I have a KVM host and a guest.
The KVM host runs the mail service (postfix). The VM is the spam filter (called "spamfilter" below for convenience).
The basic problem is that the spamfilter (KVM guest) and postfix (on the KVM host) cannot communicate. tcpdump shows the TCP handshake SYN leaving the KVM guest, going out over the VLAN through the router-on-a-stick to the network, and arriving at the target KVM host interface. However, the KVM host does not answer. The same holds for ICMP.
So the packets from the KVM guest are evidently being dropped somewhere on the KVM host. Why?
Details and troubleshooting (for those who dare to read on):
Network layout:
This is Gentoo Linux with a single physical network adapter, enp2s0, and the VM network is configured on bridge br203.
The KVM host with the mail service is configured on br201.
Bridges br203 and br201 are configured with VLAN IDs 203 and 201 respectively. Both have 192.168.20x.254 addresses. Both sit on a VLAN trunk, which in turn connects to a separate firewall, and the two communicate through that firewall (a packet capture on the firewall confirms this).
The traffic flows as follows:
KVM host > interface (br201) > VLAN201 > firewall > VLAN203 > br203 > spamfilter KVM guest
And the other way round:
spamfilter KVM guest > br203 > VLAN203 > firewall > VLAN201 > interface (br201) > KVM host
ifconfig shows (statistics lines skipped: no drops, overruns, etc.; output sorted):
enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether d4:3d:7e:4f:0c:01 txqueuelen 1000 (Ethernet)
RX packets 52464 bytes 29573045 (28.2 MiB)
enp2s0.200: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.200.200 netmask 255.255.255.0 broadcast 192.168.200.255
ether d4:3d:7e:4f:0c:c8 txqueuelen 1000 (Ethernet)
enp2s0.201: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether d4:3d:7e:4f:0c:01 txqueuelen 1000 (Ethernet)
br201: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500
inet 192.168.201.254 netmask 255.255.255.0 broadcast 192.168.201.255
ether d4:3d:7e:4f:0c:c9 txqueuelen 1000 (Ethernet)
enp2s0.203: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether d4:3d:7e:4f:0c:01 txqueuelen 1000 (Ethernet)
br203: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500
inet 192.168.203.254 netmask 255.255.255.0 broadcast 192.168.203.255
ether d4:3d:7e:4f:0c:cb txqueuelen 1000 (Ethernet)
vnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether fe:54:00:ef:66:9a txqueuelen 1000 (Ethernet)
Ping from the KVM host's address 192.168.201.254 to 192.168.203.254: ping -I br201 192.168.203.254
tcpdump output for one ICMP request and its reply:
request:
14:55:54.829736 br201 Out IP 192.168.201.254 > 192.168.203.254: ICMP echo request, id 13614, seq 1, length 64
14:55:54.829740 enp2s0.201 Out IP 192.168.201.254 > 192.168.203.254: ICMP echo request, id 13614, seq 1, length 64
14:55:54.829742 enp2s0 Out IP 192.168.201.254 > 192.168.203.254: ICMP echo request, id 13614, seq 1, length 64
14:55:54.829990 enp2s0 P IP 192.168.201.254 > 192.168.203.254: ICMP echo request, id 13614, seq 1, length 64
14:55:54.829990 enp2s0.203 P IP 192.168.201.254 > 192.168.203.254: ICMP echo request, id 13614, seq 1, length 64
14:55:54.829998 vnet0 Out IP 192.168.201.254 > 192.168.203.254: ICMP echo request, id 13614, seq 1, length 64
14:55:54.829990 br203 P IP 192.168.201.254 > 192.168.203.254: ICMP echo request, id 13614, seq 1, length 64
reply:
14:55:54.830218 vnet0 P IP 192.168.203.254 > 192.168.201.254: ICMP echo reply, id 13614, seq 1, length 64
14:55:54.830226 enp2s0.203 Out IP 192.168.203.254 > 192.168.201.254: ICMP echo reply, id 13614, seq 1, length 64
14:55:54.830229 enp2s0 Out IP 192.168.203.254 > 192.168.201.254: ICMP echo reply, id 13614, seq 1, length 64
14:55:54.830218 br203 P IP 192.168.203.254 > 192.168.201.254: ICMP echo reply, id 13614, seq 1, length 64
14:55:54.830368 enp2s0 P IP 192.168.203.254 > 192.168.201.254: ICMP echo reply, id 13614, seq 1, length 64
14:55:54.830368 enp2s0.201 P IP 192.168.203.254 > 192.168.201.254: ICMP echo reply, id 13614, seq 1, length 64
14:55:54.830368 br201 In IP 192.168.203.254 > 192.168.201.254: ICMP echo reply, id 13614, seq 1, length 64
Based on this, I think the packet is being dropped "between" br201 and the application that should receive it. This seems to happen only when the traffic comes from an address that is in the KVM host's routing table.
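To make a multi-interface capture like the one above easier to read, here is an added example (not from the question) that parses tcpdump -i any lines by ICMP id/seq, orders the hops per direction, and flags when the reply reaches the originating interface with a source address the host itself owns (taken from the ifconfig output above). That last condition is worth checking because Linux by default refuses packets arriving from the wire whose source is one of its own addresses; the per-interface sysctl net.ipv4.conf.<if>.accept_local (default 0) controls this, alongside rp_filter.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the tcpdump lines quoted in the question above.
CAPTURE = """\
14:55:54.829736 br201 Out IP 192.168.201.254 > 192.168.203.254: ICMP echo request, id 13614, seq 1, length 64
14:55:54.829742 enp2s0 Out IP 192.168.201.254 > 192.168.203.254: ICMP echo request, id 13614, seq 1, length 64
14:55:54.829998 vnet0 Out IP 192.168.201.254 > 192.168.203.254: ICMP echo request, id 13614, seq 1, length 64
14:55:54.829990 br203 P IP 192.168.201.254 > 192.168.203.254: ICMP echo request, id 13614, seq 1, length 64
14:55:54.830218 vnet0 P IP 192.168.203.254 > 192.168.201.254: ICMP echo reply, id 13614, seq 1, length 64
14:55:54.830226 enp2s0.203 Out IP 192.168.203.254 > 192.168.201.254: ICMP echo reply, id 13614, seq 1, length 64
14:55:54.830229 enp2s0 Out IP 192.168.203.254 > 192.168.201.254: ICMP echo reply, id 13614, seq 1, length 64
14:55:54.830368 br201 In IP 192.168.203.254 > 192.168.201.254: ICMP echo reply, id 13614, seq 1, length 64
"""

# Addresses this host owns, copied from the ifconfig output in the question.
LOCAL_ADDRS = {"192.168.200.200", "192.168.201.254", "192.168.203.254"}

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<ifn>\S+) (?P<dir>In|Out|P) IP "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)")

def parse_capture(text):
    """Group hops by (icmp id, seq, request|reply); tcpdump -i any prints them out of order."""
    hops = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            key = (int(m["id"]), int(m["seq"]), m["kind"])
            hops[key].append((m["ts"], m["ifn"], m["dir"], m["src"]))
    for path in hops.values():
        path.sort()  # chronological order per direction
    return hops

def analyse(hops, icmp_id, seq):
    """Report each direction's interface path and whether the reply reached the local stack."""
    req = hops.get((icmp_id, seq, "request"), [])
    rep = hops.get((icmp_id, seq, "reply"), [])
    origin = next((ifn for _, ifn, d, _ in req if d == "Out"), None)
    # 'In' on the originating interface means the frame was accepted from the
    # wire; a drop after that point is routing or netfilter, not L2/bridging.
    seen_in = [(ifn, src) for _, ifn, d, src in rep if d == "In"]
    return {
        "origin_if": origin,
        "request_path": [f"{ifn}:{d}" for _, ifn, d, _ in req],
        "reply_path": [f"{ifn}:{d}" for _, ifn, d, _ in rep],
        "reply_in_on_origin": any(ifn == origin for ifn, _ in seen_in),
        "reply_src_is_local": any(src in LOCAL_ADDRS for _, src in seen_in),
    }
```

Both flags true for a reply that never reaches the application points at the host refusing its own address as a source; ip route get <dst> from <src> iif br201 and the accept_local/rp_filter sysctls on br201 are the next things to inspect.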