Add "srcPodIP" field in Traceflow observations (#6247)

Signed-off-by: Kumar Atish <kumar.atish@broadcom.com>

build/charts/antrea/crds/traceflow.yaml

@@ -217,6 +217,8 @@ spec:
                               type: string
                             egressNode:
                               type: string
+                            srcPodIP:
+                              type: string
                 capturedPacket:
                   properties:
                     srcIP:

build/yamls/antrea-aks.yml

@@ -3101,6 +3101,8 @@ spec:
                               type: string
                             egressNode:
                               type: string
+                            srcPodIP:
+                              type: string
                 capturedPacket:
                   properties:
                     srcIP:

build/yamls/antrea-crds.yml

@@ -3074,6 +3074,8 @@ spec:
                               type: string
                             egressNode:
                               type: string
+                            srcPodIP:
+                              type: string
                 capturedPacket:
                   properties:
                     srcIP:

build/yamls/antrea-eks.yml

@@ -3101,6 +3101,8 @@ spec:
                               type: string
                             egressNode:
                               type: string
+                            srcPodIP:
+                              type: string
                 capturedPacket:
                   properties:
                     srcIP:

build/yamls/antrea-gke.yml

@@ -3101,6 +3101,8 @@ spec:
                               type: string
                             egressNode:
                               type: string
+                            srcPodIP:
+                              type: string
                 capturedPacket:
                   properties:
                     srcIP:

build/yamls/antrea-ipsec.yml

@@ -3101,6 +3101,8 @@ spec:
                               type: string
                             egressNode:
                               type: string
+                            srcPodIP:
+                              type: string
                 capturedPacket:
                   properties:
                     srcIP:

build/yamls/antrea.yml

@@ -3101,6 +3101,8 @@ spec:
                               type: string
                             egressNode:
                               type: string
+                            srcPodIP:
+                              type: string
                 capturedPacket:
                   properties:
                     srcIP:

pkg/agent/controller/traceflow/packetin.go

@@ -173,6 +173,17 @@ func (c *Controller) parsePacketIn(pktIn *ofctrl.PacketIn) (*crdv1beta1.Traceflo
 		ob := new(crdv1beta1.Observation)
 		ob.Component = crdv1beta1.ComponentSpoofGuard
 		ob.Action = crdv1beta1.ActionForwarded
+		// For SNATed packet(hairpin), ipSrc and ctNwSrc are different.
+		// We noticed that ctNwSrc is invalid for ICMPv6 packets: it should contain
+		// the original src Pod IP but it is always empty due to an issue in OVS.
+		// https://github.com/openvswitch/ovs-issues/issues/327
+		if isValidCtNw(ctNwSrc) {
+			ob.SrcPodIP = ctNwSrc
+		} else {
+			// In the case of ICMPv6, since ctNwSrc is invalid, we can use ipSrc as
+			// hairpin is not applicable, so ipSrc always contains src pod IP.
+			ob.SrcPodIP = ipSrc
+		}
 		obs = append(obs, *ob)
 	} else {
 		ob := new(crdv1beta1.Observation)
@@ -461,10 +472,7 @@ func isValidCtNw(ipStr string) bool {
 	}
 	// Reserved by IETF [RFC3513][RFC4291]
 	_, cidr, _ := net.ParseCIDR("0000::/8")
-	if cidr.Contains(ip) {
-		return false
-	}
-	return true
+	return !cidr.Contains(ip)
 }
 
 func parseCapturedPacket(pktIn *ofctrl.PacketIn) *crdv1beta1.Packet {

pkg/agent/controller/traceflow/packetin_test.go

@@ -209,8 +209,8 @@ func getTestPacketBytes(dstIP string) []byte {
 		Protocol: uint8(8),
 		DSCP:     1,
 		Length:   20,
-		NWSrc:    net.IP(pod1IPv4),
-		NWDst:    net.IP(dstIP),
+		NWSrc:    net.ParseIP(pod1IPv4),
+		NWDst:    net.ParseIP(dstIP),
 	}
 	ethernetPkt := protocol.NewEthernet()
 	ethernetPkt.HWSrc = pod1MAC
@@ -238,6 +238,13 @@ func TestParsePacketIn(t *testing.T) {
 			Data: 1,
 		},
 	}
+	matchCTSrc := &openflow15.MatchField{
+		Class: openflow15.OXM_CLASS_NXM_1,
+		Field: openflow15.NXM_NX_CT_NW_SRC,
+		Value: &openflow15.Ipv4SrcField{
+			Ipv4Src: net.ParseIP(pod1IPv4),
+		},
+	}
 	matchTunDst := openflow15.NewTunnelIpv4DstField(net.ParseIP(egressIP), nil)
 
 	conjData := make([]byte, 8)
@@ -298,7 +305,7 @@ func TestParsePacketIn(t *testing.T) {
 				PacketIn: &openflow15.PacketIn{
 					TableId: openflow.OutputTable.GetID(),
 					Match: openflow15.Match{
-						Fields: []openflow15.MatchField{*matchOutPort, *matchPktMark},
+						Fields: []openflow15.MatchField{*matchOutPort, *matchPktMark, *matchCTSrc},
 					},
 					Data: util.NewBuffer(pktBytesPodToIP),
 				},
@@ -329,6 +336,7 @@ func TestParsePacketIn(t *testing.T) {
 					{
 						Component: crdv1beta1.ComponentSpoofGuard,
 						Action:    crdv1beta1.ActionForwarded,
+						SrcPodIP:  pod1IPv4,
 					},
 					{
 						Component:  crdv1beta1.ComponentEgress,
@@ -365,6 +373,8 @@ func TestParsePacketIn(t *testing.T) {
 				PacketIn: &openflow15.PacketIn{
 					TableId: openflow.OutputTable.GetID(),
 					Match: openflow15.Match{
+						// We are omitting matchCTSrc intentionally here to test
+						// the case where there is no valid ct_nw_src match in the packet metadata.
 						Fields: []openflow15.MatchField{*matchTunDst, *matchOutPort},
 					},
 					Data: util.NewBuffer(pktBytesPodToIP),
@@ -396,6 +406,7 @@ func TestParsePacketIn(t *testing.T) {
 					{
 						Component: crdv1beta1.ComponentSpoofGuard,
 						Action:    crdv1beta1.ActionForwarded,
+						SrcPodIP:  pod1IPv4,
 					},
 					{
 						Component:  crdv1beta1.ComponentEgress,
@@ -489,7 +500,7 @@ func TestParsePacketIn(t *testing.T) {
 				PacketIn: &openflow15.PacketIn{
 					TableId: openflow.EgressRuleTable.GetID(),
 					Match: openflow15.Match{
-						Fields: []openflow15.MatchField{*matchTFEgressConjID},
+						Fields: []openflow15.MatchField{*matchTFEgressConjID, *matchCTSrc},
 					},
 					Data: util.NewBuffer(pktBytesPodToPod),
 				},
@@ -531,6 +542,7 @@ func TestParsePacketIn(t *testing.T) {
 					{
 						Component: crdv1beta1.ComponentSpoofGuard,
 						Action:    crdv1beta1.ActionForwarded,
+						SrcPodIP:  pod1IPv4,
 					},
 					{
 						Component:         crdv1beta1.ComponentNetworkPolicy,
@@ -618,7 +630,7 @@ func TestParsePacketIn(t *testing.T) {
 				PacketIn: &openflow15.PacketIn{
 					TableId: openflow.EgressMetricTable.GetID(),
 					Match: openflow15.Match{
-						Fields: []openflow15.MatchField{*matchAPConjID},
+						Fields: []openflow15.MatchField{*matchAPConjID, *matchCTSrc},
 					},
 					Data: util.NewBuffer(pktBytesPodToPod),
 				},
@@ -658,6 +670,7 @@ func TestParsePacketIn(t *testing.T) {
 					{
 						Component: crdv1beta1.ComponentSpoofGuard,
 						Action:    crdv1beta1.ActionForwarded,
+						SrcPodIP:  pod1IPv4,
 					},
 					{
 						Component:         crdv1beta1.ComponentNetworkPolicy,

pkg/apis/crd/v1beta1/types.go

@@ -1268,6 +1268,8 @@ type Observation struct {
 	EgressIP    string `json:"egressIP,omitempty" yaml:"egressIP,omitempty"`
 	// EgressNode is the name of the Egress Node.
 	EgressNode string `json:"egressNode,omitempty" yaml:"egressNode,omitempty"`
+	// SrcPodIP is the IP of source Pod.
+	SrcPodIP string `json:"srcPodIP,omitempty" yaml:"srcPodIP,omitempty"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object