OVS: cannot reach the external network

Asked on 2019-01-29 03:40:05 -0500

adm01

My environment is an HA L3 setup configured with Open vSwitch. I'm trying to ping the external network.

# ip netns exec qrouter-10b96549-da5d-4179-b9f5-ed0a6d93feeb ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
15: ha-43c2251f-cd: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether fa:16:3e:5c:82:02 brd ff:ff:ff:ff:ff:ff
    inet 169.254.192.9/18 brd 169.254.255.255 scope global ha-43c2251f-cd
       valid_lft forever preferred_lft forever
    inet 169.254.0.1/24 scope global ha-43c2251f-cd
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe5c:8202/64 scope link
       valid_lft forever preferred_lft forever
16: qg-3aa2260b-32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether fa:16:3e:fb:17:ed brd ff:ff:ff:ff:ff:ff
    inet 172.16.14.9/24 scope global qg-3aa2260b-32
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fefb:17ed/64 scope link nodad
       valid_lft forever preferred_lft forever

I tested pinging one external address, and that one works fine:

# ip netns exec qrouter-10b96549-da5d-4179-b9f5-ed0a6d93feeb ping 172.16.62.254

PING 10.86.62.254 (10.86.62.254) 56(84) bytes of data.
64 bytes from 10.86.62.254: icmp_seq=1 ttl=255 time=1.64 ms
64 bytes from 10.86.62.254: icmp_seq=2 ttl=255 time=1.08 ms

Most external addresses, however, cannot be pinged. The typical symptom is shown below: capturing on the external host shows that the packets do arrive there:

# tcpdump -i eno1 icmp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno1, link-type EN10MB (Ethernet), capture size 262144 bytes
17:26:46.526371 IP 172.16.14.9 > yum: ICMP echo request, id 8223, seq 6, length 64
17:26:46.526401 IP yum > 172.16.14.9: ICMP echo reply, id 8223, seq 6, length 64
17:26:47.526637 IP 172.16.14.9 > yum: ICMP echo request, id 8223, seq 7, length 64
17:26:47.526664 IP yum > 172.16.14.9: ICMP echo reply, id 8223, seq 7, length 64
17:26:48.526603 IP 172.16.14.9 > yum: ICMP echo request, id 8223, seq 8, length 64
17:26:48.526631 IP yum > 172.16.14.9: ICMP echo reply, id 8223, seq 8, length 64

From the network node, the address is unreachable:

# ip netns exec qrouter-10b96549-da5d-4179-b9f5-ed0a6d93feeb ping 172.16.241.12

PING 10.86.241.12 (10.86.241.12) 56(84) bytes of data.

Looking at iptables inside the namespace: the OUTPUT packet counters keep changing, while the INPUT packet counters do not change at all.

# ip netns exec qrouter-10b96549-da5d-4179-b9f5-ed0a6d93feeb iptables -S -v

-A OUTPUT -c 9915 582456 -j neutron-filter-top
-A OUTPUT -c 9915 582456 -j neutron-l3-agent-OUTPUT

Looking at iptables directly on the host, the counters in both directions are changing:

# iptables -S -v

-P INPUT ACCEPT -c 6657440 580731703
-P FORWARD ACCEPT -c 0 0
-P OUTPUT ACCEPT -c 6671498 911838432

Only the OUTPUT counters are changing here:

# ip netns exec qrouter-10b96549-da5d-4179-b9f5-ed0a6d93feeb iptables -S -v -t nat

-P INPUT ACCEPT -c 2 168
-P FORWARD ACCEPT -c 0 0
-P OUTPUT ACCEPT -c 1018 59852
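The counter comparison the post relies on (OUTPUT moves, INPUT does not) can be made systematic. The script below is an added example written for this page, not code from the poster or from Neutron: it parses `iptables -S -v` output, including output that has been flattened onto a single line the way it is pasted above, takes the difference between two snapshots captured around a `ping -c N` inside the router namespace, and classifies where the ICMP traffic stopped. The two snapshots embedded in it are constructed, modelled on the counter lines in the post. It reads the `-P` policy counters, so it assumes no earlier rule in INPUT or OUTPUT terminates the ICMP packets; if the namespace has such rules, compare the counters of those rules instead.

```python
import re
from typing import Dict, List, Tuple

Counters = Dict[str, Tuple[int, int]]

# One rule as printed by `iptables -S -v`:
#   -P CHAIN POLICY -c PKTS BYTES
#   -A CHAIN [match options] -c PKTS BYTES -j TARGET
_RULE_RE = re.compile(
    r"^-(?P<kind>[PA])\s+(?P<chain>\S+)\s*(?P<head>.*?)\s*-c\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)(?P<tail>.*)$"
)


def split_rules(text: str) -> List[str]:
    """Split `iptables -S` output into rules.

    The command prints one rule per line, but output pasted into a ticket is
    often flattened onto one line, so split in front of every -P/-A token
    instead of relying on newlines.
    """
    return [r.strip() for r in re.split(r"\s+(?=-[PA]\s)", text) if r.strip()]


def parse_counters(text: str) -> Counters:
    """Return {rule: (packets, bytes)} for every counted rule in the output."""
    counters: Counters = {}
    for rule in split_rules(text):
        m = _RULE_RE.match(rule)
        if not m:
            continue  # e.g. "-N chain" lines carry no counters
        key = " ".join(p for p in (m["kind"], m["chain"], m["head"], m["tail"].strip()) if p)
        counters[key] = (int(m["pkts"]), int(m["bytes"]))
    return counters


def counter_deltas(before: Counters, after: Counters) -> Counters:
    """Packet/byte increase per rule between two snapshots."""
    return {
        rule: (after[rule][0] - before[rule][0], after[rule][1] - before[rule][1])
        for rule in after
        if rule in before
    }


def chain_packets(deltas: Counters, chain: str) -> int:
    """Packets that fell through to CHAIN's policy (its -P line) between the snapshots."""
    return sum(pk for rule, (pk, _) in deltas.items() if rule.startswith(f"P {chain} "))


def diagnose(before: Counters, after: Counters, echo_requests: int) -> str:
    """Classify where the ICMP traffic stopped, given snapshots taken around a ping."""
    deltas = counter_deltas(before, after)
    sent = chain_packets(deltas, "OUTPUT")
    received = chain_packets(deltas, "INPUT")
    if sent < echo_requests:
        return "requests_not_sent"   # never left the namespace: check routes / OUTPUT rules
    if received >= echo_requests:
        return "replies_received"    # the IP path works; look above the network layer
    return "replies_missing"         # requests left, replies never came back into the namespace


# Constructed snapshots of the router namespace's filter table, modelled on the
# counter lines in the post: before and after five echo requests whose replies
# never returned (OUTPUT grows by 5 packets / 420 bytes, INPUT does not move).
BEFORE = """\
-P INPUT ACCEPT -c 120 10080
-P FORWARD ACCEPT -c 0 0
-P OUTPUT ACCEPT -c 9915 582456
-A OUTPUT -c 9915 582456 -j neutron-filter-top
-A OUTPUT -c 9915 582456 -j neutron-l3-agent-OUTPUT
"""
AFTER = """\
-P INPUT ACCEPT -c 120 10080
-P FORWARD ACCEPT -c 0 0
-P OUTPUT ACCEPT -c 9920 582876
-A OUTPUT -c 9920 582876 -j neutron-filter-top
-A OUTPUT -c 9920 582876 -j neutron-l3-agent-OUTPUT
"""

if __name__ == "__main__":
    print(counter_deltas(parse_counters(BEFORE), parse_counters(AFTER)))
    print(diagnose(parse_counters(BEFORE), parse_counters(AFTER), echo_requests=5))
```

In practice the two snapshots come from `ip netns exec <qrouter-namespace> iptables -S -v` run immediately before and after `ip netns exec <qrouter-namespace> ping -c 5 <address>`. A `replies_missing` verdict, combined with a capture on the external host that shows the echo replies being sent (as in the post), narrows the problem to the return path between the external bridge and the router's `qg-` port rather than to the router namespace itself.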
