Accelerate Service traffic in the Node's host network when proxyAll is enabled #7833
hongliangl wants to merge 1 commit into antrea-io:main from
Pull request overview
This PR extends host network acceleration (nftables flowtable offload) to cover Service traffic (NodePort / ExternalIP / LoadBalancer) in addition to Pod-to-Pod traffic, with a configurable packet-count threshold to avoid accelerating short-lived flows.
Changes:
- Add serviceAccelerationPacketThreshold configuration (default 20, range 0–1000) and validation / defaults wiring.
- Add nftables flowtable rules to offload established Service connections once they exceed the packet threshold.
- Update unit + integration tests and Helm / YAML manifests to reflect the new behavior and config.
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| test/integration/agent/route_test.go | Updates expected nftables rules in integration tests for Service offload. |
| pkg/config/agent/config.go | Adds the new HostNetworkAcceleration config field and documentation. |
| pkg/agent/route/route_linux_test.go | Adds/updates tests for nftables sync and Service sets/rules. |
| pkg/agent/route/route_linux.go | Implements Service flowtable offload rules + nftables set sync changes. |
| pkg/agent/config/node_config.go | Adds ServiceAccelerationPacketThreshold to runtime NetworkConfig. |
| cmd/antrea-agent/options_test.go | Adds validation tests for the threshold range. |
| cmd/antrea-agent/options.go | Sets default threshold and validates range. |
| cmd/antrea-agent/agent.go | Wires the threshold into NetworkConfig passed to the agent. |
| build/yamls/antrea*.yml | Exposes the new config option in generated manifests and updates checksums. |
| build/charts/antrea/values.yaml | Adds Helm value for serviceAccelerationPacketThreshold. |
| build/charts/antrea/conf/antrea-agent.conf | Renders the new Helm-configurable field into antrea-agent.conf. |
| build/charts/antrea/README.md | Documents the new Helm value in the chart parameter table. |
c0a4be0 to ca91716
Pull request overview
Copilot reviewed 16 out of 16 changed files in this pull request and generated 2 comments.
0b27d64 to 436ba77
Pull request overview
Copilot reviewed 16 out of 16 changed files in this pull request and generated 6 comments.
436ba77 to 41d0edf
41d0edf to 2b8d8f8
Pull request overview
Copilot reviewed 16 out of 16 changed files in this pull request and generated 2 comments.
antoninbas left a comment
Before I do a more in-depth review:
- I don't see any mention of proxyAll in the PR description. Doesn't this only apply with proxyAll, or is my understanding off?
- Did we discuss why a threshold makes sense for Service traffic but not Pod-to-Pod traffic?
…s enabled

When host network acceleration and proxyAll are both enabled, external-to-Service (NodePort, externalIP, and LoadBalancer ingress IPs) connections can now be accelerated in the Node's host network. A configurable packet threshold (default 20) limits acceleration to the Service connections that have seen enough packets, reducing overhead for short-lived flows.

Signed-off-by: Hongliang Liu <hongliang.liu@broadcom.com>
2b8d8f8 to b00a345