Remove invalid flow when WireGuard is enabled #5909

Merged

Conversation

antoninbas
Contributor

After merging #5885, the OVS tunnel port is no longer created when enabling WireGuard, as it is not being used. However, we were still trying to install flows referencing the tunnel port. Even though the port was non-existent, flow creation would succeed, but the condition matching on the tunnel port was being dropped silently. This would lead to invalid datapath behavior. We update the code to prevent installing these invalid flows when WireGuard is enabled.

Fixes #5905
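The failure mode the description points at, a flow whose in_port match names a port that is not on the bridge and therefore silently matches traffic from every port, is the kind of thing a fail-closed check can catch before anything is sent to OVS. The block below is an added example written for this page, not Antrea's code: the types `Flow`, `Bridge`, the constants for `trafficEncryptionMode`, and the functions `TunnelFlows`, `ValidateFlows` and `InstallTunnelFlows` are all hypothetical, and the bridge state is constructed inline. It shows both halves of the fix idea: build no tunnel flows at all when WireGuard is the encryption mode, and reject any batch that still references a port the bridge does not have.

```go
package main

import (
	"errors"
	"fmt"
)

// TrafficEncryptionMode mirrors the values of the trafficEncryptionMode
// config option visible in the manifest diff. The type and constants are
// this example's own, not Antrea's.
type TrafficEncryptionMode string

const (
	EncryptionNone      TrafficEncryptionMode = "none"
	EncryptionIPsec     TrafficEncryptionMode = "ipsec"
	EncryptionWireGuard TrafficEncryptionMode = "wireGuard"
)

// Flow is a minimal model of an OpenFlow rule: a name and an optional
// in_port match. OpenFlow port numbers start at 1, so InPort == 0 here
// means "no in_port match" (a convention of this example).
type Flow struct {
	Name   string
	InPort uint32
}

// Bridge models the OpenFlow ports that actually exist on the OVS bridge,
// keyed by OFPort number (hypothetical type).
type Bridge struct {
	Ports map[uint32]string
}

// ErrDanglingPort is returned when a flow matches on a port that is not on
// the bridge. Installing such a flow is the bug the PR describes: OVS accepts
// it, but the in_port condition is silently dropped, so the flow matches
// packets from every port, which is fail-open behaviour.
var ErrDanglingPort = errors.New("flow matches on a port that is not on the bridge")

// TunnelFlows returns the flows that reference the tunnel port for a given
// encryption mode. With WireGuard there is no OVS tunnel port (inter-Node
// traffic goes through the WireGuard device), so no tunnel flows are built.
func TunnelFlows(mode TrafficEncryptionMode, tunnelOFPort uint32) []Flow {
	if mode == EncryptionWireGuard {
		return nil
	}
	return []Flow{
		{Name: "classify-from-tunnel", InPort: tunnelOFPort},
		{Name: "l2-forward-to-tunnel"}, // output-only flow, no in_port match
	}
}

// ValidateFlows is the fail-closed check: every in_port match must name a
// port present on the bridge, otherwise the whole batch is rejected before
// any flow is sent to OVS.
func ValidateFlows(b *Bridge, flows []Flow) error {
	for _, f := range flows {
		if f.InPort == 0 {
			continue
		}
		if _, ok := b.Ports[f.InPort]; !ok {
			return fmt.Errorf("%w: flow %q references OFPort %d", ErrDanglingPort, f.Name, f.InPort)
		}
	}
	return nil
}

// InstallTunnelFlows builds the flows for the configured mode, validates them
// against the bridge, and only then returns the batch that would be installed.
func InstallTunnelFlows(b *Bridge, mode TrafficEncryptionMode, tunnelOFPort uint32) ([]Flow, error) {
	flows := TunnelFlows(mode, tunnelOFPort)
	if err := ValidateFlows(b, flows); err != nil {
		return nil, err
	}
	return flows, nil
}

func main() {
	// Constructed bridge state: gateway and one Pod port, no tunnel port,
	// which is what the bridge looks like once WireGuard is enabled.
	bridge := &Bridge{Ports: map[uint32]string{1: "antrea-gw0", 2: "pod-a"}}
	const tunnelOFPort = 3

	// A batch that references a port missing from the bridge is rejected
	// instead of being installed with a silently widened match.
	_, err := InstallTunnelFlows(bridge, EncryptionNone, tunnelOFPort)
	fmt.Println("none mode, no tunnel port:", err)

	// WireGuard mode builds no tunnel flows at all, so nothing to validate.
	flows, err := InstallTunnelFlows(bridge, EncryptionWireGuard, tunnelOFPort)
	fmt.Println("wireGuard mode:", len(flows), "flows, err:", err)

	// Encap mode with a real tunnel port passes validation.
	bridge.Ports[tunnelOFPort] = "antrea-tun0"
	flows, err = InstallTunnelFlows(bridge, EncryptionNone, tunnelOFPort)
	fmt.Println("none mode, tunnel port present:", len(flows), "flows, err:", err)
}
```

The point of `ValidateFlows` is that the check runs against the bridge's actual port table rather than against configuration: a flow that survives it cannot be installed with a match OVS will quietly discard, so a regression like the one in #5905 fails loudly at install time instead of showing up as wrong datapath behaviour.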

@antoninbas antoninbas force-pushed the remove-invalid-flow-when-wireguard-enabled branch from 59744d5 to 909d062 on January 24, 2024 05:10
@antoninbas antoninbas requested a review from tnqn January 24, 2024 05:11
@@ -1625,10 +1625,6 @@ func (c *client) InstallMulticlusterClassifierFlows(tunnelOFPort uint32, isGatew
c.featurePodConnectivity.l2ForwardCalcFlow(GlobalVirtualMACForMulticluster, tunnelOFPort),
}

if c.networkConfig.TrafficEncapMode != config.TrafficEncapModeEncap {
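Review bot: if the `if c.networkConfig.TrafficEncapMode != config.TrafficEncapModeEncap {` guard is dropped here, as the author's comment on it suggests, nothing left in this hunk stops `c.featurePodConnectivity.l2ForwardCalcFlow(GlobalVirtualMACForMulticluster, tunnelOFPort)` from being built for a tunnel port that does not exist; the reply says the guard now lives in pod_connectivity.go, but that file is not shown on this page, so either an explicit early return on a zero `tunnelOFPort` in `InstallMulticlusterClassifierFlows` or a one-line comment stating that callers guarantee a valid tunnel port would keep the invariant visible at the point the flow is built.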

@antoninbas antoninbas Jan 24, 2024

this should no longer be needed after the change to pod_connectivity.go

@antoninbas antoninbas force-pushed the remove-invalid-flow-when-wireguard-enabled branch from 909d062 to ef321d4 on January 24, 2024 06:13
@antoninbas
Contributor Author

/test-all
/test-ipv6-all

@antoninbas antoninbas force-pushed the remove-invalid-flow-when-wireguard-enabled branch from ef321d4 to 572920c on January 24, 2024 06:16
@@ -5692,7 +5692,7 @@ data:
# the PSK value must be passed to Antrea Agent through an environment
# variable: ANTREA_IPSEC_PSK.
# - wireGuard: Enable WireGuard for tunnel traffic encryption.
trafficEncryptionMode: "none"
trafficEncryptionMode: "wireGuard"
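Review bot: the change from `trafficEncryptionMode: "none"` to `trafficEncryptionMode: "wireGuard"` in this `data:` manifest block is a default-configuration change with no connection to the tunnel-flow fix; it should be reverted so the shipped default stays `"none"`, with WireGuard enabled in the test environment instead of in the manifest.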
Member

Is it for testing only?

Contributor Author

Oops, I committed all local changes when I addressed your comment above. Should be reverted now.

@antoninbas antoninbas force-pushed the remove-invalid-flow-when-wireguard-enabled branch from 572920c to 6e84cb6 on January 24, 2024 06:22
After merging antrea-io#5885, the OVS tunnel port is no longer created when
enabling WireGuard, as it is not being used. However, we were still
trying to install flows referencing the tunnel port. Even though the
port was non-existent, flow creation would succeed, but the condition
matching on the tunnel port was being dropped silently. This would lead
to invalid datapath behavior. We update the code to prevent installing
these invalid flows when WireGuard is enabled.

Fixes antrea-io#5905

Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
@antoninbas antoninbas force-pushed the remove-invalid-flow-when-wireguard-enabled branch from 6e84cb6 to b5d0b10 on January 24, 2024 06:23
Member

@tnqn tnqn left a comment

LGTM

@antoninbas
Contributor Author

/test-all
/test-ipv6-all

@tnqn
Member

tnqn commented Jan 24, 2024

TestTraceflow/testTraceflowIntraNode/traceflowGroupTest/intraNodeTraceflowIPv6 failed because the test itself is wrong, introduced by #5667. It seems we haven't run the IPv6 test since then.

=== NAME  TestTraceflow/testTraceflowIntraNode/traceflowGroupTest/intraNodeTraceflowIPv6
    traceflow_test.go:2535: Observations should be [{SpoofGuard  Forwarded      0    } {NetworkPolicy EgressRule Forwarded   K8sNetworkPolicy:testtraceflow-7kmgj1vz/test-networkpolicy-allow-all-egress   0    } {NetworkPolicy IngressDefaultRule Dropped   K8sNetworkPolicy:testtraceflow-7kmgj1vz/test-networkpolicy-allow-all-egress   0    }], but got [{SpoofGuard  Forwarded      0    } {NetworkPolicy EgressRule Forwarded   K8sNetworkPolicy:testtraceflow-7kmgj1vz/test-networkpolicy-allow-all-egress   0    } {NetworkPolicy IngressDefaultRule Dropped      0    }]

@tnqn
Member

tnqn commented Jan 24, 2024

/test-e2e

@tnqn
Member

tnqn commented Jan 24, 2024

/test-conformance
/test-networkpolicy

@tnqn
Member

tnqn commented Jan 24, 2024

/skip-conformance
/skip-networkpolicy

@tnqn tnqn merged commit ea1a54f into antrea-io:main Jan 24, 2024
50 of 56 checks passed
Successfully merging this pull request may close these issues.

Wireguard IPv6 connectivity issue in main branch