Match dstIP in Classifier to address windows promiscuous mode issue #6528
Conversation
|
/test-windows-e2e |
|
/test-windows-all |
|
/test-latest-all |
XinShuYang
force-pushed
the
windowsuplink
branch
from
5e6e462 to
6775c5e
Compare
|
/test-windows-all |
|
/test-windows-containerd-e2e |
|
/test-windows-containerd-conformance |
XinShuYang
changed the title
There was a problem hiding this comment.
I remember that we used to have a dedicated change trying to merge similar functions from pipeline_windows and pipeline_others into pipeline.go. So maybe we can think about introducing a mutateFunc in the the unique hostBridgeLocalFlows(), and provide different mutate implementations in the OS separate files?
XinShuYang
force-pushed
the
windowsuplink
branch
from
6775c5e to
44c8595
Compare
|
promiscuous mode is usually enabled for debugging, can we add documentation for this case ! |
XinShuYang
force-pushed
the
windowsuplink
branch
from
44c8595 to
a57d40c
Compare
On Windows, promiscuous mode is not enabled by Antrea. This patch is intended to enhance the pipeline by ensuring the packets destined for other nodes are not forwarded to the local port, which is also reasonable for the debugging purpose. |
|
/test-windows-containerd-e2e |
XinShuYang
force-pushed
the
windowsuplink
branch
from
a57d40c to
ca6d857
Compare
Ok, When promiscuous mode is enabled, the interface ignores the MAC address filter and captures all network traffic it can see. Are we also considering to match in case destip is ipv6 ? what about linux case, this problem can be seen on linux as well ! |
Currently Windows doesn‘t support IPv6, and in Linux, since uplink port is not added to the bridge by default, we didn't find the same issue. |
XinShuYang
force-pushed
the
windowsuplink
branch
3 times, most recently
from
14f5066 to
c74ca81
Compare
Sure, added mutate function implementation, PTAL. |
XinShuYang
force-pushed
the
windowsuplink
branch
from
c74ca81 to
7d23f4c
Compare
| @@ -23,6 +23,12 @@ import ( | |||
| binding "antrea.io/antrea/pkg/ovs/openflow" | |||
| ) | |||
|
|
|||
| func (f *featurePodConnectivity) uplinkMatchMutate(flowBuilder binding.FlowBuilder) binding.FlowBuilder { | |||
There was a problem hiding this comment.
Add some comments here to explain why we need this mutate function?
There was a problem hiding this comment.
Sure, comments updated.
XinShuYang
force-pushed
the
windowsuplink
branch
from
7d23f4c to
c3ec381
Compare
XinShuYang
force-pushed
the
windowsuplink
branch
from
6917edf to
fcaeced
Compare
Ok
Yes, I imagine that promiscuous mode works a bit differently in a virtual environment with a virtual switch. It's still hard for me to understand why the Windows OS would do IP forwarding on arbitrary packets with an unknown MAC address. |
XinShuYang
force-pushed
the
windowsuplink
branch
2 times, most recently
from
66e9ffe to
8b7cdc6
Compare
@antoninbas I can see the IP-to-MAC info in the ARP table for packets captured on br-int. Based on the behavior observed from Windows, it appears that packets indeed ignore MAC checks during IP forwarding. My guess is the Windows network stack completes the Layer 2 decapsulation before handling IP forwarding. When it decides to forward the packet back to br-int based on the default route, it encapsulates the packet with Layer 2 info, where the src MAC is the local host's MAC, and the dst MAC is the MAC maintained in the ARP table. |
|
/test-windows-all |
@antoninbas MatchInPort(f.uplinkPort) in podUplinkClassifierFlows is used for IPAM, which is a feature not currently supported by Windows. Another instance is in hostBridgeUplinkVLANFlows. Since the VLANTable is located after the Classifier in the pipeline, I also believe there is no need to modify the rules? |
luolanzone
added
the
area/OS/windows
|
@XinShuYang so this is actually a connection issue when the promiscuous mode is enabled on Windows, right? |
|
@XinShuYang got it, then maybe we should update the method name again, to something more specific such as @luolanzone sounds good to me. We can also backport as needed, there is very little risk involved with this change IMO. |
When promiscuous mode is enabled, OVS incorrectly forwards packets destined for non-local IP addresses from the uplink to the host interface. Due to IP forwarding being enabled, these packets are re-sent to br-int according to the default route and are eventually forwarded to the uplink. Since the source MAC of these packets has been changed to the local host’s MAC, this can potentially cause errors on the switch. This patch matches dstIP field in ClassifierTable to ensure proper packet handling and preventing unintended forwarding. Signed-off-by: Shuyang Xin <[email protected]>
XinShuYang
force-pushed
the
windowsuplink
branch
from
8b7cdc6 to
22a3163
Compare
Sure, code updated. |
|
/test-windows-all |
|
Hi @antoninbas , windows CI passed, can we merged this PR? |
antoninbas
added
the
action/release-note
…ntrea-io#6528) When promiscuous mode is enabled, OVS incorrectly forwards packets destined for non-local IP addresses from the uplink to the host interface. Due to IP forwarding being enabled, these packets are re-sent to br-int according to the default route and are eventually forwarded to the uplink. Since the source MAC of these packets has been changed to the local host’s MAC, this can potentially cause errors on the switch. This patch matches dstIP field in ClassifierTable to ensure proper packet handling and preventing unintended forwarding. Signed-off-by: Shuyang Xin <[email protected]>
…ntrea-io#6528) When promiscuous mode is enabled, OVS incorrectly forwards packets destined for non-local IP addresses from the uplink to the host interface. Due to IP forwarding being enabled, these packets are re-sent to br-int according to the default route and are eventually forwarded to the uplink. Since the source MAC of these packets has been changed to the local host’s MAC, this can potentially cause errors on the switch. This patch matches dstIP field in ClassifierTable to ensure proper packet handling and preventing unintended forwarding. Signed-off-by: Shuyang Xin <[email protected]> Co-authored-by: Wenying Dong <[email protected]>
…ntrea-io#6528) When promiscuous mode is enabled, OVS incorrectly forwards packets destined for non-local IP addresses from the uplink to the host interface. Due to IP forwarding being enabled, these packets are re-sent to br-int according to the default route and are eventually forwarded to the uplink. Since the source MAC of these packets has been changed to the local host’s MAC, this can potentially cause errors on the switch. This patch matches dstIP field in ClassifierTable to ensure proper packet handling and preventing unintended forwarding. Signed-off-by: Gavin Xin <[email protected]>
…ntrea-io#6528) When promiscuous mode is enabled, OVS incorrectly forwards packets destined for non-local IP addresses from the uplink to the host interface. Due to IP forwarding being enabled, these packets are re-sent to br-int according to the default route and are eventually forwarded to the uplink. Since the source MAC of these packets has been changed to the local host’s MAC, this can potentially cause errors on the switch. This patch matches dstIP field in ClassifierTable to ensure proper packet handling and preventing unintended forwarding. Signed-off-by: Gavin Xin <[email protected]>
…6528) When promiscuous mode is enabled, OVS incorrectly forwards packets destined for non-local IP addresses from the uplink to the host interface. Due to IP forwarding being enabled, these packets are re-sent to br-int according to the default route and are eventually forwarded to the uplink. Since the source MAC of these packets has been changed to the local host’s MAC, this can potentially cause errors on the switch. This patch matches dstIP field in ClassifierTable to ensure proper packet handling and preventing unintended forwarding. Signed-off-by: Gavin Xin <[email protected]>
When promiscuous mode is enabled, OVS incorrectly forwards packets destined for
non-local IP addresses from the uplink to the host interface. Due to IP forwarding
being enabled, these packets are re-sent to br-int according to the default route
and are eventually forwarded to the uplink. Since the source MAC of these packets
has been changed to the local host’s MAC, this can potentially cause errors on the switch.
This patch matches dstIP field in ClassifierTable to ensure proper packet handling
and preventing unintended forwarding.