Revert "Add flow for host -> localnet on same node"

tssurya · tssurya · commit b3760a19578b · 2025-05-07T16:13:23.000+02:00
This reverts commit 0ee80bf. Conflict in gateway_shared_intf.go because of not having https://github.com/ovn-kubernetes/ovn-kubernetes/pull/5153/files#diff-d3aa58d9b58a0a09264f072df46ab01d0501eb508c4656411ae2dc1ac68fb3c4 Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com> (cherry picked from commit ebb7339)
diff --git a/go-controller/pkg/node/gateway_shared_intf.go b/go-controller/pkg/node/gateway_shared_intf.go
@@ -1937,10 +1937,9 @@ func commonFlows(hostSubnets []*net.IPNet, bridge *bridgeConfiguration) ([]strin
 							defaultOpenFlowCookie, netConfig.ofPortPatch, bridgeMacAddress, config.Default.ConntrackZone,
 							netConfig.masqCTMark, ofPortPhys))
 
-					// Allow (a) OVN->host traffic on the same node
-					// (b) host->host traffic on the same node
+					// Allow OVN->Host traffic on the same node
 					if config.Gateway.Mode == config.GatewayModeShared || config.Gateway.Mode == config.GatewayModeLocal {
-						dftFlows = append(dftFlows, hostNetworkNormalActionFlows(netConfig, bridgeMacAddress, hostSubnets, false)...)
+						dftFlows = append(dftFlows, ovnToHostNetworkNormalActionFlows(netConfig, bridgeMacAddress, hostSubnets, false)...)
 					}
 				} else {
 					//  for UDN we additionally SNAT the packet from masquerade IP -> node IP
@@ -2034,10 +2033,9 @@ func commonFlows(hostSubnets []*net.IPNet, bridge *bridgeConfiguration) ([]strin
 							"actions=ct(commit, zone=%d, exec(set_field:%s->ct_mark)), output:%s",
 							defaultOpenFlowCookie, netConfig.ofPortPatch, bridgeMacAddress, config.Default.ConntrackZone, netConfig.masqCTMark, ofPortPhys))
 
-					// Allow (a) OVN->host traffic on the same node
-					// (b) host->host traffic on the same node
+					// Allow OVN->Host traffic on the same node
 					if config.Gateway.Mode == config.GatewayModeShared || config.Gateway.Mode == config.GatewayModeLocal {
-						dftFlows = append(dftFlows, hostNetworkNormalActionFlows(netConfig, bridgeMacAddress, hostSubnets, true)...)
+						dftFlows = append(dftFlows, ovnToHostNetworkNormalActionFlows(netConfig, bridgeMacAddress, hostSubnets, true)...)
 					}
 				} else {
 					//  for UDN we additionally SNAT the packet from masquerade IP -> node IP
@@ -2217,15 +2215,23 @@ func commonFlows(hostSubnets []*net.IPNet, bridge *bridgeConfiguration) ([]strin
 	return dftFlows, nil
 }
 
-// hostNetworkNormalActionFlows returns the flows that allow IP{v4,v6} traffic:
-// a. from pods in the OVN network to pods in a localnet network, on the same node
-// b. from pods on the host to pods in a localnet network, on the same node
-// when the localnet is mapped to breth0.
-// The expected srcMAC is the MAC address of breth0 and the expected hostSubnets is the host subnets found on the node
-// primary interface.
-func hostNetworkNormalActionFlows(netConfig *bridgeUDNConfiguration, srcMAC string, hostSubnets []*net.IPNet, isV6 bool) []string {
+// ovnToHostNetworkNormalActionFlows returns the flows that allow IP{v4,v6} traffic from the OVN network to the host network
+// when the destination is on the same node as the sender. This is necessary for pods in the default network to reach
+// localnet pods on the same node, when the localnet is mapped to breth0. The expected srcMAC is the MAC address of breth0
+// and the expected hostSubnets is the host subnets found on the node primary interface.
+func ovnToHostNetworkNormalActionFlows(netConfig *bridgeUDNConfiguration, srcMAC string, hostSubnets []*net.IPNet, isV6 bool) []string {
+	var inPort, ctMark, ipFamily, ipFamilyDest string
 	var flows []string
-	var ipFamily, ipFamilyDest string
+
+	if config.Gateway.Mode == config.GatewayModeShared {
+		inPort = netConfig.ofPortPatch
+		ctMark = netConfig.masqCTMark
+	} else if config.Gateway.Mode == config.GatewayModeLocal {
+		inPort = "LOCAL"
+		ctMark = ctMarkHost
+	} else {
+		return nil
+	}
 
 	if isV6 {
 		ipFamily = "ipv6"
@@ -2235,69 +2241,38 @@ func hostNetworkNormalActionFlows(netConfig *bridgeUDNConfiguration, srcMAC stri
 		ipFamilyDest = "nw_dst"
 	}
 
-	formatFlow := func(inPort, destIP, ctMark string) string {
-		// Matching IP traffic will be handled by the bridge instead of being output directly
-		// to the NIC by the existing flow at prio=100.
-		flowTemplate := "cookie=%s, priority=102, in_port=%s, dl_src=%s, %s, %s=%s, " +
-			"actions=ct(commit, zone=%d, exec(set_field:%s->ct_mark)), output:NORMAL"
-		return fmt.Sprintf(flowTemplate,
-			defaultOpenFlowCookie,
-			inPort,
-			srcMAC,
-			ipFamily,
-			ipFamilyDest,
-			destIP,
-			config.Default.ConntrackZone,
-			ctMark)
-	}
-
-	// Traffic path (a): OVN->localnet for shared gw mode
-	if config.Gateway.Mode == config.GatewayModeShared {
-		for _, hostSubnet := range hostSubnets {
-			if utilnet.IsIPv6(hostSubnet.IP) != isV6 {
-				continue
-			}
-			flows = append(flows, formatFlow(netConfig.ofPortPatch, hostSubnet.String(), netConfig.masqCTMark))
-		}
-	}
-
-	// Traffic path (a): OVN->localnet for local gw mode
-	// Traffic path (b): host->localnet for both gw modes
 	for _, hostSubnet := range hostSubnets {
-		if utilnet.IsIPv6(hostSubnet.IP) != isV6 {
+		if (hostSubnet.IP.To4() == nil) != isV6 {
 			continue
 		}
-		flows = append(flows, formatFlow("LOCAL", hostSubnet.String(), ctMarkHost))
-	}
-
-	if isV6 {
-		// IPv6 neighbor discovery uses ICMPv6 messages sent to a special destination (ff02::1:ff00:0/104)
-		// that is unrelated to the host subnets matched in the prio=102 flow above.
-		// Allow neighbor discovery by matching against ICMP type and ingress port.
-		formatICMPFlow := func(inPort, ctMark string, icmpType int) string {
-			icmpFlowTemplate := "cookie=%s, priority=102, in_port=%s, dl_src=%s, icmp6, icmpv6_type=%d, " +
-				"actions=ct(commit, zone=%d, exec(set_field:%s->ct_mark)), output:NORMAL"
-			return fmt.Sprintf(icmpFlowTemplate,
+		// IP traffic from the OVN network to the host network should be handled normally by the bridge instead of
+		// being output directly to the NIC by the existing flow at prio=100.
+		flows = append(flows,
+			fmt.Sprintf("cookie=%s, priority=102, in_port=%s, dl_src=%s, %s, %s=%s, "+
+				"actions=ct(commit, zone=%d, exec(set_field:%s->ct_mark)), output:NORMAL",
 				defaultOpenFlowCookie,
 				inPort,
 				srcMAC,
-				icmpType,
+				ipFamily,
+				ipFamilyDest,
+				hostSubnet.String(),
 				config.Default.ConntrackZone,
-				ctMark)
-		}
+				ctMark))
+	}
 
+	if isV6 {
+		// Neighbor discovery in IPv6 happens through ICMPv6 messages to a special destination (ff02::1:ff00:0/104),
+		// which has nothing to do with the host subnets we're matching against in the flow above at prio=102.
+		// Let's allow neighbor discovery by matching against icmp type and in_port.
 		for _, icmpType := range []int{types.NeighborSolicitationICMPType, types.NeighborAdvertisementICMPType} {
-			// Traffic path (a) for ICMP: OVN-> localnet for shared gw mode
-			if config.Gateway.Mode == config.GatewayModeShared {
-				flows = append(flows,
-					formatICMPFlow(netConfig.ofPortPatch, netConfig.masqCTMark, icmpType))
-			}
-
-			// Traffic path (a) for ICMP: OVN->localnet for local gw mode
-			// Traffic path (b) for ICMP: host->localnet for both gw modes
-			flows = append(flows, formatICMPFlow("LOCAL", ctMarkHost, icmpType))
+			flows = append(flows,
+				fmt.Sprintf("cookie=%s, priority=102, in_port=%s, dl_src=%s, icmp6, icmpv6_type=%d, "+
+					"actions=ct(commit, zone=%d, exec(set_field:%s->ct_mark)), output:NORMAL",
+					defaultOpenFlowCookie, inPort, srcMAC, icmpType,
+					config.Default.ConntrackZone, ctMark))
 		}
 	}
+
 	return flows
 }
 
