ANP with FQDN rules does not work correctly on TCP traffic

[wenyingd]

Describe the bug

In some cases, TCP port 53 is also used for DNS protocol. When configuring with ANP rules on FQDN, we expected to send the DNS response to antrea-agent no matter it is using UDP or TCP protocol. When it is using TCP protocol, the relevant OpenFlow flow is supposed to be something like,

cookie=0x1020000000000, table=AntreaPolicyIngressRule, priority=64991,tcp,tp_src=53,tcp_flags=+psh+ack actions=conjunction(1,1/2)

However, the real flow installed on OVS is like this,

cookie=0x47020000000000, duration=261903.244s, table=AntreaPolicyIngressRule, n_packets=0, n_bytes=0, idle_age=65535, priority=64991,tcp,tcp_flags=+psh+ack actions=conjunction(1,1/2)

It means that all TCP packets marked wth "ack" and "push" packet sending to the "appliedTo" Pod would be sent to antrea-agent via the PacketIn mechnism.

To Reproduce

Install antrea v1.12, and create an ANP with fqdn rules. Then dump OpenFlow entries on antrea-agent Pod.

Expected

Only TCP DNS response ( tp_src=53 and tcp_flags=+ack+psh ) would be sent to antrea-agent when FQDN rules are applied.

Actual behavior

After ANP with FQDN rules are applied, all TCP packets marked with ack and psh which are sending to the appliedTo Pods are sent to antrea-agent.

Versions:

Antrea v1.12

Additional context