Merge pull request ovn-kubernetes#5053 from crnithya/gw_vlans_rel1

girishmg · web-flow · commit db7072290a78 · 2025-02-20T21:11:32.000-08:00
Update OVS bridge flows for supporting gateway VLANs
diff --git a/dist/images/ovnkube.sh b/dist/images/ovnkube.sh
@@ -1828,6 +1828,14 @@ ovnkube-controller-with-node() {
     fi
   fi
 
+  if [[ ${ovnkube_node_mode} != "dpu-host" && ! ${ovn_gateway_opts} =~ "gateway-vlanid" ]]; then
+      # get the gateway vlanid
+      gw_vlanid=$(ovs-vsctl --if-exists get Open_vSwitch . external_ids:ovn-gw-vlanid | tr -d \")
+      if [[ -n ${gw_vlanid} ]]; then
+        ovn_gateway_opts+="--gateway-vlanid=${gw_vlanid}"
+      fi
+  fi
+
   ovnkube_node_mgmt_port_netdev_flag=
   if [[ ${ovnkube_node_mgmt_port_netdev} != "" ]]; then
     ovnkube_node_mgmt_port_netdev_flag="--ovnkube-node-mgmt-port-netdev=${ovnkube_node_mgmt_port_netdev}"
@@ -2444,6 +2452,14 @@ ovn-node() {
 
   fi
 
+  if [[ ${ovnkube_node_mode} != "dpu-host" && ! ${ovn_gateway_opts} =~ "gateway-vlanid" ]]; then
+      # get the gateway vlanid
+      gw_vlanid=$(ovs-vsctl --if-exists get Open_vSwitch . external_ids:ovn-gw-vlanid | tr -d \")
+      if [[ -n ${gw_vlanid} ]]; then
+        ovn_gateway_opts+="--gateway-vlanid=${gw_vlanid}"
+      fi
+  fi
+
   local ovn_node_ssl_opts=""
   if [[ ${ovnkube_node_mode} != "dpu-host" ]]; then
       [[ "yes" == ${OVN_SSL_ENABLE} ]] && {
diff --git a/go-controller/pkg/node/gateway_shared_intf.go b/go-controller/pkg/node/gateway_shared_intf.go
@@ -401,9 +401,18 @@ func (npw *nodePortWatcher) generateARPBypassFlow(ofPorts []string, ipAddr strin
 			}
 			arpPortsFiltered = append(arpPortsFiltered, port)
 		}
-		arpFlow = fmt.Sprintf("cookie=%s, priority=110, in_port=%s, %s, %s=%s, "+
-			"actions=output:%s",
-			cookie, npw.ofportPhys, addrResProto, addrResDst, ipAddr, strings.Join(arpPortsFiltered, ","))
+
+		// If vlan tagged traffic is received from physical interface, it has to be untagged before sending to access ports
+		if config.Gateway.VLANID != 0 {
+			match_vlan := fmt.Sprintf("dl_vlan=%d,", config.Gateway.VLANID)
+			arpFlow = fmt.Sprintf("cookie=%s, priority=110, in_port=%s, %s, %s, %s=%s, "+
+				"actions=strip_vlan,output:%s",
+				cookie, npw.ofportPhys, match_vlan, addrResProto, addrResDst, ipAddr, strings.Join(arpPortsFiltered, ","))
+		} else {
+			arpFlow = fmt.Sprintf("cookie=%s, priority=110, in_port=%s, %s, %s=%s, "+
+				"actions=output:%s",
+				cookie, npw.ofportPhys, addrResProto, addrResDst, ipAddr, strings.Join(arpPortsFiltered, ","))
+		}
 	}
 
 	return arpFlow
@@ -1099,6 +1108,15 @@ func flowsForDefaultBridge(bridge *bridgeConfiguration, extraIPs []net.IP) ([]st
 	// 14 bytes of overhead for ethernet header (does not include VLAN)
 	maxPktLength := getMaxFrameLength()
 
+	strip_vlan := ""
+	mod_vlan_id := ""
+	match_vlan := ""
+	if config.Gateway.VLANID != 0 {
+		strip_vlan = "strip_vlan,"
+		match_vlan = fmt.Sprintf("dl_vlan=%d,", config.Gateway.VLANID)
+		mod_vlan_id = fmt.Sprintf("mod_vlan_vid:%d,", config.Gateway.VLANID)
+	}
+
 	if config.IPv4Mode {
 		// table0, Geneve packets coming from external. Skip conntrack and go directly to host
 		// if dest mac is the shared mac send directly to host.
@@ -1282,14 +1300,15 @@ func flowsForDefaultBridge(bridge *bridgeConfiguration, extraIPs []net.IP) ([]st
 
 			// table 1, established and related connections in zone 64000 with ct_mark ctMarkHost go to host
 			dftFlows = append(dftFlows,
-				fmt.Sprintf("cookie=%s, priority=100, table=1, ip, ct_state=+trk+est, ct_mark=%s, "+
-					"actions=output:%s",
-					defaultOpenFlowCookie, ctMarkHost, ofPortHost))
+				fmt.Sprintf("cookie=%s, priority=100, table=1, %s ip, ct_state=+trk+est, ct_mark=%s, "+
+					"actions=%soutput:%s",
+					defaultOpenFlowCookie, match_vlan, ctMarkHost, strip_vlan, ofPortHost))
 
 			dftFlows = append(dftFlows,
-				fmt.Sprintf("cookie=%s, priority=100, table=1, ip, ct_state=+trk+rel, ct_mark=%s, "+
-					"actions=output:%s",
-					defaultOpenFlowCookie, ctMarkHost, ofPortHost))
+				fmt.Sprintf("cookie=%s, priority=100, table=1, %s ip, ct_state=+trk+rel, ct_mark=%s, "+
+					"actions=%soutput:%s",
+					defaultOpenFlowCookie, match_vlan, ctMarkHost, strip_vlan, ofPortHost))
+
 		}
 
 		if config.IPv6Mode {
@@ -1306,32 +1325,33 @@ func flowsForDefaultBridge(bridge *bridgeConfiguration, extraIPs []net.IP) ([]st
 
 			// table 1, established and related connections in zone 64000 with ct_mark ctMarkHost go to host
 			dftFlows = append(dftFlows,
-				fmt.Sprintf("cookie=%s, priority=100, table=1, ip6, ct_state=+trk+est, ct_mark=%s, "+
-					"actions=output:%s",
-					defaultOpenFlowCookie, ctMarkHost, ofPortHost))
+				fmt.Sprintf("cookie=%s, priority=100, table=1, %s ip6, ct_state=+trk+est, ct_mark=%s, "+
+					"actions=%soutput:%s",
+					defaultOpenFlowCookie, match_vlan, ctMarkHost, strip_vlan, ofPortHost))
 
 			dftFlows = append(dftFlows,
-				fmt.Sprintf("cookie=%s, priority=100, table=1, ip6, ct_state=+trk+rel, ct_mark=%s, "+
-					"actions=output:%s",
-					defaultOpenFlowCookie, ctMarkHost, ofPortHost))
+				fmt.Sprintf("cookie=%s, priority=100, table=1, %s ip6, ct_state=+trk+rel, ct_mark=%s, "+
+					"actions=%soutput:%s",
+					defaultOpenFlowCookie, match_vlan, ctMarkHost, strip_vlan, ofPortHost))
+
 		}
 
 		// table 1, we check to see if this dest mac is the shared mac, if so send to host
 		dftFlows = append(dftFlows,
-			fmt.Sprintf("cookie=%s, priority=10, table=1, dl_dst=%s, actions=output:%s",
-				defaultOpenFlowCookie, bridgeMacAddress, ofPortHost))
+			fmt.Sprintf("cookie=%s, priority=10, table=1, %s dl_dst=%s, actions=%soutput:%s",
+				defaultOpenFlowCookie, match_vlan, bridgeMacAddress, strip_vlan, ofPortHost))
 	}
 
 	// table 2, dispatch from Host -> OVN
 	dftFlows = append(dftFlows,
 		fmt.Sprintf("cookie=%s, table=2, "+
-			"actions=set_field:%s->eth_dst,output:%s", defaultOpenFlowCookie, bridgeMacAddress, ofPortPatch))
+			"actions=set_field:%s->eth_dst,%soutput:%s", defaultOpenFlowCookie, bridgeMacAddress, mod_vlan_id, ofPortPatch))
 
 	// table 3, dispatch from OVN -> Host
 	dftFlows = append(dftFlows,
-		fmt.Sprintf("cookie=%s, table=3, "+
-			"actions=move:NXM_OF_ETH_DST[]->NXM_OF_ETH_SRC[],set_field:%s->eth_dst,output:%s",
-			defaultOpenFlowCookie, bridgeMacAddress, ofPortHost))
+		fmt.Sprintf("cookie=%s, table=3, %s "+
+			"actions=move:NXM_OF_ETH_DST[]->NXM_OF_ETH_SRC[],set_field:%s->eth_dst,%soutput:%s",
+			defaultOpenFlowCookie, match_vlan, bridgeMacAddress, strip_vlan, ofPortHost))
 
 	// table 4, hairpinned pkts that need to go from OVN -> Host
 	// We need to SNAT and masquerade OVN GR IP, send to table 3 for dispatch to Host
@@ -1374,11 +1394,20 @@ func commonFlows(subnets []*net.IPNet, bridge *bridgeConfiguration) ([]string, e
 
 	var dftFlows []string
 
+	strip_vlan := ""
+	match_vlan := ""
+	mod_vlan_id := ""
+	if config.Gateway.VLANID != 0 {
+		strip_vlan = "strip_vlan,"
+		match_vlan = fmt.Sprintf("dl_vlan=%d,", config.Gateway.VLANID)
+		mod_vlan_id = fmt.Sprintf("mod_vlan_vid:%d,", config.Gateway.VLANID)
+	}
+
 	if ofPortPhys != "" {
 		// table 0, we check to see if this dest mac is the shared mac, if so flood to both ports
 		dftFlows = append(dftFlows,
-			fmt.Sprintf("cookie=%s, priority=10, table=0, in_port=%s, dl_dst=%s, actions=output:%s,output:%s",
-				defaultOpenFlowCookie, ofPortPhys, bridgeMacAddress, ofPortPatch, ofPortHost))
+			fmt.Sprintf("cookie=%s, priority=10, table=0, in_port=%s, %s dl_dst=%s, actions=output:%s,%soutput:%s",
+				defaultOpenFlowCookie, ofPortPhys, match_vlan, bridgeMacAddress, ofPortPatch, strip_vlan, ofPortHost))
 	}
 
 	// table 0, check packets coming from OVN have the correct mac address. Low priority flows that are a catch all
@@ -1419,8 +1448,8 @@ func commonFlows(subnets []*net.IPNet, bridge *bridgeConfiguration) ([]string, e
 			// so that reverse direction goes back to the host.
 			dftFlows = append(dftFlows,
 				fmt.Sprintf("cookie=%s, priority=100, in_port=%s, ip, "+
-					"actions=ct(commit, zone=%d, exec(set_field:%s->ct_mark)), output:%s",
-					defaultOpenFlowCookie, ofPortHost, config.Default.ConntrackZone, ctMarkHost, ofPortPhys))
+					"actions=ct(commit, zone=%d, exec(set_field:%s->ct_mark)), %soutput:%s",
+					defaultOpenFlowCookie, ofPortHost, config.Default.ConntrackZone, ctMarkHost, mod_vlan_id, ofPortPhys))
 		}
 		if config.Gateway.Mode == config.GatewayModeLocal {
 			// table 0, any packet coming from OVN send to host in LGW mode, host will take care of sending it outside if needed.
@@ -1481,8 +1510,9 @@ func commonFlows(subnets []*net.IPNet, bridge *bridgeConfiguration) ([]string, e
 			// so that reverse direction goes back to the host.
 			dftFlows = append(dftFlows,
 				fmt.Sprintf("cookie=%s, priority=100, in_port=%s, ipv6, "+
-					"actions=ct(commit, zone=%d, exec(set_field:%s->ct_mark)), output:%s",
-					defaultOpenFlowCookie, ofPortHost, config.Default.ConntrackZone, ctMarkHost, ofPortPhys))
+					"actions=ct(commit, zone=%d, exec(set_field:%s->ct_mark)), %soutput:%s",
+					defaultOpenFlowCookie, ofPortHost, config.Default.ConntrackZone, ctMarkHost, mod_vlan_id, ofPortPhys))
+
 		}
 		if config.Gateway.Mode == config.GatewayModeLocal {
 			// table 0, any packet coming from OVN send to host in LGW mode, host will take care of sending it outside if needed.
@@ -1569,8 +1599,8 @@ func commonFlows(subnets []*net.IPNet, bridge *bridgeConfiguration) ([]string, e
 
 		// table 1, we check to see if this dest mac is the shared mac, if so send to host
 		dftFlows = append(dftFlows,
-			fmt.Sprintf("cookie=%s, priority=10, table=1, dl_dst=%s, actions=output:%s",
-				defaultOpenFlowCookie, bridgeMacAddress, ofPortHost))
+			fmt.Sprintf("cookie=%s, priority=10, table=1, %s dl_dst=%s, actions=%soutput:%s",
+				defaultOpenFlowCookie, match_vlan, bridgeMacAddress, strip_vlan, ofPortHost))
 
 		if config.IPv6Mode {
 			// REMOVEME(trozet) when https://bugzilla.kernel.org/show_bug.cgi?id=11797 is resolved
