-
Notifications
You must be signed in to change notification settings - Fork 366
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Refactor Windows SNAT flows for SNAT policy implementation #1892
Conversation
Codecov Report
@@ Coverage Diff @@
## main #1892 +/- ##
==========================================
+ Coverage 64.47% 65.43% +0.95%
==========================================
Files 193 195 +2
Lines 16893 16872 -21
==========================================
+ Hits 10892 11040 +148
+ Misses 4837 4666 -171
- Partials 1164 1166 +2
Flags with carried forward coverage won't be shown. Click here to find out more.
|
bc0318c
to
09a97d9
Compare
/test-windows-conformance |
6a380b4
to
18ada71
Compare
The OVS flow design is described in #667 (comment). This PR just implements the common flows and the SNAT flows on Windows for the default SNAT IP. |
pkg/agent/openflow/pipeline.go
Outdated
// It is used on Windows Nodes only. | ||
func (c *client) snatFlows(nodeIP net.IP, localSubnet net.IPNet, category cookie.Category) []binding.Flow { | ||
snatIPRange := &binding.IPRange{StartIP: nodeIP, EndIP: nodeIP} | ||
// snatCommonFlows installs flows to perform SNAT for traffic to the external |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it complete? It doesn't seem the flows below perform SNAT
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
snatCommonFlows is for the default common flows on Linux and Windows, which do not really perform SNAT. On Linux only SNAT policies will add flows to look up SNAT IP, mark packets, etc.. Let me revise the comments.
/test-windows-conformance |
/test-windows-conformance |
147623f
to
769ec64
Compare
/test-windows-conformance |
3c42745
to
29eb6ce
Compare
5cc23ee
to
00df2de
Compare
MatchCTMark(snatCTMark, nil). | ||
MatchRegRange(int(marksReg), markTrafficFromUplink, binding.Range{0, 15}). | ||
// return packets to remote Pods will be handled by L3Forwarding flows. | ||
MatchDstIPNet(localSubnet). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I notice this condition is new, can a packet to remote Pods get to L3Forwarding flows? It looks like the following flow with normal priority will output the packet to bridge port?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Humm.. yes, such pakcets will be output to br-int, which we would not want to avoid asymmetric return path.
In this case, probably no harm to set macRewriteMark for all packets, though it is not needed for packets to remote Nodes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated the flow.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM overall, just a question about the impact of the new condition in a snat flow.
Separate common flows and Windows only flows for SNAT. Add a new snatTable(71) between l3ForwardingTable and l3DecTTLTable(72) for looking up SNAT IPs of the external traffic.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
/test-all |
/test-e2e |
1 similar comment
/test-e2e |
/skip-all |
Separate common flows and Windows only flows for SNAT.
Add a new snatTable(71) between l3ForwardingTable and l3DecTTLTable(72)
for looking up SNAT IPs of the external traffic.
Issue: #667