From a27e176039549b00d8d914c387f565013f5315d3 Mon Sep 17 00:00:00 2001
From: Mengxin Liu
Date: Tue, 20 Oct 2020 16:38:51 +0800
Subject: [PATCH] fix: ipt wrong order and add cluster route

---
 dist/images/uninstall.sh | 2 ++
 pkg/daemon/controller.go | 13 ++++++++++---
 pkg/daemon/gateway.go | 6 ++++--
 3 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/dist/images/uninstall.sh b/dist/images/uninstall.sh
index f30688692db..11124c56863 100644
--- a/dist/images/uninstall.sh
+++ b/dist/images/uninstall.sh
@@ -7,6 +7,7 @@ iptables -t nat -D POSTROUTING -m set --match-set ovn40local-pod-ip-nat src -m s
 iptables -t nat -D POSTROUTING -m set ! --match-set ovn40subnets src -m set --match-set ovn40subnets-nat dst -j RETURN
 iptables -t nat -D POSTROUTING -m set ! --match-set ovn40subnets src -m set --match-set ovn40local-pod-ip-nat dst -j RETURN
 iptables -t nat -D POSTROUTING -m set --match-set ovn40subnets src -m set --match-set ovn40subnets dst -j MASQUERADE
+iptables -t nat -D POSTROUTING -m set --match-set ovn40subnets src -m set --match-set ovn40subnets dst -j RETURN
 iptables -t filter -D INPUT -m set --match-set ovn40subnets dst -j ACCEPT
 iptables -t filter -D INPUT -m set --match-set ovn40subnets src -j ACCEPT
 iptables -t filter -D FORWARD -m set --match-set ovn40subnets dst -j ACCEPT
@@ -21,6 +22,7 @@ ip6tables -t nat -D POSTROUTING -m set --match-set ovn60local-pod-ip-nat src -m
 ip6tables -t nat -D POSTROUTING -m set ! --match-set ovn60subnets src -m set --match-set ovn60subnets-nat dst -j RETURN
 ip6tables -t nat -D POSTROUTING -m set ! --match-set ovn60subnets src -m set --match-set ovn60local-pod-ip-nat dst -j RETURN
 ip6tables -t nat -D POSTROUTING -m set --match-set ovn60subnets src -m set --match-set ovn60subnets dst -j MASQUERADE
+ip6tables -t nat -D POSTROUTING -m set --match-set ovn60subnets src -m set --match-set ovn60subnets dst -j RETURN
 ip6tables -t filter -D INPUT -m set --match-set ovn60subnets dst -j ACCEPT
 ip6tables -t filter -D INPUT -m set --match-set ovn60subnets src -j ACCEPT
 ip6tables -t filter -D FORWARD -m set --match-set ovn60subnets dst -j ACCEPT
diff --git a/pkg/daemon/controller.go b/pkg/daemon/controller.go
index 66b1b3c54c6..24493c65091 100644
--- a/pkg/daemon/controller.go
+++ b/pkg/daemon/controller.go
@@ -185,7 +185,8 @@ func (c *Controller) reconcileRouters() error {
 klog.Errorf("failed to list namespace %v", err)
 return err
 }
- cidrs := make([]string, 0, len(subnets))
+ cidrs := make([]string, 0, len(subnets)+1)
+ cidrs = append(cidrs, c.config.ServiceClusterIPRange)
 for _, subnet := range subnets {
 if !subnet.Status.IsReady() || subnet.Spec.UnderlayGateway {
 continue
@@ -234,8 +235,14 @@ func (c *Controller) reconcileRouters() error {
 _, cidr, _ := net.ParseCIDR(r)
 gw := net.ParseIP(gateway)
 src := net.ParseIP(c.internalIP)
- if err = netlink.RouteReplace(&netlink.Route{Dst: cidr, LinkIndex: nic.Attrs().Index, Scope: netlink.SCOPE_UNIVERSE, Gw: gw, Src: src}); err != nil {
- klog.Errorf("failed to add route %v", err)
+ if r == c.config.ServiceClusterIPRange {
+ if err = netlink.RouteReplace(&netlink.Route{Dst: cidr, LinkIndex: nic.Attrs().Index, Scope: netlink.SCOPE_UNIVERSE, Gw: gw}); err != nil {
+ klog.Errorf("failed to add route %v", err)
+ }
+ } else {
+ if err = netlink.RouteReplace(&netlink.Route{Dst: cidr, LinkIndex: nic.Attrs().Index, Scope: netlink.SCOPE_UNIVERSE, Gw: gw, Src: src}); err != nil {
+ klog.Errorf("failed to add route %v", err)
+ }
 }
 }
 return err
diff --git a/pkg/daemon/gateway.go b/pkg/daemon/gateway.go
index a9f46982c3d..0cc6c673ab5 100644
--- a/pkg/daemon/gateway.go
+++ b/pkg/daemon/gateway.go
@@ -26,7 +26,7 @@ const (
 var (
 v4Rules = []util.IPTableRule{
 // This rule makes sure we don't NAT traffic within overlay network
- {Table: "nat", Chain: "POSTROUTING", Rule: strings.Split(`-m set --match-set ovn40subnets src -m set --match-set ovn40subnets dst -j MASQUERADE`, " ")},
+ {Table: "nat", Chain: "POSTROUTING", Rule: strings.Split(`-m set --match-set ovn40subnets src -m set --match-set ovn40subnets dst -j RETURN`, " ")},
 // Prevent performing Masquerade on external traffic which arrives from a Node that owns the Pod/Subnet IP
 {Table: "nat", Chain: "POSTROUTING", Rule: strings.Split(`-m set ! --match-set ovn40subnets src -m set --match-set ovn40local-pod-ip-nat dst -j RETURN`, " ")},
 {Table: "nat", Chain: "POSTROUTING", Rule: strings.Split(`-m set ! --match-set ovn40subnets src -m set --match-set ovn40subnets-nat dst -j RETURN`, " ")},
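Review bot: The new `r == c.config.ServiceClusterIPRange` branch still depends on `_, cidr, _ := net.ParseCIDR(r)` three lines above, which discards the parse error, and the -185 hunk appends ServiceClusterIPRange to `cidrs` without checking it is set; an empty or malformed value therefore reaches RouteReplace with a nil `cidr`, and netlink treats a nil Dst as the default route, so the node's default route would be replaced by the pod gateway. The two branches also duplicate the RouteReplace call and differ only in Src, and each iteration overwrites `err`, so only the last route's outcome reaches `return err` (pre-existing, but now duplicated). Parse first, skip entries that do not parse, and build the route once, setting Src only for pod subnets. The enclosing loop and reconcileRouters begin outside the hunk.
```go
		var cidr *net.IPNet
		if _, cidr, err = net.ParseCIDR(r); err != nil {
			klog.Errorf("failed to parse cidr %s: %v", r, err)
			continue
		}
		route := &netlink.Route{Dst: cidr, LinkIndex: nic.Attrs().Index, Scope: netlink.SCOPE_UNIVERSE, Gw: net.ParseIP(gateway)}
		// The service CIDR route carries no preferred source; pod subnet routes keep the node's internal IP.
		if r != c.config.ServiceClusterIPRange {
			route.Src = net.ParseIP(c.internalIP)
		}
		if err = netlink.RouteReplace(route); err != nil {
			klog.Errorf("failed to add route %v", err)
		}
```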
@@ -42,7 +42,7 @@ var (
 }
 v6Rules = []util.IPTableRule{
 // This rule makes sure we don't NAT traffic within overlay network
- {Table: "nat", Chain: "POSTROUTING", Rule: strings.Split(`-m set --match-set ovn60subnets src -m set --match-set ovn60subnets dst -j MASQUERADE`, " ")},
+ {Table: "nat", Chain: "POSTROUTING", Rule: strings.Split(`-m set --match-set ovn60subnets src -m set --match-set ovn60subnets dst -j RETURN`, " ")},
 // Prevent performing Masquerade on external traffic which arrives from a Node that owns the Pod/Subnet IP
 {Table: "nat", Chain: "POSTROUTING", Rule: strings.Split(`-m set ! --match-set ovn40subnets src -m set --match-set ovn60local-pod-ip-nat dst -j RETURN`, " ")},
 {Table: "nat", Chain: "POSTROUTING", Rule: strings.Split(`-m set ! --match-set ovn40subnets src -m set --match-set ovn60subnets-nat dst -j RETURN`, " ")},
@@ -97,6 +97,8 @@ func (c *Controller) runGateway() {
 } else {
 iptableRules = v6Rules
 }
+ iptableRules[0], iptableRules[1], iptableRules[3], iptableRules[4] =
+ iptableRules[4], iptableRules[3], iptableRules[1], iptableRules[0]
 for _, iptRule := range iptableRules {
 exists, err := c.iptable.Exists(iptRule.Table, iptRule.Chain, iptRule.Rule...)
 if err != nil {
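Review bot: The two context rules kept below the changed line match `! --match-set ovn40subnets src` inside the IPv6 rule list, while the ip6tables deletions for the same rules in dist/images/uninstall.sh (hunk at -21) match `ovn60subnets src`; if the daemon installs the rules as written here, the uninstall script's `-D` would not find them and they would survive an uninstall, and an IPv4 set name in an ip6tables rule is unlikely to be intended. This is outside the changed line, so confirm against the ipset definitions before changing both rules to `ovn60subnets`. The v6Rules literal continues past the end of the hunk.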
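Review bot: The added four-way swap rewrites `iptableRules` in place, and since `iptableRules` is assigned the package-level `v4Rules`/`v6Rules` slice (the v6 assignment is visible just above), it reorders those package variables too; if runGateway is invoked more than once per process, which is not visible here, every second call restores the original order, and the hard-coded indices 0, 1, 3, 4 silently break the moment a rule is added to or removed from the literals. Declaring the literals in the order they must be applied and dropping the swap is the simpler fix; if the runtime reorder must stay, copy first with `rules := append([]util.IPTableRule(nil), iptableRules...)` and swap the copy, and add a comment such as `// rules are applied in reverse of their final chain position` stating why the order differs from the declaration. The rest of runGateway lies outside the hunk.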