Fix Pod-to-external traffic on EKS in policyOnly mode

[antoninbas]

When using Antrea in policyOnly mode on an EKS cluster, an additional
iptables rule is needed in the PREROUTING chain of the nat table. The
rule ensures that Pod-to-external traffic coming from Pods whose IP
address comes from a secondary network interface (secondary ENI) is
marked correctly, so that it hits the appropriate routing table. Without
this, traffic is SNATed with the source IP address of the primary
network interface, while being sent out of the secondary network
interface, causing the VPC to drop the traffic.

Relevant rules (before the fix):

-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -i eni+ -m comment --comment "AWS, outbound connections" -m state --state NEW -j AWS-CONNMARK-CHAIN-0
-A PREROUTING -m comment --comment "AWS, CONNMARK" -j CONNMARK --restore-mark --nfmask 0x80 --ctmask 0x80
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A POSTROUTING -m comment --comment "AWS SNAT CHAIN" -j AWS-SNAT-CHAIN-0
-A POSTROUTING -m comment --comment "Antrea: jump to Antrea postrouting rules" -j ANTREA-POSTROUTING
-A ANTREA-POSTROUTING -o antrea-gw0 -m comment --comment "Antrea: masquerade LOCAL traffic" -m addrtype ! --src-type LOCAL --limit-iface-out -m addrtype --src-type LOCAL -j MASQUERADE --random-fully
-A AWS-CONNMARK-CHAIN-0 ! -d 192.168.0.0/16 -m comment --comment "AWS CONNMARK CHAIN, VPC CIDR" -j AWS-CONNMARK-CHAIN-1
-A AWS-CONNMARK-CHAIN-1 -m comment --comment "AWS, CONNMARK" -j CONNMARK --set-xmark 0x80/0x80
-A AWS-SNAT-CHAIN-0 ! -d 192.168.0.0/16 -m comment --comment "AWS SNAT CHAIN" -j AWS-SNAT-CHAIN-1
-A AWS-SNAT-CHAIN-1 ! -o vlan+ -m comment --comment "AWS, SNAT" -m addrtype ! --dst-type LOCAL -j SNAT --to-source 192.168.18.153 --random-fully

0:	from all lookup local
512:	from all to 192.168.29.56 lookup main
512:	from all to 192.168.24.134 lookup main
512:	from all to 192.168.31.135 lookup main
512:	from all to 192.168.31.223 lookup main
512:	from all to 192.168.29.27 lookup main
512:	from all to 192.168.16.158 lookup main
512:	from all to 192.168.2.135 lookup main
1024:	from all fwmark 0x80/0x80 lookup main
1536:	from 192.168.31.223 lookup 2
1536:	from 192.168.29.27 lookup 2
1536:	from 192.168.16.158 lookup 2
1536:	from 192.168.2.135 lookup 2
32766:	from all lookup main
32767:	from all lookup default

default via 192.168.0.1 dev eth1
192.168.0.1 dev eth1 scope link

The fix is to add new PREROUTING rules, in the ANTREA-PREROUTING chain:

-A ANTREA-PREROUTING -i antrea-gw0 -m comment --comment "Antrea: AWS, outbound connections" -j AWS-CONNMARK-CHAIN-0
-A ANTREA-PREROUTING -m comment --comment "Antrea: AWS, CONNMARK (first packet)" -j CONNMARK --restore-mark --nfmask 0x80 --ctmask 0x80

Fixes #3946

Signed-off-by: Antonin Bas abas@vmware.com

[codecov-commenter]

Codecov Report

Merging #3975 (200197a) into main (f022dd8) will increase coverage by 3.22%.
The diff coverage is 37.93%.

@@            Coverage Diff             @@
##             main    #3975      +/-   ##
==========================================
+ Coverage   61.65%   64.88%   +3.22%     
==========================================
  Files         295      295              
  Lines       43740    44115     +375     
==========================================
+ Hits        26968    28623    +1655     
+ Misses      14538    13192    -1346     
- Partials     2234     2300      +66     

Flag	Coverage Δ
e2e-tests	41.19% <25.86%> (?)
kind-e2e-tests	51.45% <37.93%> (+6.66%)	⬆️
unit-tests	44.31% <0.00%> (+0.02%)	⬆️

Impacted Files	Coverage Δ
pkg/agent/route/route_linux.go	48.30% <36.84%> (+20.20%)	⬆️
pkg/agent/util/iptables/iptables.go	43.52% <100.00%> (ø)
pkg/agent/nodeportlocal/k8s/annotations.go	84.44% <0.00%> (-15.56%)	⬇️
pkg/apiserver/handlers/endpoint/handler.go	56.52% <0.00%> (-13.05%)	⬇️
pkg/agent/controller/networkpolicy/reconciler.go	69.26% <0.00%> (+0.36%)	⬆️
pkg/agent/controller/egress/egress_controller.go	73.93% <0.00%> (+0.51%)	⬆️
pkg/ipam/ipallocator/allocator.go	88.02% <0.00%> (+0.52%)	⬆️
pkg/controller/ipam/validate.go	80.32% <0.00%> (+0.54%)	⬆️
...ntroller/networkpolicy/networkpolicy_controller.go	73.29% <0.00%> (+0.60%)	⬆️
pkg/agent/multicluster/mc_route_controller.go	52.27% <0.00%> (+1.13%)	⬆️
... and 53 more

[tnqn]

LGTM, one question

[tnqn]

Does it have NodePort IPv6 case? If yes, is the rule still needed for IPv6, otherwise reverse path may be different?

[antoninbas]

yes, I think you're right. This one should always be installed.
Note that we don't test Antrea on EKS with IPv6 enabled, so there may be other issues, but I'll fix that one.

[antoninbas]

Actually scratch that. The AWS rules are only installed for IPv4: https://github.com/aws/amazon-vpc-cni-k8s/blob/d43309bdfdb5034df86907944e682d78608ba165/pkg/networkutils/network.go#L402-L418. Not entirely sure why, but I would think that routing is configured differently for IPv6, and these rules are not needed.

[antoninbas]

There is this comment:

		//Essentially a stub function for now in V6 mode. We will need it when we support v6 in secondary IP and
		//custom networking modes. We don't need to install any SNAT rules in v6 mode and currently there is no need
		//to mark packets entering via Primary ENI as all the pods in v6 mode will be behind primary ENI. Will have to
		//start doing that once we start supporting custom networking mode in v6.

So that explains why there is no need for the rule: only the primary ENI is used, with no secondary route table.

[tnqn]

got it, thanks

[tnqn]

Is this still true? I didn't find this code.

[antoninbas]

This is part of the TODO paragraph. We don't implement this as the moment, we assume that aws-node (the AWS DaemonSet) is running with default configuration, which is likely to be the case for 99% of users.

[antoninbas]

@tnqn feel free to merge this if you're ok with the change. The EKS CI test is passing for this PR.

[antoninbas]

/test-all