From 602d5d2d889524493a044aa4f14f7172d1ec6a2c Mon Sep 17 00:00:00 2001
From: zhangzujian
Date: Tue, 23 Jan 2024 08:31:57 +0000
Subject: [PATCH] ovn: do not send direct traffic between lports to conntrack
Signed-off-by: zhangzujian
---
 charts/templates/controller-deploy.yaml | 1 +
 charts/values.yaml | 1 +
 dist/images/Dockerfile.base | 4 +++-
 dist/images/install.sh | 2 ++
 mocks/pkg/ovs/interface.go | 28 +++++++++++++++++++++++++
 pkg/controller/config.go | 3 +++
 pkg/controller/controller.go | 4 ++++
 pkg/ovs/interface.go | 1 +
 pkg/ovs/ovn-nb_global.go | 4 ++++
 yamls/kube-ovn-dual-stack.yaml | 1 +
 yamls/kube-ovn-ipv6.yaml | 1 +
 yamls/kube-ovn.yaml | 1 +
 12 files changed, 50 insertions(+), 1 deletion(-)
diff --git a/charts/templates/controller-deploy.yaml b/charts/templates/controller-deploy.yaml
index 0e694945cd4..975d7fc6ae9 100644
--- a/charts/templates/controller-deploy.yaml
+++ b/charts/templates/controller-deploy.yaml
@@ -99,6 +99,7 @@ spec:
 - --default-vlan-name={{- .Values.networking.vlan.VLAN_NAME }}
 - --default-vlan-id={{- .Values.networking.vlan.VLAN_ID }}
 - --ls-dnat-mod-dl-dst={{- .Values.func.LS_DNAT_MOD_DL_DST }}
+ - --ls-ct-skip-dst-lport-ips={{- .Values.func.LS_CT_SKIP_DST_LPORT_IPS }}
 - --pod-nic-type={{- .Values.networking.POD_NIC_TYPE }}
 - --enable-lb={{- .Values.func.ENABLE_LB }}
 - --enable-np={{- .Values.func.ENABLE_NP }}
diff --git a/charts/values.yaml b/charts/values.yaml
index 827af95ae80..fef1ba76f4c 100644
--- a/charts/values.yaml
+++ b/charts/values.yaml
@@ -63,6 +63,7 @@ func:
 ENABLE_LB_SVC: false
 ENABLE_KEEP_VM_IP: true
 LS_DNAT_MOD_DL_DST: true
+ LS_CT_SKIP_DST_LPORT_IPS: true
 CHECK_GATEWAY: true
 LOGICAL_GATEWAY: false
 ENABLE_BIND_LOCAL_IP: true
diff --git a/dist/images/Dockerfile.base b/dist/images/Dockerfile.base
index 4c8c662fc3d..00c63c1c9d0 100644
--- a/dist/images/Dockerfile.base
+++ b/dist/images/Dockerfile.base
@@ -46,7 +46,9 @@ RUN cd /usr/src/ && git clone -b branch-22.12 --depth=1 https://github.com/ovn-o
 # ovn-ic blacklist function not work on ipv6
 curl -s https://github.com/kubeovn/ovn/commit/78ab91005854532e7eb5c4fe6b2923ce292e3681.patch | git apply && \
 # fix lr-lb dnat with multiple distributed gateway ports
- curl -s https://github.com/kubeovn/ovn/commit/80f37c2debbf9f5230403691f791d11cc2b2e277.patch | git apply
+ curl -s https://github.com/kubeovn/ovn/commit/80f37c2debbf9f5230403691f791d11cc2b2e277.patch | git apply && \
+ # lflow: do not send direct traffic between lports to conntrack
+ curl -s https://github.com/kubeovn/ovn/commit/6f1af045845deeabf06fdc7c90073e0a6874ab2f.patch | git apply
 RUN apt install -y build-essential fakeroot \
 autoconf automake bzip2 debhelper-compat dh-exec dh-python dh-sequence-python3 dh-sequence-sphinxdoc \
diff --git a/dist/images/install.sh b/dist/images/install.sh
index f090b3918af..7ff5aa6522b 100755
--- a/dist/images/install.sh
+++ b/dist/images/install.sh
@@ -15,6 +15,7 @@ ENABLE_LB=${ENABLE_LB:-true}
 ENABLE_NP=${ENABLE_NP:-true}
 ENABLE_EIP_SNAT=${ENABLE_EIP_SNAT:-true}
 LS_DNAT_MOD_DL_DST=${LS_DNAT_MOD_DL_DST:-true}
+LS_CT_SKIP_DST_LPORT_IPS=${LS_CT_SKIP_DST_LPORT_IPS:-true}
 ENABLE_EXTERNAL_VPC=${ENABLE_EXTERNAL_VPC:-true}
 CNI_CONFIG_PRIORITY=${CNI_CONFIG_PRIORITY:-01}
 ENABLE_LB_SVC=${ENABLE_LB_SVC:-false}
@@ -3972,6 +3973,7 @@ spec:
 - --default-exchange-link-name=$EXCHANGE_LINK_NAME
 - --default-vlan-id=$VLAN_ID
 - --ls-dnat-mod-dl-dst=$LS_DNAT_MOD_DL_DST
+ - --ls-ct-skip-dst-lport-ips=$LS_CT_SKIP_DST_LPORT_IPS
 - --pod-nic-type=$POD_NIC_TYPE
 - --enable-lb=$ENABLE_LB
 - --enable-np=$ENABLE_NP
diff --git a/mocks/pkg/ovs/interface.go b/mocks/pkg/ovs/interface.go
index 6a436f37072..d85278bce3f 100644
--- a/mocks/pkg/ovs/interface.go
+++ b/mocks/pkg/ovs/interface.go
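Review bot: The added `curl -s … | git apply` line inherits the silent-failure mode of the two fetches above it: `-s` suppresses curl's own errors, there is no `-f`, and with no `pipefail` the RUN step's status is that of `git apply`, which as far as I recall exits 0 on empty input — so a transient download failure (curl writes nothing and its non-zero exit is discarded) would produce a base image that builds cleanly but lacks the lflow patch the new `ls_ct_skip_dst_lport_ips` option depends on. Writing all three as `curl -sSf … | git apply` makes a failed download fail the build. The patch content is also never checked against anything recorded in this repository; vendoring the `.patch` files (or comparing a stored sha256 before applying) would make the image reproducible and let the patched OVN code be reviewed in the PR rather than fetched at build time. The RUN command continues outside the hunk.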
@@ -88,6 +88,20 @@ func (mr *MockNBGlobalMockRecorder) SetICAutoRoute(enable, blackList any) *gomoc
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetICAutoRoute", reflect.TypeOf((*MockNBGlobal)(nil).SetICAutoRoute), enable, blackList)
 }
+// SetLsCtSkipDstLportIPs mocks base method.
+func (m *MockNBGlobal) SetLsCtSkipDstLportIPs(enabled bool) error {
+ m.ctrl.T.Helper()
+ ret := m.ctrl.Call(m, "SetLsCtSkipDstLportIPs", enabled)
+ ret0, _ := ret[0].(error)
+ return ret0
+}
+
+// SetLsCtSkipDstLportIPs indicates an expected call of SetLsCtSkipDstLportIPs.
+func (mr *MockNBGlobalMockRecorder) SetLsCtSkipDstLportIPs(enabled any) *gomock.Call {
+ mr.mock.ctrl.T.Helper()
+ return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetLsCtSkipDstLportIPs", reflect.TypeOf((*MockNBGlobal)(nil).SetLsCtSkipDstLportIPs), enabled)
+}
+
 // SetLsDnatModDlDst mocks base method.
 func (m *MockNBGlobal) SetLsDnatModDlDst(enabled bool) error {
 m.ctrl.T.Helper()
@@ -4133,6 +4147,20 @@ func (mr *MockNbClientMockRecorder) SetLogicalSwitchPrivate(lsName, cidrBlock, n
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetLogicalSwitchPrivate", reflect.TypeOf((*MockNbClient)(nil).SetLogicalSwitchPrivate), lsName, cidrBlock, nodeSwitchCIDR, allowSubnets)
 }
+// SetLsCtSkipDstLportIPs mocks base method.
+func (m *MockNbClient) SetLsCtSkipDstLportIPs(enabled bool) error {
+ m.ctrl.T.Helper()
+ ret := m.ctrl.Call(m, "SetLsCtSkipDstLportIPs", enabled)
+ ret0, _ := ret[0].(error)
+ return ret0
+}
+
+// SetLsCtSkipDstLportIPs indicates an expected call of SetLsCtSkipDstLportIPs.
+func (mr *MockNbClientMockRecorder) SetLsCtSkipDstLportIPs(enabled any) *gomock.Call {
+ mr.mock.ctrl.T.Helper()
+ return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetLsCtSkipDstLportIPs", reflect.TypeOf((*MockNbClient)(nil).SetLsCtSkipDstLportIPs), enabled)
+}
+
 // SetLsDnatModDlDst mocks base method.
 func (m *MockNbClient) SetLsDnatModDlDst(enabled bool) error {
 m.ctrl.T.Helper()
diff --git a/pkg/controller/config.go b/pkg/controller/config.go
index 53c7441d260..8648db63f6e 100644
--- a/pkg/controller/config.go
+++ b/pkg/controller/config.go
@@ -78,6 +78,7 @@ type Configuration struct {
 DefaultVlanName string
 DefaultVlanID int
 LsDnatModDlDst bool
+ LsCtSkipDstLportIPs bool
 EnableLb bool
 EnableNP bool
@@ -149,6 +150,7 @@ func ParseFlags() (*Configuration, error) {
 argDefaultVlanName = pflag.String("default-vlan-name", "ovn-vlan", "The default vlan name")
 argDefaultVlanID = pflag.Int("default-vlan-id", 1, "The default vlan id")
 argLsDnatModDlDst = pflag.Bool("ls-dnat-mod-dl-dst", true, "Set ethernet destination address for DNAT on logical switch")
+ argLsCtSkipDstLportIPs = pflag.Bool("ls-ct-skip-dst-lport-ips", true, "Skip conntrack for direct traffic between lports")
 argPodNicType = pflag.String("pod-nic-type", "veth-pair", "The default pod network nic implementation type")
 argPodDefaultFipType = pflag.String("pod-default-fip-type", "iptables", "The type of fip bind to pod automatically: iptables")
 argEnableLb = pflag.Bool("enable-lb", true, "Enable load balancer")
@@ -223,6 +225,7 @@ func ParseFlags() (*Configuration, error) {
 NetworkType: *argNetworkType,
 DefaultVlanID: *argDefaultVlanID,
 LsDnatModDlDst: *argLsDnatModDlDst,
+ LsCtSkipDstLportIPs: *argLsCtSkipDstLportIPs,
 DefaultProviderName: *argDefaultProviderName,
 DefaultHostInterface: *argDefaultInterfaceName,
 DefaultExchangeLinkName: *argDefaultExchangeLinkName,
diff --git a/pkg/controller/controller.go b/pkg/controller/controller.go
index 3ace70aad0b..040ea22bfe9 100644
--- a/pkg/controller/controller.go
+++ b/pkg/controller/controller.go
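Review bot: The help text of the new `ls-ct-skip-dst-lport-ips` flag in the ParseFlags hunk says what the option does but not what it implies: as far as I understand OVN, traffic between logical switch ports is exactly where stateful ACLs (the network-policy implementation) are evaluated, and those depend on conntrack, so a reader cannot tell from this flag whether the patched ovn-northd still sends ACL-matched flows to ct or whether enabling it bypasses stateful policy for pod-to-pod traffic. Because the default is `true`, the new datapath behavior switches on for every existing deployment at the next controller restart rather than being opted into. If stateful ACLs are unaffected, say so in the help string, e.g. `"Skip conntrack for direct traffic between lports (flows matched by stateful ACLs are still tracked)"`; if they are affected, a default of `false` plus a warning in the help text would be the safer choice. The `Configuration` field in the first hunk would benefit from the same one-line comment; ParseFlags continues outside the hunk.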
@@ -785,6 +785,10 @@ func (c *Controller) Run(ctx context.Context) {
 util.LogFatalAndExit(err, "failed to set NB_Global option use_ct_inv_match to false")
 }
+ if err := c.OVNNbClient.SetLsCtSkipDstLportIPs(c.config.LsCtSkipDstLportIPs); err != nil {
+ util.LogFatalAndExit(err, "failed to set NB_Global option ls_ct_skip_dst_lport_ips")
+ }
+
 if err := c.InitOVN(); err != nil {
 util.LogFatalAndExit(err, "failed to initialize ovn resources")
 }
diff --git a/pkg/ovs/interface.go b/pkg/ovs/interface.go
index f288ad4d253..cc46d6b5655 100644
--- a/pkg/ovs/interface.go
+++ b/pkg/ovs/interface.go
@@ -17,6 +17,7 @@ type NBGlobal interface {
 SetUseCtInvMatch() error
 SetICAutoRoute(enable bool, blackList []string) error
 SetLsDnatModDlDst(enabled bool) error
+ SetLsCtSkipDstLportIPs(enabled bool) error
 GetNbGlobal() (*ovnnb.NBGlobal, error)
 }
diff --git a/pkg/ovs/ovn-nb_global.go b/pkg/ovs/ovn-nb_global.go
index c0944210e1c..ebffa90be13 100644
--- a/pkg/ovs/ovn-nb_global.go
+++ b/pkg/ovs/ovn-nb_global.go
@@ -153,3 +153,7 @@ func (c *OVNNbClient) SetLBCIDR(serviceCIDR string) error {
 func (c *OVNNbClient) SetLsDnatModDlDst(enabled bool) error {
 return c.SetNbGlobalOptions("ls_dnat_mod_dl_dst", enabled)
 }
+
+func (c *OVNNbClient) SetLsCtSkipDstLportIPs(enabled bool) error {
+ return c.SetNbGlobalOptions("ls_ct_skip_dst_lport_ips", enabled)
+}
diff --git a/yamls/kube-ovn-dual-stack.yaml b/yamls/kube-ovn-dual-stack.yaml
index 96d72ea314d..8c4943bd74b 100644
--- a/yamls/kube-ovn-dual-stack.yaml
+++ b/yamls/kube-ovn-dual-stack.yaml
@@ -66,6 +66,7 @@ spec:
 - --default-exchange-link-name=false
 - --default-vlan-id=100
 - --ls-dnat-mod-dl-dst=true
+ - --ls-ct-skip-dst-lport-ips=true
 - --pod-nic-type=veth-pair
 - --enable-lb=true
 - --enable-np=true
diff --git a/yamls/kube-ovn-ipv6.yaml b/yamls/kube-ovn-ipv6.yaml
index 4cc65d42b4a..5840f96ab40 100644
--- a/yamls/kube-ovn-ipv6.yaml
+++ b/yamls/kube-ovn-ipv6.yaml
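Review bot: The new exported method `SetLsCtSkipDstLportIPs` in the ovn-nb_global.go hunk has no doc comment, and nothing in the Go code records that the `ls_ct_skip_dst_lport_ips` NB_Global option is only understood by an OVN built with the lflow patch this same commit adds to Dockerfile.base. Add `// SetLsCtSkipDstLportIPs sets the NB_Global option ls_ct_skip_dst_lport_ips, which tells a patched ovn-northd not to send direct traffic between logical switch ports through conntrack; an unpatched OVN presumably stores the option without acting on it.` The "presumably" part is worth confirming against the patched northd, because the controller's fatal-exit path in the controller.go hunk only reports a failed write, so an operator cannot tell from the log whether the setting is actually in effect. The neighbouring setters above share the missing-comment gap, but the new one is the place to start.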
@@ -66,6 +66,7 @@ spec:
 - --default-exchange-link-name=false
 - --default-vlan-id=100
 - --ls-dnat-mod-dl-dst=true
+ - --ls-ct-skip-dst-lport-ips=true
 - --pod-nic-type=veth-pair
 - --enable-lb=true
 - --enable-np=true
diff --git a/yamls/kube-ovn.yaml b/yamls/kube-ovn.yaml
index d09d1d94278..29c03915135 100644
--- a/yamls/kube-ovn.yaml
+++ b/yamls/kube-ovn.yaml
@@ -66,6 +66,7 @@ spec:
 - --default-exchange-link-name=false
 - --default-vlan-id=100
 - --ls-dnat-mod-dl-dst=true
+ - --ls-ct-skip-dst-lport-ips=true
 - --pod-nic-type=veth-pair
 - --enable-lb=true
 - --enable-np=true