Source address translation for Neutron private networks

When an instance reaches the external network, address translation rewrites its private network IP to the external gateway.

First, look at the network namespace:

~$ sudo ip netns exec qrouter-0aeca8b7-8a38-41b1-ace7-ee9918e2b229 ip a
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
11325: ha-8fb54dc0-ed:  mtu 1500 qdisc noqueue state UNKNOWN group default
    link/ether fa:16:3e:bd:d9:3a brd ff:ff:ff:ff:ff:ff
    inet 10.180.64.27/23 brd 10.180.65.255 scope global ha-8fb54dc0-ed
       valid_lft forever preferred_lft forever
    inet 10.180.64.1/23 scope global secondary ha-8fb54dc0-ed
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:febd:d93a/64 scope link
       valid_lft forever preferred_lft forever
11326: qg-0aeca8b7-8a:  mtu 1500 qdisc noqueue state UNKNOWN group default
    link/ether 00:16:3e:fe:04:db brd ff:ff:ff:ff:ff:ff
    inet 169.254.4.219/24 brd 169.254.4.255 scope global qg-0aeca8b7-8a
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fefe:4db/64 scope link
       valid_lft forever preferred_lft forever
3938: tun0:  mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.180.66.1/23 scope global tun0
       valid_lft forever preferred_lft forever

Of these, the qg interface is attached to br-ex, which is where traffic finally leaves.

Access the external network from inside the virtual machine, and at the same time run tcpdump on both ha-8fb54dc0-ed and qg-0aeca8b7-8a.

~$ sudo ip netns exec qrouter-0aeca8b7-8a38-41b1-ace7-ee9918e2b229 tcpdump -i ha-8fb54dc0-ed icmp -en
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ha-8fb54dc0-ed, link-type EN10MB (Ethernet), capture size 65535 bytes
12:54:31.375770 fa:16:3e:00:ac:68 > fa:16:3e:bd:d9:3a, ethertype IPv4 (0x0800), length 98: 10.180.64.87 > 114.114.114.114: ICMP echo request, id 4364, seq 1, length 64
12:54:31.383902 fa:16:3e:bd:d9:3a > fa:16:3e:00:ac:68, ethertype IPv4 (0x0800), length 98: 114.114.114.114 > 10.180.64.87: ICMP echo reply, id 4364, seq 1, length 64
12:54:32.377325 fa:16:3e:00:ac:68 > fa:16:3e:bd:d9:3a, ethertype IPv4 (0x0800), length 98: 10.180.64.87 > 114.114.114.114: ICMP echo request, id 4364, seq 2, length 64
12:54:32.385475 fa:16:3e:bd:d9:3a > fa:16:3e:00:ac:68, ethertype IPv4 (0x0800), length 98: 114.114.114.114 > 10.180.64.87: ICMP echo reply, id 4364, seq 2, length 64
12:54:33.378714 fa:16:3e:00:ac:68 > fa:16:3e:bd:d9:3a, ethertype IPv4 (0x0800), length 98: 10.180.64.87 > 114.114.114.114: ICMP echo request, id 4364, seq 3, length 64
12:54:33.386913 fa:16:3e:bd:d9:3a > fa:16:3e:00:ac:68, ethertype IPv4 (0x0800), length 98: 114.114.114.114 > 10.180.64.87: ICMP echo reply, id 4364, seq 3, length 64

 

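This is what was captured on the 10.180.64.74 network segment.

Below is what was captured on the side that finally connects to the 114.114.114.114 network segment.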

~$ sudo ip netns exec qrouter-0aeca8b7-8a38-41b1-ace7-ee9918e2b229 tcpdump -i qg-0aeca8b7-8a icmp -en
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on qg-0aeca8b7-8a, link-type EN10MB (Ethernet), capture size 65535 bytes
12:54:31.375802 00:16:3e:fe:04:db > 00:16:3e:fe:04:01, ethertype IPv4 (0x0800), length 98: 169.254.4.219 > 114.114.114.114: ICMP echo request, id 4364, seq 1, length 64
12:54:31.383865 00:16:3e:fe:04:01 > 00:16:3e:fe:04:db, ethertype IPv4 (0x0800), length 98: 114.114.114.114 > 169.254.4.219: ICMP echo reply, id 4364, seq 1, length 64
12:54:32.377380 00:16:3e:fe:04:db > 00:16:3e:fe:04:01, ethertype IPv4 (0x0800), length 98: 169.254.4.219 > 114.114.114.114: ICMP echo request, id 4364, seq 2, length 64
12:54:32.385435 00:16:3e:fe:04:01 > 00:16:3e:fe:04:db, ethertype IPv4 (0x0800), length 98: 114.114.114.114 > 169.254.4.219: ICMP echo reply, id 4364, seq 2, length 64
12:54:33.378765 00:16:3e:fe:04:db > 00:16:3e:fe:04:01, ethertype IPv4 (0x0800), length 98: 169.254.4.219 > 114.114.114.114: ICMP echo request, id 4364, seq 3, length 64
12:54:33.386862 00:16:3e:fe:04:01 > 00:16:3e:fe:04:db, ethertype IPv4 (0x0800), length 98: 114.114.114.114 > 169.254.4.219: ICMP echo reply, id 4364, seq 3, length 64

 

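So we can see that the source IP address of the packets has been translated to the external gateway IP; communication with the outside goes through this layer of address translation.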
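Added example, not part of the original post: when an alert only shows the translated address, the internal sender can be recovered by correlating the two captures. The sketch below pairs ICMP echo requests seen on both interfaces by destination, id and seq, using lines copied from the captures above; it assumes the router leaves the ICMP id unchanged, as it does in this capture (4364 on both sides). The function names are illustrative.

```python
import re

# Sample lines copied from the two tcpdump captures above (seq 1 only).
INSIDE = """\
12:54:31.375770 fa:16:3e:00:ac:68 > fa:16:3e:bd:d9:3a, ethertype IPv4 (0x0800), length 98: 10.180.64.87 > 114.114.114.114: ICMP echo request, id 4364, seq 1, length 64
12:54:31.383902 fa:16:3e:bd:d9:3a > fa:16:3e:00:ac:68, ethertype IPv4 (0x0800), length 98: 114.114.114.114 > 10.180.64.87: ICMP echo reply, id 4364, seq 1, length 64
"""
OUTSIDE = """\
12:54:31.375802 00:16:3e:fe:04:db > 00:16:3e:fe:04:01, ethertype IPv4 (0x0800), length 98: 169.254.4.219 > 114.114.114.114: ICMP echo request, id 4364, seq 1, length 64
12:54:31.383865 00:16:3e:fe:04:01 > 00:16:3e:fe:04:db, ethertype IPv4 (0x0800), length 98: 114.114.114.114 > 169.254.4.219: ICMP echo reply, id 4364, seq 1, length 64
"""

# Matches the IP/ICMP part of a `tcpdump -en` line.
LINE = re.compile(
    r"length \d+: (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)")

def parse(capture):
    """Yield (kind, src, dst, icmp_id, seq) for each ICMP echo line."""
    for line in capture.splitlines():
        m = LINE.search(line)
        if m:
            yield m["kind"], m["src"], m["dst"], int(m["id"]), int(m["seq"])

def snat_mappings(inside, outside):
    """Pair echo requests from both interfaces by (dst, id, seq).

    Returns {(internal_src, dst): external_src} for every flow whose
    source address differs between the inside and outside capture.
    """
    seen = {(dst, i, s): src
            for kind, src, dst, i, s in parse(outside) if kind == "request"}
    result = {}
    for kind, src, dst, i, s in parse(inside):
        ext = seen.get((dst, i, s))
        if kind == "request" and ext and ext != src:
            result[(src, dst)] = ext
    return result

if __name__ == "__main__":
    for (internal, dst), external in snat_mappings(INSIDE, OUTSIDE).items():
        print(f"{internal} -> {dst} leaves the router as {external}")
```
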

 
