OpenShift CNI 使用OpenvSwitch组网笔记

整体网络走向说明

本篇文章需要了解的知识

OpenShift

见官方文档：https://docs.openshift.com/

OpenVSwitch

建议也是去看官方文档：http://www.openvswitch.org/

如果英文不太好可以用翻译软件…
下面分享几篇大佬们写的不错的中文文章：

• https://opengers.github.io/openstack/openstack-base-openflow-in-openvswitch/
• https://opengers.github.io/openstack/openstack-base-use-openvswitch/#port
• https://sq.sf.163.com/blog/article/220308584666034176

ovs 手册：

• https://man7.org/linux/man-pages/man7/ovs-actions.7.html
• http://www.openvswitch.org/support/dist-docs/ovs-fields.7.txt

约定

• OpenShift 版本：3.11
• OpenFlow版本：OpenFlow13

集群网路配置

$ oc get clusternetwork
NAME      CLUSTER NETWORKS   SERVICE NETWORK   PLUGIN NAME
default   10.128.0.0/14:9    172.30.0.0/16     redhat/openshift-ovs-subnet

$ oc get clusternetwork default -o yaml
apiVersion: network.openshift.io/v1
clusterNetworks:
- CIDR: 10.128.0.0/14
  hostSubnetLength: 9
hostsubnetlength: 9
kind: ClusterNetwork
metadata:
  name: default
network: 10.128.0.0/14
pluginName: redhat/openshift-ovs-subnet
serviceNetwork: 172.30.0.0/16
vxlanPort: 4789

主机子网配置

$ oc get hostsubnets
NAME                 HOST                 HOST IP       SUBNET          EGRESS CIDRS   EGRESS IPS
oc-01.test   oc-01.test   172.16.1.15   10.128.0.0/23   []             []
oc-02.test   oc-02.test   172.16.1.16   10.129.0.0/23   []             []
oc-03.test   oc-03.test   172.16.1.22   10.130.0.0/23   []             []
oc-04.test   oc-04.test   172.16.1.25   10.131.0.0/23   []             []

集群网络策略

$ oc get networkpolicy --all-namespaces
No resources found.

PS：这里缺一张整体的网络流量图，待补充…

OpenVSwitch 怎么实现的组网

查看网络接口

$ ovs-vsctl show
6acf82ec-xxxx-xxxx-xxxx-xxxxxxxxxxx
    Bridge "br0"
        fail_mode: secure
....
        Port "vxlan0"
            Interface "vxlan0"
                type: vxlan
                options: {dst_port="4789", key=flow, remote_ip=flow}
        Port "br0"
            Interface "br0"
                type: internal
        Port "tun0"
            Interface "tun0"
                type: internal
        Port "vethxxxxx"
            Interface "vethxxxxx"
    ovs_version: "2.7.0"
....

$ ovs-ofctl -O OpenFlow13 show br0
OFPT_FEATURES_REPLY (OF1.3) (xid=0x2): dpid:00003edba3c69f45
n_tables:254, n_buffers:0
capabilities: FLOW_STATS TABLE_STATS PORT_STATS GROUP_STATS QUEUE_STATS
OFPST_PORT_DESC reply (OF1.3) (xid=0x3):
 1(vxlan0): addr:96:1c:47:a4:9f:70
     config:     0
     state:      0
     speed: 0 Mbps now, 0 Mbps max
 2(tun0): addr:f6:f8:76:bb:7e:e9
     config:     0
     state:      0
     speed: 0 Mbps now, 0 Mbps max
....
OFPT_GET_CONFIG_REPLY (OF1.3) (xid=0x5): frags=nx-match miss_send_len=0

注：为节省阅读心智，上方省略了Pod的veth网卡。

• vxlan0：用vxlan协议创建一个隧道，隧道提供给不同宿主机上pod之间的通讯。vxlan0的remote_ip最终受流表来控制，这样就用流表来实现灵活的控制。
• tun0：tun0联通了br0交换机指宿主机的网络栈，同时配置了IP，用于和该节点上的容器通讯，给当前Host上的Pod提供了Gateway、DNS等功能。

另外还需要注意，br0的fail_mode是secure。

OpenVSwitch VxLAN组网实现

OFPST_FLOW reply (OF1.3) (xid=0x2): flags=[more]
 # 丢弃组播数据包
 cookie=0x0, duration=26835.966s, table=0, n_packets=0, n_bytes=0, priority=250,ip,in_port=2,nw_dst=224.0.0.0/4 actions=drop
 # 如果数据包从vxlan0端口进入，且数据包为arp协议类型，且arp数据包源CIDR为10.128.0.0/14，目的CIDR为10.131.0.0/23，执行：NXM_NX_TUN_ID第0到第31bits的内容复制至NXM_NX_REG0寄存器中，进入table 10
 cookie=0x0, duration=26835.966s, table=0, n_packets=31938, n_bytes=1341396, priority=200,arp,in_port=1,arp_spa=10.128.0.0/14,arp_tpa=10.131.0.0/23 actions=move:NXM_NX_TUN_ID[0..31]->NXM_NX_REG0[],goto_table:10
 # 如果数据包从vxlan0端口进入，且数据包为ip协议类型，且ip数据包源CIDR为10.128.0.0/14，执行：NXM_NX_TUN_ID第0到第31bits的内容复制至NXM_NX_REG0寄存器中，进入table 10
 cookie=0x0, duration=26835.966s, table=0, n_packets=15334975, n_bytes=2265852854, priority=200,ip,in_port=1,nw_src=10.128.0.0/14 actions=move:NXM_NX_TUN_ID[0..31]->NXM_NX_REG0[],goto_table:10
 # 如果数据包从vxlan0端口进入，且数据包为ip协议类型，且ip数据包目的CIDR为10.128.0.0/14，执行：NXM_NX_TUN_ID第0到第31bits的内容复制至NXM_NX_REG0寄存器中，进入table 10
 cookie=0x0, duration=26835.966s, table=0, n_packets=0, n_bytes=0, priority=200,ip,in_port=1,nw_dst=10.128.0.0/14 actions=move:NXM_NX_TUN_ID[0..31]->NXM_NX_REG0[],goto_table:10
 # 如果数据包从tun0端口进入，且数据包为arp协议类型，且arp数据包源地址为10.131.0.1，arp数据包目的CIDR为10.128.0.0/14，执行：进入table 30
 cookie=0x0, duration=26835.966s, table=0, n_packets=29864, n_bytes=1254288, priority=200,arp,in_port=2,arp_spa=10.131.0.1,arp_tpa=10.128.0.0/14 actions=goto_table:30
 # 如果数据包从tun0端口进入，且数据包为ip协议类型，执行：进入table 30
 cookie=0x0, duration=26835.966s, table=0, n_packets=22337872, n_bytes=5719200305, priority=200,ip,in_port=2 actions=goto_table:30
 # 如果数据包从vxlan0端口进入，执行：丢弃；这个包的优先级较低，如果上面的记录都没有命中
 cookie=0x0, duration=26835.966s, table=0, n_packets=0, n_bytes=0, priority=150,in_port=1 actions=drop
 # 如果数据包从tun0端口进入，执行：丢弃；这个包的优先级较低
 cookie=0x0, duration=26835.966s, table=0, n_packets=3, n_bytes=126, priority=150,in_port=2 actions=drop
 # 下面这三条是提供给pod通讯使用的。
 cookie=0x0, duration=26835.966s, table=0, n_packets=55826, n_bytes=2344692, priority=100,arp actions=goto_table:20
 cookie=0x0, duration=26835.966s, table=0, n_packets=22912521, n_bytes=4711052251, priority=100,ip actions=goto_table:20
 # 默认丢弃规则
 cookie=0x0, duration=26835.966s, table=0, n_packets=350, n_bytes=28220, priority=0 actions=drop


 # 如果数据包的隧道源地址为172.16.1.15（一台OpenShift节点），执行：转到table 30
 cookie=0xe771f965, duration=26827.834s, table=10, n_packets=99671, n_bytes=7324487, priority=100,tun_src=172.16.1.15 actions=goto_table:30
 # 如果数据包的隧道源地址为172.16.1.16（一台OpenShift节点），执行：转到table 30
 cookie=0x998beb3f, duration=26827.823s, table=10, n_packets=14517967, n_bytes=2129937937, priority=100,tun_src=172.16.1.16 actions=goto_table:30
 # 如果数据包的隧道源地址为172.16.1.22（一台OpenShift节点），执行：转到table 30
 cookie=0x96dd1847, duration=26827.816s, table=10, n_packets=749091, n_bytes=129920959, priority=100,tun_src=172.16.1.22 actions=goto_table:30
 # 默认丢弃规则
 cookie=0x0, duration=26835.966s, table=10, n_packets=184, n_bytes=10867, priority=0 actions=drop


 # 如果数据包从3端口（某个pod的端口）进入 ，arp数据包的源地址为10.131.1.241（pod的IP），并判断源Mac地址是否为00:00:0a:83:01:f1/00:00:ff:ff:ff:ff，执行：把0写入NXM_NX_REG0寄存器，跳转到table 21
 cookie=0x0, duration=26816.360s, table=20, n_packets=0, n_bytes=0, priority=100,arp,in_port=3,arp_spa=10.131.1.241,arp_sha=00:00:0a:83:01:f1/00:00:ff:ff:ff:ff actions=load:0->NXM_NX_REG0[],goto_table:21
 # 如果数据包从28端口（某个Pod的端口）进入，arp数据包的源地址为10.131.0.16（pod的IP），并判断源Mac地址是否为00:00:0a:83:00:10/00:00:ff:ff:ff:ff，执行：把0写入NXM_NX_REG0寄存器，跳转到table 21
 cookie=0x0, duration=26811.560s, table=20, n_packets=1, n_bytes=42, priority=100,arp,in_port=28,arp_spa=10.131.0.16,arp_sha=00:00:0a:83:00:10/00:00:ff:ff:ff:ff actions=load:0->NXM_NX_REG0[],goto_table:21
 # 如果数据包从3端口（某个pod的端口）进入 ，ip数据包的源地址为10.131.1.241（pod的IP），执行：把0写入NXM_NX_REG0寄存器，跳转到table 21
 cookie=0x0, duration=26816.361s, table=20, n_packets=0, n_bytes=0, priority=100,ip,in_port=3,nw_src=10.131.1.241 actions=load:0->NXM_NX_REG0[],goto_table:21
 # 如果数据包从28端口（某个Pod的端口）进入，ip数据包的源地址为10.131.0.16（pod的IP），执行：把0写入NXM_NX_REG0寄存器，跳转到table 21
 cookie=0x0, duration=26811.560s, table=20, n_packets=26695, n_bytes=2664161, priority=100,ip,in_port=28,nw_src=10.131.0.16 actions=load:0->NXM_NX_REG0[],goto_table:21
 # 默认丢弃规则
 cookie=0x0, duration=26835.967s, table=20, n_packets=11, n_bytes=726, priority=0 actions=drop


 # 直接转到table 30
 cookie=0x0, duration=26835.967s, table=21, n_packets=22968336, n_bytes=4713396217, priority=0 actions=goto_table:30


 # arp目的地址为10.131.0.1，直接传给端口tun0
 cookie=0x0, duration=26835.967s, table=30, n_packets=29751, n_bytes=1249542, priority=300,arp,arp_tpa=10.131.0.1 actions=output:2
 # ip目的地址为10.131.0.1，直接传给端口tun0
 cookie=0x0, duration=26835.967s, table=30, n_packets=7420321, n_bytes=1336966551, priority=300,ip,nw_dst=10.131.0.1 actions=output:2
 # arp包目的地址CIDR为10.131.0.0/23，转到table 40
 cookie=0x0, duration=26835.967s, table=30, n_packets=56683, n_bytes=2380686, priority=200,arp,arp_tpa=10.131.0.0/23 actions=goto_table:40
 # ip包目的地址CIDR为10.131.0.0/23， 转到table 70
 cookie=0x0, duration=26835.967s, table=30, n_packets=20105961, n_bytes=3328280845, priority=200,ip,nw_dst=10.131.0.0/23 actions=goto_table:70
 # arp包目的地址CIDR为10.128.0.0/14，转到table 50
 cookie=0x0, duration=26835.967s, table=30, n_packets=31028, n_bytes=1303176, priority=100,arp,arp_tpa=10.128.0.0/14 actions=goto_table:50
 # ip包目的地址CIDR为10.128.0.0/14，转到table 90
 cookie=0x0, duration=26835.967s, table=30, n_packets=18224624, n_bytes=4565240650, priority=100,ip,nw_dst=10.128.0.0/14 actions=goto_table:90
 # ip包目的地址CIDR为172.30.0.0/16，转到table 60
 cookie=0x0, duration=26835.967s, table=30, n_packets=10043629, n_bytes=2548334949, priority=100,ip,nw_dst=172.30.0.0/16 actions=goto_table:60
 # 数据包从vxlan0端口进入，ip包目的地址CIDR为224.0.0.0/4，转到table 120
 cookie=0x0, duration=26835.967s, table=30, n_packets=0, n_bytes=0, priority=50,ip,in_port=1,nw_dst=224.0.0.0/4 actions=goto_table:120
 # ip包目的地址CIDR为224.0.0.0/4，转到table 110
 cookie=0x0, duration=26835.967s, table=30, n_packets=0, n_bytes=0, priority=25,ip,nw_dst=224.0.0.0/4 actions=goto_table:110
 # ip包，直接转到100
 cookie=0x0, duration=26835.967s, table=30, n_packets=4790804, n_bytes=917277794, priority=0,ip actions=goto_table:100
 # 默认丢弃规则
 cookie=0x0, duration=26835.967s, table=30, n_packets=0, n_bytes=0, priority=0,arp actions=drop

 # 如果arp目的地址为10.131.1.241，直接转发给端口3（某个Pod的端口）
 cookie=0x0, duration=26816.361s, table=40, n_packets=0, n_bytes=0, priority=100,arp,arp_tpa=10.131.1.241 actions=output:3
 # 如果arp目的地址为10.131.0.16，直接转发给端口28（某个Pod的端口）
 cookie=0x0, duration=26811.560s, table=40, n_packets=1, n_bytes=42, priority=100,arp,arp_tpa=10.131.0.16 actions=output:28
 # 默认丢弃规则
 cookie=0x0, duration=26835.967s, table=40, n_packets=857, n_bytes=35994, priority=0 actions=drop

 # 如果arp目的CIDR为10.128.0.0/23，执行：把NXM_NX_REG0寄存器的值覆盖到NXM_NX_TUN_ID，设置隧道的目的接受地址为172.16.1.15（一台OpenShift 节点），并转发到vxlan0端口
 cookie=0xe771f965, duration=26827.835s, table=50, n_packets=6622, n_bytes=278124, priority=100,arp,arp_tpa=10.128.0.0/23 actions=move:NXM_NX_REG0[]->NXM_NX_TUN_ID[0..31],set_field:172.16.1.15->tun_dst,output:1
 # 如果arp目的CIDR为10.129.0.0/23，执行：把NXM_NX_REG0寄存器的值覆盖到NXM_NX_TUN_ID，设置隧道的目的接受地址为172.16.1.16（一台OpenShift 节点），并转发到vxlan0端口
 cookie=0x998beb3f, duration=26827.824s, table=50, n_packets=8555, n_bytes=359310, priority=100,arp,arp_tpa=10.129.0.0/23 actions=move:NXM_NX_REG0[]->NXM_NX_TUN_ID[0..31],set_field:172.16.1.16->tun_dst,output:1
 # 如果arp目的CIDR为10.130.0.0/23，执行：把NXM_NX_REG0寄存器的值覆盖到NXM_NX_TUN_ID，设置隧道的目的接受地址为172.16.1.22（一台OpenShift 节点），并转发到vxlan0端口
 cookie=0x96dd1847, duration=26827.817s, table=50, n_packets=15846, n_bytes=665532, priority=100,arp,arp_tpa=10.130.0.0/23 actions=move:NXM_NX_REG0[]->NXM_NX_TUN_ID[0..31],set_field:172.16.1.22->tun_dst,output:1
 # 默认丢弃规则
 cookie=0x0, duration=26835.967s, table=50, n_packets=5, n_bytes=210, priority=0 actions=drop

 # re0（NXM_NX_REG0）寄存器如果为0，直接转发给tun0端口
 cookie=0x0, duration=26835.967s, table=60, n_packets=10043629, n_bytes=2548334949, priority=200,reg0=0 actions=output:2
 # ip目的地址为172.30.31.182（某个OpenShift Service IP），且IP数据包偏移量非0，执行：NXM_NX_REG1寄存器被赋值0，NXM_NX_REG2寄存器被赋值0x2，转到table 80
 cookie=0x0, duration=26827.828s, table=60, n_packets=0, n_bytes=0, priority=100,ip,nw_dst=172.30.31.182,nw_frag=later actions=load:0->NXM_NX_REG1[],load:0x2->NXM_NX_REG2[],goto_table:80
 # ip目的地址为172.30.69.140（某个OpenShift Service IP），且IP数据包偏移量非0，执行：NXM_NX_REG1寄存器被赋值0，NXM_NX_REG2寄存器被赋值0x2，转到table 80
 cookie=0x0, duration=26827.824s, table=60, n_packets=0, n_bytes=0, priority=100,ip,nw_dst=172.30.69.140,nw_frag=later actions=load:0->NXM_NX_REG1[],load:0x2->NXM_NX_REG2[],goto_table:80
 # ip目的地址为172.30.31.182（某个OpenShift Service IP），且为udp包，端口为514，执行：NXM_NX_REG1寄存器被赋值0，NXM_NX_REG2寄存器被赋值0x2，转到table 80
 cookie=0x0, duration=26827.828s, table=60, n_packets=0, n_bytes=0, priority=100,udp,nw_dst=172.30.31.182,tp_dst=514 actions=load:0->NXM_NX_REG1[],load:0x2->NXM_NX_REG2[],goto_table:80
 # ip目的地址为172.30.31.182（某个OpenShift Service IP），且为tcp包，端口为514，执行：NXM_NX_REG1寄存器被赋值0，NXM_NX_REG2寄存器被赋值0x2，转到table 80
 cookie=0x0, duration=26827.828s, table=60, n_packets=0, n_bytes=0, priority=100,tcp,nw_dst=172.30.31.182,tp_dst=514 actions=load:0->NXM_NX_REG1[],load:0x2->NXM_NX_REG2[],goto_table:80
 # ip目的地址为172.30.69.140（某个OpenShift Service IP），且为tcp包，端口为443，执行：NXM_NX_REG1寄存器被赋值0，NXM_NX_REG2寄存器被赋值0x2，转到table 80
 cookie=0x0, duration=26827.824s, table=60, n_packets=0, n_bytes=0, priority=100,tcp,nw_dst=172.30.69.140,tp_dst=443 actions=load:0->NXM_NX_REG1[],load:0x2->NXM_NX_REG2[],goto_table:80
 # 默认丢弃规则
 cookie=0x0, duration=26835.968s, table=60, n_packets=0, n_bytes=0, priority=0 actions=drop


 # ip目的地址为10.131.1.241（某个Pod的IP），执行：NXM_NX_REG1被赋值0，NXM_NX_REG2被赋值0x3（该值表示该Pod对应在交换机第几个Port），转到table 80
 cookie=0x0, duration=26816.362s, table=70, n_packets=0, n_bytes=0, priority=100,ip,nw_dst=10.131.1.241 actions=load:0->NXM_NX_REG1[],load:0x3->NXM_NX_REG2[],goto_table:80
 # ip目的地址为10.131.0.16 （某个Pod的IP），执行：NXM_NX_REG1被赋值0，NXM_NX_REG2被赋值0x1c（该值表示该Pod对应在交换机第几个Port），转到table 80
 cookie=0x0, duration=26811.561s, table=70, n_packets=26747, n_bytes=2464711, priority=100,ip,nw_dst=10.131.0.16 actions=load:0->NXM_NX_REG1[],load:0x1c->NXM_NX_REG2[],goto_table:80
 # 默认丢弃规则
 cookie=0x0, duration=26835.968s, table=70, n_packets=33, n_bytes=2323, priority=0 actions=drop


 # ip源地址为10.131.0.1，直接转发到NXM_NX_REG2寄存器所存储的值对应的端口，例如：如果NXM_NX_REG2值为0x3，转发到3号端口
 cookie=0x0, duration=26835.968s, table=80, n_packets=106921, n_bytes=10689512, priority=300,ip,nw_src=10.131.0.1 actions=output:NXM_NX_REG2[]
 # 默认丢弃规则
 cookie=0x0, duration=26835.968s, table=80, n_packets=0, n_bytes=0, priority=0 actions=drop
 # 直接转发到NXM_NX_REG2寄存器所存储的值对应的端口，例如：如果NXM_NX_REG2值为0x3，转发到3号端口
 cookie=0x0, duration=26835.963s, table=80, n_packets=19999007, n_bytes=3317589010, priority=200 actions=output:NXM_NX_REG2[]


 # ip目的CIDR为10.128.0.0/23（受OpenShift hostsubnet资源控制），执行：NXM_NX_TUN_ID第0到31bits的内容被NXM_NX_REG0覆盖，配置vxlan隧道的接收端为172.16.1.15，从vxlan0端口发出
 cookie=0xe771f965, duration=26827.836s, table=90, n_packets=47422, n_bytes=3689269, priority=100,ip,nw_dst=10.128.0.0/23 actions=move:NXM_NX_REG0[]->NXM_NX_TUN_ID[0..31],set_field:172.16.1.15->tun_dst,output:1
 # ip目的CIDR为10.129.0.0/23（受OpenShift hostsubnet资源判断），执行：NXM_NX_TUN_ID第0到31bits的内容被NXM_NX_REG0覆盖，配置vxlan隧道的接收端为172.16.1.15，从vxlan0端口发出
 cookie=0x998beb3f, duration=26827.825s, table=90, n_packets=17283087, n_bytes=4371464711, priority=100,ip,nw_dst=10.129.0.0/23 actions=move:NXM_NX_REG0[]->NXM_NX_TUN_ID[0..31],set_field:172.16.1.16->tun_dst,output:1
 # ip目的CIDR为10.130.0.0/23（受OpenShift hostsubnet资源判断），执行：NXM_NX_TUN_ID第0到31bits的内容被NXM_NX_REG0覆盖，配置vxlan隧道的接收端为172.16.1.15，从vxlan0端口发出
 cookie=0x96dd1847, duration=26827.818s, table=90, n_packets=894115, n_bytes=190086670, priority=100,ip,nw_dst=10.130.0.0/23 actions=move:NXM_NX_REG0[]->NXM_NX_TUN_ID[0..31],set_field:172.16.1.22->tun_dst,output:1
 # 默认丢弃规则
 cookie=0x0, duration=26835.968s, table=90, n_packets=0, n_bytes=0, priority=0 actions=drop


 # udp目的端口为4789，直接丢弃
 cookie=0x0, duration=26835.968s, table=100, n_packets=0, n_bytes=0, priority=300,udp,tp_dst=4789 actions=drop
 # ip目的地址为172.16.1.25，tcp端口为53，直接转发给tun0端口（Pod用户和当前host上的dnsmasq通讯）
 cookie=0x0, duration=26835.968s, table=100, n_packets=0, n_bytes=0, priority=200,tcp,nw_dst=172.16.1.25,tp_dst=53 actions=output:2
 # ip目的地址为172.16.1.25，udp端口为53，直接转发给tun0端口（Pod用户和当前host上的dnsmasq通讯）
 cookie=0x0, duration=26835.968s, table=100, n_packets=233836, n_bytes=24594932, priority=200,udp,nw_dst=172.16.1.25,tp_dst=53 actions=output:2
 # 跳转到101
 cookie=0x0, duration=26835.968s, table=100, n_packets=4556968, n_bytes=892682862, priority=0 actions=goto_table:101

 # 直接转发给tun0端口
 cookie=0x0, duration=26835.968s, table=101, n_packets=4556968, n_bytes=892682862, priority=0 actions=output:2


 # 丢弃
 cookie=0x0, duration=26835.968s, table=110, n_packets=0, n_bytes=0, priority=0 actions=drop

 # 执行：NXM_NX_TUN_ID第0到31bits的内容被NXM_NX_REG0覆盖，配置vxlan隧道的接收端为172.16.1.15，从vxlan0端口发出
 #                                                     配置vxlan隧道的接收端为172.16.1.16，从vxlan0端口发出
 #                                                     配置vxlan隧道的接收端为172.16.1.22，从vxlan0端口发出
 cookie=0x0, duration=26827.813s, table=111, n_packets=0, n_bytes=0, priority=100 actions=move:NXM_NX_REG0[]->NXM_NX_TUN_ID[0..31],set_field:172.16.1.15->tun_dst,output:1,set_field:172.16.1.16->tun_dst,output:1,set_field:172.16.1.22->tun_dst,output:1,goto_table:120


 # 丢弃
 cookie=0x0, duration=26835.968s, table=120, n_packets=0, n_bytes=0, priority=0 actions=drop

 # 不做任何动作，仅仅是一个注释，在OpenShift代码branch=3.11 pkg/network/node/ovscontroller.go LINE 243处添加
 cookie=0x0, duration=26835.968s, table=253, n_packets=0, n_bytes=0, actions=note:00.07.00.00.00.00

节点怎么与容器内的Pod通讯

OpenShift通过tun0网卡，接入OpenVSwitch br0交换机，通过此操作可以实现宿主机与集群内的Pod通讯：

$ ip route show
default via 172.16.1.253 dev eth0 proto dhcp metric 100
10.128.0.0/14 dev tun0 scope link
172.16.1.0/24 dev eth0 proto kernel scope link src 172.16.1.25 metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1

$ iptables-save |grep tun0
-A FORWARD -i tun0 ! -o tun0 -m comment --comment "administrator overrides" -j OPENSHIFT-ADMIN-OUTPUT-RULES
-A OPENSHIFT-FIREWALL-ALLOW -i tun0 -m comment --comment "from SDN to localhost" -j ACCEPT
-A POSTROUTING -s 127.0.0.0/8 -o tun0 -m comment --comment "SNAT for localhost access to hostports" -j MASQUERADE