From 4ec48b8500e387b70308b10b0299c60533c23e2d Mon Sep 17 00:00:00 2001
From: Antonin Bas
Date: Thu, 29 Apr 2021 16:59:39 -0700
Subject: [PATCH] Drop eth0 packets in PREROUTING on Kind Nodes

According to the OVS documentation:

On Linux, when a physical interface is in use by the userspace datapath, packets received on the interface still also pass into the kernel TCP/IP stack. This can cause surprising and incorrect behavior. You can use "iptables" to avoid this behavior, by using it to drop received packets.

The OVS documentation suggests dropping packets in the INPUT and FORWARD chains. However, this is not sufficient for some edge cases. For example, when receiving a TCP RST packet, the packet will clear the conntrack entry for the TCP connection before it can be dropped, which can cause the "second" TCP RST packet (the one processed by OVS userspace) to be marked as invalid when going through conntrack.

So instead we drop the packet in PREROUTING:

iptables -t raw -A PREROUTING -i eth0 -j DROP

This rule is added to the start_ovs_netdev script.

By adding this rule, we no longer need to skip TCP e2e tests for the Reject NetworkPolicy Action in Kind clusters. It's possible that this is also going to help with various connectivity issues we observed with Antrea in Kind over time. For example, I believe we may also be able to remove the hack which reduces the value of the tcp_retries2 sysctl parameter. I need to run tests to confirm.

Fixes #2025

Signed-off-by: Antonin Bas
---
 build/images/scripts/start_ovs_netdev | 2 ++
 hack/kind-fix-networking.sh | 2 --
 test/e2e/antreapolicy_test.go | 6 ------
 test/e2e/fixtures.go | 10 ----------
 4 files changed, 2 insertions(+), 18 deletions(-)

diff --git a/build/images/scripts/start_ovs_netdev b/build/images/scripts/start_ovs_netdev
index 89b5e883817..9ba89c2e455 100755
--- a/build/images/scripts/start_ovs_netdev
+++ b/build/images/scripts/start_ovs_netdev
@@ -35,6 +35,7 @@ function add_br_phy {
     ip addr flush dev eth0 2>/dev/null
     ip link set eth0 up
     ip route add default via "$gw" dev br-phy
+    iptables -t raw -A PREROUTING -i eth0 -j DROP
 }
 
 function del_br_phy {
@@ -44,6 +45,7 @@ function del_br_phy {
     ip addr add "$inet" dev eth0
     ip link set eth0 up
     ip route add default via "$gw" dev eth0
+    iptables -t raw -D PREROUTING -i eth0 -j DROP
 }
 
 function start_ovs {
diff --git a/hack/kind-fix-networking.sh b/hack/kind-fix-networking.sh
index c0460087569..e6351c4afcd 100755
--- a/hack/kind-fix-networking.sh
+++ b/hack/kind-fix-networking.sh
@@ -29,6 +29,4 @@ for node in "$@"; do
     peerName=$(docker run --net=host antrea/ethtool:latest ip link | grep ^"$peerIdx": | awk -F[:@] '{ print $2 }' | cut -c 2-)
     echo "Disabling TX checksum offload for node $node ($peerName)"
     docker run --net=host --privileged antrea/ethtool:latest ethtool -K "$peerName" tx off
-    # Workaround for https://github.com/antrea-io/antrea/issues/324
-    docker exec "$node" sysctl -w net.ipv4.tcp_retries2=4
 done
diff --git a/test/e2e/antreapolicy_test.go b/test/e2e/antreapolicy_test.go
index bc1f488ecb4..4569a6489e7 100644
--- a/test/e2e/antreapolicy_test.go
+++ b/test/e2e/antreapolicy_test.go
@@ -32,7 +32,6 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/wait"
 
-	"antrea.io/antrea/pkg/agent/config"
 	crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1"
 	crdv1alpha2 "antrea.io/antrea/pkg/apis/crd/v1alpha2"
 	crdv1alpha3 "antrea.io/antrea/pkg/apis/crd/v1alpha3"
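Review bot: The `iptables -t raw -A PREROUTING -i eth0 -j DROP` added to add_br_phy is not idempotent: if add_br_phy runs again without del_br_phy having run first (a container restart or a re-run after a partial failure), `-A` appends a second identical rule and the single `-D` in the del_br_phy hunk then removes only one of them, so eth0 stays blackholed after the bridge is torn down. A check-before-add guard keeps the rule at most once: `iptables -t raw -C PREROUTING -i eth0 -j DROP 2>/dev/null || iptables -t raw -A PREROUTING -i eth0 -j DROP`. The rule also only covers IPv4; if eth0 carries IPv6 traffic on these Nodes, the same leak into the kernel stack presumably still applies and an equivalent ip6tables rule would be needed in both functions — worth confirming against the cluster's address family. The bodies of add_br_phy and del_br_phy both start outside their respective hunks.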
@@ -1796,11 +1795,6 @@ func testACNPRejectEgress(t *testing.T) {
 
 // testACNPRejectIngress tests that a ACNP is able to reject egress traffic from pods labelled A to namespace Z.
 func testACNPRejectIngress(t *testing.T, data *TestData, protocol v1.Protocol) {
-	// TCP rejection can't work on Kind when the traffic mode is noEncap. Skip it.
-	// https://github.com/antrea-io/antrea/issues/2025
-	if protocol == v1.ProtocolTCP {
-		skipIfEncapModeIsNotAndProviderIs(t, data, config.TrafficEncapModeEncap, "kind")
-	}
 	builder := &ClusterNetworkPolicySpecBuilder{}
 	builder = builder.SetName("acnp-reject-a-from-z-ingress").
 		SetPriority(1.0).
diff --git a/test/e2e/fixtures.go b/test/e2e/fixtures.go
index 22940065ddf..442dee74d30 100644
--- a/test/e2e/fixtures.go
+++ b/test/e2e/fixtures.go
@@ -93,16 +93,6 @@ func skipIfEncapModeIsNot(tb testing.TB, data *TestData, encapMode config.Traffi
 	}
 }
 
-func skipIfEncapModeIsNotAndProviderIs(tb testing.TB, data *TestData, encapMode config.TrafficEncapModeType, name string) {
-	currentEncapMode, err := data.GetEncapMode()
-	if err != nil {
-		tb.Fatalf("Failed to get encap mode: %v", err)
-	}
-	if currentEncapMode != encapMode && testOptions.providerName == name {
-		tb.Skipf("Skipping test when encap mode is '%s' and provider is '%s', test requires '%s'", currentEncapMode.String(), name, encapMode.String())
-	}
-}
-
 func skipIfHasWindowsNodes(tb testing.TB) {
 	if len(clusterInfo.windowsNodes) != 0 {
 		tb.Skipf("Skipping test as the cluster has Windows Nodes")