Merge pull request #4705 from dceara/udn-pod2service-isolation

UDN: Ensure pod2service isolation in local gw mode.
ovn-org · Sep 20, 2024 · 1c8b933 · 1c8b933
2 parents 9a25bc3 + d63887e
commit 1c8b933
Show file tree

Hide file tree

Showing 5 changed files with 195 additions and 51 deletions.
diff --git a/go-controller/pkg/node/gateway_shared_intf.go b/go-controller/pkg/node/gateway_shared_intf.go
@@ -279,9 +279,9 @@ func (npw *nodePortWatcher) updateServiceFlowCache(service *kapi.Service, netInf
 
 	// Add flows for default network services that are accessible from UDN networks
 	if util.IsNetworkSegmentationSupportEnabled() {
-		// The flow added below has a higher priority than the default network service flow:
-		//   priority=500,ip,in_port=LOCAL,nw_dst=10.96.0.0/16 actions=ct(commit,table=2,zone=64001,nat(src=169.254.0.2))
-		// This ordering ensures that there is no SNAT for UDN originated traffic.
+		// The flow added below has a higher priority than the per UDN service flow:
+		//   priority=200, table=2, ip, ip_src=169.254.0.<UDN>, actions=set_field:<bridge-mac>->eth_dst,output:<UDN-patch-port>
+		// This ordering ensures that traffic to UDN allowed default services goes to the the default patch port.
 
 		if util.IsUDNEnabledService(ktypes.NamespacedName{Namespace: service.Namespace, Name: service.Name}.String()) {
 			key = strings.Join([]string{"UDNAllowedSVC", service.Namespace, service.Name}, "_")
@@ -295,10 +295,13 @@ func (npw *nodePortWatcher) updateServiceFlowCache(service *kapi.Service, netInf
 				ipPrefix = "ipv6"
 				masqueradeSubnet = config.Gateway.V6MasqueradeSubnet
 			}
-			// table 0, user-defined network host -> OVN towards default cluster network services
-			npw.ofm.updateFlowCacheEntry(key, []string{fmt.Sprintf("cookie=%s, priority=600, in_port=%s, %s, %s_src=%s, %s_dst=%s,"+
-				"actions=ct(commit,zone=%d,table=2)",
-				defaultOpenFlowCookie, npw.ofm.defaultBridge.ofPortHost, ipPrefix, ipPrefix, masqueradeSubnet, ipPrefix, service.Spec.ClusterIP, config.Default.HostMasqConntrackZone)})
+			// table 2, user-defined network host -> OVN towards default cluster network services
+			defaultNetConfig := npw.ofm.defaultBridge.netConfig[types.DefaultNetworkName]
+
+			npw.ofm.updateFlowCacheEntry(key, []string{fmt.Sprintf("cookie=%s, priority=300, table=2, %s, %s_src=%s, %s_dst=%s, "+
+				"actions=set_field:%s->eth_dst,output:%s",
+				defaultOpenFlowCookie, ipPrefix, ipPrefix, masqueradeSubnet, ipPrefix, service.Spec.ClusterIP,
+				npw.ofm.getDefaultBridgeMAC().String(), defaultNetConfig.ofPortPatch)})
 		}
 	}
 	return utilerrors.Join(errors...)
@@ -1316,11 +1319,23 @@ func flowsForDefaultBridge(bridge *bridgeConfiguration, extraIPs []net.IP) ([]st
 			masqSubnet = config.Gateway.V6MasqueradeSubnet
 		}
 
-		// table 0, Host -> OVN towards SVC, SNAT to special IP
+		// table 0, Host (default network) -> OVN towards SVC, SNAT to special IP.
 		dftFlows = append(dftFlows,
-			fmt.Sprintf("cookie=%s, priority=500, in_port=%s, %s, %s_dst=%s,"+
+			fmt.Sprintf("cookie=%s, priority=500, in_port=%s, %s, %s_dst=%s, "+
 				"actions=ct(commit,zone=%d,nat(src=%s),table=2)",
-				defaultOpenFlowCookie, ofPortHost, protoPrefix, protoPrefix, svcCIDR, config.Default.HostMasqConntrackZone, masqIP))
+				defaultOpenFlowCookie, ofPortHost, protoPrefix, protoPrefix,
+				svcCIDR, config.Default.HostMasqConntrackZone, masqIP))
+
+		if util.IsNetworkSegmentationSupportEnabled() {
+			// table 0, Host (UDNs) -> OVN towards SVC, SNAT to special IP.
+			// For packets originating from UDN, commit without NATing, those
+			// have already been SNATed to the masq IP of the UDN.
+			dftFlows = append(dftFlows,
+				fmt.Sprintf("cookie=%s, priority=550, in_port=%s, %s, %s_src=%s, %s_dst=%s, "+
+					"actions=ct(commit,zone=%d,table=2)",
+					defaultOpenFlowCookie, ofPortHost, protoPrefix, protoPrefix,
+					masqSubnet, protoPrefix, svcCIDR, config.Default.HostMasqConntrackZone))
+		}
 
 		masqDst := masqIP
 		if util.IsNetworkSegmentationSupportEnabled() {
@@ -1420,8 +1435,38 @@ func flowsForDefaultBridge(bridge *bridgeConfiguration, extraIPs []net.IP) ([]st
 
 	// table 2, dispatch from Host -> OVN
 	dftFlows = append(dftFlows,
-		fmt.Sprintf("cookie=%s, table=2, "+
-			"actions=set_field:%s->eth_dst,output:%s", defaultOpenFlowCookie, bridgeMacAddress, defaultNetConfig.ofPortPatch))
+		fmt.Sprintf("cookie=%s, priority=100, table=2, "+
+			"actions=set_field:%s->eth_dst,output:%s", defaultOpenFlowCookie,
+			bridgeMacAddress, defaultNetConfig.ofPortPatch))
+
+	// table 2, priority 200, dispatch from UDN -> Host -> OVN. These packets have
+	// already been SNATed to the UDN's masq IP.
+	if config.IPv4Mode {
+		for _, netConfig := range bridge.patchedNetConfigs() {
+			if netConfig.masqCTMark == ctMarkOVN {
+				continue
+			}
+			dftFlows = append(dftFlows,
+				fmt.Sprintf("cookie=%s, priority=200, table=2, ip, ip_src=%s, "+
+					"actions=set_field:%s->eth_dst,output:%s",
+					defaultOpenFlowCookie, netConfig.v4MasqIPs.ManagementPort.IP,
+					bridgeMacAddress, netConfig.ofPortPatch))
+		}
+	}
+
+	if config.IPv6Mode {
+		for _, netConfig := range bridge.patchedNetConfigs() {
+			if netConfig.masqCTMark == ctMarkOVN {
+				continue
+			}
+
+			dftFlows = append(dftFlows,
+				fmt.Sprintf("cookie=%s, priority=200, table=2, ip6, ipv6_src=%s, "+
+					"actions=set_field:%s->eth_dst,output:%s",
+					defaultOpenFlowCookie, netConfig.v6MasqIPs.ManagementPort.IP,
+					bridgeMacAddress, netConfig.ofPortPatch))
+		}
+	}
 
 	// table 3, dispatch from OVN -> Host
 	dftFlows = append(dftFlows,
@@ -1522,7 +1567,7 @@ func commonFlows(subnets []*net.IPNet, bridge *bridgeConfiguration) ([]string, e
 					dftFlows = append(dftFlows,
 						fmt.Sprintf("cookie=%s, priority=100, in_port=%s, dl_src=%s, ip, ip_src=%s, "+
 							"actions=ct(commit, zone=%d, nat(src=%s), exec(set_field:%s->ct_mark)), output:%s",
-							defaultOpenFlowCookie, netConfig.ofPortPatch, bridgeMacAddress, netConfig.v4MasqIP.IP, config.Default.ConntrackZone,
+							defaultOpenFlowCookie, netConfig.ofPortPatch, bridgeMacAddress, netConfig.v4MasqIPs.GatewayRouter.IP, config.Default.ConntrackZone,
 							physicalIP.IP, netConfig.masqCTMark, ofPortPhys))
 				}
 			}
@@ -1597,7 +1642,7 @@ func commonFlows(subnets []*net.IPNet, bridge *bridgeConfiguration) ([]string, e
 					dftFlows = append(dftFlows,
 						fmt.Sprintf("cookie=%s, priority=100, in_port=%s, dl_src=%s, ipv6, ipv6_src=%s, "+
 							"actions=ct(commit, zone=%d, nat(src=%s), exec(set_field:%s->ct_mark)), output:%s",
-							defaultOpenFlowCookie, netConfig.ofPortPatch, bridgeMacAddress, netConfig.v6MasqIP.IP, config.Default.ConntrackZone,
+							defaultOpenFlowCookie, netConfig.ofPortPatch, bridgeMacAddress, netConfig.v6MasqIPs.GatewayRouter.IP, config.Default.ConntrackZone,
 							physicalIP.IP, netConfig.masqCTMark, ofPortPhys))
 				}
 			}

diff --git a/go-controller/pkg/node/gateway_udn.go b/go-controller/pkg/node/gateway_udn.go
@@ -52,10 +52,10 @@ type UserDefinedNetworkGateway struct {
 	// masqCTMark holds the mark value for this network
 	// which is used for egress traffic in shared gateway mode
 	masqCTMark uint
-	// v4MasqIP holds the IPv4 masquerade IP for this network
-	v4MasqIP *net.IPNet
-	// v6MasqIP holds the IPv6 masquerade IP for this network
-	v6MasqIP *net.IPNet
+	// v4MasqIPs holds the IPv4 masquerade IPs for this network
+	v4MasqIPs *udn.MasqueradeIPs
+	// v6MasqIPs holds the IPv6 masquerade IPs for this network
+	v6MasqIPs *udn.MasqueradeIPs
 	// stores the pointer to default network's gateway so that
 	// we can leverage it from here to program UDN flows on breth0
 	// Currently we use the openflowmanager and nodeIPManager from
@@ -83,7 +83,7 @@ func (b *bridgeConfiguration) getBridgePortConfigurations() ([]bridgeUDNConfigur
 }
 
 // addNetworkBridgeConfig adds the patchport and ctMark value for the provided netInfo into the bridge configuration cache
-func (b *bridgeConfiguration) addNetworkBridgeConfig(nInfo util.NetInfo, masqCTMark uint, v4MasqIP, v6MasqIP *net.IPNet) {
+func (b *bridgeConfiguration) addNetworkBridgeConfig(nInfo util.NetInfo, masqCTMark uint, v4MasqIPs, v6MasqIPs *udn.MasqueradeIPs) {
 	b.Lock()
 	defer b.Unlock()
 
@@ -95,8 +95,8 @@ func (b *bridgeConfiguration) addNetworkBridgeConfig(nInfo util.NetInfo, masqCTM
 		netConfig := &bridgeUDNConfiguration{
 			patchPort:  patchPort,
 			masqCTMark: fmt.Sprintf("0x%x", masqCTMark),
-			v4MasqIP:   v4MasqIP,
-			v6MasqIP:   v6MasqIP,
+			v4MasqIPs:  v4MasqIPs,
+			v6MasqIPs:  v6MasqIPs,
 		}
 
 		b.netConfig[netName] = netConfig
@@ -149,8 +149,8 @@ type bridgeUDNConfiguration struct {
 	patchPort   string
 	ofPortPatch string
 	masqCTMark  string
-	v4MasqIP    *net.IPNet
-	v6MasqIP    *net.IPNet
+	v4MasqIPs   *udn.MasqueradeIPs
+	v6MasqIPs   *udn.MasqueradeIPs
 }
 
 func (netConfig *bridgeUDNConfiguration) setBridgeNetworkOfPortsInternal() error {
@@ -179,23 +179,22 @@ func NewUserDefinedNetworkGateway(netInfo util.NetInfo, networkID int, node *v1.
 	defaultNetworkGateway Gateway) (*UserDefinedNetworkGateway, error) {
 	// Generate a per network conntrack mark and masquerade IPs to be used for egress traffic.
 	var (
-		v4MasqIP *net.IPNet
-		v6MasqIP *net.IPNet
+		v4MasqIPs *udn.MasqueradeIPs
+		v6MasqIPs *udn.MasqueradeIPs
+		err       error
 	)
 	masqCTMark := ctMarkUDNBase + uint(networkID)
 	if config.IPv4Mode {
-		v4MasqIPs, err := udn.AllocateV4MasqueradeIPs(networkID)
+		v4MasqIPs, err = udn.AllocateV4MasqueradeIPs(networkID)
 		if err != nil {
 			return nil, fmt.Errorf("failed to get v4 masquerade IP, network %s (%d): %v", netInfo.GetNetworkName(), networkID, err)
 		}
-		v4MasqIP = v4MasqIPs.GatewayRouter
 	}
 	if config.IPv6Mode {
-		v6MasqIPs, err := udn.AllocateV6MasqueradeIPs(networkID)
+		v6MasqIPs, err = udn.AllocateV6MasqueradeIPs(networkID)
 		if err != nil {
 			return nil, fmt.Errorf("failed to get v6 masquerade IP, network %s (%d): %v", netInfo.GetNetworkName(), networkID, err)
 		}
-		v6MasqIP = v6MasqIPs.GatewayRouter
 	}
 
 	gw, ok := defaultNetworkGateway.(*gateway)
@@ -211,8 +210,8 @@ func NewUserDefinedNetworkGateway(netInfo util.NetInfo, networkID int, node *v1.
 		kubeInterface: kubeInterface,
 		vrfManager:    vrfManager,
 		masqCTMark:    masqCTMark,
-		v4MasqIP:      v4MasqIP,
-		v6MasqIP:      v6MasqIP,
+		v4MasqIPs:     v4MasqIPs,
+		v6MasqIPs:     v6MasqIPs,
 		gateway:       gw,
 		ruleManager:   ruleManager,
 	}, nil
@@ -258,7 +257,7 @@ func (udng *UserDefinedNetworkGateway) AddNetwork() error {
 		return fmt.Errorf("could not set loose mode for reverse path filtering on management port %s: %v", mgmtPortName, err)
 	}
 	if udng.openflowManager != nil {
-		udng.openflowManager.addNetwork(udng.NetInfo, udng.masqCTMark, udng.v4MasqIP, udng.v6MasqIP)
+		udng.openflowManager.addNetwork(udng.NetInfo, udng.masqCTMark, udng.v4MasqIPs, udng.v6MasqIPs)
 
 		waiter := newStartupWaiterWithTimeout(waitForPatchPortTimeout)
 		readyFunc := func() (bool, error) {