Send NDP NA message upon assigning egress IP

[wenqiq]

Send NDP NA message upon assigning egress IP

Implement Neighbor Discovery Protocol(NDP) neighbor advertisement for Egress IPv6 support.
Once an IPv6 IP address has been assigned to Node, an unsolicited Neighbor Advertisement ICMPv6
multicast packet will be sent, announcing the IP to all IPv6 nodes as per RFC4861.

Signed-off-by: Wenqi Qiu wenqiq@vmware.com

For #2128

[codecov-commenter]

Codecov Report

Merging #2196 (3f9890e) into main (1829d3a) will increase coverage by 4.55%.
The diff coverage is 42.00%.

@@            Coverage Diff             @@
##             main    #2196      +/-   ##
==========================================
+ Coverage   60.76%   65.32%   +4.55%     
==========================================
  Files         286      287       +1     
  Lines       23096    26548    +3452     
==========================================
+ Hits        14034    17342    +3308     
- Misses       7592     7615      +23     
- Partials     1470     1591     +121     

Flag	Coverage Δ
e2e-tests	56.07% <6.00%> (?)
kind-e2e-tests	47.46% <0.00%> (-0.29%)	⬇️
unit-tests	41.46% <47.36%> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
.../controller/egress/ipassigner/ip_assigner_linux.go	62.50% <33.33%> (+62.50%)	⬆️
pkg/util/ip/ip.go	67.04% <40.00%> (-8.67%)	⬇️
pkg/agent/util/ndp/ndp_linux.go	44.44% <44.44%> (ø)
pkg/controller/egress/ipallocator/allocator.go	65.00% <0.00%> (-15.42%)	⬇️
pkg/controller/networkpolicy/endpoint_querier.go	77.64% <0.00%> (-13.79%)	⬇️
pkg/apis/controlplane/v1beta1/conversion.go	72.51% <0.00%> (-12.19%)	⬇️
pkg/legacyapis/core/v1alpha2/register.go	69.23% <0.00%> (-10.77%)	⬇️
pkg/apis/stats/register.go	71.42% <0.00%> (-10.39%)	⬇️
pkg/legacyapis/stats/register.go	71.42% <0.00%> (-10.39%)	⬇️
pkg/ovs/openflow/ofctrl_meter.go	33.84% <0.00%> (-10.16%)	⬇️
... and 274 more

[tnqn]

Thanks @wenqiq. Want to check with you if it can be simplified.

[wenqiq]

@tnqn @xliuxu I updated the patch and used a function to implement NDP neighbor advertisement. PTAL. Thanks.

[tnqn]

Suggested change

	// NeighborAdvertisement sends an NDP Neighbor Advertisement over interface 'iface' from 'srcIP'.
	// NeighborAdvertisement sends a NDP Neighbor Advertisement over interface 'iface' from 'srcIP'.

[wenqiq]

done

[tnqn]

Suggested change

	ipAddr := &net.IPAddr{}
	var ipAddr *net.IPAddr

Since you create a new instance in the loop.

[wenqiq]

done

[tnqn]

why it needs to listen incoming icmp packets? I thought it just sends an unsolicited NA?

[wenqiq]

done, use syscall.Socket to send a NA message
syscall.Socket(syscall.AF_INET6, syscall.SOCK_RAW, syscall.IPPROTO_ICMPV6)

[tnqn]

why the hopLimit is set multiple times? I assume only one takes effect.

[wenqiq]

done

[tnqn]

If we don't set src, will the OS pick one from the interface?

[wenqiq]

updated, PTAL.

[wenqiq]

Do you have any comments or considerations about this PR? @tnqn

[tnqn]

I assume you have tested this PR in a IPv6 cluster and it worked? Have you checked whether the generated NDP packet can fresh an external Node's ip neighbor cache?

[tnqn]

as we have verified the IP, maybe just use "else" to avoid a repeated conversion.

[wenqiq]

Done

I assume you have tested this PR in a IPv6 cluster and it worked? Have you checked whether the generated NDP packet can fresh an external Node's ip neighbor cache?

I have tested and I will put some test data here soon.

[wenqiq]

The external Node can receive the NDP NA or GratuitousARP packets, but IP neighbor cache didn't fresh.

[tnqn]

IIRC, receiving GARP will only flush the stale entry and won't add a new entry, is this your observation? or the stale entry was not deleted? You mean both NDP NA and GARP didn't work?

[wenqiq]

I think both NDP NA and GARP can work, sent message packets successfully. The integration test seems back to normal.

I have tested the basic IPv6 SNAT function and put some info in my repo. PTAL. @tnqn

https://github.com/wenqiq/antrea/blob/egress-ndp-demonstration/docs/egress-ipv6/egress-ipv6-practice.md

[tnqn]

Maybe put it to pkg/util/ip/ip.go like

antrea/pkg/util/ip/ip.go

Lines 174 to 181 in fe4457f

	// MustParseCIDR turns the given string into IPNet or panics, for tests or other cases where the string must be valid.
	func MustParseCIDR(cidr string) *net.IPNet {
	_, ipNet, err := net.ParseCIDR(cidr)
	if err != nil {
	panic(fmt.Errorf("cannot parse '%v': %v", cidr, err))
	}
	return ipNet
	}

It can be used in other cases too. I think you don't need to check the result since it's only used when we know the IP must be valid.

[wenqiq]

Done

[tnqn]

LGTM

[tnqn]

integration test failed:

failed to send neighbor advertisement: new NDP Neighbor Advertisement Message error: hardwareAddr length error: 

[tnqn]

It seems that the code for IPv4 is also wrong as HardwareAddr is always empty if the dummy device is newly created.

Requested changed

[wenqiq]

It seems that the code for IPv4 is also wrong as HardwareAddr is always empty if the dummy device is newly created.

In the test case we use local IP "127.0.0.1" to get IPNetDevice and the interface doesn't have a HardwareAddr which cause testing fail.

ipassigner.NewIPAssigner(net.ParseIP("127.0.0.1"), dummyDeviceName)

func NewIPAssigner(nodeIPAddr net.IP, dummyDeviceName string) (*ipAssigner, error) {
	_, egressInterface, err := util.GetIPNetDeviceFromIP(nodeIPAddr)

[wenqiq]

Rebased upstream main branch and fixed grammer issues in commit message.
/test-all

[tnqn]

LGTM, will wait for one day before merging in case anyone wants to take another look

[tnqn]

/test-all

[tnqn]

/test-ipv6-all

[tnqn]

@wenqiq I just notice the tests still don't run on IPv6 clusters. Can you have a following-up PR to enable egress tests on IPv6 and dual-stack clusters? otherwise we wouldn't know when it's broken by accident.

[tnqn]

"Go / Check tidy, code generation and manifest (pull_request)" failed, which may be because go 1.17 update. Please update your local go version and regenerate the code.

[wenqiq]

@wenqiq I just notice the tests still don't run on IPv6 clusters. Can you have a following-up PR to enable egress tests on IPv6 and dual-stack clusters? otherwise we wouldn't know when it's broken by accident.

Sure, will implement it.

"Go / Check tidy, code generation and manifest (pull_request)" failed, which may be because go 1.17 update. Please update your local go version and regenerate the code.

It seems there is no generated code or manifest changes in this PR.

[wenqiq]

Rebased upstream/main.
/test-all

[tnqn]

/test-ipv6-all

[tnqn]

/test-ipv6-only-all

[tnqn]

/test-e2e

[wenqiq]

It seems jenkins-ipv6-only-e2e test failed? How can we get the test result details?

[tnqn]

I checked the IPv6 e2e tests failed on go build issue, which may be related to Go version upgrade. Since we haven't enabled egress test on IPv6, it shouldn't be affected in theory. I'm going to merge this. @wenqiq will have a follow-up PR for enabling egress test on IPv6 cluster.