From d89b2819b69c1dced86acfd79bd6d780432dbc6a Mon Sep 17 00:00:00 2001
From: Hongliang Liu
Date: Fri, 18 Aug 2023 17:04:57 +0800
Subject: [PATCH] Set MTU of OVS ports for L7 NetworkPolicy at startup

The MTU of OVS ports for L7 NetworkPolicy should be set to the calculated MTU value according to traffic mode at every startup. For example, before this commit, assuming that feature gate L7NetworkPolicy is enabled in encap mode, then the OVS ports for L7 NetworkPolicy will be created and their MTU is 1420. If the traffic mode is changed to noEncap, the MTU of the OVS ports is still 1420. However, the MTU of Pods ports and Antrea local gateway port is 1500 right now. Besides, when creating the L7 NetworkPolicy ports for the first time in a Node, without specifying the MTU value, the minimum MTU value from all OVS ports will be used. From above, we can see that the MTU value might be smaller than the MTU calculated by Antrea which is used in Antrea local gateway port and Pod ports, which results in the unavailability of L7 NetworkPolicy if the size of packet is bigger than the value of L7 NetworkPolicy port MTU.

Signed-off-by: Hongliang Liu
---
 pkg/agent/agent_linux.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/pkg/agent/agent_linux.go b/pkg/agent/agent_linux.go
index a797c21349f..736a9a02cb1 100644
--- a/pkg/agent/agent_linux.go
+++ b/pkg/agent/agent_linux.go
@@ -358,13 +358,22 @@ func (i *Initializer) prepareL7NetworkPolicyInterfaces() error {
 	returnPort, _ := i.ifaceStore.GetInterfaceByName(config.L7NetworkPolicyReturnPortName)
 	i.l7NetworkPolicyConfig.TargetOFPort = uint32(targetPort.OFPort)
 	i.l7NetworkPolicyConfig.ReturnOFPort = uint32(returnPort.OFPort)
-	// Set the ports with no-flood to reject ARP flood packets.
+	// Set the ports with no-flood to reject ARP flood packets at every startup.
 	if err := i.ovsCtlClient.SetPortNoFlood(int(targetPort.OFPort)); err != nil {
 		return fmt.Errorf("failed to set port %s with no-flood config: %w", config.L7NetworkPolicyTargetPortName, err)
 	}
 	if err := i.ovsCtlClient.SetPortNoFlood(int(returnPort.OFPort)); err != nil {
 		return fmt.Errorf("failed to set port %s with no-flood config: %w", config.L7NetworkPolicyReturnPortName, err)
 	}
+	// Set MTU of the ports to the calculated MTU value at every startup.
+	// TODO(lhongliang): when MTU value is bigger than 32678(assuming page size is 4096), Suricata cannot start with these
+	// two ports.
+	if err := i.setInterfaceMTU(config.L7NetworkPolicyTargetPortName, i.networkConfig.InterfaceMTU); err != nil {
+		return err
+	}
+	if err := i.setInterfaceMTU(config.L7NetworkPolicyReturnPortName, i.networkConfig.InterfaceMTU); err != nil {
+		return err
+	}
 	return nil
 }
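Review bot: The two new `setInterfaceMTU` calls return the error bare, while the `SetPortNoFlood` calls directly above wrap theirs with the port name; since this error aborts agent startup, an operator will see a failure that names neither the L7 port nor the MTU value that was rejected. Unless `setInterfaceMTU` (defined outside this hunk) already includes the interface name, I would wrap both the same way, e.g. `return fmt.Errorf("failed to set port %s MTU to %d: %w", config.L7NetworkPolicyTargetPortName, i.networkConfig.InterfaceMTU, err)` and the equivalent for `config.L7NetworkPolicyReturnPortName`. The figure `32678` in the new TODO looks like a transposition of 32768 (8 × 4096); worth confirming against the actual Suricata limit before anyone turns it into a validation check. prepareL7NetworkPolicyInterfaces begins above this hunk.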