Fix Traceflow with WireGuard enabled

WireGuard uses direct routing for same-subnet traffic similar to hybrid
mode, but Traceflow was not checking for WireGuard mode when determining
packet actions and forwarding behavior.

This commit adds WireGuard mode checks in the Traceflow packet parsing
and flow generation logic to correctly handle packets when WireGuard
encryption is enabled.

Signed-off-by: xliuxu <[email protected]>

Author: xliuxu

pkg/agent/controller/traceflow/packetin.go

@@ -349,7 +349,10 @@ func (c *Controller) parsePacketIn(pktIn *ofctrl.PacketIn) (*crdv1beta1.Traceflo
 			}
 
 			ob.Action = crdv1beta1.ActionForwardedOutOfNetwork
-			if c.networkConfig.TrafficEncapMode == config.TrafficEncapModeHybrid && c.podSubnetChecker != nil {
+			// In hybrid mode or WireGuard mode, packets to Pod IPs in the same subnet are forwarded
+			// directly without encapsulation. Check if the destination is a Pod IP to determine
+			// the correct action (Forwarded vs ForwardedOutOfNetwork).
+			if (c.networkConfig.TrafficEncapMode == config.TrafficEncapModeHybrid || c.networkConfig.TrafficEncryptionMode == config.TrafficEncryptionModeWireGuard) && c.podSubnetChecker != nil {
 				netAddrDst, _ := netip.AddrFromSlice(netIPDst)
 				isPodIP, _ := c.podSubnetChecker.LookupIPInPodSubnets(netAddrDst)
 				if isPodIP {

pkg/agent/openflow/pipeline.go

@@ -974,8 +974,10 @@ func (f *featurePodConnectivity) flowsToTrace(dataplaneTag uint8,
 		return fb
 	}
 	// Output the packets if traffic mode is noEncap or hybrid.
+	// Also include WireGuard mode since it uses direct routing (no encapsulation) for same-subnet
+	// traffic, similar to noEncap/hybrid modes.
 	ifSupportsNoEncap := func(fb binding.FlowBuilder) binding.FlowBuilder {
-		if f.networkConfig.TrafficEncapMode.SupportsNoEncap() {
+		if f.networkConfig.TrafficEncapMode.SupportsNoEncap() || f.networkConfig.TrafficEncryptionMode == config.TrafficEncryptionModeWireGuard {
 			fb = fb.Action().OutputToRegField(TargetOFPortField)
 		}
 		return fb