CN104168200B - Method and system for implementing an ACL function based on Open vSwitch - Google Patents
Method and system for implementing an ACL function based on Open vSwitch
- Publication number
- CN104168200B
- Authority
- CN
- China
- Prior art keywords
- flow
- network
- open vswitch
- virtual machine
- services end
- Prior art date
- Legal status
- Active
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Information Transfer Between Computers (AREA)
Abstract
The invention provides a method for implementing an ACL function based on Open vSwitch. The method includes: a host sends a newly set ACL rule for a certain virtual machine to its network control service; after receiving the ACL rule, the network control service converts it into the Flow rules used by Open vSwitch and sends the Flow rules to the network proxy service on the host where the virtual machine resides; the network proxy service converts the received Flow rules into OVS commands and executes those commands on the local host, which inserts the Flow rules into the Open vSwitch flow table. The method uses Open vSwitch to implement the ACL function for virtual machine traffic, and thereby achieves control over virtual machine data flows.
Description
Technical field
The present invention relates to the technical field of computer networks, and in particular to a method and system for implementing an ACL function based on Open vSwitch.
Background technology
Since a physical machine may host multiple virtualized systems, those systems need to communicate with each other over a network. Unlike ordinary physical systems, which are interconnected through physical network devices, the network interfaces of virtual systems are themselves virtual, so they cannot be interconnected directly by physical network equipment. A currently popular solution is virtual switching (vSwitch) technology. A so-called vSwitch is a virtual bridge implemented entirely on the server (terminal) hardware, without involving the cooperation of an external switch.
On an ordinary server, each virtual machine has its own virtual network card (virtual NIC), and each virtual NIC has its own MAC address and IP address. A vSwitch is equivalent to a virtual layer 2 switch: it connects the virtual NICs to the physical NIC and forwards the virtual machines' data packets out through the physical network port. As needed, a vSwitch can also support functions such as layer 2 forwarding, security control and port mirroring.
However, in the prior art, implementing an access control list (ACL) function with a traditional vSwitch consumes CPU resources and affects server performance.
Summary of the invention
To address the defects of the prior art, the present invention provides a method for implementing an ACL function that uses Open vSwitch to implement the ACL function for virtual machine traffic, thereby achieving control over virtual machine data flows.
In a first aspect, the invention provides a method for implementing an ACL function based on Open vSwitch. The method includes:
S1: the first host sends the access control list (ACL) rule set for a certain virtual machine to the network control service of the first host;
S2: after receiving the ACL rule, the network control service converts it into the Flow rules used by the open virtual switch standard Open vSwitch, and sends the Flow rules to the network proxy service of the second host where the virtual machine resides;
S3: the network proxy service converts the received Flow rules into OVS commands and executes the OVS commands on the second host, which inserts the Flow rules into the Open vSwitch flow table.
Preferably, the method further includes, after step S3:
when traffic from a virtual machine enters Open vSwitch, Open vSwitch matches it against the flow table and performs the action defined in the matching Flow rule.
Preferably, step S2 further includes:
the network control service saves the received ACL rule in a distributed database.
Preferably, the ACL rule applies to a network (Network) or to a virtual NIC.
Preferably, the priority of ACL rules, from high to low, is: the non-overridable Network level, the virtual NIC level, and the overridable Network level.
In a second aspect, the invention provides a system for implementing an ACL function based on Open vSwitch. The system includes a virtual machine, Open vSwitch, a network proxy service and a network control service;
the network control service is used to convert a received ACL rule into the Flow rules used by Open vSwitch and to send the Flow rules to the network proxy service of the host where the virtual machine resides;
the network proxy service is used to convert the received Flow rules into OVS commands, execute the OVS commands on the local host, and thereby insert the Flow rules into the flow table of the Open vSwitch;
Open vSwitch is used to match the virtual machine traffic entering Open vSwitch against its flow table and to perform the action defined in the matching Flow rule.
Preferably, the functions of the network control service further include saving the received ACL rule in a distributed database.
Preferably, the virtual machine, the Open vSwitch and the network proxy service are located on the same host, and the network control service is located on another host.
Preferably, the system further includes a physical switch for connecting different hosts through their physical NICs.
As can be seen from the above technical solution, the method and system for implementing an ACL function provided by the present invention use Open vSwitch and a distributed structure to implement the ACL function for virtual machine traffic, thereby achieving control over virtual machine data flows; because the whole system is distributed over different hosts, server performance is significantly improved.
Brief description of the drawings
To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from these figures without creative effort.
Fig. 1 is a flow chart of the method for implementing an ACL function based on Open vSwitch provided in an embodiment of the present invention;
Fig. 2 is a structural diagram of the system for implementing an ACL function based on Open vSwitch provided in an embodiment of the present invention;
Fig. 3 is a flow diagram of the matching that Open vSwitch performs in its flow tables, provided in another embodiment of the present invention.
Embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of those embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the invention.
Open vSwitch is a piece of software and is an open virtual switch standard. Fig. 1 shows a flow chart of the method for implementing an ACL function based on Open vSwitch provided by the present invention. The method includes:
S1: the first host sends the access control list (ACL) rule set for a certain virtual machine to the network control service of the first host;
S2: after receiving the ACL rule, the network control service converts it into the Flow rules used by the open virtual switch standard Open vSwitch, and sends the Flow rules to the network proxy service of the second host where the virtual machine resides;
S3: the network proxy service converts the received Flow rules into OVS commands and executes the OVS commands on the second host, which inserts the Flow rules into the Open vSwitch flow table.
The method further includes, after step S3:
when traffic from a virtual machine enters Open vSwitch, Open vSwitch matches it against the flow table and performs the action defined in the matching Flow rule.
For example, if the newly set ACL rule does not allow traffic on TCP port 8080 to pass, then when virtual machine traffic uses TCP with port 8080, a DROP action is performed.
Fig. 3 shows the flow tables in Open vSwitch, which comprise three tables in total: Table0, Table1 and Table2. As the figure shows, when traffic enters Open vSwitch, the matching process in the flow tables is:
(1) when traffic enters Open vSwitch, Table0 determines whether the traffic came out of a virtual machine's virtual NIC; if so, it adds a VLAN tag and jumps to Table1;
(2) Table1 checks, in priority order, whether the traffic matches a Flow rule of the non-overridable Network level, the virtual NIC level or the overridable Network level; if it matches one of these Flow rules, the action defined in that Flow rule is performed, and if the action to perform is allow (normal), it jumps to Table2;
(3) Table2 determines whether the traffic came out of a virtual machine's virtual NIC; if so, it removes the VLAN tag.
Step S2 of the above method further includes:
the network control service saves the received ACL rule in a distributed database.
Optionally, the ACL rule applies to a network (Network) or to a virtual NIC. Specifically, such rules target either a particular network or the virtual NIC of a particular virtual machine. When a user sets an ACL on the virtual NIC of a virtual machine, the Flow is issued only on the host where that virtual machine resides. When a user sets an ACL on a virtual network, all virtual NICs belonging to that virtual network are first looked up, then the virtual machines corresponding to those virtual NICs and the hosts they run on are found, and finally the Flow is issued on those hosts.
Preferably, the priority of ACL rules, from high to low, is: the non-overridable Network level, the virtual NIC level, and the overridable Network level.
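The S2/S3 conversion of an ACL rule into an OVS command, the three-level priority order, and the Table0/Table1/Table2 matching of Fig. 3, as an added Python example that is not part of the patent (which discloses no code). The OpenFlow priority numbers for the three ACL levels, the bridge name br0, the OVS port numbers, the rule and packet shapes and the sample rules are all assumptions; the `ovs-ofctl add-flow` match keys (`in_port`, `tcp`, `tp_dst`, `resubmit`) are standard OVS syntax.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed OpenFlow priorities for the patent's three ACL levels (higher wins):
# non-overridable Network > virtual NIC > overridable Network.
PRIORITY = {"network_fixed": 3000, "vnic": 2000, "network_override": 1000}
BRIDGE = "br0"  # assumed OVS bridge name on the VM's host

@dataclass(frozen=True)
class AclRule:
    level: str    # key of PRIORITY
    proto: str    # "tcp" or "udp"
    port: int     # destination port the rule covers
    action: str   # "drop" or "allow"
    in_port: int  # OVS port number of the VM's virtual NIC (assumed)

def acl_to_flow(rule: AclRule) -> str:
    """S2/S3: render an ACL rule as the ovs-ofctl command the proxy would run."""
    if rule.level not in PRIORITY:
        raise ValueError(f"unknown ACL level: {rule.level}")
    if rule.proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol: {rule.proto}")
    if rule.action not in ("drop", "allow"):
        raise ValueError(f"unsupported action: {rule.action}")
    # Allowed traffic continues to Table2 (VLAN tag removal); drop ends processing.
    actions = "drop" if rule.action == "drop" else "resubmit(,2)"
    match = (f"table=1,priority={PRIORITY[rule.level]},in_port={rule.in_port},"
             f"{rule.proto},tp_dst={rule.port}")
    return f'ovs-ofctl add-flow {BRIDGE} "{match},actions={actions}"'

@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int
    in_port: int
    from_vnic: bool            # True when the frame came out of a virtual NIC
    vlan_tag: Optional[int] = None

def table1(rules: List[AclRule], pkt: Packet) -> str:
    """Table1: the highest-priority matching Flow decides; no match means allow."""
    hits = [r for r in rules
            if r.proto == pkt.proto and r.port == pkt.dst_port and r.in_port == pkt.in_port]
    if not hits:
        return "allow"
    return max(hits, key=lambda r: PRIORITY[r.level]).action

def pipeline(rules: List[AclRule], pkt: Packet, vlan: int = 100) -> Tuple[str, Optional[int]]:
    """Walk Table0 -> Table1 -> Table2 as in Fig. 3; return (action, final VLAN tag)."""
    tag = vlan if pkt.from_vnic else pkt.vlan_tag   # Table0: tag frames from a vNIC
    action = table1(rules, pkt)
    if action == "drop":
        return "drop", tag
    if pkt.from_vnic:                               # Table2: strip the tag again
        tag = None
    return "allow", tag

# Constructed sample: the patent's own case (TCP port 8080 not allowed on a vNIC),
# plus two port-22 rules showing the vNIC level overriding the overridable Network level.
SAMPLE_RULES = [
    AclRule("vnic", "tcp", 8080, "drop", in_port=5),
    AclRule("network_override", "tcp", 22, "drop", in_port=5),
    AclRule("vnic", "tcp", 22, "allow", in_port=5),
]

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print(acl_to_flow(r))
    print(pipeline(SAMPLE_RULES, Packet("tcp", 8080, 5, from_vnic=True)))  # ('drop', 100)
```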
Fig. 2 shows a structural diagram of the system for implementing an ACL function based on Open vSwitch provided by the present invention. The system includes a virtual machine, Open vSwitch, a network proxy service and a network control service.
Specifically, the network control service is used to convert a received ACL rule into Flow rules for Open vSwitch and to send the Flow rules to the network proxy service of the host where the virtual machine resides; the network proxy service is used to convert the received Flow rules into OVS commands, execute the OVS commands on the local host, and thereby insert the Flow rules into the flow table of the Open vSwitch; Open vSwitch is used to match the virtual machine traffic entering Open vSwitch against its flow table and to perform the action defined in the matching Flow rule.
Moreover, the system further includes a physical switch for connecting different hosts through their physical NICs.
In this embodiment, the virtual machine, the Open vSwitch and the network proxy service are located on the same host B, and the network control service is located on another host A.
Preferably, the functions of the network control service further include saving the received ACL rule in a distributed database.
As can be seen from the above technical solution, the method and system for implementing an ACL function provided by the present invention use Open vSwitch and a distributed structure to implement the ACL function for virtual machine traffic, thereby achieving control over virtual machine data flows; because the whole system is distributed over different hosts, server performance is significantly improved.
The above embodiments are merely intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some of their technical features can be replaced by equivalents; such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (9)
1. A method for implementing an access control list (ACL) function based on Open vSwitch, characterized in that the method includes:
S1: a first host sends the access control list (ACL) rule set for a certain virtual machine to the network control service of the first host;
S2: after receiving the ACL rule, the network control service converts it into the Flow rules used by the open virtual switch standard Open vSwitch, and sends the Flow rules to the network proxy service of a second host where the virtual machine resides;
S3: the network proxy service converts the received Flow rules into OVS commands and executes the OVS commands on the second host, which inserts the Flow rules into the Open vSwitch flow table.
2. The method according to claim 1, characterized in that the method further includes, after step S3:
when traffic from a virtual machine enters Open vSwitch, Open vSwitch matches it against the flow table and performs the action defined in the matching Flow rule.
3. The method according to claim 1, characterized in that step S2 further includes:
the network control service saves the received ACL rule in a distributed database.
4. The method according to claim 1, characterized in that the ACL rule applies to a network or to a virtual NIC.
5. The method according to claim 4, characterized in that the priority of ACL rules, from high to low, is: the non-overridable network level, the virtual NIC level and the overridable network level.
6. A system for implementing an access control list (ACL) function based on Open vSwitch, characterized in that the system includes a virtual machine, Open vSwitch, a network proxy service and a network control service;
the network control service is used to convert a received ACL rule into the Flow rules used by Open vSwitch and to send the Flow rules to the network proxy service of the host where the virtual machine resides;
the network proxy service is used to convert the received Flow rules into OVS commands, execute the OVS commands on the local host, and thereby insert the Flow rules into the flow table of the Open vSwitch;
Open vSwitch is used to match the virtual machine traffic entering Open vSwitch against its flow table and to perform the action defined in the matching Flow rule.
7. The system according to claim 6, characterized in that the functions of the network control service further include saving the received ACL rule in a distributed database.
8. The system according to claim 6, characterized in that the virtual machine, the Open vSwitch and the network proxy service are located on the same host, and the network control service is located on another host.
9. The system according to claim 6, characterized in that the system further includes a physical switch for connecting different hosts through their physical NICs.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410328769.6A CN104168200B (en) | 2014-07-10 | 2014-07-10 | A kind of method and system that acl feature is realized based on Open vSwitch |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104168200A CN104168200A (en) | 2014-11-26 |
CN104168200B true CN104168200B (en) | 2017-08-25 |
Family
ID=51911836
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410328769.6A Active CN104168200B (en) | 2014-07-10 | 2014-07-10 | A kind of method and system that acl feature is realized based on Open vSwitch |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104168200B (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106034052B (en) * | 2015-03-13 | 2019-05-17 | 北京网御星云信息技术有限公司 | The system and method that two laminar flow amounts are monitored a kind of between of virtual machine |
CN105245376B (en) * | 2015-10-15 | 2018-11-30 | 成都电科致远网络科技有限公司 | Residential quarters network control system based on SDN |
US20190028409A1 (en) * | 2017-07-19 | 2019-01-24 | Alibaba Group Holding Limited | Virtual switch device and method |
CN107612843A (en) * | 2017-09-27 | 2018-01-19 | 国云科技股份有限公司 | A kind of method for preventing cloud platform IP and MAC from forging |
CN108322467B (en) * | 2018-02-02 | 2021-11-05 | 云宏信息科技股份有限公司 | OVS-based virtual firewall configuration method, electronic equipment and storage medium |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103701822A (en) * | 2013-12-31 | 2014-04-02 | 曙光云计算技术有限公司 | Access control method |
CN103763309A (en) * | 2013-12-31 | 2014-04-30 | 曙光云计算技术有限公司 | Safety domain control method and system based on virtual network |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8989187B2 (en) * | 2010-06-04 | 2015-03-24 | Coraid, Inc. | Method and system of scaling a cloud computing network |
- 2014-07-10 CN CN201410328769.6A patent/CN104168200B/en active Active
Non-Patent Citations (1)
Title |
---|
基于Open vSwitch的虚拟网络访问控制研究;李锐等;《计算机应用与软件》;20140531;第31卷(第5期);308-311 * |
Also Published As
Publication number | Publication date |
---|---|
CN104168200A (en) | 2014-11-26 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| GR01 | Patent grant | |
| PP01 | Preservation of patent right | Effective date of registration: 20180528; Granted publication date: 20170825 |
| PP01 | Preservation of patent right | |