To troubleshoot firewall problems on a KVM host, examine the distributed firewall rules that are actually applied on the host itself.

List the VIFs on the KVM host that have firewall rules applied to them. The commands on this page address the nsxa-ctl control socket by two different paths (/var/run/openvswitch/nsxa-ctl here, /var/run/vmware/nsx-agent/nsxa-ctl in the commands below); use whichever socket exists on your host for all of them.
# ovs-appctl -t /var/run/openvswitch/nsxa-ctl dfw/vif
Vif ID       : da95fc1e-65fd-461f-814d-d92970029bf0
Port name    : db-01a-eth0
Port number  : 2

If the output is empty, check for connectivity problems between the node and the controller.

List the rules applied to a specific VIF (in this example the VIF ID is da95fc1e-65fd-461f-814d-d92970029bf0). Address sets are shown by UUID, and the same rule ID appears once for each protocol/port combination it covers.
# ovs-appctl -t /var/run/vmware/nsx-agent/nsxa-ctl dfw/rules da95fc1e-65fd-461f-814d-d92970029bf0 
Distributed firewall status: enabled
 
Vif ID       : da95fc1e-65fd-461f-814d-d92970029bf0
ruleset d035308b-cb0d-4e7e-aae5-a428b461db46 {
 rule 3072 inout protocol tcp from any to addrset 48822ec3-2670-497b-82f9-524618c16877 port 443 accept with log;
 rule 3072 inout protocol tcp from any to addrset 48822ec3-2670-497b-82f9-524618c16877 port 80 accept with log;
 rule 3074 inout protocol tcp from addrset 48822ec3-2670-497b-82f9-524618c16877 to addrset 8b9e75e7-bc62-4d7f-9a58-a872f393448e port 8443 accept with log;
 rule 3074 inout protocol tcp from addrset 48822ec3-2670-497b-82f9-524618c16877 to addrset 8b9e75e7-bc62-4d7f-9a58-a872f393448e port 22 accept with log;
 rule 3075 inout protocol tcp from addrset 8b9e75e7-bc62-4d7f-9a58-a872f393448e to addrset b695c8df-9894-4068-a5e7-5504fe48d459 port 3306 accept with log;
}
 
ruleset 3027fed3-60b1-483e-aa17-c28719275704 {
 rule 3076 inout protocol tcp from 192.168.110.10 to addrset b695c8df-9894-4068-a5e7-5504fe48d459 port 443 accept with log;
 rule 3076 inout protocol icmp type 8 code 0 from 192.168.110.10 to addrset b695c8df-9894-4068-a5e7-5504fe48d459 accept with log;
 rule 3076 inout protocol tcp from 192.168.110.10 to addrset b695c8df-9894-4068-a5e7-5504fe48d459 port 22 accept with log;
 rule 3076 inout protocol tcp from 192.168.110.10 to addrset b695c8df-9894-4068-a5e7-5504fe48d459 port 80 accept with log;
 rule 3076 inout protocol tcp from 192.168.110.10 to addrset 8b9e75e7-bc62-4d7f-9a58-a872f393448e port 443 accept with log;
 rule 3076 inout protocol icmp type 8 code 0 from 192.168.110.10 to addrset 8b9e75e7-bc62-4d7f-9a58-a872f393448e accept with log;
 rule 3076 inout protocol tcp from 192.168.110.10 to addrset 8b9e75e7-bc62-4d7f-9a58-a872f393448e port 22 accept with log;
 rule 3076 inout protocol tcp from 192.168.110.10 to addrset 8b9e75e7-bc62-4d7f-9a58-a872f393448e port 80 accept with log;
 rule 3076 inout protocol tcp from 192.168.110.10 to addrset 48822ec3-2670-497b-82f9-524618c16877 port 443 accept with log;
 rule 3076 inout protocol icmp type 8 code 0 from 192.168.110.10 to addrset 48822ec3-2670-497b-82f9-524618c16877 accept with log;
 rule 3076 inout protocol tcp from 192.168.110.10 to addrset 48822ec3-2670-497b-82f9-524618c16877 port 22 accept with log;
 rule 3076 inout protocol tcp from 192.168.110.10 to addrset 48822ec3-2670-497b-82f9-524618c16877 port 80 accept with log;
}
 
ruleset 5e9bdcb3-adba-4f67-a680-5e6ed5b8f40a {
 rule 2 inout protocol any from any to any accept with log;
}
 
ruleset ddf93011-4078-4006-b8f8-73f979d7a717 {
 rule 1 inout ethertype any stateless from any to any accept;
}
List the address sets used by the specific VIF. Each set is keyed by the UUID referenced in the rules and lists its MAC and IP members. A set that is listed with no members (8b9e75e7-bc62-4d7f-9a58-a872f393448e below) means that any rule referencing it cannot match traffic, so check the membership of the corresponding group before suspecting the rule itself.
# ovs-appctl -t /var/run/vmware/nsx-agent/nsxa-ctl dfw/addrsets da95fc1e-65fd-461f-814d-d92970029bf0
48822ec3-2670-497b-82f9-524618c16877 {
 mac 52:54:00:42:4d:38,
 ip 172.16.10.13,
}
 
8b9e75e7-bc62-4d7f-9a58-a872f393448e {
}
 
b695c8df-9894-4068-a5e7-5504fe48d459 {
 mac 52:54:00:64:0e:4f,
 ip 172.16.30.11,
}
Check the connection through the Linux conntrack module. In this example the flow between two specific IP addresses is examined. The mark value of the entry (3076 here) matches the ID of the rule that accepted the flow (the ICMP echo request rule from 192.168.110.10 to the address set containing 172.16.10.13), so it ties a tracked connection back to the rule list above.
# ovs-appctl -t ovs-l3d conntrack/show | grep 192.168.110.10 | grep 172.16.10.13
ACTIVE icmp,orig=(src=192.168.110.10,dst=172.16.10.13,id=1,type=8,code=0),reply=(src=172.16.10.13,dst=192.168.110.10,id=1,type=0,code=0),start=2018-03-26T04:43:28.325,id=3122159040,zone=23119,status=SEEN_REPLY|CONFIRMED,timeout=29,mark=3076,labels=0x1f
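The three outputs above are only useful together: rules name address sets by UUID, address sets resolve those UUIDs to IPs and MACs, and the conntrack mark names the rule that accepted a flow. The following Python script is an added example, not part of NSX-T or this documentation, that parses copies of those outputs (the sample text embedded in it is an abridged copy of the output shown above), resolves address-set references, flags rules that point at an address set with no members (and therefore can never match), and maps the conntrack entry's mark back to the matching rule line. The rule grammar it accepts is derived only from the lines shown on this page.

```python
import re
from dataclasses import dataclass

RULES_OUTPUT = """\
ruleset d035308b-cb0d-4e7e-aae5-a428b461db46 {
 rule 3072 inout protocol tcp from any to addrset 48822ec3-2670-497b-82f9-524618c16877 port 443 accept with log;
 rule 3074 inout protocol tcp from addrset 48822ec3-2670-497b-82f9-524618c16877 to addrset 8b9e75e7-bc62-4d7f-9a58-a872f393448e port 8443 accept with log;
}
ruleset 3027fed3-60b1-483e-aa17-c28719275704 {
 rule 3076 inout protocol icmp type 8 code 0 from 192.168.110.10 to addrset 8b9e75e7-bc62-4d7f-9a58-a872f393448e accept with log;
 rule 3076 inout protocol icmp type 8 code 0 from 192.168.110.10 to addrset 48822ec3-2670-497b-82f9-524618c16877 accept with log;
}
ruleset ddf93011-4078-4006-b8f8-73f979d7a717 {
 rule 1 inout ethertype any stateless from any to any accept;
}
"""  # abridged copy of the dfw/rules output shown above (sample input for this example)
ADDRSETS_OUTPUT = """\
48822ec3-2670-497b-82f9-524618c16877 {
 mac 52:54:00:42:4d:38,
 ip 172.16.10.13,
}
8b9e75e7-bc62-4d7f-9a58-a872f393448e {
}
"""  # the relevant part of the dfw/addrsets output shown above
CONNTRACK_LINE = ("ACTIVE icmp,orig=(src=192.168.110.10,dst=172.16.10.13,id=1,type=8,code=0),"
                  "reply=(src=172.16.10.13,dst=192.168.110.10,id=1,type=0,code=0),start=2018-03-26T04:43:28.325,"
                  "id=3122159040,zone=23119,status=SEEN_REPLY|CONFIRMED,timeout=29,mark=3076,labels=0x1f")

RULE_RE = re.compile(
    r"^\s*rule (?P<id>\d+) \w+ (?:protocol (?P<proto>\w+)|ethertype (?P<ether>\w+))"
    r"(?: type \d+ code \d+)?(?: stateless)? from (?P<src>addrset \S+|\S+) to (?P<dst>addrset \S+|\S+)"
    r"(?: port (?P<port>\d+))? (?:accept|drop|reject)(?P<log> with log)?;")

@dataclass
class Rule:
    ruleset: str
    rule_id: int
    proto: str            # tcp/udp/icmp/any, or "ethertype <x>" for an L2 rule
    src: str              # "any", a literal IP, or "addrset <uuid>"
    dst: str
    port: "int | None"
    logged: bool

def parse_rules(text):
    """One Rule per output line (the same rule ID recurs once per protocol/port it covers)."""
    rules, ruleset = [], None
    for line in text.splitlines():
        head = re.match(r"^ruleset (\S+) \{", line)
        if head:
            ruleset = head.group(1)
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(ruleset, int(m["id"]), m["proto"] or f"ethertype {m['ether']}", m["src"],
                              m["dst"], int(m["port"]) if m["port"] else None, m["log"] is not None))
    return rules

def parse_addrsets(text):
    """Map addrset UUID -> {"mac": [...], "ip": [...]}; a set listed with no members stays empty."""
    sets, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\S+) \{", line)
        if head:
            current = head.group(1)
            sets[current] = {"mac": [], "ip": []}
            continue
        member = re.match(r"^\s*(mac|ip) (\S+),", line)
        if member and current:
            sets[current][member.group(1)].append(member.group(2))
    return sets

def parse_conntrack(line):
    proto = line.split(",", 1)[0].split()[-1]          # "ACTIVE icmp,..." -> "icmp"
    orig = re.search(r"orig=\(src=([\d.]+),dst=([\d.]+)", line)
    return {"proto": proto, "src": orig.group(1), "dst": orig.group(2),
            "mark": int(re.search(r"mark=(\d+)", line).group(1))}

def covers(ref, ip, addrsets):
    """Does a rule endpoint ("any", a literal IP, or "addrset <uuid>") include this IP?"""
    return ref in ("any", ip) or (
        ref.startswith("addrset ") and ip in addrsets.get(ref.split()[1], {}).get("ip", []))

def unmatchable_rules(rules, addrsets):
    """Rules whose src or dst is an addrset with no members: they cannot match any traffic."""
    def empty(ref):
        s = addrsets.get(ref.split()[1]) if ref.startswith("addrset ") else None
        return ref.startswith("addrset ") and not (s and (s["ip"] or s["mac"]))
    return [r for r in rules if empty(r.src) or empty(r.dst)]

def rule_for_conntrack(rules, addrsets, ct):
    """The conntrack mark carries the accepting rule's ID; return the entry with that ID
    whose protocol and endpoints (orig direction) fit the tracked flow, or None."""
    for r in rules:
        if (r.rule_id == ct["mark"] and r.proto in ("any", ct["proto"])
                and covers(r.src, ct["src"], addrsets) and covers(r.dst, ct["dst"], addrsets)):
            return r
    return None
```

On a live host, replace the three embedded strings with the output of the dfw/rules, dfw/addrsets and conntrack/show commands for the VIF under investigation. unmatchable_rules() is the first check to run when a rule appears to do nothing, and rule_for_conntrack() confirms which rule line an observed connection was accepted by; a flow whose mark maps to no rule, or to a rule referencing an empty set, points at stale address-set membership on the host rather than at the rule text.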