Match dstIP in Classifier to address windows promiscuous mode issue #6528
Conversation
|
/test-windows-e2e |
|
/test-windows-all |
|
/test-latest-all |
XinShuYang
force-pushed
the
windowsuplink
branch
from
5e6e462
to
6775c5e
Compare
|
/test-windows-all |
|
/test-windows-containerd-e2e |
|
/test-windows-containerd-conformance |
XinShuYang
changed the title
There was a problem hiding this comment.
I remember that we used to have a dedicated change trying to merge similar functions from pipeline_windows and pipeline_others into pipeline.go. So maybe we can think about introducing a mutateFunc in the the unique hostBridgeLocalFlows(), and provide different mutate implementations in the OS separate files?
XinShuYang
force-pushed
the
windowsuplink
branch
from
6775c5e
to
44c8595
Compare
|
promiscuous mode is usually enabled for debugging, can we add documentation for this case ! |
XinShuYang
force-pushed
the
windowsuplink
branch
from
44c8595
to
a57d40c
Compare
On Windows, promiscuous mode is not enabled by Antrea. This patch is intended to enhance the pipeline by ensuring the packets destined for other nodes are not forwarded to the local port, which is also reasonable for the debugging purpose. |
|
/test-windows-containerd-e2e |
XinShuYang
force-pushed
the
windowsuplink
branch
from
a57d40c
to
ca6d857
Compare
Ok, When promiscuous mode is enabled, the interface ignores the MAC address filter and captures all network traffic it can see. Are we also considering to match in case destip is ipv6 ? what about linux case, this problem can be seen on linux as well ! |
Currently Windows doesn‘t support IPv6, and in Linux, since uplink port is not added to the bridge by default, we didn't find the same issue. |
XinShuYang
force-pushed
the
windowsuplink
branch
3 times, most recently
from
14f5066
to
c74ca81
Compare
Sure, added mutate function implementation, PTAL. |
XinShuYang
force-pushed
the
windowsuplink
branch
from
c74ca81
to
7d23f4c
Compare
| @@ -23,6 +23,12 @@ import ( | |||
| binding "antrea.io/antrea/pkg/ovs/openflow" | |||
| ) | |||
|
|
|||
| func (f *featurePodConnectivity) uplinkMatchMutate(flowBuilder binding.FlowBuilder) binding.FlowBuilder { | |||
There was a problem hiding this comment.
Add some comments here to explain why we need this mutate function?
There was a problem hiding this comment.
Sure, comments updated.
XinShuYang
force-pushed
the
windowsuplink
branch
from
7d23f4c
to
c3ec381
Compare
Hi @antoninbas I double checked and found that my previous description of the root cause was inaccurate. The root cause is when promiscuous mode is enabled, the Windows uplink receives all packets on the network without destination MAC checks. According to the previous OVS pipeline, these packets are forwarded to the local host. Since br-int on Windows must have IP forwarding enabled to support features like NodePort, these unrelated packets are sent back to br-int according to the default route (during this process, their source MAC is changed to the local machine's MAC). Then, again, these packets are forwarded to the uplink and leave the host according to the OVS pipeline. This result could affects the correct forwarding by the switch because it receives packets with incorrect source MAC. Given that we have to keep IP forwarding enabled on br-int, the fix is to add a filter to the existing uplink-to-local port rule. cc @wenyingd |
|
@XinShuYang do you know if the host interface is also in promiscuous mode? Otherwise I would expect the packet to be dropped after they are forwarded by OVS.
At least on Linux, I don't think the OS will do IP forwarding for packets with the wrong MAC, regardless of any promiscuous mode. Promiscuous mode allows a bridge to receive all packets regardless of their MAC address (useful to bridge VMs to a physical network), but the OS should still do a MAC check before IP / L3 forwarding. I could bd wrong though. |
Here is the result I got from powershell: This seems to indicate that even with promiscuous mode disabled on br-int, packets sent to it through the OVS pipeline will bypass the MAC check... BTW, in my vSphere lab network environment, the uplink interface always has promiscuous mode enabled, and only enabling promiscuous mode on the standard switch will send unrelated packets to the Windows host. |
pkg/agent/openflow/pipeline_other.go
Outdated
| @@ -25,6 +25,10 @@ import ( | |||
| binding "antrea.io/antrea/pkg/ovs/openflow" | |||
| ) | |||
|
|
|||
| func (f *featurePodConnectivity) matchUplinkInPort(flowBuilder binding.FlowBuilder) binding.FlowBuilder { | |||
| return flowBuilder | |||
There was a problem hiding this comment.
I think this comment means to update the function implementation like this,
func (f *featurePodConnectivity) matchUplinkInPort(flowBuilder binding.FlowBuilder) binding.FlowBuilder {
return flowBuilder.MatchInPort(f.uplinkPort)
}
And you shall remove line 2972 in pipeline.go
There was a problem hiding this comment.
I encountered error "antrea.io/antrea/pkg/ovs/openflow".FlowBuilder has no field or method matchUplinkInPort, is there a better way to add featurePodConnectivity in this function?
XinShuYang
force-pushed
the
windowsuplink
branch
from
6917edf
to
fcaeced
Compare
Ok
Yes, I imagine that promiscuous mode works a bit differently in a virtual environment with a virtual switch. It's still hard for me to understand why the Windows OS would do IP forwarding on arbitrary packets with an unknown MAC address. |
XinShuYang
force-pushed
the
windowsuplink
branch
2 times, most recently
from
66e9ffe
to
8b7cdc6
Compare
@antoninbas I can see the IP-to-MAC info in the ARP table for packets captured on br-int. Based on the behavior observed from Windows, it appears that packets indeed ignore MAC checks during IP forwarding. My guess is the Windows network stack completes the Layer 2 decapsulation before handling IP forwarding. When it decides to forward the packet back to br-int based on the default route, it encapsulates the packet with Layer 2 info, where the src MAC is the local host's MAC, and the dst MAC is the MAC maintained in the ARP table. |
|
/test-windows-all |
@antoninbas MatchInPort(f.uplinkPort) in podUplinkClassifierFlows is used for IPAM, which is a feature not currently supported by Windows. Another instance is in hostBridgeUplinkVLANFlows. Since the VLANTable is located after the Classifier in the pipeline, I also believe there is no need to modify the rules? |
luolanzone
added
the
area/OS/windows
|
@XinShuYang so this is actually a connection issue when the promiscuous mode is enabled on Windows, right? |
|
@XinShuYang got it, then maybe we should update the method name again, to something more specific such as @luolanzone sounds good to me. We can also backport as needed, there is very little risk involved with this change IMO. |
When promiscuous mode is enabled, OVS incorrectly forwards packets destined for non-local IP addresses from the uplink to the host interface. Due to IP forwarding being enabled, these packets are re-sent to br-int according to the default route and are eventually forwarded to the uplink. Since the source MAC of these packets has been changed to the local host’s MAC, this can potentially cause errors on the switch. This patch matches dstIP field in ClassifierTable to ensure proper packet handling and preventing unintended forwarding. Signed-off-by: Shuyang Xin <[email protected]>
XinShuYang
force-pushed
the
windowsuplink
branch
from
8b7cdc6
to
22a3163
Compare
Sure, code updated. |
|
/test-windows-all |
|
Hi @antoninbas , windows CI passed, can we merged this PR? |
antoninbas
added
the
action/release-note
When promiscuous mode is enabled, OVS incorrectly forwards packets destined for
non-local IP addresses from the uplink to the host interface. Due to IP forwarding
being enabled, these packets are re-sent to br-int according to the default route
and are eventually forwarded to the uplink. Since the source MAC of these packets
has been changed to the local host’s MAC, this can potentially cause errors on the switch.
This patch matches dstIP field in ClassifierTable to ensure proper packet handling
and preventing unintended forwarding.