skip conntrack when access node dns ip (#3894) (#4762)

* skip conntrack when access node local dns ip

Signed-off-by: Changlu Yi <[email protected]>

Author: changluyi

dist/images/Dockerfile.base

@@ -50,7 +50,9 @@ RUN cd /usr/src/ && git clone -b branch-22.12 --depth=1 https://github.com/ovn-o
     # lflow: do not send direct traffic between lports to conntrack
     curl -s https://github.com/kubeovn/ovn/commit/54cbe0d1ba2051e640dd3e53498f373362547691.patch | git apply && \
     # northd: add nb option version_compatibility
-    curl -s https://github.com/kubeovn/ovn/commit/06f5a7c684a6030036e2663eecf934b37c3e666e.patch | git apply
+    curl -s https://github.com/kubeovn/ovn/commit/06f5a7c684a6030036e2663eecf934b37c3e666e.patch | git apply && \
+    # northd: skip conntrack when access node local dns ip
+    curl -s https://github.com/kubeovn/ovn/commit/1ea964886da774506962d6bf23f8f894d93a10eb.patch | git apply
 
 RUN apt install -y build-essential fakeroot \
     autoconf automake bzip2 debhelper-compat dh-exec dh-python dh-sequence-python3 dh-sequence-sphinxdoc \

mocks/pkg/ovs/interface.go

@@ -297,6 +297,11 @@ func ParseFlags() (*Configuration, error) {
 		return nil, fmt.Errorf("check system cidr failed, %v", err)
 	}
 
+	if err := util.CheckNodeDNSIP(config.NodeLocalDNSIP); err != nil {
+		klog.Error(err)
+		return nil, err
+	}
+
 	klog.Infof("config is %+v", config)
 	return config, nil
 }

pkg/controller/config.go

@@ -755,6 +755,10 @@ func (c *Controller) Run(ctx context.Context) {
 		util.LogFatalAndExit(err, "failed to set NB_Global option ls_ct_skip_dst_lport_ips")
 	}
 
+	if err := c.OVNNbClient.SetNodeLocalDNSIP(c.config.NodeLocalDNSIP); err != nil {
+		util.LogFatalAndExit(err, "failed to set NB_Global option node_local_dns_ip")
+	}
+
 	if err := c.InitOVN(); err != nil {
 		util.LogFatalAndExit(err, "failed to initialize ovn resources")
 	}

pkg/controller/controller.go

@@ -18,6 +18,7 @@ type NBGlobal interface {
 	SetICAutoRoute(enable bool, blackList []string) error
 	SetLsDnatModDlDst(enabled bool) error
 	SetLsCtSkipDstLportIPs(enabled bool) error
+	SetNodeLocalDNSIP(nodeLocalDNSIP string) error
 	GetNbGlobal() (*ovnnb.NBGlobal, error)
 }
 

pkg/ovs/interface.go

@@ -157,3 +157,28 @@ func (c *OVNNbClient) SetLsDnatModDlDst(enabled bool) error {
 func (c *OVNNbClient) SetLsCtSkipDstLportIPs(enabled bool) error {
 	return c.SetNbGlobalOptions("ls_ct_skip_dst_lport_ips", enabled)
 }
+
+func (c *OVNNbClient) SetNodeLocalDNSIP(nodeLocalDNSIP string) error {
+	if nodeLocalDNSIP != "" {
+		return c.SetNbGlobalOptions("node_local_dns_ip", nodeLocalDNSIP)
+	}
+
+	nbGlobal, err := c.GetNbGlobal()
+	if err != nil {
+		return fmt.Errorf("get nb global: %v", err)
+	}
+
+	options := make(map[string]string, len(nbGlobal.Options))
+	for k, v := range nbGlobal.Options {
+		options[k] = v
+	}
+
+	delete(options, "node_local_dns_ip")
+
+	nbGlobal.Options = options
+	if err := c.UpdateNbGlobal(nbGlobal, &nbGlobal.Options); err != nil {
+		return fmt.Errorf("remove option node_local_dns_ip failed , %v", err)
+	}
+
+	return nil
+}

pkg/ovs/ovn-nb_global.go

@@ -536,6 +536,14 @@ func CheckSystemCIDR(cidrs []string) error {
 	return nil
 }
 
+func CheckNodeDNSIP(nodeLocalDNSIP string) error {
+	if nodeLocalDNSIP != "" && !IsValidIP(nodeLocalDNSIP) {
+		err := fmt.Errorf("node dns ip %s is not valid ip", nodeLocalDNSIP)
+		return err
+	}
+	return nil
+}
+
 // GetExternalNetwork returns the external network name
 // if the external network is not specified, return the default external network name
 func GetExternalNetwork(externalNet string) string {