
Install flows to skip SNAT for k8s nodes (#2708)
If the destination IP is a Node IP, we must skip SNAT when Egress is enabled;
there is no need to forward such packets to the Egress IP Node.

Signed-off-by: Yang Li <[email protected]>
leonstack committed Sep 15, 2021
1 parent cf22420 commit c5a1c1e
Showing 2 changed files with 18 additions and 0 deletions.
3 changes: 3 additions & 0 deletions pkg/agent/openflow/client.go
Expand Up @@ -442,6 +442,9 @@ func (c *client) InstallNodeFlows(hostname string,
} else {
flows = append(flows, c.l3FwdFlowToRemoteViaRouting(localGatewayMAC, remoteGatewayMAC, cookie.Node, tunnelPeerIP, peerPodCIDR)...)
}
if c.enableEgress {
flows = append(flows, c.snatSkipNodeFlow(tunnelPeerIP, cookie.Node))
}
}
if ipsecTunOFPort != 0 {
// When IPSec tunnel is enabled, packets received from the remote Node are
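Review bot: The new `if c.enableEgress` block carries no comment saying why a flow keyed on the remote Node IP belongs among the Node flows; the reason lives only in the commit message. Suggest adding above it: `// With Egress enabled, traffic from local Pods to a remote Node IP must bypass SNAT so it is not redirected to the Egress Node.` The flow is appended to the same `flows` slice as the other Node flows, so it presumably shares their install/uninstall lifecycle, but the cache handling that determines this is outside the hunk and worth confirming. InstallNodeFlows starts and ends outside the hunk.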
15 changes: 15 additions & 0 deletions pkg/agent/openflow/pipeline.go
Expand Up @@ -1853,6 +1853,21 @@ func (c *client) localProbeFlow(localGatewayIPs []net.IP, category cookie.Catego
return flows
}

// snatSkipNodeFlow installs a flow to skip SNAT for traffic to the remote K8s Nodes.
func (c *client) snatSkipNodeFlow(nodeIP net.IP, category cookie.Category) binding.Flow {
l3FwdTable := c.pipeline[l3ForwardingTable]
nextTable := l3FwdTable.GetNext()
ipProto := getIPProtocol(nodeIP)
// This flow is for the traffic to the remote Node IP.
return l3FwdTable.BuildFlow(priorityNormal).
MatchProtocol(ipProto).
MatchRegMark(FromLocalRegMark).
MatchDstIP(nodeIP).
Action().GotoTable(nextTable).
Cookie(c.cookieAllocator.Request(category).Raw()).
Done()
}

// snatCommonFlows installs the default flows for performing SNAT for traffic to
// the external network. The flows identify the packets to external, and send
// them to snatTable, where SNAT IPs are looked up for the packets.
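Review bot: The doc comment says snatSkipNodeFlow "installs" a flow, but the function only builds and returns a binding.Flow; installation happens in the caller. Suggest `// snatSkipNodeFlow returns a flow that sends traffic from local Pods (FromLocalRegMark) destined to the remote Node IP nodeIP straight to the table after l3ForwardingTable, bypassing SNAT.` The flow uses priorityNormal with a dst-IP match; if another flow in l3ForwardingTable that steers local Pod traffic toward SNAT sits at the same priority with an overlapping match, OpenFlow gives no ordering guarantee between them, so it is worth confirming that flow has a lower priority (it is not visible from this hunk). The inline `// This flow is for the traffic to the remote Node IP.` only restates the function comment and could be folded into it.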
