Remove table ServiceHairpinTable and HairpinSNATTable

Signed-off-by: Hongliang Liu <[email protected]>
antrea-io · Sep 26, 2021 · d14680a · d14680a
1 parent e880406
commit d14680a
Show file tree

Hide file tree

Showing 14 changed files with 199 additions and 231 deletions.
diff --git a/pkg/agent/flowexporter/connections/conntrack_connections.go b/pkg/agent/flowexporter/connections/conntrack_connections.go
@@ -123,10 +123,10 @@ func (cs *ConntrackConnectionStore) Poll() ([]int, error) {
 	var zones []uint16
 	var connsLens []int
 	if cs.v4Enabled {
-		zones = append(zones, openflow.CtZone)
+		zones = append(zones, openflow.DNATCtZone)
 	}
 	if cs.v6Enabled {
-		zones = append(zones, openflow.CtZoneV6)
+		zones = append(zones, openflow.DNATCtZoneV6)
 	}
 	var totalConns int
 	for _, zone := range zones {

diff --git a/pkg/agent/flowexporter/connections/conntrack_connections_perf_test.go b/pkg/agent/flowexporter/connections/conntrack_connections_perf_test.go
@@ -67,7 +67,7 @@ func BenchmarkPoll(b *testing.B) {
 	conns := generateConns()
 	b.ResetTimer()
 	for n := 0; n < b.N; n++ {
-		mockConnDumper.EXPECT().DumpFlows(uint16(openflow.CtZone)).Return(conns, testNumOfConns, nil)
+		mockConnDumper.EXPECT().DumpFlows(uint16(openflow.DNATCtZone)).Return(conns, testNumOfConns, nil)
 		connStore.Poll()
 		b.StopTimer()
 		conns = generateUpdatedConns(conns)

diff --git a/pkg/agent/flowexporter/connections/conntrack_connections_test.go b/pkg/agent/flowexporter/connections/conntrack_connections_test.go
@@ -378,7 +378,7 @@ func TestConnectionStore_MetricSettingInPoll(t *testing.T) {
 	// Hard-coded conntrack occupancy metrics for test
 	TotalConnections := 0
 	MaxConnections := 300000
-	mockConnDumper.EXPECT().DumpFlows(uint16(openflow.CtZone)).Return(testFlows, TotalConnections, nil)
+	mockConnDumper.EXPECT().DumpFlows(uint16(openflow.DNATCtZone)).Return(testFlows, TotalConnections, nil)
 	mockConnDumper.EXPECT().GetMaxConnections().Return(MaxConnections, nil)
 	connsLens, err := conntrackConnStore.Poll()
 	require.Nil(t, err, fmt.Sprintf("Failed to add connections to connection store: %v", err))

diff --git a/pkg/agent/flowexporter/connections/conntrack_linux.go b/pkg/agent/flowexporter/connections/conntrack_linux.go
@@ -61,7 +61,7 @@ func NewConnTrackSystem(nodeConfig *config.NodeConfig, serviceCIDRv4 *net.IPNet,
 // DumpFlows opens netlink connection and dumps all the flows in Antrea ZoneID of conntrack table.
 func (ct *connTrackSystem) DumpFlows(zoneFilter uint16) ([]*flowexporter.Connection, int, error) {
 	svcCIDR := ct.serviceCIDRv4
-	if zoneFilter == openflow.CtZoneV6 {
+	if zoneFilter == openflow.DNATCtZoneV6 {
 		svcCIDR = ct.serviceCIDRv6
 	}
 	// Get connection to netlink socket

diff --git a/pkg/agent/flowexporter/connections/conntrack_linux_test.go b/pkg/agent/flowexporter/connections/conntrack_linux_test.go
@@ -58,17 +58,17 @@ func TestConnTrackSystem_DumpFlows(t *testing.T) {
 	tuple := flowexporter.Tuple{SourceAddress: net.IP{1, 2, 3, 4}, DestinationAddress: net.IP{4, 3, 2, 1}, Protocol: 6, SourcePort: 65280, DestinationPort: 255}
 	antreaFlow := &flowexporter.Connection{
 		FlowKey: tuple,
-		Zone:    openflow.CtZone,
+		Zone:    openflow.DNATCtZone,
 	}
 	tuple = flowexporter.Tuple{SourceAddress: net.IP{1, 2, 3, 4}, DestinationAddress: net.IP{100, 50, 25, 5}, Protocol: 6, SourcePort: 60001, DestinationPort: 200}
 	antreaServiceFlow := &flowexporter.Connection{
 		FlowKey: tuple,
-		Zone:    openflow.CtZone,
+		Zone:    openflow.DNATCtZone,
 	}
 	tuple = flowexporter.Tuple{SourceAddress: net.IP{5, 6, 7, 8}, DestinationAddress: net.IP{8, 7, 6, 5}, Protocol: 6, SourcePort: 60001, DestinationPort: 200}
 	antreaGWFlow := &flowexporter.Connection{
 		FlowKey: tuple,
-		Zone:    openflow.CtZone,
+		Zone:    openflow.DNATCtZone,
 	}
 	nonAntreaFlow := &flowexporter.Connection{
 		FlowKey: tuple,
@@ -100,9 +100,9 @@ func TestConnTrackSystem_DumpFlows(t *testing.T) {
 	connDumperDPSystem.connTrack = mockNetlinkCT
 	// Set expects for mocks
 	mockNetlinkCT.EXPECT().Dial().Return(nil)
-	mockNetlinkCT.EXPECT().DumpFlowsInCtZone(uint16(openflow.CtZone)).Return(testFlows, nil)
+	mockNetlinkCT.EXPECT().DumpFlowsInCtZone(uint16(openflow.DNATCtZone)).Return(testFlows, nil)
 
-	conns, totalConns, err := connDumperDPSystem.DumpFlows(openflow.CtZone)
+	conns, totalConns, err := connDumperDPSystem.DumpFlows(openflow.DNATCtZone)
 	assert.NoErrorf(t, err, "Dump flows function returned error: %v", err)
 	assert.Equal(t, 1, len(conns), "number of filtered connections should be equal")
 	assert.Equal(t, len(testFlows), totalConns, "Number of connections in conntrack table should be equal to testFlows")
@@ -173,7 +173,7 @@ func TestConnTrackOvsAppCtl_DumpFlows(t *testing.T) {
 	}
 	mockOVSCtlClient.EXPECT().RunAppctlCmd("dpctl/dump-conntrack", false, "-m", "-s").Return(ovsctlCmdOutput, nil)
 
-	conns, totalConns, err := connDumper.DumpFlows(uint16(openflow.CtZone))
+	conns, totalConns, err := connDumper.DumpFlows(uint16(openflow.DNATCtZone))
 	if err != nil {
 		t.Errorf("conntrackNetdev.DumpConnections function returned error: %v", err)
 	}

diff --git a/pkg/agent/flowexporter/connections/conntrack_ovs.go b/pkg/agent/flowexporter/connections/conntrack_ovs.go
@@ -85,7 +85,7 @@ func NewConnTrackOvsAppCtl(nodeConfig *config.NodeConfig, serviceCIDRv4 *net.IPN
 // DumpFlows uses "ovs-appctl dpctl/dump-conntrack" to dump conntrack flows in the Antrea ZoneID.
 func (ct *connTrackOvsCtl) DumpFlows(zoneFilter uint16) ([]*flowexporter.Connection, int, error) {
 	svcCIDR := ct.serviceCIDRv4
-	if zoneFilter == openflow.CtZoneV6 {
+	if zoneFilter == openflow.DNATCtZoneV6 {
 		svcCIDR = ct.serviceCIDRv6
 	}
 	conns, totalConns, err := ct.ovsAppctlDumpConnections(zoneFilter)

diff --git a/pkg/agent/flowexporter/connections/conntrack_windows.go b/pkg/agent/flowexporter/connections/conntrack_windows.go
@@ -34,9 +34,9 @@ type connTrackOvsCtlWindows struct {
 func (ct *connTrackOvsCtlWindows) GetMaxConnections() (int, error) {
 	var zoneID int
 	if ct.serviceCIDRv4 != nil {
-		zoneID = openflow.CtZone
+		zoneID = openflow.DNATCtZone
 	} else {
-		zoneID = openflow.CtZoneV6
+		zoneID = openflow.DNATCtZoneV6
 	}
 	// dpctl/ct-get-maxconns returns operation not supported on Windows node, use dpctl/ct-get-limits intead.
 	cmdOutput, execErr := ct.ovsctlClient.RunAppctlCmd("dpctl/ct-get-limits", false, fmt.Sprintf("zone=%d", zoneID))

diff --git a/pkg/agent/openflow/client.go b/pkg/agent/openflow/client.go
@@ -620,29 +620,21 @@ func (c *client) InstallDefaultServiceFlows(nodePortAddressesIPv4, nodePortAddre
 	flows := []binding.Flow{
 		c.serviceNeedLBFlow(),
 		c.sessionAffinityReselectFlow(),
-		c.l2ForwardOutputServiceHairpinFlow(),
 	}
+	flows = append(flows, c.l2ForwardOutputServiceHairpinFlows()...)
 	if c.IsIPv4Enabled() {
-		flows = append(flows, c.serviceHairpinResponseDNATFlow(binding.ProtocolIP))
 		flows = append(flows, c.serviceLBBypassFlows(binding.ProtocolIP)...)
 		flows = append(flows, c.l3FwdServiceDefaultFlowsViaGW(binding.ProtocolIP, cookie.Service)...)
 		if c.proxyAll {
-			// The output interface of a packet is the same as where it is from, and the action of the packet should be
-			// IN_PORT, rather than output. When a packet of Service is from Antrea gateway and its Endpoint is on host
-			// network, it needs hairpin mark (by setting a register, it will be matched at table L2ForwardingOutTable).
-			flows = append(flows, c.serviceHairpinRegSetFlows(binding.ProtocolIP))
 			// These flows are used to match the first packet of NodePort. The flows will set a bit of a register to mark
 			// the Service type of the packet as NodePort. The mark will be consumed in table serviceLBTable to match NodePort
 			flows = append(flows, c.serviceClassifierFlows(nodePortAddressesIPv4, binding.ProtocolIP)...)
 		}
 	}
 	if c.IsIPv6Enabled() {
-		flows = append(flows, c.serviceHairpinResponseDNATFlow(binding.ProtocolIPv6))
 		flows = append(flows, c.serviceLBBypassFlows(binding.ProtocolIPv6)...)
 		flows = append(flows, c.l3FwdServiceDefaultFlowsViaGW(binding.ProtocolIPv6, cookie.Service)...)
 		if c.proxyAll {
-			// As IPv4 above.
-			flows = append(flows, c.serviceHairpinRegSetFlows(binding.ProtocolIPv6))
 			// As IPv4 above.
 			flows = append(flows, c.serviceClassifierFlows(nodePortAddressesIPv6, binding.ProtocolIPv6)...)
 		}

diff --git a/pkg/agent/openflow/fields.go b/pkg/agent/openflow/fields.go
@@ -133,6 +133,8 @@ var (
 	FromGatewayCTMark = binding.NewCTMark(0x20, 0, 31)
 	// Mark to indicate DNAT is performed on the connection for Service.
 	ServiceCTMark = binding.NewCTMark(0x21, 0, 31)
+	// Mark to indicate the connection is hairpin Service case.
+	ServiceHairpinCTMark = binding.NewCTMark(0x22, 0, 31)
 )
 
 // Fields using CT label.

diff --git a/pkg/agent/openflow/network_policy_test.go b/pkg/agent/openflow/network_policy_test.go
@@ -338,11 +338,11 @@ func TestBatchInstallPolicyRuleFlows(t *testing.T) {
 					c.pipeline[EgressRuleTable].BuildFlow(priorityLow).Cookie(cookiePolicy).
 						MatchProtocol(binding.ProtocolIP).MatchConjID(10).
 						Action().LoadToRegField(TFEgressConjIDField, 10).
-						Action().CT(true, EgressMetricTable, CtZone).LoadToLabelField(10, EgressRuleCTLabel).CTDone().Done(),
+						Action().CT(true, EgressMetricTable, DNATCtZone).LoadToLabelField(10, EgressRuleCTLabel).CTDone().Done(),
 					c.pipeline[EgressRuleTable].BuildFlow(priorityLow).Cookie(cookiePolicy).
 						MatchProtocol(binding.ProtocolIP).MatchConjID(11).
 						Action().LoadToRegField(TFEgressConjIDField, 11).
-						Action().CT(true, EgressMetricTable, CtZone).LoadToLabelField(11, EgressRuleCTLabel).CTDone().Done(),
+						Action().CT(true, EgressMetricTable, DNATCtZone).LoadToLabelField(11, EgressRuleCTLabel).CTDone().Done(),
 					c.pipeline[EgressRuleTable].BuildFlow(priorityNormal).Cookie(cookiePolicy).
 						MatchProtocol(binding.ProtocolIP).MatchSrcIP(net.ParseIP("192.168.1.40")).
 						Action().Conjunction(10, 1, 2).
@@ -443,7 +443,7 @@ func TestBatchInstallPolicyRuleFlows(t *testing.T) {
 					c.pipeline[AntreaPolicyIngressRuleTable].BuildFlow(priority100).Cookie(cookiePolicy).
 						MatchProtocol(binding.ProtocolIP).MatchConjID(10).
 						Action().LoadToRegField(TFIngressConjIDField, 10).
-						Action().CT(true, IngressMetricTable, CtZone).LoadToLabelField(10, IngressRuleCTLabel).CTDone().Done(),
+						Action().CT(true, IngressMetricTable, DNATCtZone).LoadToLabelField(10, IngressRuleCTLabel).CTDone().Done(),
 					c.pipeline[AntreaPolicyIngressRuleTable].BuildFlow(priority100).Cookie(cookiePolicy).
 						MatchConjID(11).
 						Action().LoadToRegField(CNPDenyConjIDField, 11).
@@ -488,10 +488,10 @@ func TestBatchInstallPolicyRuleFlows(t *testing.T) {
 						Action().Conjunction(12, 3, 3).Done(),
 					c.pipeline[IngressMetricTable].BuildFlow(priorityNormal).Cookie(cookiePolicy).
 						MatchProtocol(binding.ProtocolIP).MatchCTStateNew(true).MatchCTLabelField(0, 10, IngressRuleCTLabel).
-						Action().GotoTable(conntrackCommitTable).Done(),
+						Action().GotoTable(dnatConntrackCommitTable).Done(),
 					c.pipeline[IngressMetricTable].BuildFlow(priorityNormal).Cookie(cookiePolicy).
 						MatchProtocol(binding.ProtocolIP).MatchCTStateNew(false).MatchCTLabelField(0, 10, IngressRuleCTLabel).
-						Action().GotoTable(conntrackCommitTable).Done(),
+						Action().GotoTable(dnatConntrackCommitTable).Done(),
 					c.pipeline[IngressMetricTable].BuildFlow(priorityNormal).Cookie(cookiePolicy).
 						MatchRegMark(CnpDenyRegMark).MatchRegFieldWithValue(CNPDenyConjIDField, 11).
 						Action().Drop().Done(),