Linux Policy Routing: Use Case and Verification

Source: Internet   Editor: 程序博客网   Date: 2024/06/06 08:59

Test environment: CentOS 7 + OVS 2.4.0

Schematic (figure not reproduced)

Topology (figure not reproduced)

1. As shown in the topology, configure the corresponding IP address on each port group and on the virtual machine.

2. Connect the two bridges, qos_pri and policy_bridge, with a pair of patch ports.

       # patch_to_qos lives on policy_bridge and peers with patch_to_policy
       ovs-vsctl add-port policy_bridge patch_to_qos
       ovs-vsctl set Interface patch_to_qos type=patch
       ovs-vsctl set Interface patch_to_qos options:peer=patch_to_policy

       ovs-vsctl show

       # patch_to_policy lives on qos_pri and peers with patch_to_qos
       # (add-port takes the bridge first, then the port name)
       ovs-vsctl add-port qos_pri patch_to_policy
       ovs-vsctl set Interface patch_to_policy type=patch
       ovs-vsctl set Interface patch_to_policy options:peer=patch_to_qos

Without policy routing and without the patch port

The VM cannot reach either port group. The main table holds two routes for 172.168.1.0/24 and the first one, via test_pg, wins, so the host's replies are sent out through test_pg; the VM's own packets, however, only get as far as the qos_pri bridge, and with no patch port between the two bridges forwarding stops there.

[root@localhost ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         100.5.4.254     0.0.0.0         UG    100    0        0 eno1
100.5.4.0       0.0.0.0         255.255.252.0   U     100    0        0 eno1
172.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 test_pg
172.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 qos_pg
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 br-test
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

With the patch port configured but no policy routing

The VM pings 172.168.1.15 and 172.168.1.10 in turn while capturing on both port groups:

tcpdump -i qos_pg -nn

Nothing is captured.

tcpdump -i test_pg -nn

The request/reply exchanges with both .15 and .10 are captured here: the first 172.168.1.0/24 route in the main table points at test_pg, so the host answers for 172.168.1.15 through test_pg as well, and qos_pg carries nothing.

16:41:50.438155 IP 172.168.1.12 > 172.168.1.15: ICMP echo request, id 14797, seq 16, length 64
16:41:50.438205 IP 172.168.1.15 > 172.168.1.12: ICMP echo reply, id 14797, seq 16, length 64
16:41:21.217165 IP 172.168.1.12 > 172.168.1.10: ICMP echo request, id 14585, seq 1209, length 64
16:41:21.217226 IP 172.168.1.10 > 172.168.1.12: ICMP echo reply, id 14585, seq 1209, length 64

With policy routing and the patch port configured

[root@localhost ~]# ip route add 172.168.1.0 via 172.168.1.15 dev qos_pg table 11
[root@localhost ~]# ip route add default via 172.168.1.15 dev qos_pg table 11
[root@localhost ~]# ip rule add from 172.168.1.15 table 11

[root@localhost ~]# tcpdump -i qos_pg -n -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on qos_pg, link-type EN10MB (Ethernet), capture size 65535 bytes
16:45:35.441155 IP 172.168.1.12 > 172.168.1.15: ICMP echo request, id 14797, seq 241, length 64
16:45:35.441214 IP 172.168.1.15 > 172.168.1.12: ICMP echo reply, id 14797, seq 241, length 64

[root@localhost ~]# tcpdump -i test_pg -n -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on test_pg, link-type EN10MB (Ethernet), capture size 65535 bytes
16:46:13.504134 IP 172.168.1.12 > 172.168.1.10: ICMP echo request, id 14842, seq 8, length 64
16:46:13.504214 IP 172.168.1.10 > 172.168.1.12: ICMP echo reply, id 14842, seq 8, length 64

How the packets are forwarded

[root@localhost ~]# ip rule show
0:      from all lookup local
32764:  from 172.168.1.15 lookup 11
32765:  from 10.1.1.3 lookup 10
32766:  from all lookup main
32767:  from all lookup default

[root@localhost ~]# ip route show table 11
default via 172.168.1.15 dev qos_pg
172.168.1.0 via 172.168.1.15 dev qos_pg

Route lookup follows the rule priorities from the lowest number up: the rule added above sends every packet with source address 172.168.1.15 to table 11, and table 11 only has to set qos_pg as the outgoing interface. The decision can be confirmed without tcpdump with `ip route get 172.168.1.12 from 172.168.1.15`, which prints the table and device the kernel chose. Two details are worth checking on a real host. First, the subnet route was added without a prefix length, so ip installed it as a /32 host route for 172.168.1.0 (note the missing /24 in the table output above); it is the default route in table 11 that actually carries the replies, and 172.168.1.0/24 is what the intended subnet route should read. Second, a rule keyed on source address is a forwarding decision, not a filter: anything presenting that source gets table 11. Pair it with the reverse-path check: with net.ipv4.conf.<if>.rp_filter=1 (strict) the kernel requires the route back to a packet's source to point at the interface it arrived on, so a path that is asymmetric across qos_pg and test_pg is dropped unless rp_filter is relaxed to 2 (loose).
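The setup commands and the lookup explanation above, combined into one script as an added example (not part of the original post). It uses the post's names (qos_pg, 172.168.1.15, table 11, the VM at 172.168.1.12); DRY_RUN, the function names and the sample `ip rule`/`ip route` outputs embedded for the offline self-check are this example's own. The subnet route is written as an on-link route with an explicit /24 rather than via the interface's own address, and the rule is re-created so the script can be re-run without accumulating duplicates.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent setup of the
# source-based policy route for qos_pg, plus checks that parse `ip rule`
# and `ip route` output so the result can be verified offline as well as
# on the host. Interface, address and table number are the post's own;
# DRY_RUN, the function names and the sample outputs are assumptions here.
set -eu

TABLE=11
PG_IF=qos_pg
PG_IP=172.168.1.15
SUBNET=172.168.1.0/24

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Flush the table and re-create the rule so re-running never leaves stale
# routes or duplicate rules (`ip rule add` is not idempotent). The subnet
# route carries an explicit /24: a bare 172.168.1.0 is installed as a /32
# host route that never matches real traffic.
setup_policy_route() {
    run ip route flush table "$TABLE"
    run ip route add "$SUBNET" dev "$PG_IF" src "$PG_IP" table "$TABLE"
    run ip route add default via "$PG_IP" dev "$PG_IF" table "$TABLE"
    run ip rule del from "$PG_IP" table "$TABLE" 2>/dev/null || true
    run ip rule add from "$PG_IP" table "$TABLE"
}

# Return 0 if `ip rule show` output ($1) has "from $PG_IP lookup $TABLE".
# A rule line is "<prio>: from <src> lookup <table>".
rule_present() {
    printf '%s\n' "$1" | awk -v src="$PG_IP" -v tbl="$TABLE" '
        $2 == "from" && $3 == src && $4 == "lookup" && $5 == tbl { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 if `ip route show table N` output ($1) sends both the subnet
# route and the default route out of $PG_IF.
table_ok() {
    printf '%s\n' "$1" | awk -v dev="$PG_IF" -v net="$SUBNET" '
        { out = 0; for (i = 2; i <= NF; i++) if ($i == "dev" && $(i+1) == dev) out = 1 }
        $1 == "default" && out { def = 1 }
        $1 == net && out { sn = 1 }
        END { exit (def && sn) ? 0 : 1 }'
}

# Walk `ip rule show` output ($2) in priority order and print the table
# consulted first for a packet sourced from $1. The `local` table is
# skipped because it only holds the host's own addresses and the lookup
# falls through it for other destinations. Lowest priority number wins.
first_table_for_src() {
    printf '%s\n' "$2" | awk -v src="$1" '
        $2 == "from" && $4 == "lookup" && $5 != "local" && ($3 == "all" || $3 == src) {
            print $5; exit }'
}

# Live check on the host: rule present, table correct, and the kernel's
# own lookup for a reply to the VM picks qos_pg.
verify_live() {
    rule_present "$(ip rule show)" &&
    table_ok "$(ip route show table "$TABLE")" &&
    ip route get 172.168.1.12 from "$PG_IP" | grep -q "dev $PG_IF"
}

# Constructed sample output, modelled on the post's `ip rule show` and
# `ip route show table 11`, for an offline self-check.
SAMPLE_RULES='0: from all lookup local
32764: from 172.168.1.15 lookup 11
32765: from 10.1.1.3 lookup 10
32766: from all lookup main
32767: from all lookup default'
SAMPLE_TABLE='default via 172.168.1.15 dev qos_pg
172.168.1.0/24 dev qos_pg scope link src 172.168.1.15'

selfcheck() {
    rule_present "$SAMPLE_RULES" &&
    table_ok "$SAMPLE_TABLE" &&
    [ "$(first_table_for_src 172.168.1.15 "$SAMPLE_RULES")" = 11 ] &&
    [ "$(first_table_for_src 172.168.1.12 "$SAMPLE_RULES")" = main ]
}

case "${1:-}" in
    setup)  setup_policy_route ;;
    verify) verify_live ;;
    check)  selfcheck && echo "self-check passed" ;;
esac
```

Run `sh policy_route.sh setup` as root, then `sh policy_route.sh verify`; `DRY_RUN=1 sh policy_route.sh setup` prints the commands for review, and `sh policy_route.sh check` exercises the parsers against the embedded samples without touching the host.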



