Make disabling TX checksum offload configurable

[tnqn]

Add a configuration parameter disableTXChecksumOffload for Antrea Agent to support cases in which the datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum.

Signed-off-by: Quan Tian qtian@vmware.com

This is required when using TrafficControl Redirect action with threat detection engines' certain packet capture methods, e.g. Suricata AF_PACKET, with which skb csum state is messed up after it's processed by engines' userspace, leading to packet drop on destination.

[codecov-commenter]

Codecov Report

Merging #3832 (6fd87c5) into main (6445ee1) will decrease coverage by 16.08%.
The diff coverage is 85.71%.

❗ Current head 6fd87c5 differs from pull request most recent head 5196f83. Consider uploading reports for the commit 5196f83 to get more accurate results

@@             Coverage Diff             @@
##             main    #3832       +/-   ##
===========================================
- Coverage   62.18%   46.10%   -16.09%     
===========================================
  Files         281      247       -34     
  Lines       40091    35913     -4178     
===========================================
- Hits        24931    16556     -8375     
- Misses      13190    17720     +4530     
+ Partials     1970     1637      -333     

Flag	Coverage Δ
e2e-tests	46.10% <85.71%> (?)
kind-e2e-tests	?
unit-tests	?

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
...g/agent/cniserver/interface_configuration_linux.go	12.77% <75.00%> (-3.98%)	⬇️
pkg/agent/cniserver/pod_configuration.go	44.84% <100.00%> (-9.75%)	⬇️
pkg/agent/cniserver/server.go	41.88% <100.00%> (-25.39%)	⬇️
pkg/controller/networkpolicy/endpoint_querier.go	4.58% <0.00%> (-88.08%)	⬇️
pkg/util/flowexport/flowexport.go	0.00% <0.00%> (-84.62%)	⬇️
pkg/agent/util/iptables/lock.go	0.00% <0.00%> (-80.00%)	⬇️
pkg/controller/networkpolicy/crd_utils.go	13.63% <0.00%> (-78.58%)	⬇️
pkg/cni/client.go	0.00% <0.00%> (-77.78%)	⬇️
...lowaggregator/clickhouseclient/clickhouseclient.go	0.00% <0.00%> (-76.62%)	⬇️
pkg/controller/externalippool/validate.go	0.00% <0.00%> (-75.87%)	⬇️
... and 156 more

[tnqn]

/test-all

[jianjuns]

@tnqn : does that mean to use Suricata for IPS/FW, we must disable checksum offload? It sounds not ideal.

[jianjuns]

Add a comment saying disableTXChecksumOffload is ignored on Windows?

[jianjuns]

We should say it is on Linux only?

[tnqn]

@tnqn : does that mean to use Suricata for IPS/FW, we must disable checksum offload? It sounds not ideal.

Yes. I remember it's also the case of Snort. I saw this issue in several places where packets are passed to userspace and sent back to kernel for transmission. Not sure if it's specific to AF_PACKET, I will try other capture methods.

[jianjuns]

Ok. Anyway, let us merge it for this release. And we can think about any better solution (seems not quite possible).

[tnqn]

/test-all

[antoninbas]

I'm also fine with this change, but I agree with Jianjun that it is really not ideal if this is required when integrating with IDS solutions.

[tnqn]

Sure @jianjuns @antoninbas, I will explore better solutions.