openstack/octavia
Code Issues Proposed changes

Merge "Disable conntrack for TCP flows in the amphora"

Browse Source
This commit is contained in:
Zuul
2021-09-15 10:36:34 +00:00
committed by Gerrit Code Review
parent 6455173cf0 b3f59eeb73
commit b8ddbc94a1
2 changed files with 33 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
elements/amphora-agent/static/usr/local/bin/lvs-masquerade.sh
View File

@@ -38,12 +38,21 @@ if [ "$1" == "add" ]; then
nft add rule ip octavia-ipv4 ip-udp-masq oifname "$3" meta l4proto udp masquerade nft add rule ip octavia-ipv4 ip-udp-masq oifname "$3" meta l4proto udp masquerade
nft add chain ip octavia-ipv4 ip-sctp-masq { type nat hook postrouting priority 100\;} nft add chain ip octavia-ipv4 ip-sctp-masq { type nat hook postrouting priority 100\;}
nft add rule ip octavia-ipv4 ip-sctp-masq oifname "$3" meta l4proto sctp masquerade nft add rule ip octavia-ipv4 ip-sctp-masq oifname "$3" meta l4proto sctp masquerade
nft add chain ip octavia-ipv4 prerouting { type filter hook prerouting priority -300 \; }
nft add rule ip octavia-ipv4 prerouting iifname "$3" meta l4proto tcp notrack
nft add chain ip octavia-ipv4 output { type filter hook output priority -300 \; }
nft add rule ip octavia-ipv4 output oifname "$3" meta l4proto tcp notrack
elif [ "$2" == "ipv6" ]; then elif [ "$2" == "ipv6" ]; then
nft add table ip6 octavia-ipv6 nft add table ip6 octavia-ipv6
nft add chain ip6 octavia-ipv6 ip6-udp-masq { type nat hook postrouting priority 100\;} nft add chain ip6 octavia-ipv6 ip6-udp-masq { type nat hook postrouting priority 100\;}
nft add rule ip6 octavia-ipv6 ip6-udp-masq oifname "$3" meta l4proto udp masquerade nft add rule ip6 octavia-ipv6 ip6-udp-masq oifname "$3" meta l4proto udp masquerade
nft add chain ip6 octavia-ipv6 ip6-sctp-masq { type nat hook postrouting priority 100\;} nft add chain ip6 octavia-ipv6 ip6-sctp-masq { type nat hook postrouting priority 100\;}
nft add rule ip6 octavia-ipv6 ip6-sctp-masq oifname "$3" meta l4proto sctp masquerade nft add rule ip6 octavia-ipv6 ip6-sctp-masq oifname "$3" meta l4proto sctp masquerade
nft add chain ip6 octavia-ipv6 prerouting { type filter hook prerouting priority -300 \; }
nft add rule ip6 octavia-ipv6 prerouting iifname "$3" meta l4proto tcp notrack
nft add chain ip6 octavia-ipv6 output { type filter hook output priority -300 \; }
nft add rule ip6 octavia-ipv6 output oifname "$3" meta l4proto tcp notrack
else else
usage usage
fi fi
@@ -52,9 +61,15 @@ if [ "$1" == "add" ]; then
if [ "$2" == "ipv4" ]; then if [ "$2" == "ipv4" ]; then
/sbin/iptables -t nat -A POSTROUTING -p udp -o $3 -j MASQUERADE /sbin/iptables -t nat -A POSTROUTING -p udp -o $3 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -p sctp -o $3 -j MASQUERADE /sbin/iptables -t nat -A POSTROUTING -p sctp -o $3 -j MASQUERADE
/sbin/iptables -t raw -A PREROUTING -p tcp -i $3 -j NOTRACK
/sbin/iptables -t raw -A OUTPUT -p tcp -o $3 -j NOTRACK
elif [ "$2" == "ipv6" ]; then elif [ "$2" == "ipv6" ]; then
/sbin/ip6tables -t nat -A POSTROUTING -p udp -o $3 -j MASQUERADE /sbin/ip6tables -t nat -A POSTROUTING -p udp -o $3 -j MASQUERADE
/sbin/ip6tables -t nat -A POSTROUTING -p sctp -o $3 -j MASQUERADE /sbin/ip6tables -t nat -A POSTROUTING -p sctp -o $3 -j MASQUERADE
/sbin/ip6tables -t raw -A PREROUTING -p tcp -i $3 -j NOTRACK
/sbin/ip6tables -t raw -A OUTPUT -p tcp -o $3 -j NOTRACK
else else
usage usage
fi fi
@@ -68,11 +83,19 @@ elif [ "$1" == "delete" ]; then
nft delete chain ip octavia-ipv4 ip-udp-masq nft delete chain ip octavia-ipv4 ip-udp-masq
nft flush chain ip octavia-ipv4 ip-sctp-masq nft flush chain ip octavia-ipv4 ip-sctp-masq
nft delete chain ip octavia-ipv4 ip-sctp-masq nft delete chain ip octavia-ipv4 ip-sctp-masq
nft flush chain ip octavia-ipv4 prerouting
nft delete chain ip octavia-ipv4 prerouting
nft flush chain ip octavia-ipv4 output
nft delete chain ip octavia-ipv4 output
elif [ "$2" == "ipv6" ]; then elif [ "$2" == "ipv6" ]; then
nft flush chain ip6 octavia-ipv6 ip-udp-masq nft flush chain ip6 octavia-ipv6 ip-udp-masq
nft delete chain ip6 octavia-ipv6 ip-udp-masq nft delete chain ip6 octavia-ipv6 ip-udp-masq
nft flush chain ip6 octavia-ipv6 ip-sctp-masq nft flush chain ip6 octavia-ipv6 ip-sctp-masq
nft delete chain ip6 octavia-ipv6 ip-sctp-masq nft delete chain ip6 octavia-ipv6 ip-sctp-masq
nft flush chain ip6 octavia-ipv6 prerouting
nft delete chain ip6 octavia-ipv6 prerouting
nft flush chain ip6 octavia-ipv6 output
nft delete chain ip6 octavia-ipv6 output
else else
usage usage
fi fi
@@ -81,9 +104,13 @@ elif [ "$1" == "delete" ]; then
if [ "$2" == "ipv4" ]; then if [ "$2" == "ipv4" ]; then
/sbin/iptables -t nat -D POSTROUTING -p udp -o $3 -j MASQUERADE /sbin/iptables -t nat -D POSTROUTING -p udp -o $3 -j MASQUERADE
/sbin/iptables -t nat -D POSTROUTING -p sctp -o $3 -j MASQUERADE /sbin/iptables -t nat -D POSTROUTING -p sctp -o $3 -j MASQUERADE
/sbin/iptables -t raw -D PREROUTING -p tcp -i $3 -j NOTRACK
/sbin/iptables -t raw -D OUTPUT -p tcp -o $3 -j NOTRACK
elif [ "$2" == "ipv6" ]; then elif [ "$2" == "ipv6" ]; then
/sbin/ip6tables -t nat -D POSTROUTING -p udp -o $3 -j MASQUERADE /sbin/ip6tables -t nat -D POSTROUTING -p udp -o $3 -j MASQUERADE
/sbin/ip6tables -t nat -D POSTROUTING -p sctp -o $3 -j MASQUERADE /sbin/ip6tables -t nat -D POSTROUTING -p sctp -o $3 -j MASQUERADE
/sbin/ip6tables -t raw -D PREROUTING -p tcp -i $3 -j NOTRACK
/sbin/ip6tables -t raw -D OUTPUT -p tcp -o $3 -j NOTRACK
else else
usage usage
fi fi

6
releasenotes/notes/disable-conntrack-for-tcp-01ef6948d99353c2.yaml Normal file
View File

@@ -0,0 +1,6 @@
---
fixes:
- |
Disable conntrack for TCP flows in the Amphora, it reduces memory usage for
HAProxy-based listeners and prevents some kernel warnings about dropped
packets.