From 8441520d7d69096b9e2c4885481115c2310ecaff Mon Sep 17 00:00:00 2001 From: Dhruv-J Date: Thu, 20 Feb 2025 10:58:53 -0800 Subject: [PATCH] ICMP Rule with NodeLatencyMonitor This PR provides the solution to an edge case with NodeLatencyMonitor, where the feature does not work if ICMP queries are blocked by default. To fix this, an iptable rule will be added if NodeLatencyMonitor is enabled, such that ICMP requests via the Antrea gateway will be allowed. Fixes issue #6952 Signed-off-by: Dhruv-J --- build/yamls/antrea.yml | 2 +- cmd/antrea-agent/agent.go | 4 ++++ pkg/agent/monitortool/monitor.go | 1 + pkg/agent/route/route_linux.go | 19 +++++++++++++------ 4 files changed, 19 insertions(+), 7 deletions(-) diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml index 75ec209da0a..6197d2fec14 100644 --- a/build/yamls/antrea.yml +++ b/build/yamls/antrea.yml @@ -4078,7 +4078,7 @@ data: # L7FlowExporter: false # Enable NodeLatencyMonitor to monitor the latency between Nodes. - # NodeLatencyMonitor: false + NodeLatencyMonitor: true # Allow users to initiate BGP process on selected Kubernetes Nodes and advertise Service IPs, Pod IPs and Egress IPs to # remote BGP peers. diff --git a/cmd/antrea-agent/agent.go b/cmd/antrea-agent/agent.go index dfd740ed2e0..84016b51d6e 100644 --- a/cmd/antrea-agent/agent.go +++ b/cmd/antrea-agent/agent.go 
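Review bot: The manifest hunk in build/yamls/antrea.yml flips the NodeLatencyMonitor feature gate on by default (`NodeLatencyMonitor: true`), which goes beyond what the description promises (install the rule when the gate is enabled) and reads like a local test setting left in. If the default is meant to stay off, the line should go back to the commented form `# NodeLatencyMonitor: false`; if the default is intentionally changing, that is a separate user-visible change that belongs in the description. This file looks like a generated manifest; if so, the edit should be made in the source it is generated from rather than here.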
@@ -154,6 +154,8 @@ func run(o *Options) error { enableBridgingMode := enableAntreaIPAM && o.config.EnableBridgingMode l7NetworkPolicyEnabled := features.DefaultFeatureGate.Enabled(features.L7NetworkPolicy) nodeNetworkPolicyEnabled := features.DefaultFeatureGate.Enabled(features.NodeNetworkPolicy) + klog.Infof("DBUG: featuregates: %v", o.config.FeatureGates[string(features.NodeLatencyMonitor)]) + nodeLatencyMonitorEnabled := o.config.FeatureGates[string(features.NodeLatencyMonitor)] l7FlowExporterEnabled := features.DefaultFeatureGate.Enabled(features.L7FlowExporter) enableMulticlusterGW := features.DefaultFeatureGate.Enabled(features.Multicluster) && o.config.Multicluster.EnableGateway _, multiclusterEncryptionMode := config.GetTrafficEncryptionModeFromStr(o.config.Multicluster.TrafficEncryptionMode) @@ -241,6 +243,7 @@ func run(o *Options) error { o.config.AntreaProxy.ProxyAll, connectUplinkToBridge, nodeNetworkPolicyEnabled, + nodeLatencyMonitorEnabled, multicastEnabled, o.config.SNATFullyRandomPorts, *o.config.Egress.SNATFullyRandomPorts, @@ -295,6 +298,7 @@ func run(o *Options) error { } // Initialize agent and node network. + klog.Infof("DBUG: before initialization: %v", routeClient) agentInitializer := agent.NewInitializer( k8sClient, crdClient, diff --git a/pkg/agent/monitortool/monitor.go b/pkg/agent/monitortool/monitor.go index 36d78f93abd..3cd9f030dbb 100644 --- a/pkg/agent/monitortool/monitor.go +++ b/pkg/agent/monitortool/monitor.go @@ -183,6 +183,7 @@ func (m *NodeLatencyMonitor) onNodeDelete(obj interface{}) { // onNodeLatencyMonitorAdd is the event handler for adding NodeLatencyMonitor. func (m *NodeLatencyMonitor) onNodeLatencyMonitorAdd(obj interface{}) { + // TODO maybe add the change here nlm := obj.(*v1alpha1.NodeLatencyMonitor) klog.V(4).InfoS("NodeLatencyMonitor added", "NodeLatencyMonitor", klog.KObj(nlm)) diff --git a/pkg/agent/route/route_linux.go b/pkg/agent/route/route_linux.go index 050060e6844..e0bb95b6cad 100644 
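Review bot: The gate read added in the first hunk, `nodeLatencyMonitorEnabled := o.config.FeatureGates[string(features.NodeLatencyMonitor)]`, indexes the raw config map instead of the feature-gate framework used on the neighbouring lines, so a gate that is absent from the map is treated as disabled regardless of its default and any validation the framework does is bypassed. The consistent form is `nodeLatencyMonitorEnabled := features.DefaultFeatureGate.Enabled(features.NodeLatencyMonitor)`. The two `klog.Infof("DBUG: ...")` calls in the first and third hunks are debugging output at Info level (the third formats the whole routeClient with `%v` on every agent start) and should be removed before merge. run's body starts and ends outside these hunks.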
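Review bot: The only change to onNodeLatencyMonitorAdd in pkg/agent/monitortool/monitor.go is the placeholder `// TODO maybe add the change here`, which tells a reader neither what change is intended nor who owns it. Either drop it or make it actionable, for example `// TODO(#6952): decide whether the ICMP iptables rule should be (un)installed on NodeLatencyMonitor add/delete instead of at agent start.` The function continues outside the hunk.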
--- a/pkg/agent/route/route_linux.go
+++ b/pkg/agent/route/route_linux.go
@@ -122,12 +122,13 @@ type Client struct {
 // markToSNATIP caches marks to SNAT IPs. It's used in Egress feature.
 markToSNATIP sync.Map
 // iptablesInitialized is used to notify when iptables initialization is done.
- iptablesInitialized chan struct{}
- proxyAll bool
- connectUplinkToBridge bool
- multicastEnabled bool
- isCloudEKS bool
- nodeNetworkPolicyEnabled bool
+ iptablesInitialized chan struct{}
+ proxyAll bool
+ connectUplinkToBridge bool
+ multicastEnabled bool
+ isCloudEKS bool
+ nodeNetworkPolicyEnabled bool
+ nodeLatencyMonitorEnabled bool
 // serviceRoutes caches ip routes about Services.
 serviceRoutes sync.Map
 // serviceExternalIPReferences tracks the references of Service IP. The key is the Service IP and the value is
@@ -170,6 +171,7 @@ func NewClient(networkConfig *config.NetworkConfig,
 proxyAll bool,
 connectUplinkToBridge bool,
 nodeNetworkPolicyEnabled bool,
+ nodeLatencyMonitorEnabled bool,
 multicastEnabled bool,
 nodeSNATRandomFully bool,
 egressSNATRandomFully bool,
@@ -679,6 +681,11 @@ func (c *Client) syncIPTables() error {
 jumpRules = append(jumpRules, jumpRule{iptables.FilterTable, iptables.InputChain, antreaInputChain, "Antrea: jump to Antrea input rules", false})
 jumpRules = append(jumpRules, jumpRule{iptables.FilterTable, iptables.OutputChain, antreaOutputChain, "Antrea: jump to Antrea output rules", false})
 }
+ // TODO add jumprules for icmp if nodeLatencyMonitorEnabled is true
+ klog.Infof("DBUG: latency monitor enabled: %v", c.nodeLatencyMonitorEnabled)
+ if c.nodeLatencyMonitorEnabled {
+ klog.InfoS("DBUG: NODE LATENCY MONITOR ENABLED")
+ }
 for _, rule := range jumpRules {
 if err := c.iptables.EnsureChain(ipProtocol, rule.table, rule.dstChain); err != nil {
 return err
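Review bot: The syncIPTables hunk only logs `c.nodeLatencyMonitorEnabled` and never installs the ICMP rule the commit message describes, so the reported edge case (ICMP dropped by a default-deny rule set) is still unfixed by this patch, and the `// TODO add jumprules ...` comment plus both `DBUG` klog calls would emit at Info level on every iptables sync. When the rule is implemented it should be as narrow as the feature needs: matched on the Antrea gateway interface and only on the ICMP message types the monitor actually uses (presumably echo request and reply), placed in the Antrea filter chains that already exist here (antreaInputChain / antreaOutputChain), and removed again when the gate is off so the sync stays idempotent. The second hunk adds `nodeLatencyMonitorEnabled bool` as a positional parameter between two other bools in NewClient, so every existing caller (tests and any other platform's constructor included) needs updating, and the new struct field in the first hunk would benefit from a comment in the style of its neighbours, e.g. `// nodeLatencyMonitorEnabled indicates whether the iptables rules allowing NodeLatencyMonitor ICMP probes should be installed.` syncIPTables continues outside the hunk.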