Skip to content

Instantly share code, notes, and snippets.

View trozet's full-sized avatar

Tim Rozet trozet

34 followers · 4 following
View GitHub Profile
@trozet
trozet / sbdb.rs
Created December 9, 2025 17:44
sbdb.rs
use std::collections::HashSet;
use std::net::IpAddr;
use once_cell::sync::Lazy;
use proxy_wasm::traits::*;
use proxy_wasm::types::*;
use serde::Deserialize;
use serde_json::Value;
static DEFAULT_ALLOWED_IPS: Lazy<HashSet<IpAddr>> = Lazy::new(HashSet::new);
@trozet
trozet / subnets_update.md
Last active November 14, 2025 21:11
feature interaction for okep to extend UDN with multiple subnets

Features Interaction with adding extra Subnets to a UDN

Egress Firewall

Whenever an IP block is provided as match criteria for Egress Firewall, we calculate if it overlaps with the current pod subnet. If so, then we add an exclusion match criteria to the ACL to ensure east/west traffic is not affected by the firewall. Today when a NAD changes, a handleNetworkEvent callback is made from the NAD Controller to the Egress Firewall controller. This callback causes any Egress Firewall in the NAD namespace to be reconciled. This should force the ACLs to be regenerated if the new subnet overlaps with the IP Block in the Egress Firewall.

@trozet
trozet / gist:447663b8df6316db27ae8a217484ea9b
Created October 30, 2025 19:27
host->nodeport udn same node
[root@ovn-worker2 ~]# ovs-appctl ofproto/trace breth0 in_port=LOCAL,dl_src=66:a6:bc:8d:62:3f,dl_dst=0a:58:a9:fe:00:04,tcp,tp_dst=80,nw_dst=10.96.134.186,nw_src=172.18.0.2,nw_ttl=25
Flow: tcp,in_port=LOCAL,vlan_tci=0x0000,dl_src=66:a6:bc:8d:62:3f,dl_dst=0a:58:a9:fe:00:04,nw_src=172.18.0.2,nw_dst=10.96.134.186,nw_tos=0,nw_ecn=0,nw_ttl=25,nw_frag=no,tp_src=0,tp_dst=80,tcp_flags=0
bridge("breth0")
----------------
0. ip,in_port=LOCAL,nw_dst=10.96.0.0/16, priority 500, cookie 0xdeff105
ct(commit,table=2,zone=64001,nat(src=169.254.0.2))
nat(src=169.254.0.2)
-> A clone of the packet is forked to recirculate. The forked pipeline will be resumed at table 2.
-> Sets the packet to an untracked state, and clears all the conntrack fields.
@trozet
trozet / benchmark_label_test.go
Created August 22, 2025 14:16
benchmark annotation vs label parsing
package trustzone
import (
"encoding/json"
"testing"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
)
@trozet
trozet / combined_filter.xml
Created April 25, 2025 21:34
<?xml version="1.0" encoding="utf-8"?>
<ItemFilter xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<name>Combined Warlock and Warpath Filter</name>
<filterIcon>0</filterIcon>
<filterIconColor>0</filterIconColor>
<description>Combined filter for Chthonic Fissure Warlock and Warpath Void Knight</description>
<lastModifiedInVersion>1.0.0.4</lastModifiedInVersion>
<lootFilterVersion>0</lootFilterVersion>
<rules>
<!-- Base rule to hide all items -->
@trozet
trozet / gist:ce52ac04afb0f78636af4def56947699
Created March 18, 2025 18:53
tcpdump ovnk pod -> nodeport, ETP=local on server side
root@ovn-worker2 ~]# tcpdump -i any 'port 80 or port 30973' -nneev
tcpdump: WARNING: any: That device doesn't support promiscuous mode
(Promiscuous mode not supported on the "any" device)
dropped privs to tcpdump
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
18:51:34.072883 genev_sys_6081 P ifindex 8 0a:58:64:58:00:03 ethertype IPv4 (0x0800), length 80: (tos 0x0, ttl 63, id 17095, offset 0, flags [DF], proto TCP (6), length 60)
10.244.0.3.45952 > 172.18.0.2.30973: Flags [S], cksum 0x3355 (correct), seq 800905722, win 65280, options [mss 1360,sackOK,TS val 1346754696 ecr 0,nop,wscale 7], length 0
18:51:34.073256 ovn-k8s-mp0 In ifindex 6 0a:58:0a:f4:01:01 ethertype IPv4 (0x0800), length 80: (tos 0x0, ttl 62, id 17095, offset 0, flags [DF], proto TCP (6), length 60)
10.244.0.3.45952 > 172.18.0.2.30973: Flags [S], cksum 0x3355 (correct), seq 800905722, win 65280, options [mss 1360,sackOK,TS val 1346754696 ecr 0,nop,wscale 7], length 0
18:51:34.073271 ov
@trozet
trozet / gist:3319bc7369b3959e0135018c5e96ce4f
Created March 17, 2025 21:09
reroute to other node via ovn drop
[root@ovn-worker ~]# ovn-trace --ct new ovn-worker 'inport == "k8s-ovn-worker" && eth.src == 0a:58:0a:f4:02:02 && eth.dst == 0a:58:0a:f4:02:01 && tcp && ip4.src==172.18.0.2 && ip4.dst==172.18.0.4 && ip.ttl==64 && tcp.dst==31470'
# tcp,reg14=0x2,vlan_tci=0x0000,dl_src=0a:58:0a:f4:02:02,dl_dst=0a:58:0a:f4:02:01,nw_src=172.18.0.2,nw_dst=172.18.0.4,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=0,tp_dst=31470,tcp_flags=0
ingress(dp="ovn-worker", inport="k8s-ovn-worker")
-------------------------------------------------
0. ls_in_check_port_sec (northd.c:9433): 1, priority 50, uuid 9c2358e2
reg0[15] = check_in_port_sec();
next;
4. ls_in_pre_acl (northd.c:6168): ip, priority 100, uuid 5c6ff985
reg0[0] = 1;
@trozet
trozet / gist:dcbfc48d7ae797f48f1477132217b31b
Created March 12, 2025 19:32
reply geneve drop
[root@ovn-worker ~]# ovn-trace --ct est,rpl b780a060-63b0-4a7b-a6c2-17dbd58a8ab5 'inport == "tstor-ovn-worker2" && eth.src == 0a:58:64:58:00:02 && eth.dst== 0a:58:64:58:00:03 && tcp && ip4.src==10.244.1.3 && ip4.dst==10.244.2.3 && ip.ttl==64 && tcp.dst==23453'
2025-03-12T19:25:22Z|00001|ovntrace|WARN|ct.new && ip4.dst == ^NODEIP_IPv4_1 && tcp.dst == 31844: parsing expression failed
2025-03-12T19:25:22Z|00002|ovntrace|WARN|ct.new && ip4.dst == ^NODEIP_IPv4_1 && tcp.dst == 31844: parsing expression failed (Syntax error at end of input expecting constant.)
2025-03-12T19:25:22Z|00003|ovntrace|WARN|reg0[2] == 1 && ip4.dst == ^NODEIP_IPv4_1 && udp.dst == 31411: parsing expression failed
2025-03-12T19:25:22Z|00004|ovntrace|WARN|reg0[2] == 1 && ip4.dst == ^NODEIP_IPv4_1 && udp.dst == 31411: parsing expression failed (Syntax error at end of input expecting constant.)
2025-03-12T19:25:22Z|00005|ovntrace|WARN|reg0[2] == 1 && ip4.dst == ^NODEIP_IPv4_0 && tcp.dst == 31844: parsing expression failed
2025-03-12T19:25:22
@trozet
trozet / gist:c16c425177b73bb9c901ff1f52688779
Created March 11, 2025 21:10
FRR +OVNK e2e
Load Balancer Service Tests with MetalLB Should ensure load balancer service works with 0 node ports when ETP=local
[root@ovn-worker ~]# tcpdump -i eth0 port 80 -nnnee
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
21:01:32.057015 8e:42:7f:b8:b0:07 > ea:0f:f1:82:32:59, ethertype IPv4 (0x0800), length 74: 172.22.0.3.46846 > 192.168.10.0.80: Flags [S], seq 808250019, win 64240, options [mss 1460,sackOK,TS val 1440740773 ecr 0,nop,wscale 7], length 0
21:01:32.059769 ea:0f:f1:82:32:59 > 7a:92:3c:cc:69:3a, ethertype IPv4 (0x0800), length 74: 192.168.10.0.80 > 172.22.0.3.46846: Flags [S.], seq 1401975101, ack 808250020, win 64704, options [mss 1360,sackOK,TS val 2702500104 ecr 1440740773,nop,wscale 7], length 0
21:01:33.105162 8e:42:7f:b8:b0:07 > ea:0f:f1:82:32:59, ethertype IPv4 (0x0800), length 74: 172.22.0.3.46846 > 192.168.10.0.80: Flags [S], seq 808250019, win 64240, options [mss 14
@trozet
trozet / gist:f77046b60869b01e6ba312aa50aa5a52
Created November 25, 2024 15:09
[root@ovn-worker2 ~]# ovn-trace --ct new default.l3.primary_ovn-worker2 'inport == "default.l3.primary_default_client" && eth.src == 0a:58:0a:14:02:04 && eth.dst==0a:58:0a:14:02:01 && tcp && ip4.src==10.20.2.4 && ip4.dst==10.20.1.3 && ip.ttl==64 && tcp.dst==80'
# tcp,reg14=0x3,vlan_tci=0x0000,dl_src=0a:58:0a:14:02:04,dl_dst=0a:58:0a:14:02:01,nw_src=10.20.2.4,nw_dst=10.20.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=0,tp_dst=80,tcp_flags=0
ingress(dp="default.l3.primary_ovn-worker2", inport="default.l3.primary_default_client")
----------------------------------------------------------------------------------------
0. ls_in_check_port_sec (northd.c:9432): 1, priority 50, uuid 8816ec3d
reg0[15] = check_in_port_sec();
next;
4. ls_in_pre_acl (northd.c:6167): ip, priority 100, uuid ebc0eec1
reg0[0] = 1;