Prioritize L7NP flows over TrafficControl

[hongliangl]

When applying an L7NP to a Pod, there's a potential issue where creating a TrafficControl CR with a redirect action to the same Pod could bypass the L7 engine. This is due to the fact that both the ct mark L7NPRedirectCTMark for identifying L7NP packets and the reg mark TrafficControlRedirectRegMark for identifying TrafficControl redirect packets can be set together. In OutputTable, the priorities of flows to match the ct mark and the reg mark are the same. Without an additional condition to distinguish between them, packets with both the reg mark and ct mark may be matched by either flow with an equal chance. To rectify this and ensure proper L7NP enforcement, it is crucial to assign a higher priority to the flow that matches the ct mark L7NPRedirectCTMark.

This patch also adds an extra parameter priority to InstallTrafficControlMarkFlows, which is
used to set the priority of the related flows.

[antoninbas]

That looks fine to me, but that may not be sufficient for @tushartathgur's L7Visibility implementation. I think ideally we want a way to ensure that priority(L7NP) > priority(user-defined TC) > priority(L7Visibility). Some extra work may be needed to ensure the second > relationship.

[hongliangl]

You are right, some extra work should be done to ensure the second > relationship. I think it's better to include these part of work in @tushartathgur 's PR. I can work on this part based on his PR.

[hongliangl]

That looks fine to me, but that may not be sufficient for @tushartathgur's L7Visibility implementation. I think ideally we want a way to ensure that priority(L7NP) > priority(user-defined TC) > priority(L7Visibility). Some extra work may be needed to ensure the second > relationship.

@antoninbas Done as you said. I have added an extra parameter to InstallTrafficControlMarkFlows to decide the priority of the related flows. Please see the latest commit I have pushed. Thanks.

[antoninbas]

fine by me again, but @tnqn and @tushartathgur should take a look

I'll defer to Quan for approval

[antoninbas]

you could define a dedicated type for this:

type TrafficControlFlowPriority string

const (
	TrafficControlFlowPriorityHigh   TrafficControlFlowPriority = "high"
	TrafficControlFlowPriorityMedium TrafficControlFlowPriority = "medium"
	TrafficControlFlowPriorityLow    TrafficControlFlowPriority = "low"
)

func (p TrafficControlFlowPriority) toOFPriority() uint16 {
	switch p {
	case TrafficControlFlowPriorityHigh:
		return priorityHigh
	case TrafficControlFlowPriorityMedium:
		return priorityNormal
	case TrafficControlFlowPriorityLow:
		return priorityLow
	default:
		return 0
	}
}

[hongliangl]

Good idea! Thanks

[hongliangl]

@tnqn @tushartathgur Could you help verify this? Thanks a lot.

[tnqn]

Why aren't they defined in the same file as the type?

[hongliangl]

To avoid cycled-import in test code, I only moved the definition to another file. It's okay to move these definitions to the where TrafficControlFlowPriority is defined.

[tnqn]

What's this change for? The flow has the same match and condition as the one in trafficControlCommonFlows, changing priority shouldn't change anything.

[hongliangl]

This is not a necessary change. As you mentioned, this is the same flow with the one in trafficControlCommonFlows. When both L7NP and TrafficControl are enabled, the same flows will be added and it is a little weird, so I changed the priority. I think it is also okay to revert the change since we can handle duplicated flows when syncing flows to OVS.

[tnqn]

Better to comment which kind of flows should which priority.

[hongliangl]

Added

[tnqn]

LGTM

[tnqn]

/test-all

[hongliangl]

/test-e2e

[tnqn]

/test-e2e