Refine the default flow in ARPSpoofGuardTable

[hongliangl]

The current default flow in ARPSpoofGuardTable forwards packets to ARPResponderTable, which is ineffective in preventing ARP spoofing. To rectify this, the proposed solution is to modify the action of the default flow within ARPSpoofGuardTable to drop the packets.

[hongliangl]

@gran-vmv Could you help verify that if this change will affect AntreaIPAM?

[gran-vmv]

@gran-vmv Could you help verify that if this change will affect AntreaIPAM?

I think current flows can handle AntreaIPAM ARP request, but you should run e2e to check.

[hongliangl]

/test-all

[wenyingd]

Question: what kind of traffic is expected to go into ARPResponderTable? If the default behavior in ARPSpoofGuardTable is drop, I didn't find a flow explicitly resubmit packets to ARPResponderTable, does it mean flows in responder table are not consumed?

[hongliangl]

Question: what kind of traffic is expected to go into ARPResponderTable? If the default behavior in ARPSpoofGuardTable is drop, I didn't find a flow explicitly resubmit packets to ARPResponderTable, does it mean flows in responder table are not consumed?

For example:

1. table=ARPSpoofGuard, priority=200,arp,in_port="antrea-gw0",arp_spa=10.10.0.1,arp_sha=26:4a:01:f6:69:05 actions=resubmit(,ARPResponder)
2. table=ARPSpoofGuard, priority=200,arp,in_port="coredns--24abdc",arp_spa=10.10.0.2,arp_sha=ce:3f:72:79:fa:e5 actions=resubmit(,ARPResponder)
3. table=ARPSpoofGuard, priority=200,arp,in_port="coredns--f86959",arp_spa=10.10.0.3,arp_sha=ca:90:de:6e:d4:06 actions=resubmit(,ARPResponder)
4. table=ARPSpoofGuard, priority=0 actions=drop

The packets matched by flows 1-3 will be consumed in ARPResponderTable.

[wenyingd]

LGTM

[tnqn]

LGTM

[tnqn]

/test-conformance

[gran-vmv]

Why jenkins-flexible-ipam-e2e is not in CI pipelines?

[tnqn]

/test-flexible-ipam-e2e

[tnqn]

Please check if the failure in jenkins-flexible-ipam-e2e is related

[hongliangl]

/test-flexible-ipam-e2e

[hongliangl]

/test-flexible-ipam-e2e

[hongliangl]

/test-flexible-ipam-e2e

[hongliangl]

/test-flexible-ipam-e2e

[hongliangl]

/test-flexible-ipam-e2e

[hongliangl]

Flexible IPAM e2e also gets the same failure test cases without any code change. These cases are:

• TestClusterIPv4/HostNetwork_Endpoints/Connect_to_Service_ClusterIP_from_Pod
• TestPrometheus/testPrometheusServerAgentMetrics

[hongliangl]

Flexible IPAM e2e also gets the same failure test cases without any code change. These cases are:

• TestClusterIPv4/HostNetwork_Endpoints/Connect_to_Service_ClusterIP_from_Pod
• TestPrometheus/testPrometheusServerAgentMetrics

@tnqn @gran-vmv I think the failure of these two cases is not lated to the current patch. Could we merge this first?

[gran-vmv]

/test-flexible-ipam-e2e

[gran-vmv]

Flexible IPAM e2e also gets the same failure test cases without any code change. These cases are:

• TestClusterIPv4/HostNetwork_Endpoints/Connect_to_Service_ClusterIP_from_Pod
• TestPrometheus/testPrometheusServerAgentMetrics

@tnqn @gran-vmv I think the failure of these two cases is not lated to the current patch. Could we merge this first?

It seems some recent changes broke these e2e cases.