From 27424c33a0f4c7c3b4d04f2a3b9ca34b40d5f0c1 Mon Sep 17 00:00:00 2001 From: Hongliang Liu <75655411+hongliangl@users.noreply.github.com> Date: Wed, 24 Apr 2024 14:19:49 +0800 Subject: [PATCH] Fix that local traffic cannot be identified in networkPolicyOnly mode (#6251) Before this commit, in AntreaProxy, to respect short-circuiting, when installing flows for an external Services, an extra flow with higher priority to match traffic sourced from local (local Pods or local Node) and destined for the external Service will be installed. This is achieved by matching the local Pod CIDR obtained from the local Node object. However, when Antrea is deployed in networkPolicyOnly mode, the Pod CIDR in the local Node object is nil, resulting in the failure of install the extra flow mentioned above. To fix the issue, a new reg mark `FromLocalRegMark` identifying traffic from local Pods or the local Node is introduced to mark the traffic from local. This reg mark can be used in all traffic mode. Fix #6244 Signed-off-by: Hongliang Liu --- pkg/agent/openflow/client_test.go | 30 ++++++++++----------- pkg/agent/openflow/fields.go | 4 ++- pkg/agent/openflow/pipeline.go | 16 +++++------ pkg/agent/openflow/pod_connectivity_test.go | 12 ++++----- pkg/agent/openflow/service.go | 9 ------- test/integration/agent/openflow_test.go | 4 +-- 6 files changed, 34 insertions(+), 41 deletions(-) diff --git a/pkg/agent/openflow/client_test.go b/pkg/agent/openflow/client_test.go index 823d917199d..658193b1220 100644 --- a/pkg/agent/openflow/client_test.go +++ b/pkg/agent/openflow/client_test.go @@ -734,7 +734,7 @@ func Test_client_InstallPodFlows(t *testing.T) { podInterfaceIPs: []net.IP{podIPv4}, expectedFlows: []string{ "cookie=0x1010000000000, table=ARPSpoofGuard, priority=200,arp,in_port=100,arp_spa=10.10.0.66,arp_sha=00:00:10:10:00:66 actions=goto_table:ARPResponder", - "cookie=0x1010000000000, table=Classifier, priority=190,in_port=100 actions=set_field:0x3/0xf->reg0,goto_table:SpoofGuard", + "cookie=0x1010000000000, table=Classifier, priority=190,in_port=100 actions=set_field:0x3/0xf->reg0,set_field:0x10000000/0x10000000->reg4,goto_table:SpoofGuard", "cookie=0x1010000000000, table=SpoofGuard, priority=200,ip,in_port=100,dl_src=00:00:10:10:00:66,nw_src=10.10.0.66 actions=goto_table:UnSNAT", "cookie=0x1010000000000, table=L3Forwarding, priority=200,ip,reg0=0x200/0x200,nw_dst=10.10.0.66 actions=set_field:0a:00:00:00:00:01->eth_src,set_field:00:00:10:10:00:66->eth_dst,goto_table:L3DecTTL", "cookie=0x1010000000000, table=L2ForwardingCalc, priority=200,dl_dst=00:00:10:10:00:66 actions=set_field:0x64->reg1,set_field:0x200000/0x600000->reg0,goto_table:IngressSecurityClassifier", @@ -748,7 +748,7 @@ func Test_client_InstallPodFlows(t *testing.T) { expectedFlows: []string{ "cookie=0x1010000000000, table=ARPSpoofGuard, priority=200,arp,in_port=100,arp_spa=10.10.0.66,arp_sha=00:00:10:10:00:66 actions=goto_table:ARPResponder", "cookie=0x1010000000000, table=SpoofGuard, priority=200,ip,in_port=100,dl_src=00:00:10:10:00:66,nw_src=10.10.0.66 actions=goto_table:PipelineIPClassifier", - "cookie=0x1010000000000, table=Classifier, priority=190,in_port=100 actions=set_field:0x3/0xf->reg0,goto_table:SpoofGuard", + "cookie=0x1010000000000, table=Classifier, priority=190,in_port=100 actions=set_field:0x3/0xf->reg0,set_field:0x10000000/0x10000000->reg4,goto_table:SpoofGuard", "cookie=0x1010000000000, table=L3Forwarding, priority=200,ip,reg0=0x200/0x200,nw_dst=10.10.0.66 actions=set_field:0a:00:00:00:00:01->eth_src,set_field:00:00:10:10:00:66->eth_dst,goto_table:L3DecTTL", "cookie=0x1010000000000, table=L2ForwardingCalc, priority=200,dl_dst=00:00:10:10:00:66 actions=set_field:0x64->reg1,set_field:0x200000/0x600000->reg0,goto_table:IngressSecurityClassifier", "cookie=0x1050000000000, table=MulticastEgressPodMetric, priority=200,ip,nw_src=10.10.0.66 actions=goto_table:MulticastRouting", @@ -760,7 +760,7 @@ func Test_client_InstallPodFlows(t *testing.T) { enableIPv6: true, podInterfaceIPs: []net.IP{podIPv6}, expectedFlows: []string{ - "cookie=0x1010000000000, table=Classifier, priority=190,in_port=100 actions=set_field:0x3/0xf->reg0,goto_table:SpoofGuard", + "cookie=0x1010000000000, table=Classifier, priority=190,in_port=100 actions=set_field:0x3/0xf->reg0,set_field:0x10000000/0x10000000->reg4,goto_table:SpoofGuard", "cookie=0x1010000000000, table=SpoofGuard, priority=200,ipv6,in_port=100,dl_src=00:00:10:10:00:66,ipv6_src=fec0:10:10::66 actions=goto_table:IPv6", "cookie=0x1010000000000, table=L3Forwarding, priority=200,ipv6,reg0=0x200/0x200,ipv6_dst=fec0:10:10::66 actions=set_field:0a:00:00:00:00:01->eth_src,set_field:00:00:10:10:00:66->eth_dst,goto_table:L3DecTTL", "cookie=0x1010000000000, table=L2ForwardingCalc, priority=200,dl_dst=00:00:10:10:00:66 actions=set_field:0x64->reg1,set_field:0x200000/0x600000->reg0,goto_table:IngressSecurityClassifier", @@ -773,7 +773,7 @@ func Test_client_InstallPodFlows(t *testing.T) { podInterfaceIPs: []net.IP{podIPv4, podIPv6}, expectedFlows: []string{ "cookie=0x1010000000000, table=ARPSpoofGuard, priority=200,arp,in_port=100,arp_spa=10.10.0.66,arp_sha=00:00:10:10:00:66 actions=goto_table:ARPResponder", - "cookie=0x1010000000000, table=Classifier, priority=190,in_port=100 actions=set_field:0x3/0xf->reg0,goto_table:SpoofGuard", + "cookie=0x1010000000000, table=Classifier, priority=190,in_port=100 actions=set_field:0x3/0xf->reg0,set_field:0x10000000/0x10000000->reg4,goto_table:SpoofGuard", "cookie=0x1010000000000, table=SpoofGuard, priority=200,ip,in_port=100,dl_src=00:00:10:10:00:66,nw_src=10.10.0.66 actions=goto_table:UnSNAT", "cookie=0x1010000000000, table=SpoofGuard, priority=200,ipv6,in_port=100,dl_src=00:00:10:10:00:66,ipv6_src=fec0:10:10::66 actions=goto_table:IPv6", "cookie=0x1010000000000, table=L3Forwarding, priority=200,ip,reg0=0x200/0x200,nw_dst=10.10.0.66 actions=set_field:0a:00:00:00:00:01->eth_src,set_field:00:00:10:10:00:66->eth_dst,goto_table:L3DecTTL", @@ -788,7 +788,7 @@ func Test_client_InstallPodFlows(t *testing.T) { trafficEncapMode: config.TrafficEncapModeNetworkPolicyOnly, expectedFlows: []string{ "cookie=0x1010000000000, table=ARPSpoofGuard, priority=200,arp,in_port=100,arp_spa=10.10.0.66,arp_sha=00:00:10:10:00:66 actions=goto_table:ARPResponder", - "cookie=0x1010000000000, table=Classifier, priority=190,in_port=100 actions=set_field:0x3/0xf->reg0,goto_table:SpoofGuard", + "cookie=0x1010000000000, table=Classifier, priority=190,in_port=100 actions=set_field:0x3/0xf->reg0,set_field:0x10000000/0x10000000->reg4,goto_table:SpoofGuard", "cookie=0x1010000000000, table=SpoofGuard, priority=200,ip,in_port=100,dl_src=00:00:10:10:00:66,nw_src=10.10.0.66 actions=goto_table:UnSNAT", "cookie=0x1010000000000, table=L3Forwarding, priority=200,ip,reg0=0x200/0x200,nw_dst=10.10.0.66 actions=set_field:0a:00:00:00:00:01->eth_src,set_field:00:00:10:10:00:66->eth_dst,goto_table:L3DecTTL", "cookie=0x1010000000000, table=L3Forwarding, priority=200,ip,nw_dst=10.10.0.66 actions=set_field:00:00:10:10:00:66->eth_dst,goto_table:L3DecTTL", @@ -801,7 +801,7 @@ func Test_client_InstallPodFlows(t *testing.T) { podInterfaceIPs: []net.IP{podIPv6}, trafficEncapMode: config.TrafficEncapModeNetworkPolicyOnly, expectedFlows: []string{ - "cookie=0x1010000000000, table=Classifier, priority=190,in_port=100 actions=set_field:0x3/0xf->reg0,goto_table:SpoofGuard", + "cookie=0x1010000000000, table=Classifier, priority=190,in_port=100 actions=set_field:0x3/0xf->reg0,set_field:0x10000000/0x10000000->reg4,goto_table:SpoofGuard", "cookie=0x1010000000000, table=SpoofGuard, priority=200,ipv6,in_port=100,dl_src=00:00:10:10:00:66,ipv6_src=fec0:10:10::66 actions=goto_table:IPv6", "cookie=0x1010000000000, table=L3Forwarding, priority=200,ipv6,reg0=0x200/0x200,ipv6_dst=fec0:10:10::66 actions=set_field:0a:00:00:00:00:01->eth_src,set_field:00:00:10:10:00:66->eth_dst,goto_table:L3DecTTL", "cookie=0x1010000000000, table=L3Forwarding, priority=200,ipv6,ipv6_dst=fec0:10:10::66 actions=set_field:00:00:10:10:00:66->eth_dst,goto_table:L3DecTTL", @@ -816,7 +816,7 @@ func Test_client_InstallPodFlows(t *testing.T) { trafficEncapMode: config.TrafficEncapModeNetworkPolicyOnly, expectedFlows: []string{ "cookie=0x1010000000000, table=ARPSpoofGuard, priority=200,arp,in_port=100,arp_spa=10.10.0.66,arp_sha=00:00:10:10:00:66 actions=goto_table:ARPResponder", - "cookie=0x1010000000000, table=Classifier, priority=190,in_port=100 actions=set_field:0x3/0xf->reg0,goto_table:SpoofGuard", + "cookie=0x1010000000000, table=Classifier, priority=190,in_port=100 actions=set_field:0x3/0xf->reg0,set_field:0x10000000/0x10000000->reg4,goto_table:SpoofGuard", "cookie=0x1010000000000, table=SpoofGuard, priority=200,ipv6,in_port=100,dl_src=00:00:10:10:00:66,ipv6_src=fec0:10:10::66 actions=goto_table:IPv6", "cookie=0x1010000000000, table=SpoofGuard, priority=200,ip,in_port=100,dl_src=00:00:10:10:00:66,nw_src=10.10.0.66 actions=goto_table:UnSNAT", "cookie=0x1010000000000, table=L3Forwarding, priority=200,ipv6,reg0=0x200/0x200,ipv6_dst=fec0:10:10::66 actions=set_field:0a:00:00:00:00:01->eth_src,set_field:00:00:10:10:00:66->eth_dst,goto_table:L3DecTTL", @@ -836,7 +836,7 @@ func Test_client_InstallPodFlows(t *testing.T) { "cookie=0x1010000000000, table=ARPSpoofGuard, priority=200,arp,in_port=100,arp_spa=192.168.77.200,arp_sha=00:00:10:10:00:66 actions=goto_table:ARPResponder", "cookie=0x1010000000000, table=Classifier, priority=210,ip,in_port=32770,vlan_tci=0x0000/0x1000,dl_dst=00:00:10:10:00:66 actions=set_field:0x1000/0xf000->reg8,set_field:0x4/0xf->reg0,set_field:0x0/0xfff->reg8,goto_table:UnSNAT", "cookie=0x1010000000000, table=Classifier, priority=210,ip,in_port=4294967294,vlan_tci=0x0000/0x1000,dl_dst=00:00:10:10:00:66 actions=set_field:0x1000/0xf000->reg8,set_field:0x5/0xf->reg0,goto_table:UnSNAT", - "cookie=0x1010000000000, table=Classifier, priority=190,in_port=100 actions=set_field:0x3/0xf->reg0,set_field:0x100000/0x100000->reg4,set_field:0x200/0x200->reg0,goto_table:SpoofGuard", + "cookie=0x1010000000000, table=Classifier, priority=190,in_port=100 actions=set_field:0x3/0xf->reg0,set_field:0x10000000/0x10000000->reg4,set_field:0x100000/0x100000->reg4,set_field:0x200/0x200->reg0,goto_table:SpoofGuard", "cookie=0x1010000000000, table=SpoofGuard, priority=200,ip,in_port=100,dl_src=00:00:10:10:00:66,nw_src=192.168.77.200 actions=set_field:0x1000/0xf000->reg8,set_field:0x0/0xfff->reg8,goto_table:UnSNAT", "cookie=0x1010000000000, table=L3Forwarding, priority=200,ip,reg8=0x0/0xfff,nw_dst=192.168.77.200 actions=set_field:00:00:10:10:00:66->eth_dst,goto_table:L3DecTTL", "cookie=0x1010000000000, table=L2ForwardingCalc, priority=200,dl_dst=00:00:10:10:00:66 actions=set_field:0x64->reg1,set_field:0x200000/0x600000->reg0,goto_table:IngressSecurityClassifier", @@ -852,7 +852,7 @@ func Test_client_InstallPodFlows(t *testing.T) { expectedFlows: []string{ "cookie=0x1010000000000, table=ARPSpoofGuard, priority=200,arp,in_port=100,arp_spa=192.168.77.200,arp_sha=00:00:10:10:00:66 actions=goto_table:ARPResponder", "cookie=0x1010000000000, table=Classifier, priority=210,ip,in_port=32770,dl_vlan=1,dl_dst=00:00:10:10:00:66 actions=set_field:0x1000/0xf000->reg8,set_field:0x4/0xf->reg0,set_field:0x1/0xfff->reg8,goto_table:UnSNAT", - "cookie=0x1010000000000, table=Classifier, priority=190,in_port=100 actions=set_field:0x3/0xf->reg0,set_field:0x100000/0x100000->reg4,set_field:0x200/0x200->reg0,goto_table:SpoofGuard", + "cookie=0x1010000000000, table=Classifier, priority=190,in_port=100 actions=set_field:0x3/0xf->reg0,set_field:0x10000000/0x10000000->reg4,set_field:0x100000/0x100000->reg4,set_field:0x200/0x200->reg0,goto_table:SpoofGuard", "cookie=0x1010000000000, table=SpoofGuard, priority=200,ip,in_port=100,dl_src=00:00:10:10:00:66,nw_src=192.168.77.200 actions=set_field:0x1000/0xf000->reg8,set_field:0x1/0xfff->reg8,goto_table:UnSNAT", "cookie=0x1010000000000, table=L3Forwarding, priority=200,ip,reg8=0x1/0xfff,nw_dst=192.168.77.200 actions=set_field:00:00:10:10:00:66->eth_dst,goto_table:L3DecTTL", "cookie=0x1010000000000, table=L2ForwardingCalc, priority=200,dl_dst=00:00:10:10:00:66 actions=set_field:0x64->reg1,set_field:0x200000/0x600000->reg0,goto_table:IngressSecurityClassifier", @@ -927,14 +927,14 @@ func Test_client_UpdatePodFlows(t *testing.T) { podUpdatedInterfaceIPs: []net.IP{podIPv4Updated}, expectedFlows: []string{ "cookie=0x1010000000000, table=ARPSpoofGuard, priority=200,arp,in_port=100,arp_spa=10.10.0.66,arp_sha=00:00:10:10:00:66 actions=goto_table:ARPResponder", - "cookie=0x1010000000000, table=Classifier, priority=190,in_port=100 actions=set_field:0x3/0xf->reg0,goto_table:SpoofGuard", + "cookie=0x1010000000000, table=Classifier, priority=190,in_port=100 actions=set_field:0x3/0xf->reg0,set_field:0x10000000/0x10000000->reg4,goto_table:SpoofGuard", "cookie=0x1010000000000, table=SpoofGuard, priority=200,ip,in_port=100,dl_src=00:00:10:10:00:66,nw_src=10.10.0.66 actions=goto_table:UnSNAT", "cookie=0x1010000000000, table=L3Forwarding, priority=200,ip,reg0=0x200/0x200,nw_dst=10.10.0.66 actions=set_field:0a:00:00:00:00:01->eth_src,set_field:00:00:10:10:00:66->eth_dst,goto_table:L3DecTTL", "cookie=0x1010000000000, table=L2ForwardingCalc, priority=200,dl_dst=00:00:10:10:00:66 actions=set_field:0x64->reg1,set_field:0x200000/0x600000->reg0,goto_table:IngressSecurityClassifier", }, expectedNewFlows: []string{ "cookie=0x1010000000000, table=ARPSpoofGuard, priority=200,arp,in_port=100,arp_spa=10.10.0.88,arp_sha=00:00:10:10:00:66 actions=goto_table:ARPResponder", - "cookie=0x1010000000000, table=Classifier, priority=190,in_port=100 actions=set_field:0x3/0xf->reg0,goto_table:SpoofGuard", + "cookie=0x1010000000000, table=Classifier, priority=190,in_port=100 actions=set_field:0x3/0xf->reg0,set_field:0x10000000/0x10000000->reg4,goto_table:SpoofGuard", "cookie=0x1010000000000, table=SpoofGuard, priority=200,ip,in_port=100,dl_src=00:00:10:10:00:66,nw_src=10.10.0.88 actions=goto_table:UnSNAT", "cookie=0x1010000000000, table=L3Forwarding, priority=200,ip,reg0=0x200/0x200,nw_dst=10.10.0.88 actions=set_field:0a:00:00:00:00:01->eth_src,set_field:00:00:10:10:00:66->eth_dst,goto_table:L3DecTTL", "cookie=0x1010000000000, table=L2ForwardingCalc, priority=200,dl_dst=00:00:10:10:00:66 actions=set_field:0x64->reg1,set_field:0x200000/0x600000->reg0,goto_table:IngressSecurityClassifier", @@ -946,13 +946,13 @@ func Test_client_UpdatePodFlows(t *testing.T) { podInterfaceIPs: []net.IP{podIPv6}, podUpdatedInterfaceIPs: []net.IP{podIPv6Updated}, expectedFlows: []string{ - "cookie=0x1010000000000, table=Classifier, priority=190,in_port=100 actions=set_field:0x3/0xf->reg0,goto_table:SpoofGuard", + "cookie=0x1010000000000, table=Classifier, priority=190,in_port=100 actions=set_field:0x3/0xf->reg0,set_field:0x10000000/0x10000000->reg4,goto_table:SpoofGuard", "cookie=0x1010000000000, table=SpoofGuard, priority=200,ipv6,in_port=100,dl_src=00:00:10:10:00:66,ipv6_src=fec0:10:10::66 actions=goto_table:IPv6", "cookie=0x1010000000000, table=L3Forwarding, priority=200,ipv6,reg0=0x200/0x200,ipv6_dst=fec0:10:10::66 actions=set_field:0a:00:00:00:00:01->eth_src,set_field:00:00:10:10:00:66->eth_dst,goto_table:L3DecTTL", "cookie=0x1010000000000, table=L2ForwardingCalc, priority=200,dl_dst=00:00:10:10:00:66 actions=set_field:0x64->reg1,set_field:0x200000/0x600000->reg0,goto_table:IngressSecurityClassifier", }, expectedNewFlows: []string{ - "cookie=0x1010000000000, table=Classifier, priority=190,in_port=100 actions=set_field:0x3/0xf->reg0,goto_table:SpoofGuard", + "cookie=0x1010000000000, table=Classifier, priority=190,in_port=100 actions=set_field:0x3/0xf->reg0,set_field:0x10000000/0x10000000->reg4,goto_table:SpoofGuard", "cookie=0x1010000000000, table=SpoofGuard, priority=200,ipv6,in_port=100,dl_src=00:00:10:10:00:66,ipv6_src=fec0:10:10::88 actions=goto_table:IPv6", "cookie=0x1010000000000, table=L3Forwarding, priority=200,ipv6,reg0=0x200/0x200,ipv6_dst=fec0:10:10::88 actions=set_field:0a:00:00:00:00:01->eth_src,set_field:00:00:10:10:00:66->eth_dst,goto_table:L3DecTTL", "cookie=0x1010000000000, table=L2ForwardingCalc, priority=200,dl_dst=00:00:10:10:00:66 actions=set_field:0x64->reg1,set_field:0x200000/0x600000->reg0,goto_table:IngressSecurityClassifier", @@ -1357,7 +1357,7 @@ func Test_client_InstallServiceFlows(t *testing.T) { isNodePort: true, trafficPolicyLocal: true, expectedFlows: []string{ - "cookie=0x1030000000000, table=ServiceLB, priority=210,udp,reg4=0x90000/0xf0000,nw_src=10.10.0.0/24,tp_dst=80 actions=set_field:0x200/0x200->reg0,set_field:0x30000/0x70000->reg4,set_field:0x200000/0x200000->reg4,set_field:0x64->reg7,group:100", + "cookie=0x1030000000000, table=ServiceLB, priority=210,udp,reg4=0x10090000/0x100f0000,tp_dst=80 actions=set_field:0x200/0x200->reg0,set_field:0x30000/0x70000->reg4,set_field:0x200000/0x200000->reg4,set_field:0x64->reg7,group:100", "cookie=0x1030000000000, table=ServiceLB, priority=200,udp,reg4=0x90000/0xf0000,tp_dst=80 actions=set_field:0x200/0x200->reg0,set_field:0x30000/0x70000->reg4,set_field:0x200000/0x200000->reg4,set_field:0x65->reg7,group:101", "cookie=0x1030000000065, table=ServiceLB, priority=190,udp,reg4=0xb0000/0xf0000,tp_dst=80 actions=learn(table=SessionAffinity,hard_timeout=100,priority=200,delete_learned,cookie=0x1030000000065,eth_type=0x800,nw_proto=0x11,OXM_OF_UDP_DST[],NXM_OF_IP_DST[],NXM_OF_IP_SRC[],load:NXM_NX_REG4[0..15]->NXM_NX_REG4[0..15],load:NXM_NX_REG4[26]->NXM_NX_REG4[26],load:NXM_NX_REG3[]->NXM_NX_REG3[],load:0x2->NXM_NX_REG4[16..18],load:0x1->NXM_NX_REG0[9],load:0x1->NXM_NX_REG4[21]),set_field:0x20000/0x70000->reg4,goto_table:EndpointDNAT", }, @@ -1392,7 +1392,7 @@ func Test_client_InstallServiceFlows(t *testing.T) { isExternal: true, trafficPolicyLocal: true, expectedFlows: []string{ - "cookie=0x1030000000000, table=ServiceLB, priority=210,sctp,reg4=0x10000/0x70000,nw_src=10.10.0.0/24,nw_dst=10.96.0.100,tp_dst=80 actions=set_field:0x200/0x200->reg0,set_field:0x30000/0x70000->reg4,set_field:0x200000/0x200000->reg4,set_field:0x64->reg7,group:100", + "cookie=0x1030000000000, table=ServiceLB, priority=210,sctp,reg4=0x10010000/0x10070000,nw_dst=10.96.0.100,tp_dst=80 actions=set_field:0x200/0x200->reg0,set_field:0x30000/0x70000->reg4,set_field:0x200000/0x200000->reg4,set_field:0x64->reg7,group:100", "cookie=0x1030000000000, table=ServiceLB, priority=200,sctp,reg4=0x10000/0x70000,nw_dst=10.96.0.100,tp_dst=80 actions=set_field:0x200/0x200->reg0,set_field:0x30000/0x70000->reg4,set_field:0x200000/0x200000->reg4,set_field:0x65->reg7,group:101", "cookie=0x1030000000065, table=ServiceLB, priority=190,sctp,reg4=0x30000/0x70000,nw_dst=10.96.0.100,tp_dst=80 actions=learn(table=SessionAffinity,hard_timeout=100,priority=200,delete_learned,cookie=0x1030000000065,eth_type=0x800,nw_proto=0x84,OXM_OF_SCTP_DST[],NXM_OF_IP_DST[],NXM_OF_IP_SRC[],load:NXM_NX_REG4[0..15]->NXM_NX_REG4[0..15],load:NXM_NX_REG4[26]->NXM_NX_REG4[26],load:NXM_NX_REG3[]->NXM_NX_REG3[],load:0x2->NXM_NX_REG4[16..18],load:0x1->NXM_NX_REG0[9],load:0x1->NXM_NX_REG4[21]),set_field:0x20000/0x70000->reg4,goto_table:EndpointDNAT", }, diff --git a/pkg/agent/openflow/fields.go b/pkg/agent/openflow/fields.go index 87d0521af2e..47381d5ad0b 100644 --- a/pkg/agent/openflow/fields.go +++ b/pkg/agent/openflow/fields.go @@ -41,7 +41,7 @@ var ( PktSourceField = binding.NewRegField(0, 0, 3) FromTunnelRegMark = binding.NewRegMark(PktSourceField, tunnelVal) FromGatewayRegMark = binding.NewRegMark(PktSourceField, gatewayVal) - FromLocalRegMark = binding.NewRegMark(PktSourceField, localVal) + FromPodRegMark = binding.NewRegMark(PktSourceField, localVal) FromUplinkRegMark = binding.NewRegMark(PktSourceField, uplinkVal) FromBridgeRegMark = binding.NewRegMark(PktSourceField, bridgeVal) FromTCReturnRegMark = binding.NewRegMark(PktSourceField, tcReturnVal) @@ -147,6 +147,8 @@ var ( // the Node's traffic is forwarded to OVS. And even if there is no masquerade rule, there should be no problem to // consider the packet external sourced as the other IPs are routable externally anyway. FromExternalRegMark = binding.NewOneBitRegMark(4, 27) + // reg4[28]: Mark to indicate that whether the traffic's source is a local Pod or the Node. + FromLocalRegMark = binding.NewOneBitRegMark(4, 28) // reg5(NXM_NX_REG5) // Field to cache the Egress conjunction ID hit by TraceFlow packet. diff --git a/pkg/agent/openflow/pipeline.go b/pkg/agent/openflow/pipeline.go index 9daed3adc33..b5f75df9327 100644 --- a/pkg/agent/openflow/pipeline.go +++ b/pkg/agent/openflow/pipeline.go @@ -533,7 +533,7 @@ func (f *featurePodConnectivity) gatewayClassifierFlows() []binding.Flow { MatchInPort(f.gatewayPort). MatchProtocol(ipProtocol). MatchSrcIP(gatewayIP). - Action().LoadRegMark(FromGatewayRegMark). + Action().LoadRegMark(FromGatewayRegMark, FromLocalRegMark). Action().GotoStage(stageValidation). Done()) } @@ -550,7 +550,7 @@ func (f *featurePodConnectivity) gatewayClassifierFlows() []binding.Flow { // podClassifierFlow generates the flow to mark the packets from a local Pod port. // If multi-cluster is enabled, also load podLabelID into LabelIDField. func (f *featurePodConnectivity) podClassifierFlow(podOFPort uint32, isAntreaFlexibleIPAM bool, podLabelID *uint32) binding.Flow { - regMarksToLoad := []*binding.RegMark{FromLocalRegMark} + regMarksToLoad := []*binding.RegMark{FromPodRegMark, FromLocalRegMark} if isAntreaFlexibleIPAM { regMarksToLoad = append(regMarksToLoad, AntreaFlexibleIPAMRegMark, RewriteMACRegMark) } @@ -769,7 +769,7 @@ func (f *featureService) snatConntrackFlows() []binding.Flow { MatchProtocol(ipProtocol). MatchCTStateNew(true). MatchCTStateTrk(true). - MatchRegMark(FromLocalRegMark). + MatchRegMark(FromPodRegMark). MatchCTMark(HairpinCTMark). Action().CT(true, SNATTable.GetNext(), f.snatCtZones[ipProtocol], nil). SNAT(&binding.IPRange{StartIP: gatewayIP, EndIP: gatewayIP}, nil). @@ -2411,9 +2411,9 @@ func (f *featureService) serviceLBFlows(config *types.ServiceConfig) []binding.F buildFlow(priorityNormal, config.TrafficPolicyGroupID(), nil), } if config.IsExternal && config.TrafficPolicyLocal { - // For short-circuiting flow, an extra match condition matching packet from local Pod CIDR is added. + // For short-circuiting flow, an extra match condition matching packet from a local Pod or the Node is added. flows = append(flows, buildFlow(priorityHigh, config.ClusterGroupID, func(b binding.FlowBuilder) binding.FlowBuilder { - return b.MatchSrcIPNet(f.localCIDRs[getIPProtocol(config.ServiceIP)]) + return b.MatchRegMark(FromLocalRegMark) })) } if config.IsDSR { @@ -2627,7 +2627,7 @@ func (f *featureEgress) externalFlows() []binding.Flow { MatchProtocol(ipProtocol). MatchCTStateRpl(false). MatchCTStateTrk(true). - MatchRegMark(FromLocalRegMark, NotAntreaFlexibleIPAMRegMark). + MatchRegMark(FromPodRegMark, NotAntreaFlexibleIPAMRegMark). Action().GotoTable(EgressMarkTable.GetID()). Done(), // This generates the flow to match the packets sourced from tunnel and destined for external network, then @@ -2750,7 +2750,7 @@ func (f *featureMulticast) igmpEgressFlow() binding.Flow { return MulticastEgressRuleTable.ofTable.BuildFlow(priorityTopAntreaPolicy). Cookie(f.cookieAllocator.Request(f.category).Raw()). MatchProtocol(binding.ProtocolIGMP). - MatchRegMark(FromLocalRegMark). + MatchRegMark(FromPodRegMark). Action().GotoStage(stageRouting). Done() } @@ -2759,7 +2759,7 @@ func (f *featureMulticast) igmpEgressFlow() binding.Flow { // and sends it to antrea-agent. func (f *featureMulticast) igmpPktInFlows() []binding.Flow { var flows []binding.Flow - sourceMarks := []*binding.RegMark{FromLocalRegMark} + sourceMarks := []*binding.RegMark{FromPodRegMark} if f.encapEnabled { sourceMarks = append(sourceMarks, FromTunnelRegMark) } diff --git a/pkg/agent/openflow/pod_connectivity_test.go b/pkg/agent/openflow/pod_connectivity_test.go index 53b2cfc5a3e..327372ebb08 100644 --- a/pkg/agent/openflow/pod_connectivity_test.go +++ b/pkg/agent/openflow/pod_connectivity_test.go @@ -34,7 +34,7 @@ func podConnectivityInitFlows( if !isIPv4 { return []string{ "cookie=0x1010000000000, table=Classifier, priority=200,in_port=32768 actions=set_field:0x1/0xf->reg0,set_field:0x200/0x200->reg0,goto_table:UnSNAT", - "cookie=0x1010000000000, table=Classifier, priority=210,ipv6,in_port=32769,ipv6_src=fec0:10:10::1 actions=set_field:0x2/0xf->reg0,goto_table:SpoofGuard", + "cookie=0x1010000000000, table=Classifier, priority=210,ipv6,in_port=32769,ipv6_src=fec0:10:10::1 actions=set_field:0x2/0xf->reg0,set_field:0x10000000/0x10000000->reg4,goto_table:SpoofGuard", "cookie=0x1010000000000, table=Classifier, priority=200,in_port=32769 actions=set_field:0x2/0xf->reg0,set_field:0x8000000/0x8000000->reg4,goto_table:SpoofGuard", "cookie=0x1010000000000, table=SpoofGuard, priority=200,ipv6,ipv6_src=fe80::/10 actions=goto_table:IPv6", "cookie=0x1010000000000, table=SpoofGuard, priority=200,ipv6,in_port=32769 actions=goto_table:IPv6", @@ -61,7 +61,7 @@ func podConnectivityInitFlows( flows = []string{ "cookie=0x1010000000000, table=ARPSpoofGuard, priority=200,arp,in_port=32769,arp_spa=10.10.0.1,arp_sha=0a:00:00:00:00:01 actions=goto_table:ARPResponder", "cookie=0x1010000000000, table=ARPResponder, priority=190,arp actions=NORMAL", - "cookie=0x1010000000000, table=Classifier, priority=210,ip,in_port=32769,nw_src=10.10.0.1 actions=set_field:0x2/0xf->reg0,goto_table:SpoofGuard", + "cookie=0x1010000000000, table=Classifier, priority=210,ip,in_port=32769,nw_src=10.10.0.1 actions=set_field:0x2/0xf->reg0,set_field:0x10000000/0x10000000->reg4,goto_table:SpoofGuard", "cookie=0x1010000000000, table=Classifier, priority=200,in_port=32769 actions=set_field:0x2/0xf->reg0,set_field:0x8000000/0x8000000->reg4,goto_table:SpoofGuard", "cookie=0x1010000000000, table=ConntrackZone, priority=200,ip actions=ct(table=ConntrackState,zone=65520,nat)", "cookie=0x1010000000000, table=ConntrackState, priority=200,ct_state=+inv+trk,ip actions=drop", @@ -123,7 +123,7 @@ func podConnectivityInitFlows( "cookie=0x1010000000000, table=IPv6, priority=200,icmp6,icmp_type=135,icmp_code=0 actions=NORMAL", "cookie=0x1010000000000, table=IPv6, priority=200,icmp6,icmp_type=136,icmp_code=0 actions=NORMAL", "cookie=0x1010000000000, table=IPv6, priority=200,ipv6,ipv6_dst=ff00::/8 actions=NORMAL", - "cookie=0x1010000000000, table=Classifier, priority=210,ipv6,in_port=32769,ipv6_src=fec0:10:10::1 actions=set_field:0x2/0xf->reg0,goto_table:SpoofGuard", + "cookie=0x1010000000000, table=Classifier, priority=210,ipv6,in_port=32769,ipv6_src=fec0:10:10::1 actions=set_field:0x2/0xf->reg0,set_field:0x10000000/0x10000000->reg4,goto_table:SpoofGuard", "cookie=0x1010000000000, table=Classifier, priority=200,in_port=32769 actions=set_field:0x2/0xf->reg0,set_field:0x8000000/0x8000000->reg4,goto_table:SpoofGuard", "cookie=0x1010000000000, table=ConntrackZone, priority=200,ipv6 actions=ct(table=ConntrackState,zone=65510,nat)", "cookie=0x1010000000000, table=ConntrackState, priority=200,ct_state=+inv+trk,ipv6 actions=drop", @@ -144,7 +144,7 @@ func podConnectivityInitFlows( flows = []string{ "cookie=0x1010000000000, table=ARPSpoofGuard, priority=200,arp,in_port=32769,arp_spa=10.10.0.1,arp_sha=0a:00:00:00:00:01 actions=goto_table:ARPResponder", "cookie=0x1010000000000, table=ARPResponder, priority=190,arp actions=NORMAL", - "cookie=0x1010000000000, table=Classifier, priority=210,ip,in_port=32769,nw_src=10.10.0.1 actions=set_field:0x2/0xf->reg0,goto_table:SpoofGuard", + "cookie=0x1010000000000, table=Classifier, priority=210,ip,in_port=32769,nw_src=10.10.0.1 actions=set_field:0x2/0xf->reg0,set_field:0x10000000/0x10000000->reg4,goto_table:SpoofGuard", "cookie=0x1010000000000, table=Classifier, priority=200,in_port=32769 actions=set_field:0x2/0xf->reg0,set_field:0x8000000/0x8000000->reg4,goto_table:SpoofGuard", "cookie=0x1010000000000, table=ConntrackState, priority=200,ct_state=+inv+trk,ip actions=drop", "cookie=0x1010000000000, table=ConntrackState, priority=190,ct_state=-new+trk,ct_mark=0x0/0x10,ip actions=goto_table:AntreaPolicyEgressRule", @@ -235,7 +235,7 @@ func podConnectivityInitFlows( "cookie=0x1010000000000, table=IPv6, priority=200,icmp6,icmp_type=135,icmp_code=0 actions=NORMAL", "cookie=0x1010000000000, table=IPv6, priority=200,icmp6,icmp_type=136,icmp_code=0 actions=NORMAL", "cookie=0x1010000000000, table=IPv6, priority=200,ipv6,ipv6_dst=ff00::/8 actions=NORMAL", - "cookie=0x1010000000000, table=Classifier, priority=210,ipv6,in_port=32769,ipv6_src=fec0:10:10::1 actions=set_field:0x2/0xf->reg0,goto_table:SpoofGuard", + "cookie=0x1010000000000, table=Classifier, priority=210,ipv6,in_port=32769,ipv6_src=fec0:10:10::1 actions=set_field:0x2/0xf->reg0,set_field:0x10000000/0x10000000->reg4,goto_table:SpoofGuard", "cookie=0x1010000000000, table=Classifier, priority=200,in_port=32769 actions=set_field:0x2/0xf->reg0,set_field:0x8000000/0x8000000->reg4,goto_table:SpoofGuard", "cookie=0x1010000000000, table=ConntrackZone, priority=200,ipv6 actions=ct(table=ConntrackState,zone=65510,nat)", "cookie=0x1010000000000, table=ConntrackState, priority=200,ct_state=+inv+trk,ipv6 actions=drop", @@ -257,7 +257,7 @@ func podConnectivityInitFlows( "cookie=0x1010000000000, table=ARPSpoofGuard, priority=200,arp,in_port=32769,arp_spa=10.10.0.1,arp_sha=0a:00:00:00:00:01 actions=goto_table:ARPResponder", "cookie=0x1010000000000, table=ARPResponder, priority=200,arp,arp_op=1 actions=move:NXM_OF_ETH_SRC[]->NXM_OF_ETH_DST[],set_field:aa:bb:cc:dd:ee:ff->eth_src,set_field:2->arp_op,move:NXM_NX_ARP_SHA[]->NXM_NX_ARP_THA[],set_field:aa:bb:cc:dd:ee:ff->arp_sha,move:NXM_OF_ARP_TPA[]->NXM_NX_REG2[],move:NXM_OF_ARP_SPA[]->NXM_OF_ARP_TPA[],move:NXM_NX_REG2[]->NXM_OF_ARP_SPA[],IN_PORT", "cookie=0x1010000000000, table=ARPResponder, priority=190,arp actions=NORMAL", - "cookie=0x1010000000000, table=Classifier, priority=210,ip,in_port=32769,nw_src=10.10.0.1 actions=set_field:0x2/0xf->reg0,goto_table:SpoofGuard", + "cookie=0x1010000000000, table=Classifier, priority=210,ip,in_port=32769,nw_src=10.10.0.1 actions=set_field:0x2/0xf->reg0,set_field:0x10000000/0x10000000->reg4,goto_table:SpoofGuard", "cookie=0x1010000000000, table=Classifier, priority=200,in_port=32769 actions=set_field:0x2/0xf->reg0,set_field:0x8000000/0x8000000->reg4,goto_table:SpoofGuard", "cookie=0x1010000000000, table=SpoofGuard, priority=200,ip,in_port=32769 actions=goto_table:UnSNAT", "cookie=0x1010000000000, table=ConntrackZone, priority=200,ip actions=ct(table=ConntrackState,zone=65520,nat)", diff --git a/pkg/agent/openflow/service.go b/pkg/agent/openflow/service.go index 3a2c372c2ae..2d8a4c0453b 100644 --- a/pkg/agent/openflow/service.go +++ b/pkg/agent/openflow/service.go @@ -43,7 +43,6 @@ type featureService struct { gatewayMAC net.HardwareAddr nodePortAddresses map[binding.Protocol][]net.IP serviceCIDRs map[binding.Protocol]net.IPNet - localCIDRs map[binding.Protocol]net.IPNet networkConfig *config.NetworkConfig gatewayPort uint32 @@ -81,7 +80,6 @@ func newFeatureService( snatCtZones := make(map[binding.Protocol]int) nodePortAddresses := make(map[binding.Protocol][]net.IP) serviceCIDRs := make(map[binding.Protocol]net.IPNet) - localCIDRs := make(map[binding.Protocol]net.IPNet) for _, ipProtocol := range ipProtocols { if ipProtocol == binding.ProtocolIP { gatewayIPs[ipProtocol] = nodeConfig.GatewayConfig.IPv4 @@ -93,9 +91,6 @@ func newFeatureService( if serviceConfig.ServiceCIDR != nil { serviceCIDRs[ipProtocol] = *serviceConfig.ServiceCIDR } - if nodeConfig.PodIPv4CIDR != nil { - localCIDRs[ipProtocol] = *nodeConfig.PodIPv4CIDR - } } else if ipProtocol == binding.ProtocolIPv6 { gatewayIPs[ipProtocol] = nodeConfig.GatewayConfig.IPv6 virtualIPs[ipProtocol] = config.VirtualServiceIPv6 @@ -106,9 +101,6 @@ func newFeatureService( if serviceConfig.ServiceCIDRv6 != nil { serviceCIDRs[ipProtocol] = *serviceConfig.ServiceCIDRv6 } - if nodeConfig.PodIPv6CIDR != nil { - localCIDRs[ipProtocol] = *nodeConfig.PodIPv6CIDR - } } } @@ -126,7 +118,6 @@ func newFeatureService( snatCtZones: snatCtZones, nodePortAddresses: nodePortAddresses, serviceCIDRs: serviceCIDRs, - localCIDRs: localCIDRs, gatewayMAC: nodeConfig.GatewayConfig.MAC, gatewayPort: nodeConfig.GatewayConfig.OFPort, networkConfig: networkConfig, diff --git a/test/integration/agent/openflow_test.go b/test/integration/agent/openflow_test.go index a7141f4fdfb..a6d7fe72582 100644 --- a/test/integration/agent/openflow_test.go +++ b/test/integration/agent/openflow_test.go @@ -1131,7 +1131,7 @@ func preparePodFlows(podIPs []net.IP, podMAC net.HardwareAddr, podOFPort uint32, []*ofTestUtils.ExpectFlow{ { MatchStr: fmt.Sprintf("priority=190,in_port=%d", podOFPort), - ActStr: fmt.Sprintf("set_field:0x3/0xf->reg0%s%s,goto_table:SpoofGuard", actionNotAntreaFlexibleIPAMString, actionNotMulticlusterString), + ActStr: fmt.Sprintf("set_field:0x3/0xf->reg0,set_field:0x10000000/0x10000000->reg4%s%s,goto_table:SpoofGuard", actionNotAntreaFlexibleIPAMString, actionNotMulticlusterString), }, }, }, @@ -1315,7 +1315,7 @@ func prepareGatewayFlows(gwIPs []net.IP, gwMAC net.HardwareAddr, vMAC net.Hardwa []*ofTestUtils.ExpectFlow{ { MatchStr: fmt.Sprintf("priority=210,%s,in_port=%d,%s=%s", ipProtoStr, agentconfig.DefaultHostGatewayOFPort, nwSrcStr, gwIP), - ActStr: "set_field:0x2/0xf->reg0,goto_table:SpoofGuard", + ActStr: "set_field:0x2/0xf->reg0,set_field:0x10000000/0x10000000->reg4,goto_table:SpoofGuard", }, }, },