antrea-io
diff --git a/‎cmd/antrea-agent/agent.go
+3-1 b/‎cmd/antrea-agent/agent.go
+3-1
diff --git a/‎pkg/agent/route/route_linux.go
+74-3 b/‎pkg/agent/route/route_linux.go
+74-3
@@ -244,7 +244,9 @@ func run(o *Options) error {
 		multicastEnabled,
 		o.config.SNATFullyRandomPorts,
 		*o.config.Egress.SNATFullyRandomPorts,
-		serviceCIDRProvider)
+		serviceCIDRProvider,
+		wireguardConfig.Port,
+	)
 	if err != nil {
 		return fmt.Errorf("error creating route client: %v", err)
 	}
 
@@ -28,6 +28,7 @@ import (
 	"github.com/containernetworking/plugins/pkg/ip"
 	"github.com/vishvananda/netlink"
 	"golang.org/x/sys/unix"
+	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/klog/v2"
@@ -158,10 +159,17 @@ type Client struct {
 	nodeNetworkPolicyIPTablesIPv4 sync.Map
 	// nodeNetworkPolicyIPTablesIPv6 caches all existing IPv6 iptables chains and rules for NodeNetworkPolicy.
 	nodeNetworkPolicyIPTablesIPv6 sync.Map
+	// wireguardIPTablesIPv4 caches all existing IPv4 iptables chains and rules for Wireguard.
+	wireguardIPTablesIPv4 sync.Map
+	// wireguardIPTablesIPv6 caches all existing IPv6 iptables chains and rules for Wireguard.
+	wireguardIPTablesIPv6 sync.Map
 	// deterministic represents whether to write iptables chains and rules for NodeNetworkPolicy deterministically when
 	// syncIPTables is called. Enabling it may carry a performance impact. It's disabled by default and should only be
 	// used in testing.
 	deterministic bool
+	// wireguardPort is the port at which to listen the wireguard traffic. iptables rules are added to accept the UDP
+	// packets destined at the wireguard port when wireguard is used as the encryption mode.
+	wireguardPort int
 }
 
 // NewClient returns a route client.
@@ -173,7 +181,8 @@ func NewClient(networkConfig *config.NetworkConfig,
 	multicastEnabled bool,
 	nodeSNATRandomFully bool,
 	egressSNATRandomFully bool,
-	serviceCIDRProvider servicecidr.Interface) (*Client, error) {
+	serviceCIDRProvider servicecidr.Interface,
+	wireguardPort int) (*Client, error) {
 	return &Client{
 		networkConfig:               networkConfig,
 		noSNAT:                      noSNAT,
@@ -194,6 +203,7 @@ func NewClient(networkConfig *config.NetworkConfig,
 			antreaExternalIPIPSet:  {},
 			antreaExternalIPIP6Set: {},
 		},
+		wireguardPort: wireguardPort,
 	}, nil
 }
 
@@ -265,7 +275,9 @@ func (c *Client) Initialize(nodeConfig *config.NodeConfig, done func()) error {
 	if c.nodeNetworkPolicyEnabled {
 		c.initNodeNetworkPolicy()
 	}
-
+	if c.networkConfig.TrafficEncryptionMode == config.TrafficEncryptionModeWireGuard {
+		c.initWireguard()
+	}
 	return nil
 }
 
@@ -675,7 +687,7 @@ func (c *Client) syncIPTables() error {
 	if c.proxyAll {
 		jumpRules = append(jumpRules, jumpRule{iptables.NATTable, iptables.OutputChain, antreaOutputChain, "Antrea: jump to Antrea output rules", true})
 	}
-	if c.nodeNetworkPolicyEnabled {
+	if c.nodeNetworkPolicyEnabled || c.networkConfig.TrafficEncryptionMode == config.TrafficEncryptionModeWireGuard {
 		jumpRules = append(jumpRules, jumpRule{iptables.FilterTable, iptables.InputChain, antreaInputChain, "Antrea: jump to Antrea input rules", false})
 		jumpRules = append(jumpRules, jumpRule{iptables.FilterTable, iptables.OutputChain, antreaOutputChain, "Antrea: jump to Antrea output rules", false})
 	}
@@ -726,6 +738,34 @@ func (c *Client) syncIPTables() error {
 		return true
 	})
 
+	// Merge rules defined in wireguardIPTablesIPv4 into nodeNetworkPolicyIPTablesIPv4, since both two feature
+	// has added rules in antreaInputChain and antreaOutputChain.
+	c.wireguardIPTablesIPv4.Range(func(key, value interface{}) bool {
+		chain := key.(string)
+		rules := value.([]string)
+		existingRules, found := nodeNetworkPolicyIPTablesIPv4[chain]
+		if !found {
+			existingRules = make([]string, 0)
+		}
+		existingRules = append(existingRules, rules...)
+		nodeNetworkPolicyIPTablesIPv4[chain] = existingRules
+		return true
+	})
+
+	// Merge rules defined in wireguardIPTablesIPv6 into nodeNetworkPolicyIPTablesIPv6, since both two feature
+	// has added rules in antreaInputChain and antreaOutputChain.
+	c.wireguardIPTablesIPv6.Range(func(key, value interface{}) bool {
+		chain := key.(string)
+		rules := value.([]string)
+		existingRules, found := nodeNetworkPolicyIPTablesIPv6[chain]
+		if !found {
+			existingRules = make([]string, 0)
+		}
+		existingRules = append(existingRules, rules...)
+		nodeNetworkPolicyIPTablesIPv6[chain] = existingRules
+		return true
+	})
+
 	// Use iptables-restore to configure IPv4 settings.
 	if c.networkConfig.IPv4Enabled {
 		iptablesData := c.restoreIptablesData(c.nodeConfig.PodIPv4CIDR,
@@ -1198,6 +1238,37 @@ func (c *Client) initNodeNetworkPolicy() {
 	}
 }
 
+func (c *Client) initWireguard() {
+	wireguardPort := intstr.FromInt(c.wireguardPort)
+	antreaInputChainRules := []string{
+		iptables.NewRuleBuilder(antreaInputChain).
+			SetComment("Antrea: allow input packets destined at the wireguard port").
+			MatchTransProtocol("udp").
+			MatchPortDst(&wireguardPort, nil).
+			SetTarget(iptables.AcceptTarget).
+			Done().
+			GetRule(),
+	}
+	antreaOutputChainRules := []string{
+		iptables.NewRuleBuilder(antreaOutputChain).
+			SetComment("Antrea: allow output packets destined at the wireguard port").
+			MatchTransProtocol("udp").
+			MatchPortDst(&wireguardPort, nil).
+			SetTarget(iptables.AcceptTarget).
+			Done().
+			GetRule(),
+	}
+
+	if c.networkConfig.IPv6Enabled {
+		c.wireguardIPTablesIPv6.Store(antreaInputChain, antreaInputChainRules)
+		c.wireguardIPTablesIPv6.Store(antreaOutputChain, antreaOutputChainRules)
+	}
+	if c.networkConfig.IPv4Enabled {
+		c.wireguardIPTablesIPv4.Store(antreaInputChain, antreaInputChainRules)
+		c.wireguardIPTablesIPv4.Store(antreaOutputChain, antreaOutputChainRules)
+	}
+}
+
 // Reconcile removes orphaned podCIDRs from ipset and removes routes to orphaned podCIDRs
 // based on the desired podCIDRs.
 func (c *Client) Reconcile(podCIDRs []string) error {