From 3cebf0538c82a2565428cdc3e983cc45f400f4c6 Mon Sep 17 00:00:00 2001
From: Hongliang Liu
Date: Fri, 18 Aug 2023 17:04:57 +0800
Subject: [PATCH] Set MTU of OVS ports for L7 NetworkPolicy at startup

The MTU of OVS ports for L7 NetworkPolicy should be set to the calculated MTU value according to traffic mode at every startup. For example, before this commit, assuming that feature gate L7NetworkPolicy is enabled in encap mode, then the OVS ports for L7 NetworkPolicy will be created and their MTU is 1420. If the traffic mode is changed to noEncap, the MTU of the OVS ports is still 1420. However, the MTU of Pods ports and Antrea local gateway port is 1500 right now. Besides, when creating the L7 NetworkPolicy ports for the first time in a Node, without specifying the MTU value, the minimum MTU value from all OVS ports will be used. From above, we can see that the MTU value might be smaller than the MTU calculated by Antrea which is used in Antrea local gateway port and Pod ports, which results in the unavailability of L7 NetworkPolicy if the size of packet is greater than the value of L7 NetworkPolicy port MTU.

Signed-off-by: Hongliang Liu
---
 pkg/agent/agent_linux.go | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/pkg/agent/agent_linux.go b/pkg/agent/agent_linux.go
index a797c21349f..55b8f4fb5df 100644
--- a/pkg/agent/agent_linux.go
+++ b/pkg/agent/agent_linux.go
@@ -43,6 +43,11 @@ func (i *Initializer) prepareHostNetwork() error {
 return nil
 }
 
+// Assuming a page cache of 4096, based on Suricata source code from L1752-L1798
+// at https://github.com/OISF/suricata/blob/49713ebaa0b8edb057d60f1cfe9126946645a848/src/source-af-packet.c#L1757C2-L1777C129.
+// The maximum supported MTU by Suricata is 32678 after calculation.
+const maxMTUSupportedBySuricata = 32678
+
 // prepareOVSBridgeForK8sNode returns immediately on Linux if connectUplinkToBridge is false.
 func (i *Initializer) prepareOVSBridgeForK8sNode() error {
 if !i.connectUplinkToBridge {
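Review bot: The new constant maxMTUSupportedBySuricata has no doc comment that starts with its name, and the note above it says "page cache of 4096" where the page size is meant; the same note cites L1752-L1798 in prose but the URL anchors L1757-L1777, so a reader cannot tell which range the figure comes from. Suggest `// maxMTUSupportedBySuricata is the largest interface MTU Suricata's af-packet source accepts with a 4096-byte page size; see source-af-packet.c (link below) for the frame-size arithmetic.` followed by the URL line and a one-line derivation of how 32678 is reached, since the value is close enough to 32768 that a reader may take it for a transposition. Because the limit depends on the page size, nodes with a larger page size presumably have a different ceiling; it would help to state in the comment that the value is only valid for 4096-byte pages so the later comparison is understood as advisory elsewhere.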
@@ -358,13 +363,25 @@ func (i *Initializer) prepareL7NetworkPolicyInterfaces() error {
 returnPort, _ := i.ifaceStore.GetInterfaceByName(config.L7NetworkPolicyReturnPortName)
 i.l7NetworkPolicyConfig.TargetOFPort = uint32(targetPort.OFPort)
 i.l7NetworkPolicyConfig.ReturnOFPort = uint32(returnPort.OFPort)
- // Set the ports with no-flood to reject ARP flood packets.
+ // Set the ports with no-flood to reject ARP flood packets at every startup.
 if err := i.ovsCtlClient.SetPortNoFlood(int(targetPort.OFPort)); err != nil {
 return fmt.Errorf("failed to set port %s with no-flood config: %w", config.L7NetworkPolicyTargetPortName, err)
 }
 if err := i.ovsCtlClient.SetPortNoFlood(int(returnPort.OFPort)); err != nil {
 return fmt.Errorf("failed to set port %s with no-flood config: %w", config.L7NetworkPolicyReturnPortName, err)
 }
+ // Set MTU of the ports to the calculated MTU value at every startup.
+ if err := i.setInterfaceMTU(config.L7NetworkPolicyTargetPortName, i.networkConfig.InterfaceMTU); err != nil {
+ return err
+ }
+ if err := i.setInterfaceMTU(config.L7NetworkPolicyReturnPortName, i.networkConfig.InterfaceMTU); err != nil {
+ return err
+ }
+ // Currently, the maximum of MTU supported by L7 NetworkPolicy engine Suricata is 32678 (assuming that the page size
+ // is 4096). If the calculated MTU value is greater than 32678, Suricata may fail to start.
+ if i.networkConfig.InterfaceMTU > maxMTUSupportedBySuricata {
+ klog.ErrorS(nil, "L7 NetworkPolicy engine Suricata may fail to start since the interface MTU is greater than the maximum MTU supported by Suricata", "interfaceMTU", i.networkConfig.InterfaceMTU, "maximumMTU", maxMTUSupportedBySuricata)
+ }
 return nil
 }
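Review bot: The MTU-limit check at the end of the hunk only logs at error level and then returns nil, so when the calculated MTU exceeds maxMTUSupportedBySuricata the agent starts as if L7 NetworkPolicy were usable while the engine that enforces it may never come up; that is a fail-open condition rather than a loud failure. Consider returning an error instead, `return fmt.Errorf("interface MTU %d is greater than the maximum MTU %d supported by Suricata", i.networkConfig.InterfaceMTU, maxMTUSupportedBySuricata)`, or, if startup must not be blocked, state in the comment that L7 enforcement is degraded in this state so operators know to alert on the log line. The two `return err` lines after setInterfaceMTU also drop the port name that the neighbouring SetPortNoFlood branches wrap in, e.g. `return fmt.Errorf("failed to set MTU of port %s: %w", config.L7NetworkPolicyTargetPortName, err)`, unless setInterfaceMTU already includes it. The body of prepareL7NetworkPolicyInterfaces starts before this hunk.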