ICMP Rule with NodeLatencyMonitor

This PR provides the solution to an edge case with NodeLatencyMonitor, where the feature does not work if ICMP queries are blocked by default. To fix this, an iptable rule will be added if NodeLatencyMonitor is enabled, such that ICMP requests via the Antrea gateway will be allowed. Fixes issue #6952 Signed-off-by: Dhruv-J <dhruvj@vmware.com>
antrea-io · Feb 20, 2025 · 8441520 · 8441520
1 parent b7f650d
commit 8441520
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 7 deletions.
diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml
@@ -4078,7 +4078,7 @@ data:
     #  L7FlowExporter: false
 
     # Enable NodeLatencyMonitor to monitor the latency between Nodes.
-    #  NodeLatencyMonitor: false
+      NodeLatencyMonitor: true
 
     # Allow users to initiate BGP process on selected Kubernetes Nodes and advertise Service IPs, Pod IPs and Egress IPs to
     # remote BGP peers.

diff --git a/cmd/antrea-agent/agent.go b/cmd/antrea-agent/agent.go
@@ -154,6 +154,8 @@ func run(o *Options) error {
 	enableBridgingMode := enableAntreaIPAM && o.config.EnableBridgingMode
 	l7NetworkPolicyEnabled := features.DefaultFeatureGate.Enabled(features.L7NetworkPolicy)
 	nodeNetworkPolicyEnabled := features.DefaultFeatureGate.Enabled(features.NodeNetworkPolicy)
+	klog.Infof("DBUG: featuregates: %v", o.config.FeatureGates[string(features.NodeLatencyMonitor)])
+	nodeLatencyMonitorEnabled := o.config.FeatureGates[string(features.NodeLatencyMonitor)]
 	l7FlowExporterEnabled := features.DefaultFeatureGate.Enabled(features.L7FlowExporter)
 	enableMulticlusterGW := features.DefaultFeatureGate.Enabled(features.Multicluster) && o.config.Multicluster.EnableGateway
 	_, multiclusterEncryptionMode := config.GetTrafficEncryptionModeFromStr(o.config.Multicluster.TrafficEncryptionMode)
@@ -241,6 +243,7 @@ func run(o *Options) error {
 		o.config.AntreaProxy.ProxyAll,
 		connectUplinkToBridge,
 		nodeNetworkPolicyEnabled,
+		nodeLatencyMonitorEnabled,
 		multicastEnabled,
 		o.config.SNATFullyRandomPorts,
 		*o.config.Egress.SNATFullyRandomPorts,
@@ -295,6 +298,7 @@ func run(o *Options) error {
 	}
 
 	// Initialize agent and node network.
+	klog.Infof("DBUG: before initialization: %v", routeClient)
 	agentInitializer := agent.NewInitializer(
 		k8sClient,
 		crdClient,

diff --git a/pkg/agent/monitortool/monitor.go b/pkg/agent/monitortool/monitor.go
@@ -183,6 +183,7 @@ func (m *NodeLatencyMonitor) onNodeDelete(obj interface{}) {
 
 // onNodeLatencyMonitorAdd is the event handler for adding NodeLatencyMonitor.
 func (m *NodeLatencyMonitor) onNodeLatencyMonitorAdd(obj interface{}) {
+	// TODO maybe add the change here
 	nlm := obj.(*v1alpha1.NodeLatencyMonitor)
 	klog.V(4).InfoS("NodeLatencyMonitor added", "NodeLatencyMonitor", klog.KObj(nlm))
 

diff --git a/pkg/agent/route/route_linux.go b/pkg/agent/route/route_linux.go
@@ -122,12 +122,13 @@ type Client struct {
 	// markToSNATIP caches marks to SNAT IPs. It's used in Egress feature.
 	markToSNATIP sync.Map
 	// iptablesInitialized is used to notify when iptables initialization is done.
-	iptablesInitialized      chan struct{}
-	proxyAll                 bool
-	connectUplinkToBridge    bool
-	multicastEnabled         bool
-	isCloudEKS               bool
-	nodeNetworkPolicyEnabled bool
+	iptablesInitialized       chan struct{}
+	proxyAll                  bool
+	connectUplinkToBridge     bool
+	multicastEnabled          bool
+	isCloudEKS                bool
+	nodeNetworkPolicyEnabled  bool
+	nodeLatencyMonitorEnabled bool
 	// serviceRoutes caches ip routes about Services.
 	serviceRoutes sync.Map
 	// serviceExternalIPReferences tracks the references of Service IP. The key is the Service IP and the value is
@@ -170,6 +171,7 @@ func NewClient(networkConfig *config.NetworkConfig,
 	proxyAll bool,
 	connectUplinkToBridge bool,
 	nodeNetworkPolicyEnabled bool,
+	nodeLatencyMonitorEnabled bool,
 	multicastEnabled bool,
 	nodeSNATRandomFully bool,
 	egressSNATRandomFully bool,
@@ -679,6 +681,11 @@ func (c *Client) syncIPTables() error {
 		jumpRules = append(jumpRules, jumpRule{iptables.FilterTable, iptables.InputChain, antreaInputChain, "Antrea: jump to Antrea input rules", false})
 		jumpRules = append(jumpRules, jumpRule{iptables.FilterTable, iptables.OutputChain, antreaOutputChain, "Antrea: jump to Antrea output rules", false})
 	}
+	// TODO add jumprules for icmp if nodeLatencyMonitorEnabled is true
+	klog.Infof("DBUG: latency monitor enabled: %v", c.nodeLatencyMonitorEnabled)
+	if c.nodeLatencyMonitorEnabled {
+		klog.InfoS("DBUG: NODE LATENCY MONITOR ENABLED")
+	}
 	for _, rule := range jumpRules {
 		if err := c.iptables.EnsureChain(ipProtocol, rule.table, rule.dstChain); err != nil {
 			return err