Remove Service hairpin table ServiceHairpinTable and HairpinSNATTable #2842
Conversation
Codecov Report
@@ Coverage Diff @@
## main #2842 +/- ##
==========================================
- Coverage 61.42% 61.26% -0.16%
==========================================
Files 284 284
Lines 23470 23483 +13
==========================================
- Hits 14417 14388 -29
- Misses 7496 7553 +57
+ Partials 1557 1542 -15
Flags with carried forward coverage won't be shown. Click here to find out more.
|
hongliangl
force-pushed
the
remove-hairpin
branch
from
1c9c3a9 to
d14680a
Compare
| @@ -34,9 +34,9 @@ type connTrackOvsCtlWindows struct { | |||
| func (ct *connTrackOvsCtlWindows) GetMaxConnections() (int, error) { | |||
| var zoneID int | |||
| if ct.serviceCIDRv4 != nil { | |||
| zoneID = openflow.CtZone | |||
| zoneID = openflow.DNATCtZone | |||
There was a problem hiding this comment.
Windows doesn't support IPv6 now, so it is not necessary to leverage DNATCtZoneV6 on Windows.
| Cookie(c.cookieAllocator.Request(category).Raw()). | ||
| Done(), | ||
| connectionTrackCommitTable.BuildFlow(priorityLow).MatchProtocol(proto). | ||
| MatchCTStateTrk(true). | ||
| dnatConnectionTrackCommitTable.BuildFlow(priorityHigh).MatchProtocol(proto). | ||
| MatchCTMark(ServiceCTMark). |
There was a problem hiding this comment.
It looks you want all the DNATed connections to goto snatConntrackCommitTable? Is it better to redirect only the ones has HairpinRegMark for established connections and redirect all new DNATed connections?
pkg/agent/openflow/pipeline.go
Outdated
| // Service CT_MARK). Since the reply packets should be output to the port on which it was received and the | ||
| // CT_MARK value for hairpin will be lost, HairpinRegMark is used. | ||
| dnatConnectionTrackTable.BuildFlow(priorityHigh).MatchProtocol(proto). | ||
| MatchCTStateRpl(true). |
There was a problem hiding this comment.
Is it better to load the regMark in snatConnectionTrackTable or maybe you can a sequencing table after snatConnectionTrackTable to check the snat conntrack track state?
There was a problem hiding this comment.
This flow is for reply packets. Without passing SNAT ct zone on table snatConnectionTrackTable, we cannot get the CT_MARK which is set on SNAT ct zone.
There was a problem hiding this comment.
snatConnectionTrackTable is prior to dnatConnectionTrackTable, so the reply packet is possible to enter snatConnectionTrackTable first?
pkg/agent/openflow/pipeline.go
Outdated
| // value set in SNAT ct zone will be lost after passing DNAT ct zone, before | ||
| // passing DNAT ct zone, HairpinRegMark is set and is used to match the reply | ||
| // packets. | ||
| func (c *client) l2ForwardOutputServiceHairpinFlows() []binding.Flow { |
There was a problem hiding this comment.
Do you think it is better to use a single flow in L2ForwardingOutTable for Hairpin traffic. I guess you add a flow to match condition "ServiceHairpinCTMark" for the first traffic for such flows. Maybe you can load the regmark in the flow action when committing the connection to snatConntrackZone
There was a problem hiding this comment.
It's not only for the first packet of hairpin connections. It's also for the third, fifth .. packets (requests packets except the first one). The request packets (except the first one) cannot get the value of CT_MARK when passing through SNAT ct zone on table snatConntrackTable (but reply packets can get). When passing through SNAT ct zone on table snatConntrackCommitTable, the value of CT_MARK can be got. However, the next table L2ForwardingOutTable. I think we'd better add a flow rather than a new table.
There was a problem hiding this comment.
Actually I don't prefer to use ct mark in L2ForwardingOutTable, as I thought this table is possible to focus on L2 operations... Since the target ofport number is decided after L2FwdCalcTable, is it possible to set the regMark after that table?
hongliangl
force-pushed
the
remove-hairpin
branch
from
d14680a to
4d7338f
Compare
antoninbas
added
area/ovs/openflow
|
Could you provide information about this change in the commit message & PR description? I have no context for this change and there is no linked issue. |
hongliangl
force-pushed
the
remove-hairpin
branch
3 times, most recently
from
60fca2b to
6ee76a7
Compare
Updated. |
hongliangl
force-pushed
the
remove-hairpin
branch
from
6ee76a7 to
ef0dfff
Compare
There was a problem hiding this comment.
I think Antonin means to explain why we make the changes.
In the commit message:
flow that matches the packet whose input and output
interfaces are the same and makes mark HairpinRegMark,
will be installed on table hairpinMarkTable.
a flow will be installed into hairpinMarkTable, which sets HairpinRegMark for the packets whose input and output ports are the same.
mark HairpinRegMark will be performed SNAT with Antrea
Packets with HairpinRegMark set will be SNAT'd
gateway IP on table snatConntrackCommitTable.
in snatConntrackCommitTable
hongliangl
force-pushed
the
remove-hairpin
branch
from
ef0dfff to
c458f01
Compare
@jianjuns, Thanks. Since a SNAT ct zone is added in PR #2599, hairpin Service traffic can make use of the SNAT ct zone instead of current stateless SNAT by modifying source and destination IPs. By removing hairpin table ServiceHairpinTable and HairpinSNATTable, the OVS pipeline can be simpler. |
hongliangl
force-pushed
the
remove-hairpin
branch
3 times, most recently
from
2d515eb to
0d032f8
Compare
Since a SNAT ct zone is added in PR antrea-io#2599, hairpin Service traffic can make use of the SNAT ct zone instead of current stateless SNAT by modifying source and destination IPs. By removing hairpin table ServiceHairpinTable and HairpinSNATTable, the OVS pipeline can be simpler. Pipeline modifications: - Remove table serviceHairpinTable #23. - Remove table HairpinSNATTable #108. - Add table hairpinMarkTable #81 after table l2ForwardingCalcTable #80. When a local Endpoint is referenced by a Service, then a flow that matches the packet whose input and output interfaces are the same and makes mark HairpinRegMark, will be installed on table hairpinMarkTable. Packets with mark HairpinRegMark will be performed SNAT with Antrea gateway IP on table snatConntrackCommitTable. Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
hongliangl
force-pushed
the
remove-hairpin
branch
from
0d032f8 to
e879ea7
Compare
|
This PR is stale because it has been open 90 days with no activity. Remove stale label or comment, or this will be closed in 90 days |
github-actions
bot
added
the
lifecycle/stale
Since a SNAT ct zone is added in PR #2599, hairpin Service
traffic can make use of the SNAT ct zone instead of current
stateless SNAT by modifying source and destination IPs.
By removing hairpin table ServiceHairpinTable and
HairpinSNATTable, the OVS pipeline can be simpler.
Pipeline modifications:
l2ForwardingCalcTable 80.
When a local Endpoint is referenced by a Service, then a
flow that matches the packet whose input and output
interfaces are the same and makes mark HairpinRegMark,
will be installed on table hairpinMarkTable. Packets with
mark HairpinRegMark will be performed SNAT with Antrea
gateway IP on table snatConntrackCommitTable.
Signed-off-by: Hongliang Liu lhongliang@vmware.com