Refactor Windows SNAT flows for SNAT policy implementation #1892
Conversation
Codecov Report
@@ Coverage Diff @@
## main #1892 +/- ##
==========================================
+ Coverage 64.47% 65.43% +0.95%
==========================================
Files 193 195 +2
Lines 16893 16872 -21
==========================================
+ Hits 10892 11040 +148
+ Misses 4837 4666 -171
- Partials 1164 1166 +2
Flags with carried forward coverage won't be shown. Click here to find out more.
|
jianjuns
force-pushed
the
snat-flow
branch
3 times, most recently
from
bc0318c
to
09a97d9
Compare
|
/test-windows-conformance |
jianjuns
force-pushed
the
snat-flow
branch
2 times, most recently
from
6a380b4
to
18ada71
Compare
|
The OVS flow design is described in #667 (comment). This PR just implements the common flows and the SNAT flows on Windows for the default SNAT IP. |
pkg/agent/openflow/pipeline.go
Outdated
| // It is used on Windows Nodes only. | ||
| func (c *client) snatFlows(nodeIP net.IP, localSubnet net.IPNet, category cookie.Category) []binding.Flow { | ||
| snatIPRange := &binding.IPRange{StartIP: nodeIP, EndIP: nodeIP} | ||
| // snatCommonFlows installs flows to perform SNAT for traffic to the external |
There was a problem hiding this comment.
Is it complete? It doesn't seem the flows below perform SNAT
There was a problem hiding this comment.
snatCommonFlows is for the default common flows on Linux and Windows, which do not really perform SNAT. On Linux only SNAT policies will add flows to look up SNAT IP, mark packets, etc.. Let me revise the comments.
|
/test-windows-conformance |
|
/test-windows-conformance |
jianjuns
force-pushed
the
snat-flow
branch
2 times, most recently
from
147623f
to
769ec64
Compare
|
/test-windows-conformance |
jianjuns
force-pushed
the
snat-flow
branch
3 times, most recently
from
3c42745
to
29eb6ce
Compare
jianjuns
force-pushed
the
snat-flow
branch
3 times, most recently
from
5cc23ee
to
00df2de
Compare
| MatchCTMark(snatCTMark, nil). | ||
| MatchRegRange(int(marksReg), markTrafficFromUplink, binding.Range{0, 15}). | ||
| // return packets to remote Pods will be handled by L3Forwarding flows. | ||
| MatchDstIPNet(localSubnet). |
There was a problem hiding this comment.
I notice this condition is new, can a packet to remote Pods get to L3Forwarding flows? It looks like the following flow with normal priority will output the packet to bridge port?
There was a problem hiding this comment.
Humm.. yes, such pakcets will be output to br-int, which we would not want to avoid asymmetric return path.
In this case, probably no harm to set macRewriteMark for all packets, though it is not needed for packets to remote Nodes.
Separate common flows and Windows only flows for SNAT. Add a new snatTable(71) between l3ForwardingTable and l3DecTTLTable(72) for looking up SNAT IPs of the external traffic.
|
/test-all |
|
/test-e2e |
1 similar comment
|
/test-e2e |
|
/skip-all |
Separate common flows and Windows only flows for SNAT.
Add a new snatTable(71) between l3ForwardingTable and l3DecTTLTable(72)
for looking up SNAT IPs of the external traffic.
Issue: #667