Periodically sync permanent neighbors to ensure route correctness (#7238) (#7257)

In the current implementation, permanent neighbors are installed only once at startup.
However, these neighbors are critical for the functionality of routes managed by antrea-agent.
If they are accidentally deleted, the affected routes will break and remain non-functional
until antrea-agent is restarted.

This commit adds periodic syncing of permanent neighbors to ensure they are reinstalled
automatically if missing, improving the robustness and reliability of route management.

Signed-off-by: Hongliang Liu <[email protected]>

Author: hongliangl

pkg/agent/route/route_linux.go

@@ -291,7 +291,11 @@ func (c *Client) syncIPInfra() {
 	if err := c.syncRoute(); err != nil {
 		klog.ErrorS(err, "Failed to sync route")
 	}
-	klog.V(3).Info("Successfully synced iptables, ipset and route")
+	if err := c.syncNeighbor(); err != nil {
+		klog.ErrorS(err, "Failed to sync neighbor")
+	}
+
+	klog.V(3).Info("Successfully synced iptables, ipset, route and neighbor")
 }
 
 type routeKey struct {
@@ -392,6 +396,56 @@ func (c *Client) syncRoute() error {
 	return nil
 }
 
+type neighborKey struct {
+	ip  string
+	mac string
+}
+
+// syncNeighbor ensures that necessary neighbors exist on the Antrea gateway interface, as some routes managed by Antrea
+// depend on these neighbors.
+func (c *Client) syncNeighbor() error {
+	msg := netlink.Ndmsg{
+		Family: netlink.FAMILY_ALL,
+		Index:  uint32(c.nodeConfig.GatewayConfig.LinkIndex),
+		State:  netlink.NUD_PERMANENT,
+	}
+	neighborList, err := c.netlink.NeighListExecute(msg)
+	if err != nil {
+		return err
+	}
+	neighborKeys := sets.New[neighborKey]()
+	for i := range neighborList {
+		n := neighborList[i]
+		neighborKeys.Insert(neighborKey{
+			ip:  n.IP.String(),
+			mac: n.HardwareAddr.String(),
+		})
+	}
+	restoreNeighbor := func(neighbor *netlink.Neigh) bool {
+		if neighborKeys.Has(neighborKey{
+			ip:  neighbor.IP.String(),
+			mac: neighbor.HardwareAddr.String(),
+		}) {
+			return true
+		}
+		if err := c.netlink.NeighSet(neighbor); err != nil {
+			klog.ErrorS(err, "failed to sync neighbor", "Neighbor", neighbor)
+			return false
+		}
+		return true
+	}
+	c.nodeNeighbors.Range(func(_, v interface{}) bool {
+		return restoreNeighbor(v.(*netlink.Neigh))
+	})
+	if c.proxyAll {
+		c.serviceNeighbors.Range(func(_, v interface{}) bool {
+			return restoreNeighbor(v.(*netlink.Neigh))
+		})
+	}
+
+	return nil
+}
+
 // syncIPSet ensures that the required ipset exists, and it has the initial members.
 func (c *Client) syncIPSet() error {
 	// Create the ipsets to store all Pod CIDRs for constructing full-mesh routing in encap/noEncap/hybrid modes. In

pkg/agent/route/route_linux_test.go

@@ -115,6 +115,41 @@ func TestSyncRoutes(t *testing.T) {
 	assert.NoError(t, c.syncRoute())
 }
 
+func TestSyncNeighbors(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	mockNetlink := netlinktest.NewMockInterface(ctrl)
+
+	c := &Client{
+		netlink:          mockNetlink,
+		proxyAll:         true,
+		nodeNeighbors:    sync.Map{},
+		serviceNeighbors: sync.Map{},
+		nodeConfig: &config.NodeConfig{
+			GatewayConfig: &config.GatewayConfig{LinkIndex: 10, IPv4: net.ParseIP("192.168.0.1"), IPv6: net.ParseIP("aabb:ccdd::1")},
+			PodIPv4CIDR:   ip.MustParseCIDR("192.168.0.0/24"),
+			PodIPv6CIDR:   ip.MustParseCIDR("aabb:ccdd::/64"),
+		},
+	}
+
+	tamperedMAC, _ := net.ParseMAC("de:ad:be:ef:12:34")
+	tamperedNodeNeighbor1 := &netlink.Neigh{LinkIndex: 10, Family: netlink.FAMILY_V6, State: netlink.NUD_PERMANENT, IP: net.ParseIP("aabb:ccee::1"), HardwareAddr: tamperedMAC}
+	nodeNeighbor1 := &netlink.Neigh{LinkIndex: 10, Family: netlink.FAMILY_V6, State: netlink.NUD_PERMANENT, IP: net.ParseIP("aabb:ccee::1"), HardwareAddr: globalVMAC}
+	nodeNeighbor2 := &netlink.Neigh{LinkIndex: 10, Family: netlink.FAMILY_V6, State: netlink.NUD_PERMANENT, IP: net.ParseIP("aabb:ccdd::1"), HardwareAddr: globalVMAC}
+	serviceNeighbor1 := &netlink.Neigh{LinkIndex: 10, Family: netlink.FAMILY_V4, State: netlink.NUD_PERMANENT, IP: config.VirtualServiceIPv4, HardwareAddr: globalVMAC}
+	serviceNeighbor2 := &netlink.Neigh{LinkIndex: 10, Family: netlink.FAMILY_V6, State: netlink.NUD_PERMANENT, IP: config.VirtualServiceIPv6, HardwareAddr: globalVMAC}
+	mockNetlink.EXPECT().NeighListExecute(netlink.Ndmsg{Family: netlink.FAMILY_ALL, Index: 10, State: netlink.NUD_PERMANENT}).Return([]netlink.Neigh{*tamperedNodeNeighbor1, *serviceNeighbor1}, nil)
+	mockNetlink.EXPECT().NeighSet(nodeNeighbor1)
+	mockNetlink.EXPECT().NeighSet(nodeNeighbor2)
+	mockNetlink.EXPECT().NeighSet(serviceNeighbor2)
+
+	c.nodeNeighbors.Store("aabb:ccee::1", nodeNeighbor1)
+	c.nodeNeighbors.Store("aabb:ccdd::1", nodeNeighbor2)
+	c.serviceNeighbors.Store(config.VirtualServiceIPv4.String(), serviceNeighbor1)
+	c.serviceNeighbors.Store(config.VirtualServiceIPv6.String(), serviceNeighbor2)
+
+	assert.NoError(t, c.syncNeighbor())
+}
+
 func TestRestoreEgressRoutesAndRules(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	mockNetlink := netlinktest.NewMockInterface(ctrl)

pkg/agent/util/netlink/netlink_linux.go

@@ -46,6 +46,8 @@ type Interface interface {
 
 	NeighList(linkIndex, family int) ([]netlink.Neigh, error)
 
+	NeighListExecute(msg netlink.Ndmsg) ([]netlink.Neigh, error)
+
 	NeighSet(neigh *netlink.Neigh) error
 
 	NeighDel(neigh *netlink.Neigh) error