Set MTU of OVS ports for L7 NetworkPolicy at startup
The MTU of OVS ports for L7 NetworkPolicy should be set to the
calculated MTU value according to traffic mode at every startup.
For example, before this commit, assuming that feature gate
L7NetworkPolicy is enabled in encap mode, then the OVS ports for
L7 NetworkPolicy will be created and their MTU is 1420. If the
traffic mode is changed to noEncap, the MTU of the OVS ports is
still 1420. However, the MTU of Pod ports and the Antrea local gateway
port is 1500 right now. Besides, when creating the L7 NetworkPolicy
ports for the first time on a Node, without specifying the MTU value,
the minimum MTU value from all OVS ports will be used.

From the above, we can see that the MTU value might be smaller than the
MTU calculated by Antrea which is used for the Antrea local gateway port
and Pod ports, which results in the unavailability of L7 NetworkPolicy
if the packet size is bigger than the value of the L7 NetworkPolicy port
MTU.

Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
hongliangl committed Aug 28, 2023
1 parent e04c95c commit 0a42524
Showing 1 changed file with 16 additions and 1 deletion.
17 changes: 16 additions & 1 deletion pkg/agent/agent_linux.go
@@ -43,6 +43,8 @@ func (i *Initializer) prepareHostNetwork() error {
return nil
}

const maxMTUSupportedBySuricata = 32678

// prepareOVSBridgeForK8sNode returns immediately on Linux if connectUplinkToBridge is false.
func (i *Initializer) prepareOVSBridgeForK8sNode() error {
if !i.connectUplinkToBridge {
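Review bot: the new constant `maxMTUSupportedBySuricata = 32678` is declared without any comment on where the value comes from; the explanation (Suricata's limit assuming a 4096-byte page size) only appears inside prepareL7NetworkPolicyInterfaces in the next hunk. Move that explanation onto the declaration so readers of the constant see it, and confirm the number itself before merging: 32678 is one digit transposition away from 32768 (2^15), so it should be checked against Suricata's documented maximum.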
@@ -358,13 +360,26 @@ func (i *Initializer) prepareL7NetworkPolicyInterfaces() error {
returnPort, _ := i.ifaceStore.GetInterfaceByName(config.L7NetworkPolicyReturnPortName)
i.l7NetworkPolicyConfig.TargetOFPort = uint32(targetPort.OFPort)
i.l7NetworkPolicyConfig.ReturnOFPort = uint32(returnPort.OFPort)
// Set the ports with no-flood to reject ARP flood packets.
// Set the ports with no-flood to reject ARP flood packets at every startup.
if err := i.ovsCtlClient.SetPortNoFlood(int(targetPort.OFPort)); err != nil {
return fmt.Errorf("failed to set port %s with no-flood config: %w", config.L7NetworkPolicyTargetPortName, err)
}
if err := i.ovsCtlClient.SetPortNoFlood(int(returnPort.OFPort)); err != nil {
return fmt.Errorf("failed to set port %s with no-flood config: %w", config.L7NetworkPolicyReturnPortName, err)
}
// Set MTU of the ports to the calculated MTU value at every startup.
if err := i.setInterfaceMTU(config.L7NetworkPolicyTargetPortName, i.networkConfig.InterfaceMTU); err != nil {
return err
}
if err := i.setInterfaceMTU(config.L7NetworkPolicyReturnPortName, i.networkConfig.InterfaceMTU); err != nil {
return err
}
// Currently, the maximum of MTU supported by L7 NetworkPolicy engine Suricata is 32678 (assuming that the page size
// is 4096). If the calculated MTU value is greater than 32678, Suricata will start.
if i.networkConfig.InterfaceMTU > maxMTUSupportedBySuricata {
klog.ErrorS(fmt.Errorf("L7 NetworkPolicy engine Suricata will not start since the calculated MTU is greater than %d", maxMTUSupportedBySuricata),
fmt.Sprintf("The maxmum of MTU supported by Suricata is %d", maxMTUSupportedBySuricata))
}

return nil
}
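Review bot: the comment "If the calculated MTU value is greater than 32678, Suricata will start." says the opposite of what the log line beneath it reports ("Suricata will not start"); it should read "will not start". More importantly, when `i.networkConfig.InterfaceMTU > maxMTUSupportedBySuricata` the code only logs via `klog.ErrorS` and then falls through to `return nil`, so the agent continues with L7 NetworkPolicy ports configured but no engine able to enforce the policy; either return an error here so the condition is fatal, or state in the comment that startup deliberately continues and where the failure is surfaced. Minor points in the same block: "maxmum" in the log message should be "maximum", and the comment can refer to `maxMTUSupportedBySuricata` rather than repeating the literal 32678 twice, so the two cannot drift apart.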
