From de35ceb526b74c7ff56aedbb06cbbeae44055aa9 Mon Sep 17 00:00:00 2001
From: Quan Tian
Date: Fri, 26 Jan 2024 13:03:49 +0800
Subject: [PATCH] Ensure MTU is set correctly when WireGuard interface already exists (#5926)

In ce46eb1e2cde ("Fix incorrect MTU configurations"), we changed WireGuard interface's MTU in IPv4 case. However, if a cluster already enables WireGuard, the WireGuard interface's MTU would remain unchanged while new Pod would use a higher MTU, causing problems.

Signed-off-by: Quan Tian
---
 pkg/agent/wireguard/client_linux.go | 15 +++++++++++----
 pkg/agent/wireguard/client_test.go | 20 +++++++++++++++++---
 2 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/pkg/agent/wireguard/client_linux.go b/pkg/agent/wireguard/client_linux.go
index b34c4631952..4fa56348a16 100644
--- a/pkg/agent/wireguard/client_linux.go
+++ b/pkg/agent/wireguard/client_linux.go
@@ -52,6 +52,7 @@ var _ Interface = (*client)(nil)
 var (
 linkAdd = netlink.LinkAdd
 linkSetUp = netlink.LinkSetUp
+ linkSetMTU = netlink.LinkSetMTU
 utilConfigureLinkAddresses = util.ConfigureLinkAddresses
 )
@@ -85,12 +86,18 @@ func New(nodeConfig *config.NodeConfig, wireGuardConfig *config.WireGuardConfig)
 func (client *client) Init(ipv4 net.IP, ipv6 net.IP) (string, error) {
 link := &netlink.Wireguard{LinkAttrs: netlink.LinkAttrs{Name: client.wireGuardConfig.Name, MTU: client.wireGuardConfig.MTU}}
 err := linkAdd(link)
- // Ignore existing link as it may have already been created or managed by userspace process.
- if err != nil && !errors.Is(err, unix.EEXIST) {
- if errors.Is(err, unix.EOPNOTSUPP) {
+ if err != nil {
+ // Ignore existing link as it may have already been created or managed by userspace process, just ensure the MTU
+ // is set correctly.
+ if errors.Is(err, unix.EEXIST) {
+ if err := linkSetMTU(link, client.wireGuardConfig.MTU); err != nil {
+ return "", fmt.Errorf("failed to change WireGuard link MTU to %d: %w", client.wireGuardConfig.MTU, err)
+ }
+ } else if errors.Is(err, unix.EOPNOTSUPP) {
 return "", fmt.Errorf("WireGuard not supported by the Linux kernel (netlink: %w), make sure the WireGuard kernel module is loaded", err)
+ } else {
+ return "", err
 }
- return "", err
 }
 if err := linkSetUp(link); err != nil {
 return "", err
diff --git a/pkg/agent/wireguard/client_test.go b/pkg/agent/wireguard/client_test.go
index cb10e6cda82..1062eb1c911 100644
--- a/pkg/agent/wireguard/client_test.go
+++ b/pkg/agent/wireguard/client_test.go
@@ -390,7 +390,8 @@ func Test_Init(t *testing.T) {
 tests := []struct {
 name string
 linkAddErr error
- lindSetupErr error
+ linkSetUpErr error
+ linkSetMTUErr error
 utilConfigErr error
 expectedErr string
 extraIPv4 net.IP
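Review bot: The EEXIST branch now rewrites the MTU of whatever link already carries `client.wireGuardConfig.Name`, using the `netlink.Wireguard` value built here with no Index and without confirming that the existing link is the one the agent expects (the comment itself allows for a userspace-managed device); presumably `netlink.LinkSetMTU` resolves the index by name, but that is not visible in the hunk. Because this silently changes a live interface that may be managed by something else, I would at least log the adjustment with the link name and the new MTU at Info level right before the `linkSetMTU` call, so an operator can explain an MTU change on that link. The rest of Init continues outside the hunk.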
@@ -404,6 +405,16 @@ func Test_Init(t *testing.T) {
 linkAddErr: unix.EOPNOTSUPP,
 expectedErr: "WireGuard not supported by the Linux kernel (netlink: operation not supported), make sure the WireGuard kernel module is loaded",
 },
+ {
+ name: "init successfully with unix.EEXIST error",
+ linkAddErr: unix.EEXIST,
+ },
+ {
+ name: "failed to init due to linkSetMTU error",
+ linkAddErr: unix.EEXIST,
+ linkSetMTUErr: errors.New("link set mtu failed"),
+ expectedErr: "failed to change WireGuard link MTU to 1420: link set mtu failed",
+ },
 {
 name: "failed to init due to link add error",
 linkAddErr: errors.New("link add failed"),
@@ -411,7 +422,7 @@ func Test_Init(t *testing.T) {
 },
 {
 name: "failed to init due to link setup error",
- lindSetupErr: errors.New("link setup failed"),
+ linkSetUpErr: errors.New("link setup failed"),
 expectedErr: "link setup failed",
 },
 {
@@ -441,7 +452,10 @@ func Test_Init(t *testing.T) {
 return tt.linkAddErr
 }
 linkSetUp = func(link netlink.Link) error {
- return tt.lindSetupErr
+ return tt.linkSetUpErr
+ }
+ linkSetMTU = func(link netlink.Link, mtu int) error {
+ return tt.linkSetMTUErr
 }
 utilConfigureLinkAddresses = func(idx int, ipNets []*net.IPNet) error {
 return tt.utilConfigErr
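Review bot: The new `init successfully with unix.EEXIST error` case asserts only that Init returns no error and never checks that the MTU was applied to the existing link, which is the behaviour this commit introduces. I would have the stub capture its `mtu` argument into a local and assert it equals the configured value (`1420`, per the sibling case's expected message) for the EEXIST cases, and assert the stub was not called when `linkAddErr` is nil. Test_Init's table and its loop both continue outside the hunk.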
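Review bot: The `linkSetMTU` stub in the last hunk overrides a package-level variable, and the hunk shows no restore for it; if the surrounding test restores `linkAdd` and `linkSetUp` in a `defer` outside the hunk, `linkSetMTU` needs the same, e.g. `defer func(orig func(netlink.Link, int) error) { linkSetMTU = orig }(linkSetMTU)`, otherwise the stub leaks into later tests in the package. If the existing overrides are not restored either, that is a pre-existing gap rather than something this commit introduces, but it is worth fixing for all three at once.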