Add missing Node SNAT information to Antrea flow data #7544

@antoninbas

Description

Describe the problem/challenge you have
The Antrea FlowExporter includes Egress SNAT information in exported flow records, when an Egress SNAT policy is applied to the source Pod and the destination is external. The relevant Information Elements are: egressName, egressIP, egressNodeName, egressUUID, egressNodeUUID.

However, for Pod-to-External flows which use the "default" Node SNAT, we do not include the SNAT IP. This can make it difficult for an external collector to correlate Antrea flow records to records collected by the underlay network or at the destination.

Describe the solution you'd like
I would like a new Information Element to be introduced, e.g., nodeSnatIP, which will be set to the SNAT IP used when masquerading Pod-to-External traffic. The element will be unset / empty for 1) non-Pod-to-External flows, 2) Pod-to-External flows using Egress SNAT, 3) Pod-to-External flows which do not use SNAT (typically, that means Antrea is configured with noSNAT: true).

For reference, this is the code responsible for adding the Node SNAT iptables rule:

```go
if !c.noSNAT {
	// Masquerade packets leaving the local Pod CIDR for a non-Pod destination
	// on any interface other than the Antrea gateway.
	rule := []string{
		"-A", antreaPostRoutingChain,
		"-m", "comment", "--comment", `"Antrea: masquerade Pod to external packets"`,
		"-s", podCIDR.String(), "-m", "set", "!", "--match-set", podIPSet, "dst",
		"!", "-o", c.nodeConfig.GatewayConfig.Name,
		"-j", iptables.MasqueradeTarget,
	}
	if c.nodeSNATRandomFully {
		rule = append(rule, "--random-fully")
	}
	writeLine(iptablesData, rule...)
}
```

And this is an example rule:

```text
-A ANTREA-POSTROUTING -m comment --comment "Antrea: masquerade Pod to external packets" -s 172.16.10.0/24 -m set ! --match-set ANTREA-POD-IP dst ! -o antrea-gw0 -j MASQUERADE
```

Note that Antrea itself does not know which SNAT IP will be used: it depends on routing and which egress interface is used. As a result, a comprehensive implementation of this feature is likely to look like #7483: the FlowExporter needs to get the information from the default conntrack zone.
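As an added example (not Antrea's code), the following shows how an exporter could derive a nodeSnatIP value from a default-zone conntrack entry while respecting the three "unset" cases listed above: it reads the reply tuple to learn the post-SNAT source, then checks the Pod-to-External condition the iptables rule encodes, the no-SNAT case, and the Egress SNAT case. The conntrack line, addresses, and the podIPSet/egressIPs inputs are constructed for the example.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// ConntrackFlow is a minimal view of one entry in the default conntrack zone
// (constructed for this example). ReplyDst is the Pod's source address after SNAT.
type ConntrackFlow struct {
	OrigSrc, OrigDst, ReplyDst netip.Addr
}

// ParseConntrackLine reads a line in `conntrack -L` format: the first src=/dst=
// pair is the original direction, the second pair is the reply direction.
func ParseConntrackLine(line string) (ConntrackFlow, error) {
	var addrs []netip.Addr
	for _, field := range strings.Fields(line) {
		if k, v, ok := strings.Cut(field, "="); ok && (k == "src" || k == "dst") {
			a, err := netip.ParseAddr(v)
			if err != nil {
				return ConntrackFlow{}, err
			}
			addrs = append(addrs, a)
		}
	}
	if len(addrs) != 4 {
		return ConntrackFlow{}, fmt.Errorf("expected 4 addresses, got %d", len(addrs))
	}
	return ConntrackFlow{OrigSrc: addrs[0], OrigDst: addrs[1], ReplyDst: addrs[3]}, nil
}

// NodeSnatIP returns the address to export as nodeSnatIP, or ok=false when the
// element must stay unset: not Pod-to-External (the "-s podCIDR ! --match-set
// ANTREA-POD-IP dst" match), no SNAT (noSNAT: true), or an Egress IP was used.
func NodeSnatIP(f ConntrackFlow, localPodCIDR netip.Prefix, podIPSet []netip.Prefix, egressIPs map[netip.Addr]bool) (ip netip.Addr, ok bool) {
	if !localPodCIDR.Contains(f.OrigSrc) {
		return netip.Addr{}, false
	}
	for _, p := range podIPSet {
		if p.Contains(f.OrigDst) {
			return netip.Addr{}, false // Pod-to-Pod traffic is never masqueraded
		}
	}
	if f.ReplyDst == f.OrigSrc || egressIPs[f.ReplyDst] {
		return netip.Addr{}, false
	}
	return f.ReplyDst, true
}
```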


Labels

- area/flow-visibility: Issues or PRs related to flow visibility support in Antrea
- area/flow-visibility/exporter: Issues or PRs related to the Flow Exporter functions in the Agent
- kind/feature: Categorizes issue or PR as related to a new feature.
- priority/important-soon: Must be staffed and worked on either currently, or very soon, ideally in time for the next release.
