- Fix ACNP applied to NodePort failing to reject traffic in noEncap/hybrid mode. (#7265, @hongliangl)
- Use a more robust way to extract the source Node IP from encapsulated IGMP messages for Multicast. (#7282, @hongliangl)
- Fix agent crash issue which is caused by unexpected interface store initialization for FlexibleIPAM uplink internal port. (#7389, @gran-vmv)
- Periodically sync permanent neighbors to ensure route correctness for Antrea host gateway interface. (#7238, @hongliangl)
- Enhance OVS commands for Antrea Windows to accelerate container recovery and improve robustness. (#7228, @XinShuYang)
- Sync affected groups in the Antrea Controller when a Pod goes into `Terminated` state, to ensure that the Pod is excluded from NetworkPolicy source and destination immediately. (#7217, @Dyanngg)
- Fix race condition when getting metrics via `antctl` for FlowAggregator. (#7230, @antoninbas)
- Fix rollback when `configureContainerLinkVeth` fails, to ensure subsequent retries can succeed. (#7210 #7213, @tnqn)
- Remove stale local members in the group cache for Multicast, which resolves an issue that the same receiver may fail to receive multicast packets after it rejoins the group. (#7154, @wenyingd)
- Upgrade CNI plugins from v1.5.1 to v1.6.2. (#6796, @luolanzone)
- Update some golang.org/x dependencies to resolve CVEs. (#6930, @antoninbas)
- Fix antrea-agent crash issue when deleting the Secret which is storing BGP passwords. (#7042, @hongliangl)
- Filter out the `hostNetwork` Pods locally on Linux to fix K8s compatibility issue, since the `spec.hostNetwork` field selector for Pods is not supported before K8s v1.28. (#7012, @wenyingd)
- Add `-ComputerName localhost` explicitly for VMSwitch commands to avoid potential validation issues on Windows with Active Directory. (#6985, @XinShuYang)
- Reconcile Pods with `hostNetwork` after Antrea Agent is restarted on Windows. (#6944, @wenyingd)
- Fix PacketCapture bpf filter issue to avoid receiving packets when the socket is created but the bpf filter is not applied yet. (#6821, @hangyan)
- Set the maximum packet size explicitly to fix an issue with reading `PacketCapture` pcapng files with `tcpdump` on macOS. (#6804, @hangyan)
- Remove stale OVS interfaces in the CNIServer reconciler if the original Pod interface is disconnected. (#6919, @wenyingd)
- Ensure that `promote_secondaries` is set on `IPAssigner` interfaces to avoid the automatic removal of all other IP addresses in the same subnet when the primary IP address is deleted. (#6898 #6900, @antoninbas)
- Ensure that OpenFlow rules for a Windows Pod are installed as long as the OpenFlow port is allocated, even if its state is incorrectly reported as "LINK_DOWN". (#6889, @wenyingd)
- Fix audit logging for default deny-all K8s NetworkPolicy rules. (#6855, @qiyueyao)
- Fix race condition when getting BGP routes in BGPController. (#6823, @Atish-iaf)
- Add a new feature `PacketCapture` to allow users to capture live traffic and upload captured packets to a specified location:
  - Add PacketCapture API. (#6257, @hangyan)
  - Add PacketCapture data path support. (#6756, @hangyan)
  - Refer to this document for more information about this feature.
- Add a few new antctl sub-commands for the `BGPPolicy` feature to improve usability:
  - `antctl get bgppolicy` to get the effective BGP policy applied on the local Node. (#6646, @Atish-iaf)
  - `antctl get bgppeers` to print the current status of all BGP peers of the effective BGPPolicy applied on the local Node. (#6689 #6755, @Atish-iaf)
  - `antctl get bgproutes` to print the BGP routes advertised from the local Node. (#6734, @Atish-iaf)
- Add an `except` field to the Antrea-native policy field `ipBlock` to allow users to exclude certain CIDRs from `ipBlock.cidr`. (#6658 #6677, @Dyanngg)
- Add a new `templateRefreshTimeout` configuration for `FlowAggregator` to define the template retransmission interval when using the UDP protocol to export records. (#6699, @antoninbas)
- Add `EnableLogging` and `LogLabel` support for Antrea Node NetworkPolicy. (#6626, @hongliangl)
- Add `ServiceTrafficDistribution` feature in Antrea Proxy that enables traffic distribution for Services. (#6604, @hongliangl)
- Support `--random-fully` for iptables SNAT / MASQUERADE rules. (#6602, @antoninbas)
- Add `antctl-darwin-arm64` to Antrea release assets. (#6640, @antoninbas)
- Add documentation for the `NodeLatencyMonitor` feature. (#6561, @antoninbas)
- Uniform BGP router ID selection for IPv4 and IPv6 for the `BGPPolicy` feature. (#6605, @Atish-iaf)
- Use the default protocol / port when the destination is a Service in Traceflow. (#6601, @Atish-iaf)
- Add validations for Antrea Node NetworkPolicy to fail invalid configurations. (#6613, @Atish-iaf)
- More robust system Tier creation / update for Antrea-native policies. (#6696, @antoninbas)
- Handle `ExternalIPPool` range changes in Egress controller. (#6685, @antoninbas)
- Close connection to IPFIX collector explicitly on Stop for `FlowAggregator`. (#6635, @antoninbas)
- Unify the checker image and make it configurable when running `antctl check cluster`. (#6579, @tnqn)
- Update the `Finalizer` of `ResourceExport` to be a domain-qualified string. (#6742, @Dyanngg)
- Upgrade Ubuntu to 24.04 (Noble). (#6575, @antoninbas)
- Upgrade Go to 1.23. (#6647, @antoninbas)
- Upgrade Suricata to 7.0. (#6589, @antoninbas)
- Install OpenFlow entries by PortStatus to fix an Antrea Agent failure on Windows when the OF port allocation takes longer than 5s. (#6763, @wenyingd)
- Match `dstIP` in `ClassifierTable` to fix a potential source MAC and IP mismatched issue on Windows when `promiscuous` mode is enabled. (#6528, @XinShuYang)
- Fix the checker image tag when running `antctl check cluster` with a released `antctl` binary. (#6565, @tnqn)
- Use the same MTU as uplink for bridge ports to fix a potential MTU mismatch issue when the traffic mode is changed. (#6577, @antoninbas)
- Cache TTLs for individual IP addresses in DNS responses to avoid evicting valid IPs before they are expired. (#6732, @hkiiita)
- Fix an issue with ipset or iptables chain removal during Antrea Node NetworkPolicy updates or deletions. (#6707, @hongliangl)
- Fix an issue with logging support for L7 NetworkPolicy causing the wrong packet to be logged by Suricata for the default reject rule. From now on, `enableLogging` only controls L4 audit logging and we unconditionally log the packet data for all Suricata alert events. (#6651, @qiyueyao)
- Fix `NetworkPolicy` related antctl commands including `antctl get networkpolicy` and `antctl get ovsflows`. (#6487, @Dyanngg)
- Fix the template ID not existing error in IPFIX exporter for `FlowAggregator`. (#6630, @antoninbas)
- Fix an antrea-agent crash issue when the host interface is already attached to the OVS bridge for `SecondaryNetwork`. (#6666, @xliuxu)
- Delay the initialization of ARP / NDP responders to fix the `ServiceExternalIP` feature when `SecondaryNetwork` is enabled. (#6700, @xliuxu)
- Run the `IPPool` webhook handler when `SecondaryNetwork` is enabled. (#6691, @luolanzone)
- Fix a slice init length issue for `NetworkPolicy` controller. (#6715, @cuishuang)
- Improve memory copying logic to avoid a potential memory fault on Windows. (#6664 #6673, @XinShuYang @tnqn)
- Document a workaround for using `EgressSeparateSubnet` feature on OpenShift. (#6622 #6775, @luolanzone @jianjuns)
- Clean up stale resources when `antctl check cluster` fails. (#6597, @luolanzone)
- Fix hint annotation implementation in `AntreaProxy`. (#6607, @hongliangl)
- Initialize `creationTimestamp` when creating instances of `NodeLatencyStats` to prevent a null `creationTimestamp` issue. (#6574, @hkiiita)
- Avoid error log when unmarshalling config for Antrea Multi-cluster Controller. (#6744, @antoninbas)