
Improve support for Egress in Traceflow

Open antoninbas opened this issue 3 years ago • 7 comments

Describe the problem/challenge you have

See discussion in https://github.com/antrea-io/antrea/pull/2227#discussion_r644425735

At the moment, we will generate the following observations for Egress traffic:

  • when Egressing from the same Node, the Forwarding component will report the ForwardedOutOfOverlay action
  • when Egressing from a remote Node, the Forwarding component will report the Forwarded action, with the Egress SNAT IP as the tunnel destination IP

Describe the solution you'd like

It would be good to include more specific information for Egress. Maybe we could have an Egress component, which would be used when 1) sending the packet to a remote Node for Egress, and 2) egressing from the local Node (possibly after receiving the packet from a different Node over a tunnel). Different action names could be used for these 2 cases? In particular, it would be nice to always include the Egress SNAT IP, and if possible the Egress policy name.

antoninbas avatar Jun 07 '21 23:06 antoninbas

This issue is stale because it has been open 180 days with no activity. Remove stale label or comment, or this will be closed in 180 days

github-actions[bot] avatar Dec 05 '21 00:12 github-actions[bot]

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment, or this will be closed in 90 days

github-actions[bot] avatar Mar 08 '22 00:03 github-actions[bot]

1. Create a new component for Egress in Traceflow

kind-worker2 is the Egress Node. Expected output:

  • [ ] When Egressing from same Node
root@kind-worker:/# antctl tf -S default/nginx -D 142.250.195.46
name: default-nginx-to-142.250.195.46-8lqzqtk5
phase: Succeeded
source: default/nginx
destination: 142.250.195.46
results:
- node: kind-worker2
  timestamp: 1652346862
  observations:
  - component: SpoofGuard
    action: Forwarded
  - component: Forwarding
    componentInfo: Output
    action: ForwardedOutOfOverlay
  - component: Egress
    action: ForwardedOutOfOverlay
    EgressPolicy: "foobar"
    EgressIP: 10.10.1.2
  • [ ] When Egressing from a remote Node
root@kind-worker:/# antctl tf -S testnamespace/nginx-deployment-66b6c48dd5-lhf2f -D 142.250.195.46
name: testnamespace-nginx-deployment-66b6c48dd5-lhf2f-to-142.250.195.46-9z8667mg
phase: Running
source: testnamespace/nginx-deployment-66b6c48dd5-lhf2f
destination: 142.250.195.46
results:
- node: kind-worker
  timestamp: 1652347679
  observations:
  - component: SpoofGuard
    action: Forwarded
  - component: Forwarding
    componentInfo: Output
    action: Forwarded
    tunnelDstIP: 10.10.1.2
- node: kind-worker2
  timestamp: 1652347679
  observations:
  - component: Egress
    action: ForwardedOutOfOverlay
    EgressPolicy: "foobar"
    EgressIP: 10.10.1.2

2. Add more fields in Forwarding component for Egress

  • [ ] When Egressing from same Node
root@kind-worker:/# antctl tf -S default/nginx -D 142.250.195.46
name: default-nginx-to-142.250.195.46-8lqzqtk5
phase: Succeeded
source: default/nginx
destination: 142.250.195.46
results:
- node: kind-worker2
  timestamp: 1652346862
  observations:
  - component: SpoofGuard
    action: Forwarded
  - component: Forwarding
    componentInfo: Output
    action: ForwardedOutOfOverlay
    EgressPolicy: "foobar"
    EgressIP: 10.10.1.2  
  • [ ] When Egressing from a remote Node
root@kind-worker:/# antctl tf -S testnamespace/nginx-deployment-66b6c48dd5-lhf2f -D 142.250.195.46
name: testnamespace-nginx-deployment-66b6c48dd5-lhf2f-to-142.250.195.46-9z8667mg
phase: Running
source: testnamespace/nginx-deployment-66b6c48dd5-lhf2f
destination: 142.250.195.46
results:
- node: kind-worker
  timestamp: 1652347679
  observations:
  - component: SpoofGuard
    action: Forwarded
  - component: Forwarding
    componentInfo: Output
    action: Forwarded
    tunnelDstIP: 10.10.1.2
- node: kind-worker2
  timestamp: 1652347679
  observations:
  - component: Forwarding
    action: ForwardedOutOfOverlay
    EgressPolicy: "foobar"
    EgressIP: 10.10.1.2

The Egress Node is the final Node for Egress traffic, so when the Node of the observation is the Egress Node, the action is ForwardedOutOfOverlay, because

ActionForwardedOutOfOverlay indicates that the packet has been forwarded out of the network managed by Antrea. This indicates that the Traceflow request can be considered complete.

I have kept the EgressPolicy field only on one Node, i.e. the Egress Node; to avoid duplication I have not kept it on both the source Node and the Egress Node.

As far as output is concerned, both approaches are very similar: the fields are the same, and the only difference is in the component name. I think the first approach (Create a new component for Egress) is better, but I am not sure which approach is better implementation-wise. @gran-vmv @antoninbas @xliuxu Any suggestions?

Atish-iaf avatar May 12 '22 11:05 Atish-iaf

I like having a dedicated Egress component (solution 1), but maybe @jianjuns has some insight on how this is typically done in other solutions with a similar feature.

Just a few comments on that first approach:

  • why is the Egress component after the Forwarding component? I think from an implementation perspective at least, the Forwarding component is populated based on information such as the output port, which is computed at the end of the pipeline.
  • why use the action ForwardedOutOfOverlay in the Egress component when it is used in the Forwarding component?
  • for the When Egressing from a remote Node case, why not show the Egress component for the source Node, even though the packet still goes through the SNATTable?

For that last case, in particular, I thought it could look like this:

name: testnamespace-nginx-deployment-66b6c48dd5-lhf2f-to-142.250.195.46-9z8667mg
phase: Running
source: testnamespace/nginx-deployment-66b6c48dd5-lhf2f
destination: 142.250.195.46
results:
- node: kind-worker
  timestamp: 1652347679
  observations:
  - component: SpoofGuard
    action: Forwarded
  - component: Egress
    action: ForwardedToEgressNode
    EgressPolicy: "foobar"
    EgressIP: 10.10.1.2
  - component: Forwarding
    componentInfo: Output
    action: Forwarded
    tunnelDstIP: 10.10.1.2
- node: kind-worker2
  timestamp: 1652347679
  observations:
  - component: Egress
    action: MarkedForSNATByHost
    EgressPolicy: "foobar"
    EgressIP: 10.10.1.2
  - component: Forwarding
    action: ForwardedOutOfOverlay

antoninbas avatar May 13 '22 19:05 antoninbas
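The proposal above fixes a handful of invariants for Egress observations: ForwardedOutOfOverlay is reported only by the Forwarding component, the Egress observation precedes the Forwarding observation on each Node, it always carries the Egress SNAT IP (and the policy name), and on the source Node the tunnel destination equals the Egress IP. The following checker is an added example, not code from the Antrea project; it encodes those invariants as my reading of the thread and runs them over two constructed Traceflow results embedded as Python structures (the remote-Node case from the proposal above, and the earlier draft where Egress sat after Forwarding and reused ForwardedOutOfOverlay). Field names come from the thread; the rule set and the function names are assumptions.

```python
"""Validate Traceflow results against the Egress observation layout proposed in this thread."""
from __future__ import annotations

# Actions the proposal assigns to the Egress component (source Node / Egress Node).
EGRESS_ACTIONS = {"ForwardedToEgressNode", "MarkedForSNATByHost"}

# Constructed sample: the remote-Node Egress case as laid out in the proposal above.
PROPOSED_REMOTE_NODE = {
    "source": "testnamespace/nginx-deployment-66b6c48dd5-lhf2f",
    "destination": "142.250.195.46",
    "results": [
        {"node": "kind-worker", "observations": [
            {"component": "SpoofGuard", "action": "Forwarded"},
            {"component": "Egress", "action": "ForwardedToEgressNode",
             "EgressPolicy": "foobar", "EgressIP": "10.10.1.2"},
            {"component": "Forwarding", "componentInfo": "Output",
             "action": "Forwarded", "tunnelDstIP": "10.10.1.2"},
        ]},
        {"node": "kind-worker2", "observations": [
            {"component": "Egress", "action": "MarkedForSNATByHost",
             "EgressPolicy": "foobar", "EgressIP": "10.10.1.2"},
            {"component": "Forwarding", "action": "ForwardedOutOfOverlay"},
        ]},
    ],
}

# Constructed sample: the earlier same-Node draft (Egress after Forwarding,
# Egress reusing ForwardedOutOfOverlay), which the proposal argues against.
FIRST_DRAFT_SAME_NODE = {
    "source": "default/nginx",
    "destination": "142.250.195.46",
    "results": [
        {"node": "kind-worker2", "observations": [
            {"component": "SpoofGuard", "action": "Forwarded"},
            {"component": "Forwarding", "componentInfo": "Output",
             "action": "ForwardedOutOfOverlay"},
            {"component": "Egress", "action": "ForwardedOutOfOverlay",
             "EgressPolicy": "foobar", "EgressIP": "10.10.1.2"},
        ]},
    ],
}


def check_node_result(node_result: dict) -> list[str]:
    """Return a list of invariant violations for one Node's observations."""
    node = node_result["node"]
    obs = node_result.get("observations", [])
    problems: list[str] = []
    egress_idx = [i for i, o in enumerate(obs) if o["component"] == "Egress"]
    fwd_idx = [i for i, o in enumerate(obs) if o["component"] == "Forwarding"]

    # 1. ForwardedOutOfOverlay is a Forwarding action; no other component reports it.
    for o in obs:
        if o["action"] == "ForwardedOutOfOverlay" and o["component"] != "Forwarding":
            problems.append(f"{node}: ForwardedOutOfOverlay reported by {o['component']}")

    # 2. Every Egress observation uses an Egress action and carries the SNAT IP and policy.
    for i in egress_idx:
        o = obs[i]
        if o["action"] not in EGRESS_ACTIONS:
            problems.append(f"{node}: unexpected Egress action {o['action']}")
        for key in ("EgressIP", "EgressPolicy"):
            if key not in o:
                problems.append(f"{node}: Egress observation missing {key}")

    # 3. Egress is populated before Forwarding (Forwarding depends on the output port).
    if egress_idx and fwd_idx and egress_idx[0] > fwd_idx[0]:
        problems.append(f"{node}: Egress observation appears after Forwarding")

    # 4. On the source Node, the tunnel destination must be the Egress IP.
    for i in egress_idx:
        o = obs[i]
        if o["action"] == "ForwardedToEgressNode":
            tunnels = {obs[j].get("tunnelDstIP") for j in fwd_idx}
            if o.get("EgressIP") not in tunnels:
                problems.append(f"{node}: tunnelDstIP does not match EgressIP")

    # 5. On the Egress Node, the trace must end by leaving the overlay.
    if any(obs[i]["action"] == "MarkedForSNATByHost" for i in egress_idx):
        if not obs or obs[-1]["action"] != "ForwardedOutOfOverlay":
            problems.append(f"{node}: SNAT Node does not end with ForwardedOutOfOverlay")
    return problems


def check_traceflow(result: dict) -> list[str]:
    """Run per-Node checks plus a cross-Node consistency check on the Egress IP."""
    problems: list[str] = []
    for node_result in result["results"]:
        problems.extend(check_node_result(node_result))
    egress_ips = {o["EgressIP"] for nr in result["results"]
                  for o in nr["observations"]
                  if o["component"] == "Egress" and "EgressIP" in o}
    if len(egress_ips) > 1:
        problems.append(f"Nodes disagree on EgressIP: {sorted(egress_ips)}")
    return problems


if __name__ == "__main__":
    for name, sample in (("proposed", PROPOSED_REMOTE_NODE), ("first draft", FIRST_DRAFT_SAME_NODE)):
        print(name, "->", check_traceflow(sample) or "ok")
```

Run against the proposed layout the checker reports nothing; against the first draft it flags the reused ForwardedOutOfOverlay action, the non-Egress action name, and the Egress-after-Forwarding ordering, which are exactly the three points raised in the review above.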

I like @antoninbas's proposal above.

jianjuns avatar May 13 '22 21:05 jianjuns

  • why is the Egress component after the Forwarding component? I think from an implementation perspective at least, the Forwarding component is populated based on information such as the output port, which is computed at the end of the pipeline.

I didn't have a strong idea about the implementation when I was writing, so I just added the Egress component at the end. I will make the required changes.

  • why use the action ForwardedOutOfOverlay in the Egress component when it is used in the Forwarding component?

Will correct this.

  • for the When Egressing from a remote Node case, why not show the Egress component for the source Node, even though the packet still goes through the SNATTable?

To avoid duplication, I kept it on one Node only.

Thanks @antoninbas for your suggestions. I'll try to implement your proposal.

Atish-iaf avatar May 16 '22 05:05 Atish-iaf

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment, or this will be closed in 90 days

github-actions[bot] avatar Aug 15 '22 00:08 github-actions[bot]

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment, or this will be closed in 90 days

github-actions[bot] avatar Nov 14 '22 00:11 github-actions[bot]