From a57d40c94b8d5a712b793b9595309df75eead2b2 Mon Sep 17 00:00:00 2001
From: Shuyang Xin
Date: Wed, 17 Jul 2024 10:21:20 +0800
Subject: [PATCH] Match dstIP in Classifier to address windows promiscuous mode issue

When multiple VMs have duplicate MAC addresses and promiscuous mode is enabled, OVS incorrectly forwards packets destined for non-local IP addresses from the uplink to the host interface. This patch matches dstIP field in ClassifierTable to ensure proper packet handling and preventing unintended forwarding.

Signed-off-by: Shuyang Xin
---
 pkg/agent/openflow/pipeline.go | 19 -------------------
 pkg/agent/openflow/pipeline_other.go | 19 +++++++++++++++++++
 pkg/agent/openflow/pipeline_windows.go | 22 ++++++++++++++++++++++
 3 files changed, 41 insertions(+), 19 deletions(-)

diff --git a/pkg/agent/openflow/pipeline.go b/pkg/agent/openflow/pipeline.go
index b5f75df9327..bdb7464a2e3 100644
--- a/pkg/agent/openflow/pipeline.go
+++ b/pkg/agent/openflow/pipeline.go
@@ -2962,25 +2962,6 @@ func (f *featurePodConnectivity) l3FwdFlowToExternal() binding.Flow {
 Done()
 }
 
-// hostBridgeLocalFlows generates the flows to match the packets forwarded between bridge local port and uplink port.
-func (f *featurePodConnectivity) hostBridgeLocalFlows() []binding.Flow {
- cookieID := f.cookieAllocator.Request(f.category).Raw()
- return []binding.Flow{
- // This generates the flow to forward the packets from uplink port to bridge local port.
- ClassifierTable.ofTable.BuildFlow(priorityNormal).
- Cookie(cookieID).
- MatchInPort(f.uplinkPort).
- Action().Output(f.hostIfacePort).
- Done(),
- // This generates the flow to forward the packets from bridge local port to uplink port.
- ClassifierTable.ofTable.BuildFlow(priorityNormal).
- Cookie(cookieID).
- MatchInPort(f.hostIfacePort).
- Action().Output(f.uplinkPort).
- Done(),
- }
-}
-
 // hostBridgeUplinkVLANFlows generates the flows to match VLAN packets from uplink port.
 func (f *featurePodConnectivity) hostBridgeUplinkVLANFlows() []binding.Flow {
 vlanMask := uint16(openflow15.OFPVID_PRESENT)
diff --git a/pkg/agent/openflow/pipeline_other.go b/pkg/agent/openflow/pipeline_other.go
index 60459fba878..7846f6c9f6f 100644
--- a/pkg/agent/openflow/pipeline_other.go
+++ b/pkg/agent/openflow/pipeline_other.go
@@ -25,6 +25,25 @@ import (
 binding "antrea.io/antrea/pkg/ovs/openflow"
 )
 
+// hostBridgeLocalFlows generates the flows to match the packets forwarded between bridge local port and uplink port.
+func (f *featurePodConnectivity) hostBridgeLocalFlows() []binding.Flow {
+ cookieID := f.cookieAllocator.Request(f.category).Raw()
+ return []binding.Flow{
+ // This generates the flow to forward the packets from uplink port to bridge local port.
+ ClassifierTable.ofTable.BuildFlow(priorityNormal).
+ Cookie(cookieID).
+ MatchInPort(f.uplinkPort).
+ Action().Output(f.hostIfacePort).
+ Done(),
+ // This generates the flow to forward the packets from bridge local port to uplink port.
+ ClassifierTable.ofTable.BuildFlow(priorityNormal).
+ Cookie(cookieID).
+ MatchInPort(f.hostIfacePort).
+ Action().Output(f.uplinkPort).
+ Done(),
+ }
+}
+
 // hostBridgeUplinkFlows generates the flows that forward traffic between the bridge local port and the uplink port to
 // support the host traffic.
 // TODO(gran): sync latest changes from pipeline_windows.go
diff --git a/pkg/agent/openflow/pipeline_windows.go b/pkg/agent/openflow/pipeline_windows.go
index 2557d3f6ffb..4389e0c2fd8 100644
--- a/pkg/agent/openflow/pipeline_windows.go
+++ b/pkg/agent/openflow/pipeline_windows.go
@@ -23,6 +23,28 @@ import (
 binding "antrea.io/antrea/pkg/ovs/openflow"
 )
 
+// hostBridgeLocalFlows generates the flows to match the packets forwarded between bridge local port and uplink port.
+// IPAM is not currently supported on Windows, otherwise MatchDstMAC would need to be modified.
+func (f *featurePodConnectivity) hostBridgeLocalFlows() []binding.Flow {
+ cookieID := f.cookieAllocator.Request(f.category).Raw()
+ return []binding.Flow{
+ // This generates the flow to forward the packets from uplink port to bridge local port.
+ ClassifierTable.ofTable.BuildFlow(priorityNormal).
+ Cookie(cookieID).
+ MatchInPort(f.uplinkPort).
+ MatchProtocol(binding.ProtocolIP).
+ MatchDstIP(f.nodeConfig.NodeTransportIPv4Addr.IP).
+ Action().Output(f.hostIfacePort).
+ Done(),
+ // This generates the flow to forward the packets from bridge local port to uplink port.
+ ClassifierTable.ofTable.BuildFlow(priorityNormal).
+ Cookie(cookieID).
+ MatchInPort(f.hostIfacePort).
+ Action().Output(f.uplinkPort).
+ Done(),
+ }
+}
+
 // hostBridgeUplinkFlows generates the flows that forward traffic between the bridge local port and the uplink port to
 // support the host traffic with outside.
 func (f *featurePodConnectivity) hostBridgeUplinkFlows() []binding.Flow {
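Review bot: The header comment on hostBridgeLocalFlows, `// IPAM is not currently supported on Windows, otherwise MatchDstMAC would need to be modified.`, refers to a MatchDstMAC call that this function does not contain — the uplink-to-host flow narrows on `MatchProtocol(binding.ProtocolIP)` and `MatchDstIP(f.nodeConfig.NodeTransportIPv4Addr.IP)`, so a reader looking for the MAC match will not find it. I would reword it to state the actual restriction and its reason, e.g. `// Only IPv4 packets addressed to the Node's transport IP are forwarded from the uplink to the bridge local port; with duplicate MACs and promiscuous mode, an unrestricted in_port match leaked packets for non-local IPs to the host (see commit message).` That narrowing also means this flow no longer carries non-IP frames (ARP), IPv6, or IPv4 broadcast/multicast arriving on the uplink; if hostBridgeUplinkFlows (whose body lies outside the hunk) or other Classifier flows handle those, the comment should say so, and if not the gap is worth confirming before merging. The reverse flow from f.hostIfacePort remains unconditional, which matches the previous behavior.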