From 4740a2a22d8a0b22f567847884656a8647d5d993 Mon Sep 17 00:00:00 2001
From: Hongliang Liu
Date: Fri, 18 Aug 2023 17:04:57 +0800
Subject: [PATCH] Set MTU of OVS ports for L7 NetworkPolicy at startup

The MTU of OVS ports for L7 NetworkPolicy should be set to the calculated MTU value according to traffic mode at every startup. For example, before this commit, assuming that feature gate L7NetworkPolicy is enabled in encap mode, then the OVS ports for L7 NetworkPolicy will be created and their MTU is 1420. If the traffic mode is changed to noEncap, the MTU of the OVS ports is still 1420. However, the MTU of Pods ports and Antrea local gateway port is 1500 right now. Besides, when creating the L7 NetworkPolicy ports for the first time in a Node, without specifying the MTU value, the minimum MTU value from all OVS ports will be used. From above, we can see that the MTU value might be smaller than the MTU calculated by Antrea which is used in Antrea local gateway port and Pod ports, which results in the unavailability of L7 NetworkPolicy if the size of packet is bigger than the value of L7 NetworkPolicy port MTU.

Signed-off-by: Hongliang Liu
---
 pkg/agent/agent_linux.go | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/pkg/agent/agent_linux.go b/pkg/agent/agent_linux.go
index a797c21349f..28cd00500c0 100644
--- a/pkg/agent/agent_linux.go
+++ b/pkg/agent/agent_linux.go
@@ -43,6 +43,8 @@ func (i *Initializer) prepareHostNetwork() error {
 	return nil
 }
 
+const maxMTUSupportedBySuricata = 32678
+
 // prepareOVSBridgeForK8sNode returns immediately on Linux if connectUplinkToBridge is false.
 func (i *Initializer) prepareOVSBridgeForK8sNode() error {
 	if !i.connectUplinkToBridge {
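Review bot: The value of the new constant `maxMTUSupportedBySuricata = 32678` does not fit its own rationale: the comment added with it in the second hunk derives the limit from a 4096-byte page size, and 32678 is neither a power of two nor a multiple of 4096, whereas 8 × 4096 = 32768 is, so this looks like a transposed digit. Please confirm the number against Suricata's af-packet ring sizing before merging; with the wrong value the later MTU check either fires spuriously or stays silent for MTUs the engine actually rejects. The constant also carries no doc comment, and its meaning lives only in a comment inside another function; I would add `// maxMTUSupportedBySuricata is the largest interface MTU the L7 NetworkPolicy engine (Suricata) accepts; it assumes a 4096-byte page size, so re-derive it if that assumption changes.` directly above it. Both neighbouring functions extend outside the hunk.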
@@ -358,13 +360,26 @@ func (i *Initializer) prepareL7NetworkPolicyInterfaces() error {
 	returnPort, _ := i.ifaceStore.GetInterfaceByName(config.L7NetworkPolicyReturnPortName)
 	i.l7NetworkPolicyConfig.TargetOFPort = uint32(targetPort.OFPort)
 	i.l7NetworkPolicyConfig.ReturnOFPort = uint32(returnPort.OFPort)
-	// Set the ports with no-flood to reject ARP flood packets.
+	// Set the ports with no-flood to reject ARP flood packets at every startup.
 	if err := i.ovsCtlClient.SetPortNoFlood(int(targetPort.OFPort)); err != nil {
 		return fmt.Errorf("failed to set port %s with no-flood config: %w", config.L7NetworkPolicyTargetPortName, err)
 	}
 	if err := i.ovsCtlClient.SetPortNoFlood(int(returnPort.OFPort)); err != nil {
 		return fmt.Errorf("failed to set port %s with no-flood config: %w", config.L7NetworkPolicyReturnPortName, err)
 	}
+	// Set MTU of the ports to the calculated MTU value at every startup.
+	if err := i.setInterfaceMTU(config.L7NetworkPolicyTargetPortName, i.networkConfig.InterfaceMTU); err != nil {
+		return err
+	}
+	if err := i.setInterfaceMTU(config.L7NetworkPolicyReturnPortName, i.networkConfig.InterfaceMTU); err != nil {
+		return err
+	}
+	// Currently, the maximum of MTU supported by L7 NetworkPolicy engine Suricata is 32678 (assuming that the page size
+	// is 4096). If the calculated MTU value is greater than 32678, Suricata will start.
+	if i.networkConfig.InterfaceMTU > maxMTUSupportedBySuricata {
+		klog.ErrorS(fmt.Errorf("L7 NetworkPolicy engine Suricata will not start since the calculated MTU is greater than %d", maxMTUSupportedBySuricata),
+			fmt.Sprintf("The maximum of MTU supported by Suricata is %d", maxMTUSupportedBySuricata))
+	}
 	return nil
 }
 
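Review bot: The MTU guard at the end of the hunk only logs and then returns nil, so agent startup succeeds and the L7 NetworkPolicy target and return ports stay configured even though the new comment says Suricata will not start in that case; whether traffic matched by L7 rules is then dropped or forwarded is decided outside this hunk, but either way the only signal is one log line. If failing the agent is too harsh because the feature is gated, at least log it structurally instead of wrapping a Sprintf in a synthetic error: `klog.ErrorS(nil, "Calculated MTU exceeds the maximum supported by the L7 NetworkPolicy engine Suricata, which will not start", "mtu", i.networkConfig.InterfaceMTU, "maxMTU", maxMTUSupportedBySuricata)`. The second line of the new comment drops a word and states the opposite of what the check means; change it to `// is 4096). If the calculated MTU value is greater than 32678, Suricata will not start.`. The two `return err` after `setInterfaceMTU` hand back the helper's error unwrapped, unlike the no-flood errors just above; unless `setInterfaceMTU` already names the interface, wrap them as `return fmt.Errorf("failed to set MTU of port %s: %w", config.L7NetworkPolicyTargetPortName, err)` (and likewise for the return port). prepareL7NetworkPolicyInterfaces starts before the hunk, where targetPort is declared.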