
Flexible pipeline #3058

Merged
merged 1 commit into antrea-io:main on Mar 22, 2022

Conversation

hongliangl
Contributor

@hongliangl hongliangl commented Nov 26, 2021

Flexible Pipeline is a framework to generate OVS pipelines with dynamic
table IDs. There are some abstractions introduced in this framework:

  • feature is the interface to program a major function in Antrea
    data path
  • stage in FlexiblePipeline is used to group tables which implement
    similar functions in a pipeline
  • pipeline is used to implement a major function in Antrea data
    path
  • Table is the basic unit to build OVS pipelines. A Table can be
    referenced by one or more features, but its member struct ofTable
    will be initialized and realized on OVS only when it is referenced
    by any activated features

At this moment, we have the following features:

  • featurePodConnectivity, implementation of connectivity for Pods,
    activated by default
  • featureNetworkPolicy, implementation of K8s NetworkPolicy and Antrea
    NetworkPolicy, activated by default
  • featureService, implementation of K8s Service, activated by default
  • featureEgress, implementation of Egress, activation is determined by
    feature gate Egress
  • featureMulticast, implementation of multicast, activation is
    determined by feature gate Multicast

At this moment, we have the following stages:

  • stageStart is only used to initialize PipelineClassifierTable
  • stageClassifier is used to classify packets "category" (tunnel, local
    gateway or local Pod, etc)
  • stageValidation is used to validate packets
  • stageConntrackState is used to transform committed packets in CT zones
  • stagePreRouting is similar to the PREROUTING chain of the nat table in iptables.
    DNAT for Service connections is performed in this stage
  • stageEgressSecurity is used to install egress rules for K8s
    NetworkPolicy and Antrea NetworkPolicy
  • stageRouting is used to implement L3 Forwarding of packets.
  • stagePostRouting is similar to POSTROUTING chain of nat table in
    iptables. SNAT for Service connections is performed in this stage
  • stageSwitching is used to implement L2 Forwarding of packets
  • stageIngressSecurity is used to install ingress rules for K8s
    NetworkPolicy and Antrea NetworkPolicy
  • stageConntrack is used to commit non-Service connections
  • stageOutput is used to output packets to target port

At this moment, we have the following pipelines:

  • pipelineRoot is only used to initialize PipelineClassifierTable
  • pipelineARP is used to process ARP packets
  • pipelineIP is used to process IPv4/IPv6 packets
  • pipelineMulticast is used to process multicast packets

After refactoring, PipelineClassifierTable is table 0. It's the only
fixed table ID. Packets are forwarded to different pipelines in this
table.

OVS pipelineARP is used to process ARP packets. Stages and tables
in this pipeline:

  • stageValidation
    • ARPSpoofGuardTable, ARP-spoofing part of original SpoofGuardTable
  • stageOutput
    • ARPResponderTable, renamed from arpResponderTable

OVS pipelineIP is used to process IPv4/IPv6 packets. Stages and
tables in this pipeline:

  • stageClassifier
    • ClassifierTable, original ClassifierTable (0)
  • stageValidation
    • SpoofGuardTable, part of original SpoofGuardTable (10)
    • IPv6Table, original IPv6Table (21)
    • IPClassifierTable, newly added for multicast
  • stageConntrackState
    • SNATConntrackTable, original ServiceConntrackTable (35)
    • ConntrackTable, original ConntrackTable (30)
    • ConntrackStateTable, original ConntrackStateTable (31)
  • stagePreRouting
    • PreRoutingClassifierTable, newly added
    • NodePortMarkTable, original ServiceClassifierTable (35)
    • SessionAffinityTable, original SessionAffinityTable (41)
    • ServiceLBTable, original ServiceLBTable (41)
    • EndpointDNATTable, original EndpointDNATTable (42)
    • DNATTable, original DNATTable (40)
  • stageEgressSecurity
    • AntreaPolicyEgressRuleTable, original AntreaPolicyEgressRuleTable
      (45)
    • EgressRuleTable, original EgressRuleTable (50)
    • EgressDefaultTable, original EgressDefaultTable (60)
    • EgressMetricTable, original EgressMetricTable (61)
  • stageRouting
    • L3ForwardingTable, original L3ForwardingTable (70)
    • EgressMarkTable, original SNATTable (71)
    • L3DecTTLTable, original L3DecTTLTable (72)
  • stagePostRouting
    • ServiceMarkTable, newly added
    • SNATConntrackCommitTable, original ServiceConntrackCommitTable
      (105)
  • stageSwitching
    • L2ForwardingCalcTable, original L2ForwardingCalcTable (80)
  • stageIngressSecurity
    • IngressSecurityClassifierTable, newly added
    • AntreaPolicyIngressRuleTable, original AntreaPolicyIngressRuleTable
      (85)
    • IngressRuleTable, original IngressRuleTable (90)
    • IngressDefaultTable, original IngressDefaultTable (100)
    • IngressMetricTable, original IngressDefaultTable (101)
  • stageConntrack
    • ConntrackCommitTable, original ConntrackCommitTable (105)
  • stageOutput
    • L2ForwardingOutTable, original L2ForwardingOutTable (110)

OVS pipelineMulticast is used to process multicast packets.
Stages and tables in this pipeline:

  • stageRouting
    • MulticastTable, original MulticastTable (22)

Removed tables:

  • original ServiceHairpinTable (22)
  • original DefaultTierEgressRuleTable (49)
  • original HairpinSNATTable (108)

For hairpin connections, SNAT is performed by a CT operation instead of
modifying the source IP statelessly. Another change is to use different IPs
to perform SNAT:

  • Hairpin Service connection initiated through a local Pod, and SNAT
    is performed with the Antrea gateway IP.
  • Hairpin Service connection initiated through the Antrea gateway,
    and SNAT is performed with a virtual IP.

Signed-off-by: Hongliang Liu lhongliang@vmware.com

@hongliangl
Contributor Author

/test-all-features-conformance
/test-conformance
/test-e2e
/test-flexible-ipam-e2e
/test-ipv6-conformance
/test-ipv6-e2e
/test-ipv6-networkpolicy
/test-ipv6-only-conformance
/test-ipv6-only-e2e
/test-ipv6-only-networkpolicy
/test-multicluster-e2e
/test-networkpolicy
/test-windows-conformance
/test-windows-e2e
/test-windows-networkpolicy
/test-windows-proxyall-e2e

@hongliangl hongliangl changed the title Flexible pipeline (for testing only) Flexible pipeline (for testing only, please don't review this PR) Nov 26, 2021
@codecov-commenter

codecov-commenter commented Nov 26, 2021

Codecov Report

Merging #3058 (020c35b) into main (c7cb8ca) will decrease coverage by 1.00%.
The diff coverage is 76.10%.

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #3058      +/-   ##
==========================================
- Coverage   65.55%   64.55%   -1.01%     
==========================================
  Files         268      276       +8     
  Lines       26909    27117     +208     
==========================================
- Hits        17641    17505     -136     
- Misses       7346     7753     +407     
+ Partials     1922     1859      -63     
Flag             Coverage Δ
kind-e2e-tests   54.28% <70.26%> (-1.45%) ⬇️
unit-tests       42.92% <47.78%> (+0.22%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files                                Coverage Δ
pkg/agent/openflow/multicast.go               0.00%  <0.00%>  (ø)
pkg/agent/openflow/openflow_test_utils.go     0.00%  <0.00%>  (ø)
pkg/agent/openflow/pipeline.go                74.48% <ø>      (-5.39%) ⬇️
pkg/agent/openflow/pipeline_other.go          5.12%  <10.52%> (+2.90%) ⬆️
pkg/agent/openflow/cookie/allocator.go        74.19% <40.00%> (+6.45%) ⬆️
pkg/agent/openflow/egress.go                  57.89% <57.89%> (ø)
pkg/agent/openflow/pod_connectivity.go        69.81% <69.81%> (ø)
pkg/agent/openflow/client.go                  69.31% <74.48%> (+6.09%) ⬆️
pkg/agent/openflow/traceflow.go               80.00% <80.00%> (ø)
pkg/ovs/openflow/ofctrl_bridge.go             56.47% <81.81%> (+1.18%) ⬆️
... and 36 more

@hongliangl hongliangl force-pushed the flexible_pipeline_all branch 3 times, most recently from 59c7335 to 91e1c02, November 29, 2021 08:38
@hongliangl hongliangl changed the title Flexible pipeline (for testing only, please don't review this PR) Flexible pipeline Dec 6, 2021
Contributor

@luolanzone luolanzone left a comment


looks like you need to update all commits' title, #1 linked to the issue in Antrea which is misleading information.

@hongliangl
Contributor Author

looks like you need to update all commits' title, #1 linked to the issue in Antrea which is misleading information.

updated

Contributor

@jianjuns jianjuns left a comment


@hongliangl : I assume you will address comments on individual PRs too? For example, comments on #3035.

@hongliangl
Contributor Author

hongliangl commented Dec 7, 2021

@jianjuns I will address comments in #3035, but I won't update the code of individual PRs. Please review the code in this PR, thanks.

@XinShuYang
Contributor

/test-flexible-ipam-e2e

@Dyanngg
Contributor

Dyanngg commented Dec 8, 2021

A general question on debuggability: It used to be the case that we could use the table number in OVS dumps to find the specific flows (e.g. for an ACNP ingress rule, kubectl exec -n kube-system <ANTREA_AGENT_POD_NAME> -c antrea-ovs -- ovs-ofctl dump-flows br-int table=95). With the flexible pipeline change, how would a user find out which table number corresponds to AntreaPolicyIngressTable at runtime?
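The allocation rule in the PR description (a table is realized, and gets an OVS table ID, only when an activated feature references it; PipelineClassifierTable alone is pinned to 0) and the question above about locating a table by name at runtime are both illustrated by the Go program below. It is an added example written for this page, not Antrea's code: the stage, pipeline, table and feature names are taken from the description (a subset of the tables), while the feature-to-table wiring, the numbering convention and the function names (NewCatalogue, BuildFeatures, Realize, CheckForwardOnly, DumpFlowsCommand) are this example's own assumptions.

```go
package main

import "fmt"

// Added illustration, not Antrea's code: a toy model of the Flexible Pipeline in
// the PR description. Stage, pipeline, table and feature names are taken from it
// (a subset); feature-to-table wiring and the numbering rule are assumed here.

type Stage int    // processing order of stages inside a pipeline
type Pipeline int // order in which pipelines are numbered

const ( // only the stages the modelled tables use
	stageStart Stage = iota // holds only PipelineClassifierTable (table 0)
	stageClassifier
	stageValidation
	stageRouting
	stageIngressSecurity
	stageOutput
)

const (
	pipelineRoot Pipeline = iota
	pipelineARP
	pipelineIP
	pipelineMulticast
)

// Table is declared once and may be referenced by several features.
type Table struct {
	Name     string
	Pipeline Pipeline
	Stage    Stage
}

// Feature is a major data-path function; Activated mirrors its feature gate.
type Feature struct {
	Name      string
	Activated bool
	Tables    []*Table
}

// NewCatalogue lists every modelled table, realized or not, in the order the
// description gives them: by pipeline, then stage, then position in the stage.
func NewCatalogue() []*Table {
	return []*Table{
		{"PipelineClassifierTable", pipelineRoot, stageStart},
		{"ARPSpoofGuardTable", pipelineARP, stageValidation},
		{"ARPResponderTable", pipelineARP, stageOutput},
		{"ClassifierTable", pipelineIP, stageClassifier},
		{"SpoofGuardTable", pipelineIP, stageValidation},
		{"L3ForwardingTable", pipelineIP, stageRouting},
		{"EgressMarkTable", pipelineIP, stageRouting},
		{"L3DecTTLTable", pipelineIP, stageRouting},
		{"AntreaPolicyIngressRuleTable", pipelineIP, stageIngressSecurity},
		{"L2ForwardingOutTable", pipelineIP, stageOutput},
		{"MulticastTable", pipelineMulticast, stageRouting},
	}
}

// BuildFeatures wires features to catalogue tables (the wiring is assumed here);
// L3ForwardingTable is shared, Egress and Multicast follow their feature gates.
func BuildFeatures(c []*Table, egressGate, multicastGate bool) []*Feature {
	ref := func(names ...string) (ts []*Table) {
		for _, n := range names {
			for _, t := range c {
				if t.Name == n {
					ts = append(ts, t)
				}
			}
		}
		return ts
	}
	return []*Feature{
		{Name: "featurePodConnectivity", Activated: true, Tables: ref("PipelineClassifierTable",
			"ARPSpoofGuardTable", "ARPResponderTable", "ClassifierTable", "SpoofGuardTable",
			"L3ForwardingTable", "L3DecTTLTable", "L2ForwardingOutTable")},
		{Name: "featureNetworkPolicy", Activated: true, Tables: ref("AntreaPolicyIngressRuleTable")},
		{Name: "featureEgress", Activated: egressGate, Tables: ref("L3ForwardingTable", "EgressMarkTable")},
		{Name: "featureMulticast", Activated: multicastGate, Tables: ref("MulticastTable")},
	}
}

// Realize applies the rule from the description: a table gets an OVS table ID
// only if at least one activated feature references it. IDs are handed out by
// walking the catalogue in order, so PipelineClassifierTable is always 0 and
// the tables of a disabled feature simply drop out of the numbering.
func Realize(c []*Table, features []*Feature) map[string]int {
	wanted := map[*Table]bool{}
	for _, f := range features {
		for _, t := range f.Tables {
			wanted[t] = wanted[t] || f.Activated
		}
	}
	ids := map[string]int{}
	for _, t := range c {
		if wanted[t] {
			ids[t.Name] = len(ids) // next free ID
		}
	}
	return ids
}

// CheckForwardOnly is the invariant to assert after any renumbering: within one
// pipeline a later stage must never get a lower ID than an earlier stage, or a
// goto_table between them would be rejected (OpenFlow only jumps forward).
func CheckForwardOnly(c []*Table, ids map[string]int) error {
	for _, a := range c {
		for _, b := range c {
			ia, oka := ids[a.Name]
			ib, okb := ids[b.Name]
			if oka && okb && a.Pipeline == b.Pipeline && a.Stage < b.Stage && ia >= ib {
				return fmt.Errorf("%s (table %d) must precede %s (table %d)", a.Name, ia, b.Name, ib)
			}
		}
	}
	return nil
}

// DumpFlowsCommand answers the debuggability question in the thread: resolve the
// name to its current ID, then dump that table (command shape as quoted there).
func DumpFlowsCommand(ids map[string]int, table string) (string, error) {
	id, ok := ids[table]
	if !ok {
		return "", fmt.Errorf("%s is not realized: no activated feature references it", table)
	}
	return fmt.Sprintf("ovs-ofctl dump-flows br-int table=%d", id), nil
}

func main() {
	c := NewCatalogue()
	ids := Realize(c, BuildFeatures(c, true, false)) // Egress gate on, Multicast off
	if err := CheckForwardOnly(c, ids); err != nil {
		panic(err)
	}
	fmt.Println(DumpFlowsCommand(ids, "AntreaPolicyIngressRuleTable"))
}
```

Realize walks the catalogue in declared order, so flipping one feature gate shifts every ID after the first table that drops out; that is why a table number hard-coded in a runbook stops working under this design, and why the name-to-ID lookup has to happen against the running agent rather than a fixed list. CheckForwardOnly is the property to assert after any renumbering: OpenFlow goto_table may only jump to a higher table ID, so a catalogue declared out of stage order would produce flows the switch rejects.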

@hongliangl
Contributor Author

/test-windows-networkpolicy
/test-ipv6-conformance

@hongliangl
Contributor Author

/test-windows-networkpolicy

@XinShuYang
Contributor

/test-windows-networkpolicy

@tnqn
Member

tnqn commented Mar 21, 2022

/test-windows-networkpolicy

@hongliangl
Contributor Author

/test-windows-networkpolicy

@tnqn
Member

tnqn commented Mar 21, 2022

Do we know if "jenkins-windows-networkpolicy" failure is related?

@hongliangl
Contributor Author

Do we know if "jenkins-windows-networkpolicy" failure is related?

I'm finding the reason.

@hongliangl hongliangl dismissed stale reviews from jianjuns and tnqn via 16f813d March 21, 2022 16:45
@hongliangl
Contributor Author

/test-windows-networkpolicy

@hongliangl
Contributor Author

/test-windows-networkpolicy

@hongliangl
Contributor Author

/test-windows-networkpolicy

@hongliangl
Contributor Author

/test-all-features-conformance
/test-conformance
/test-e2e
/test-flexible-ipam-e2e
/test-multicluster-e2e
/test-networkpolicy
/test-windows-conformance
/test-windows-e2e
/test-windows-networkpolicy
/test-windows-proxyall-e2e
/test-integration

@hongliangl
Contributor Author

/test-windows-e2e
/test-windows-proxyall-e2e

@hongliangl
Contributor Author

/test-ipv6-conformance
/test-ipv6-e2e
/test-ipv6-networkpolicy
/test-ipv6-only-conformance
/test-ipv6-only-e2e
/test-ipv6-only-networkpolicy

@hongliangl
Contributor Author

/test-flexible-ipam-e2e
/test-integration

@hongliangl
Contributor Author

/test-integration

@hongliangl
Contributor Author

/test-integration

@hongliangl
Contributor Author

/test-ipv6-e2e

@hongliangl hongliangl requested a review from tnqn March 22, 2022 11:00
@tnqn tnqn merged commit 66208c5 into antrea-io:main Mar 22, 2022
@hongliangl
Contributor Author

Thanks everyone for reviewing this big PR!

@jianjuns
Contributor

jianjuns commented Mar 22, 2022

Congrats! @hongliangl
