[Bug Fix]Fix infinite rejection loop by adding ingress/egress bypass flows

[GraysonWu]

This PR fixes issue #2548
This PR added some bypass flows in the ingress and egress table to make sure reject responses won't be enforced by network policies.

Why we need it
Previously, reject responses are controlled by network policies, which means that reject responses could also be rejected. It may cause an infinite loop of rejecting reject responses in the OVS pipeline.
Instead of Reject reject response, now we choose to Allow the reject responses.

Added Flows

table=45/50/60/85/90/100, priority=64990,ct_state=-new+rel,ip actions=resubmit(,61/101)
table=45/50/60/85/90/100, priority=64990,ip,reg0=0x2000000/0x7000000 actions=resubmit(,61/101)

Example
Suppose we have:

• PodA on NodeA
• PodB on NodeB
• PolicyA: appliedTo: PodA, ingress: Reject from PodB
• PolicyB: appliedTo: PodB, ingress: Reject from PodA, egress: Reject to PodA

When PodA tries to talk to PodB using UDP, the process will be:

1. The packet will commit a conntrack on NodeA, then leave NodeA.
2. NodeB receives this packet. Due to the ingress rule of PolicyB, a reject response is generated by the controller with reg loaded.
3. Thanks to the second bypass flow above this reject response can bypass the egress rule of PolicyB, then leave NodeB
4. NodeA receives this reject response, an ICMP Destination Host Prohibited, whose ct_state is -new+rel.
5. Thanks to the first bypass flow above this reject response can bypass the ingress rule of PolicyA, then PodA will receive it.

If in the beginning, PodA uses TCP to talk to PodB, then in step 4 above a TCP RST whose ct_state is -new+est will be received. And the bypass flow for ct_state=-new+est has already existed, so we don't need to handle it in this PR.

[codecov-commenter]

Codecov Report

Merging #2579 (7f9d488) into main (fe12a1b) will increase coverage by 0.15%.
The diff coverage is 93.93%.

@@            Coverage Diff             @@
##             main    #2579      +/-   ##
==========================================
+ Coverage   60.23%   60.38%   +0.15%     
==========================================
  Files         282      282              
  Lines       22337    22403      +66     
==========================================
+ Hits        13454    13529      +75     
+ Misses       7459     7444      -15     
- Partials     1424     1430       +6     

Flag	Coverage Δ
e2e-tests	∅ <ø> (?)
kind-e2e-tests	47.34% <93.93%> (+0.16%)	⬆️
unit-tests	42.05% <0.00%> (-0.14%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/agent/openflow/client.go	58.51% <0.00%> (-0.57%)	⬇️
pkg/agent/openflow/pipeline.go	74.86% <100.00%> (+1.22%)	⬆️
pkg/agent/util/ethtool/ethtool_linux.go	70.00% <0.00%> (-10.00%)	⬇️
pkg/agent/cniserver/pod_configuration.go	56.74% <0.00%> (+1.19%)	⬆️
pkg/ovs/openflow/ofctrl_builder.go	58.04% <0.00%> (+1.26%)	⬆️
...gent/controller/noderoute/node_route_controller.go	58.89% <0.00%> (+1.29%)	⬆️
pkg/monitor/controller.go	29.10% <0.00%> (+1.49%)	⬆️
pkg/controller/networkpolicy/status_controller.go	73.20% <0.00%> (+1.96%)	⬆️

[tnqn]

Code LGTM, but DCO and commit message is missing

[GraysonWu]

Added.

[GraysonWu]

/test-all

[Dyanngg]

code LGTM, nit in the PR description: let's mention the TCP reject response will also hit ct_state -new+rel?

[GraysonWu]

code LGTM, nit in the PR description: let's mention the TCP reject response will also hit ct_state -new+rel?

@Dyanngg For TCP, it will hit the flow with ct_state=-new+est which we already have. Updated the description to reduce confusion.

[antoninbas]

I don't understand why these flows are added by the establishedConnectionFlows function. A related connection is not an established connection, and the flow used to match reject traffic injected by the agent has nothing to do with established connections either?

[GraysonWu]

Good one. I separated them.

[antoninbas]

LGTM, will wait for @tnqn to approve

[GraysonWu]

/test-all

[tnqn]

LGTM

[tnqn]

I edited the commit message when merging it. It would be better to wrap the message to ~76 characters per line in the original commit in the future.