OpenBFDD


In use, bfdd has a whitelist-like mechanism: by default it blocks all IP addresses.

  • allow ip

  • Allows incoming packets from the given ip address. This allows BFD sessions to be established if there is an active BFD service running on the given ip. No session will be created until packets are received from the remote system. The beacon will act in passive mode for these sessions.

  • connect ip-pair

  • Starts an active session between the two ip addresses specified in ip-pair. A session will be created immediately. If there is already a session with the given ip-pair addresses then it is switched from passive to active.

  • block ip

  • Blocks any new connections from being established from the given ip address. Existing sessions with this ip will not be affected. By default all ip addresses are blocked.

I took a look at the source code:

// E:\dev-github\OpenBFDD\CommandProcessor.cpp

  /**
   * "allow" command.
   * Format 'allow' ip
   */
  void handle_Allow(const char *message)
  {
    IpAddr address;
    const char *addressString;

    addressString = getNextParam(message);
    if (!addressString)
    {
      messageReply("Must supply ip address.\n");
      return;
    }

    if (!address.FromString(addressString))
    {
      messageReplyF("Invalid IPv4 or IPv6 address <%s>.\n", addressString);
      return;
    }

    if (doBeaconOperation(&CommandProcessorImp::doHandleAllow, &address))
      messageReplyF("Allowing connections from %s\n", address.ToString());
  }

  intptr_t doHandleAllow(Beacon *beacon, void *userdata)
  {
    IpAddr *addr = reinterpret_cast<IpAddr *>(userdata);
    beacon->AllowPassiveIP(*addr); // The IP is inserted into a set here; the set guarantees each IP is unique
    return 0;
  }


// E:\dev-github\OpenBFDD\Beacon.cpp
void Beacon::AllowPassiveIP(const IpAddr &addr)
{
  LogAssert(m_scheduler->IsMainThread());

  m_allowedPassiveIP.insert(addr);
}

// E:\dev-github\OpenBFDD\Beacon.h
  std::set<IpAddr, IpAddr::LessClass> m_allowedPassiveIP;




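Summary: judging from this, the implementation should return BFD responses only for explicitly specified IPs; a wildcard mode based on 0.0.0.0 is not supported.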
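The behaviour described above (default block, exact-match set, `block` leaving existing sessions alone) as a simplified model. This is an added example, not OpenBFDD code: `Addr`, `parseAddr`, `PassiveGate` and `onPacket` are hypothetical names, and the packet-handling logic is an assumption based on the command descriptions and the reading of the source given here.

```cpp
// Simplified model of a default-deny passive allowlist (not OpenBFDD code).
#include <arpa/inet.h>
#include <array>
#include <cstdint>
#include <set>
#include <string>
#include <tuple>

struct Addr {                       // hypothetical stand-in for OpenBFDD's IpAddr
  int family = 0;                   // AF_INET or AF_INET6
  std::array<uint8_t, 16> bytes{};  // network-order bytes, zero padded for IPv4
  bool operator<(const Addr &o) const {
    return std::tie(family, bytes) < std::tie(o.family, o.bytes);
  }
};

// Parse an IPv4 or IPv6 literal; anything else is rejected.
static bool parseAddr(const std::string &s, Addr &out) {
  Addr a;
  if (inet_pton(AF_INET, s.c_str(), a.bytes.data()) == 1) a.family = AF_INET;
  else if (inet_pton(AF_INET6, s.c_str(), a.bytes.data()) == 1) a.family = AF_INET6;
  else return false;
  out = a;
  return true;
}

class PassiveGate {                 // hypothetical class name
  std::set<Addr> allowed_;          // exact-match entries; duplicates collapse
  std::set<Addr> sessions_;         // remotes that already have a session
public:
  bool allow(const std::string &ip) { Addr a; if (!parseAddr(ip, a)) return false; allowed_.insert(a); return true; }
  // Assumption: block removes the allowlist entry and never touches sessions_.
  bool block(const std::string &ip) { Addr a; if (!parseAddr(ip, a)) return false; allowed_.erase(a); return true; }
  size_t allowedCount() const { return allowed_.size(); }
  // Existing sessions keep being served; a new passive session is created
  // only when the source address is an exact member of the allowlist.
  bool onPacket(const std::string &ip) {
    Addr a;
    if (!parseAddr(ip, a)) return false;
    if (sessions_.count(a)) return true;
    if (!allowed_.count(a)) return false;   // default: blocked
    sessions_.insert(a);
    return true;
  }
};
```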

After using allow to add the remote IP to listen for, the state of this BFD session pair can be checked with the following commands:

root@pc-node-1:/kube-ovn# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
1480: ovnext0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 00:00:00:5e:79:71 brd ff:ff:ff:ff:ff:ff
    inet 10.5.204.136/24 brd 10.5.204.255 scope global ovnext0
       valid_lft forever preferred_lft forever
    inet6 fe80::200:ff:fe5e:7971/64 scope link
       valid_lft forever preferred_lft forever

# Detailed mode
# bfdd-control status remote 10.5.204.101 local 10.5.204.136
 id=1
 local=10.5.204.136 (p)
 remote=10.5.204.101
 state=Up


# List mode
root@pc-node-1:/kube-ovn# bfdd-control status
There are 1 sessions:
Session 1
 id=1 local=10.5.204.136 (p) remote=10.5.204.101 state=Up