Optimize the flows for forwarding the packets with unknown destination in L3ForwardingTable #3809
Conversation
Codecov Report
@@ Coverage Diff @@
## main #3809 +/- ##
===========================================
- Coverage 63.38% 46.08% -17.31%
===========================================
Files 280 247 -33
Lines 39750 35881 -3869
===========================================
- Hits 25197 16537 -8660
- Misses 12593 17708 +5115
+ Partials 1960 1636 -324
Flags with carried forward coverage won't be shown. Click here to find out more.
|
|
/test-all |
1 similar comment
|
/test-all |
3e60fd5 to
6118729
Compare
|
/test-all-features-conformance |
|
/test-all-features-conformance |
|
/test-flexible-ipam-e2e |
|
/test-flexible-ipam-e2e |
|
/test-windows-e2e |
|
/test-flexible-ipam-e2e |
|
/test-windows-e2e |
|
/test-flexible-ipam-e2e |
|
/test-flexible-ipam-e2e |
|
/test-flexible-ipam-e2e |
3 similar comments
|
/test-flexible-ipam-e2e |
|
/test-flexible-ipam-e2e |
|
/test-flexible-ipam-e2e |
pkg/agent/openflow/pipeline.go
Outdated
| // gateway and destined for external network. Note that, the destination MAC address of the packets should be rewritten to | ||
| // local Antrea gateway's so that the packets can be forwarded to external network via local Antrea gateway. | ||
| func (f *featureService) l3FwdFlowToExternalEndpoint() binding.Flow { | ||
| // This generates the flow to match the packets sourced from per-Node IPAM Pod and destined for external network. |
There was a problem hiding this comment.
The comment means the opposite of the code
pkg/agent/openflow/pipeline.go
Outdated
| // l3FwdFlowToExternal generates the flow to forward the packets destined for external network. Corresponding cases are | ||
| // listed in the follows: | ||
| // Assuming that AntreaProxy is enabled, | ||
| // - when Egress is disabled, request packets of Service or non-Service connections sourced from local non-AntreaIPAM |
There was a problem hiding this comment.
If a flow is designed for both Service and non-Service connections, which already means it's Service irrelevant. better to remove "of Service or non-Service connections" from comments together to avoid unnecessary attention and being verbose.
So do the commit message.
8420ebb to
1f8f8a9
Compare
…n in L3ForwardingTable Fix antrea-io#3806 Currently, when Egress and AntreaIPAM are enabled, there are several flows in L3ForwardingTable like the follows: ``` 1. table=L3Forwarding, priority=190,ip,reg0=0/0x200,reg8=0/0xfff,nw_dst=10.10.0.0/24 actions=resubmit(,L2ForwardingCalc) 2. table=L3Forwarding, priority=190,ct_mark=0x10/0x10,reg0=0x200/0x200,reg4=0/0x100000 actions=mod_dl_dst:d2:35:24:7f:3a:f8,load:0x2->NXM_NX_REG0[4..7],resubmit(,L3DecTTL) 3. table=L3Forwarding, priority=190,ct_mark=0x10/0x10,reg4=0x100000/0x100000 actions=resubmit(,L3DecTTL) 4. table=L3Forwarding, priority=190,ct_state=-rpl+trk,ip,reg0=0x3/0xf actions=resubmit(,EgressMark) 5. table=L3Forwarding, priority=190,ct_state=-rpl+trk,ip,reg0=0x1/0xf actions=mod_dl_dst:d2:35:24:7f:3a:f8,resubmit(,EgressMark) 6. table=L3Forwarding, priority=0 actions=load:0x2->NXM_NX_REG0[4..7],resubmit(,L2ForwardingCalc) ``` - Flow 1 is used to forward the packets of non-Service connections between local Pods. - Flow 2 is used to forward the packets of Service connections sourced from local non-AntreaIPAM Pods and destined for external network Endpoint. - Flow 3 is used to forward the packets of Service connections sourced from local AntreaIPAM Pods and destined for external network Endpoint. - Flow 4 is used to forward the packets sourced from local Pods and destined for external network, and the flow is for Egress. - Flow 5 is used to forward the packets sourced from tunnel and destined for external network, and the flow is also for Egress. - Flow 6 is the default flow. `load:0x2->NXM_NX_REG0[4..7]` means `to Gateway`. For request packets sourced from a local Pod and destined for another local Pod, they are expected to be matched by flow 1, however, they can be matched by flow 4, and this leads the unexpected result in antrea-io#3806. In addition, when Egress is enabled, if a local Pod accesses to a Service whose Endpoint is on external Network, the request packets are expected to be matched by flow 4, but they can be also matched by flow 2. To resolve above issues, the new flows are like the follows: ``` 1. table=L3Forwarding, priority=200,ip,reg0=0/0x200,reg8=0/0xfff,nw_dst=10.10.0.0/24 actions=resubmit(,L2ForwardingCalc) 2. table=L3Forwarding, priority=190,ct_mark=0x10/0x10,reg0=0x202/0x20f actions=mod_dl_dst:d2:35:24:7f:3a:f8,load:0x2->NXM_NX_REG0[4..7],resubmit(,L3DecTTL) 3. table=L3Forwarding, priority=190,ct_state=-rpl+trk,ip,reg0=0x3/0xf,reg4=0/0x100000 actions=resubmit(,EgressMark) 4. table=L3Forwarding, priority=190,ct_state=-rpl+trk,ip,reg0=0x1/0xf actions=mod_dl_dst:d2:35:24:7f:3a:f8,resubmit(,EgressMark) 5. table=L3Forwarding, priority=0 actions=load:0x2->NXM_NX_REG0[4..7],resubmit(,L2ForwardingCalc) ``` Issue antrea-io#3806 is fixed by raising the priority of the legacy flow 1 to normal (200). It is the new flow 1 now. In legacy flow 2, packets of Service connections with unknown destination can be either sourced from local Pods or Antrea gateway. In the new flow 2, only the packets of Service connections sourced Antrea gateway are matched. Packets of Service connections sourced from local Pods and destined for unknown destination (external network) are matched by the new flow 5. Packets of connections sourced from local Pods and destined for external network are matched by the new flow 3 (Egress is enabled) or the new flow 5 (Egress is disabled). Packets of connections sourced from local AntreaIPAM Pods (AntreaIPAM is enabled) and destined for external network are matched by the new flow 5. Other modifications: fix some stale comments. Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
|
/test-all-features-conformance |
|
/test-flexible-ipam-e2e |
|
Fixed space issue on flexible-ipam testbed. Please ignore TestPrometheus failure on flexible-ipam which will be fixed by #3868 |
|
/test-e2e |
|
/test-ipv6-only-e2e |
1 similar comment
|
/test-ipv6-only-e2e |
|
/test-windows-conformance |
The last sentence is inaccurate and redundant with the following paragraph? |
|
@hongliangl please backport it to appliable releases |
|
Thanks for reviewing and merging this PR. I'll backport it to 1.6 |
Fix #3806
Currently, when Egress and AntreaIPAM are enabled, there are several flows in
L3ForwardingTable like the follows:
local Pods.
local non-AntreaIPAM Pods and destined for external network Endpoint.
local AntreaIPAM Pods and destined for external network Endpoint.
for external network, and the flow is for Egress.
external network, and the flow is also for Egress.
load:0x2->NXM_NX_REG0[4..7]meansto Gateway.For request packets sourced from a local Pod and destined for another local
Pod, they are expected to be matched by flow 1, however, they can be matched
by flow 4, and this leads the unexpected result in #3806.
In addition, when Egress is enabled, if a local Pod accesses to a Service
whose Endpoint is on external Network, the request packets are expected to
be matched by flow 4, but they can be also matched by flow 2.
To resolve above issues, the new flows are like the follows:
Issue #3806 is fixed by raising the priority of the legacy flow 1 to
normal (200). It is the new flow 1 now.
In legacy flow 2, packets of Service connections with unknown destination
can be either sourced from local Pods or Antrea gateway. In the new flow 2,
only the packets of Service connections sourced Antrea gateway are matched.
Packets of connections sourced from local Pods and destined for external
network are matched by the new flow 3 (Egress is enabled) or the new flow
5 (Egress is disabled).
Packets of connections sourced from local AntreaIPAM Pods (AntreaIPAM is
enabled) and destined for external network are matched by the new flow 5.
Other modifications: fix some stale comments.
Signed-off-by: Hongliang Liu lhongliang@vmware.com