Fixed

• Fix ACNP applied to NodePort failing to reject traffic in noEncap/hybrid mode. (#7265, @hongliangl)
• Use a more robust way to extract the source Node IP from encapsulated IGMP messages for Multicast. (#7282, @hongliangl)
• Fix agent crash issue which is caused by unexpected interface store initialization for FlexibleIPAM uplink internal port. (#7389, @gran-vmv)
• Periodically sync permanent neighbors to ensure route correctness for Antrea host gateway interface. (#7238, @hongliangl)
• Enhance OVS commands for Antrea Windows to accelerate container recovery and improve robustness. (#7228, @XinShuYang)
• Sync affected groups in the Antrea Controller when a Pod goes into Terminated state, to ensure that the Pod is excluded from NetworkPolicy source and destination immediately. (#7217, @Dyanngg)
• Fix race condition when getting metrics via antctl for FlowAggregator. (#7230, @antoninbas)
• Fix rollback when configureContainerLinkVeth fails, to ensure subsequent retries can succeed. (#7210 #7213, @tnqn)
• Remove stale local members in the group cache for Multicast, which resolves an issue that the same receiver may fail to receive multicast packets after it rejoins the group. (#7154, @wenyingd)

Fixed

• Fix agent crash issue which is caused by unexpected interface store initialization for FlexibleIPAM uplink internal port. (#7389, @gran-vmv)
• Ignore conntrack connections denied by policy for FlowExporter. (#7361, @antoninbas)
• Add missing policy UIDs for denied connections for FlowExporter. (#7388, @antoninbas)
• Fix ACNP applied to NodePort failing to reject traffic in noEncap/hybrid mode. (#7265, @hongliangl)
• Use a more robust way to extract the source Node IP from encapsulated IGMP messages for Multicast. (#7282, @hongliangl)
• Upgrade CNI plugins to v1.8.0 to fix CVEs. (#7397, @luolanzone)

Added

• Add resource requests for Windows container in Antrea deployment. (#7254, @XinShuYang)

Fixed

• Add missing Run calls for nodeStore / serviceStore to start the garbage collection routines and fix a memory leak for FlowAggregator. (#7343, @antoninbas)
• Improve SR-IOV device assignment to ensure it's idempotent. (#7322, @luolanzone)
• Add validation to ensure IP range start is not greater than end in IPPool. (#7308, @wenqiq)
• Improve secondary interface reconciliation and fix a nil pointer exception when both SR-IOV and VLAN interfaces are enabled in Antrea SecondaryNetwork. (#7286, @jianjuns)
• Remove trailing whitespace from default manifests to fix antrea-config ConfigMap formatting issues. (#7311, @antoninbas)

Fixed

• Periodically sync permanent neighbors to ensure route correctness for Antrea host gateway interface. (#7238, @hongliangl)
• Sync affected groups in the Antrea Controller when a Pod goes into Terminated state, to ensure that the Pod is excluded from NetworkPolicy source and destination immediately. (#7217, @Dyanngg)
• Fix rollback when configureContainerLinkVeth fails, to ensure subsequent retries can succeed. (#7210 #7213, @tnqn)
• Fix Agent crash when deleting the Secret storing BGP passwords. (#7042, @hongliangl)
• Filter out the hostNetwork Pods locally on Linux to fix K8s compatibility issue, since the spec.hostNetwork field selector for Pods is not supported before K8s v1.28. (#7012, @wenyingd)
• Add -ComputerName localhost explicitly for VMSwitch commands to avoid potential validation issues on Windows with Active Directory. (#6985, @XinShuYang)

Added

• Add BGP confederation support in BGPPolicy. (#6927 #6905, @hongliangl)
• Support mTLS when exporting flows to an external flow collector for FlowAggregator. (#7212, @antoninbas)
• Add k8s.v1.cni.cncf.io/network-status annotation to make SecondaryNetwork Pod IP visible. (#7069, @wenqiq)
• Add protocolFilter config to FlowExporter to filter and export flows only with the specified protocols. (#7145, @petertran-avgo)
• Add antctl get fqdncache sub-command to fetch the DNS mapping entries for FQDN policies. (#6868, @Dhruv-J)
• Add TCP flags filter support for PacketCapture. (#7070, @AryanBakliwal)
• Add bidirectional packet capture support for PacketCapture. (#6882, @AryanBakliwal)
• Add ICMP messages filter support for PacketCapture. (#7164, @AryanBakliwal)
• Support antctl packetcapture sub-commands for PacketCapture. (#6884, @hangyan)
• Support enabling multicast snooping for SecondaryNetwork. (#7200, @tnqn)
• Allow defining static MAC addresses for SecondaryInterfaces for VLAN network. (#7137, @KMAnju-2021 @rajnkamr)

Changed

• Multiple enhancements for FlowAggregator are introduced:
  • Move aggregation logic from go-ipfix to Antrea for FlowAggregator. (#7227, @antoninbas)
  • Remove several instances of log spam in the Flow Aggregator, and improve handling of connection failures. (#7223, @antoninbas)
  • Set priorityClassName to system-node-critical by default for FlowAggregator. (#7124, @luolanzone)
  • Support custom ClusterIDs attached to exported flow records for FlowAggregator. (#7197, @petertran-avgo)
  • Clean up RBAC for FlowAggregator. (#7125, @antoninbas)
  • Use Protobuf message in FlowAggregator to represent flows. (#7253, @antoninbas)
  • Use Protobuf / gRPC between FlowExporter and FlowAggregator by default, and allow disabling IPFIX collector via aggregatorTransportProtocol. (#7264, @antoninbas)
  • Add ability to export K8s UIDs in the IPFIX exporter. (#7279, @antoninbas)
  • Add more configuration values to the flow-aggregator chart. (#7138, @antoninbas)
  • Push flow-aggregator image to ghcr.io registry. (#7036, @antoninbas)
• Log error when OVS meter drops packets, which helps to evaluate whether increasing the packetInRate configuration is needed. (#7242, @tnqn)
• Log PacketIn drops when dispatching to per-category queues to improve troubleshooting. (#7174, @tnqn)
• Increase the default packet-in rate limit to 5000. (#7243, @tnqn)
• Sync affected groups in the Antrea Controller when a Pod goes into Terminated state, to ensure that the Pod is excluded from NetworkPolicy source and destination immediately. (#7217, @Dyanngg)
• Decouple sending of ICMP probes & latency reporting for NodeLatencyMonitor, which can improve accuracy of measurements and reduce system load. (#7189, @g4rud4kun)
• Add ICMP Rule for NodeLatencyMonitor to make it work when the Node is configured with iptables default DROP policy. (#7011, @Dhruv-J)
• Handle Pod UID updates in PodStore to account for the corner case where old and new Pods from update handler are actually different objects. (#6964, @antoninbas)
• Support configuring file permissions for the Antrea CNI configuration file. (#7098, @luolanzone)
• Install iptables rules to allow WireGuard packets to ensure Antrea with WireGuard can work properly when the Node is configured with iptables default DROP policy. (#7030, @wenyingd)
• Make IPPool prefixLength and gateway immutable. (#7186, @wenqiq)
• Periodically sync permanent neighbors to ensure route correctness for Antrea host gateway interface. (#7238, @hongliangl)
• Rename a SR-IOV VF device, which is configured as a secondary Pod interface, back to the original name when the Pod is deleted. (#7144, @luolanzone)
• Support removing the whole k8s.v1.cni.cncf.io/networks annotation or resetting it to an empty value, which deletes the Pod's SecondaryNetwork interfaces. (#7119, @wenqiq)
• Document Antrea native secondary network support for SR-IOV interfaces. (#7076, @tnqn)

Fixed

• Enhance OVS commands for Antrea Windows to accelerate container recovery and improve robustness. (#7228, @XinShuYang)
• Configure routes via ip route add to avoid incorrect replacement of routes when the interface is managed by a network daemon. (#7134, @luolanzone)
• Restore secondary VLAN interface information and reconcile OVS ports after Agent restarts. (#6853, @KMAnju-2021)
• Persist container netns with OVS port external IDs. (#7199, @[@jianjuns)
• Restore the existing SR-IOV secondary interface information when Agent restarts, using the information stored in the Pod NetworkStatus annotation, which ensures correct IP release and VF device name restoration after Pod deletion. (#7240, @luolanzone)
• Fix invalid template ID in FlowAggregator for IPFIX exporter. (#7208, @antoninbas)
• Fix race condition when getting metrics via antctl for FlowAggregator. (#7230, @antoninbas)
• Fix invalid IPFIX UDP traffic fragmentation in the Flow Aggregator. (#7080, @antoninbas)
• Fix invalid Antrea IE registry ID in docs. (#7087, @ColonelBundy)
• Remove stale local members in the group cache for Multicast, which resolves an issue that the same receiver may fail to receive multicast packets after it rejoins the group. (#7154, @wenyingd)
• Fix Agent crash when deleting the Secret storing BGP passwords. (#7042, @hongliangl)
• Fix rollback when configureContainerLinkVeth fails, to ensure subsequent retries can succeed. (#7210 #7213, @tnqn)
• Upgrade otelhttp to v0.55.0 to fix WriteHeader logging flood. (#7196, @DeeBi9)

Changed

• Update go-ipfix to v0.14.0. (#7080, @antoninbas)
• Document SecondaryNetwork support for SR-IOV. (#7076, @tnqn)
• Periodically sync permanent neighbors to ensure route correctness for Antrea host gateway interface. (#7238, @hongliangl)

Fixed

• Enhance OVS commands for Antrea Windows to accelerate container recovery after OVS processes restart and improve robustness. (#7228, @XinShuYang)
• Sync affected groups in the Antrea Controller when a Pod goes into Terminated state, to ensure that the required updates are sent immediately to Agents. (#7217, @Dyanngg)
• Fix race condition when getting metrics via antctl for FlowAggregator. (#7230, @antoninbas)
• Fix rollback when configureContainerLinkVeth fails, to ensure subsequent retries can succeed. (#7210 #7213, @tnqn)
• Remove stale local members in the group cache for Multicast, which resolves an issue that the same receiver may fail to receive multicast packets after it rejoins the group. (#7154, @wenyingd)
• Fix Agent crash when deleting the Secret storing BGP passwords. (#7042, @hongliangl)

Changed

• Upgrade CNI plugins from v1.5.1 to v1.6.2. (#6796, @luolanzone)
• Update some golang.org/x dependencies to resolve CVEs. (#6930, @antoninbas)

Fixed

• Fix antrea-agent crash issue when deleting the Secret which is storing BGP passwords. (#7042, @hongliangl)
• Filter out the hostNetwork Pods locally on Linux to fix K8s compatibility issue, since the spec.hostNetwork field selector for Pods is not supported before K8s v1.28. (#7012, @wenyingd)
• Add -ComputerName localhost explicitly for VMSwitch commands to avoid potential validation issues on Windows with Active Directory. (#6985, @XinShuYang)
• Reconcile Pods with hostNetwork after Antrea Agent is restarted on Windows. (#6944, @wenyingd)
• Fix PacketCapture bpf filter issue to avoid receiving packets when the socket is created but the bpf filter is not applied yet. (#6821, @hangyan)
• Set the maximum packet size explicitly to fix an issue with reading PacketCapture pcapng files with tcpdump on macOS. (#6804, @hangyan)
• Remove stale OVS interfaces in the CNIServer reconciler if the original Pod interface is disconnected. (#6919, @wenyingd)
• Ensure that promote_secondaries is set on IPAssigner interfaces to avoid the automatic removal of all other IP addresses in the same subnet when the primary IP address is deleted. (#6898 #6900, @antoninbas)
• Ensure that OpenFlow rules for a Windows Pod are installed as long as the OpenFlow port is allocated, even if its state is incorrectly reported as "LINK_DOWN". (#6889, @wenyingd)
• Fix audit logging for default deny-all K8s NetworkPolicy rules. (#6855, @qiyueyao)
• Fix race condition when getting BGP routes in BGPController. (#6823, @Atish-iaf)

Added

• Add Proxy mode for Flow Aggregator to send flows directly without buffering or aggregation. (#6920 #6961, @antoninbas)
• Support version skew between Antrea Agent and Flow Aggregator to improve upgrade robustness. (#6912, @antoninbas)
• Add clusterId to aggregated records for Flow Aggregator. (#6769, @antoninbas)
• Add checksum/config annotation to the Deployment of Flow Aggregator. (#6967, @antoninbas)
• Support SecondaryNetwork of SR-IOV type for VM Nodes. (#6881, @tnqn)
• Add more printer columns for PacketCapture CRD. (#6977, @antoninbas)
• Add fallback log collection to the antctl supportbundle command for Antrea components for which regular Support Bundle collection has failed. (#3659, @hangyan)
• Add antreaProxy.disableServiceHealthCheckServer config to disable the health check server run by Antrea Proxy to avoid kube-proxy error logs. (#6939, @antoninbas)
• Add route info to the output of antctl get bgproutes. (#6803 #6823 #6835, @Atish-iaf)

Changed

• Promote feature EgressSeparateSubnet from Alpha to Beta. (#6982, @luolanzone)
• Promote feature ServiceExternalIP from Alpha to Beta. (#6903, @xliuxu)
• Allow running Flow Aggregator with no collector / sink. (#7006, @antoninbas)
• More efficient IP checks in the Flow Exporter when determining the type of flow being exported. (#6960, @antoninbas)
• Require k8s.v1.cni.cncf.io/resourceName annotations for SR-IOV type of NetworkAttachmentDefinitions for SecondaryNetwork. (#6999, @antoninbas)
• Remove stale OVS interfaces in the CNIServer reconciler if the original Pod interface is disconnected. (#6919, @wenyingd)
• Remove local ASN range limitation in BGPPolicy API. (#6914, @hongliangl)
• Support providing a fixed public host key for SFTP uploads with a new field hostPublicKey to PacketCapture and SupportBundleCollection CRDs. (#6848, @antoninbas)
• Upgrade CNI plugins from v1.5.1 to v1.6.2. (#6796, @luolanzone)
• Push Antrea Ubuntu-based images to ghcr.io. (#6834, @antoninbas)
• Upgrade go-ipfix to 0.13.0, which includes performance improvements and supports sending multiple data records in the same IPFIX message. (#6998, @antoninbas)

Fixed

• Add -ComputerName localhost explicitly for VMSwitch commands to avoid potential validation issues on Windows with Active Directory. (#6985, @XinShuYang)
• Fix that Antrea L7NetworkPolicies do not handle Service traffic correctly. (#6941, @hongliangl)
• Disable TX checksum offload for Antrea host gateway interface when disableTXChecksumOffload is set to true. (#6843, @hongliangl)
• Add fqdnCacheMinTTL configuration for Antrea-native policies which will ensure that resolved IPs are included in data path rules for at least the configured amount of time, in case some applications are caching the results of DNS queries. (#6808, @hkiiita)
• Ensure that OpenFlow rules for a Windows Pod are installed as long as the OpenFlow port is allocated, even if its state is incorrectly reported as "LINK_DOWN". (#6889, @wenyingd)
• Fix audit logging for default deny-all K8s NetworkPolicy rules. (#6855, @qiyueyao)
• Ensure that promote_secondaries is set on IPAssigner interfaces to avoid the automatic removal of all other IP addresses in the same subnet when the primary IP address is deleted. (#6898 #6900, @antoninbas)
• Set the maximum packet size explicitly to fix an issue with reading PacketCapture pcapng files with tcpdump on macOS. (#6804, @hangyan)
• Reconcile Pods with hostNetwork after Antrea Agent is restarted on Windows. (#6944, @wenyingd)
• Create a new kubeconfig for SupportBundleClient to fix antctl supportbundle failures on Windows. (#6840, @XinShuYang)
• Fix PacketCapture bpf filter issue to avoid receiving packets when the socket is created but the bpf filter is not applied yet. (#6821, @hangyan)

Added

• Add documentation for the NodeLatencyMonitor feature. (#6561, [@antoninbas])

Changed

• Close connection to IPFIX collector explicitly on Stop for FlowAggregator. (#6635, [@antoninbas])
• Run the IPPool webhook handler when SecondaryNetwork is enabled. (#6691, [@luolanzone])

Fixed

• On Windows, rely on PortStatus messages from OVS to install OpenFlow entries for a Pod instead of relying on a fixed timeout which can be hard to configure correctly; the code will now wait "indefinitely" but a NetworkNotReady event will be added to the Pod if the port is not ready after 30s. (#6763 #6889, [@wenyingd])
• Reconcile Pods with hostNetwork after Antrea Agent is restarted on Windows. (#6944, [@wenyingd])
• Match dstIP in ClassifierTable to fix a potential source MAC and IP mismatch issue on Windows when promiscuous mode is enabled. (#6528, [@XinShuYang])
• Ensure that promote_secondaries is set on IPAssigner interfaces to avoid the automatic removal of all other IP addresses in the same subnet when the primary IP address is deleted. (#6898 #6900, [@antoninbas])
• Fix audit logging for default deny all K8s NetworkPolicy rules. (#6855, [@qiyueyao])
• Improve memory copying logic to avoid a potential memory fault on Windows. (#6664 #6673, [@XinShuYang] [@tnqn])
• More robust system Tier creation / update for Antrea-native policies. (#6696, [@antoninbas])
• Fix an issue with ipset or iptables chain removal during Antrea Node NetworkPolicy updates or deletions. (#6707, [@hongliangl])
• Fix invalid template ID error in IPFIX exporter for FlowAggregator. (#6630, [@antoninbas])
• Fix the checker image tag when running antctl check cluster with a released antctl binary. (#6565, [@tnqn])
• Update the Finalizer of ResourceExport to be a domain-qualified string. (#6742, [@Dyanngg])

Added

• Add a new feature PacketCapture to allow users to capture live traffic and upload captured packets to a specified location:
  • Add PacketCapture API. (#6257, @hangyan)
  • Add PacketCapture data path support. (#6756, @hangyan)
  • Refer to this document for more information about this feature.
• Add a few new antctl sub-commands for the BGPPolicy feature to improve usability:
  • antctl get bgppolicy to get the effective BGP policy applied on the local Node. (#6646, @Atish-iaf)
  • antctl get bgppeers to print the current status of all BGP peers of the effective BGPPolicy applied on the local Node. (#6689 #6755, @Atish-iaf)
  • antctl get bgproutes to print the BGP routes advertised from the local Node. (#6734, @Atish-iaf)
• Add an except field to the Antrea-native policy field ipBlock to allow users to exclude certain CIDRs from ipBlock.cidr. (#6658 #6677, @Dyanngg)
• Add a new templateRefreshTimeout configuration for FlowAggregator to define the template retransmission interval when using the UDP protocol to export records. (#6699, @antoninbas)
• Add EnableLogging and LogLabel support for Antrea Node NetworkPolicy. (#6626, @hongliangl)
• Add ServiceTrafficDistribution feature in Antrea Proxy that enables traffic distribution for Services. (#6604, @hongliangl)
• Support --random-fully for iptables SNAT / MASQUERADE rules. (#6602, @antoninbas)
• Add antctl-darwin-arm64 to Antrea release assets. (#6640, @antoninbas)
• Add documentation for the NodeLatencyMonitor feature. (#6561, @antoninbas)

Changed

• Uniform BGP router ID selection for IPv4 and IPv6 for the BGPPolicy feature. (#6605, @Atish-iaf)
• Use the default protocol / port when the destination is a Service in Traceflow. (#6601, @Atish-iaf)
• Add validations for Antrea Node NetworkPolicy to fail invalid configurations. (#6613, @Atish-iaf)
• More robust system Tier creation / update for Antrea-native policies. (#6696, @antoninbas)
• Handle ExternalIPPool range changes in Egress controller. (#6685, @antoninbas)
• Close connection to IPFIX collector explicitly on Stop for FlowAggregator. (#6635, @antoninbas)
• Unify the checker image and make it configurable when running antctl check cluster. (#6579, @tnqn)
• Update the Finalizer of ResourceExport to be a domain-qualified string. (#6742, @Dyanngg)
• Upgrade Ubuntu to 24.04 (Noble). (#6575, @antoninbas)
• Upgrade Go to 1.23. (#6647, @antoninbas)
• Upgrade Suricata to 7.0. (#6589, @antoninbas)

Fixed

• Install OpenFlow entries by PortStatus to fix an Antrea Agent failure on Windows when the OF port allocation takes longer than 5s. (#6763, @wenyingd)
• Match dstIP in ClassifierTable to fix a potential source MAC and IP mismatched issue on Windows when promiscuous mode is enabled. (#6528, @XinShuYang)
• Fix the checker image tag when running antctl check cluster with a released antctl binary. (#6565, @tnqn)
• Use the same MTU as uplink for bridge ports to fix a potential MTU mismatch issue when the traffic mode is changed. (#6577, @antoninbas)
• Cache TTLs for individual IP addresses in DNS responses to avoid evicting valid IPs before they are expired. (#6732, @hkiiita)
• Fix an issue with ipset or iptables chain removal during Antrea Node NetworkPolicy updates or deletions. (#6707, @hongliangl)
• Fix an issue with logging support for L7 NetworkPolicy causing the wrong packet to be logged by Suricata for the default reject rule. From now on, enableLogging only controls L4 audit logging and we unconditionally log the packet data for all Suricata alert events. (#6651, @qiyueyao)
• Fix NetworkPolicy related antctl commands including antctl get networkpolicy and antctl get ovsflows. (#6487, @Dyanngg)
• Fix the template ID not existing error in IPFIX exporter for FlowAggregator. (#6630, @antoninbas)
• Fix an antrea-agent crash issue when the host interface is already attached to the OVS bridge for SecondaryNetwork. (#6666, @xliuxu)
• Delay the initialization of ARP / NDP responders to fix the ServiceExternalIP feature when SecondaryNetwork is enabled. (#6700, @xliuxu)
• Run the IPPool webhook handler when SecondaryNetwork is enabled. (#6691, @luolanzone)
• Fix a slice init length issue for NetworkPolicy controller. (#6715, @cuishuang)
• Improve memory copying logic to avoid a potential memory fault on Windows. (#6664 #6673, @XinShuYang @tnqn)
• Document a workaround for using EgressSeparateSubnet feature on OpenShift. (#6622 #6775, @luolanzone @jianjuns)
• Clean up stale resources when antctl check cluster fails. (#6597, @luolanzone)
• Fix hint annotation implementation in AntreaProxy. (#6607, @hongliangl)
• Initialize creationTimestamp when creating instances of NodeLatencyStats to prevent a null creationTimestamp issue. (#6574, @hkiiita)
• Avoid error log when unmarshalling config for Antrea Multi-cluster Controller. (#6744, @antoninbas)