Set default flag to 2 for TCP traceflow #4948
Conversation
There was a problem hiding this comment.
I am fine with merging this, but maybe we should revisit this old issue (#1852) and instead make Traceflow more user-friendly by automatically setting the SYN bit. Users would still be able to clear the TCP flags by providing tcp_flags=0.
|
@antoninbas thanks for the input, I do feel we'd better to keep the same behaviors for both cases when Pod or Service as the destination. I noticed that the flag is set as 2 when the destination is Service by default in traceflow controller, not sure why it's not set for Pod case. Let's see what's @tnqn opinion. |
luolanzone
added
the
kind/documentation
I don't know the history regarding this. But defaulting tcp flags works for me. Where is the flag set for Service? |
|
@tnqn here is the code https://github.com/antrea-io/antrea/blob/main/pkg/agent/controller/traceflow/traceflow_controller.go#L500-L504, when it's not live traffic traceflow, it will set default flag as 2. |
luolanzone
force-pushed
the
update-example
branch
from
a5f7e2c
to
4e9a1a1
Compare
|
@tnqn @antoninbas could you review again? I updated the code to set a TCP flag to 2 by default. |
luolanzone
changed the title
luolanzone
force-pushed
the
update-example
branch
from
4e9a1a1
to
6aa14ab
Compare
| @@ -536,6 +536,9 @@ func (c *Controller) preparePacket(tf *crdv1alpha1.Traceflow, intf *interfacesto | |||
| if tf.Spec.Packet.TransportHeader.TCP.Flags != 0 { | |||
| packet.TCPFlags = uint8(tf.Spec.Packet.TransportHeader.TCP.Flags) | |||
| } | |||
| if !liveTraffic && tf.Spec.Packet.TransportHeader.TCP.Flags == 0 { | |||
There was a problem hiding this comment.
this code needs to be revisited for this PR:
antrea/pkg/agent/controller/traceflow/traceflow_controller.go
Lines 500 to 504 in 01817a5
The comment is no longer relevant and it is confusing to set the TCP flags in 2 places.
There was a problem hiding this comment.
Remove this part since we always set it as 2 by default.
There was a problem hiding this comment.
So I guess by setting the TCP flags here, it is not possible for the users to force the flags to be 0. I don't know if this is an issue at all though, since Traceflow is unlikely to be useful when the SYN flag is not set.
@tnqn what do you think? When we promote the API to beta, should be make the Flags field a pointer instead (*int32)?
There was a problem hiding this comment.
tcp_flags 0 seems only useful when we want to verify the pipeline can drop TCP NULL scan. I'm fine with changing the field to pointer to make the use case supported.
docs/antctl.md
Outdated
| # Start a Traceflow from pod1 to pod2, with a TCP SYN packet to destination port 1234 | ||
| # tcp_flags will be 2 by default when it's not provided. | ||
| $ antctl traceflow -S pod1 -D pod2 -f tcp,tcp_dst=1234,tcp_flags=2 |
There was a problem hiding this comment.
Not sure why we are adding this example at all, since the flags are now being set by default. Explicitly using tcp_flags=2 is a bit misleading?
docs/traceflow-guide.md
Outdated
| @@ -89,6 +89,7 @@ spec: | |||
| tcp: | |||
| srcPort: 10000 # Source port needs to be set when Protocol is TCP/UDP. | |||
| dstPort: 80 # Destination port needs to be set when Protocol is TCP/UDP. | |||
| flags: 2 # Construct a SYN packet, when Protocol is TCP, flags will be set to 2 by default when it's not provided. | |||
There was a problem hiding this comment.
| flags: 2 # Construct a SYN packet, when Protocol is TCP, flags will be set to 2 by default when it's not provided. | |
| flags: 2 # Construct a SYN packet: 2 is also the default value when the flags field is omitted. |
Signed-off-by: Lan Luo <luola@vmware.com>
luolanzone
force-pushed
the
update-example
branch
from
6aa14ab
to
be4460c
Compare
antoninbas
removed
the
kind/documentation
| @@ -536,6 +536,9 @@ func (c *Controller) preparePacket(tf *crdv1alpha1.Traceflow, intf *interfacesto | |||
| if tf.Spec.Packet.TransportHeader.TCP.Flags != 0 { | |||
| packet.TCPFlags = uint8(tf.Spec.Packet.TransportHeader.TCP.Flags) | |||
| } | |||
| if !liveTraffic && tf.Spec.Packet.TransportHeader.TCP.Flags == 0 { | |||
There was a problem hiding this comment.
So I guess by setting the TCP flags here, it is not possible for the users to force the flags to be 0. I don't know if this is an issue at all though, since Traceflow is unlikely to be useful when the SYN flag is not set.
@tnqn what do you think? When we promote the API to beta, should be make the Flags field a pointer instead (*int32)?
|
/test-all |
|
/test-e2e |
tnqn
added
the
action/release-note
Signed-off-by: Lan Luo <luola@vmware.com>
Resolves #4897