Add FQDN TCP DNS support #4612

GraysonWu · 2023-02-07T22:08:55Z

Use tp_src=53,tcp_flags=+psh+ack to match the TCP DNS response,
which can skip the handshake packets and match the packet containing
the actual data.
To achieve 1., an additional OVS fix patch should be applied.
While parsing TCP DNS response, we need to trim the TCP option
part to retrieve the data. And while sending it out via packetOut we
should construct the exact packet received by the Antrea agent.

Signed-off-by: graysonwu wgrayson@vmware.com

codecov · 2023-02-07T22:58:56Z

Codecov Report

Merging #4612 (f247791) into main (a63314f) will decrease coverage by 1.19%.
The diff coverage is 41.66%.

@@            Coverage Diff             @@
##             main    #4612      +/-   ##
==========================================
- Coverage   69.58%   68.39%   -1.19%     
==========================================
  Files         400      403       +3     
  Lines       59122    60199    +1077     
==========================================
+ Hits        41141    41175      +34     
- Misses      15175    16169     +994     
- Partials     2806     2855      +49

Flag	Coverage Δ		*Carryforward flag
e2e-tests	`38.32% <ø> (-0.02%)`	⬇️	Carriedforward from 480f02e
integration-tests	`34.34% <0.00%> (-0.14%)`	⬇️
kind-e2e-tests	`27.10% <10.18%> (-20.59%)`	⬇️
unit-tests	`59.84% <41.66%> (+0.22%)`	⬆️

*This pull request uses carry forward flags. Click here to find out more.

Impacted Files	Coverage Δ
pkg/agent/controller/networkpolicy/fqdn.go	`70.51% <0.00%> (-6.33%)`	⬇️
pkg/agent/types/networkpolicy.go	`94.59% <ø> (ø)`
pkg/ovs/openflow/ofctrl_packetin.go	`75.00% <54.54%> (-1.67%)`	⬇️
pkg/agent/openflow/network_policy.go	`80.92% <100.00%> (-0.37%)`	⬇️
pkg/agent/openflow/pipeline.go	`87.88% <100.00%> (-1.16%)`	⬇️
pkg/ovs/openflow/ofctrl_builder.go	`84.83% <100.00%> (+0.15%)`	⬆️
...g/agent/controller/serviceexternalip/controller.go	`35.83% <0.00%> (-43.35%)`	⬇️
...nt/apiserver/handlers/serviceexternalip/handler.go	`29.62% <0.00%> (-22.23%)`	⬇️
pkg/agent/flowexporter/connections/conntrack.go	`75.75% <0.00%> (-18.19%)`	⬇️
pkg/agent/ipassigner/responder/arp_responder.go	`55.29% <0.00%> (-17.65%)`	⬇️
... and 66 more

tnqn

LGTM overall

pkg/agent/openflow/network_policy.go

pkg/agent/openflow/pipeline.go

pkg/agent/openflow/network_policy.go

pkg/agent/types/networkpolicy.go

pkg/ovs/openflow/ofctrl_packetin.go

test/e2e/antreapolicy_test.go

pkg/agent/controller/networkpolicy/fqdn.go

pkg/agent/openflow/network_policy.go

pkg/ovs/openflow/ofctrl_packetin.go

pkg/ovs/openflow/ofctrl_packetin_test.go

go.mod

tnqn

LGTM

tnqn · 2023-03-15T10:40:48Z

/test-all
/test-ipv6-e2e
/test-ipv6-only-e2e

tnqn · 2023-03-15T12:14:58Z

@GraysonWu please resolve the conflict so we can merge

1. Use tp_src=53,tcp_flags=+psh+ack to match the TCP DNS response, which can skip the handshake packets and match the packet containing the actual data. 2. To achieve 1., additional OVS fix patch should be applied. 3. While paresing TCP DNS response, we need to trim the TCP option part to retrieve the data. And while sending it out via packetOut we should construct the exact packet received by the Antrea agent. 4. Using SendEthPacketOut to send the eth packet via packetOut save us from retrieving all L2/3/4 info and make sure that we send out the packet which is exactly the same as what we received. Signed-off-by: graysonwu <wgrayson@vmware.com>

Signed-off-by: graysonwu <wgrayson@vmware.com>

GraysonWu · 2023-03-15T20:51:40Z

/test-all
/test-ipv6-e2e
/test-ipv6-only-e2e

Signed-off-by: graysonwu <wgrayson@vmware.com>

GraysonWu · 2023-03-16T00:51:03Z

/test-all
/test-ipv6-e2e
/test-ipv6-only-e2e

hjiajing · 2023-03-16T02:23:13Z

/test-multicluster-e2e

GraysonWu · 2023-03-16T16:42:41Z

/test-all
/test-ipv6-e2e
/test-ipv6-only-e2e

GraysonWu · 2023-03-16T21:02:33Z

/test-ipv6-only-e2e

GraysonWu · 2023-03-16T23:15:00Z

The failure in ipv6-only-e2e is not related. Tried to run it on main branch and also failed. Opened issue #4717 to track it.

tnqn

LGTM

1. Use tp_src=53,tcp_flags=+psh+ack to match the TCP DNS response, which can skip the handshake packets and match the packet containing the actual data. 2. To achieve 1., additional OVS fix patch should be applied. 3. While paresing TCP DNS response, we need to trim the TCP option part to retrieve the data. And while sending it out via packetOut we should construct the exact packet received by the Antrea agent. 4. Using SendEthPacketOut to send the eth packet via packetOut save us from retrieving all L2/3/4 info and make sure that we send out the packet which is exactly the same as what we received. Signed-off-by: graysonwu <wgrayson@vmware.com>

GraysonWu force-pushed the fqdn-tcp branch from 2092fa4 to 29a39a4 Compare February 7, 2023 22:42

GraysonWu force-pushed the fqdn-tcp branch 5 times, most recently from dc613c8 to 480f02e Compare February 15, 2023 00:13

tnqn mentioned this pull request Feb 24, 2023

Update OVS to 2.17.3 #4402

Merged

GraysonWu force-pushed the fqdn-tcp branch 6 times, most recently from dbf63b3 to 7daa730 Compare March 2, 2023 01:08

GraysonWu changed the title ~~[WIP] Add FQDN TCP DNS support~~ Add FQDN TCP DNS support Mar 2, 2023

GraysonWu requested review from Dyanngg, wenyingd and tnqn March 2, 2023 08:05

vicky-liu added this to the Antrea v1.11 release milestone Mar 2, 2023

GraysonWu force-pushed the fqdn-tcp branch 6 times, most recently from 23c8fd8 to 4e7b113 Compare March 7, 2023 03:08

tnqn reviewed Mar 7, 2023

View reviewed changes

GraysonWu force-pushed the fqdn-tcp branch 4 times, most recently from 5b59f03 to 782dec7 Compare March 7, 2023 23:29

GraysonWu force-pushed the fqdn-tcp branch 2 times, most recently from 2db5e01 to de3a491 Compare March 9, 2023 07:10

tnqn reviewed Mar 9, 2023

View reviewed changes

GraysonWu force-pushed the fqdn-tcp branch from de3a491 to 359ac02 Compare March 12, 2023 06:20

tnqn reviewed Mar 14, 2023

View reviewed changes

pkg/ovs/openflow/ofctrl_packetin.go Outdated Show resolved Hide resolved

pkg/ovs/openflow/ofctrl_packetin.go Outdated Show resolved Hide resolved

pkg/ovs/openflow/ofctrl_packetin_test.go Outdated Show resolved Hide resolved

go.mod Outdated Show resolved Hide resolved

GraysonWu force-pushed the fqdn-tcp branch from 359ac02 to 387247a Compare March 14, 2023 21:46

tnqn previously approved these changes Mar 15, 2023

View reviewed changes

tnqn added the action/release-note Indicates a PR that should be included in release notes. label Mar 15, 2023

GraysonWu added 2 commits March 15, 2023 12:09

Address comments

9cfee14

Signed-off-by: graysonwu <wgrayson@vmware.com>

GraysonWu dismissed tnqn’s stale review via 9cfee14 March 15, 2023 19:09

GraysonWu force-pushed the fqdn-tcp branch from 387247a to 9cfee14 Compare March 15, 2023 19:09

Send PacketOut when parseing failed

e4e9d01

Signed-off-by: graysonwu <wgrayson@vmware.com>

GraysonWu force-pushed the fqdn-tcp branch from 7e0219b to e4e9d01 Compare March 15, 2023 23:13

GraysonWu requested a review from tnqn March 16, 2023 23:43

tnqn approved these changes Mar 17, 2023

View reviewed changes

tnqn merged commit 88f524b into antrea-io:main Mar 17, 2023

tnqn mentioned this pull request Mar 24, 2023

test-ipv6-e2e failed #4633

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add FQDN TCP DNS support #4612

Add FQDN TCP DNS support #4612

GraysonWu commented Feb 7, 2023 •

edited

Loading

codecov bot commented Feb 7, 2023 •

edited

Loading

tnqn left a comment

tnqn left a comment

tnqn commented Mar 15, 2023

tnqn commented Mar 15, 2023

GraysonWu commented Mar 15, 2023

GraysonWu commented Mar 16, 2023

hjiajing commented Mar 16, 2023

GraysonWu commented Mar 16, 2023

GraysonWu commented Mar 16, 2023

GraysonWu commented Mar 16, 2023

tnqn left a comment

Add FQDN TCP DNS support #4612

Add FQDN TCP DNS support #4612

Conversation

GraysonWu commented Feb 7, 2023 • edited Loading

codecov bot commented Feb 7, 2023 • edited Loading

Codecov Report

tnqn left a comment

Choose a reason for hiding this comment

tnqn left a comment

Choose a reason for hiding this comment

tnqn commented Mar 15, 2023

tnqn commented Mar 15, 2023

GraysonWu commented Mar 15, 2023

GraysonWu commented Mar 16, 2023

hjiajing commented Mar 16, 2023

GraysonWu commented Mar 16, 2023

GraysonWu commented Mar 16, 2023

GraysonWu commented Mar 16, 2023

tnqn left a comment

Choose a reason for hiding this comment

GraysonWu commented Feb 7, 2023 •

edited

Loading

codecov bot commented Feb 7, 2023 •

edited

Loading