
Commit e550dc3

committed
Prevent inbound NodePort traffic from being forward to kernel
Set ct_mark 0x1 for inbound traffic to a NodePort service. Added a new flow that drops traffic from OVN to the NodePort service, so that NodePort traffic is not accidentally forwarded to the host during GR OVN LB resyncs. Fixes the flake in the test "[sig-network] Conntrack should be able to preserve UDP traffic when server pod cycles for a NodePort service". Signed-off-by: Peng Liu <[email protected]>
1 parent e712193 commit e550dc3

2 files changed

+15
-5
lines changed


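--- a/go-controller/pkg/node/gateway_localnet_linux_test.go
+++ b/go-controller/pkg/node/gateway_localnet_linux_test.go
@@ -1192,7 +1192,8 @@ var _ = Describe("Node Operations", func() {
 },
 }
 expectedNodePortFlows := []string{
-"cookie=0x453ae29bcbbc08bd, priority=110, in_port=eth0, tcp, tp_dst=31111, actions=output:patch-breth0_ov",
+"cookie=0x453ae29bcbbc08bd, priority=110, in_port=eth0, tcp, tp_dst=31111, actions=ct(commit, zone=64003, exec(set_field:0x1->ct_mark)),output:patch-breth0_ov",
+"cookie=0x453ae29bcbbc08bd, priority=110, in_port=patch-breth0_ov, tcp, tp_dst=31111, ct_state=+est+trk, ct_mark=0x1,actions=drop",
 fmt.Sprintf("cookie=0x453ae29bcbbc08bd, priority=110, in_port=patch-breth0_ov, dl_src=%s, tcp, tp_src=31111, actions=output:eth0",
 gwMAC),
 }
@@ -2305,7 +2306,8 @@ var _ = Describe("Node Operations", func() {
 }
 expectedFlows := []string{
 // default
-"cookie=0x453ae29bcbbc08bd, priority=110, in_port=eth0, tcp, tp_dst=31111, actions=output:patch-breth0_ov",
+"cookie=0x453ae29bcbbc08bd, priority=110, in_port=eth0, tcp, tp_dst=31111, actions=ct(commit, zone=64003, exec(set_field:0x1->ct_mark)),output:patch-breth0_ov",
+"cookie=0x453ae29bcbbc08bd, priority=110, in_port=patch-breth0_ov, tcp, tp_dst=31111, ct_state=+est+trk, ct_mark=0x1,actions=drop",
 fmt.Sprintf("cookie=0x453ae29bcbbc08bd, priority=110, in_port=patch-breth0_ov, dl_src=%s, tcp, tp_src=31111, actions=output:eth0",
 gwMAC),
 }
@@ -2595,7 +2597,8 @@ var _ = Describe("Node Operations", func() {
 }
 expectedFlows := []string{
 // default
-"cookie=0x453ae29bcbbc08bd, priority=110, in_port=eth0, tcp, tp_dst=31111, actions=output:patch-breth0_ov",
+"cookie=0x453ae29bcbbc08bd, priority=110, in_port=eth0, tcp, tp_dst=31111, actions=ct(commit, zone=64003, exec(set_field:0x1->ct_mark)),output:patch-breth0_ov",
+"cookie=0x453ae29bcbbc08bd, priority=110, in_port=patch-breth0_ov, tcp, tp_dst=31111, ct_state=+est+trk, ct_mark=0x1,actions=drop",
 fmt.Sprintf("cookie=0x453ae29bcbbc08bd, priority=110, in_port=patch-breth0_ov, dl_src=%s, tcp, tp_src=31111, actions=output:eth0",
 gwMAC),
 }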
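Review bot: The three updated expectation lists (this hunk and the two at -2305 and -2595) exercise only `tcp` NodePort flows, while the commit message targets a UDP conntrack flake; unless a udp NodePort case already exists elsewhere in this file, an expectation with `udp, tp_dst=31111` covering both the ct(commit) flow and the new drop flow would pin the protocol the flake actually involves. Each changed run sits inside an expected-flows slice whose enclosing Describe/It block begins and ends outside the hunk.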

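--- a/go-controller/pkg/node/gateway_shared_intf.go
+++ b/go-controller/pkg/node/gateway_shared_intf.go
@@ -331,9 +331,16 @@ func (npw *nodePortWatcher) updateServiceFlowCache(service *corev1.Service, netI
 // case2 (see function description for details)
 npw.ofm.updateFlowCacheEntry(key, []string{
 // table=0, matches on service traffic towards nodePort and sends it to OVN pipeline
+// setting the ct_mark to '0x1' to indicate that this is OVN traffic
 fmt.Sprintf("cookie=%s, priority=110, in_port=%s, %s, tp_dst=%d, "+
-"actions=%s",
-cookie, npw.ofportPhys, flowProtocol, svcPort.NodePort, actions),
+"actions=ct(commit, zone=%d, exec(set_field:%s->ct_mark)),%s",
+cookie, npw.ofportPhys, flowProtocol, svcPort.NodePort, config.Default.HostNodePortConntrackZone, nodetypes.CtMarkOVN, actions),
+// table=0, matches on service traffic towards nodePort from OVN and drops it, to prevent the traffic goes to the host.
+// match on ct_state=+est+trk and ct_mark=0x1 to ensure that this rule only applies to return traffic from OVN.
+// This is to prevent traffic to nodePort from being forwarded to the host accidentally during GR OVN LB resyncs.
+fmt.Sprintf("cookie=%s, priority=110, in_port=%s, %s, tp_dst=%d, ct_state=+est+trk, ct_mark=%s,"+
+"actions=drop",
+cookie, netConfig.OfPortPatch, flowProtocol, svcPort.NodePort, nodetypes.CtMarkOVN),
 // table=0, matches on return traffic from service nodePort and sends it out to primary node interface (br-ex)
 fmt.Sprintf("cookie=%s, priority=110, in_port=%s, dl_src=%s, %s, tp_src=%d, "+
 "actions=output:%s",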
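Review bot: The comment above the new drop flow says it applies to "return traffic from OVN", but the match is `tp_dst=%d` (the NodePort as destination), i.e. original-direction traffic toward the NodePort that has re-entered from the patch port; replies are the tp_src flow below, so the comment should read `// match on ct_state=+est+trk and ct_mark=0x1 so only NodePort-bound traffic already committed by the flow above (i.e. looped back from OVN) is dropped, never the replies`. ct_state and ct_mark are only populated after the packet has passed a ct() lookup in zone config.Default.HostNodePortConntrackZone, and whether patch-port traffic reaches this priority=110 match already tracked in that zone depends on default flows outside this hunk, so a packet-level check would confirm the drop actually fires rather than only the flow string being present. Minor style: the match string omits the space before `actions=drop` that every other flow in this list has (`ct_mark=%s, "+`), which OVS tolerates but reads inconsistently. updateServiceFlowCache begins and ends outside the hunk.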
