Use Open vSwitch

Use Open vSwitch
Bridge Management
Add a bridge named br0
Ovs-vsctl add-br br0
Delete A Bridge named br0
Ovs-vsctl del-br br0

List all bridges
Ovs-vsctl list-br

Judge whether the bridge br0 exists
Ovs-vsctl br-exists br0

List all network interfaces mounted to the bridge br0
Ovs-vsctl list-ports br0

Mount the network interface eth0 to the bridge br0
Ovs-vsctl add-port br0 eth0

Delete the eth0 network interface attached to the bridge br0
Ovs-vsctl del-port br0 eth0

List bridges mounted with eth0 Network Interfaces
Ovs-vsctl port-to-br eth0

Bridge Management (ovsdb Database Operations)
Ovsdb is a very lightweight database. It is not so much a database as a temporary configuration cache that provides functions such as addition, deletion, query, and modification, it is because the ovsdb database does not use many database technologies, such as SQL language queries and stored procedures. The ovsdb database is implemented through the pattern file "openvswitch-1.1.0pre2/vswitchd/vswitch. ovsschema". to customize the ovsdb database, you can change the vswitch. ovsschema file, but the following is still called the database.

The general format of database operations is:
Ovs-vsctl list/set/get/add/remove/clear/destroy table record column [value]
By default, ovsdb has the following data tables:
Bridge, controller, interface, mirror, netflow, open_vswitch, port, qos, queue, ssl, sflow
That is, the table can be any of the above. Record is the value of the name field in the data table, column is the field name and value field value of any field in the data table.

Basic operations:
View all records in the bridge data table




Obtain the value of the _ uuid field in the bridge data table.


Set the value of the datapath_type field of the bridge data table.


Clear the flood_vlans field value of the bridge data table.
Ovs-vsctl remove bridge xenbr0 flood_vlans 23
Or
Ovs-vsctl clear bridge xenbr0 flood_vlans

Delete qos records with the uuid 69ee0c09-9e52-4236-8af6-037a98ca704d
Ovs-vsctl destroy qos 69ee0c09-9e52-4236-8af6-037a98ca704d

Application Scenario settings:
QoS settings
For network interface settings: Set the bandwidth of the network interface vif0.0 to 1000 ± kbps
Ovs-vsctl set interface vif0.0 ingress_appsing_rate = 1000
Ovs-vsctl set interface vif0.0 ingress_appsing_burst = 100
(Ingress_policing_rate: Maximum sending rate (unit: kbps)
Ingress_policing_burst: The maximum floating value that exceeds ingress_policing_rate)

For vswitch port settings: linux-htb QoS created on port vif0.0, linux-htb QoS can set the maximum and minimum bandwidth for packet streams with specified features, in the maximum bandwidth range, a packet stream with a certain feature can borrow the bandwidth that is not used up by another feature packet stream.
Ovs-vsctl -- set port vif0.0 qos = @ newqos
-- Id = @ newqos create qos type = linux-htb other-config:
Max-rate = 100000000 queues = 0 = @ q0, 1 = @ q1
-- Id = @ q0 create queue other-config: min-rate = 100000000 other-config: max-rate = 100000000
-- Id = @ q1 create queue other-config: min-rate = 500000000
Adds the bandwidth limit to a feature packet stream.
(Assume that vif0.0 is connected to Port 1 of the vswitch. For the usage of the ovs-ofctl command, see 2.2.3)
Ovs-ofctl add-flow xenbr0 "in_port = 2, idle_timeout = 0, actions = enqueue: 1: 0"

Port ing
All packets sent to port eth0 and from Port eth1 are directed to port eth2.
(Assume that the uuid of the eth0, eth1, and eth2 ports is:
69ee0c09-9e52-4236-8af6-037a98ca704d
69ee0c09-9e52-4236-8af6-037a98ca704e
69ee0c09-9e52-4236-8af6-037a98ca704f
You can run the ovs-vsctl list port command to view the uuid of the port)
Ovs-vsctl -- set bridge xenbr0 mirrors = @ m
-- Id = @ m create mirror name = mymirror
Select-dst-port = 69ee0c09-9e52-4236-8af6-037a98ca704d
Select-src-port = 69ee0c09-9e52-4236-8af6-037a98ca704e
Output-port = 69ee0c09-9e52-4236-8af6-037a98ca704f

Stream rule management
Stream rule Composition
Each flow rule consists of a series of fields, including basic fields, condition fields, and action fields:
The basic fields include the effective time duration_sec, the table item table_id, priority, number of data packets processed n_packets, and idle_timeout. the idle time-out period idle_timeout is measured in seconds, the stream rule will be automatically deleted when the set idle timeout value is exceeded. If the set idle timeout value is 0, the stream rule will never expire, idle_timeout is not included in the output of ovs-ofctl dump-flows brname.

The condition fields include the input port number in_port, the source mac address dl_src/dl_dst, the source IP address nw_src/nw_dst, the data packet type dl_type, and the network layer protocol type nw_proto, however, when no definite value is provided for the underlying field in the network hierarchy, the upper-layer field cannot be set to a definite value, that is, a flow rule allows the underlying protocol field to be specified as a definite value, the high-level protocol field is specified as a wildcard (if not specified, it is matched with any value), and the High-level protocol field is not allowed to be specified as a definite value, however, the underlying protocol field is a wildcard (not specified to match any value). Otherwise, all the stream rules in ovs-vswitchd will be lost and the network cannot be connected.

Action fields include normal forwarding, directed to a switch port output: port, dropped drop, and changed the source mac address mod_dl_src/mod_dl_dst. A flow rule can have multiple actions, the action execution is completed sequentially according to the specified sequence.

Basic operations
View information about the vswitch xenbr0



In the displayed xenbr0 information, the number before the network interface name is the port number that the network interface is attached to the Open vSwitch, for example, 1 (vif0.0): 1 is the port number corresponding to the network interface vif0.0, you can use this command to view the port number corresponding to the network interface when adding a flow rule containing the in_port field.

View the status of each switch port on xenbr0

The output contains information such as the number of packets received, the number of bytes, the number of packet loss, and the number of error packets on each network interface.

View All stream rules on xenbr0

There are two flow rules in the output results. The first rule is the default flow rule, that is, normal forwarding of all data packets. It is a function completed by a common L2 Switch. The priority is 0, the lowest, and never times out.
The second is the manually added stream rule. The basic field does not contain the idle_timeout field, indicating that the stream never times out. The priority is 32768. Open vSwitch processes the received packets according to the flow rule, if the features extracted from the data packet do not match the condition field, use the first flow rule to process all received data packets.

Add a stream rule: discard all data packets sent from Port 2



Delete a flow rule: delete all flow rules with in_port = 2 in the condition field.


A stream rule can contain wildcard characters and a simplified form. ANY field can be * or ANY, for example:
Discard all received packets
Ovs-ofctl add-flow xenbr0 dl_type = *, nw_src = ANY, actions = drop

The abbreviated form is to abbreviated the field group as the protocol name. Currently, the supported abbreviations include ip, arp, icmp, tcp, and udp. the correspondence with the flow rule condition fields is as follows:
Dl_type = 0x0800<=>Ip
Dl_type = 0x0806<=>Arp
Dl_type = 0x0800, nw_proto = 1<=>Icmp
Dl_type = 0x0800, nw_proto = 6<=>Tcp
Dl_type = 0x0800, nw_proto = 17<=>Udp


(1.1.0 is supported in later versions)
Dl_type = 0x86dd.<=>Ipv6
Dl_type = 0x86dd, nw_proto = 6.<=>Tcp6
Dl_type = 0x86dd, nw_proto = 17.<=>Udp6
Dl_type = 0x86dd, nw_proto = 58.<=>Icmp6

Application Scenario settings
Website shielding
Shield access from any host managed by the Open vSwitch to the host 119.75.213.50, but only block ip packets (specified by dl_type = 0x0800 ), that is, all hosts cannot access all IP-based services on the host, such as the World Wide Web Service and FTP access.
Ovs-ofctl add-flow xenbr0 idle_timeout = 0, dl_type = 0x0800, nw_src = 119.75.213.50, actions = drop

Packet redirection
Forward all icmp protocol packets (with dl_type = 0x0800 and nw_proto = 1) to port 4, including the icmp packets sent by port 4, this flow rule will enable ping between hosts managed by Open vSwitch and between external networks. However, services such as the World Wide Web and FTP can be used.
Ovs-ofctl add-flow xenbr0 idle_timeout = 0, dl_type = 0x0800, nw_proto = 1, actions = output: 4

Remove VLAN tags
Remove tags from all VLAN data packets sent from Port 3, and then forward
Ovs-ofctl add-flow xenbr0 idle_timeout = 0, in_port = 3, actions = strip_vlan, normal

Forward data packets after changing the source IP address
Change the Source IP field of all IP packets received from Port 3 to 211.68.52.32
Ovs-ofctl add-flow xenbr0 idle_timeout = 0, in_port = 3, actions = mod_nw_src: 211.68.52.32, normal
Flow operations in the kernel module
View the flow of the kernel module
Ovs-dpctl dump-flows xenbr0
Background module control, such as logging system and background module exit
View the appctl commands supported by the background module
View the appctl commands supported by ovsdb-server. ovs-appctl can be used for backend modules only after it is run in the background module. By default, all running background modules will create a socket file to communicate with ovs-appctl in the/usr/local/var/run/openvswitch/directory.


Change the log level of each backend module of the Open vSwitch
Change the log level info of the ovs-vswitchd module. The previous "ANY" in "ANY: info" represents ANY module component in ovs-vswitchd, "ovs-appctl -- target =/usr/local/var/run/openvswitch/
The first column of the ovs-vswitchd.29384.ctl vlog/list Command output is all the module components included in ovs-vswitchd. The last "ANY" in "ANY: info" indicates the log output in ANY way. There are three log output methods: console, syslog, file, this parameter is used to output logs to the console, write the logs to the system log system, and write the Files specified by the-log-file parameter when the ovs-vswitchd is started. "Info" in "ANY: info" indicates the log level. There are five log levels: emer, err, warn, info, and dbg. When dbg is set to the lowest level, all log information will be output, but this may cause rapid expansion of the log system, occupying more and more hard disk storage space.
Ovs-appctl -- target =/usr/local/var/run/openvswitch/ovs-vswitchd.29384.ctl vlog/set
ANY: info

Exit background module
Stop ovs-vswitchd
Ovs-appctl -- target =/usr/local/var/run/openvswitch/ovs-vswitchd.29384.ctl exit