

ovn: do not send direct traffic between lports to conntrack (#3663)
Signed-off-by: zhangzujian <[email protected]>
zhangzujian committed Jan 30, 2024
1 parent 6f29efd commit d5d4caa
Showing 10 changed files with 23 additions and 0 deletions.
2 changes: 2 additions & 0 deletions dist/images/Dockerfile.base
Expand Up @@ -62,6 +62,8 @@ RUN cd /usr/src/ && git clone -b branch-22.03 --depth=1 https://github.com/ovn-o
curl -s https://github.com/kubeovn/ovn/commit/472809ebc83588cf321935804f171b271fd81476.patch | git apply && \
# ovn-controller: do not send GARP on localnet for Kube-OVN ports
curl -s https://github.com/kubeovn/ovn/commit/1792621bf33a661d66ca47620871668267e3e521.patch | git apply && \
# lflow: do not send direct traffic between lports to conntrack
curl -s https://github.com/kubeovn/ovn/commit/55b22c91f9e4a128ab2ae0068e426cc2f0220e0c.patch | git apply && \
sed -i 's/OVN/ovn/g' debian/changelog && \
rm -rf .git && \
./boot.sh && \
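Review bot: The new `curl -s https://github.com/kubeovn/ovn/commit/55b22c91f9e4a128ab2ae0068e426cc2f0220e0c.patch | git apply` line, like the two existing fetches above it, runs curl without `-f`, so a non-2xx response is not a curl failure and whatever body the server returns is piped into `git apply`; the build then relies on git apply rejecting that input rather than on the download itself being checked. Prefer `curl -fsSL https://github.com/kubeovn/ovn/commit/55b22c91f9e4a128ab2ae0068e426cc2f0220e0c.patch | git apply && \` so an HTTP error stops the pipeline explicitly, and apply the same to the sibling lines for consistency. Note that the patch content is pinned only by the commit hash in the URL, not by a digest of the fetched bytes, which is worth a comment if that trade-off is intentional. The enclosing RUN instruction starts and ends outside the hunk.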
2 changes: 2 additions & 0 deletions dist/images/install.sh
Expand Up @@ -15,6 +15,7 @@ ENABLE_LB=${ENABLE_LB:-true}
ENABLE_NP=${ENABLE_NP:-true}
ENABLE_EIP_SNAT=${ENABLE_EIP_SNAT:-true}
LS_DNAT_MOD_DL_DST=${LS_DNAT_MOD_DL_DST:-true}
LS_CT_SKIP_DST_LPORT_IPS=${LS_CT_SKIP_DST_LPORT_IPS:-true}
ENABLE_EXTERNAL_VPC=${ENABLE_EXTERNAL_VPC:-true}
CNI_CONFIG_PRIORITY=${CNI_CONFIG_PRIORITY:-01}
ENABLE_LB_SVC=${ENABLE_LB_SVC:-false}
Expand Down Expand Up @@ -3023,6 +3024,7 @@ spec:
- --default-exchange-link-name=$EXCHANGE_LINK_NAME
- --default-vlan-id=$VLAN_ID
- --ls-dnat-mod-dl-dst=$LS_DNAT_MOD_DL_DST
- --ls-ct-skip-dst-lport-ips=$LS_CT_SKIP_DST_LPORT_IPS
- --pod-nic-type=$POD_NIC_TYPE
- --enable-lb=$ENABLE_LB
- --enable-np=$ENABLE_NP
1 change: 1 addition & 0 deletions kubeovn-helm/templates/controller-deploy.yaml
Expand Up @@ -93,6 +93,7 @@ spec:
- --default-exchange-link-name={{- .Values.networking.EXCHANGE_LINK_NAME }}
- --default-vlan-id={{- .Values.networking.vlan.VLAN_ID }}
- --ls-dnat-mod-dl-dst={{- .Values.func.LS_DNAT_MOD_DL_DST }}
- --ls-ct-skip-dst-lport-ips={{- .Values.func.LS_CT_SKIP_DST_LPORT_IPS }}
- --pod-nic-type={{- .Values.networking.POD_NIC_TYPE }}
- --enable-lb={{- .Values.func.ENABLE_LB }}
- --enable-np={{- .Values.func.ENABLE_NP }}
1 change: 1 addition & 0 deletions kubeovn-helm/values.yaml
Expand Up @@ -51,6 +51,7 @@ func:
LS_DNAT_MOD_DL_DST: true
CHECK_GATEWAY: true
LOGICAL_GATEWAY: false
LS_CT_SKIP_DST_LPORT_IPS: true
ENABLE_BIND_LOCAL_IP: true
ENABLE_IC: false

3 changes: 3 additions & 0 deletions pkg/controller/config.go
Expand Up @@ -78,6 +78,7 @@ type Configuration struct {
DefaultVlanName string
DefaultVlanID int
LsDnatModDlDst bool
LsCtSkipDstLportIPs bool

EnableLb bool
EnableNP bool
Expand Down Expand Up @@ -143,6 +144,7 @@ func ParseFlags() (*Configuration, error) {
argDefaultVlanName = pflag.String("default-vlan-name", "ovn-vlan", "The default vlan name")
argDefaultVlanID = pflag.Int("default-vlan-id", 1, "The default vlan id")
argLsDnatModDlDst = pflag.Bool("ls-dnat-mod-dl-dst", true, "Set ethernet destination address for DNAT on logical switch")
argLsCtSkipDstLportIPs = pflag.Bool("ls-ct-skip-dst-lport-ips", true, "Skip conntrack for direct traffic between lports")
argPodNicType = pflag.String("pod-nic-type", "veth-pair", "The default pod network nic implementation type")
argPodDefaultFipType = pflag.String("pod-default-fip-type", "", "The type of fip bind to pod automatically: iptables")
argEnableLb = pflag.Bool("enable-lb", true, "Enable load balancer")
Expand Down Expand Up @@ -212,6 +214,7 @@ func ParseFlags() (*Configuration, error) {
NetworkType: *argNetworkType,
DefaultVlanID: *argDefaultVlanID,
LsDnatModDlDst: *argLsDnatModDlDst,
LsCtSkipDstLportIPs: *argLsCtSkipDstLportIPs,
DefaultProviderName: *argDefaultProviderName,
DefaultHostInterface: *argDefaultInterfaceName,
DefaultExchangeLinkName: *argDefaultExchangeLinkName,
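Review bot: The new `LsCtSkipDstLportIPs` field in `Configuration` and its `ls-ct-skip-dst-lport-ips` flag carry no comment tying them to the NB_Global option they drive, so a reader of config.go cannot tell what the flag changes in OVN or what it requires. Suggest a field comment such as `// LsCtSkipDstLportIPs is written to NB_Global options:ls_ct_skip_dst_lport_ips; when true, direct traffic between logical ports bypasses conntrack.` and, if an OVN build without the lflow patch added in dist/images/Dockerfile.base simply ignores the option (the hunk does not show this, so it needs confirming), say so in the flag help text as well. Both `Configuration` and `ParseFlags` start and end outside the hunk.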
4 changes: 4 additions & 0 deletions pkg/controller/controller.go
Expand Up @@ -678,6 +678,10 @@ func (c *Controller) Run(ctx context.Context) {
util.LogFatalAndExit(err, "failed to set NB_Global option use_ct_inv_match")
}

if err := c.ovnLegacyClient.SetLsCtSkipDstLportIPs(c.config.LsCtSkipDstLportIPs); err != nil {
util.LogFatalAndExit(err, "failed to set NB_Global option ls_ct_skip_dst_lport_ips")
}

if err := c.InitOVN(); err != nil {
util.LogFatalAndExit(err, "failed to initialize ovn resources")
}
7 changes: 7 additions & 0 deletions pkg/ovs/ovn-nbctl-legacy.go
Expand Up @@ -96,6 +96,13 @@ func (c LegacyClient) SetUseCtInvMatch() error {
return nil
}

func (c LegacyClient) SetLsCtSkipDstLportIPs(enabled bool) error {
if _, err := c.ovnNbCommand("set", "NB_Global", ".", fmt.Sprintf("options:ls_ct_skip_dst_lport_ips=%v", enabled)); err != nil {
return fmt.Errorf("failed to set NB_Global option ls_ct_skip_dst_lport_ips to %v: %v", enabled, err)
}
return nil
}

func (c LegacyClient) SetICAutoRoute(enable bool, blackList []string) error {
if enable {
if _, err := c.ovnNbCommand("set", "NB_Global", ".", "options:ic-route-adv=true", "options:ic-route-learn=true", fmt.Sprintf("options:ic-route-blacklist=%s", strings.Join(blackList, ","))); err != nil {
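Review bot: `SetLsCtSkipDstLportIPs` wraps the command error with `%v` and a "failed to set NB_Global option ls_ct_skip_dst_lport_ips" prefix that its caller in pkg/controller/controller.go (`Controller.Run`) repeats in the `util.LogFatalAndExit` message, so the fatal log line states the same thing twice and the underlying error cannot be inspected with `errors.Is`/`errors.As`. Keep the context at one layer and use `%w`: `return fmt.Errorf("setting NB_Global option ls_ct_skip_dst_lport_ips to %v: %w", enabled, err)`. If the package convention is to keep a "failed to" prefix on every returned error, the `%v` to `%w` change alone is still worth making; the neighbouring `SetICAutoRoute` is cut off by the hunk, so its wrapping style cannot be compared here.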
1 change: 1 addition & 0 deletions yamls/kube-ovn-dual-stack.yaml
Expand Up @@ -64,6 +64,7 @@ spec:
- --network-type=geneve
- --default-interface-name=
- --default-vlan-id=100
- --ls-ct-skip-dst-lport-ips=true
- --pod-nic-type=veth-pair
- --enable-lb=true
- --enable-np=true
1 change: 1 addition & 0 deletions yamls/kube-ovn-ipv6.yaml
Expand Up @@ -65,6 +65,7 @@ spec:
- --network-type=geneve
- --default-interface-name=
- --default-vlan-id=100
- --ls-ct-skip-dst-lport-ips=true
- --pod-nic-type=veth-pair
- --enable-lb=true
- --enable-np=true
1 change: 1 addition & 0 deletions yamls/kube-ovn.yaml
Expand Up @@ -64,6 +64,7 @@ spec:
- --network-type=geneve
- --default-interface-name=
- --default-vlan-id=100
- --ls-ct-skip-dst-lport-ips=true
- --pod-nic-type=veth-pair
- --enable-lb=true
- --enable-np=true

