Set MTU of OVS ports for L7 NetworkPolicy at startup
The MTU of OVS ports for L7 NetworkPolicy should be set to the
calculated MTU value according to traffic mode at every startup.
For example, before this commit, assuming that feature gate
L7NetworkPolicy is enabled in encap mode, then the OVS ports for
L7 NetworkPolicy will be created and their MTU is 1420. If the
traffic mode is changed to noEncap, the MTU of the OVS ports is
still 1420. However, the MTU of Pod ports and the Antrea local gateway
port is 1500 right now. Besides, when creating the L7 NetworkPolicy
ports for the first time on a Node, without specifying the MTU value,
the minimum MTU value from all OVS ports will be used.

From the above, we can see that the MTU value might be smaller than the
MTU calculated by Antrea, which is used for the Antrea local gateway port
and Pod ports, which results in the unavailability of L7 NetworkPolicy
if the packet size is bigger than the value of the L7 NetworkPolicy port
MTU.

Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
hongliangl committed Aug 28, 2023
1 parent e04c95c commit d89b281
Showing 1 changed file with 10 additions and 1 deletion.
11 changes: 10 additions & 1 deletion pkg/agent/agent_linux.go
Expand Up @@ -358,13 +358,22 @@ func (i *Initializer) prepareL7NetworkPolicyInterfaces() error {
returnPort, _ := i.ifaceStore.GetInterfaceByName(config.L7NetworkPolicyReturnPortName)
i.l7NetworkPolicyConfig.TargetOFPort = uint32(targetPort.OFPort)
i.l7NetworkPolicyConfig.ReturnOFPort = uint32(returnPort.OFPort)
// Set the ports with no-flood to reject ARP flood packets.
// Set the ports with no-flood to reject ARP flood packets at every startup.
if err := i.ovsCtlClient.SetPortNoFlood(int(targetPort.OFPort)); err != nil {
return fmt.Errorf("failed to set port %s with no-flood config: %w", config.L7NetworkPolicyTargetPortName, err)
}
if err := i.ovsCtlClient.SetPortNoFlood(int(returnPort.OFPort)); err != nil {
return fmt.Errorf("failed to set port %s with no-flood config: %w", config.L7NetworkPolicyReturnPortName, err)
}
// Set MTU of the ports to the calculated MTU value at every startup.
// TODO(lhongliang): when MTU value is bigger than 32678(assuming page size is 4096), Suricata cannot start with these
// two ports.
if err := i.setInterfaceMTU(config.L7NetworkPolicyTargetPortName, i.networkConfig.InterfaceMTU); err != nil {
return err
}
if err := i.setInterfaceMTU(config.L7NetworkPolicyReturnPortName, i.networkConfig.InterfaceMTU); err != nil {
return err
}

return nil
}
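Review bot: the two new setInterfaceMTU calls return the error bare, whereas the SetPortNoFlood calls directly above wrap theirs with the port name; for consistency and easier troubleshooting, wrap these too, e.g. `return fmt.Errorf("failed to set MTU of port %s: %w", config.L7NetworkPolicyTargetPortName, err)`. The new TODO also records that Suricata cannot start when the MTU exceeds 32678 (presumably 32768 was meant, given the "page size is 4096" remark), yet nothing in the hunk guards against such a value; consider at least logging a warning when i.networkConfig.InterfaceMTU exceeds that limit, and correct the number in the comment if it is a typo.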

0 comments on commit d89b281