Add OpenFlow rules for NodePort in shared gateway mode

pliurh · pliurh · commit 6d68c8743e72 · 2025-10-09T04:10:29.000-04:00
This commit introduces new OpenFlow rules to correctly handle NodePort
service traffic in a shared gateway configuration.

The new rules address two scenarios:

1.  A rule with priority 109 is added to drop traffic originating from
    OVN towards a NodePort. This prevents ingress traffic from being
    incorrectly forwarded to the host during OVN logical router
    resynchronizations.

2.  A higher-priority rule (110) is added to allow traffic from the
    local host or pods destined for a NodePort service to egress to the
    physical network. This ensures that local clients can access
    services via their NodePort.
diff --git a/go-controller/pkg/node/gateway_localnet_linux_test.go b/go-controller/pkg/node/gateway_localnet_linux_test.go
@@ -1195,6 +1195,10 @@ var _ = Describe("Node Operations", func() {
 					"cookie=0x453ae29bcbbc08bd, priority=110, in_port=eth0, tcp, tp_dst=31111, actions=output:patch-breth0_ov",
 					fmt.Sprintf("cookie=0x453ae29bcbbc08bd, priority=110, in_port=patch-breth0_ov, dl_src=%s, tcp, tp_src=31111, actions=output:eth0",
 						gwMAC),
+					fmt.Sprintf("cookie=0x453ae29bcbbc08bd, priority=110, in_port=patch-breth0_ov, dl_src=%s, tcp, tp_dst=31111, ip, nw_src=%s, actions=normal",
+						gwMAC, v4localnetGatewayIP),
+					fmt.Sprintf("cookie=0x453ae29bcbbc08bd, priority=109, in_port=patch-breth0_ov, dl_src=%s, tcp, tp_dst=31111, actions=drop",
+						gwMAC),
 				}
 				expectedLBIngressFlows := []string{
 					"cookie=0x10c6b89e483ea111, priority=110, in_port=eth0, arp, arp_op=1, arp_tpa=5.5.5.5, actions=output:LOCAL",
@@ -2308,6 +2312,10 @@ var _ = Describe("Node Operations", func() {
 					"cookie=0x453ae29bcbbc08bd, priority=110, in_port=eth0, tcp, tp_dst=31111, actions=output:patch-breth0_ov",
 					fmt.Sprintf("cookie=0x453ae29bcbbc08bd, priority=110, in_port=patch-breth0_ov, dl_src=%s, tcp, tp_src=31111, actions=output:eth0",
 						gwMAC),
+					fmt.Sprintf("cookie=0x453ae29bcbbc08bd, priority=110, in_port=patch-breth0_ov, dl_src=%s, tcp, tp_dst=31111, ip, nw_src=%s, actions=normal",
+						gwMAC, v4localnetGatewayIP),
+					fmt.Sprintf("cookie=0x453ae29bcbbc08bd, priority=109, in_port=patch-breth0_ov, dl_src=%s, tcp, tp_dst=31111, actions=drop",
+						gwMAC),
 				}
 
 				f4 := iptV4.(*util.FakeIPTables)
@@ -2598,6 +2606,10 @@ var _ = Describe("Node Operations", func() {
 					"cookie=0x453ae29bcbbc08bd, priority=110, in_port=eth0, tcp, tp_dst=31111, actions=output:patch-breth0_ov",
 					fmt.Sprintf("cookie=0x453ae29bcbbc08bd, priority=110, in_port=patch-breth0_ov, dl_src=%s, tcp, tp_src=31111, actions=output:eth0",
 						gwMAC),
+					fmt.Sprintf("cookie=0x453ae29bcbbc08bd, priority=110, in_port=patch-breth0_ov, dl_dst=%s, tcp, tp_dst=31111, ip, nw_src=%s, actions=normal",
+						gwMAC, v4localnetGatewayIP),
+					fmt.Sprintf("cookie=0x453ae29bcbbc08bd, priority=109, in_port=patch-breth0_ov, dl_dst=%s, tcp, tp_dst=31111, actions=drop",
+						gwMAC),
 				}
 
 				f4 := iptV4.(*util.FakeIPTables)
diff --git a/go-controller/pkg/node/gateway_shared_intf.go b/go-controller/pkg/node/gateway_shared_intf.go
@@ -329,11 +329,31 @@ func (npw *nodePortWatcher) updateServiceFlowCache(service *corev1.Service, netI
 					npw.ofm.updateFlowCacheEntry(key, nodeportFlows)
 				} else if config.Gateway.Mode == config.GatewayModeShared {
 					// case2 (see function description for details)
+					var ipProtocol, gwIP string
+					if strings.Contains(flowProtocol, "6") {
+						ipProtocol = "ip6"
+						gwIP = npw.gatewayIPv6
+					} else {
+						ipProtocol = "ip"
+						gwIP = npw.gatewayIPv4
+					}
+
 					npw.ofm.updateFlowCacheEntry(key, []string{
 						// table=0, matches on service traffic towards nodePort and sends it to OVN pipeline
 						fmt.Sprintf("cookie=%s, priority=110, in_port=%s, %s, tp_dst=%d, "+
 							"actions=%s",
 							cookie, npw.ofportPhys, flowProtocol, svcPort.NodePort, actions),
+						// table=0, matches on service traffic towards nodePort from OVN and drops it, to prevent the ingress traffic goes to the host.
+						// This is to prevent ingress traffic to nodePort from being forwarded to the host accidentally during GR OVN LB resyncs.
+						fmt.Sprintf("cookie=%s, priority=109, in_port=%s, dl_src=%s, %s, tp_dst=%d, "+
+							"actions=drop",
+							cookie, netConfig.OfPortPatch, npw.ofm.getDefaultBridgeMAC(), flowProtocol, svcPort.NodePort),
+						// table=0, matches on local host/pods egress traffic to service nodePort and sends it out to physical network.
+						// This is needed for the case where a local pod/host is trying to access the service via nodePort. It gets higher
+						// priority than the previous rule to allow local traffic to nodePort to be sent out.
+						fmt.Sprintf("cookie=%s, priority=110, in_port=%s, dl_src=%s, %s, tp_dst=%d, %s, nw_src=%s, "+
+							"actions=normal",
+							cookie, netConfig.OfPortPatch, npw.ofm.getDefaultBridgeMAC(), flowProtocol, svcPort.NodePort, ipProtocol, gwIP),
 						// table=0, matches on return traffic from service nodePort and sends it out to primary node interface (br-ex)
 						fmt.Sprintf("cookie=%s, priority=110, in_port=%s, dl_src=%s, %s, tp_src=%d, "+
 							"actions=output:%s",
