To troubleshoot firewall problems on a KVM host, you can inspect the firewall rules applied on the host.

Get the list of VIFs that are subject to firewall rules on the KVM host:

# ovs-appctl -t /var/run/openvswitch/nsxa-ctl dfw/vif
Vif ID       : da95fc1e-65fd-461f-814d-d92970029bf0
Port name    : db-01a-eth0
Port number  : 2

If the output is empty, look for connectivity problems between the node and the controller.

Get the list of rules applied to a specific VIF (in this example, da95fc1e-65fd-461f-814d-d92970029bf0 is the VIF ID):

# ovs-appctl -t /var/run/vmware/nsx-agent/nsxa-ctl dfw/rules da95fc1e-65fd-461f-814d-d92970029bf0 
Distributed firewall status: enabled
 
Vif ID       : da95fc1e-65fd-461f-814d-d92970029bf0
ruleset d035308b-cb0d-4e7e-aae5-a428b461db46 {
 rule 3072 inout protocol tcp from any to addrset 48822ec3-2670-497b-82f9-524618c16877 port 443 accept with log;
 rule 3072 inout protocol tcp from any to addrset 48822ec3-2670-497b-82f9-524618c16877 port 80 accept with log;
 rule 3074 inout protocol tcp from addrset 48822ec3-2670-497b-82f9-524618c16877 to addrset 8b9e75e7-bc62-4d7f-9a58-a872f393448e port 8443 accept with log;
 rule 3074 inout protocol tcp from addrset 48822ec3-2670-497b-82f9-524618c16877 to addrset 8b9e75e7-bc62-4d7f-9a58-a872f393448e port 22 accept with log;
 rule 3075 inout protocol tcp from addrset 8b9e75e7-bc62-4d7f-9a58-a872f393448e to addrset b695c8df-9894-4068-a5e7-5504fe48d459 port 3306 accept with log;
}
 
ruleset 3027fed3-60b1-483e-aa17-c28719275704 {
 rule 3076 inout protocol tcp from 192.168.110.10 to addrset b695c8df-9894-4068-a5e7-5504fe48d459 port 443 accept with log;
 rule 3076 inout protocol icmp type 8 code 0 from 192.168.110.10 to addrset b695c8df-9894-4068-a5e7-5504fe48d459 accept with log;
 rule 3076 inout protocol tcp from 192.168.110.10 to addrset b695c8df-9894-4068-a5e7-5504fe48d459 port 22 accept with log;
 rule 3076 inout protocol tcp from 192.168.110.10 to addrset b695c8df-9894-4068-a5e7-5504fe48d459 port 80 accept with log;
 rule 3076 inout protocol tcp from 192.168.110.10 to addrset 8b9e75e7-bc62-4d7f-9a58-a872f393448e port 443 accept with log;
 rule 3076 inout protocol icmp type 8 code 0 from 192.168.110.10 to addrset 8b9e75e7-bc62-4d7f-9a58-a872f393448e accept with log;
 rule 3076 inout protocol tcp from 192.168.110.10 to addrset 8b9e75e7-bc62-4d7f-9a58-a872f393448e port 22 accept with log;
 rule 3076 inout protocol tcp from 192.168.110.10 to addrset 8b9e75e7-bc62-4d7f-9a58-a872f393448e port 80 accept with log;
 rule 3076 inout protocol tcp from 192.168.110.10 to addrset 48822ec3-2670-497b-82f9-524618c16877 port 443 accept with log;
 rule 3076 inout protocol icmp type 8 code 0 from 192.168.110.10 to addrset 48822ec3-2670-497b-82f9-524618c16877 accept with log;
 rule 3076 inout protocol tcp from 192.168.110.10 to addrset 48822ec3-2670-497b-82f9-524618c16877 port 22 accept with log;
 rule 3076 inout protocol tcp from 192.168.110.10 to addrset 48822ec3-2670-497b-82f9-524618c16877 port 80 accept with log;
}
 
ruleset 5e9bdcb3-adba-4f67-a680-5e6ed5b8f40a {
 rule 2 inout protocol any from any to any accept with log;
}
 
ruleset ddf93011-4078-4006-b8f8-73f979d7a717 {
 rule 1 inout ethertype any stateless from any to any accept;
}

Get the list of address sets used by a specific VIF:

# ovs-appctl -t /var/run/vmware/nsx-agent/nsxa-ctl dfw/addrsets da95fc1e-65fd-461f-814d-d92970029bf0
48822ec3-2670-497b-82f9-524618c16877 {
 mac 52:54:00:42:4d:38,
 ip 172.16.10.13,
}
 
8b9e75e7-bc62-4d7f-9a58-a872f393448e {
}
 
b695c8df-9894-4068-a5e7-5504fe48d459 {
 mac 52:54:00:64:0e:4f,
 ip 172.16.30.11,
}

Check connections through the Linux conntrack module. In this example, look for traffic passing between two specific IP addresses.

# ovs-appctl -t ovs-l3d conntrack/show | grep 192.168.110.10 | grep 172.16.10.13
ACTIVE icmp,orig=(src=192.168.110.10,dst=172.16.10.13,id=1,type=8,code=0),reply=(src=172.16.10.13,dst=192.168.110.10,id=1,type=0,code=0),start=2018-03-26T04:43:28.325,id=3122159040,zone=23119,status=SEEN_REPLY|CONFIRMED,timeout=29,mark=3076,labels=0x1f
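As an added example (not part of the original documentation or of the NSX tooling), the following Python parses excerpts of the dfw/rules and dfw/addrsets output above, resolves address sets, and reports which rule is the first to cover a given flow. It assumes that the rule id is the value that appears as mark= in the conntrack entry, as the output above suggests; only protocol rules are parsed, the L2 ethertype rule is skipped, and the sample text is a constructed excerpt.

```python
import re

# Constructed sample: an excerpt of the dfw/rules and dfw/addrsets output shown above.
RULES_OUT = """ruleset d035308b-cb0d-4e7e-aae5-a428b461db46 {
 rule 3075 inout protocol tcp from addrset 8b9e75e7-bc62-4d7f-9a58-a872f393448e to addrset b695c8df-9894-4068-a5e7-5504fe48d459 port 3306 accept with log;
}
ruleset 3027fed3-60b1-483e-aa17-c28719275704 {
 rule 3076 inout protocol tcp from 192.168.110.10 to addrset 48822ec3-2670-497b-82f9-524618c16877 port 443 accept with log;
 rule 3076 inout protocol icmp type 8 code 0 from 192.168.110.10 to addrset 48822ec3-2670-497b-82f9-524618c16877 accept with log;
}
ruleset 5e9bdcb3-adba-4f67-a680-5e6ed5b8f40a {
 rule 2 inout protocol any from any to any accept with log;
}
"""
ADDRSETS_OUT = """48822ec3-2670-497b-82f9-524618c16877 {
 mac 52:54:00:42:4d:38,
 ip 172.16.10.13,
}
8b9e75e7-bc62-4d7f-9a58-a872f393448e {
}
b695c8df-9894-4068-a5e7-5504fe48d459 {
 ip 172.16.30.11,
}
"""
RULE_RE = re.compile(
    r"rule (?P<id>\d+) inout protocol (?P<proto>\w+)(?: type \d+ code \d+)?"
    r" from (?P<src>addrset \S+|\S+) to (?P<dst>addrset \S+|\S+)"
    r"(?: port (?P<port>\d+))? (?P<action>\w+)")

def parse_addrsets(text):
    """Map addrset id -> set of member IPs; an addrset with no members stays empty."""
    return {name: set(re.findall(r"ip (\S+),", body))
            for name, body in re.findall(r"(\S+) \{(.*?)\}", text, re.S)}

def parse_rules(text):
    """Rules in evaluation order; ethertype (L2) rules do not match and are skipped."""
    return [m.groupdict() for m in map(RULE_RE.search, text.splitlines()) if m]

def endpoint_matches(spec, ip, addrsets):
    if spec.startswith("addrset "):  # an empty addrset can never match any flow
        return ip in addrsets.get(spec.split()[1], set())
    return spec in ("any", ip)

def match_rule(rules, addrsets, src, dst, proto, port=None):
    """Return the id of the first rule covering the flow, or None if nothing matches."""
    for r in rules:
        if (r["proto"] in ("any", proto) and (r["port"] is None or int(r["port"]) == port)
                and endpoint_matches(r["src"], src, addrsets)
                and endpoint_matches(r["dst"], dst, addrsets)):
            return int(r["id"])
    return None
```

A flow whose only candidate rule references an empty address set (here 8b9e75e7-bc62-4d7f-9a58-a872f393448e) falls through to the default rule 2, which is the first thing to check when a rule you expect to see in conntrack never shows up.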