From 28aa65d18fb1e9fa44d1a4faee1eca130110d7ce Mon Sep 17 00:00:00 2001
From: changluyi <47097611+changluyi@users.noreply.github.com>
Date: Sun, 7 Apr 2024 15:49:57 +0800
Subject: [PATCH] skip conntrack when access node dns ip (#3894)

* skip conntrack when access node local dns ip

Signed-off-by: Changlu Yi
---
 dist/images/Dockerfile.base | 4 +++-
 mocks/pkg/ovs/interface.go | 28 ++++++++++++++++++++++++++++
 pkg/controller/config.go | 5 +++++
 pkg/controller/controller.go | 4 ++++
 pkg/ovs/interface.go | 1 +
 pkg/ovs/ovn-nb_global.go | 25 +++++++++++++++++++++++++
 pkg/util/net.go | 8 ++++++++
 7 files changed, 74 insertions(+), 1 deletion(-)

diff --git a/dist/images/Dockerfile.base b/dist/images/Dockerfile.base
index 393f6996ba3..18f33ffb815 100644
--- a/dist/images/Dockerfile.base
+++ b/dist/images/Dockerfile.base
@@ -48,7 +48,9 @@ RUN cd /usr/src/ && git clone -b branch-22.12 --depth=1 https://github.com/ovn-o
     # lflow: do not send direct traffic between lports to conntrack
     curl -s https://github.com/kubeovn/ovn/commit/54cbe0d1ba2051e640dd3e53498f373362547691.patch | git apply && \
     # northd: add nb option version_compatibility
-    curl -s https://github.com/kubeovn/ovn/commit/06f5a7c684a6030036e2663eecf934b37c3e666e.patch | git apply
+    curl -s https://github.com/kubeovn/ovn/commit/06f5a7c684a6030036e2663eecf934b37c3e666e.patch | git apply && \
+    # northd: skip conntrack when access node local dns ip
+    curl -s https://github.com/kubeovn/ovn/commit/1ea964886da774506962d6bf23f8f894d93a10eb.patch | git apply
 
 RUN apt install -y build-essential fakeroot \
     autoconf automake bzip2 debhelper-compat dh-exec dh-python dh-sequence-python3 dh-sequence-sphinxdoc \
diff --git a/mocks/pkg/ovs/interface.go b/mocks/pkg/ovs/interface.go
index 021e69d4ff5..63ab5fbbea2 100644
--- a/mocks/pkg/ovs/interface.go
+++ b/mocks/pkg/ovs/interface.go
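Review bot: The added `curl -s … | git apply` line pulls patch content from GitHub at image-build time with no integrity check beyond TLS, and `-s` without `-f` means an HTTP error body is piped into `git apply` instead of the fetch failing loudly (git apply would presumably reject it as unrecognized input, but the failure would point at the wrong place). The commit SHA in the URL pins the change on a cooperative server, not what actually arrives; for a base image this is build-time supply chain, so a reviewer would want `curl -fsSL` plus a `sha256sum -c` against a checksum recorded in the repo, or the patch vendored into the tree and `COPY`ed in, so the build is reproducible and verifiable offline. The same applies to the pre-existing fetch lines this hunk extends; the RUN instruction begins outside the hunk.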
@@ -102,6 +102,20 @@ func (mr *MockNBGlobalMockRecorder) SetLsCtSkipDstLportIPs(enabled any) *gomock. return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetLsCtSkipDstLportIPs", reflect.TypeOf((*MockNBGlobal)(nil).SetLsCtSkipDstLportIPs), enabled) } +// SetNodeLocalDNSIP mocks base method. +func (m *MockNBGlobal) SetNodeLocalDNSIP(nodeLocalDNSIP string) error { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "SetNodeLocalDNSIP", nodeLocalDNSIP) + ret0, _ := ret[0].(error) + return ret0 +} + +// SetNodeLocalDNSIP indicates an expected call of SetNodeLocalDNSIP. +func (mr *MockNBGlobalMockRecorder) SetNodeLocalDNSIP(nodeLocalDNSIP any) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetNodeLocalDNSIP", reflect.TypeOf((*MockNBGlobal)(nil).SetNodeLocalDNSIP), nodeLocalDNSIP) +} + // SetLsDnatModDlDst mocks base method. func (m *MockNBGlobal) SetLsDnatModDlDst(enabled bool) error { m.ctrl.T.Helper() @@ -4245,6 +4259,20 @@ func (mr *MockNbClientMockRecorder) SetLsCtSkipDstLportIPs(enabled any) *gomock. return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetLsCtSkipDstLportIPs", reflect.TypeOf((*MockNbClient)(nil).SetLsCtSkipDstLportIPs), enabled) } +// SetNodeLocalDNSIP mocks base method. +func (m *MockNbClient) SetNodeLocalDNSIP(nodeLocalDNSIP string) error { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "SetNodeLocalDNSIP", nodeLocalDNSIP) + ret0, _ := ret[0].(error) + return ret0 +} + +// SetNodeLocalDNSIP indicates an expected call of SetNodeLocalDNSIP. +func (mr *MockNbClientMockRecorder) SetNodeLocalDNSIP(nodeLocalDNSIP any) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetNodeLocalDNSIP", reflect.TypeOf((*MockNbClient)(nil).SetNodeLocalDNSIP), nodeLocalDNSIP) +} + // SetLsDnatModDlDst mocks base method. func (m *MockNbClient) SetLsDnatModDlDst(enabled bool) error { m.ctrl.T.Helper() 
diff --git a/pkg/controller/config.go b/pkg/controller/config.go
index 944b8e866fd..2cb6dd8a705 100644
--- a/pkg/controller/config.go
+++ b/pkg/controller/config.go
@@ -292,6 +292,11 @@ func ParseFlags() (*Configuration, error) {
 		return nil, fmt.Errorf("check system cidr failed, %v", err)
 	}
 
+	if err := util.CheckNodeDNSIP(config.NodeLocalDNSIP); err != nil {
+		klog.Error(err)
+		return nil, err
+	}
+
 	klog.Infof("config is %+v", config)
 	return config, nil
 }
diff --git a/pkg/controller/controller.go b/pkg/controller/controller.go
index 657da3e7f34..b8f82d5429f 100644
--- a/pkg/controller/controller.go
+++ b/pkg/controller/controller.go
@@ -752,6 +752,10 @@ func (c *Controller) Run(ctx context.Context) {
 		util.LogFatalAndExit(err, "failed to set NB_Global option ls_ct_skip_dst_lport_ips")
 	}
 
+	if err := c.OVNNbClient.SetNodeLocalDNSIP(c.config.NodeLocalDNSIP); err != nil {
+		util.LogFatalAndExit(err, "failed to set NB_Global option node_local_dns_ip")
+	}
+
 	if err := c.InitOVN(); err != nil {
 		util.LogFatalAndExit(err, "failed to initialize ovn resources")
 	}
diff --git a/pkg/ovs/interface.go b/pkg/ovs/interface.go
index 0afde76fd74..2cf0f984549 100644
--- a/pkg/ovs/interface.go
+++ b/pkg/ovs/interface.go
@@ -18,6 +18,7 @@ type NBGlobal interface {
 	SetICAutoRoute(enable bool, blackList []string) error
 	SetLsDnatModDlDst(enabled bool) error
 	SetLsCtSkipDstLportIPs(enabled bool) error
+	SetNodeLocalDNSIP(nodeLocalDNSIP string) error
 	GetNbGlobal() (*ovnnb.NBGlobal, error)
 }
 
diff --git a/pkg/ovs/ovn-nb_global.go b/pkg/ovs/ovn-nb_global.go
index 29b5584b0fa..38a41db5771 100644
--- a/pkg/ovs/ovn-nb_global.go
+++ b/pkg/ovs/ovn-nb_global.go
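Review bot: The new `CheckNodeDNSIP` call in ParseFlags reports its failure in a different shape from the `CheckSystemCIDR` path two lines above: it logs with `klog.Error(err)` and then returns the bare error, so the same failure is printed here and again by whatever handles ParseFlags' result, while the sibling wraps with context and leaves logging to the caller. Matching the existing style would be `return nil, fmt.Errorf("check node local dns ip failed, %v", err)` with the `klog.Error` line dropped. This call is also the only validation visible in the change before the value is written into NB_Global, so any tightening of what counts as an acceptable address belongs in `CheckNodeDNSIP` itself rather than here. ParseFlags begins outside the hunk.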
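Review bot: The new `SetNodeLocalDNSIP` method is added to the `NBGlobal` interface without a doc comment, and its contract is not obvious from the signature: the implementation in pkg/ovs/ovn-nb_global.go in this same patch treats an empty string as "remove the option" rather than "set it to empty". Suggest `// SetNodeLocalDNSIP sets NB_Global option node_local_dns_ip; an empty value removes the option.` above the line, since mocks and any alternative implementation are written against this interface and would otherwise have to read the concrete type to learn that behaviour.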
@@ -157,3 +157,28 @@ func (c *OVNNbClient) SetLsDnatModDlDst(enabled bool) error {
 func (c *OVNNbClient) SetLsCtSkipDstLportIPs(enabled bool) error {
 	return c.SetNbGlobalOptions("ls_ct_skip_dst_lport_ips", enabled)
 }
+
+func (c *OVNNbClient) SetNodeLocalDNSIP(nodeLocalDNSIP string) error {
+	if nodeLocalDNSIP != "" {
+		return c.SetNbGlobalOptions("node_local_dns_ip", nodeLocalDNSIP)
+	}
+
+	nbGlobal, err := c.GetNbGlobal()
+	if err != nil {
+		return fmt.Errorf("get nb global: %v", err)
+	}
+
+	options := make(map[string]string, len(nbGlobal.Options))
+	for k, v := range nbGlobal.Options {
+		options[k] = v
+	}
+
+	delete(options, "node_local_dns_ip")
+
+	nbGlobal.Options = options
+	if err := c.UpdateNbGlobal(nbGlobal, &nbGlobal.Options); err != nil {
+		return fmt.Errorf("remove option node_local_dns_ip failed , %v", err)
+	}
+
+	return nil
+}
diff --git a/pkg/util/net.go b/pkg/util/net.go
index 6f6e80d476c..24148304b8a 100644
--- a/pkg/util/net.go
+++ b/pkg/util/net.go
@@ -525,6 +525,14 @@ func CheckSystemCIDR(cidrs []string) error {
 	return nil
 }
 
+func CheckNodeDNSIP(nodeLocalDNSIP string) error {
+	if nodeLocalDNSIP != "" && !IsValidIP(nodeLocalDNSIP) {
+		err := fmt.Errorf("node dns ip %s is not valid ip", nodeLocalDNSIP)
+		return err
+	}
+	return nil
+}
+
 // GetExternalNetwork returns the external network name
 // if the external network is not specified, return the default external network name
 func GetExternalNetwork(externalNet string) string {
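Review bot: In the empty-value branch of `SetNodeLocalDNSIP` an NB_Global update is issued unconditionally, even when `node_local_dns_ip` is not present in `nbGlobal.Options`, so every controller start on a cluster that never enabled the feature performs a no-op write to the NB database. A guard right after the `GetNbGlobal` error check, `if _, ok := nbGlobal.Options["node_local_dns_ip"]; !ok { return nil }`, skips the write and the transaction it triggers. The error string `"remove option node_local_dns_ip failed , %v"` has a stray space before the comma. The method also lacks a doc comment; `// SetNodeLocalDNSIP sets NB_Global option node_local_dns_ip; an empty value removes it.` states the asymmetric contract that callers of the interface need. Note that the non-empty branch writes the string straight into the database, and the only validation visible in this change is `CheckNodeDNSIP` at flag-parse time, so any other caller of this client method gets no protection against a malformed value that the patched northd presumably consumes directly.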
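Review bot: `CheckNodeDNSIP` accepts any syntactically valid address, including the unspecified addresses `0.0.0.0` and `::` and multicast addresses, and it is the only validation visible in the change before the value becomes an NB_Global option that, per the commit title, exempts traffic to that destination from conntrack. Since such an exemption presumably also sidesteps stateful ACL evaluation for those flows, the check should require a single unicast address: keep `IsValidIP` for the syntax check, then reject `ip.IsUnspecified() || ip.IsMulticast()` via `net.ParseIP` (this is the util net helper, so `net` is likely already imported — confirm), and use `%q` in the error so an empty-looking or whitespace-padded value is visible in logs. A doc comment stating that an empty value means "feature disabled" would also help, since that is the one case the function deliberately lets through. If dual-stack node-local DNS is meant to be supported, a single-IP check is also too narrow, but that is a product question this hunk does not answer.

```go
// CheckNodeDNSIP validates the node-local DNS address supplied on the command line.
// An empty value is allowed and means the feature is disabled; otherwise the value
// must be a single unicast IP, because it is written to NB_Global to exempt traffic
// to that destination from conntrack.
func CheckNodeDNSIP(nodeLocalDNSIP string) error {
	if nodeLocalDNSIP == "" {
		return nil
	}
	if !IsValidIP(nodeLocalDNSIP) {
		return fmt.Errorf("node dns ip %q is not a valid ip", nodeLocalDNSIP)
	}
	if ip := net.ParseIP(nodeLocalDNSIP); ip.IsUnspecified() || ip.IsMulticast() {
		return fmt.Errorf("node dns ip %q must be a unicast address", nodeLocalDNSIP)
	}
	return nil
}
```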