From 4071570d91c7aec212d70c2a0790b764bb3d65e2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=BC=A0=E7=A5=96=E5=BB=BA?=
Date: Mon, 29 Jan 2024 16:39:09 +0800
Subject: [PATCH] ovn: do not send direct traffic between lports to conntrack (#3663)

Signed-off-by: zhangzujian
---
 charts/templates/controller-deploy.yaml | 1 +
 charts/values.yaml | 3 +++
 dist/images/Dockerfile.base | 4 +++-
 dist/images/install.sh | 2 ++
 mocks/pkg/ovs/interface.go | 28 +++++++++++++++++++++++++
 pkg/controller/config.go | 3 +++
 pkg/controller/controller.go | 4 ++++
 pkg/ovs/interface.go | 1 +
 pkg/ovs/ovn-nb_global.go | 4 ++++
 yamls/kube-ovn-dual-stack.yaml | 1 +
 yamls/kube-ovn-ipv6.yaml | 1 +
 yamls/kube-ovn.yaml | 1 +
 12 files changed, 52 insertions(+), 1 deletion(-)

diff --git a/charts/templates/controller-deploy.yaml b/charts/templates/controller-deploy.yaml
index e3c287c211e..1c468a81036 100644
--- a/charts/templates/controller-deploy.yaml
+++ b/charts/templates/controller-deploy.yaml
@@ -99,6 +99,7 @@ spec:
 - --default-vlan-name={{- .Values.networking.vlan.VLAN_NAME }}
 - --default-vlan-id={{- .Values.networking.vlan.VLAN_ID }}
 - --ls-dnat-mod-dl-dst={{- .Values.func.LS_DNAT_MOD_DL_DST }}
+ - --ls-ct-skip-dst-lport-ips={{- .Values.func.LS_CT_SKIP_DST_LPORT_IPS }}
 - --pod-nic-type={{- .Values.networking.POD_NIC_TYPE }}
 - --enable-lb={{- .Values.func.ENABLE_LB }}
 - --enable-np={{- .Values.func.ENABLE_NP }}
diff --git a/charts/values.yaml b/charts/values.yaml
index ffa1933d3d5..ce109378c9a 100644
--- a/charts/values.yaml
+++ b/charts/values.yaml
@@ -62,6 +62,9 @@ func:
 ENABLE_LB_SVC: false
 ENABLE_KEEP_VM_IP: true
 LS_DNAT_MOD_DL_DST: true
+ LS_CT_SKIP_DST_LPORT_IPS: true
+ CHECK_GATEWAY: true
+ LOGICAL_GATEWAY: false
 ENABLE_BIND_LOCAL_IP: true
 U2O_INTERCONNECTION: false
 ENABLE_TPROXY: false
diff --git a/dist/images/Dockerfile.base b/dist/images/Dockerfile.base
index 0953d3586fa..e8bf8721ecb 100644
--- a/dist/images/Dockerfile.base
+++ b/dist/images/Dockerfile.base
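Review bot: The values.yaml hunk adds `CHECK_GATEWAY: true` and `LOGICAL_GATEWAY: false` next to the new `LS_CT_SKIP_DST_LPORT_IPS`, but nothing else in this commit reads them — the only template touched is controller-deploy.yaml, and it consumes only `.Values.func.LS_CT_SKIP_DST_LPORT_IPS`. If templates outside this diff already reference those two keys, a one-line comment beside them naming the consumer would make the addition self-explaining; if not, they are unrelated to the conntrack option and belong in a separate commit. As written, a reader of the chart cannot tell whether setting them has any effect.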
@@ -46,7 +46,9 @@ RUN cd /usr/src/ && git clone -b branch-22.12 --depth=1 https://github.com/ovn-o
 # ovn-ic blacklist function not work on ipv6
 curl -s https://github.com/kubeovn/ovn/commit/78ab91005854532e7eb5c4fe6b2923ce292e3681.patch | git apply && \
 # fix lr-lb dnat with multiple distributed gateway ports
- curl -s https://github.com/kubeovn/ovn/commit/80f37c2debbf9f5230403691f791d11cc2b2e277.patch | git apply
+ curl -s https://github.com/kubeovn/ovn/commit/80f37c2debbf9f5230403691f791d11cc2b2e277.patch | git apply && \
+ # lflow: do not send direct traffic between lports to conntrack
+ curl -s https://github.com/kubeovn/ovn/commit/6f1af045845deeabf06fdc7c90073e0a6874ab2f.patch | git apply

 RUN apt install -y build-essential fakeroot \
 autoconf automake bzip2 debhelper-compat dh-exec dh-python dh-sequence-python3 dh-sequence-sphinxdoc \
diff --git a/dist/images/install.sh b/dist/images/install.sh
index 2ad6532ad47..93ef99ba516 100755
--- a/dist/images/install.sh
+++ b/dist/images/install.sh
@@ -15,6 +15,7 @@ ENABLE_LB=${ENABLE_LB:-true}
 ENABLE_NP=${ENABLE_NP:-true}
 ENABLE_EIP_SNAT=${ENABLE_EIP_SNAT:-true}
 LS_DNAT_MOD_DL_DST=${LS_DNAT_MOD_DL_DST:-true}
+LS_CT_SKIP_DST_LPORT_IPS=${LS_CT_SKIP_DST_LPORT_IPS:-true}
 ENABLE_EXTERNAL_VPC=${ENABLE_EXTERNAL_VPC:-true}
 CNI_CONFIG_PRIORITY=${CNI_CONFIG_PRIORITY:-01}
 ENABLE_LB_SVC=${ENABLE_LB_SVC:-false}
@@ -3970,6 +3971,7 @@ spec:
 - --default-exchange-link-name=$EXCHANGE_LINK_NAME
 - --default-vlan-id=$VLAN_ID
 - --ls-dnat-mod-dl-dst=$LS_DNAT_MOD_DL_DST
+ - --ls-ct-skip-dst-lport-ips=$LS_CT_SKIP_DST_LPORT_IPS
 - --pod-nic-type=$POD_NIC_TYPE
 - --enable-lb=$ENABLE_LB
 - --enable-np=$ENABLE_NP
diff --git a/mocks/pkg/ovs/interface.go b/mocks/pkg/ovs/interface.go
index 62852d30bc1..7d96d8110e9 100644
--- a/mocks/pkg/ovs/interface.go
+++ b/mocks/pkg/ovs/interface.go
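Review bot: The new `curl -s ... | git apply` line for the lflow patch has no failure signal when the download fails: `curl -s` would exit non-zero, but the pipeline's status is that of `git apply`, and as far as I recall `git apply` accepts empty input without complaint, so a transient fetch failure produces an image built without the patch and no build error. The two existing lines beside it share the problem, but this hunk extends the chain rather than fixing it. Use `curl -fsSL` and make the pipeline fail explicitly — a `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` instruction before this RUN (hadolint DL4006) or downloading each patch to a file and applying from it. Committing the three patch files to the repository instead of fetching them at build time would additionally make the OVN build reproducible and put the patch content under review in-tree. The RUN this hunk modifies begins above the hunk.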
@@ -83,6 +83,20 @@ func (mr *MockNBGlobalMockRecorder) SetICAutoRoute(enable, blackList interface{}
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetICAutoRoute", reflect.TypeOf((*MockNBGlobal)(nil).SetICAutoRoute), enable, blackList)
 }

+// SetLsCtSkipDstLportIPs mocks base method.
+func (m *MockNBGlobal) SetLsCtSkipDstLportIPs(enabled bool) error {
+ m.ctrl.T.Helper()
+ ret := m.ctrl.Call(m, "SetLsCtSkipDstLportIPs", enabled)
+ ret0, _ := ret[0].(error)
+ return ret0
+}
+
+// SetLsCtSkipDstLportIPs indicates an expected call of SetLsCtSkipDstLportIPs.
+func (mr *MockNBGlobalMockRecorder) SetLsCtSkipDstLportIPs(enabled any) *gomock.Call {
+ mr.mock.ctrl.T.Helper()
+ return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetLsCtSkipDstLportIPs", reflect.TypeOf((*MockNBGlobal)(nil).SetLsCtSkipDstLportIPs), enabled)
+}
+
 // SetLsDnatModDlDst mocks base method.
 func (m *MockNBGlobal) SetLsDnatModDlDst(enabled bool) error {
 m.ctrl.T.Helper()
@@ -4100,6 +4114,20 @@ func (mr *MockNbClientMockRecorder) SetLogicalSwitchPrivate(lsName, cidrBlock, n
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetLogicalSwitchPrivate", reflect.TypeOf((*MockNbClient)(nil).SetLogicalSwitchPrivate), lsName, cidrBlock, nodeSwitchCIDR, allowSubnets)
 }

+// SetLsCtSkipDstLportIPs mocks base method.
+func (m *MockNbClient) SetLsCtSkipDstLportIPs(enabled bool) error {
+ m.ctrl.T.Helper()
+ ret := m.ctrl.Call(m, "SetLsCtSkipDstLportIPs", enabled)
+ ret0, _ := ret[0].(error)
+ return ret0
+}
+
+// SetLsCtSkipDstLportIPs indicates an expected call of SetLsCtSkipDstLportIPs.
+func (mr *MockNbClientMockRecorder) SetLsCtSkipDstLportIPs(enabled any) *gomock.Call {
+ mr.mock.ctrl.T.Helper()
+ return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetLsCtSkipDstLportIPs", reflect.TypeOf((*MockNbClient)(nil).SetLsCtSkipDstLportIPs), enabled)
+}
+
 // SetLsDnatModDlDst mocks base method.
 func (m *MockNbClient) SetLsDnatModDlDst(enabled bool) error {
 m.ctrl.T.Helper()
diff --git a/pkg/controller/config.go b/pkg/controller/config.go
index e8bf142fd2f..35a756db8fa 100644
--- a/pkg/controller/config.go
+++ b/pkg/controller/config.go
@@ -78,6 +78,7 @@ type Configuration struct {
 DefaultVlanName string
 DefaultVlanID int
 LsDnatModDlDst bool
+ LsCtSkipDstLportIPs bool

 EnableLb bool
 EnableNP bool
@@ -149,6 +150,7 @@ func ParseFlags() (*Configuration, error) {
 argDefaultVlanName = pflag.String("default-vlan-name", "ovn-vlan", "The default vlan name")
 argDefaultVlanID = pflag.Int("default-vlan-id", 1, "The default vlan id")
 argLsDnatModDlDst = pflag.Bool("ls-dnat-mod-dl-dst", true, "Set ethernet destination address for DNAT on logical switch")
+ argLsCtSkipDstLportIPs = pflag.Bool("ls-ct-skip-dst-lport-ips", true, "Skip conntrack for direct traffic between lports")
 argPodNicType = pflag.String("pod-nic-type", "veth-pair", "The default pod network nic implementation type")
 argPodDefaultFipType = pflag.String("pod-default-fip-type", "", "The type of fip bind to pod automatically: iptables")
 argEnableLb = pflag.Bool("enable-lb", true, "Enable load balancer")
@@ -223,6 +225,7 @@ func ParseFlags() (*Configuration, error) {
 NetworkType: *argNetworkType,
 DefaultVlanID: *argDefaultVlanID,
 LsDnatModDlDst: *argLsDnatModDlDst,
+ LsCtSkipDstLportIPs: *argLsCtSkipDstLportIPs,
 DefaultProviderName: *argDefaultProviderName,
 DefaultHostInterface: *argDefaultInterfaceName,
 DefaultExchangeLinkName: *argDefaultExchangeLinkName,
diff --git a/pkg/controller/controller.go b/pkg/controller/controller.go
index cdb7a75adb4..ecb40f5f46f 100644
--- a/pkg/controller/controller.go
+++ b/pkg/controller/controller.go
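Review bot: The help string for the new `ls-ct-skip-dst-lport-ips` flag says what is skipped but not that it is wired to the NB_Global option `ls_ct_skip_dst_lport_ips` (set in controller.go in this commit) and only has an effect on an OVN build carrying the lflow change that Dockerfile.base patches in. Because the default is `true`, every upgraded deployment adopts the new datapath behaviour without opting in, and an operator on an unpatched OVN would see the flag do nothing; naming the dependency in the help text avoids that confusion, e.g. `"Skip conntrack for direct traffic between lports (sets NB_Global option ls_ct_skip_dst_lport_ips; requires an OVN build with the matching lflow change)"`. Whether bypassing conntrack on this traffic changes the behaviour of stateful ACLs is not visible from the diff — if it does, the flag text or docs should say so. ParseFlags continues outside the hunk.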
@@ -785,6 +785,10 @@ func (c *Controller) Run(ctx context.Context) {
 util.LogFatalAndExit(err, "failed to set NB_Global option use_ct_inv_match to false")
 }

+ if err := c.OVNNbClient.SetLsCtSkipDstLportIPs(c.config.LsCtSkipDstLportIPs); err != nil {
+ util.LogFatalAndExit(err, "failed to set NB_Global option ls_ct_skip_dst_lport_ips")
+ }
+
 if err := c.InitOVN(); err != nil {
 util.LogFatalAndExit(err, "failed to initialize ovn resources")
 }
diff --git a/pkg/ovs/interface.go b/pkg/ovs/interface.go
index 3dee0850efb..8675ed734a6 100644
--- a/pkg/ovs/interface.go
+++ b/pkg/ovs/interface.go
@@ -17,6 +17,7 @@ type NBGlobal interface {
 SetUseCtInvMatch() error
 SetICAutoRoute(enable bool, blackList []string) error
 SetLsDnatModDlDst(enabled bool) error
+ SetLsCtSkipDstLportIPs(enabled bool) error
 GetNbGlobal() (*ovnnb.NBGlobal, error)
 }

diff --git a/pkg/ovs/ovn-nb_global.go b/pkg/ovs/ovn-nb_global.go
index c0944210e1c..ebffa90be13 100644
--- a/pkg/ovs/ovn-nb_global.go
+++ b/pkg/ovs/ovn-nb_global.go
@@ -153,3 +153,7 @@ func (c *OVNNbClient) SetLBCIDR(serviceCIDR string) error {
 func (c *OVNNbClient) SetLsDnatModDlDst(enabled bool) error {
 return c.SetNbGlobalOptions("ls_dnat_mod_dl_dst", enabled)
 }
+
+func (c *OVNNbClient) SetLsCtSkipDstLportIPs(enabled bool) error {
+ return c.SetNbGlobalOptions("ls_ct_skip_dst_lport_ips", enabled)
+}
diff --git a/yamls/kube-ovn-dual-stack.yaml b/yamls/kube-ovn-dual-stack.yaml
index 829d462f3a3..7d2c36f4293 100644
--- a/yamls/kube-ovn-dual-stack.yaml
+++ b/yamls/kube-ovn-dual-stack.yaml
@@ -66,6 +66,7 @@ spec:
 - --default-exchange-link-name=false
 - --default-vlan-id=100
 - --ls-dnat-mod-dl-dst=true
+ - --ls-ct-skip-dst-lport-ips=true
 - --pod-nic-type=veth-pair
 - --enable-lb=true
 - --enable-np=true
diff --git a/yamls/kube-ovn-ipv6.yaml b/yamls/kube-ovn-ipv6.yaml
index eafa4bf307b..bc97a1eaf5d 100644
--- a/yamls/kube-ovn-ipv6.yaml
+++ b/yamls/kube-ovn-ipv6.yaml
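Review bot: The new fatal message `"failed to set NB_Global option ls_ct_skip_dst_lport_ips"` omits the value that was being written, while the existing line just above it reports `use_ct_inv_match to false`; when this exits the controller, the requested value (`c.config.LsCtSkipDstLportIPs`) is the first thing an operator wants in the log, and it is not a constant here. Include it in the message in whatever form `util.LogFatalAndExit` accepts (its signature is not visible in this hunk), e.g. a message built as `fmt.Sprintf("failed to set NB_Global option ls_ct_skip_dst_lport_ips to %v", c.config.LsCtSkipDstLportIPs)`. Run's body starts and ends outside the hunk.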
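Review bot: `SetLsCtSkipDstLportIPs` in ovn-nb_global.go is an exported method added without a doc comment; the neighbouring `SetLsDnatModDlDst` has none either, but new code should not extend that gap, since the option name alone does not say what the value controls. Suggested: `// SetLsCtSkipDstLportIPs sets the NB_Global option ls_ct_skip_dst_lport_ips, which controls whether direct traffic between logical switch ports bypasses conntrack.` The same comment belongs on the new `SetLsCtSkipDstLportIPs(enabled bool) error` line in the NBGlobal interface hunk of pkg/ovs/interface.go, which is where callers such as the controller look first.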
@@ -66,6 +66,7 @@ spec:
 - --default-exchange-link-name=false
 - --default-vlan-id=100
 - --ls-dnat-mod-dl-dst=true
+ - --ls-ct-skip-dst-lport-ips=true
 - --pod-nic-type=veth-pair
 - --enable-lb=true
 - --enable-np=true
diff --git a/yamls/kube-ovn.yaml b/yamls/kube-ovn.yaml
index 15d8965a9ea..1b0a5c352e8 100644
--- a/yamls/kube-ovn.yaml
+++ b/yamls/kube-ovn.yaml
@@ -66,6 +66,7 @@ spec:
 - --default-exchange-link-name=false
 - --default-vlan-id=100
 - --ls-dnat-mod-dl-dst=true
+ - --ls-ct-skip-dst-lport-ips=true
 - --pod-nic-type=veth-pair
 - --enable-lb=true
 - --enable-np=true