Commit
Flexible Pipeline is a framework to generate OVS pipelines with dynamic table IDs.

There are some abstractions introduced in this framework:
- **feature** is the interface to program a major function in Antrea data path
- **stage** in FlexiblePipeline is used to group tables which implement similar functions in a pipeline
- **pipeline** is used to implement a major function in Antrea data path
- **Table** is the basic unit to build OVS pipelines. A Table can be referenced by one or more features, but its member struct ofTable will be initialized and realized on OVS only when it is referenced by any activated features

At this moment, we have the following features:
- featurePodConnectivity, implementation of connectivity for Pods, activated by default
- featureNetworkPolicy, implementation of K8s NetworkPolicy and Antrea NetworkPolicy, activated by default
- featureService, implementation of K8s Service, activated by default
- featureEgress, implementation of Egress, activation is determined by feature gate Egress
- featureMulticast, implementation of multicast, activation is determined by feature gate Multicast

At this moment, we have the following stages:
- stageStart is only used to initialize PipelineClassifierTable
- stageClassifier is used to classify packets' "category" (tunnel, local gateway or local Pod, etc.)
- stageValidation is used to validate packets
- stageConntrackState is used to transform committed packets in CT zones
- stagePreRouting is similar to the PREROUTING chain of the nat table in iptables. DNAT for Service connections is performed in this stage
- stageEgressSecurity is used to install egress rules for K8s NetworkPolicy and Antrea NetworkPolicy
- stageRouting is used to implement L3 forwarding of packets
- stagePostRouting is similar to the POSTROUTING chain of the nat table in iptables. SNAT for Service connections is performed in this stage
- stageSwitching is used to implement L2 forwarding of packets
- stageIngressSecurity is used to install ingress rules for K8s NetworkPolicy and Antrea NetworkPolicy
- stageConntrack is used to commit non-Service connections
- stageOutput is used to output packets to the target port

At this moment, we have the following pipelines:
- pipelineRoot is only used to initialize PipelineClassifierTable
- pipelineARP is used to process ARP packets
- pipelineIP is used to process IPv4/IPv6 packets
- pipelineMulticast is used to process multicast packets

After refactoring, PipelineClassifierTable is table 0. It's the only fixed table ID. Packets are forwarded to different pipelines in this table.

OVS pipelineARP is used to process ARP packets. Stages and tables in this pipeline:
- stageValidation
  - ARPSpoofGuardTable, ARP-spoofing part of original SpoofGuardTable
- stageOutput
  - ARPResponderTable, renamed from arpResponderTable

OVS pipelineIP is used to process IPv4/IPv6 packets. Stages and tables in this pipeline:
- stageClassifier
  - ClassifierTable, original ClassifierTable (0)
- stageValidation
  - SpoofGuardTable, part of original SpoofGuardTable (10)
  - IPv6Table, original IPv6Table (21)
  - IPClassifierTable, newly added for multicast
- stageConntrackState
  - SNATConntrackTable, original ServiceConntrackTable (35)
  - ConntrackTable, original ConntrackTable (30)
  - ConntrackStateTable, original ConntrackStateTable (31)
- stagePreRouting
  - PreRoutingClassifierTable, newly added
  - NodePortMarkTable, original ServiceClassifierTable (35)
  - SessionAffinityTable, original SessionAffinityTable (41)
  - ServiceLBTable, original ServiceLBTable (41)
  - EndpointDNATTable, original EndpointDNATTable (42)
  - DNATTable, original DNATTable (40)
- stageEgressSecurity
  - AntreaPolicyEgressRuleTable, original AntreaPolicyEgressRuleTable (45)
  - EgressRuleTable, original EgressRuleTable (50)
  - EgressDefaultTable, original EgressDefaultTable (60)
  - EgressMetricTable, original EgressMetricTable (61)
- stageRouting
  - L3ForwardingTable, original L3ForwardingTable (70)
  - EgressMarkTable, original SNATTable (71)
  - L3DecTTLTable, original L3DecTTLTable (72)
- stagePostRouting
  - ServiceMarkTable, newly added
  - SNATConntrackCommitTable, original ServiceConntrackCommitTable (105)
- stageSwitching
  - L2ForwardingCalcTable, original L2ForwardingCalcTable (80)
- stageIngressSecurity
  - IngressSecurityClassifierTable, newly added
  - AntreaPolicyIngressRuleTable, original AntreaPolicyIngressRuleTable (85)
  - IngressRuleTable, original IngressRuleTable (90)
  - IngressDefaultTable, original IngressDefaultTable (100)
  - IngressMetricTable, original IngressDefaultTable (101)
- stageConntrack
  - ConntrackCommitTable, original ConntrackCommitTable (105)
- stageOutput
  - L2ForwardingOutTable, original L2ForwardingOutTable (110)

OVS pipelineMulticast is used to process multicast packets. Stages and tables in this pipeline:
- stageRouting
  - MulticastTable, original MulticastTable (22)

Removed tables:
- original ServiceHairpinTable (22)
- original DefaultTierEgressRuleTable (49)
- original HairpinSNATTable (108)

For hairpin connections, SNAT is performed by a CT operation instead of modifying the source IP statelessly. Another change is to use different IPs to perform SNAT:
- Hairpin Service connection initiated through a local Pod: SNAT is performed with the Antrea gateway IP.
- Hairpin Service connection initiated through the Antrea gateway: SNAT is performed with a virtual IP.

Signed-off-by: Hongliang Liu <[email protected]>
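As an added illustration (not Antrea's own code) of the framework's two central rules, that a Table is realized only when an activated feature references it and that table IDs are assigned dynamically in stage order with PipelineClassifierTable fixed at 0, here is a small Go model; the Table/Feature types and RealizeTables are assumptions of this example, not Antrea APIs.

```go
package main

import (
	"fmt"
	"sort"
)
// Stages in commit-message order; stageStart holds only PipelineClassifierTable (fixed ID 0).
const (
	stageStart = iota; stageClassifier; stageValidation; stageConntrackState
	stagePreRouting; stageEgressSecurity; stageRouting; stagePostRouting
	stageSwitching; stageIngressSecurity; stageConntrack; stageOutput
)

// Table is the basic unit of a pipeline; ID stays -1 until the table is realized.
type Table struct{ Name string; Stage, ID int }
// Feature references the tables it needs; only activated features realize them.
type Feature struct{ Name string; Activated bool; Tables []*Table }

// RealizeTables assigns IDs in stage order (registration order within a stage) to every
// table referenced by an activated feature; tables referenced only by inactive features keep -1.
func RealizeTables(classifier *Table, features []*Feature) []*Table {
	seen := map[*Table]bool{classifier: true}
	realized := []*Table{classifier}
	for _, f := range features {
		for _, t := range f.Tables {
			if f.Activated && !seen[t] {
				seen[t] = true
				realized = append(realized, t)
			}
		}
	}
	sort.SliceStable(realized, func(i, j int) bool { return realized[i].Stage < realized[j].Stage })
	for i, t := range realized {
		t.ID = i
	}
	return realized
}

func main() {
	spoof := &Table{"SpoofGuardTable", stageValidation, -1}
	out := &Table{"L2ForwardingOutTable", stageOutput, -1}
	egressMark := &Table{"EgressMarkTable", stageRouting, -1} // stays -1: only featureEgress needs it
	features := []*Feature{
		{"featurePodConnectivity", true, []*Table{out, spoof}},
		{"featureEgress", false, []*Table{egressMark}}, // feature gate Egress disabled
	}
	for _, t := range RealizeTables(&Table{"PipelineClassifierTable", stageStart, -1}, features) {
		fmt.Println(t.ID, t.Name) // 0 PipelineClassifierTable, 1 SpoofGuardTable, 2 L2ForwardingOutTable
	}
}
```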