openshift-sdn: skip OPENSHIFT-MASQ for traffic already marked.

[squeed]

If a packet has already been marked by other kube-proxy rules for masquerade, don't run it through the OPENSHIFT-MASQUERADE chain for further twiddling.

Most notably, this chain is used for Egress IPs.

This change fixes a bug where egress IPs can't access services via their ExternalIP. (bz1726045)

[squeed]

cc @danwinship

[danwinship]

So this implies that connections to an ExternalIP from a namespace using an egress IP will not use the egress IP. Is that not fixable?

[squeed]

So this implies that connections to an ExternalIP from a namespace using an egress IP will not use the egress IP. Is that not fixable?

Basically, yes. Connections from pods to external IPs are always masqueraded (as opposed to static SNAT). That prevents the RPF issues, as the source IP is chosen after the routing decision.

Even after disabling rpf filtering, egress -> external traffic was still being dropped by the conntrack INVALID filter on response, since it too doesn't like asymmetric routing.

So it does leave us with a bit of an odd situation, where the source IP is the tun0 address of the node holding the egress IP. The only other way I could think to do this would be to program every external IP in to the flow rules to skip egress IP forwarding. If you think that's a better choice, we could do that.

[pecameron]

Seems reasonable to me. I am not familiar enough with this code to do more than comment.

[danwinship]

/lgtm

[squeed]

/retest

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danwinship, squeed

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• staging/src/github.com/openshift/sdn/OWNERS [danwinship,squeed]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[danwinship]

staging sdn is imminently about to be deleted and even if this merges first I think there still might be a race condition with the staging bot... keep an eye on it and be ready to re-file

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-ci-robot]

@squeed: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
ci/prow/e2e-aws	ce17b0f	link	/test e2e-aws

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[squeed]

/hold

[openshift-ci-robot]

@squeed: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[squeed]

Moved to openshift/sdn#13