Flexible Pipeline is a framework to generate OVS pipelines with dynamic
table IDs. There are some abstractions introduced in this framework:
- **feature** is the interface to program a major function in Antrea
data path
- **stage** in FlexiblePipeline is used to group tables which implement
similar functions in a pipeline
- **pipeline** is used to implement a major function in Antrea data
path
- **Table** is the basic unit to build OVS pipelines. A Table can be
referenced by one or more features, but its member struct ofTable
will be initialized and realized on OVS only when it is referenced
by an activated feature.
At this moment, we have the following features:
- featurePodConnectivity, implementation of connectivity for Pods,
activated by default
- featureNetworkPolicy, implementation of K8s NetworkPolicy and Antrea
NetworkPolicy, activated by default
- featureService, implementation of K8s Service, activated by default
- featureEgress, implementation of Egress, activation is determined by
feature gate Egress
- featureMulticast, implementation of multicast, activation is
determined by feature gate Multicast
At this moment, we have the following stages:
- stageStart is only used to initialize PipelineClassifierTable
- stageClassifier is used to classify the "category" of packets (tunnel,
local gateway or local Pod, etc.)
- stageValidation is used to validate packets
- stageConntrackState is used to transform committed packets in CT zones
- stagePreRouting is similar to PREROUTING chain of nat table in iptables.
DNAT for Service connections is performed in this stage
- stageEgressSecurity is used to install egress rules for K8s
NetworkPolicy and Antrea NetworkPolicy
- stageRouting is used to implement L3 Forwarding of packets.
- stagePostRouting is similar to POSTROUTING chain of nat table in
iptables. SNAT for Service connections is performed in this stage
- stageSwitching is used to implement L2 Forwarding of packets
- stageIngressSecurity is used to install ingress rules for K8s
NetworkPolicy and Antrea NetworkPolicy
- stageConntrack is used to commit non-Service connections
- stageOutput is used to output packets to target port
At this moment, we have the following pipelines:
- pipelineRoot is only used to initialize PipelineClassifierTable
- pipelineARP is used to process ARP packets
- pipelineIP is used to process IPv4/IPv6 packets
- pipelineMulticast is used to process multicast packets
After refactoring, PipelineClassifierTable is table 0. It's the only
fixed table ID. Packets are forwarded to different pipelines in this
table.
OVS pipelineARP is used to process ARP packets. Stages and tables
in this pipeline:
- stageValidation
  - ARPSpoofGuardTable, ARP-spoofing part of original SpoofGuardTable
- stageOutput
  - ARPResponderTable, renamed from arpResponderTable
OVS pipelineIP is used to process IPv4/IPv6 packets. Stages and
tables in this pipeline:
- stageClassifier
  - ClassifierTable, original ClassifierTable (0)
- stageValidation
  - SpoofGuardTable, part of original SpoofGuardTable (10)
  - IPv6Table, original IPv6Table (21)
  - IPClassifierTable, newly added for multicast
- stageConntrackState
  - SNATConntrackTable, original ServiceConntrackTable (35)
  - ConntrackTable, original ConntrackTable (30)
  - ConntrackStateTable, original ConntrackStateTable (31)
- stagePreRouting
  - PreRoutingClassifierTable, newly added
  - NodePortMarkTable, original ServiceClassifierTable (35)
  - SessionAffinityTable, original SessionAffinityTable (41)
  - ServiceLBTable, original ServiceLBTable (41)
  - EndpointDNATTable, original EndpointDNATTable (42)
  - DNATTable, original DNATTable (40)
- stageEgressSecurity
  - AntreaPolicyEgressRuleTable, original AntreaPolicyEgressRuleTable (45)
  - EgressRuleTable, original EgressRuleTable (50)
  - EgressDefaultTable, original EgressDefaultTable (60)
  - EgressMetricTable, original EgressMetricTable (61)
- stageRouting
  - L3ForwardingTable, original L3ForwardingTable (70)
  - EgressMarkTable, original SNATTable (71)
  - L3DecTTLTable, original L3DecTTLTable (72)
- stagePostRouting
  - ServiceMarkTable, newly added
  - SNATConntrackCommitTable, original ServiceConntrackCommitTable (105)
- stageSwitching
  - L2ForwardingCalcTable, original L2ForwardingCalcTable (80)
- stageIngressSecurity
  - IngressSecurityClassifierTable, newly added
  - AntreaPolicyIngressRuleTable, original AntreaPolicyIngressRuleTable (85)
  - IngressRuleTable, original IngressRuleTable (90)
  - IngressDefaultTable, original IngressDefaultTable (100)
  - IngressMetricTable, original IngressDefaultTable (101)
- stageConntrack
  - ConntrackCommitTable, original ConntrackCommitTable (105)
- stageOutput
  - L2ForwardingOutTable, original L2ForwardingOutTable (110)
OVS pipelineMulticast is used to process multicast packets.
Stages and tables in this pipeline:
- stageRouting
  - MulticastTable, original MulticastTable (22)
Removed tables:
- original ServiceHairpinTable (22)
- original DefaultTierEgressRuleTable (49)
- original HairpinSNATTable (108)
For hairpin connections, SNAT is performed by a CT operation instead of
modifying the source IP statelessly. Another change is to use different
IPs to perform SNAT:
- Hairpin Service connection initiated through a local Pod, and SNAT
is performed with the Antrea gateway IP.
- Hairpin Service connection initiated through the Antrea gateway,
and SNAT is performed with a virtual IP.
Signed-off-by: Hongliang Liu <[email protected]>
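Added example, not part of this commit or of the Antrea code base: a small Go model of how the Flexible Pipeline described above assigns dynamic table IDs, with PipelineClassifierTable fixed at 0, tables numbered in stage order, and a table realized only when an activated feature references it. The Stage constants, the Table and Feature structs, assignTableIDs and the pipelineIP subset in exampleLayout are all assumptions constructed to mirror the description, not Antrea's own types.

```go
package main

import "sort"

type Stage int // stage order follows the commit message; stageStart holds only table 0

const (
	stageClassifier Stage = iota + 1
	stageValidation
	stageConntrackState
	stagePreRouting
	stageRouting
	stageOutput
)

// Table is realized on OVS, and gets an ID, only if an activated feature references it.
type Table struct{ Name string; Stage Stage }
// Feature references the tables it programs; Active mirrors its feature gate.
type Feature struct{ Active bool; Tables []*Table }

// assignTableIDs numbers tables referenced by active features in stage order after the
// fixed table 0 (stable sort keeps registration order within a stage); tables that no
// active feature references are left out of the result.
func assignTableIDs(features []Feature) map[string]uint8 {
	seen := map[*Table]bool{}
	var realized []*Table
	for _, f := range features {
		for _, t := range f.Tables {
			if f.Active && !seen[t] {
				seen[t] = true
				realized = append(realized, t)
			}
		}
	}
	sort.SliceStable(realized, func(i, j int) bool { return realized[i].Stage < realized[j].Stage })
	ids := map[string]uint8{"PipelineClassifierTable": 0} // the only fixed table ID
	for i, t := range realized {
		ids[t.Name] = uint8(i + 1)
	}
	return ids
}

// exampleLayout is a constructed pipelineIP subset with the Egress feature gate off.
func exampleLayout() map[string]uint8 {
	ct, out := &Table{"ConntrackTable", stageConntrackState}, &Table{"L2ForwardingOutTable", stageOutput}
	return assignTableIDs([]Feature{
		{true, []*Table{{"ClassifierTable", stageClassifier}, {"SpoofGuardTable", stageValidation}, ct, out}},
		{true, []*Table{{"ServiceLBTable", stagePreRouting}, ct, out}},
		{false, []*Table{{"EgressMarkTable", stageRouting}}},
	})
}
```

With the Egress gate off, EgressMarkTable gets no ID at all, and ConntrackTable and L2ForwardingOutTable are numbered once even though two features reference them.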