Reduce dataplane overhead caused by ct action (#3858)

To support performing both SNAT and DNAT for traffic, Antrea uses two CT zones for SNAT and DNAT separately. For each packet, multiple CT actions are executed to go through the zones. And because SNAT is performed after DNAT, reply traffic wouldn't be unNATed correctly if they go through the zones in the same order as request traffic, an extra CT action for unSNAT was added before DNAT to resolve it. These CT actions introduce measurable overhead to the dataplane. Since the first unSNAT action is for reply traffic of SNATed connections only, and there are only few cases needing SNAT, this patch adds conditions to the unSNAT flow to make irrelevant traffic bypass it. With less CT action and less recirculation caused by it, the dataplane performance is significantly increased. TCP_RR and TCP_CRR improvement in a kind cluster is as below: ``` Test old TPS new TPS delta TCP_RR 14568.69 17826.26 +22.36% TCP_CRR 2781.7 3498.12 +25.75% ``` Signed-off-by: Quan Tian <qtian@vmware.com>
antrea-io · Jun 6, 2022 · 90419f2 · 90419f2
1 parent e3d4352
commit 90419f2
Show file tree

Hide file tree

Showing 4 changed files with 71 additions and 56 deletions.
diff --git a/pkg/agent/openflow/framework.go b/pkg/agent/openflow/framework.go
@@ -219,14 +219,14 @@ func (f *featureService) getRequiredTables() []*Table {
 		return []*Table{DNATTable}
 	}
 	tables := []*Table{
-		SNATConntrackTable,
+		UnSNATTable,
 		PreRoutingClassifierTable,
 		SessionAffinityTable,
 		ServiceLBTable,
 		EndpointDNATTable,
 		L3ForwardingTable,
 		ServiceMarkTable,
-		SNATConntrackCommitTable,
+		SNATTable,
 		ConntrackCommitTable,
 		L2ForwardingOutTable,
 	}

diff --git a/pkg/agent/openflow/pipeline.go b/pkg/agent/openflow/pipeline.go
@@ -73,7 +73,7 @@ var (
 	//       * If you want to add a table called `FooTable` just after `ConntrackStateTable` in pipelineARP, then the
 	//         table should be declared after `ConntrackStateTable`:
 	//       ```go
-	//          SNATConntrackTable  = newTable("SNATConntrackZone", stageConntrackState, pipelineIP)
+	//          UnSNATTable         = newTable("UnSNAT", stageConntrackState, pipelineIP)
 	//          ConntrackTable      = newTable("ConntrackZone", stageConntrackState, pipelineIP)
 	//          ConntrackStateTable = newTable("ConntrackState", stageConntrackState, pipelineIP)
 	//          FooTable            = newTable("Foo", stageConntrackState, pipelineIP)
@@ -129,7 +129,7 @@ var (
 	PipelineIPClassifierTable = newTable("PipelineIPClassifier", stageValidation, pipelineIP)
 
 	// Tables in stageConntrackState:
-	SNATConntrackTable  = newTable("SNATConntrackZone", stageConntrackState, pipelineIP)
+	UnSNATTable         = newTable("UnSNAT", stageConntrackState, pipelineIP)
 	ConntrackTable      = newTable("ConntrackZone", stageConntrackState, pipelineIP)
 	ConntrackStateTable = newTable("ConntrackState", stageConntrackState, pipelineIP)
 
@@ -155,8 +155,8 @@ var (
 	L3DecTTLTable     = newTable("L3DecTTL", stageRouting, pipelineIP)
 
 	// Tables in stagePostRouting:
-	ServiceMarkTable         = newTable("ServiceMark", stagePostRouting, pipelineIP)
-	SNATConntrackCommitTable = newTable("SNATConntrackCommit", stagePostRouting, pipelineIP)
+	ServiceMarkTable = newTable("ServiceMark", stagePostRouting, pipelineIP)
+	SNATTable        = newTable("SNAT", stagePostRouting, pipelineIP)
 
 	// Tables in stageSwitching:
 	L2ForwardingCalcTable = newTable("L2ForwardingCalc", stageSwitching, pipelineIP)
@@ -722,17 +722,11 @@ func (f *featureService) snatConntrackFlows() []binding.Flow {
 	cookieID := f.cookieAllocator.Request(f.category).Raw()
 	var flows []binding.Flow
 	for _, ipProtocol := range f.ipProtocols {
+		gatewayIP, _ := f.gatewayIPs[ipProtocol]
+		// virtualIP is used as SNAT IP when a request's source IP is gateway IP and we need to forward it back to
+		// gateway interface to avoid asymmetry path.
+		virtualIP, _ := f.virtualIPs[ipProtocol]
 		flows = append(flows,
-			// This generates the flow to transform destination IP of reply packets from tracked SNATed Service connection
-			// committed in SNAT CT zone.
-			SNATConntrackTable.ofTable.BuildFlow(priorityNormal).
-				Cookie(cookieID).
-				MatchProtocol(ipProtocol).
-				Action().CT(false, SNATConntrackTable.GetNext(), f.snatCtZones[ipProtocol], nil).
-				NAT().
-				CTDone().
-				Done(),
-
 			// SNAT should be performed for the following connections:
 			// - Hairpin Service connection initiated through a local Pod, and SNAT should be performed with the Antrea
 			//   gateway IP.
@@ -749,46 +743,65 @@ func (f *featureService) snatConntrackFlows() []binding.Flow {
 
 			// This generates the flow to match the first packet of hairpin Service connection initiated through the Antrea
 			// gateway with ConnSNATCTMark and HairpinCTMark, then perform SNAT in SNAT CT zone with a virtual IP.
-			SNATConntrackCommitTable.ofTable.BuildFlow(priorityNormal).
+			SNATTable.ofTable.BuildFlow(priorityNormal).
 				Cookie(cookieID).
 				MatchProtocol(ipProtocol).
 				MatchCTStateNew(true).
 				MatchCTStateTrk(true).
 				MatchRegMark(FromGatewayRegMark).
 				MatchCTMark(HairpinCTMark).
-				Action().CT(true, SNATConntrackCommitTable.GetNext(), f.snatCtZones[ipProtocol], nil).
-				SNAT(&binding.IPRange{StartIP: f.virtualIPs[ipProtocol], EndIP: f.virtualIPs[ipProtocol]}, nil).
+				Action().CT(true, SNATTable.GetNext(), f.snatCtZones[ipProtocol], nil).
+				SNAT(&binding.IPRange{StartIP: virtualIP, EndIP: virtualIP}, nil).
 				LoadToCtMark(ServiceCTMark, HairpinCTMark).
 				CTDone().
 				Done(),
+			// This generates the flow to unSNAT reply packets of connections committed in SNAT CT zone by the above flow.
+			UnSNATTable.ofTable.BuildFlow(priorityNormal).
+				Cookie(cookieID).
+				MatchProtocol(ipProtocol).
+				MatchDstIP(virtualIP).
+				Action().CT(false, UnSNATTable.GetNext(), f.snatCtZones[ipProtocol], nil).
+				NAT().
+				CTDone().
+				Done(),
+
 			// This generates the flow to match the first packet of hairpin Service connection initiated through a Pod with
 			// ConnSNATCTMark and HairpinCTMark, then perform SNAT in SNAT CT zone with the Antrea gateway IP.
-			SNATConntrackCommitTable.ofTable.BuildFlow(priorityNormal).
+			SNATTable.ofTable.BuildFlow(priorityNormal).
 				Cookie(cookieID).
 				MatchProtocol(ipProtocol).
 				MatchCTStateNew(true).
 				MatchCTStateTrk(true).
 				MatchRegMark(FromLocalRegMark).
 				MatchCTMark(HairpinCTMark).
-				Action().CT(true, SNATConntrackCommitTable.GetNext(), f.snatCtZones[ipProtocol], nil).
-				SNAT(&binding.IPRange{StartIP: f.gatewayIPs[ipProtocol], EndIP: f.gatewayIPs[ipProtocol]}, nil).
+				Action().CT(true, SNATTable.GetNext(), f.snatCtZones[ipProtocol], nil).
+				SNAT(&binding.IPRange{StartIP: gatewayIP, EndIP: gatewayIP}, nil).
 				LoadToCtMark(ServiceCTMark, HairpinCTMark).
 				CTDone().
 				Done(),
 			// This generates the flow to match the first packet of NodePort / LoadBalancer connection (non-hairpin) initiated
 			// through the Antrea gateway with ConnSNATCTMark, then perform SNAT in SNAT CT zone with the Antrea gateway IP.
-			SNATConntrackCommitTable.ofTable.BuildFlow(priorityLow).
+			SNATTable.ofTable.BuildFlow(priorityLow).
 				Cookie(cookieID).
 				MatchProtocol(ipProtocol).
 				MatchCTStateNew(true).
 				MatchCTStateTrk(true).
 				MatchRegMark(FromGatewayRegMark).
 				MatchCTMark(ConnSNATCTMark).
-				Action().CT(true, SNATConntrackCommitTable.GetNext(), f.snatCtZones[ipProtocol], nil).
-				SNAT(&binding.IPRange{StartIP: f.gatewayIPs[ipProtocol], EndIP: f.gatewayIPs[ipProtocol]}, nil).
+				Action().CT(true, SNATTable.GetNext(), f.snatCtZones[ipProtocol], nil).
+				SNAT(&binding.IPRange{StartIP: gatewayIP, EndIP: gatewayIP}, nil).
 				LoadToCtMark(ServiceCTMark).
 				CTDone().
 				Done(),
+			// This generates the flow to unSNAT reply packets of connections committed in SNAT CT zone by the above flows.
+			UnSNATTable.ofTable.BuildFlow(priorityNormal).
+				Cookie(cookieID).
+				MatchProtocol(ipProtocol).
+				MatchDstIP(gatewayIP).
+				Action().CT(false, UnSNATTable.GetNext(), f.snatCtZones[ipProtocol], nil).
+				NAT().
+				CTDone().
+				Done(),
 			// This generates the flow to match the subsequent request packets of connection whose first request packet has
 			// been committed in SNAT CT zone, then commit the packets in SNAT CT zone again to perform SNAT.
 			// For example:
@@ -821,14 +834,14 @@ func (f *featureService) snatConntrackFlows() []binding.Flow {
 			*/
 			// As a result, subsequent request packets like packet 3 will only perform SNAT when they pass through SNAT
 			// CT zone the second time, after they are DNATed in DNAT CT zone.
-			SNATConntrackCommitTable.ofTable.BuildFlow(priorityNormal).
+			SNATTable.ofTable.BuildFlow(priorityNormal).
 				Cookie(cookieID).
 				MatchProtocol(ipProtocol).
 				MatchCTMark(ConnSNATCTMark).
 				MatchCTStateNew(false).
 				MatchCTStateTrk(true).
 				MatchCTStateRpl(false).
-				Action().CT(false, SNATConntrackCommitTable.GetNext(), f.snatCtZones[ipProtocol], nil).
+				Action().CT(false, SNATTable.GetNext(), f.snatCtZones[ipProtocol], nil).
 				NAT().
 				CTDone().
 				Done(),

diff --git a/pkg/agent/openflow/pipeline_test.go b/pkg/agent/openflow/pipeline_test.go
@@ -58,7 +58,7 @@ func TestBuildPipeline(t *testing.T) {
 					ClassifierTable,
 					SpoofGuardTable,
 					IPv6Table,
-					SNATConntrackTable,
+					UnSNATTable,
 					ConntrackTable,
 					ConntrackStateTable,
 					PreRoutingClassifierTable,
@@ -74,7 +74,7 @@ func TestBuildPipeline(t *testing.T) {
 					EgressMarkTable,
 					L3DecTTLTable,
 					ServiceMarkTable,
-					SNATConntrackCommitTable,
+					SNATTable,
 					L2ForwardingCalcTable,
 					AntreaPolicyIngressRuleTable,
 					IngressRuleTable,
@@ -105,7 +105,7 @@ func TestBuildPipeline(t *testing.T) {
 					ClassifierTable,
 					SpoofGuardTable,
 					IPv6Table,
-					SNATConntrackTable,
+					UnSNATTable,
 					ConntrackTable,
 					ConntrackStateTable,
 					PreRoutingClassifierTable,
@@ -121,7 +121,7 @@ func TestBuildPipeline(t *testing.T) {
 					EgressMarkTable,
 					L3DecTTLTable,
 					ServiceMarkTable,
-					SNATConntrackCommitTable,
+					SNATTable,
 					L2ForwardingCalcTable,
 					AntreaPolicyIngressRuleTable,
 					IngressRuleTable,
@@ -185,7 +185,7 @@ func TestBuildPipeline(t *testing.T) {
 				pipelineIP: {
 					ClassifierTable,
 					SpoofGuardTable,
-					SNATConntrackTable,
+					UnSNATTable,
 					ConntrackTable,
 					ConntrackStateTable,
 					PreRoutingClassifierTable,
@@ -200,7 +200,7 @@ func TestBuildPipeline(t *testing.T) {
 					EgressMarkTable,
 					L3DecTTLTable,
 					ServiceMarkTable,
-					SNATConntrackCommitTable,
+					SNATTable,
 					L2ForwardingCalcTable,
 					AntreaPolicyIngressRuleTable,
 					IngressRuleTable,

diff --git a/test/integration/agent/openflow_test.go b/test/integration/agent/openflow_test.go
@@ -756,7 +756,7 @@ func expectedProxyServiceGroupAndFlows(gid uint32, svc svcConfig, endpointList [
 		if ep.GetIsLocal() {
 			hairpinFlows.flows = append(hairpinFlows.flows, &ofTestUtils.ExpectFlow{
 				MatchStr: fmt.Sprintf("priority=190,ct_state=+new+trk,ip,nw_src=%s,nw_dst=%s", ep.IP(), ep.IP()),
-				ActStr:   "ct(commit,table=SNATConntrackCommit,zone=65520,exec(load:0x1->NXM_NX_CT_MARK[5],load:0x1->NXM_NX_CT_MARK[6]))",
+				ActStr:   "ct(commit,table=SNAT,zone=65520,exec(load:0x1->NXM_NX_CT_MARK[5],load:0x1->NXM_NX_CT_MARK[6]))",
 			})
 		}
 	}
@@ -1068,7 +1068,7 @@ func preparePodFlows(podIPs []net.IP, podMAC net.HardwareAddr, podOFPort uint32,
 			[]*ofTestUtils.ExpectFlow{
 				{
 					MatchStr: fmt.Sprintf("priority=210,ip,in_port=%d%s,dl_dst=%s", 3, matchVlanVIDString, podMAC.String()),
-					ActStr:   fmt.Sprintf("load:0x1->NXM_NX_REG8[12..15],load:0x4->NXM_NX_REG0[0..3],load:%s->NXM_NX_REG8[0..11],goto_table:SNATConntrackZone", vlanVIDString),
+					ActStr:   fmt.Sprintf("load:0x1->NXM_NX_REG8[12..15],load:0x4->NXM_NX_REG0[0..3],load:%s->NXM_NX_REG8[0..11],goto_table:UnSNAT", vlanVIDString),
 				},
 			},
 		}}...)
@@ -1078,7 +1078,7 @@ func preparePodFlows(podIPs []net.IP, podMAC net.HardwareAddr, podOFPort uint32,
 				[]*ofTestUtils.ExpectFlow{
 					{
 						MatchStr: fmt.Sprintf("priority=210,ip,in_port=LOCAL,vlan_tci=0x0000/0x1fff,dl_dst=%s", podMAC.String()),
-						ActStr:   fmt.Sprintf("load:0x1->NXM_NX_REG8[12..15],load:0x5->NXM_NX_REG0[0..3],goto_table:SNATConntrackZone"),
+						ActStr:   fmt.Sprintf("load:0x1->NXM_NX_REG8[12..15],load:0x5->NXM_NX_REG0[0..3],goto_table:UnSNAT"),
 					},
 				},
 			}}...)
@@ -1118,7 +1118,7 @@ func preparePodFlows(podIPs []net.IP, podMAC net.HardwareAddr, podOFPort uint32,
 						},
 					},
 				})
-			nextTableForSpoofguard = "SNATConntrackZone"
+			nextTableForSpoofguard = "UnSNAT"
 		} else {
 			ipProto = "ipv6"
 			nwSrcField = "ipv6_src"
@@ -1193,7 +1193,7 @@ func prepareGatewayFlows(gwIPs []net.IP, gwMAC net.HardwareAddr, vMAC net.Hardwa
 					[]*ofTestUtils.ExpectFlow{
 						{
 							MatchStr: fmt.Sprintf("priority=200,ip,in_port=%d", config1.HostGatewayOFPort),
-							ActStr:   fmt.Sprintf("%sgoto_table:SNATConntrackZone", actionSetCtZoneField),
+							ActStr:   fmt.Sprintf("%sgoto_table:UnSNAT", actionSetCtZoneField),
 						},
 					},
 				},
@@ -1254,7 +1254,7 @@ func prepareTunnelFlows(tunnelPort uint32, vMAC net.HardwareAddr) []expectTableF
 			[]*ofTestUtils.ExpectFlow{
 				{
 					MatchStr: fmt.Sprintf("priority=200,in_port=%d", tunnelPort),
-					ActStr:   "load:0x1->NXM_NX_REG0[0..3],load:0x1->NXM_NX_REG0[9],goto_table:SNATConntrackZone",
+					ActStr:   "load:0x1->NXM_NX_REG0[0..3],load:0x1->NXM_NX_REG0[9],goto_table:UnSNAT",
 				},
 			},
 		},
@@ -1352,8 +1352,8 @@ func prepareDefaultFlows(config *testConfig) []expectTableFlows {
 		tableName: "ConntrackCommit",
 		flows:     []*ofTestUtils.ExpectFlow{{MatchStr: "priority=0", ActStr: fmt.Sprintf("goto_table:%s", outputStageTable)}},
 	}
-	tableSNATConntrackCommitFlows := expectTableFlows{
-		tableName: "SNATConntrackCommit",
+	tableSNATFlows := expectTableFlows{
+		tableName: "SNAT",
 	}
 	tableL3ForwardingFlows := expectTableFlows{
 		"L3Forwarding",
@@ -1363,8 +1363,8 @@ func prepareDefaultFlows(config *testConfig) []expectTableFlows {
 		tableName: "L3DecTTL",
 		flows:     []*ofTestUtils.ExpectFlow{{MatchStr: "priority=0", ActStr: "goto_table:ServiceMark"}},
 	}
-	tableSNATConntrackZoneFlows := expectTableFlows{
-		tableName: "SNATConntrackZone",
+	tableUnSNATFlows := expectTableFlows{
+		tableName: "UnSNAT",
 		flows:     []*ofTestUtils.ExpectFlow{{MatchStr: "priority=0", ActStr: "goto_table:ConntrackZone"}},
 	}
 	tableConntrackZoneFlows := expectTableFlows{
@@ -1373,15 +1373,16 @@ func prepareDefaultFlows(config *testConfig) []expectTableFlows {
 	}
 	tableServiceMarkFlows := expectTableFlows{
 		tableName: "ServiceMark",
-		flows:     []*ofTestUtils.ExpectFlow{{MatchStr: "priority=0", ActStr: "goto_table:SNATConntrackCommit"}},
+		flows:     []*ofTestUtils.ExpectFlow{{MatchStr: "priority=0", ActStr: "goto_table:SNAT"}},
 	}
 	if config.enableIPv4 {
 		tableARPResponderFlows.flows = append(tableARPResponderFlows.flows,
 			&ofTestUtils.ExpectFlow{MatchStr: "priority=190,arp", ActStr: "NORMAL"},
 			&ofTestUtils.ExpectFlow{MatchStr: "priority=0", ActStr: "drop"},
 		)
-		tableSNATConntrackZoneFlows.flows = append(tableSNATConntrackZoneFlows.flows,
-			&ofTestUtils.ExpectFlow{MatchStr: "priority=200,ip", ActStr: "ct(table=ConntrackZone,zone=65521,nat)"},
+		tableUnSNATFlows.flows = append(tableUnSNATFlows.flows,
+			&ofTestUtils.ExpectFlow{MatchStr: fmt.Sprintf("priority=200,ip,nw_dst=%s", config.nodeConfig.GatewayConfig.IPv4), ActStr: "ct(table=ConntrackZone,zone=65521,nat)"},
+			&ofTestUtils.ExpectFlow{MatchStr: fmt.Sprintf("priority=200,ip,nw_dst=%s", config1.VirtualServiceIPv4), ActStr: "ct(table=ConntrackZone,zone=65521,nat)"},
 		)
 		tableConntrackZoneFlows.flows = append(tableConntrackZoneFlows.flows,
 			&ofTestUtils.ExpectFlow{MatchStr: "priority=200,ip", ActStr: fmt.Sprintf("ct(table=ConntrackState,zone=%s,nat)", ctZone)},
@@ -1392,7 +1393,7 @@ func prepareDefaultFlows(config *testConfig) []expectTableFlows {
 		tableConntrackCommitFlows.flows = append(tableConntrackCommitFlows.flows,
 			&ofTestUtils.ExpectFlow{MatchStr: "priority=200,ct_state=+new+trk,ct_mark=0/0x10,ip", ActStr: fmt.Sprintf("ct(commit,table=%s,zone=%s,exec(move:NXM_NX_REG0[0..3]->NXM_NX_CT_MARK[0..3]))", outputStageTable, ctZone)},
 		)
-		tableSNATConntrackCommitFlows.flows = append(tableSNATConntrackCommitFlows.flows,
+		tableSNATFlows.flows = append(tableSNATFlows.flows,
 			&ofTestUtils.ExpectFlow{
 				MatchStr: "priority=200,ct_state=+new+trk,ct_mark=0x40/0x40,ip,reg0=0x2/0xf",
 				ActStr:   fmt.Sprintf("ct(commit,table=L2ForwardingCalc,zone=65521,nat(src=%s),exec(load:0x1->NXM_NX_CT_MARK[4],load:0x1->NXM_NX_CT_MARK[6]))", config1.VirtualServiceIPv4),
@@ -1415,17 +1416,18 @@ func prepareDefaultFlows(config *testConfig) []expectTableFlows {
 			&ofTestUtils.ExpectFlow{MatchStr: fmt.Sprintf("priority=190,ip,reg0=0/0x200%s,nw_dst=%s", matchVLANString, podCIDR), ActStr: "goto_table:L2ForwardingCalc"},
 		)
 		tableServiceMarkFlows.flows = append(tableServiceMarkFlows.flows,
-			&ofTestUtils.ExpectFlow{MatchStr: "priority=200,ct_state=+new+trk,ip,reg0=0x22/0xff", ActStr: fmt.Sprintf("ct(commit,table=SNATConntrackCommit,zone=%s,exec(load:0x1->NXM_NX_CT_MARK[5],load:0x1->NXM_NX_CT_MARK[6]))", ctZone)},
-			&ofTestUtils.ExpectFlow{MatchStr: "priority=200,ct_state=+new+trk,ip,reg0=0x12/0xff,reg4=0x200000/0x200000", ActStr: fmt.Sprintf("ct(commit,table=SNATConntrackCommit,zone=%s,exec(load:0x1->NXM_NX_CT_MARK[5]))", ctZone)},
+			&ofTestUtils.ExpectFlow{MatchStr: "priority=200,ct_state=+new+trk,ip,reg0=0x22/0xff", ActStr: fmt.Sprintf("ct(commit,table=SNAT,zone=%s,exec(load:0x1->NXM_NX_CT_MARK[5],load:0x1->NXM_NX_CT_MARK[6]))", ctZone)},
+			&ofTestUtils.ExpectFlow{MatchStr: "priority=200,ct_state=+new+trk,ip,reg0=0x12/0xff,reg4=0x200000/0x200000", ActStr: fmt.Sprintf("ct(commit,table=SNAT,zone=%s,exec(load:0x1->NXM_NX_CT_MARK[5]))", ctZone)},
 		)
 		tableL3DecTTLFlows.flows = append(tableL3DecTTLFlows.flows,
 			&ofTestUtils.ExpectFlow{MatchStr: "priority=210,ip,reg0=0x2/0xf", ActStr: "goto_table:ServiceMark"},
 			&ofTestUtils.ExpectFlow{MatchStr: "priority=200,ip", ActStr: "dec_ttl,goto_table:ServiceMark"},
 		)
 	}
 	if config.enableIPv6 {
-		tableSNATConntrackZoneFlows.flows = append(tableSNATConntrackZoneFlows.flows,
-			&ofTestUtils.ExpectFlow{MatchStr: "priority=200,ipv6", ActStr: "ct(table=ConntrackZone,zone=65511,nat)"},
+		tableUnSNATFlows.flows = append(tableUnSNATFlows.flows,
+			&ofTestUtils.ExpectFlow{MatchStr: fmt.Sprintf("priority=200,ipv6,ipv6_dst=%s", config.nodeConfig.GatewayConfig.IPv6), ActStr: "ct(table=ConntrackZone,zone=65511,nat)"},
+			&ofTestUtils.ExpectFlow{MatchStr: fmt.Sprintf("priority=200,ipv6,ipv6_dst=%s", config1.VirtualServiceIPv6), ActStr: "ct(table=ConntrackZone,zone=65511,nat)"},
 		)
 		tableConntrackZoneFlows.flows = append(tableConntrackZoneFlows.flows,
 			&ofTestUtils.ExpectFlow{MatchStr: "priority=200,ipv6", ActStr: fmt.Sprintf("ct(table=ConntrackState,zone=%s,nat)", ctZoneV6)},
@@ -1436,7 +1438,7 @@ func prepareDefaultFlows(config *testConfig) []expectTableFlows {
 		tableConntrackCommitFlows.flows = append(tableConntrackCommitFlows.flows,
 			&ofTestUtils.ExpectFlow{MatchStr: "priority=200,ct_state=+new+trk,ct_mark=0/0x10,ipv6", ActStr: fmt.Sprintf("ct(commit,table=Output,zone=%s,exec(move:NXM_NX_REG0[0..3]->NXM_NX_CT_MARK[0..3]))", ctZoneV6)},
 		)
-		tableSNATConntrackCommitFlows.flows = append(tableSNATConntrackCommitFlows.flows,
+		tableSNATFlows.flows = append(tableSNATFlows.flows,
 			&ofTestUtils.ExpectFlow{
 				MatchStr: "priority=200,ct_state=+new+trk,ct_mark=0x40/0x40,ipv6,reg0=0x2/0xf",
 				ActStr:   fmt.Sprintf("ct(commit,table=L2ForwardingCalc,zone=65511,nat(src=%s),exec(load:0x1->NXM_NX_CT_MARK[4],load:0x1->NXM_NX_CT_MARK[6]))", config1.VirtualServiceIPv6),
@@ -1459,8 +1461,8 @@ func prepareDefaultFlows(config *testConfig) []expectTableFlows {
 			&ofTestUtils.ExpectFlow{MatchStr: fmt.Sprintf("priority=190,ipv6,reg0=0/0x200,ipv6_dst=%s", podCIDR), ActStr: "goto_table:L2ForwardingCalc"},
 		)
 		tableServiceMarkFlows.flows = append(tableServiceMarkFlows.flows,
-			&ofTestUtils.ExpectFlow{MatchStr: "priority=200,ct_state=+new+trk,ipv6,reg0=0x22/0xff", ActStr: "ct(commit,table=SNATConntrackCommit,zone=65510,exec(load:0x1->NXM_NX_CT_MARK[5],load:0x1->NXM_NX_CT_MARK[6]))"},
-			&ofTestUtils.ExpectFlow{MatchStr: "priority=200,ct_state=+new+trk,ipv6,reg0=0x12/0xff,reg4=0x200000/0x200000", ActStr: "ct(commit,table=SNATConntrackCommit,zone=65510,exec(load:0x1->NXM_NX_CT_MARK[5]))"},
+			&ofTestUtils.ExpectFlow{MatchStr: "priority=200,ct_state=+new+trk,ipv6,reg0=0x22/0xff", ActStr: "ct(commit,table=SNAT,zone=65510,exec(load:0x1->NXM_NX_CT_MARK[5],load:0x1->NXM_NX_CT_MARK[6]))"},
+			&ofTestUtils.ExpectFlow{MatchStr: "priority=200,ct_state=+new+trk,ipv6,reg0=0x12/0xff,reg4=0x200000/0x200000", ActStr: "ct(commit,table=SNAT,zone=65510,exec(load:0x1->NXM_NX_CT_MARK[5]))"},
 		)
 		tableL3DecTTLFlows.flows = append(tableL3DecTTLFlows.flows,
 			&ofTestUtils.ExpectFlow{MatchStr: "priority=210,ipv6,reg0=0x2/0xf", ActStr: "goto_table:ServiceMark"},
@@ -1480,10 +1482,10 @@ func prepareDefaultFlows(config *testConfig) []expectTableFlows {
 		tableConntrackZoneFlows,
 		tableConntrackStateFlows,
 		tableConntrackCommitFlows,
-		tableSNATConntrackCommitFlows,
+		tableSNATFlows,
 		tableL3ForwardingFlows,
 		tableL3DecTTLFlows,
-		tableSNATConntrackZoneFlows,
+		tableUnSNATFlows,
 		tableServiceMarkFlows,
 		tableVLANFlows,
 		{