[IPv6] Support flow exporter

[lzhecheng]

Support IPv4 or IPv6 flow exporter address.

[antrea-bot]

Thanks for your PR.
Unit tests and code linters are run automatically every time the PR is updated.
E2e, conformance and network policy tests can only be triggered by a member of the vmware-tanzu organization. Regular contributors to the project should join the org.

The following commands are available:

• /test-e2e: to trigger e2e tests.
• /skip-e2e: to skip e2e tests.
• /test-conformance: to trigger conformance tests.
• /skip-conformance: to skip conformance tests.
• /test-whole-conformance: to trigger all conformance tests on linux.
• /skip-whole-conformance: to skip all conformance tests on linux.
• /test-networkpolicy: to trigger networkpolicy tests.
• /skip-networkpolicy: to skip networkpolicy tests.
• /test-windows-conformance: to trigger windows conformance tests.
• /skip-windows-conformance: to skip windows conformance tests.
• /test-windows-networkpolicy: to trigger windows networkpolicy tests.
• /skip-windows-networkpolicy: to skip windows networkpolicy tests.
• /test-hw-offload: to trigger ovs hardware offload test.
• /skip-hw-offload: to skip ovs hardware offload test.
• /test-all: to trigger all tests (except whole conformance).
• /skip-all: to skip all tests (except whole conformance).

[lzhecheng]

@antoninbas could you please help push a newer version of ipfix-collector? --enable-ipv6 is needede for libipfix.
https://github.com/vmware-tanzu/antrea/pull/1444/files#diff-f6c3a6c603b9babc9ec5a69428cc251e937906c8e25e2ea753afbdb69795a9f8

[codecov-io]

Codecov Report

Merging #1444 into ipv6 will decrease coverage by 26.10%.
The diff coverage is 22.82%.

@@             Coverage Diff             @@
##             ipv6    #1444       +/-   ##
===========================================
- Coverage   67.71%   41.61%   -26.11%     
===========================================
  Files         165       85       -80     
  Lines       13060    10729     -2331     
===========================================
- Hits         8844     4465     -4379     
- Misses       3284     5864     +2580     
+ Partials      932      400      -532     

Flag	Coverage Δ
integration-tests	?
kind-e2e-tests	?
unit-tests	41.61% <22.82%> (-0.68%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/agent/agent.go	12.20% <0.00%> (-37.65%)	⬇️
pkg/agent/config/node_config.go	0.00% <0.00%> (-100.00%)	⬇️
pkg/agent/util/iptables/iptables.go	0.00% <0.00%> (-62.50%)	⬇️
pkg/agent/util/net.go	31.81% <0.00%> (-32.47%)	⬇️
pkg/agent/util/net_linux.go	0.00% <0.00%> (-46.25%)	⬇️
pkg/antctl/antctl.go	100.00% <ø> (ø)
pkg/ovs/openflow/ofctrl_builder.go	21.34% <0.00%> (-56.95%)	⬇️
pkg/agent/openflow/pipeline.go	21.17% <12.44%> (-59.98%)	⬇️
pkg/agent/openflow/client.go	10.38% <37.03%> (-57.48%)	⬇️
pkg/agent/flowexporter/connections/connections.go	64.48% <50.00%> (-17.07%)	⬇️
... and 146 more

[antoninbas]

@lzhecheng please review and merge #1449
I have already pushed the new tag (antrea/ipfix-collector:10282020.1) to Dockerhub

[lzhecheng]

/test-e2e
/test-ipv6-e2e
/test-ipv6-only-e2e

[lzhecheng]

/test-e2e
/test-ipv6-e2e
/test-ipv6-only-e2e

[lzhecheng]

/test-e2e
/test-ipv6-e2e
/test-ipv6-only-e2e

[lzhecheng]

/test-e2e
/test-ipv6-e2e
/test-ipv6-only-e2e

[srikartati]

Thanks for the PR, Zhecheng.

As Antrea Proxy plans to support IPv6, "destinationClusterIP" IPFIX field in Antrea registry need to support both fields IPv4 and IPv6. Currently, in Antrea registry, we have only IPv4 field for clusterIP. Will raise a PR in go-ipfix to support both fields.

[srikartati]

Don't we need 16 bytes for IPv6 slice?

[lzhecheng]

I think we are using string as input and output here?

[srikartati]

My question was about number of bytes in considered address: fe80:1:2::3. I think rest of the bytes are 0s in 16 byte address--is that correct? Maybe a better example for IPv6 address is to consider whole 16 byte address?

[lzhecheng]

Yes. Got it. Updated.

[srikartati]

why no test with IANAInfoElementsIPv6? Are you waiting for the fix in go-ipfix?

[lzhecheng]

Make sense. Updated test for IPv6.

[srikartati]

Are we seeing correct IPv6 address in flow records?
With the current go-ipfix code, ipv6 addresses do not get encoded on to flow records in the exporter code.
https://github.com/vmware/go-ipfix/blob/master/pkg/entities/ie.go#L390

[srikartati]

I see that ipv6 encoding is being supported in release-0.2.0 branch, which is currently used in Antrea. However, it is missing in the master branch. This needs to be fixed if we move to future releases.

https://github.com/vmware/go-ipfix/blob/release-0.2.0/pkg/entities/record.go#L208

Ignore the above comment.

[srikartati]

Just FYI, the master branch issue is taken care of in this PR: vmware/go-ipfix#64

[srikartati]

We support destination clusterIP IPv6 address in this patch release: https://github.com/vmware/go-ipfix/releases/tag/v0.2.3
Please use that to add IPv6 destination cluster IP for Pod-To-Service flows.

[srikartati]

My question was about number of bytes in considered address: fe80:1:2::3. I think rest of the bytes are 0s in 16 byte address--is that correct? Maybe a better example for IPv6 address is to consider whole 16 byte address?

[srikartati]

Just FYI, the master branch issue is taken care of in this PR: vmware/go-ipfix#64

[antrea-bot]

Thanks for your PR.
Unit tests and code linters are run automatically every time the PR is updated.
E2e, conformance and network policy tests can only be triggered by a member of the vmware-tanzu organization. Regular contributors to the project should join the org.

The following commands are available:

• /test-e2e: to trigger e2e tests.
• /skip-e2e: to skip e2e tests.
• /test-conformance: to trigger conformance tests.
• /skip-conformance: to skip conformance tests.
• /test-all-features-conformance: to trigger conformance tests with all alpha features enabled.
• /skip-all-features-conformance: to skip conformance tests with all alpha features enabled.
• /test-whole-conformance: to trigger all conformance tests on linux.
• /skip-whole-conformance: to skip all conformance tests on linux.
• /test-networkpolicy: to trigger networkpolicy tests.
• /skip-networkpolicy: to skip networkpolicy tests.
• /test-windows-conformance: to trigger windows conformance tests.
• /skip-windows-conformance: to skip windows conformance tests.
• /test-windows-networkpolicy: to trigger windows networkpolicy tests.
• /skip-windows-networkpolicy: to skip windows networkpolicy tests.
• /test-hw-offload: to trigger ovs hardware offload test.
• /skip-hw-offload: to skip ovs hardware offload test.
• /test-all: to trigger all tests (except whole conformance).
• /skip-all: to skip all tests (except whole conformance).

[srikartati]

I see there are a lot of commits are added to the PR--a total of 86 files. Is this PR still valid? Is it because of rebasing the ipv6 branch with the master?

[lzhecheng]

I see there are a lot of commits are added to the PR--a total of 86 files. Is this PR still valid? Is it because of rebasing the ipv6 branch with the master?

Yes, it is due to ipv6 branch updating to the master. This PR should rebase then.

[jianjuns]

Maybe add a comment in antrea-agent.conf about IPv6 is supported for flowCollectorAddr.

[lzhecheng]

Updated.

[jianjuns]

If ConnectionStore.serviceCIDR is used only here, we just need to pass and save a v4 or v6 flag in the ConnectionStore struct?

[lzhecheng]

Make sense. Updated.

[lzhecheng]

PR #1541 replaces this PR after ipv6 branch is merged to master.