Commit new connections after NetworkPolicy check

Add conntrackCommit table(#105) between ingressDefault table(#100) and L2ForwardingOut(#110) table, and packets in the new connections are committed in this table. There is no table-miss flow in this table.
antrea-io · Dec 13, 2019 · 0e68f1b · 0e68f1b
1 parent 951b7f3
commit 0e68f1b
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 25 deletions.
diff --git a/.github/workflows/kind.yml b/.github/workflows/kind.yml
@@ -43,4 +43,4 @@ jobs:
     - name: Run e2e tests
       run: |
         ./hack/generate-manifest.sh --kind | docker exec -i kind-control-plane dd of=/root/antrea.yml
-        go test -short github.com/vmware-tanzu/antrea/test/e2e -provider=kind
+        go test github.com/vmware-tanzu/antrea/test/e2e -provider=kind
diff --git a/pkg/agent/openflow/pipeline.go b/pkg/agent/openflow/pipeline.go
@@ -38,6 +38,7 @@ const (
 	l2ForwardingCalcTable binding.TableIDType = 80
 	ingressRuleTable      binding.TableIDType = 90
 	ingressDefaultTable   binding.TableIDType = 100
+	conntrackCommitTable  binding.TableIDType = 105
 	l2ForwardingOutTable  binding.TableIDType = 110
 
 	// Flow priority level
@@ -144,9 +145,11 @@ func (c *client) defaultFlows() (flows []binding.Flow) {
 		case binding.TableMissActionNormal:
 			flowBuilder = flowBuilder.Action().Normal()
 		case binding.TableMissActionDrop:
+			flowBuilder = flowBuilder.Action().Drop()
+		case binding.TableMissActionNone:
 			fallthrough
 		default:
-			flowBuilder = flowBuilder.Action().Drop()
+			continue
 		}
 		flows = append(flows, flowBuilder.Done())
 	}
@@ -183,12 +186,15 @@ func (c *client) podClassifierFlow(podOFPort uint32) binding.Flow {
 }
 
 // connectionTrackFlows generates flows that redirect traffic to ct_zone and handle traffic according to ct_state:
-// 1) commit new connections to ct.
-// 2) Add ct_mark on the packet if it is sent back to the switch from the host gateway.
-// 3) Drop all invalid traffic.
+// 1) commit new connections to ct_zone(0xfff0) in the contrackCommitTable.
+// 2) Add ct_mark on the packet if it is sent to the switch from the host gateway.
+// 3) Allow traffic if it hits ct_mark and is sent from the host gateway.
+// 4) Drop all invalid traffic.
+// 5) Resubmit other traffic to the next table by the table-miss flow.
 func (c *client) connectionTrackFlows() (flows []binding.Flow) {
 	connectionTrackTable := c.pipeline[conntrackTable]
 	connectionTrackStateTable := c.pipeline[conntrackStateTable]
+	connectionTrackCommitTable := c.pipeline[conntrackCommitTable]
 	flows = []binding.Flow{
 		connectionTrackTable.BuildFlow(priorityNormal).MatchProtocol(binding.ProtocolIP).
 			Action().CT(false, connectionTrackTable.GetNext(), ctZone).CTDone().
@@ -200,17 +206,17 @@ func (c *client) connectionTrackFlows() (flows []binding.Flow) {
 			Action().ResubmitToTable(connectionTrackStateTable.GetNext()).
 			Done(),
 		connectionTrackStateTable.BuildFlow(priorityNormal).MatchProtocol(binding.ProtocolIP).
+			MatchCTStateInv(true).MatchCTStateTrk(true).
+			Action().Drop().
+			Done(),
+		connectionTrackCommitTable.BuildFlow(priorityNormal).MatchProtocol(binding.ProtocolIP).
 			MatchRegRange(int(marksReg), markTrafficFromGateway, binding.Range{0, 15}).
 			MatchCTStateNew(true).MatchCTStateTrk(true).
-			Action().CT(true, connectionTrackStateTable.GetNext(), ctZone).LoadToMark(gatewayCTMark).CTDone().
+			Action().CT(true, connectionTrackCommitTable.GetNext(), ctZone).LoadToMark(gatewayCTMark).CTDone().
 			Done(),
-		connectionTrackStateTable.BuildFlow(priorityLow).MatchProtocol(binding.ProtocolIP).
+		connectionTrackCommitTable.BuildFlow(priorityLow).MatchProtocol(binding.ProtocolIP).
 			MatchCTStateNew(true).MatchCTStateTrk(true).
-			Action().CT(true, connectionTrackStateTable.GetNext(), ctZone).CTDone().
-			Done(),
-		connectionTrackStateTable.BuildFlow(priorityNormal).MatchProtocol(binding.ProtocolIP).
-			MatchCTStateInv(true).MatchCTStateTrk(true).
-			Action().Drop().
+			Action().CT(true, connectionTrackCommitTable.GetNext(), ctZone).CTDone().
 			Done(),
 	}
 	return
@@ -463,14 +469,15 @@ func NewClient(bridgeName string) Client {
 			conntrackTable:        bridge.CreateTable(conntrackTable, conntrackStateTable, binding.TableMissActionNext),
 			conntrackStateTable:   bridge.CreateTable(conntrackStateTable, dnatTable, binding.TableMissActionNext),
 			dnatTable:             bridge.CreateTable(dnatTable, egressRuleTable, binding.TableMissActionNext),
+			egressRuleTable:       bridge.CreateTable(egressRuleTable, egressDefaultTable, binding.TableMissActionNext),
+			egressDefaultTable:    bridge.CreateTable(egressDefaultTable, l3ForwardingTable, binding.TableMissActionNext),
 			l3ForwardingTable:     bridge.CreateTable(l3ForwardingTable, l2ForwardingCalcTable, binding.TableMissActionNext),
 			l2ForwardingCalcTable: bridge.CreateTable(l2ForwardingCalcTable, ingressRuleTable, binding.TableMissActionNext),
-			l2ForwardingOutTable:  bridge.CreateTable(l2ForwardingOutTable, binding.LastTableID, binding.TableMissActionDrop),
 			arpResponderTable:     bridge.CreateTable(arpResponderTable, binding.LastTableID, binding.TableMissActionDrop),
-			egressRuleTable:       bridge.CreateTable(egressRuleTable, egressDefaultTable, binding.TableMissActionNext),
-			egressDefaultTable:    bridge.CreateTable(egressDefaultTable, l3ForwardingTable, binding.TableMissActionNext),
 			ingressRuleTable:      bridge.CreateTable(ingressRuleTable, ingressDefaultTable, binding.TableMissActionNext),
-			ingressDefaultTable:   bridge.CreateTable(ingressDefaultTable, l2ForwardingOutTable, binding.TableMissActionNext),
+			ingressDefaultTable:   bridge.CreateTable(ingressDefaultTable, conntrackCommitTable, binding.TableMissActionNext),
+			conntrackCommitTable:  bridge.CreateTable(conntrackCommitTable, l2ForwardingOutTable, binding.TableMissActionNone),
+			l2ForwardingOutTable:  bridge.CreateTable(l2ForwardingOutTable, binding.LastTableID, binding.TableMissActionDrop),
 		},
 		nodeFlowCache:            newFlowCategoryCache(),
 		podFlowCache:             newFlowCategoryCache(),

diff --git a/pkg/ovs/openflow/interfaces.go b/pkg/ovs/openflow/interfaces.go
@@ -44,6 +44,7 @@ const (
 	TableMissActionDrop MissActionType = iota
 	TableMissActionNormal
 	TableMissActionNext
+	TableMissActionNone
 )
 
 const (

diff --git a/test/integration/agent/openflow_test.go b/test/integration/agent/openflow_test.go
@@ -37,10 +37,10 @@ var (
 )
 
 const (
-	ingressRuleTable     = uint8(90)
-	ingressDefaultTable  = uint8(100)
-	l2ForwardingOutTable = uint8(110)
-	priorityNormal       = 200
+	ingressRuleTable    = uint8(90)
+	ingressDefaultTable = uint8(100)
+	contrackCommitTable = uint8(105)
+	priorityNormal      = 200
 )
 
 type expectTableFlows struct {
@@ -214,7 +214,7 @@ func TestNetworkPolicyFlows(t *testing.T) {
 
 	err = c.InstallPolicyRuleFlows(rule)
 	require.Nil(t, err, "Failed to InstallPolicyRuleFlows")
-	checkConjunctionFlows(t, ingressRuleTable, ingressDefaultTable, l2ForwardingOutTable, priorityNormal, rule, assert.True)
+	checkConjunctionFlows(t, ingressRuleTable, ingressDefaultTable, contrackCommitTable, priorityNormal, rule, assert.True)
 	checkDefaultDropFlows(t, ingressDefaultTable, priorityNormal, types.DstAddress, toIPList, true)
 
 	addedFrom := prepareIPNetAddresses([]string{"192.168.5.0/24", "192.169.1.0/24"})
@@ -263,7 +263,7 @@ func TestNetworkPolicyFlows(t *testing.T) {
 
 	err = c.UninstallPolicyRuleFlows(ruleID)
 	require.Nil(t, err, "Failed to DeletePolicyRuleService")
-	checkConjunctionFlows(t, ingressRuleTable, ingressDefaultTable, l2ForwardingOutTable, priorityNormal, rule, assert.False)
+	checkConjunctionFlows(t, ingressRuleTable, ingressDefaultTable, contrackCommitTable, priorityNormal, rule, assert.False)
 	checkDefaultDropFlows(t, ingressDefaultTable, priorityNormal, types.DstAddress, toIPList, false)
 }
 
@@ -619,9 +619,7 @@ func prepareDefaultFlows() []expectTableFlows {
 			uint8(31),
 			[]*ofTestUtils.ExpectFlow{
 				{"priority=210,ct_state=-new+trk,ct_mark=0x20,ip,reg0=0x1/0xffff", "resubmit(,40)"},
-				{"priority=200,ct_state=+new+trk,ip,reg0=0x1/0xffff", "ct(commit,table=40,zone=65520,exec(load:0x20->NXM_NX_CT_MARK[])"},
 				{"priority=200,ct_state=+inv+trk,ip", "drop"},
-				{"priority=190,ct_state=+new+trk,ip", "ct(commit,table=40,zone=65520)"},
 				{"priority=80,ip", "resubmit(,40)"},
 			},
 		},
@@ -651,7 +649,14 @@ func prepareDefaultFlows() []expectTableFlows {
 		},
 		{
 			uint8(100),
-			[]*ofTestUtils.ExpectFlow{{"priority=80,ip", "resubmit(,110)"}},
+			[]*ofTestUtils.ExpectFlow{{"priority=80,ip", "resubmit(,105)"}},
+		},
+		{
+			uint8(105),
+			[]*ofTestUtils.ExpectFlow{
+				{"priority=200,ct_state=+new+trk,ip,reg0=0x1/0xffff", "ct(commit,table=110,zone=65520,exec(load:0x20->NXM_NX_CT_MARK[])"},
+				{"priority=190,ct_state=+new+trk,ip", "ct(commit,table=110,zone=65520)"},
+			},
 		},
 		{
 			uint8(110),