[Multicast] Multicast route configuration

1. Add and delete static multicast route entries for inbound and outbound multicast traffic. 2. Configure OVS bridge to support multicast snooping and disable flooding of unregistered multicast packets to all ports. 3. Add an iptables rule to prevent multicast traffic masquerade. Signed-off-by: Ruochen Shen <[email protected]>
antrea-io · Jan 14, 2022 · ac9081e · ac9081e
1 parent 2ee6ad1
commit ac9081e
Show file tree

Hide file tree

Showing 31 changed files with 1,251 additions and 53 deletions.
diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml
@@ -4146,6 +4146,10 @@ data:
     # 3. The Node IP
     #transportInterface:
 
+    # The names of the interfaces on Nodes that are used to forward multicast traffic.
+    # Defaults to transport interface if not set.
+    #multicastInterfaces: []
+
     # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across
     # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The
     # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of
@@ -4290,7 +4294,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-mtdf878cgd
+  name: antrea-config-hc65bkbcgm
   namespace: kube-system
 ---
 apiVersion: v1
@@ -4361,7 +4365,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-mtdf878cgd
+          value: antrea-config-hc65bkbcgm
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -4412,7 +4416,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-mtdf878cgd
+          name: antrea-config-hc65bkbcgm
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4693,7 +4697,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-mtdf878cgd
+          name: antrea-config-hc65bkbcgm
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml
@@ -4146,6 +4146,10 @@ data:
     # 3. The Node IP
     #transportInterface:
 
+    # The names of the interfaces on Nodes that are used to forward multicast traffic.
+    # Defaults to transport interface if not set.
+    #multicastInterfaces: []
+
     # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across
     # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The
     # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of
@@ -4290,7 +4294,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-mtdf878cgd
+  name: antrea-config-hc65bkbcgm
   namespace: kube-system
 ---
 apiVersion: v1
@@ -4361,7 +4365,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-mtdf878cgd
+          value: antrea-config-hc65bkbcgm
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -4412,7 +4416,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-mtdf878cgd
+          name: antrea-config-hc65bkbcgm
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4695,7 +4699,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-mtdf878cgd
+          name: antrea-config-hc65bkbcgm
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml
@@ -4146,6 +4146,10 @@ data:
     # 3. The Node IP
     #transportInterface:
 
+    # The names of the interfaces on Nodes that are used to forward multicast traffic.
+    # Defaults to transport interface if not set.
+    #multicastInterfaces: []
+
     # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across
     # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The
     # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of
@@ -4290,7 +4294,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-f42d6k25t4
+  name: antrea-config-9mch246h2k
   namespace: kube-system
 ---
 apiVersion: v1
@@ -4361,7 +4365,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-f42d6k25t4
+          value: antrea-config-9mch246h2k
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -4412,7 +4416,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-f42d6k25t4
+          name: antrea-config-9mch246h2k
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4696,7 +4700,7 @@ spec:
           path: /home/kubernetes/bin
         name: host-cni-bin
       - configMap:
-          name: antrea-config-f42d6k25t4
+          name: antrea-config-9mch246h2k
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml
@@ -4151,6 +4151,10 @@ data:
     # 3. The Node IP
     #transportInterface:
 
+    # The names of the interfaces on Nodes that are used to forward multicast traffic.
+    # Defaults to transport interface if not set.
+    #multicastInterfaces: []
+
     # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across
     # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The
     # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of
@@ -4295,7 +4299,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-24g5gkf4m9
+  name: antrea-config-2thm85m7gt
   namespace: kube-system
 ---
 apiVersion: v1
@@ -4375,7 +4379,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-24g5gkf4m9
+          value: antrea-config-2thm85m7gt
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -4426,7 +4430,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-24g5gkf4m9
+          name: antrea-config-2thm85m7gt
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4742,7 +4746,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-24g5gkf4m9
+          name: antrea-config-2thm85m7gt
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

diff --git a/build/yamls/antrea-kind.yml b/build/yamls/antrea-kind.yml
@@ -4151,6 +4151,10 @@ data:
     # 3. The Node IP
     #transportInterface:
 
+    # The names of the interfaces on Nodes that are used to forward multicast traffic.
+    # Defaults to transport interface if not set.
+    #multicastInterfaces: []
+
     # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across
     # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The
     # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of
@@ -4295,7 +4299,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-h5hctb5f9b
+  name: antrea-config-44dgfghbf4
   namespace: kube-system
 ---
 apiVersion: v1
@@ -4366,7 +4370,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-h5hctb5f9b
+          value: antrea-config-44dgfghbf4
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -4417,7 +4421,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-h5hctb5f9b
+          name: antrea-config-44dgfghbf4
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4694,7 +4698,7 @@ spec:
           type: CharDevice
         name: dev-tun
       - configMap:
-          name: antrea-config-h5hctb5f9b
+          name: antrea-config-44dgfghbf4
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml
@@ -4151,6 +4151,10 @@ data:
     # 3. The Node IP
     #transportInterface:
 
+    # The names of the interfaces on Nodes that are used to forward multicast traffic.
+    # Defaults to transport interface if not set.
+    #multicastInterfaces: []
+
     # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across
     # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The
     # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of
@@ -4295,7 +4299,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-h9276948gc
+  name: antrea-config-c4m4ghgm7d
   namespace: kube-system
 ---
 apiVersion: v1
@@ -4366,7 +4370,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-h9276948gc
+          value: antrea-config-c4m4ghgm7d
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -4417,7 +4421,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-h9276948gc
+          name: antrea-config-c4m4ghgm7d
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4698,7 +4702,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-h9276948gc
+          name: antrea-config-c4m4ghgm7d
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

diff --git a/build/yamls/base/conf/antrea-agent.conf b/build/yamls/base/conf/antrea-agent.conf
@@ -186,6 +186,10 @@ nodePortLocal:
 # 3. The Node IP
 #transportInterface:
 
+# The names of the interfaces on Nodes that are used to forward multicast traffic.
+# Defaults to transport interface if not set.
+#multicastInterfaces: []
+
 # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across
 # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The
 # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of

diff --git a/cmd/antrea-agent/agent.go b/cmd/antrea-agent/agent.go
@@ -21,6 +21,7 @@ import (
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/informers"
 	coreinformers "k8s.io/client-go/informers/core/v1"
@@ -162,7 +163,7 @@ func run(o *Options) error {
 	egressConfig := &config.EgressConfig{
 		ExceptCIDRs: exceptCIDRs,
 	}
-	routeClient, err := route.NewClient(networkConfig, o.config.NoSNAT, o.config.AntreaProxy.ProxyAll, connectUplinkToBridge)
+	routeClient, err := route.NewClient(networkConfig, o.config.NoSNAT, o.config.AntreaProxy.ProxyAll, connectUplinkToBridge, features.DefaultFeatureGate.Enabled(features.Multicast))
 	if err != nil {
 		return fmt.Errorf("error creating route client: %v", err)
 	}
@@ -508,7 +509,17 @@ func run(o *Options) error {
 	}
 
 	if features.DefaultFeatureGate.Enabled(features.Multicast) {
-		mcastController := multicast.NewMulticastController(ofClient, nodeConfig, ifaceStore)
+		multicastSocket, err := multicast.CreateMulticastSocket()
+		if err != nil {
+			return fmt.Errorf("failed to create multicast socket")
+		}
+		mcastController := multicast.NewMulticastController(
+			ofClient,
+			nodeConfig,
+			ifaceStore,
+			multicastSocket,
+			sets.NewString(append(o.config.MulticastInterfaces, networkConfig.TransportIface)...),
+			ovsBridgeClient)
 		if err := mcastController.Initialize(); err != nil {
 			return err
 		}

diff --git a/hack/update-codegen-dockerized.sh b/hack/update-codegen-dockerized.sh
@@ -158,6 +158,7 @@ MOCKGEN_TARGETS=(
   "pkg/agent/cniserver/ipam IPAMDriver testing"
   "pkg/agent/flowexporter/connections ConnTrackDumper,NetFilterConnTrack testing"
   "pkg/agent/interfacestore InterfaceStore testing"
+  "pkg/agent/multicast RouteInterface testing"
   "pkg/agent/nodeportlocal/portcache LocalPortOpener testing"
   "pkg/agent/nodeportlocal/rules PodPortRules testing"
   "pkg/agent/openflow Client,OFEntryOperations testing"

diff --git a/pkg/agent/agent.go b/pkg/agent/agent.go
@@ -782,6 +782,7 @@ func (i *Initializer) initNodeLocalConfig() error {
 	}
 
 	var nodeIPv4Addr, nodeIPv6Addr, transportIPv4Addr, transportIPv6Addr *net.IPNet
+	var transportInterfaceName string
 	var localIntf *net.Interface
 	// Find the interface configured with Node IP and use it for Pod traffic.
 	ipAddrs, err := k8s.GetNodeAddrs(node)
@@ -794,9 +795,11 @@ func (i *Initializer) initNodeLocalConfig() error {
 	}
 	transportIPv4Addr = nodeIPv4Addr
 	transportIPv6Addr = nodeIPv6Addr
+	transportInterfaceName = localIntf.Name
 	if i.networkConfig.TransportIface != "" {
 		// Find the configured transport interface, and update its IP address in Node's annotation.
 		transportIPv4Addr, transportIPv6Addr, localIntf, err = getTransportIPNetDeviceByName(i.networkConfig.TransportIface, i.ovsBridge)
+		transportInterfaceName = localIntf.Name
 		if err != nil {
 			return fmt.Errorf("failed to get local IPNet device with transport interface %s: %v", i.networkConfig.TransportIface, err)
 		}
@@ -813,6 +816,7 @@ func (i *Initializer) initNodeLocalConfig() error {
 		}
 	} else if len(i.networkConfig.TransportIfaceCIDRs) > 0 {
 		transportIPv4Addr, transportIPv6Addr, localIntf, err = getIPNetDeviceByCIDRs(i.networkConfig.TransportIfaceCIDRs)
+		transportInterfaceName = localIntf.Name
 		if err != nil {
 			return fmt.Errorf("failed to get local IPNet device with transport Address CIDR %s: %v", i.networkConfig.TransportIfaceCIDRs, err)
 		}
@@ -834,6 +838,7 @@ func (i *Initializer) initNodeLocalConfig() error {
 			i.patchNodeAnnotations(nodeName, types.NodeTransportAddressAnnotationKey, nil)
 		}
 	}
+	i.networkConfig.TransportIface = transportInterfaceName
 
 	// Update the Node's MAC address in the annotations of the Node. The MAC address will be used for direct routing by
 	// OVS in noencap case on Windows Nodes. As a mixture of Linux and Windows nodes is possible, Linux Nodes' MAC