Commit new connections after NetworkPolicy check

Add conntrackCommitTable(#105) between ingressDefaultTable(#100) and
L2ForwardingOutTable(#110), and packets in the new connections are committed
in this table.
Packet could be resubmitted to conntrackCommit table from DNATTable and
ingressDefaultTable.

.github/workflows/kind.yml

@@ -43,4 +43,4 @@ jobs:
     - name: Run e2e tests
       run: |
         ./hack/generate-manifest.sh --kind | docker exec -i kind-control-plane dd of=/root/antrea.yml
-        go test -short github.com/vmware-tanzu/antrea/test/e2e -provider=kind
+        go test github.com/vmware-tanzu/antrea/test/e2e -provider=kind

pkg/agent/openflow/pipeline.go

@@ -38,6 +38,7 @@ const (
 	l2ForwardingCalcTable binding.TableIDType = 80
 	ingressRuleTable      binding.TableIDType = 90
 	ingressDefaultTable   binding.TableIDType = 100
+	conntrackCommitTable  binding.TableIDType = 105
 	l2ForwardingOutTable  binding.TableIDType = 110
 
 	// Flow priority level
@@ -144,9 +145,11 @@ func (c *client) defaultFlows() (flows []binding.Flow) {
 		case binding.TableMissActionNormal:
 			flowBuilder = flowBuilder.Action().Normal()
 		case binding.TableMissActionDrop:
+			flowBuilder = flowBuilder.Action().Drop()
+		case binding.TableMissActionNone:
 			fallthrough
 		default:
-			flowBuilder = flowBuilder.Action().Drop()
+			continue
 		}
 		flows = append(flows, flowBuilder.Done())
 	}
@@ -183,12 +186,15 @@ func (c *client) podClassifierFlow(podOFPort uint32) binding.Flow {
 }
 
 // connectionTrackFlows generates flows that redirect traffic to ct_zone and handle traffic according to ct_state:
-// 1) commit new connections to ct.
-// 2) Add ct_mark on the packet if it is sent back to the switch from the host gateway.
-// 3) Drop all invalid traffic.
+// 1) commit new connections to ct_zone(0xfff0) in the contrackCommitTable.
+// 2) Add ct_mark on the packet if it is sent to the switch from the host gateway.
+// 3) Allow traffic if it hits ct_mark and is sent from the host gateway.
+// 4) Drop all invalid traffic.
+// 5) Resubmit other traffic to the next table by the table-miss flow.
 func (c *client) connectionTrackFlows() (flows []binding.Flow) {
 	connectionTrackTable := c.pipeline[conntrackTable]
 	connectionTrackStateTable := c.pipeline[conntrackStateTable]
+	connectionTrackCommitTable := c.pipeline[conntrackCommitTable]
 	flows = []binding.Flow{
 		connectionTrackTable.BuildFlow(priorityNormal).MatchProtocol(binding.ProtocolIP).
 			Action().CT(false, connectionTrackTable.GetNext(), ctZone).CTDone().
@@ -200,17 +206,17 @@ func (c *client) connectionTrackFlows() (flows []binding.Flow) {
 			Action().ResubmitToTable(connectionTrackStateTable.GetNext()).
 			Done(),
 		connectionTrackStateTable.BuildFlow(priorityNormal).MatchProtocol(binding.ProtocolIP).
+			MatchCTStateInv(true).MatchCTStateTrk(true).
+			Action().Drop().
+			Done(),
+		connectionTrackCommitTable.BuildFlow(priorityNormal).MatchProtocol(binding.ProtocolIP).
 			MatchRegRange(int(marksReg), markTrafficFromGateway, binding.Range{0, 15}).
 			MatchCTStateNew(true).MatchCTStateTrk(true).
-			Action().CT(true, connectionTrackStateTable.GetNext(), ctZone).LoadToMark(gatewayCTMark).CTDone().
+			Action().CT(true, connectionTrackCommitTable.GetNext(), ctZone).LoadToMark(gatewayCTMark).CTDone().
 			Done(),
-		connectionTrackStateTable.BuildFlow(priorityLow).MatchProtocol(binding.ProtocolIP).
+		connectionTrackCommitTable.BuildFlow(priorityLow).MatchProtocol(binding.ProtocolIP).
 			MatchCTStateNew(true).MatchCTStateTrk(true).
-			Action().CT(true, connectionTrackStateTable.GetNext(), ctZone).CTDone().
-			Done(),
-		connectionTrackStateTable.BuildFlow(priorityNormal).MatchProtocol(binding.ProtocolIP).
-			MatchCTStateInv(true).MatchCTStateTrk(true).
-			Action().Drop().
+			Action().CT(true, connectionTrackCommitTable.GetNext(), ctZone).CTDone().
 			Done(),
 	}
 	return
@@ -350,7 +356,9 @@ func (c *client) gatewayIPSpoofGuardFlow(gatewayOFPort uint32) binding.Flow {
 func (c *client) serviceCIDRDNATFlow(serviceCIDR *net.IPNet, gatewayOFPort uint32) binding.Flow {
 	return c.pipeline[dnatTable].BuildFlow(priorityNormal).MatchProtocol(binding.ProtocolIP).
 		MatchDstIPNet(*serviceCIDR).
-		Action().Output(int(gatewayOFPort)).
+		Action().LoadRegRange(int(portCacheReg), gatewayOFPort, ofPortRegRange).
+		Action().LoadRegRange(int(marksReg), portFoundMark, ofPortMarkRange).
+		Action().ResubmitToTable(conntrackCommitTable).
 		Done()
 }
 
@@ -444,12 +452,12 @@ func (c *client) defaultDropFlow(tableID binding.TableIDType, matchKey int, matc
 		Action().Drop().Done()
 }
 
-// localProbeFlow generates the flow to resubmit packets to l2ForwardingOutTable. The packets are sent from Node to probe the liveness/readiness of local Pods.
+// localProbeFlow generates the flow to resubmit packets to conntrackCommitTable. The packets are sent from Node to probe the liveness/readiness of local Pods.
 func (c *client) localProbeFlow(localGatewayIP net.IP) binding.Flow {
 	return c.pipeline[ingressRuleTable].BuildFlow(priorityHigh).
 		MatchProtocol(binding.ProtocolIP).
 		MatchSrcIP(localGatewayIP).
-		Action().ResubmitToTable(l2ForwardingOutTable).Done()
+		Action().ResubmitToTable(conntrackCommitTable).Done()
 }
 
 // NewClient is the constructor of the Client interface.
@@ -460,17 +468,18 @@ func NewClient(bridgeName string) Client {
 		pipeline: map[binding.TableIDType]binding.Table{
 			classifierTable:       bridge.CreateTable(classifierTable, spoofGuardTable, binding.TableMissActionNext),
 			spoofGuardTable:       bridge.CreateTable(spoofGuardTable, conntrackTable, binding.TableMissActionDrop),
-			conntrackTable:        bridge.CreateTable(conntrackTable, conntrackStateTable, binding.TableMissActionNext),
+			conntrackTable:        bridge.CreateTable(conntrackTable, conntrackStateTable, binding.TableMissActionNone),
 			conntrackStateTable:   bridge.CreateTable(conntrackStateTable, dnatTable, binding.TableMissActionNext),
 			dnatTable:             bridge.CreateTable(dnatTable, egressRuleTable, binding.TableMissActionNext),
+			egressRuleTable:       bridge.CreateTable(egressRuleTable, egressDefaultTable, binding.TableMissActionNext),
+			egressDefaultTable:    bridge.CreateTable(egressDefaultTable, l3ForwardingTable, binding.TableMissActionNext),
 			l3ForwardingTable:     bridge.CreateTable(l3ForwardingTable, l2ForwardingCalcTable, binding.TableMissActionNext),
 			l2ForwardingCalcTable: bridge.CreateTable(l2ForwardingCalcTable, ingressRuleTable, binding.TableMissActionNext),
-			l2ForwardingOutTable:  bridge.CreateTable(l2ForwardingOutTable, binding.LastTableID, binding.TableMissActionDrop),
 			arpResponderTable:     bridge.CreateTable(arpResponderTable, binding.LastTableID, binding.TableMissActionDrop),
-			egressRuleTable:       bridge.CreateTable(egressRuleTable, egressDefaultTable, binding.TableMissActionNext),
-			egressDefaultTable:    bridge.CreateTable(egressDefaultTable, l3ForwardingTable, binding.TableMissActionNext),
 			ingressRuleTable:      bridge.CreateTable(ingressRuleTable, ingressDefaultTable, binding.TableMissActionNext),
-			ingressDefaultTable:   bridge.CreateTable(ingressDefaultTable, l2ForwardingOutTable, binding.TableMissActionNext),
+			ingressDefaultTable:   bridge.CreateTable(ingressDefaultTable, conntrackCommitTable, binding.TableMissActionNext),
+			conntrackCommitTable:  bridge.CreateTable(conntrackCommitTable, l2ForwardingOutTable, binding.TableMissActionNext),
+			l2ForwardingOutTable:  bridge.CreateTable(l2ForwardingOutTable, binding.LastTableID, binding.TableMissActionDrop),
 		},
 		nodeFlowCache:            newFlowCategoryCache(),
 		podFlowCache:             newFlowCategoryCache(),

pkg/ovs/openflow/interfaces.go

@@ -44,6 +44,7 @@ const (
 	TableMissActionDrop MissActionType = iota
 	TableMissActionNormal
 	TableMissActionNext
+	TableMissActionNone
 )
 
 const (

test/integration/agent/openflow_test.go

@@ -37,10 +37,10 @@ var (
 )
 
 const (
-	ingressRuleTable     = uint8(90)
-	ingressDefaultTable  = uint8(100)
-	l2ForwardingOutTable = uint8(110)
-	priorityNormal       = 200
+	ingressRuleTable    = uint8(90)
+	ingressDefaultTable = uint8(100)
+	contrackCommitTable = uint8(105)
+	priorityNormal      = 200
 )
 
 type expectTableFlows struct {
@@ -126,7 +126,7 @@ func testInstallServiceFlows(t *testing.T, config *testConfig) {
 	if err != nil {
 		t.Fatalf("Failed to install Openflow entries to skip service CIDR from egress table")
 	}
-	for _, tableFlow := range prepareServiceHelperFlows(*config.serviceCIDR) {
+	for _, tableFlow := range prepareServiceHelperFlows(*config.serviceCIDR, config.localGateway.ofPort) {
 		ofTestUtils.CheckFlowExists(t, config.bridge, tableFlow.tableID, true, tableFlow.flows)
 	}
 }
@@ -214,7 +214,7 @@ func TestNetworkPolicyFlows(t *testing.T) {
 
 	err = c.InstallPolicyRuleFlows(rule)
 	require.Nil(t, err, "Failed to InstallPolicyRuleFlows")
-	checkConjunctionFlows(t, ingressRuleTable, ingressDefaultTable, l2ForwardingOutTable, priorityNormal, rule, assert.True)
+	checkConjunctionFlows(t, ingressRuleTable, ingressDefaultTable, contrackCommitTable, priorityNormal, rule, assert.True)
 	checkDefaultDropFlows(t, ingressDefaultTable, priorityNormal, types.DstAddress, toIPList, true)
 
 	addedFrom := prepareIPNetAddresses([]string{"192.168.5.0/24", "192.169.1.0/24"})
@@ -263,7 +263,7 @@ func TestNetworkPolicyFlows(t *testing.T) {
 
 	err = c.UninstallPolicyRuleFlows(ruleID)
 	require.Nil(t, err, "Failed to DeletePolicyRuleService")
-	checkConjunctionFlows(t, ingressRuleTable, ingressDefaultTable, l2ForwardingOutTable, priorityNormal, rule, assert.False)
+	checkConjunctionFlows(t, ingressRuleTable, ingressDefaultTable, contrackCommitTable, priorityNormal, rule, assert.False)
 	checkDefaultDropFlows(t, ingressDefaultTable, priorityNormal, types.DstAddress, toIPList, false)
 }
 
@@ -535,7 +535,7 @@ func prepareGatewayFlows(gwIP net.IP, gwMAC net.HardwareAddr, gwOFPort uint32, v
 			[]*ofTestUtils.ExpectFlow{
 				{
 					fmt.Sprintf("priority=210,ip,nw_src=%s", gwIP.String()),
-					"resubmit(,110)"},
+					"resubmit(,105)"},
 			},
 		},
 	}
@@ -580,12 +580,14 @@ func prepareNodeFlows(peerSubnet net.IPNet, peerGwIP, peerNodeIP net.IP, vMAC, l
 	}
 }
 
-func prepareServiceHelperFlows(serviceCIDR net.IPNet) []expectTableFlows {
+func prepareServiceHelperFlows(serviceCIDR net.IPNet, gwOFPort uint32) []expectTableFlows {
 	return []expectTableFlows{
 		{
 			uint8(40),
 			[]*ofTestUtils.ExpectFlow{
-				{fmt.Sprintf("priority=200,ip,nw_dst=%s", serviceCIDR.String()), "output:1"},
+				{fmt.Sprintf("priority=200,ip,nw_dst=%s", serviceCIDR.String()),
+					fmt.Sprintf("load:0x%x->NXM_NX_REG1[],load:0x1->NXM_NX_REG0[16],resubmit(,105)", gwOFPort),
+				},
 			},
 		},
 	}
@@ -612,16 +614,13 @@ func prepareDefaultFlows() []expectTableFlows {
 			uint8(30),
 			[]*ofTestUtils.ExpectFlow{
 				{"priority=200,ip", "ct(table=31,zone=65520)"},
-				{"priority=80,ip", "resubmit(,31)"},
 			},
 		},
 		{
 			uint8(31),
 			[]*ofTestUtils.ExpectFlow{
 				{"priority=210,ct_state=-new+trk,ct_mark=0x20,ip,reg0=0x1/0xffff", "resubmit(,40)"},
-				{"priority=200,ct_state=+new+trk,ip,reg0=0x1/0xffff", "ct(commit,table=40,zone=65520,exec(load:0x20->NXM_NX_CT_MARK[])"},
 				{"priority=200,ct_state=+inv+trk,ip", "drop"},
-				{"priority=190,ct_state=+new+trk,ip", "ct(commit,table=40,zone=65520)"},
 				{"priority=80,ip", "resubmit(,40)"},
 			},
 		},
@@ -651,7 +650,15 @@ func prepareDefaultFlows() []expectTableFlows {
 		},
 		{
 			uint8(100),
-			[]*ofTestUtils.ExpectFlow{{"priority=80,ip", "resubmit(,110)"}},
+			[]*ofTestUtils.ExpectFlow{{"priority=80,ip", "resubmit(,105)"}},
+		},
+		{
+			uint8(105),
+			[]*ofTestUtils.ExpectFlow{
+				{"priority=200,ct_state=+new+trk,ip,reg0=0x1/0xffff", "ct(commit,table=110,zone=65520,exec(load:0x20->NXM_NX_CT_MARK[])"},
+				{"priority=190,ct_state=+new+trk,ip", "ct(commit,table=110,zone=65520)"},
+				{"priority=80,ip", "resubmit(,110)"},
+			},
 		},
 		{
 			uint8(110),