Support sending IPFIX flow records for Antrea flow exporter

build/images/ipfixcollector/Dockerfile

@@ -0,0 +1,20 @@
+FROM ubuntu:18.04
+
+LABEL maintainer="Antrea <projectantrea-dev@googlegroups.com>"
+LABEL description="A Docker image based on Ubuntu 18.04 which contains a simple IPFIX collector to run flow exporter tests"
+
+WORKDIR /ipfix
+
+ADD https://svwh.dl.sourceforge.net/project/libipfix/libipfix/libipfix-impd4e_110224.tgz .
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends libc6-dev build-essential libpcap0.8-dev && \
+    tar -xvf libipfix-* && rm libipfix-* && \
+    cd libipfix_* && ./configure && make && make install && ldconfig && \
+    cp collector/ipfix_collector /usr/local/bin && \
+    cd .. && \
+    rm -rf libipfix_* && \
+    apt-get remove -y build-essential && \
+    rm -rf /var/cache/apt/* /var/lib/apt/lists/*
+
+ENTRYPOINT "ipfix_collector"

build/images/ipfixcollector/README.md

@@ -0,0 +1,17 @@
+# images/ipfixcollector
+
+This Docker image is based on Ubuntu 18.04 which includes an IPFIX collector based on [libipfix](http://libipfix.sourceforge.net/), a C library.
+In this image, IPFIX collector listening on tcp:4739 port.
+
+libipfix package is downloaded from https://svwh.dl.sourceforge.net/project/libipfix/libipfix/libipfix-impd4e_110224.tgz
+
+New version of the image can be built and pushed to Dockerhub using following instructions:
+
+```bash
+cd build/images/ipfixcollector
+docker build -t antrea/ipfixcollector:latest .
+docker push antrea/ipfixcollector:latest
+```
+
+The `docker push` command will fail if you do not have permission to push to the
+`antrea` Dockerhub repository.

build/yamls/antrea-aks.yml

@@ -722,6 +722,21 @@ data:
 
     # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
     #enablePrometheusMetrics: false
+
+    # Provide flow collector address as string with format <IP>:<port>[:<proto>], where proto is tcp or udp. This also enables
+    # the flow exporter that sends IPFIX flow records of conntrack flows on OVS bridge. If no L4 transport proto is given,
+    # we consider tcp as default.
+    #flowCollectorAddr: ""
+
+    # Provide flow poll interval as a duration string. This determines how often the flow exporter dumps connections from the conntrack module.
+    # Flow poll interval should be greater than or equal to 1s (one second).
+    # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+    #flowPollInterval: "5s"
+
+    # Provide flow export frequency, which is the number of poll cycles elapsed before flow exporter exports flow records to
+    # the flow collector.
+    # Flow export frequency should be greater than or equal to 1.
+    #flowExportFrequency: 12
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -770,7 +785,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-24f6gdd4fb
+  name: antrea-config-62554ht95b
   namespace: kube-system
 ---
 apiVersion: v1
@@ -876,7 +891,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-24f6gdd4fb
+          name: antrea-config-62554ht95b
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1091,7 +1106,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-24f6gdd4fb
+          name: antrea-config-62554ht95b
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-eks.yml

@@ -722,6 +722,21 @@ data:
 
     # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
     #enablePrometheusMetrics: false
+
+    # Provide flow collector address as string with format <IP>:<port>[:<proto>], where proto is tcp or udp. This also enables
+    # the flow exporter that sends IPFIX flow records of conntrack flows on OVS bridge. If no L4 transport proto is given,
+    # we consider tcp as default.
+    #flowCollectorAddr: ""
+
+    # Provide flow poll interval as a duration string. This determines how often the flow exporter dumps connections from the conntrack module.
+    # Flow poll interval should be greater than or equal to 1s (one second).
+    # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+    #flowPollInterval: "5s"
+
+    # Provide flow export frequency, which is the number of poll cycles elapsed before flow exporter exports flow records to
+    # the flow collector.
+    # Flow export frequency should be greater than or equal to 1.
+    #flowExportFrequency: 12
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -770,7 +785,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-24f6gdd4fb
+  name: antrea-config-62554ht95b
   namespace: kube-system
 ---
 apiVersion: v1
@@ -876,7 +891,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-24f6gdd4fb
+          name: antrea-config-62554ht95b
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1093,7 +1108,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-24f6gdd4fb
+          name: antrea-config-62554ht95b
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-gke.yml

@@ -722,6 +722,21 @@ data:
 
     # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
     #enablePrometheusMetrics: false
+
+    # Provide flow collector address as string with format <IP>:<port>[:<proto>], where proto is tcp or udp. This also enables
+    # the flow exporter that sends IPFIX flow records of conntrack flows on OVS bridge. If no L4 transport proto is given,
+    # we consider tcp as default.
+    #flowCollectorAddr: ""
+
+    # Provide flow poll interval as a duration string. This determines how often the flow exporter dumps connections from the conntrack module.
+    # Flow poll interval should be greater than or equal to 1s (one second).
+    # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+    #flowPollInterval: "5s"
+
+    # Provide flow export frequency, which is the number of poll cycles elapsed before flow exporter exports flow records to
+    # the flow collector.
+    # Flow export frequency should be greater than or equal to 1.
+    #flowExportFrequency: 12
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -770,7 +785,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-8gtt9dfdgg
+  name: antrea-config-9gt8khtcth
   namespace: kube-system
 ---
 apiVersion: v1
@@ -876,7 +891,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-8gtt9dfdgg
+          name: antrea-config-9gt8khtcth
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1091,7 +1106,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-8gtt9dfdgg
+          name: antrea-config-9gt8khtcth
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-ipsec.yml

@@ -722,6 +722,21 @@ data:
 
     # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
     #enablePrometheusMetrics: false
+
+    # Provide flow collector address as string with format <IP>:<port>[:<proto>], where proto is tcp or udp. This also enables
+    # the flow exporter that sends IPFIX flow records of conntrack flows on OVS bridge. If no L4 transport proto is given,
+    # we consider tcp as default.
+    #flowCollectorAddr: ""
+
+    # Provide flow poll interval as a duration string. This determines how often the flow exporter dumps connections from the conntrack module.
+    # Flow poll interval should be greater than or equal to 1s (one second).
+    # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+    #flowPollInterval: "5s"
+
+    # Provide flow export frequency, which is the number of poll cycles elapsed before flow exporter exports flow records to
+    # the flow collector.
+    # Flow export frequency should be greater than or equal to 1.
+    #flowExportFrequency: 12
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -770,7 +785,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-76fcd44cth
+  name: antrea-config-gf96hhfdg8
   namespace: kube-system
 ---
 apiVersion: v1
@@ -885,7 +900,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-76fcd44cth
+          name: antrea-config-gf96hhfdg8
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1135,7 +1150,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-76fcd44cth
+          name: antrea-config-gf96hhfdg8
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea.yml

@@ -722,6 +722,21 @@ data:
 
     # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
     #enablePrometheusMetrics: false
+
+    # Provide flow collector address as string with format <IP>:<port>[:<proto>], where proto is tcp or udp. This also enables
+    # the flow exporter that sends IPFIX flow records of conntrack flows on OVS bridge. If no L4 transport proto is given,
+    # we consider tcp as default.
+    #flowCollectorAddr: ""
+
+    # Provide flow poll interval as a duration string. This determines how often the flow exporter dumps connections from the conntrack module.
+    # Flow poll interval should be greater than or equal to 1s (one second).
+    # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+    #flowPollInterval: "5s"
+
+    # Provide flow export frequency, which is the number of poll cycles elapsed before flow exporter exports flow records to
+    # the flow collector.
+    # Flow export frequency should be greater than or equal to 1.
+    #flowExportFrequency: 12
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -770,7 +785,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-c6467gmm8c
+  name: antrea-config-mk822kf995
   namespace: kube-system
 ---
 apiVersion: v1
@@ -876,7 +891,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-c6467gmm8c
+          name: antrea-config-mk822kf995
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1091,7 +1106,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-c6467gmm8c
+          name: antrea-config-mk822kf995
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/base/conf/antrea-agent.conf

@@ -60,3 +60,18 @@ featureGates:
 
 # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
 #enablePrometheusMetrics: false
+
+# Provide flow collector address as string with format <IP>:<port>[:<proto>], where proto is tcp or udp. This also enables
+# the flow exporter that sends IPFIX flow records of conntrack flows on OVS bridge. If no L4 transport proto is given,
+# we consider tcp as default.
+#flowCollectorAddr: ""
+
+# Provide flow poll interval as a duration string. This determines how often the flow exporter dumps connections from the conntrack module.
+# Flow poll interval should be greater than or equal to 1s (one second).
+# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+#flowPollInterval: "5s"
+
+# Provide flow export frequency, which is the number of poll cycles elapsed before flow exporter exports flow records to
+# the flow collector.
+# Flow export frequency should be greater than or equal to 1.
+#flowExportFrequency: 12

cmd/antrea-agent/agent.go

@@ -19,6 +19,7 @@ import (
 	"net"
 	"time"
 
+	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/informers"
 	"k8s.io/klog/v2"
 
@@ -31,6 +32,8 @@ import (
 	"github.com/vmware-tanzu/antrea/pkg/agent/controller/noderoute"
 	"github.com/vmware-tanzu/antrea/pkg/agent/controller/traceflow"
 	"github.com/vmware-tanzu/antrea/pkg/agent/flowexporter/connections"
+	"github.com/vmware-tanzu/antrea/pkg/agent/flowexporter/exporter"
+	"github.com/vmware-tanzu/antrea/pkg/agent/flowexporter/flowrecords"
 	"github.com/vmware-tanzu/antrea/pkg/agent/interfacestore"
 	"github.com/vmware-tanzu/antrea/pkg/agent/metrics"
 	"github.com/vmware-tanzu/antrea/pkg/agent/openflow"
@@ -234,11 +237,20 @@ func run(o *Options) error {
 	if features.DefaultFeatureGate.Enabled(features.Traceflow) {
 		go ofClient.StartPacketInHandler(stopCh)
 	}
-	// Create connection store that polls conntrack flows with a given polling interval.
+
+	// Initialize flow exporter to start go routines to poll conntrack flows and export IPFIX flow records
 	if features.DefaultFeatureGate.Enabled(features.FlowExporter) {
-		ctDumper := connections.NewConnTrackDumper(nodeConfig, serviceCIDRNet, connections.NewConnTrackInterfacer())
-		connStore := connections.NewConnectionStore(ctDumper, ifaceStore)
-		go connStore.Run(stopCh)
+		connStore := connections.NewConnectionStore(
+			connections.InitializeConnTrackDumper(nodeConfig, serviceCIDRNet, agentQuerier.GetOVSCtlClient(), o.config.OVSDatapathType),
+			ifaceStore,
+			o.pollInterval)
+		pollDone := make(chan struct{})
+		go connStore.Run(stopCh, pollDone)
+
+		flowExporter := exporter.NewFlowExporter(
+			flowrecords.NewFlowRecords(connStore),
+			o.config.FlowExportFrequency)
+		go wait.Until(func() { flowExporter.Export(o.flowCollector, stopCh, pollDone) }, 0, stopCh)
 	}
 
 	<-stopCh

cmd/antrea-agent/config.go

@@ -86,4 +86,18 @@ type AgentConfig struct {
 	// Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener
 	// Defaults to false.
 	EnablePrometheusMetrics bool `yaml:"enablePrometheusMetrics,omitempty"`
+	// Provide the flow collector address as string with format <IP>:<port>[:<proto>], where proto is tcp or udp. This also
+	// enables the flow exporter that sends IPFIX flow records of conntrack flows on OVS bridge. If no L4 transport proto
+	// is given, we consider tcp as default.
+	// Defaults to "".
+	FlowCollectorAddr string `yaml:"flowCollectorAddr,omitempty"`
+	// Provide flow poll interval in format "0s". This determines how often flow exporter dumps connections in conntrack module.
+	// Flow poll interval should be greater than or equal to 1s(one second).
+	// Defaults to "5s". Follow the time units of duration.
+	FlowPollInterval string `yaml:"flowPollInterval,omitempty"`
+	// Provide flow export frequency, which is the number of poll cycles elapsed before flow exporter exports flow records to
+	// the flow collector.
+	// Flow export frequency should be greater than or equal to 1.
+	// Defaults to "12".
+	FlowExportFrequency uint `yaml:"flowExportFrequency,omitempty"`
 }