In http://www.rendoumi.com/zen-yang-zai-open-vswitchshang-she-zhi-span-huo-zhe-mirrorduan-kou/ we described how to set up a mirror port with a libvirt script.
Here is the purely manual version:
The scenario is the same as before:
kvm01: vnet1
kvm02: vnet2
First look at the OVS configuration; you can see that the two ports vnet1 and vnet2 are attached to ovsbr0:
# ovs-vsctl show
238d066c-8354-4978-a9f4-39a98fa2d2e9
    Bridge "ovsbr0"
        Port "eth0"
            Interface "eth0"
        Port "ovsbr0"
            Interface "ovsbr0"
                type: internal
        Port "vnet1"
            Interface "vnet1"
        Port "vnet2"
            Interface "vnet2"
    ovs_version: "1.4.2"
Listing the mirrors should return nothing yet:
# ovs-vsctl list Mirror
Now set it up by hand. Note the parameters: the bridge we set is ovsbr0, and the two ports are vnet1 and vnet2 (traffic to and from vnet1 is copied to vnet2):
# ovs-vsctl -- set bridge ovsbr0 mirrors=@m -- --id=@vnet1 get Port vnet1 -- --id=@vnet2 get Port vnet2 -- --id=@m create Mirror name=mirror_test select-dst-port=@vnet1 select-src-port=@vnet1 output-port=@vnet2
------
b073490c-5a64-4d80-93ca-534f29c09027
------
The same command, formatted more readably:
# ovs-vsctl -- set Bridge ovsbr0 mirrors=@m \
    -- --id=@vnet1 get Port vnet1 \
    -- --id=@vnet2 get Port vnet2 \
    -- --id=@m create Mirror name=mirror_test select-dst-port=@vnet1 select-src-port=@vnet1 output-port=@vnet2
Check again:
# ovs-vsctl list Mirror
_uuid               : b073490c-5a64-4d80-93ca-534f29c09027
external_ids        : {}
name                : mirror_test
output_port         : 6b80f606-516c-4304-91a3-0217b02e408b
output_vlan         : []
select_all          : false
select_dst_port     : [b3ef508f-cdca-4a42-921e-9a96fffff98b]
select_src_port     : [b3ef508f-cdca-4a42-921e-9a96fffff98b]
select_vlan         : []
statistics          : {tx_bytes=24430, tx_packets=380}
To remove it:
# ovs-vsctl clear bridge ovsbr0 mirrors
The difference: what we set up by hand above is a mirror of one specific port, whereas the previous article mirrored the traffic of the entire bridge, which is what lets snort scan all traffic crossing the bridge. The difference is the select_all=true parameter. Here it is as a single command:
# ovs-vsctl \
    -- --id=@m create mirror name=mymirror \
    -- add bridge ovsbr0 mirrors @m \
    -- --id=@vnet2 get port vnet2 \
    -- set mirror mymirror select_all=true output-port=@vnet2
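Because the per-port mirror and the select_all mirror look almost identical in `ovs-vsctl list Mirror` output, it is worth auditing what each mirror actually copies and where it sends it. The following is an added example, not from the original post: it parses `ovs-vsctl list Mirror` records, resolves port UUIDs to names, and flags any mirror whose output port is not one you intend to feed to the IDS. The sample output and the UUID-to-port map (PORTS, normally taken from `ovs-vsctl list Port`) are constructed from the values shown above.

```python
import re
# Constructed `ovs-vsctl list Mirror` output (columns trimmed): the per-port
# mirror from the text plus a bridge-wide select_all=true one.
SAMPLE = """\
_uuid : b073490c-5a64-4d80-93ca-534f29c09027
name : mirror_test
output_port : 6b80f606-516c-4304-91a3-0217b02e408b
select_all : false
select_dst_port : [b3ef508f-cdca-4a42-921e-9a96fffff98b]
select_src_port : [b3ef508f-cdca-4a42-921e-9a96fffff98b]
statistics : {tx_bytes=24430, tx_packets=380}

_uuid : 0f2a9b1e-1111-4c2d-8e3f-000000000002
name : mymirror
output_port : 6b80f606-516c-4304-91a3-0217b02e408b
select_all : true
select_dst_port : []
select_src_port : []
statistics : {}
"""
# Constructed Port _uuid -> name map (take it from `ovs-vsctl list Port`).
PORTS = {"b3ef508f-cdca-4a42-921e-9a96fffff98b": "vnet1",
         "6b80f606-516c-4304-91a3-0217b02e408b": "vnet2"}
def parse_value(raw):
    """Decode one ovsdb cell: true/false, [set], {map} or a bare string."""
    raw = raw.strip()
    if raw in ("true", "false"):
        return raw == "true"
    if raw[:1] in ("[", "{"):
        items = [v for v in re.split(r",\s*", raw[1:-1].strip()) if v]
        return items if raw[0] == "[" else dict(kv.split("=", 1) for kv in items)
    return raw
def parse_records(text):
    """One dict per blank-line-separated record of `ovs-vsctl list` output."""
    return [dict((k.strip(), parse_value(v)) for k, _, v in
                 (ln.partition(":") for ln in block.splitlines()))
            for block in re.split(r"\n\s*\n", text.strip())]

def audit_mirrors(text, ports, allowed_outputs):
    """Per mirror: (name, scope, source ports, output port, output approved?).
    A select_all mirror copies every frame on the bridge, so its output must
    be a port you deliberately feed to the IDS; anything else is flagged."""
    result = []
    for m in parse_records(text):
        out = ports.get(m["output_port"], m["output_port"])
        srcs = [] if m["select_all"] else sorted(
            {ports.get(u, u) for u in m["select_src_port"] + m["select_dst_port"]})
        result.append((m["name"], "bridge" if m["select_all"] else "ports",
                       srcs, out, out in allowed_outputs))
    return result
```

Run `audit_mirrors(SAMPLE, PORTS, {"vnet2"})` against the output of your own host to see at a glance which mirrors are per-port and which copy the whole bridge.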