Fix the issue of local probe bypassing flows on Windows #3510
Conversation
hongliangl
force-pushed
the
fix-bypassing-local-probe-flows
branch
from
3cb947c to
863b6ba
Compare
Codecov Report
@@ Coverage Diff @@
## main #3510 +/- ##
==========================================
- Coverage 64.66% 57.41% -7.25%
==========================================
Files 278 392 +114
Lines 39363 54837 +15474
==========================================
+ Hits 25454 31485 +6031
- Misses 11939 20906 +8967
- Partials 1970 2446 +476
Flags with carried forward coverage won't be shown. Click here to find out more.
|
pkg/agent/openflow/pipeline.go
Outdated
| Cookie(cookieID). | ||
| MatchProtocol(ipProtocol). | ||
| MatchSrcIP(gatewayIP). | ||
| Action().GotoStage(stageConntrack). | ||
| MatchSrcIP(gatewayIP) |
There was a problem hiding this comment.
From my side, I would prefer to match gw port as the in_port or match the fromSource reg instead of gatewayIP, because ingress stage is after post routing stage, I am not sure if SNAT is taken for no Service IP in future. Matching in_port or source reg is more compatible.
There was a problem hiding this comment.
For request packets of non-Service connections, FromGatewayRegMark && NotServiceCTMark -> stageConntrack
- ✅ client is the local Node, destination is a local Pod
- ❎ client is a remote Pod or remote Node, destination is a local Pod (Windows noEncap mode, remote traffic from remote Pod CIDR is sent to local Pod CIDR via Antrea gateway, not uplink)
I think the packets of the second case should not bypass ingress rules.
There was a problem hiding this comment.
You remind me, we should add state -rpl+trk to avoid impact on reply packets , since reply packets are possible to goto Metric table for statistics collection.
There was a problem hiding this comment.
Thanks, updated.
hongliangl
force-pushed
the
fix-bypassing-local-probe-flows
branch
from
863b6ba to
a43fdc9
Compare
|
/test-all-features-conformance |
|
/test-windows-conformance |
|
/test-multicluster-e2e |
hongliangl
force-pushed
the
fix-bypassing-local-probe-flows
branch
from
a43fdc9 to
8ccc892
Compare
|
/test-all-features-conformance |
|
/test-integration |
|
/test-integration |
|
/test-flexible-ipam-e2e |
|
/test-integration |
1 similar comment
|
/test-integration |
|
You need to fix the integration test:
|
hongliangl
force-pushed
the
fix-bypassing-local-probe-flows
branch
from
8ccc892 to
9c6558f
Compare
|
/test-multicluster-e2e |
|
/test-ipv6-only-e2e |
|
/test-ipv6-e2e |
Fixed, and I think there is something wrong with test ipv6-e2e and multicluster-e2e since other PRs always get failed for these two tests. |
|
/test-e2e |
|
/test-networkpolicy |
|
/test-e2e |
1 similar comment
|
/test-e2e |
hongliangl
added
the
action/release-note
|
/test-e2e |
hongliangl
force-pushed
the
fix-bypassing-local-probe-flows
branch
from
3153e42 to
23560c1
Compare
When proxyAll is enabled, kube-proxy can be replaced by AntreaProxy, then Service traffic and non-Service traffic can be distinguished by ServiceCTMark and NotServiceCTMark. Service traffic with ServiceCTMark should not bypass Network Policies, and non-Service traffic generated by kubelet with NotServiceCTMark should bypass Network Policies. Signed-off-by: Hongliang Liu <[email protected]>
hongliangl
force-pushed
the
fix-bypassing-local-probe-flows
branch
from
23560c1 to
5fc6a24
Compare
|
/test-all-features-conformance |
|
/test-all-features-conformance |
|
/test-hw-offload |
|
/test-flexible-ipam-e2e |
|
/test-windows-networkpolicy |
|
/test-networkpolicy |
|
/test-networkpolicy |
1 similar comment
|
/test-networkpolicy |
| // a local gateway IP to bypass Network Policies. See https://github.com/antrea-io/antrea/issues/280. | ||
| // TODO: Fix it after replacing kube-proxy with AntreaProxy. | ||
| func (f *featurePodConnectivity) localProbeFlow() []binding.Flow { | ||
| // When proxyAll is disabled, the probe packets are identified by matching the source IP is the Antrea gateway IP; |
When proxyAll is enabled, kube-proxy can be replaced by AntreaProxy, then
Service traffic and non-Service traffic can be distinguished by ServiceCTMark
and NotServiceCTMark. Service traffic with ServiceCTMark should not bypass
Network Policies, and non-Service traffic generated by kubelet with
NotServiceCTMark should bypass Network Policies.
This PR also fixes the issue that the reply packets of Pod -> local Antrea gateway
bypasses EgressMetricTable.
Signed-off-by: Hongliang Liu [email protected]