northd: set dl_src for packets redirected by router port (#6102)

zhangzujian · web-flow · commit c975191c96ed · 2025-12-25T10:35:37.000+08:00
Signed-off-by: zhangzujian &lt;zhangzujian.7@gmail.com&gt;
diff --git a/dist/images/Dockerfile.base b/dist/images/Dockerfile.base
@@ -64,6 +64,7 @@ ADD patches/03e35ed9c5b4de0fa8acbc2c057cdd5957a8d605.patch $SRC_DIR
 ADD patches/b5e2975eb65f37315545300254fc0f58a9df52b1.patch $SRC_DIR
 ADD patches/e7d3ba53cdcbc524bb29c54ddb07b83cc4258ed7.patch $SRC_DIR
 ADD patches/a9e009136a42cf6d985f97e2bf1ec41df6b5ca29.patch $SRC_DIR
+ADD patches/fb0108d8fc29c1bd29666f1eb2a27bf34628fa11.patch $SRC_DIR
 
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,target=/var/lib/apt,sharing=locked \
@@ -128,7 +129,9 @@ RUN cd /usr/src/ && git clone -b branch-24.03 --depth=1 https://github.com/ovn-o
     # skip node local dns ip conntrack when set acl
     git apply $SRC_DIR/e7d3ba53cdcbc524bb29c54ddb07b83cc4258ed7.patch && \
     # select local backend first
-    git apply $SRC_DIR/a9e009136a42cf6d985f97e2bf1ec41df6b5ca29.patch
+    git apply $SRC_DIR/a9e009136a42cf6d985f97e2bf1ec41df6b5ca29.patch && \
+    # set dl_src for packets redirected by router port
+    git apply $SRC_DIR/fb0108d8fc29c1bd29666f1eb2a27bf34628fa11.patch
 
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,target=/var/lib/apt,sharing=locked \
diff --git a/dist/images/patches/a9e009136a42cf6d985f97e2bf1ec41df6b5ca29.patch b/dist/images/patches/a9e009136a42cf6d985f97e2bf1ec41df6b5ca29.patch
@@ -42,7 +42,7 @@ index af0c92954c..71633ae788 100644
 +        struct ovn_northd_lb_backend *backend_nb =
 +            &lb_vip_nb->backends_nb[j];
 +        backend_nb->logical_port = xstrdup(port_name);
-+        
++
 +        free(port_name);
 +    }
 +
@@ -184,7 +184,7 @@ index a58db7dbde..0b84ac822e 100644
 +                bool reject = build_lb_vip_actions(lb, lb_vip, lb_vip_nb, action,
 +                                                   lb->selection_fields,
 +                                                   NULL, NULL, true, features,
-+                                                   svc_monitor_map, 
++                                                   svc_monitor_map,
 +                                                   entry->backend_ips, 
 +                                                   &entry->logical_ports);
 +
@@ -254,7 +254,7 @@ index a58db7dbde..0b84ac822e 100644
                                             lb->selection_fields,
                                             NULL, NULL, true, features,
 -                                           svc_monitor_map);
-+                                           svc_monitor_map, 
++                                           svc_monitor_map,
 +                                           NULL, NULL);
  
          ds_put_format(match, "ct.new && %s.dst == %s", ip_match,
diff --git a/dist/images/patches/fb0108d8fc29c1bd29666f1eb2a27bf34628fa11.patch b/dist/images/patches/fb0108d8fc29c1bd29666f1eb2a27bf34628fa11.patch
@@ -0,0 +1,100 @@
+From fb0108d8fc29c1bd29666f1eb2a27bf34628fa11 Mon Sep 17 00:00:00 2001
+From: zhangzujian <zhangzujian.7@gmail.com>
+Date: Thu, 25 Dec 2025 00:24:49 +0000
+Subject: [PATCH] set dl_src for packets redirected by router port
+
+Signed-off-by: zhangzujian <zhangzujian.7@gmail.com>
+---
+ northd/northd.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 69 insertions(+)
+
+diff --git a/northd/northd.c b/northd/northd.c
+index 0a9362d01..86d7084bc 100644
+--- a/northd/northd.c
++++ b/northd/northd.c
+@@ -8206,6 +8206,74 @@ build_lswitch_dnat_mod_dl_dst_rules(struct ovn_port *op,
+     }
+ }
+ 
++static void
++build_lswitch_mod_dl_src_rules(struct ovn_port *op,
++                               struct lflow_table *lflows,
++                               const struct hmap *lr_ports,
++                               struct ds *actions,
++                               struct ds *match)
++{
++    if (!op->nbsp || !op->od || !op->od->nbs ||
++        !op->od->n_router_ports || !op->od->n_localnet_ports) {
++        return;
++    }
++    if (!lsp_is_enabled(op->nbsp)) {
++        return;
++    }
++    if (!strcmp(op->nbsp->type, "virtual") ||
++        !strcmp(op->nbsp->type, "localport")) {
++        return;
++    }
++    if (lsp_is_external(op->nbsp) || lsp_is_router(op->nbsp) ||
++        op->has_unknown) {
++        return;
++    }
++
++    if (op->n_lsp_addrs != 1 || !strlen(op->lsp_addrs[0].ea_s) ||
++        (!op->lsp_addrs[0].n_ipv4_addrs && !op->lsp_addrs[0].n_ipv6_addrs)) {
++        return;
++    }
++
++    ds_clear(actions);
++    ds_put_format(actions, "eth.src = %s; next(pipeline=ingress, table=%d);",
++                  op->lsp_addrs[0].ea_s,
++                  ovn_stage_get_table(S_SWITCH_IN_L2_LKUP));
++
++    for (size_t i = 0; i < op->od->n_router_ports; i++) {
++        struct ovn_port *rp = op->od->router_ports[i];
++        if (!rp || !rp->nbsp) {
++            continue;
++        }
++        struct ovn_port *peer = ovn_port_get_peer(lr_ports, rp);
++        if (!peer || !peer->nbrp || peer->primary_port ||
++            peer->nbrp->n_gateway_chassis || peer->nbrp->ha_chassis_group) {
++            continue;
++        }
++
++        for (size_t j = 0; j < op->lsp_addrs[0].n_ipv4_addrs; j++) {
++            ds_clear(match);
++            ds_put_format(match,
++                          "inport == %s && ip4.src == %s && eth.src != %s",
++                          rp->json_key, op->lsp_addrs[0].ipv4_addrs[j].addr_s,
++                          op->lsp_addrs[0].ea_s);
++            ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_L2_LKUP, 60,
++                                    ds_cstr(match), ds_cstr(actions),
++                                    &op->nbsp->header_, op->lflow_ref);
++        }
++
++        for (size_t j = 0; j < op->lsp_addrs[0].n_ipv6_addrs; j++) {
++            ds_clear(match);
++            ds_put_format(match,
++                          "inport == %s && ip6.src == %s && eth.src != %s",
++                          rp->json_key, op->lsp_addrs[0].ipv6_addrs[j].addr_s,
++                          op->lsp_addrs[0].ea_s);
++            ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_L2_LKUP, 60,
++                                    ds_cstr(match), ds_cstr(actions),
++                                    &op->nbsp->header_, op->lflow_ref);
++        }
++    }
++}
++
+ static void
+ build_stateful(struct ovn_datapath *od,
+                const struct chassis_features *features,
+@@ -16755,6 +16823,7 @@ build_lswitch_and_lrouter_iterate_by_lsp(struct ovn_port *op,
+     build_lswitch_arp_nd_responder_known_ips(op, lflows, ls_ports,
+                                              meter_groups, actions, match);
+     build_lswitch_dnat_mod_dl_dst_rules(op, lflows, lr_ports, actions, match);
++    build_lswitch_mod_dl_src_rules(op, lflows, lr_ports, actions, match);
+     build_lswitch_arp_nd_forward_for_unknown_ips(op, lflows, actions, match);
+     build_lswitch_dhcp_options_and_response(op, lflows, meter_groups);
+     build_lswitch_external_port(op, lflows);
+-- 
+2.43.0
+
diff --git a/pkg/daemon/controller.go b/pkg/daemon/controller.go
@@ -54,7 +54,6 @@ type Controller struct {
 	podsLister     listerv1.PodLister
 	podsSynced     cache.InformerSynced
 	updatePodQueue workqueue.TypedRateLimitingInterface[string]
-	deletePodQueue workqueue.TypedRateLimitingInterface[*podEvent]
 
 	nodesLister listerv1.NodeLister
 	nodesSynced cache.InformerSynced
@@ -116,7 +115,6 @@ func NewController(config *Configuration, stopCh <-chan struct{}, podInformerFac
 		podsLister:     podInformer.Lister(),
 		podsSynced:     podInformer.Informer().HasSynced,
 		updatePodQueue: newTypedRateLimitingQueue[string]("UpdatePod", nil),
-		deletePodQueue: newTypedRateLimitingQueue[*podEvent]("DeletePod", nil),
 
 		nodesLister: nodeInformer.Lister(),
 		nodesSynced: nodeInformer.Informer().HasSynced,
@@ -178,7 +176,6 @@ func NewController(config *Configuration, stopCh <-chan struct{}, podInformerFac
 
 	if _, err = podInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
 		UpdateFunc: controller.enqueueUpdatePod,
-		DeleteFunc: controller.enqueueDeletePod,
 	}); err != nil {
 		return nil, err
 	}
@@ -477,10 +474,6 @@ type serviceEvent struct {
 	oldObj, newObj any
 }
 
-type podEvent struct {
-	oldObj any
-}
-
 func (c *Controller) enqueueAddSubnet(obj any) {
 	c.subnetQueue.Add(&subnetEvent{newObj: obj})
 }
@@ -596,37 +589,11 @@ func (c *Controller) enqueueUpdatePod(oldObj, newObj any) {
 	}
 }
 
-func (c *Controller) enqueueDeletePod(obj any) {
-	var pod *v1.Pod
-	switch t := obj.(type) {
-	case *v1.Pod:
-		pod = t
-	case cache.DeletedFinalStateUnknown:
-		p, ok := t.Obj.(*v1.Pod)
-		if !ok {
-			klog.Warningf("unexpected object type: %T", t.Obj)
-			return
-		}
-		pod = p
-	default:
-		klog.Warningf("unexpected type: %T", obj)
-		return
-	}
-
-	klog.V(3).Infof("enqueue delete pod %s", pod.Name)
-	c.deletePodQueue.Add(&podEvent{oldObj: pod})
-}
-
 func (c *Controller) runUpdatePodWorker() {
 	for c.processNextUpdatePodWorkItem() {
 	}
 }
 
-func (c *Controller) runDeletePodWorker() {
-	for c.processNextDeletePodWorkItem() {
-	}
-}
-
 func (c *Controller) processNextUpdatePodWorkItem() bool {
 	key, shutdown := c.updatePodQueue.Get()
 	if shutdown {
@@ -649,28 +616,6 @@ func (c *Controller) processNextUpdatePodWorkItem() bool {
 	return true
 }
 
-func (c *Controller) processNextDeletePodWorkItem() bool {
-	event, shutdown := c.deletePodQueue.Get()
-	if shutdown {
-		return false
-	}
-
-	err := func(event *podEvent) error {
-		defer c.deletePodQueue.Done(event)
-		if err := c.handleDeletePod(event); err != nil {
-			c.deletePodQueue.AddRateLimited(event)
-			return fmt.Errorf("error syncing pod event: %w, requeuing", err)
-		}
-		c.deletePodQueue.Forget(event)
-		return nil
-	}(event)
-	if err != nil {
-		utilruntime.HandleError(err)
-		return true
-	}
-	return true
-}
-
 var lastNoPodOvsPort map[string]bool
 
 func (c *Controller) markAndCleanInternalPort() error {
@@ -706,7 +651,6 @@ func (c *Controller) Run(stopCh <-chan struct{}) {
 	defer c.subnetQueue.ShutDown()
 	defer c.serviceQueue.ShutDown()
 	defer c.updatePodQueue.ShutDown()
-	defer c.deletePodQueue.ShutDown()
 
 	go wait.Until(ovs.CleanLostInterface, time.Minute, stopCh)
 	go wait.Until(recompute, 10*time.Minute, stopCh)
@@ -725,7 +669,6 @@ func (c *Controller) Run(stopCh <-chan struct{}) {
 	go wait.Until(c.runDeleteProviderNetworkWorker, time.Second, stopCh)
 	go wait.Until(c.runSubnetWorker, time.Second, stopCh)
 	go wait.Until(c.runUpdatePodWorker, time.Second, stopCh)
-	go wait.Until(c.runDeletePodWorker, time.Second, stopCh)
 	go wait.Until(c.runGateway, 3*time.Second, stopCh)
 	go wait.Until(c.loopEncapIPCheck, 3*time.Second, stopCh)
 	go wait.Until(c.ovnMetricsUpdate, 3*time.Second, stopCh)
diff --git a/pkg/daemon/controller_linux.go b/pkg/daemon/controller_linux.go
diff --git a/pkg/ovs/ovs-ofctl.go b/pkg/ovs/ovs-ofctl.go
