OCPBUGS-64771: Force Global IP forwarding for DPU host mode

Ensure DPU host nodes always use Global IP forwarding mode regardless
of cluster-wide configuration.

- Force ip_forwarding_mode="Global" for dpu-host mode
- Add comprehensive test cases for IP forwarding behavior
- Document DPU host IP forwarding requirements and rationale

DPU hosts require IP forwarding enabled to allow traffic flow between
management and data plane interfaces. This change ensures proper DPU
operation even when cluster-wide IPForwarding is set to Restricted.

Author: tsorya

README.md

@@ -167,7 +167,9 @@ OVN-Kubernetes supports specialized hardware deployments such as DPU (Data Proce
 - Multi-network policies and admin network policies
 - Network segmentation features
 
-This per-node feature enforcement is implemented through conditional logic in the startup scripts, allowing the same cluster configuration to work across heterogeneous node types. For detailed information about node modes and the technical implementation, see `docs/ovn_node_mode.md`.
+Additionally, **IP forwarding is always forced to Global mode** on DPU host nodes, regardless of the cluster-wide `IPForwarding` setting in `gatewayConfig`. This is required for DPU hosts to properly forward traffic across management and data plane interfaces.
+
+This per-node feature enforcement is implemented through conditional logic in the startup scripts, allowing the same cluster configuration to work across heterogeneous node types. For detailed information about node modes, IP forwarding behavior, and the technical implementation, see `docs/ovn_node_mode.md`.
 
 These configuration flags are only in the Operator configuration object.
 

bindata/network/ovn-kubernetes/common/008-script-lib.yaml

@@ -548,6 +548,9 @@ data:
       # enable multicast
       enable_multicast_flag="--enable-multicast"
 
+      # set ip_forwarding_mode to the value of IP_FORWARDING_MODE
+      ip_forwarding_mode="{{.IP_FORWARDING_MODE}}"
+
       # Use OVN_NODE_MODE environment variable, default to "full" if not set
       OVN_NODE_MODE=${OVN_NODE_MODE:-full}
       # We check only dpu-host mode and not smart-nic mode here as currently we do not support it yet
@@ -568,6 +571,28 @@ data:
 
         # disable multi-external-gateway for dpu-host mode as it is not supported
         multi_external_gateway_enable_flag=""
+
+        # Force ip_forwarding_mode to Global for dpu-host mode.
+        # DPU hosts require IP forwarding to be enabled at all times to allow proper 
+        # traffic flow between the host management interface and the DPU's data plane 
+        # interfaces. This overrides any cluster-wide IPForwarding configuration.
+        # See docs/ovn_node_mode.md for more details.
+        ip_forwarding_mode="Global"
+      fi
+
+      # If IP Forwarding mode is global set it in the host here. IPv6 IP Forwarding shuld be
+      # enabled for all interfaces at all times if cluster is configured as single stack IPv6
+      # or dual stack. This will be taken care by ovn-kubernetes(ovn-org/ovn-kubernetes#4376).
+      # Setting net.ipv6.conf.all.forwarding to '0' when ipForwarding is Restricted to make 
+      # sure IPv6 IP Forwarding is disabled when cluster is configured as single stack IPv4.
+      ip_forwarding_flag=
+      if [ ${ip_forwarding_mode} == "Global" ]; then
+        sysctl -w net.ipv4.ip_forward=1
+        sysctl -w net.ipv6.conf.all.forwarding=1
+      else
+        ip_forwarding_flag="--disable-forwarding"
+        sysctl -w net.ipv4.ip_forward=0
+        sysctl -w net.ipv6.conf.all.forwarding=0
       fi
 
       if [ "{{.OVN_GATEWAY_MODE}}" == "shared" ]; then
@@ -653,21 +678,6 @@ data:
         dns_name_resolver_enabled_flag="--enable-dns-name-resolver"
       fi
 
-      # If IP Forwarding mode is global set it in the host here. IPv6 IP Forwarding shuld be
-      # enabled for all interfaces at all times if cluster is configured as single stack IPv6
-      # or dual stack. This will be taken care by ovn-kubernetes(ovn-org/ovn-kubernetes#4376).
-      # Setting net.ipv6.conf.all.forwarding to '0' when ipForwarding is Restricted to make 
-      # sure IPv6 IP Forwarding is disabled when cluster is configured as single stack IPv4.
-      ip_forwarding_flag=
-      if [ "{{.IP_FORWARDING_MODE}}" == "Global" ]; then
-        sysctl -w net.ipv4.ip_forward=1
-        sysctl -w net.ipv6.conf.all.forwarding=1
-      else
-        ip_forwarding_flag="--disable-forwarding"
-        sysctl -w net.ipv4.ip_forward=0
-        sysctl -w net.ipv6.conf.all.forwarding=0
-      fi
-
       if [[ "{{.AdvertisedUDNIsolationMode}}" != "" ]]; then
         ovn_advertised_udn_isolation_mode_flag="--advertised-udn-isolation-mode={{.AdvertisedUDNIsolationMode}}"
       fi

docs/ovn_node_mode.md

@@ -24,6 +24,7 @@ This change introduces `OVN_NODE_MODE` as an environment variable injected into
   - `enable_multicast_flag=""` (disabled)
   - `egress_features_enable_flag=""` (egress IP and related features disabled)
   - `multi_external_gateway_enable_flag=""` (multi-external gateway disabled)
+  - `ip_forwarding_mode="Global"` (forced to Global to allow traffic forwarding across interfaces)
   - Multi-network, network segmentation, and multi-network policy/admin network policy are gated and not enabled in this mode.
 
 ### Manifests
@@ -87,6 +88,24 @@ The following table shows how cluster-wide configuration translates to per-node
   - Correct multi-network enablement logic (OVN_MULTI_NETWORK_ENABLE or OVN_NETWORK_SEGMENTATION_ENABLE)
 - Tests verify both positive cases (features enabled in full mode) and negative cases (features disabled in DPU host mode).
 
+### IP Forwarding Mode Behavior
+
+IP forwarding configuration is handled differently based on the node mode:
+
+#### Full Mode (default)
+- Respects the cluster-wide `IPForwarding` configuration from `gatewayConfig`
+- When set to `Global`: enables IP forwarding (`net.ipv4.ip_forward=1`, `net.ipv6.conf.all.forwarding=1`)
+- When set to `Restricted` or empty (default): disables IP forwarding and passes `--disable-forwarding` flag to ovnkube
+
+#### DPU Host Mode
+- **Always forces IP forwarding to `Global` mode**, regardless of cluster-wide configuration
+- This is required for DPU hosts to properly forward traffic across management and data plane interfaces
+- The script automatically overrides `ip_forwarding_mode="Global"` when `OVN_NODE_MODE="dpu-host"`
+- System-level IP forwarding is enabled: `net.ipv4.ip_forward=1` and `net.ipv6.conf.all.forwarding=1`
+- The `--disable-forwarding` flag is never passed to ovnkube on DPU host nodes
+
+**Rationale**: DPU hosts require IP forwarding to be enabled at all times to allow proper traffic flow between the host management interface and the DPU's data plane interfaces. Disabling IP forwarding on these nodes would break connectivity and prevent proper operation of the DPU hardware offload.
+
 ### Migration Notes
 
 When upgrading clusters that previously relied on ConfigMap-based feature control:
@@ -95,6 +114,7 @@ When upgrading clusters that previously relied on ConfigMap-based feature contro
 2. The startup scripts (both node and control-plane) now contain the authoritative feature enablement logic
 3. Control-plane components automatically enable all features (always run in "full" mode)
 4. DPU host nodes will automatically have incompatible features disabled regardless of previous ConfigMap settings
-5. No manual intervention is required - the migration is handled automatically during the upgrade process
+5. DPU host nodes will have IP forwarding forced to Global mode regardless of the cluster-wide `IPForwarding` setting
+6. No manual intervention is required - the migration is handled automatically during the upgrade process
 
 

pkg/network/ovn_kubernetes_test.go

@@ -4455,6 +4455,66 @@ func TestOVNKubernetesScriptLibCombined(t *testing.T) {
 			},
 			mustNotContain: []string{},
 		},
+		{
+			name: "dpu-host mode: IP forwarding forced to Global",
+			overrides: map[string]interface{}{
+				"OVN_NODE_MODE":        "dpu-host",
+				"IP_FORWARDING_MODE":   "", // Restricted/default
+			},
+			mustContain: []string{
+				"ip_forwarding_mode=\"Global\"",
+				"sysctl -w net.ipv4.ip_forward=1",
+				"sysctl -w net.ipv6.conf.all.forwarding=1",
+			},
+			mustNotContain: []string{
+				"ip_forwarding_flag=\"--disable-forwarding\"",
+				"sysctl -w net.ipv4.ip_forward=0",
+				"sysctl -w net.ipv6.conf.all.forwarding=0",
+			},
+		},
+		{
+			name: "dpu-host mode: IP forwarding Global even when template says Restricted",
+			overrides: map[string]interface{}{
+				"OVN_NODE_MODE":        "dpu-host",
+				"IP_FORWARDING_MODE":   "Restricted",
+			},
+			mustContain: []string{
+				"ip_forwarding_mode=\"Global\"",
+				"sysctl -w net.ipv4.ip_forward=1",
+				"sysctl -w net.ipv6.conf.all.forwarding=1",
+			},
+			mustNotContain: []string{
+				"ip_forwarding_flag=\"--disable-forwarding\"",
+			},
+		},
+		{
+			name: "full mode: IP forwarding Global when configured",
+			overrides: map[string]interface{}{
+				"OVN_NODE_MODE":        "full",
+				"IP_FORWARDING_MODE":   "Global",
+			},
+			mustContain: []string{
+				"ip_forwarding_mode=\"Global\"",
+				"sysctl -w net.ipv4.ip_forward=1",
+				"sysctl -w net.ipv6.conf.all.forwarding=1",
+			},
+			mustNotContain: []string{
+				"ip_forwarding_flag=\"--disable-forwarding\"",
+			},
+		},
+		{
+			name: "full mode: IP forwarding Restricted by default",
+			overrides: map[string]interface{}{
+				"OVN_NODE_MODE":        "full",
+				"IP_FORWARDING_MODE":   "",
+			},
+			mustContain: []string{
+				"ip_forwarding_flag=\"--disable-forwarding\"",
+				"sysctl -w net.ipv4.ip_forward=0",
+				"sysctl -w net.ipv6.conf.all.forwarding=0",
+			},
+			mustNotContain: []string{},
+		},
 	}
 
 	for _, tc := range testCases {