Remove the associated stale conntrack entries when UDP Endpoints are removed

build/charts/antrea/conf/antrea-agent.conf

@@ -20,6 +20,10 @@ featureGates:
 # enabled, otherwise this flag will not take effect.
 {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "TopologyAwareHints" "default" true) }}
 
+# Enable support for cleaning up stale UDP Service conntrack connections in AntreaProxy. This requires AntreaProxy to
+# be enabled, otherwise this flag will not take effect.
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "CleanupStaleUDPSvcConntrack" "default" false) }}
+
 # Enable traceflow which provides packet tracing feature to diagnose network issue.
 {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "Traceflow" "default" true) }}
 

build/yamls/antrea-aks.yml

@@ -3111,6 +3111,10 @@ data:
     # enabled, otherwise this flag will not take effect.
     #  TopologyAwareHints: true
 
+    # Enable support for cleaning up stale UDP Service conntrack connections in AntreaProxy. This requires AntreaProxy to
+    # be enabled, otherwise this flag will not take effect.
+    #  CleanupStaleUDPSvcConntrack: false
+
     # Enable traceflow which provides packet tracing feature to diagnose network issue.
     #  Traceflow: true
 
@@ -4553,7 +4557,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 4ebea7300356a753d716270575de36dd3584f67dd62607cd6c9c2a115ac92e62
+        checksum/config: e3208d24eb3232bd1fa2936e6b7a265c2ff3b462b5091828467c88f9df0e0b42
       labels:
         app: antrea
         component: antrea-agent
@@ -4794,7 +4798,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 4ebea7300356a753d716270575de36dd3584f67dd62607cd6c9c2a115ac92e62
+        checksum/config: e3208d24eb3232bd1fa2936e6b7a265c2ff3b462b5091828467c88f9df0e0b42
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-eks.yml

@@ -3111,6 +3111,10 @@ data:
     # enabled, otherwise this flag will not take effect.
     #  TopologyAwareHints: true
 
+    # Enable support for cleaning up stale UDP Service conntrack connections in AntreaProxy. This requires AntreaProxy to
+    # be enabled, otherwise this flag will not take effect.
+    #  CleanupStaleUDPSvcConntrack: false
+
     # Enable traceflow which provides packet tracing feature to diagnose network issue.
     #  Traceflow: true
 
@@ -4553,7 +4557,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 4ebea7300356a753d716270575de36dd3584f67dd62607cd6c9c2a115ac92e62
+        checksum/config: e3208d24eb3232bd1fa2936e6b7a265c2ff3b462b5091828467c88f9df0e0b42
       labels:
         app: antrea
         component: antrea-agent
@@ -4795,7 +4799,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 4ebea7300356a753d716270575de36dd3584f67dd62607cd6c9c2a115ac92e62
+        checksum/config: e3208d24eb3232bd1fa2936e6b7a265c2ff3b462b5091828467c88f9df0e0b42
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-gke.yml

@@ -3111,6 +3111,10 @@ data:
     # enabled, otherwise this flag will not take effect.
     #  TopologyAwareHints: true
 
+    # Enable support for cleaning up stale UDP Service conntrack connections in AntreaProxy. This requires AntreaProxy to
+    # be enabled, otherwise this flag will not take effect.
+    #  CleanupStaleUDPSvcConntrack: false
+
     # Enable traceflow which provides packet tracing feature to diagnose network issue.
     #  Traceflow: true
 
@@ -4553,7 +4557,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 48b346133ac76c11a6c456d99aa93c2421e5598a13b9d18d5dd58d6cce5408ff
+        checksum/config: cec624c3579d3f07e29b6842e3bcc09a12963c97da2c4e24afa646b6c3875809
       labels:
         app: antrea
         component: antrea-agent
@@ -4792,7 +4796,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 48b346133ac76c11a6c456d99aa93c2421e5598a13b9d18d5dd58d6cce5408ff
+        checksum/config: cec624c3579d3f07e29b6842e3bcc09a12963c97da2c4e24afa646b6c3875809
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-ipsec.yml

@@ -3124,6 +3124,10 @@ data:
     # enabled, otherwise this flag will not take effect.
     #  TopologyAwareHints: true
 
+    # Enable support for cleaning up stale UDP Service conntrack connections in AntreaProxy. This requires AntreaProxy to
+    # be enabled, otherwise this flag will not take effect.
+    #  CleanupStaleUDPSvcConntrack: false
+
     # Enable traceflow which provides packet tracing feature to diagnose network issue.
     #  Traceflow: true
 
@@ -4566,7 +4570,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: c464a20c63a45190125a9bacb8d0b25cf04ad0e1f45e9bc2be76ebdb74d758bf
+        checksum/config: 711e1747ccd17b291d523080c4942e215d7499a6b00f936149c488cdaef6d342
         checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4
       labels:
         app: antrea
@@ -4851,7 +4855,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: c464a20c63a45190125a9bacb8d0b25cf04ad0e1f45e9bc2be76ebdb74d758bf
+        checksum/config: 711e1747ccd17b291d523080c4942e215d7499a6b00f936149c488cdaef6d342
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea.yml

@@ -3111,6 +3111,10 @@ data:
     # enabled, otherwise this flag will not take effect.
     #  TopologyAwareHints: true
 
+    # Enable support for cleaning up stale UDP Service conntrack connections in AntreaProxy. This requires AntreaProxy to
+    # be enabled, otherwise this flag will not take effect.
+    #  CleanupStaleUDPSvcConntrack: false
+
     # Enable traceflow which provides packet tracing feature to diagnose network issue.
     #  Traceflow: true
 
@@ -4553,7 +4557,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 38c3b07d25dc21a29a2e7c91aaa95475191b53ca77639ceada4a2604b6425666
+        checksum/config: 96448ab5ddc455d898d31956cc9d15fae055b4fb4bdc9acc9dc765ca125c0867
       labels:
         app: antrea
         component: antrea-agent
@@ -4792,7 +4796,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 38c3b07d25dc21a29a2e7c91aaa95475191b53ca77639ceada4a2604b6425666
+        checksum/config: 96448ab5ddc455d898d31956cc9d15fae055b4fb4bdc9acc9dc765ca125c0867
       labels:
         app: antrea
         component: antrea-controller

docs/feature-gates.md

@@ -32,28 +32,29 @@ edit the Agent configuration in the
 
 ## List of Available Features
 
-| Feature Name              | Component          | Default | Stage | Alpha Release | Beta Release | GA Release | Extra Requirements | Notes |
-|---------------------------|--------------------|---------|-------|---------------|--------------| ---------- |--------------------| ----- |
-| `AntreaProxy`             | Agent              | `true`  | Beta  | v0.8          | v0.11        | N/A        | Yes                | Must be enabled for Windows. |
-| `EndpointSlice`           | Agent              | `true`  | Beta  | v0.13.0       | v1.11        | N/A        | Yes                |       |
-| `TopologyAwareHints`      | Agent              | `true`  | Beta  | v1.8          | v1.12        | N/A        | Yes                |       |
-| `LoadBalancerModeDSR`     | Agent              | `false` | Alpha | v1.13         | N/A          | N/A        | Yes                |       |
-| `AntreaPolicy`            | Agent + Controller | `true`  | Beta  | v0.8          | v1.0         | N/A        | No                 | Agent side config required from v0.9.0+. |
-| `Traceflow`               | Agent + Controller | `true`  | Beta  | v0.8          | v0.11        | N/A        | Yes                |       |
-| `FlowExporter`            | Agent              | `false` | Alpha | v0.9          | N/A          | N/A        | Yes                |       |
-| `NetworkPolicyStats`      | Agent + Controller | `true`  | Beta  | v0.10         | v1.2         | N/A        | No                 |       |
-| `NodePortLocal`           | Agent              | `true`  | Beta  | v0.13         | v1.4         | N/A        | Yes                | Important user-facing change in v1.2.0 |
-| `Egress`                  | Agent + Controller | `true`  | Beta  | v1.0          | v1.6         | N/A        | Yes                |       |
-| `NodeIPAM`                | Controller         | `true`  | Beta  | v1.4          | v1.12        | N/A        | Yes                |       |
-| `AntreaIPAM`              | Agent + Controller | `false` | Alpha | v1.4          | N/A          | N/A        | Yes                |       |
-| `Multicast`               | Agent + Controller | `true`  | Beta  | v1.5          | v1.12        | N/A        | Yes                |       |
-| `SecondaryNetwork`        | Agent              | `false` | Alpha | v1.5          | N/A          | N/A        | Yes                |       |
-| `ServiceExternalIP`       | Agent + Controller | `false` | Alpha | v1.5          | N/A          | N/A        | Yes                |       |
-| `TrafficControl`          | Agent              | `false` | Alpha | v1.7          | N/A          | N/A        | No                 |       |
-| `Multicluster`            | Agent + Controller | `false` | Alpha | v1.7          | N/A          | N/A        | Yes                | Controller side feature gate added in v1.10.0 |
-| `ExternalNode`            | Agent              | `false` | Alpha | v1.8          | N/A          | N/A        | Yes                |       |
-| `SupportBundleCollection` | Agent + Controller | `false` | Alpha | v1.10         | N/A          | N/A        | Yes                |       |
-| `L7NetworkPolicy`         | Agent + Controller | `false` | Alpha | v1.10         | N/A          | N/A        | Yes                |       |
+| Feature Name                  | Component           | Default | Stage | Alpha Release | Beta Release | GA Release | Extra Requirements | Notes |
+|-------------------------------|---------------------|---------|-------|---------------|--------------| ---------- |--------------------| ----- |
+| `AntreaProxy`                 | Agent               | `true`  | Beta  | v0.8          | v0.11        | N/A        | Yes                | Must be enabled for Windows. |
+| `EndpointSlice`               | Agent               | `true`  | Beta  | v0.13.0       | v1.11        | N/A        | Yes                |       |
+| `TopologyAwareHints`          | Agent               | `true`  | Beta  | v1.8          | v1.12        | N/A        | Yes                |       |
+| `CleanupStaleUDPSvcConntrack` | Agent               | `false` | Alpha | v1.13         | N/A          | N/A        | Yes                |       |
+| `LoadBalancerModeDSR`         | Agent               | `false` | Alpha | v1.13         | N/A          | N/A        | Yes                |       |
+| `AntreaPolicy`                | Agent + Controller  | `true`  | Beta  | v0.8          | v1.0         | N/A        | No                 | Agent side config required from v0.9.0+. |
+| `Traceflow`                   | Agent + Controller  | `true`  | Beta  | v0.8          | v0.11        | N/A        | Yes                |       |
+| `FlowExporter`                | Agent               | `false` | Alpha | v0.9          | N/A          | N/A        | Yes                |       |
+| `NetworkPolicyStats`          | Agent + Controller  | `true`  | Beta  | v0.10         | v1.2         | N/A        | No                 |       |
+| `NodePortLocal`               | Agent               | `true`  | Beta  | v0.13         | v1.4         | N/A        | Yes                | Important user-facing change in v1.2.0 |
+| `Egress`                      | Agent + Controller  | `true`  | Beta  | v1.0          | v1.6         | N/A        | Yes                |       |
+| `NodeIPAM`                    | Controller          | `true`  | Beta  | v1.4          | v1.12        | N/A        | Yes                |       |
+| `AntreaIPAM`                  | Agent + Controller  | `false` | Alpha | v1.4          | N/A          | N/A        | Yes                |       |
+| `Multicast`                   | Agent + Controller  | `true`  | Beta  | v1.5          | v1.12        | N/A        | Yes                |       |
+| `SecondaryNetwork`            | Agent               | `false` | Alpha | v1.5          | N/A          | N/A        | Yes                |       |
+| `ServiceExternalIP`           | Agent + Controller  | `false` | Alpha | v1.5          | N/A          | N/A        | Yes                |       |
+| `TrafficControl`              | Agent               | `false` | Alpha | v1.7          | N/A          | N/A        | No                 |       |
+| `Multicluster`                | Agent + Controller  | `false` | Alpha | v1.7          | N/A          | N/A        | Yes                | Controller side feature gate added in v1.10.0 |
+| `ExternalNode`                | Agent               | `false` | Alpha | v1.8          | N/A          | N/A        | Yes                |       |
+| `SupportBundleCollection`     | Agent + Controller  | `false` | Alpha | v1.10         | N/A          | N/A        | Yes                |       |
+| `L7NetworkPolicy`             | Agent + Controller  | `false` | Alpha | v1.10         | N/A          | N/A        | Yes                |       |
 
 ## Description and Requirements of Features
 
@@ -117,6 +118,14 @@ antrea-proxy.md#configuring-load-balancer-mode-for-external-traffic) for more in
 - Linux Nodes only.
 - Encap mode only.
 
+### CleanupStaleUDPSvcConntrack
+
+`CleanupStaleUDPSvcConntrack` enables support for cleaning up stale UDP Service conntrack connections in AntreaProxy.
+
+#### Requirements for this Feature
+
+- `AntreaProxy` is enabled.
+
 ### AntreaPolicy
 
 `AntreaPolicy` enables Antrea ClusterNetworkPolicy and Antrea NetworkPolicy CRDs to be handled by Antrea