置主机的通信，支持的动作包括pass，drop，redirect。利用mininet虚拟出openflow交换机，并对其进行控制，mininet交换机拓扑图如下：配置mininet拓扑：

sudo mn --controller=remote,ip=172.31.2.70 --topo tree,2

1	sudo mn --controller=remote,ip=172.31.2.70 --topo tree,2

查看拓扑链接结构：

mininet> net
h1 h1-eth0:s2-eth1
h2 h2-eth0:s2-eth2
h3 h3-eth0:s3-eth1
h4 h4-eth0:s3-eth2
s1 lo:  s1-eth1:s2-eth3 s1-eth2:s3-eth3
s2 lo:  s2-eth1:h1-eth0 s2-eth2:h2-eth0 s2-eth3:s1-eth1
s3 lo:  s3-eth1:h3-eth0 s3-eth2:h4-eth0 s3-eth3:s1-eth2

mininet> net

h1 h1-eth0:s2-eth1

h2 h2-eth0:s2-eth2

h3 h3-eth0:s3-eth1

h4 h4-eth0:s3-eth2

s1 lo: s1-eth1:s2-eth3 s1-eth2:s3-eth3

s2 lo: s2-eth1:h1-eth0 s2-eth2:h2-eth0 s2-eth3:s1-eth1

s3 lo: s3-eth1:h3-eth0 s3-eth2:h4-eth0 s3-eth3:s1-eth2

添加如下of流表，如果没有改表项的话：

sudo ovs-ofctl add-flow s1 priority=0,actions=output:CONTROLLER
sudo ovs-ofctl add-flow s2 priority=0,actions=output:CONTROLLER
sudo ovs-ofctl add-flow s3 priority=0,actions=output:CONTROLLER

sudo ovs-ofctl add-flow s1 priority=0,actions=output:CONTROLLER

sudo ovs-ofctl add-flow s2 priority=0,actions=output:CONTROLLER

sudo ovs-ofctl add-flow s3 priority=0,actions=output:CONTROLLER

创建vtn

curl -i --user admin:adminpass -H 'content-type: application/json' -X POST -d '{"vtn" : {"vtn_name":"vtn_one","description":"test VTN" }}' http://172.31.2.70:8083/vtn-webapi/vtns
HTTP/1.1 201 Created

1 2	curl -i --user admin:adminpass -H 'content-type: application/json' -X POST -d '{"vtn" : {"vtn_name":"vtn_one","description":"test VTN" }}' http://172.31.2.70:8083/vtn-webapi/vtns HTTP/1.1 201 Created

创建控制器

curl  -i --user admin:adminpass -H 'content-type: application/json' -X POST -d '{"controller": {"controller_id": "controller1", "ipaddr":"172.31.2.70", "type": "odc", "version": "1.0", "auditstatus":"enable"}}' http://172.31.2.70:8083/vtn-webapi/controllers
HTTP/1.1 201 Created

1 2	curl -i --user admin:adminpass -H 'content-type: application/json' -X POST -d '{"controller": {"controller_id": "controller1", "ipaddr":"172.31.2.70", "type": "odc", "version": "1.0", "auditstatus":"enable"}}' http://172.31.2.70:8083/vtn-webapi/controllers HTTP/1.1 201 Created

创建虚拟桥

curl -i --user admin:adminpass -H 'content-type: application/json' -X POST -d '{"vbridge" : {"vbr_name":"vbr_one","controller_id":"controller1","domain_id":"(DEFAULT)" }}'  http://172.31.2.70:8083/vtn-webapi/vtns/vtn_one/vbridges
HTTP/1.1 201 Created

1 2	curl -i --user admin:adminpass -H 'content-type: application/json' -X POST -d '{"vbridge" : {"vbr_name":"vbr_one","controller_id":"controller1","domain_id":"(DEFAULT)" }}' http://172.31.2.70:8083/vtn-webapi/vtns/vtn_one/vbridges HTTP/1.1 201 Created

创建虚拟接口

 curl -i --user admin:adminpass -H 'content-type: application/json' -X POST -d '{"interface": {"if_name": "if1","description": "if_desc1"}}' http://172.31.2.70:8083/vtn-webapi/vtns/vtn_one/vbridges/vbr_one/interfaces
HTTP/1.1 201 Created

curl -i --user admin:adminpass -H 'content-type: application/json' -X POST -d '{"interface": {"if_name": "if2","description": "if_desc2"}}' http://172.31.2.70:8083/vtn-webapi/vtns/vtn_one/vbridges/vbr_one/interfaces
HTTP/1.1 201 Created

curl -i --user admin:adminpass -H 'content-type: application/json' -X POST -d '{"interface": {"if_name": "if1","description": "if_desc1"}}' http://172.31.2.70:8083/vtn-webapi/vtns/vtn_one/vbridges/vbr_one/interfaces

HTTP/1.1 201 Created

curl -i --user admin:adminpass -H 'content-type: application/json' -X POST -d '{"interface": {"if_name": "if2","description": "if_desc2"}}' http://172.31.2.70:8083/vtn-webapi/vtns/vtn_one/vbridges/vbr_one/interfaces

HTTP/1.1 201 Created

创建接口映射

curl -i --user admin:adminpass -H 'content-type: application/json' -X PUT -d '{"portmap":{"logical_port_id": "PP-OF:openflow:3-s3-eth1"}}' http://172.31.2.70:8083/vtn-webapi/vtns/vtn_one/vbridges/vbr_one/interfaces/if1/portmap
HTTP/1.1 204 No Content

curl -i --user admin:adminpass -H 'content-type: application/json' -X PUT -d '{"portmap":{"logical_port_id": "PP-OF:openflow:2-s2-eth1"}}' http://172.31.2.70:8083/vtn-webapi/vtns/vtn_one/vbridges/vbr_one/interfaces/if2/portmap
HTTP/1.1 204 No Content

curl -i --user admin:adminpass -H 'content-type: application/json' -X PUT -d '{"portmap":{"logical_port_id": "PP-OF:openflow:3-s3-eth1"}}' http://172.31.2.70:8083/vtn-webapi/vtns/vtn_one/vbridges/vbr_one/interfaces/if1/portmap

HTTP/1.1 204 No Content

curl -i --user admin:adminpass -H 'content-type: application/json' -X PUT -d '{"portmap":{"logical_port_id": "PP-OF:openflow:2-s2-eth1"}}' http://172.31.2.70:8083/vtn-webapi/vtns/vtn_one/vbridges/vbr_one/interfaces/if2/portmap

HTTP/1.1 204 No Content

创建流列表

curl -i --user admin:adminpass -H 'content-type: application/json' -X POST -d '{"flowlist": {"fl_name": "flowlist1", "ip_version":"IP"}}' http://172.31.2.70:8083/vtn-webapi/flowlists
HTTP/1.1 201 Created

1 2	curl -i --user admin:adminpass -H 'content-type: application/json' -X POST -d '{"flowlist": {"fl_name": "flowlist1", "ip_version":"IP"}}' http://172.31.2.70:8083/vtn-webapi/flowlists HTTP/1.1 201 Created

创建流列表实体

curl -i --user admin:adminpass -H 'content-type: application/json' -X POST -d '{"flowlistentry": {"seqnum": "10","macethertype": "0x800","ipdstaddr": "10.0.0.1","ipdstaddrprefix": "24","ipsrcaddr": "10.0.0.3","ipsrcaddrprefix": "24","ipproto": "1"}}' http://172.31.2.70:8083/vtn-webapi/flowlists/flowlist1/flowlistentries
HTTP/1.1 201 Created

curl -i --user admin:adminpass -H 'content-type: application/json' -X POST -d '{"flowlistentry": {"seqnum": "10","macethertype": "0x800","ipdstaddr": "10.0.0.1","ipdstaddrprefix": "24","ipsrcaddr": "10.0.0.3","ipsrcaddrprefix": "24","ipproto": "1"}}' http://172.31.2.70:8083/vtn-webapi/flowlists/flowlist1/flowlistentries

HTTP/1.1 201 Created

为接口创建流过滤规则

curl -i --user admin:adminpass -X POST -H 'content-type: application/json' -d '{"flowfilter" : {"ff_type": "in"}}' http://172.31.2.70:8083/vtn-webapi/vtns/vtn_one/vbridges/vbr_one/interfaces/if1/flowfilters
HTTP/1.1 201 Created

1 2	curl -i --user admin:adminpass -X POST -H 'content-type: application/json' -d '{"flowfilter" : {"ff_type": "in"}}' http://172.31.2.70:8083/vtn-webapi/vtns/vtn_one/vbridges/vbr_one/interfaces/if1/flowfilters HTTP/1.1 201 Created

此时检测h1和h3的连通性：

mininet> h1 ping h3
PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data.
64 bytes from 10.0.0.3: icmp_seq=1 ttl=64 time=15.0 ms
64 bytes from 10.0.0.3: icmp_seq=2 ttl=64 time=0.193 ms
64 bytes from 10.0.0.3: icmp_seq=3 ttl=64 time=0.046 ms

mininet> h1 ping h3

PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data.

64 bytes from 10.0.0.3: icmp_seq=1 ttl=64 time=15.0 ms

64 bytes from 10.0.0.3: icmp_seq=2 ttl=64 time=0.193 ms

64 bytes from 10.0.0.3: icmp_seq=3 ttl=64 time=0.046 ms

创建一条drop类型的流规则

curl -i --user admin:adminpass -X POST -H 'content-type: application/json' -d '{"flowfilterentry": {"seqnum": "11", "fl_name": "flowlist1", "action_type":"drop", "priority":"3", "dscp":"55" }}' http://172.31.2.70:8083/vtn-webapi/vtns/vtn_one/vbridges/vbr_one/interfaces/if1/flowfilters/in/flowfilterentries
HTTP/1.1 201 Created

curl -i --user admin:adminpass -X POST -H 'content-type: application/json' -d '{"flowfilterentry": {"seqnum": "11", "fl_name": "flowlist1", "action_type":"drop", "priority":"3", "dscp":"55" }}' http://172.31.2.70:8083/vtn-webapi/vtns/vtn_one/vbridges/vbr_one/interfaces/if1/flowfilters/in/flowfilterentries

HTTP/1.1 201 Created

此时检测h1和h3的连通性：

mininet> h1 ping h3
PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data.
31 packets transmitted, 0 received, 100% packet loss, time 30239ms

mininet> h1 ping h3

PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data.

31 packets transmitted, 0 received, 100% packet loss, time 30239ms

查看流表规则：

mininet@ubuntu:~$ sudo ovs-ofctl dump-flows s3
NXST_FLOW reply (xid=0x4):
 cookie=0x7f5600000000001c, duration=3.364s, table=0, n_packets=0, n_bytes=0, idle_timeout=300, idle_age=3, priority=11,arp,in_port=1,vlan_tci=0x0000/0x1fff,dl_src=ca:17:a4:aa:dd:ff,dl_dst=66:d1:83:3f:f9:c9 actions=output:3
 cookie=0x0, duration=431.826s, table=0, n_packets=95, n_bytes=7843, idle_age=0, priority=0 actions=CONTROLLER:65535
 cookie=0x7f5600000000001b, duration=8.343s, table=0, n_packets=6, n_bytes=588, idle_timeout=300, idle_age=1, priority=14,icmp,in_port=1,vlan_tci=0x0000/0x1fff,dl_src=ca:17:a4:aa:dd:ff,dl_dst=66:d1:83:3f:f9:c9,nw_src=10.0.0.3,nw_dst=10.0.0.1 actions=drop
 cookie=0x7f5600000000001a, duration=8.373s, table=0, n_packets=8, n_bytes=672, idle_age=1, priority=10,in_port=3,vlan_tci=0x0000/0x1fff,dl_src=66:d1:83:3f:f9:c9,dl_dst=ca:17:a4:aa:dd:ff actions=output:1

mininet@ubuntu:~$ sudo ovs-ofctl dump-flows s3

NXST_FLOW reply (xid=0x4):

cookie=0x7f5600000000001c, duration=3.364s, table=0, n_packets=0, n_bytes=0, idle_timeout=300, idle_age=3, priority=11,arp,in_port=1,vlan_tci=0x0000/0x1fff,dl_src=ca:17:a4:aa:dd:ff,dl_dst=66:d1:83:3f:f9:c9 actions=output:3

cookie=0x0, duration=431.826s, table=0, n_packets=95, n_bytes=7843, idle_age=0, priority=0 actions=CONTROLLER:65535

cookie=0x7f5600000000001b, duration=8.343s, table=0, n_packets=6, n_bytes=588, idle_timeout=300, idle_age=1, priority=14,icmp,in_port=1,vlan_tci=0x0000/0x1fff,dl_src=ca:17:a4:aa:dd:ff,dl_dst=66:d1:83:3f:f9:c9,nw_src=10.0.0.3,nw_dst=10.0.0.1 actions=drop

cookie=0x7f5600000000001a, duration=8.373s, table=0, n_packets=8, n_bytes=672, idle_age=1, priority=10,in_port=3,vlan_tci=0x0000/0x1fff,dl_src=66:d1:83:3f:f9:c9,dl_dst=ca:17:a4:aa:dd:ff actions=output:1

发现多了一条drop的流规则。修改为pass规则的流表

curl -i --user admin:adminpass -X PUT -H 'content-type: application/json' -d '{"flowfilterentry": {"seqnum": "11", "fl_name": "flowlist1", "action_type":"pass", "priority":"3", "dscp":"55" }}' http://172.31.2.70:8083/vtn-webapi/vtns/vtn_one/vbridges/vbr_one/interfaces/if1/flowfilters/in/flowfilterentries/11
HTTP/1.1 204 No Content

curl -i --user admin:adminpass -X PUT -H 'content-type: application/json' -d '{"flowfilterentry": {"seqnum": "11", "fl_name": "flowlist1", "action_type":"pass", "priority":"3", "dscp":"55" }}' http://172.31.2.70:8083/vtn-webapi/vtns/vtn_one/vbridges/vbr_one/interfaces/if1/flowfilters/in/flowfilterentries/11

HTTP/1.1 204 No Content

此时检测h1和h3的连通性：

mininet> h1 ping h3
PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data.
64 bytes from 10.0.0.3: icmp_seq=1 ttl=64 time=15.0 ms
64 bytes from 10.0.0.3: icmp_seq=2 ttl=64 time=0.193 ms
64 bytes from 10.0.0.3: icmp_seq=3 ttl=64 time=0.046 ms

mininet> h1 ping h3

PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data.

64 bytes from 10.0.0.3: icmp_seq=1 ttl=64 time=15.0 ms

64 bytes from 10.0.0.3: icmp_seq=2 ttl=64 time=0.193 ms

64 bytes from 10.0.0.3: icmp_seq=3 ttl=64 time=0.046 ms