Test Wireguard

xliuxu · xliuxu · commit 6f2f8b16b8ad · 2025-11-27T12:14:39.000+08:00
Signed-off-by: Xu Liu &lt;xu.liu@broadcom.com&gt;
diff --git a/pkg/agent/route/route_linux.go b/pkg/agent/route/route_linux.go
@@ -316,14 +316,14 @@ func (c *Client) Initialize(nodeConfig *config.NodeConfig, done func()) error {
 		}
 	}
 
-	// In hybrid mode, traffic originating from remote Pod CIDRs is forwarded like this:
+	// In hybrid mode, or encap mode with WireGuard enabled, traffic originating from remote Pod CIDRs is forwarded like this:
 	//     remote Pods -> tunnel (remote Node OVS) -> tunnel (local Node OVS) -> antrea-gw0 (local Node) -> external network.
 	//
 	// To ensure reply packets follow a symmetric path, Antrea uses policy routing on the local Node. However, the
 	// kernel's strict RPF check only validates source paths against the main routing table. Since the transport
 	// interface (not antrea‑gw0) is listed as the next-hop for these routes, strict RPF drops the reply packets
 	// (because policy routing is ignored by rp_filter). As a result, we set its rp_filter to loose mode (2).
-	if c.egressEnabled && c.networkConfig.TrafficEncapMode == config.TrafficEncapModeHybrid {
+	if c.egressEnabled && (c.networkConfig.TrafficEncapMode == config.TrafficEncapModeHybrid || c.networkConfig.TrafficEncryptionMode == config.TrafficEncryptionModeWireGuard) {
 		if err := util.EnsureRPFilterOnInterface(c.nodeConfig.GatewayConfig.Name, 2); err != nil {
 			return fmt.Errorf("failed to set %s rp_filter to 2 (loose mode): %w", c.nodeConfig.GatewayConfig.Name, err)
 		}
@@ -337,7 +337,7 @@ func (c *Client) Initialize(nodeConfig *config.NodeConfig, done func()) error {
 		}
 	}
 	// Set up the policy routing ip rule to support Egress in hybrid mode.
-	if c.egressEnabled && c.networkConfig.TrafficEncapMode == config.TrafficEncapModeHybrid {
+	if c.egressEnabled && (c.networkConfig.TrafficEncapMode == config.TrafficEncapModeHybrid || c.networkConfig.TrafficEncryptionMode == config.TrafficEncryptionModeWireGuard) {
 		if err := c.initEgressIPRules(); err != nil {
 			return fmt.Errorf("failed to initialize ip rules for Egress in hybrid mode: %w", err)
 		}
@@ -540,7 +540,7 @@ func (c *Client) syncNeighbor() error {
 			return restoreNeighbor(v.(*netlink.Neigh))
 		})
 	}
-	if c.egressEnabled && c.networkConfig.TrafficEncapMode == config.TrafficEncapModeHybrid {
+	if c.egressEnabled && c.networkConfig.TrafficEncapMode == config.TrafficEncapModeHybrid || c.networkConfig.TrafficEncapMode == config.TrafficEncryptionModeWireGuard {
 		c.egressNeighbors.Range(func(_, v interface{}) bool {
 			return restoreNeighbor(v.(*netlink.Neigh))
 		})
@@ -902,7 +902,7 @@ func (c *Client) syncIPTables(cleanupStaleJumpRules bool) error {
 		jumpRules = append(jumpRules, jumpRule{iptables.FilterTable, iptables.InputChain, antreaInputChain, "Antrea: jump to Antrea input rules", false})
 		jumpRules = append(jumpRules, jumpRule{iptables.FilterTable, iptables.OutputChain, antreaOutputChain, "Antrea: jump to Antrea output rules", false})
 	}
-	if c.egressEnabled && c.networkConfig.TrafficEncapMode == config.TrafficEncapModeHybrid {
+	if c.egressEnabled && c.networkConfig.TrafficEncapMode == config.TrafficEncapModeHybrid || c.networkConfig.TrafficEncapMode == config.TrafficEncryptionModeWireGuard {
 		jumpRules = append(jumpRules, jumpRule{iptables.MangleTable, iptables.PostRoutingChain, antreaPostRoutingChain, "Antrea: jump to Antrea postrouting rules", false})
 	}
 
@@ -1152,7 +1152,7 @@ func (c *Client) restoreIptablesData(podCIDR *net.IPNet,
 	writeLine(iptablesData, "*mangle")
 	writeLine(iptablesData, iptables.MakeChainLine(antreaPreRoutingChain))
 	writeLine(iptablesData, iptables.MakeChainLine(antreaOutputChain))
-	if c.egressEnabled && c.networkConfig.TrafficEncapMode == config.TrafficEncapModeHybrid {
+	if c.egressEnabled && (c.networkConfig.TrafficEncapMode == config.TrafficEncapModeHybrid || c.networkConfig.TrafficEncapMode == config.TrafficEncryptionModeWireGuard) {
 		writeLine(iptablesData, iptables.MakeChainLine(antreaPostRoutingChain))
 	}
 
@@ -1163,7 +1163,7 @@ func (c *Client) restoreIptablesData(podCIDR *net.IPNet,
 		c.writeEKSMangleRules(iptablesData)
 	}
 
-	if c.egressEnabled && c.networkConfig.TrafficEncapMode == config.TrafficEncapModeHybrid {
+	if c.egressEnabled && (c.networkConfig.TrafficEncapMode == config.TrafficEncapModeHybrid || c.networkConfig.TrafficEncapMode == config.TrafficEncryptionModeWireGuard) {
 		writeLine(iptablesData, []string{
 			"-A", antreaPreRoutingChain,
 			"-m", "comment", "--comment", `"Antrea: restore fwmark from connmark for reply Egress packets to remote Pods"`,

Original file line number	Diff line number	Diff line change
`@@ -316,14 +316,14 @@ func (c Client) Initialize(nodeConfig config.NodeConfig, done func()) error {`
`316`	`316`	`}`
`317`	`317`	`}`
`318`	`318`
`319`		`- // In hybrid mode, traffic originating from remote Pod CIDRs is forwarded like this:`
	`319`	`+ // In hybrid mode, or encap mode with WireGuard enabled, traffic originating from remote Pod CIDRs is forwarded like this:`
`320`	`320`	`// remote Pods -> tunnel (remote Node OVS) -> tunnel (local Node OVS) -> antrea-gw0 (local Node) -> external network.`
`321`	`321`	`//`
`322`	`322`	`// To ensure reply packets follow a symmetric path, Antrea uses policy routing on the local Node. However, the`
`323`	`323`	`// kernel's strict RPF check only validates source paths against the main routing table. Since the transport`
`324`	`324`	`// interface (not antrea‑gw0) is listed as the next-hop for these routes, strict RPF drops the reply packets`
`325`	`325`	`// (because policy routing is ignored by rp_filter). As a result, we set its rp_filter to loose mode (2).`
`326`		`- if c.egressEnabled && c.networkConfig.TrafficEncapMode == config.TrafficEncapModeHybrid {`
	`326`	`+ if c.egressEnabled && (c.networkConfig.TrafficEncapMode == config.TrafficEncapModeHybrid \|\| c.networkConfig.TrafficEncryptionMode == config.TrafficEncryptionModeWireGuard) {`
`327`	`327`	`if err := util.EnsureRPFilterOnInterface(c.nodeConfig.GatewayConfig.Name, 2); err != nil {`
`328`	`328`	`return fmt.Errorf("failed to set %s rp_filter to 2 (loose mode): %w", c.nodeConfig.GatewayConfig.Name, err)`
`329`	`329`	`}`
`@@ -337,7 +337,7 @@ func (c Client) Initialize(nodeConfig config.NodeConfig, done func()) error {`
`337`	`337`	`}`
`338`	`338`	`}`
`339`	`339`	`// Set up the policy routing ip rule to support Egress in hybrid mode.`
`340`		`- if c.egressEnabled && c.networkConfig.TrafficEncapMode == config.TrafficEncapModeHybrid {`
	`340`	`+ if c.egressEnabled && (c.networkConfig.TrafficEncapMode == config.TrafficEncapModeHybrid \|\| c.networkConfig.TrafficEncryptionMode == config.TrafficEncryptionModeWireGuard) {`
`341`	`341`	`if err := c.initEgressIPRules(); err != nil {`
`342`	`342`	`return fmt.Errorf("failed to initialize ip rules for Egress in hybrid mode: %w", err)`
`343`	`343`	`}`
`@@ -540,7 +540,7 @@ func (c *Client) syncNeighbor() error {`
`540`	`540`	`return restoreNeighbor(v.(*netlink.Neigh))`
`541`	`541`	`})`
`542`	`542`	`}`
`543`		`- if c.egressEnabled && c.networkConfig.TrafficEncapMode == config.TrafficEncapModeHybrid {`
	`543`	`+ if c.egressEnabled && c.networkConfig.TrafficEncapMode == config.TrafficEncapModeHybrid \|\| c.networkConfig.TrafficEncapMode == config.TrafficEncryptionModeWireGuard {`
`544`	`544`	`c.egressNeighbors.Range(func(_, v interface{}) bool {`
`545`	`545`	`return restoreNeighbor(v.(*netlink.Neigh))`
`546`	`546`	`})`
`@@ -902,7 +902,7 @@ func (c *Client) syncIPTables(cleanupStaleJumpRules bool) error {`
`902`	`902`	`jumpRules = append(jumpRules, jumpRule{iptables.FilterTable, iptables.InputChain, antreaInputChain, "Antrea: jump to Antrea input rules", false})`
`903`	`903`	`jumpRules = append(jumpRules, jumpRule{iptables.FilterTable, iptables.OutputChain, antreaOutputChain, "Antrea: jump to Antrea output rules", false})`
`904`	`904`	`}`
`905`		`- if c.egressEnabled && c.networkConfig.TrafficEncapMode == config.TrafficEncapModeHybrid {`
	`905`	`+ if c.egressEnabled && c.networkConfig.TrafficEncapMode == config.TrafficEncapModeHybrid \|\| c.networkConfig.TrafficEncapMode == config.TrafficEncryptionModeWireGuard {`
`906`	`906`	`jumpRules = append(jumpRules, jumpRule{iptables.MangleTable, iptables.PostRoutingChain, antreaPostRoutingChain, "Antrea: jump to Antrea postrouting rules", false})`
`907`	`907`	`}`
`908`	`908`
`@@ -1152,7 +1152,7 @@ func (c Client) restoreIptablesData(podCIDR net.IPNet,`
`1152`	`1152`	`writeLine(iptablesData, "*mangle")`
`1153`	`1153`	`writeLine(iptablesData, iptables.MakeChainLine(antreaPreRoutingChain))`
`1154`	`1154`	`writeLine(iptablesData, iptables.MakeChainLine(antreaOutputChain))`
`1155`		`- if c.egressEnabled && c.networkConfig.TrafficEncapMode == config.TrafficEncapModeHybrid {`
	`1155`	`+ if c.egressEnabled && (c.networkConfig.TrafficEncapMode == config.TrafficEncapModeHybrid \|\| c.networkConfig.TrafficEncapMode == config.TrafficEncryptionModeWireGuard) {`
`1156`	`1156`	`writeLine(iptablesData, iptables.MakeChainLine(antreaPostRoutingChain))`
`1157`	`1157`	`}`
`1158`	`1158`
`@@ -1163,7 +1163,7 @@ func (c Client) restoreIptablesData(podCIDR net.IPNet,`
`1163`	`1163`	`c.writeEKSMangleRules(iptablesData)`
`1164`	`1164`	`}`
`1165`	`1165`
`1166`		`- if c.egressEnabled && c.networkConfig.TrafficEncapMode == config.TrafficEncapModeHybrid {`
	`1166`	`+ if c.egressEnabled && (c.networkConfig.TrafficEncapMode == config.TrafficEncapModeHybrid \|\| c.networkConfig.TrafficEncapMode == config.TrafficEncryptionModeWireGuard) {`
`1167`	`1167`	`writeLine(iptablesData, []string{`
`1168`	`1168`	`"-A", antreaPreRoutingChain,`
`1169`	`1169`	"-m", "comment", "--comment", `"Antrea: restore fwmark from connmark for reply Egress packets to remote Pods"`,