
Flexible pipeline #3058

Merged
merged 1 commit into from Mar 22, 2022

Commits on Mar 22, 2022

  1. Flexible Pipeline

    Flexible Pipeline is a framework to generate OVS pipelines with dynamic
    table IDs. There are some abstractions introduced in this framework:
    
    - **feature** is the interface to program a major function in Antrea
      data path
    - **stage** in FlexiblePipeline is used to group tables which implement
      similar functions in a pipeline
    - **pipeline** is used to implement a major function in Antrea data
      path
    - **Table** is the basic unit to build OVS pipelines. A Table can be
      referenced by one or more features, but its member struct ofTable
      will be initialized and realized on OVS only when it is referenced
      by any activated features
    
    At this moment, we have the following features:
    
    - featurePodConnectivity, implementation of connectivity for Pods,
      activated by default
    - featureNetworkPolicy, implementation of K8s NetworkPolicy and Antrea
      NetworkPolicy, activated by default
    - featureService, implementation of K8s Service, activated by default
    - featureEgress, implementation of Egress, activation is determined by
      feature gate Egress
    - featureMulticast, implementation of multicast, activation is
      determined by feature gate Multicast
    
    At this moment, we have the following stages:
    
    - stageStart is only used to initialize PipelineClassifierTable
    - stageClassifier is used to classify packets by "category" (tunnel, local
      gateway or local Pod, etc.)
    - stageValidation is used to validate packets
    - stageConntrackState is used to transform committed packets in CT zones
    - stagePreRouting is similar to the PREROUTING chain of the nat table in
      iptables. DNAT for Service connections is performed in this stage
    - stageEgressSecurity is used to install egress rules for K8s
      NetworkPolicy and Antrea NetworkPolicy
    - stageRouting is used to implement L3 Forwarding of packets.
    - stagePostRouting is similar to the POSTROUTING chain of the nat table in
      iptables. SNAT for Service connections is performed in this stage
    - stageSwitching is used to implement L2 Forwarding of packets
    - stageIngressSecurity is used to install ingress rules for K8s
      NetworkPolicy and Antrea NetworkPolicy
    - stageConntrack is used to commit non-Service connections
    - stageOutput is used to output packets to target port
    
    At this moment, we have the following pipelines:
    
    - pipelineRoot is only used to initialize PipelineClassifierTable
    - pipelineARP is used to process ARP packets
    - pipelineIP is used to process IPv4/IPv6 packets
    - pipelineMulticast is used to process multicast packets
    
    After refactoring, PipelineClassifierTable is table 0. It's the only
    fixed table ID. Packets are forwarded to different pipelines in this
    table.
    
    OVS pipelineARP is used to process ARP packets. Stages and tables
    in this pipeline:
    
    - stageValidation
      - ARPSpoofGuardTable, ARP-spoofing part of original SpoofGuardTable
    - stageOutput
      - ARPResponderTable, renamed from arpResponderTable
    
    OVS pipelineIP is used to process IPv4/IPv6 packets. Stages and
    tables in this pipeline:
    
    - stageClassifier
      - ClassifierTable, original ClassifierTable (0)
    - stageValidation
      - SpoofGuardTable, part of original SpoofGuardTable (10)
      - IPv6Table, original IPv6Table (21)
      - IPClassifierTable, newly added for multicast
    - stageConntrackState
      - SNATConntrackTable, original ServiceConntrackTable (35)
      - ConntrackTable, original ConntrackTable (30)
      - ConntrackStateTable, original ConntrackStateTable (31)
    - stagePreRouting
      - PreRoutingClassifierTable, newly added
      - NodePortMarkTable, original ServiceClassifierTable (35)
      - SessionAffinityTable, original SessionAffinityTable (41)
      - ServiceLBTable, original ServiceLBTable (41)
      - EndpointDNATTable, original EndpointDNATTable (42)
      - DNATTable, original DNATTable (40)
    - stageEgressSecurity
      - AntreaPolicyEgressRuleTable, original AntreaPolicyEgressRuleTable
        (45)
      - EgressRuleTable, original EgressRuleTable (50)
      - EgressDefaultTable, original EgressDefaultTable (60)
      - EgressMetricTable, original EgressMetricTable (61)
    - stageRouting
      - L3ForwardingTable, original L3ForwardingTable (70)
      - EgressMarkTable, original SNATTable (71)
      - L3DecTTLTable, original L3DecTTLTable (72)
    - stagePostRouting
      - ServiceMarkTable, newly added
      - SNATConntrackCommitTable, original ServiceConntrackCommitTable
        (105)
    - stageSwitching
      - L2ForwardingCalcTable, original L2ForwardingCalcTable (80)
    - stageIngressSecurity
      - IngressSecurityClassifierTable, newly added
      - AntreaPolicyIngressRuleTable, original AntreaPolicyIngressRuleTable
        (85)
      - IngressRuleTable, original IngressRuleTable (90)
      - IngressDefaultTable, original IngressDefaultTable (100)
      - IngressMetricTable, original IngressDefaultTable (101)
    - stageConntrack
      - ConntrackCommitTable, original ConntrackCommitTable (105)
    - stageOutput
      - L2ForwardingOutTable, original L2ForwardingOutTable (110)
    
    OVS pipelineMulticast is used to process multicast packets.
    Stages and tables in this pipeline:
    
    - stageRouting
      - MulticastTable, original MulticastTable (22)
    
    Removed tables:
    
    - original ServiceHairpinTable (22)
    - original DefaultTierEgressRuleTable (49)
    - original HairpinSNATTable (108)
    
    For hairpin connections, SNAT is performed by a CT operation instead of
    by statelessly modifying the source IP. Another change is to use
    different IPs to perform SNAT:
    
    - For a hairpin Service connection initiated through a local Pod, SNAT
      is performed with the Antrea gateway IP.
    - For a hairpin Service connection initiated through the Antrea gateway,
      SNAT is performed with a virtual IP.
    
    Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
    hongliangl committed Mar 22, 2022
    Commit 7b8495f
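The table-ID assignment the commit message describes (a Table is realized on OVS only when some activated feature references it, IDs follow stage order, PipelineClassifierTable stays at 0) as an added Go sketch that is not Antrea's own code; the stage set, table set and feature-to-table references are a constructed subset of those listed above.

```go
package main

const (
	stageStart = iota // stages in pipeline order; realized tables are numbered in this order
	stageValidation
	stagePreRouting
	stageRouting
	stageOutput
)

type table struct {
	name  string
	stage int
}

// buildPipeline maps table name -> OVS table ID for an activated feature set;
// tables referenced only by inactive features are never realized. The
// feature/table references are a constructed subset of the commit message's.
func buildPipeline(activated map[string]bool) map[string]int {
	classifier := &table{"PipelineClassifierTable", stageStart}
	spoof := &table{"SpoofGuardTable", stageValidation}
	lb := &table{"ServiceLBTable", stagePreRouting}
	l3 := &table{"L3ForwardingTable", stageRouting}
	egressMark := &table{"EgressMarkTable", stageRouting}
	out := &table{"L2ForwardingOutTable", stageOutput}
	all := []*table{classifier, spoof, lb, l3, egressMark, out}
	features := map[string][]*table{ // feature -> tables it references
		"featurePodConnectivity": {classifier, spoof, l3, out},
		"featureService":         {classifier, lb, l3, out},
		"featureEgress":          {classifier, l3, egressMark, out},
	}
	referenced := map[*table]bool{}
	for name, tables := range features {
		if activated[name] {
			for _, t := range tables {
				referenced[t] = true
			}
		}
	}
	ids, next := map[string]int{}, 0
	for s := stageStart; s <= stageOutput; s++ { // stage order, then declaration order
		for _, t := range all {
			if t.stage == s && referenced[t] {
				ids[t.name], next = next, next+1
			}
		}
	}
	return ids
}
```

Enabling or disabling a feature (here featureEgress) shifts the IDs of every later table, which is why the framework fixes only table 0.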