Ensure MTU is set correctly when WireGuard interface already exists (#…

…5926) In ce46eb1 ("Fix incorrect MTU configurations"), we changed WireGuard interface's MTU in IPv4 case. However, if a cluster already enables WireGuard, the WireGuard interface's MTU would remain unchanged while new Pod would use a higher MTU, causing problems. Signed-off-by: Quan Tian <qtian@vmware.com>
antrea-io · Mar 26, 2024 · de35ceb · de35ceb
1 parent b343486
commit de35ceb
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 7 deletions.
diff --git a/pkg/agent/wireguard/client_linux.go b/pkg/agent/wireguard/client_linux.go
@@ -52,6 +52,7 @@ var _ Interface = (*client)(nil)
 var (
 	linkAdd                    = netlink.LinkAdd
 	linkSetUp                  = netlink.LinkSetUp
+	linkSetMTU                 = netlink.LinkSetMTU
 	utilConfigureLinkAddresses = util.ConfigureLinkAddresses
 )
 
@@ -85,12 +86,18 @@ func New(nodeConfig *config.NodeConfig, wireGuardConfig *config.WireGuardConfig)
 func (client *client) Init(ipv4 net.IP, ipv6 net.IP) (string, error) {
 	link := &netlink.Wireguard{LinkAttrs: netlink.LinkAttrs{Name: client.wireGuardConfig.Name, MTU: client.wireGuardConfig.MTU}}
 	err := linkAdd(link)
-	// Ignore existing link as it may have already been created or managed by userspace process.
-	if err != nil && !errors.Is(err, unix.EEXIST) {
-		if errors.Is(err, unix.EOPNOTSUPP) {
+	if err != nil {
+		// Ignore existing link as it may have already been created or managed by userspace process, just ensure the MTU
+		// is set correctly.
+		if errors.Is(err, unix.EEXIST) {
+			if err := linkSetMTU(link, client.wireGuardConfig.MTU); err != nil {
+				return "", fmt.Errorf("failed to change WireGuard link MTU to %d: %w", client.wireGuardConfig.MTU, err)
+			}
+		} else if errors.Is(err, unix.EOPNOTSUPP) {
 			return "", fmt.Errorf("WireGuard not supported by the Linux kernel (netlink: %w), make sure the WireGuard kernel module is loaded", err)
+		} else {
+			return "", err
 		}
-		return "", err
 	}
 	if err := linkSetUp(link); err != nil {
 		return "", err

diff --git a/pkg/agent/wireguard/client_test.go b/pkg/agent/wireguard/client_test.go
@@ -390,7 +390,8 @@ func Test_Init(t *testing.T) {
 	tests := []struct {
 		name          string
 		linkAddErr    error
-		lindSetupErr  error
+		linkSetUpErr  error
+		linkSetMTUErr error
 		utilConfigErr error
 		expectedErr   string
 		extraIPv4     net.IP
@@ -404,14 +405,24 @@ func Test_Init(t *testing.T) {
 			linkAddErr:  unix.EOPNOTSUPP,
 			expectedErr: "WireGuard not supported by the Linux kernel (netlink: operation not supported), make sure the WireGuard kernel module is loaded",
 		},
+		{
+			name:       "init successfully with unix.EEXIST error",
+			linkAddErr: unix.EEXIST,
+		},
+		{
+			name:          "failed to init due to linkSetMTU error",
+			linkAddErr:    unix.EEXIST,
+			linkSetMTUErr: errors.New("link set mtu failed"),
+			expectedErr:   "failed to change WireGuard link MTU to 1420: link set mtu failed",
+		},
 		{
 			name:        "failed to init due to link add error",
 			linkAddErr:  errors.New("link add failed"),
 			expectedErr: "link add failed",
 		},
 		{
 			name:         "failed to init due to link setup error",
-			lindSetupErr: errors.New("link setup failed"),
+			linkSetUpErr: errors.New("link setup failed"),
 			expectedErr:  "link setup failed",
 		},
 		{
@@ -441,7 +452,10 @@ func Test_Init(t *testing.T) {
 				return tt.linkAddErr
 			}
 			linkSetUp = func(link netlink.Link) error {
-				return tt.lindSetupErr
+				return tt.linkSetUpErr
+			}
+			linkSetMTU = func(link netlink.Link, mtu int) error {
+				return tt.linkSetMTUErr
 			}
 			utilConfigureLinkAddresses = func(idx int, ipNets []*net.IPNet) error {
 				return tt.utilConfigErr