CN104168200A - Open vSwitch-based method and system for realizing ACL function - Google Patents
Open vSwitch-based method and system for realizing ACL function Download PDFInfo
- Publication number
- CN104168200A CN104168200A CN201410328769.6A CN201410328769A CN104168200A CN 104168200 A CN104168200 A CN 104168200A CN 201410328769 A CN201410328769 A CN 201410328769A CN 104168200 A CN104168200 A CN 104168200A
- Authority
- CN
- China
- Prior art keywords
- rule
- flow
- network
- open vswitch
- service end
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Abstract
The invention provides an open virtual switching (vSwitch)-based method for realizing an access control list (ACL) function. The method comprises: a host sends a new ACL rule related to a certain virtual machine to a network control server; after the network control server receives the ACL rule, the ACL rule is converted into a flow rule used by the Open vSwitch and the flow rule is sent to a network agent server of a host that the virtual machine is located at; and the network agent server converts the received flow rule into an OVS command, the OVS command is executed at the local host, and the flow rule is inserted into a flow table of the Open vSwitch. According to the method, the ACL function of the virtual machine flow is realized by using the Open vSwitch way, thereby achieving an objective of virtual machine data flow controlling.
Description
Technical field
The present invention relates to technical field of the computer network, be specifically related to a kind of method and system that realize acl feature based on Open vSwitch.
Background technology
Owing to may there being multiple systems after virtual on a virtual machine, between system, communication just need to be passed through network, but different by physical network devices interconnect with between common physical system, the network interface of virtual system is also virtual, therefore can not directly pass through physical network devices interconnect, popular a solution is at present: virtual switch (Virtual Switching is called for short vSwitch) technology.So-called vSwitch, refers to virtual bridge is realized completely on server (terminal) hardware, does not relate to the cooperation of external switch.
The same with common server equipment, each virtual machine has the Microsoft Loopback Adapter (virtual NIC) of oneself, and each virtual NIC has MAC Address and the IP address of oneself.VSwitch is equivalent to a virtual Layer 2 switch, and this switch connects Microsoft Loopback Adapter and physical network card, and the data message on virtual machine is forwarded from physical internet ports.As required, vSwitch can also support the functions such as two layers of forwarding, security control, Port Mirroring.
But in prior art, utilize traditional vSwitch to realize Access Control List (ACL) (Access Control list is called for short ACL) function and need to consume cpu resource, the performance of server is had to impact.
Summary of the invention
For the defect of prior art, the method that realizes acl feature provided by the invention, adopts Open vSwitch to solve the acl feature of virtual machine flow, thereby reaches the object of controlling virtual-machine data flow.
First aspect, the invention provides a kind of method that realizes acl feature based on Open vSwitch, and the method comprises:
S1: the first main frame sends to the access control list ACL rule about certain virtual machine arranging the network control service end of the first main frame;
S2: network control service end receives after acl rule, convert described acl rule to stream Flow rule that open virtual switch standard Open vSwitch uses, and described Flow rule is sent to the network agent service end of described virtual machine place the second main frame;
S3: network agent service end converts the Flow rule receiving to OVS order, and on the second main frame, carry out described OVS order, so that described Flow rule is inserted in the stream Flow table of Open vSwitch.
Preferably, after the method step S3, also comprise:
When there being flow to enter into Open vSwitch in virtual machine, Open vSwitch can contrast in Flow table, and carries out the defined action of corresponding Flow rule.
Preferably, the method step S2 also comprises:
Network control service end is saved in the acl rule receiving in distributed data base.
Preferably, described acl rule is applicable to network N etwork or Microsoft Loopback Adapter.
Preferably, the priority between described acl rule is followed successively by from high to low: not overlayable network N etwork rank, Microsoft Loopback Adapter rank and overlayable Network rank.
Second aspect, the invention provides a kind of system that realizes acl feature based on Open vSwitch, and this system comprises virtual machine, Open vSwitch, network agent service end and network control service end;
Network control service end, for the acl rule receiving being converted to the Flow rule that Open vSwitch uses, sends to described Flow rule the network agent service end of described virtual machine place main frame;
Network agent service end, converts OVS order to for the Flow rule just receiving, and on local host, carries out described OVS order, and described Flow rule is inserted in the Flow table in described Open vSwitch;
Open vSwitch for according to the flow that enters into Open vSwitch virtual machine, contrasts in its Flow table, and carries out the defined action of corresponding Flow rule.
Preferably, the function of described network control service end also comprises: the acl rule receiving is saved in distributed data base.
Preferably, described virtual machine, described Open vSwitch and described network agent service are positioned at same main frame, and described network control service end is positioned at another main frame.
Preferably, described system also comprises physical switches, for connect different main frames by physical network card.
As shown from the above technical solution, a kind of method and system of realizing acl feature provided by the invention, adopt Open vSwitch and distributed structure to solve the acl feature of virtual machine flow, thereby reach the object of controlling virtual-machine data flow, because whole system is distributed in different main frames, server performance is obviously improved.
Brief description of the drawings
In order to be illustrated more clearly in the embodiment of the present invention or technical scheme of the prior art, to the accompanying drawing of required use in embodiment or description of the Prior Art be briefly described below, apparently, accompanying drawing in the following describes is only some embodiments of the present invention, for those of ordinary skill in the art, do not paying under the prerequisite of creative work, can also obtain according to these figure other accompanying drawing.
Fig. 1 be the embodiment of the present invention provide realize the flow chart of the method for acl feature based on Open vSwitch;
Fig. 2 be the embodiment of the present invention provide realize the structural representation of the system of acl feature based on Open vSwitch;
Fig. 3 is the schematic flow sheet that the Open vSwitch that provides of another embodiment of the present invention contrasts in Flow table.
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the present invention, the technical scheme in the embodiment of the present invention is clearly and completely described, obviously, described embodiment is only the present invention's part embodiment, instead of whole embodiment.Based on the embodiment in the present invention, those of ordinary skill in the art, not making the every other embodiment obtaining under creative work prerequisite, belong to the scope of protection of the invention.
Open vSwitch is a kind of software, and Open vSwitch i.e. open virtual switch standard.As shown in Figure 1, Fig. 1 shows the flow chart of realizing the method for acl feature based on Open vSwitch provided by the invention, and the method comprises:
S1: the first main frame sends to the access control list ACL rule about certain virtual machine arranging the network control service end of the first main frame;
S2: network control service end receives after acl rule, convert described acl rule to stream Flow rule that open virtual switch standard Open vSwitch uses, and described Flow rule is sent to the network agent service end of described virtual machine place the second main frame;
S3: network agent service end converts the Flow rule receiving to OVS order, and on the second main frame, carry out described OVS order, so that described Flow rule is inserted in the stream Flow table of Open vSwitch.
Wherein, after the method step S3, also comprise:
When there being flow to enter into Open vSwitch in virtual machine, Open vSwitch can contrast in Flow table, and carries out the defined action of corresponding Flow rule.
If therefore the acl rule of new settings is not allow the flow of 8080 ports of Transmission Control Protocol to pass through, when virtual machine flow is Transmission Control Protocol, and port is 8080 o'clock, will carry out DROP action.
As shown in Figure 3, Fig. 3 shows Flow table in Open vSwitch, comprises altogether 3 Flow table Table0, Table1 and Table2, and as seen from the figure, in the time having flow to enter in Open vSwitch, the process that Open vSwitch contrasts in Flow table is:
(1), in the time having flow to enter Open vSwitch, Table0 judges that this flow is is all flow out in virtual machine network interface card, if so, adds VLAN Tag, and jumps to Table1;
(2) Table1 according to priority judge successively this flow whether with Flows and the overlayable Network rank Flows of the Flows of the Network rank that can not cover, Microsoft Loopback Adapter rank in Flow rule match, if with certain Flow rule match wherein, carry out this Flow defined action of rule (action), if be permission (normal) action and need the action of carrying out, jump to Table2;
(3) Table2 judges that whether this flow is virtual machine network interface card flow out, if so, removes VLAN Tag.
Step S2 in said method also comprises:
Network control service end is saved in the acl rule receiving in distributed data base.
Alternatively, described acl rule is applicable to network N etwork or Microsoft Loopback Adapter.Specifically, they respectively for be the Microsoft Loopback Adapter on some networks and some virtual machines.Arrange after ACL when user gives the Microsoft Loopback Adapter of a virtual machine, Flow is only issued on the main frame at virtual machine place so.Arrange after ACL when user gives a virtual network, so first can find out all Microsoft Loopback Adapters that belong to this virtual network, find out again afterwards virtual machine that this Microsoft Loopback Adapter is corresponding on those main frames, finally this Flow is issued on these main frames.
Preferably, the priority between described acl rule is followed successively by from high to low: not overlayable network N etwork rank, Microsoft Loopback Adapter rank and overlayable Network rank.
As shown in Figure 2, Fig. 2 shows the structural representation of realizing the system of acl feature based on Open vSwitch provided by the invention, and this system comprises virtual machine, Open vSwitch, network agent service end and network control service end.
Specifically, network control service end, for the acl rule receiving being converted to the Flow rule that Open vSwitch uses, and sends to described Flow rule the network agent service end of described virtual machine place main frame; Network agent service end, converts OVS order to for the Flow rule just receiving, and on local host, carries out described OVS order, and described Flow rule is inserted in the Flow table in described Open vSwitch; Open vSwitch for according to the flow that enters into Open vSwitch virtual machine, contrasts in its Flow table, and carries out the defined action of corresponding Flow rule.
And described system also comprises physical switches, for connect different main frames by physical network card.
Wherein, described virtual machine, described Open vSwitch and described network agent service are positioned at same host B, and described network control service end is positioned at another host A.
Preferably, the function of described network control service end also comprises: the acl rule receiving is saved in distributed data base.
As shown from the above technical solution, a kind of method and system of realizing acl feature provided by the invention, adopt Open vSwitch and distributed structure to solve the acl feature of virtual machine flow, thereby reach the object of controlling virtual-machine data flow, because whole system is distributed in different main frames, server performance is obviously improved.
Above embodiment only, in order to technical scheme of the present invention to be described, is not intended to limit; Although the present invention is had been described in detail with reference to previous embodiment, those of ordinary skill in the art is to be understood that; Its technical scheme that still can record aforementioned each embodiment is modified, or part technical characterictic is wherein equal to replacement; And these amendments or replacement do not make the essence of appropriate technical solution depart from the spirit and scope of various embodiments of the present invention technical scheme.
Claims (9)
1. a method that realizes acl feature based on Open vSwitch, is characterized in that, the method comprises:
S1: the first main frame sends to the access control list ACL rule about certain virtual machine arranging the network control service end of the first main frame;
S2: network control service end receives after acl rule, convert described acl rule to stream Flow rule that open virtual switch standard Open vSwitch uses, and described Flow rule is sent to the network agent service end of described virtual machine place the second main frame;
S3: network agent service end converts the Flow rule receiving to OVS order, and on the second main frame, carry out described OVS order, so that described Flow rule is inserted in the stream Flow table of Open vSwitch.
2. method according to claim 1, is characterized in that, after the method step S3, also comprises:
When there being flow to enter into Open vSwitch in virtual machine, Open vSwitch can contrast in Flow table, and carries out the defined action of corresponding Flow rule.
3. method according to claim 1, is characterized in that, the method step S2 also comprises:
Network control service end is saved in the acl rule receiving in distributed data base.
4. method according to claim 1, is characterized in that, described acl rule is applicable to network or Microsoft Loopback Adapter.
5. method according to claim 4, is characterized in that, the priority between described acl rule is followed successively by from high to low: not overlayable network-level, Microsoft Loopback Adapter rank and overlayable network-level.
6. a system that realizes acl feature based on Open vSwitch, is characterized in that, this system comprises virtual machine, Open vSwitch, network agent service end and network control service end;
Network control service end, for the acl rule receiving being converted to the Flow rule that Open vSwitch uses, sends to described Flow rule the network agent service end of described virtual machine place main frame;
Network agent service end, converts OVS order to for the Flow rule just receiving, and on local host, carries out described OVS order, with and described Flow rule is inserted in the Flow table in described Open vSwitch;
Open vSwitch for according to the flow that enters into Open vSwitch virtual machine, contrasts in its Flow table, and carries out the defined action of corresponding Flow rule.
7. system according to claim 6, is characterized in that, the function of described network control service end also comprises: the acl rule receiving is saved in distributed data base.
8. system according to claim 6, is characterized in that, described virtual machine, described Open vSwitch and described network agent service are positioned at same main frame, and described network control service end is positioned at another main frame.
9. system according to claim 6, is characterized in that, this system also comprises physical switches, for connect different main frames by physical network card.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410328769.6A CN104168200B (en) | 2014-07-10 | 2014-07-10 | A kind of method and system that acl feature is realized based on Open vSwitch |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410328769.6A CN104168200B (en) | 2014-07-10 | 2014-07-10 | A kind of method and system that acl feature is realized based on Open vSwitch |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104168200A true CN104168200A (en) | 2014-11-26 |
| CN104168200B CN104168200B (en) | 2017-08-25 |
Family
ID=51911836
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410328769.6A Active CN104168200B (en) | 2014-07-10 | 2014-07-10 | A kind of method and system that acl feature is realized based on Open vSwitch |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104168200B (en) |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106034052A (en) * | 2015-03-13 | 2016-10-19 | 北京网御星云信息技术有限公司 | System and method for monitoring two-layer traffic among virtual machines |
| WO2017063511A1 (en) * | 2015-10-15 | 2017-04-20 | 成都电科致远网络科技有限公司 | Sdn-based residential cell network control system |
| CN107612843A (en) * | 2017-09-27 | 2018-01-19 | 国云科技股份有限公司 | A kind of method for preventing cloud platform IP and MAC from forging |
| CN108322467A (en) * | 2018-02-02 | 2018-07-24 | 云宏信息科技股份有限公司 | Virtual firewall configuration method, electronic equipment and storage medium based on OVS |
| CN110945843A (en) * | 2017-07-19 | 2020-03-31 | 阿里巴巴集团控股有限公司 | Virtual switching apparatus and method |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20110299537A1 (en) * | 2010-06-04 | 2011-12-08 | Nakul Pratap Saraiya | Method and system of scaling a cloud computing network |
| CN103701822A (en) * | 2013-12-31 | 2014-04-02 | 曙光云计算技术有限公司 | Access control method |
| CN103763309A (en) * | 2013-12-31 | 2014-04-30 | 曙光云计算技术有限公司 | Safety domain control method and system based on virtual network |
-
2014
- 2014-07-10 CN CN201410328769.6A patent/CN104168200B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20110299537A1 (en) * | 2010-06-04 | 2011-12-08 | Nakul Pratap Saraiya | Method and system of scaling a cloud computing network |
| CN103701822A (en) * | 2013-12-31 | 2014-04-02 | 曙光云计算技术有限公司 | Access control method |
| CN103763309A (en) * | 2013-12-31 | 2014-04-30 | 曙光云计算技术有限公司 | Safety domain control method and system based on virtual network |
Non-Patent Citations (1)
| Title |
|---|
| 李锐等: "基于Open vSwitch的虚拟网络访问控制研究", 《计算机应用与软件》 * |
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106034052A (en) * | 2015-03-13 | 2016-10-19 | 北京网御星云信息技术有限公司 | System and method for monitoring two-layer traffic among virtual machines |
| CN106034052B (en) * | 2015-03-13 | 2019-05-17 | 北京网御星云信息技术有限公司 | The system and method that two laminar flow amounts are monitored a kind of between of virtual machine |
| WO2017063511A1 (en) * | 2015-10-15 | 2017-04-20 | 成都电科致远网络科技有限公司 | Sdn-based residential cell network control system |
| CN110945843A (en) * | 2017-07-19 | 2020-03-31 | 阿里巴巴集团控股有限公司 | Virtual switching apparatus and method |
| CN110945843B (en) * | 2017-07-19 | 2022-04-12 | 阿里巴巴集团控股有限公司 | Virtual switching apparatus and method |
| CN107612843A (en) * | 2017-09-27 | 2018-01-19 | 国云科技股份有限公司 | A kind of method for preventing cloud platform IP and MAC from forging |
| CN108322467A (en) * | 2018-02-02 | 2018-07-24 | 云宏信息科技股份有限公司 | Virtual firewall configuration method, electronic equipment and storage medium based on OVS |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104168200B (en) | 2017-08-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10901470B2 (en) | Power distribution unit self-identification | |
| US8855116B2 (en) | Virtual local area network state processing in a layer 2 ethernet switch | |
| US9262191B2 (en) | Method, apparatus, and system for processing service flow | |
| EP2696537A1 (en) | Network system, switch, and connection terminal detection method | |
| US10432586B2 (en) | Technologies for high-performance network fabric security | |
| US9455916B2 (en) | Method and system for changing path and controller thereof | |
| US10805390B2 (en) | Automated mirroring and remote switch port analyzer (RSPAN) functions using fabric attach (FA) signaling | |
| CN104168200A (en) | Open vSwitch-based method and system for realizing ACL function | |
| CN104683165B (en) | The monitoring method of virtual machine network data under a kind of Xen virtualized environments | |
| CN101350781A (en) | Method, equipment and system for monitoring flux | |
| CN112130957B (en) | Method and system for using intelligent network card for breaking through virtualization isolation of container | |
| CN105471610B (en) | Method and device for protecting HQoS (high-quality QoS) by using multiple board cards | |
| CN105745883A (en) | Method for synchronizing forwarding tables, network device, and system | |
| EP2680141A1 (en) | Security for TCP/IP-based access from a virtual machine to network attached storage by creating dedicated networks, MAC address authentification and data direction control | |
| CN103152239A (en) | Open VSwitch-based virtual network implementation method and system | |
| RU2602333C2 (en) | Network system, packet processing method and storage medium | |
| US20130114603A1 (en) | Method for diverting packet multiple times, apparatus and system | |
| CN111262782B (en) | Message processing method, device and equipment | |
| KR101629089B1 (en) | Hybrid openFlow method for combining legacy switch protocol function and SDN function | |
| EP2992441A1 (en) | Governing bare metal guests | |
| CN106992911B (en) | Data center network access device | |
| CN109039680B (en) | Method and system for switching main Broadband Network Gateway (BNG) and standby BNG and BNG | |
| CN114448653A (en) | Policy execution method, related device and storage medium | |
| KR101544106B1 (en) | method for access to SDN using single Ethernet port | |
| CN116170389B (en) | Service container drainage method, system and computer cluster |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| PP01 | Preservation of patent right |
Effective date of registration: 20180528 Granted publication date: 20170825 |
|
| PP01 | Preservation of patent right |