ovn-nbctl can set the IP and MAC addresses of a logical switch port as well as its port security.
Summary: at the OVS layer, port-security is just ACLs; if you do not use it, the same restrictions can still be expressed directly with ACLs. The attribute is only a usability convenience. Disabling port-security only means its ACLs are gone; it does not disable security groups, and you can still configure other security groups to enforce restrictions.
kube-ovn pod annotation: kubernetes.io/port_security=false disables address validation.
check ovn-nbctl lsp-add sw0 lsp0 \
-- lsp-set-addresses lsp0 "00:00:00:00:ff:01 1.2.3.4" \
-- lsp-set-port-security lsp0 "00:00:00:00:ff:01 1.2.3.4"
check ovn-nbctl --wait=hv lsp-set-port-security sw0p2 ""
# set to empty
lsp-set-port-security port [addrs]...
Sets the port security addresses associated with port to addrs.
Multiple sets of addresses may be set by using multiple addrs
arguments. If no addrs argument is given, port will not have
port security enabled.
# If no address argument is configured, the port has no port security
Port security limits the addresses from which a logical port may
send packets and to which it may receive packets. See the
ovn-nb(5) documentation for the port_security column in the
Logical_Switch_Port table for details.
lsp-get-port-security port
Lists all the port security addresses associated with port on
standard output, one per line.
A few points about using port-security:
- If port_security has any addresses, the VIP must be included in port_security
Virtual port Options:
These options apply when type is virtual.
options : virtual-ip: optional string
This option represents the virtual IPv4 address.
options : virtual-parents: optional string
This option represents a set of logical port names (within the
same logical switch) which can own the virtual ip configured in
the options:virtual-ip. All these virtual parents should add the
virtual ip in the port_security if port security addresses are
enabled.
- Usage of port_security itself
port_security: set of strings
This column controls the addresses from which the host attached
to the logical port (``the host’’) is allowed to send packets
and to which it is allowed to receive packets. If this column is
empty, all addresses are permitted.
Each element in the set must begin with one Ethernet address.
This would restrict the host to sending packets from and receiving
packets to the ethernet addresses defined in the logical
port's port_security column. It also restricts the inner source
MAC addresses that the host may send in ARP and IPv6 Neighbor
Discovery packets. The host is always allowed to receive packets
to multicast and broadcast Ethernet addresses.
Each element in the set may additionally contain one or more
IPv4 or IPv6 addresses (or both), with optional masks. If a mask
is given, it must be a CIDR mask. In addition to the restrictions
described for Ethernet addresses above, such an element
restricts the IPv4 or IPv6 addresses from which the host may
send and to which it may receive packets to the specified
addresses. A masked address, if the host part is zero, indicates
that the host is allowed to use any address in the subnet; if
the host part is nonzero, the mask simply indicates the size of
the subnet. In addition:
(After the MAC, an IP address or CIDR may be given or omitted.) What is the effect of omitting it? The third example further down shows it: with a MAC alone, the host may send from and receive to any L3 address.
• If any IPv4 address is given, the host is also allowed to
receive packets to the IPv4 local broadcast address
255.255.255.255 and to IPv4 multicast addresses
(224.0.0.0/4). If an IPv4 address with a mask is given,
the host is also allowed to receive packets to the broadcast
address in that specified subnet.
If any IPv4 address is given, the host is additionally
restricted to sending ARP packets with the specified
source IPv4 address. (RARP is not restricted.)
• If any IPv6 address is given, the host is also allowed to
receive packets to IPv6 multicast addresses (ff00::/8).
If any IPv6 address is given, the host is additionally
restricted to sending IPv6 Neighbor Discovery Solicitation
or Advertisement packets with the specified source
address or, for solicitations, the unspecified address.
If an element includes an IPv4 address, but no IPv6 addresses,
then IPv6 traffic is not allowed. If an element includes an IPv6
address, but no IPv4 address, then IPv4 and ARP traffic is not
allowed.
This column uses the same lexical syntax as the match column in
the OVN Southbound database’s Pipeline table. Multiple addresses
within an element may be space or comma separated.
This column is provided as a convenience to cloud management
systems, but all of the features that it implements can be
implemented as ACLs using the ACL table.
Examples:
80:fa:5b:06:72:b7
The host may send traffic from and receive traffic to the
specified MAC address, and to receive traffic to Ethernet
multicast and broadcast addresses, but not otherwise. The
host may not send ARP or IPv6 Neighbor Discovery packets
with inner source Ethernet addresses other than the one
specified.
80:fa:5b:06:72:b7 192.168.1.10/24
This adds further restrictions to the first example. The
host may send IPv4 packets from or receive IPv4 packets
to only 192.168.1.10, except that it may also receive
IPv4 packets to 192.168.1.255 (based on the subnet mask),
255.255.255.255, and any address in 224.0.0.0/4. The host
may not send ARPs with a source Ethernet address other
than 80:fa:5b:06:72:b7 or source IPv4 address other than
192.168.1.10. The host may not send or receive any IPv6
(including IPv6 Neighbor Discovery) traffic.
"80:fa:5b:12:42:ba", "80:fa:5b:06:72:b7 192.168.1.10/24"
The host may send traffic from and receive traffic to the
specified MAC addresses, and to receive traffic to Ethernet
multicast and broadcast addresses, but not otherwise.
With MAC 80:fa:5b:12:42:ba, the host may send traffic
from and receive traffic to any L3 address. With MAC
80:fa:5b:06:72:b7, the host may send IPv4 packets from or
receive IPv4 packets to only 192.168.1.10, except that it
may also receive IPv4 packets to 192.168.1.255 (based on
the subnet mask), 255.255.255.255, and any address in
224.0.0.0/4. The host may not send or receive any IPv6
(including IPv6 Neighbor Discovery) traffic.
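To make the rules above concrete, here is an added example (my own code, not part of this page or of OVN): a small Python model of the port_security column that decides whether a packet passes for a given set of elements. It follows the man page text rather than OVN's actual flow tables, and the function names are my own; the three man page examples can be checked against it.

```python
import ipaddress

# Constructed model of the port_security rules quoted above (not OVN's own code).
IPV4_BCAST = ipaddress.ip_address("255.255.255.255")
IPV4_MCAST = ipaddress.ip_network("224.0.0.0/4")
IPV6_MCAST = ipaddress.ip_network("ff00::/8")

def parse_element(elem):
    """'<mac> [ip[/mask] ...]' -> (mac, [ip_interface ...]); tokens are space or comma separated."""
    toks = elem.replace(",", " ").split()
    return toks[0].lower(), [ipaddress.ip_interface(t) for t in toks[1:]]

def _l3_ok(ifaces, addr, receiving):
    """One element's L3 rule. An element with no addresses allows any L3 address."""
    if not ifaces:
        return True
    same = [i for i in ifaces if i.version == addr.version]
    if not same:                      # IPv4-only element drops IPv6, and vice versa
        return False
    for i in same:
        masked = i.network.prefixlen < i.network.max_prefixlen
        if addr == i.ip or (masked and i.ip == i.network.network_address and addr in i.network):
            return True               # exact address, or host part zero -> whole subnet
        if receiving and masked and addr.version == 4 and addr == i.network.broadcast_address:
            return True               # broadcast address of the masked subnet
    if receiving and addr.version == 4:
        return addr == IPV4_BCAST or addr in IPV4_MCAST
    return receiving and addr in IPV6_MCAST

def allowed(port_security, mac, ip, receiving):
    """Does the packet pass? mac/ip are the source when sending, the destination when receiving.
    ip=None models non-IP traffic, where only the Ethernet rule applies."""
    if not port_security:             # empty column: everything is permitted
        return True
    mac = mac.lower()
    group_bit = int(mac.split(":")[0], 16) & 1   # set for multicast and broadcast MACs
    for elem in port_security:
        emac, ifaces = parse_element(elem)
        if mac != emac and not (receiving and group_bit):
            continue
        if ip is None or _l3_ok(ifaces, ipaddress.ip_address(ip), receiving):
            return True
    return False

if __name__ == "__main__":
    ps = ["80:fa:5b:12:42:ba", "80:fa:5b:06:72:b7 192.168.1.10/24"]
    print(allowed(ps, "80:fa:5b:06:72:b7", "192.168.1.11", receiving=False))  # False
    print(allowed(ps, "80:fa:5b:12:42:ba", "2001:db8::1", receiving=False))   # True
```

The ARP source-IP and Neighbor Discovery restrictions are not modelled; pass the ARP sender IP as ip if you want the same check applied to them.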
Batch-disable port-security for all VMs
#!/bin/bash
set -exo pipefail
# One "<name>.<namespace>" entry per VM; kube-ovn names its IP objects after the pod and namespace
vms=$(kubectl get vm -A -o wide | grep -v NAMESPACE | grep -v kube-system | awk '{print $2 "." $1}')
for vm in $vms; do
    # IP objects belonging to this VM; "|| true" keeps pipefail from aborting when none match
    ips=$(kubectl get ips | grep "$vm" | awk '{print $1}' || true)
    for ip in $ips; do
        kubectl ko nbctl lsp-get-port-security "$ip"
        # Uncomment to actually clear port security: no address argument means it is disabled
        # kubectl ko nbctl lsp-set-port-security "$ip"
        # kubectl ko nbctl lsp-get-port-security "$ip"
    done
done