ovn: do not send direct traffic between lports to conntrack (#3663)

Signed-off-by: zhangzujian <zhangzujian.7@gmail.com>
kubeovn · Jan 30, 2024 · 822df37 · 822df37
1 parent 130f06c
commit 822df37
Show file tree

Hide file tree

Showing 12 changed files with 50 additions and 1 deletion.
diff --git a/charts/templates/controller-deploy.yaml b/charts/templates/controller-deploy.yaml
@@ -99,6 +99,7 @@ spec:
           - --default-vlan-name={{- .Values.networking.vlan.VLAN_NAME }}
           - --default-vlan-id={{- .Values.networking.vlan.VLAN_ID }}
           - --ls-dnat-mod-dl-dst={{- .Values.func.LS_DNAT_MOD_DL_DST }}
+          - --ls-ct-skip-dst-lport-ips={{- .Values.func.LS_CT_SKIP_DST_LPORT_IPS }}
           - --pod-nic-type={{- .Values.networking.POD_NIC_TYPE }}
           - --enable-lb={{- .Values.func.ENABLE_LB }}
           - --enable-np={{- .Values.func.ENABLE_NP }}

diff --git a/charts/values.yaml b/charts/values.yaml
@@ -62,6 +62,7 @@ func:
   ENABLE_LB_SVC: false
   ENABLE_KEEP_VM_IP: true
   LS_DNAT_MOD_DL_DST: true
+  LS_CT_SKIP_DST_LPORT_IPS: true
   ENABLE_BIND_LOCAL_IP: true
   U2O_INTERCONNECTION: false
   ENABLE_TPROXY: false

diff --git a/dist/images/Dockerfile.base b/dist/images/Dockerfile.base
@@ -44,7 +44,9 @@ RUN cd /usr/src/ && git clone -b branch-22.12 --depth=1 https://github.com/ovn-o
     # ovn-controller: do not send GARP on localnet for Kube-OVN ports
     curl -s https://github.com/kubeovn/ovn/commit/8af8751cdb55f582c675db921f2526b06fd3d8c0.patch | git apply && \
     # ovn-ic blacklist function not work on ipv6
-    curl -s https://github.com/kubeovn/ovn/commit/78ab91005854532e7eb5c4fe6b2923ce292e3681.patch | git apply
+    curl -s https://github.com/kubeovn/ovn/commit/78ab91005854532e7eb5c4fe6b2923ce292e3681.patch | git apply && \
+    # lflow: do not send direct traffic between lports to conntrack
+    curl -s https://github.com/kubeovn/ovn/commit/6f1af045845deeabf06fdc7c90073e0a6874ab2f.patch | git apply
 
 RUN apt install -y build-essential fakeroot \
     autoconf automake bzip2 debhelper-compat dh-exec dh-python dh-sequence-python3 dh-sequence-sphinxdoc \

diff --git a/dist/images/install.sh b/dist/images/install.sh
@@ -15,6 +15,7 @@ ENABLE_LB=${ENABLE_LB:-true}
 ENABLE_NP=${ENABLE_NP:-true}
 ENABLE_EIP_SNAT=${ENABLE_EIP_SNAT:-true}
 LS_DNAT_MOD_DL_DST=${LS_DNAT_MOD_DL_DST:-true}
+LS_CT_SKIP_DST_LPORT_IPS=${LS_CT_SKIP_DST_LPORT_IPS:-true}
 ENABLE_EXTERNAL_VPC=${ENABLE_EXTERNAL_VPC:-true}
 CNI_CONFIG_PRIORITY=${CNI_CONFIG_PRIORITY:-01}
 ENABLE_LB_SVC=${ENABLE_LB_SVC:-false}
@@ -3959,6 +3960,7 @@ spec:
           - --default-exchange-link-name=$EXCHANGE_LINK_NAME
           - --default-vlan-id=$VLAN_ID
           - --ls-dnat-mod-dl-dst=$LS_DNAT_MOD_DL_DST
+          - --ls-ct-skip-dst-lport-ips=$LS_CT_SKIP_DST_LPORT_IPS
           - --pod-nic-type=$POD_NIC_TYPE
           - --enable-lb=$ENABLE_LB
           - --enable-np=$ENABLE_NP

diff --git a/mocks/pkg/ovs/interface.go b/mocks/pkg/ovs/interface.go
diff --git a/pkg/controller/config.go b/pkg/controller/config.go
@@ -78,6 +78,7 @@ type Configuration struct {
 	DefaultVlanName         string
 	DefaultVlanID           int
 	LsDnatModDlDst          bool
+	LsCtSkipDstLportIPs     bool
 
 	EnableLb          bool
 	EnableNP          bool
@@ -149,6 +150,7 @@ func ParseFlags() (*Configuration, error) {
 		argDefaultVlanName         = pflag.String("default-vlan-name", "ovn-vlan", "The default vlan name")
 		argDefaultVlanID           = pflag.Int("default-vlan-id", 1, "The default vlan id")
 		argLsDnatModDlDst          = pflag.Bool("ls-dnat-mod-dl-dst", true, "Set ethernet destination address for DNAT on logical switch")
+		argLsCtSkipDstLportIPs     = pflag.Bool("ls-ct-skip-dst-lport-ips", true, "Skip conntrack for direct traffic between lports")
 		argPodNicType              = pflag.String("pod-nic-type", "veth-pair", "The default pod network nic implementation type")
 		argPodDefaultFipType       = pflag.String("pod-default-fip-type", "", "The type of fip bind to pod automatically: iptables")
 		argEnableLb                = pflag.Bool("enable-lb", true, "Enable load balancer")
@@ -223,6 +225,7 @@ func ParseFlags() (*Configuration, error) {
 		NetworkType:                    *argNetworkType,
 		DefaultVlanID:                  *argDefaultVlanID,
 		LsDnatModDlDst:                 *argLsDnatModDlDst,
+		LsCtSkipDstLportIPs:            *argLsCtSkipDstLportIPs,
 		DefaultProviderName:            *argDefaultProviderName,
 		DefaultHostInterface:           *argDefaultInterfaceName,
 		DefaultExchangeLinkName:        *argDefaultExchangeLinkName,

diff --git a/pkg/controller/controller.go b/pkg/controller/controller.go
@@ -777,6 +777,10 @@ func (c *Controller) Run(ctx context.Context) {
 		util.LogFatalAndExit(err, "failed to set NB_Global option use_ct_inv_match to false")
 	}
 
+	if err := c.OVNNbClient.SetLsCtSkipDstLportIPs(c.config.LsCtSkipDstLportIPs); err != nil {
+		util.LogFatalAndExit(err, "failed to set NB_Global option ls_ct_skip_dst_lport_ips")
+	}
+
 	if err := c.InitOVN(); err != nil {
 		util.LogFatalAndExit(err, "failed to initialize ovn resources")
 	}

diff --git a/pkg/ovs/interface.go b/pkg/ovs/interface.go
@@ -17,6 +17,7 @@ type NBGlobal interface {
 	SetUseCtInvMatch() error
 	SetICAutoRoute(enable bool, blackList []string) error
 	SetLsDnatModDlDst(enabled bool) error
+	SetLsCtSkipDstLportIPs(enabled bool) error
 	GetNbGlobal() (*ovnnb.NBGlobal, error)
 }
 

diff --git a/pkg/ovs/ovn-nb_global.go b/pkg/ovs/ovn-nb_global.go
@@ -153,3 +153,7 @@ func (c *OVNNbClient) SetLBCIDR(serviceCIDR string) error {
 func (c *OVNNbClient) SetLsDnatModDlDst(enabled bool) error {
 	return c.SetNbGlobalOptions("ls_dnat_mod_dl_dst", enabled)
 }
+
+func (c *OVNNbClient) SetLsCtSkipDstLportIPs(enabled bool) error {
+	return c.SetNbGlobalOptions("ls_ct_skip_dst_lport_ips", enabled)
+}
diff --git a/yamls/kube-ovn-dual-stack.yaml b/yamls/kube-ovn-dual-stack.yaml
@@ -66,6 +66,7 @@ spec:
             - --default-exchange-link-name=false
             - --default-vlan-id=100
             - --ls-dnat-mod-dl-dst=true
+            - --ls-ct-skip-dst-lport-ips=true
             - --pod-nic-type=veth-pair
             - --enable-lb=true
             - --enable-np=true

diff --git a/yamls/kube-ovn-ipv6.yaml b/yamls/kube-ovn-ipv6.yaml
@@ -66,6 +66,7 @@ spec:
             - --default-exchange-link-name=false
             - --default-vlan-id=100
             - --ls-dnat-mod-dl-dst=true
+            - --ls-ct-skip-dst-lport-ips=true
             - --pod-nic-type=veth-pair
             - --enable-lb=true
             - --enable-np=true

diff --git a/yamls/kube-ovn.yaml b/yamls/kube-ovn.yaml
@@ -66,6 +66,7 @@ spec:
             - --default-exchange-link-name=false
             - --default-vlan-id=100
             - --ls-dnat-mod-dl-dst=true
+            - --ls-ct-skip-dst-lport-ips=true
             - --pod-nic-type=veth-pair
             - --enable-lb=true
             - --enable-np=true