

underlay CNI supports
dcwbq committed Oct 9, 2023
1 parent d0fbae2 commit 39ad3dd
Showing 5 changed files with 470 additions and 6 deletions.
4 changes: 4 additions & 0 deletions charts/values.yaml
Expand Up @@ -34,6 +34,10 @@ feature:
tunnelIpv6Subnet: "fd11::/112"
## @param feature.tunnelDetectMethod Tunnel base on which interface [`defaultRouteInterface`, `interface=eth0`]
tunnelDetectMethod: "defaultRouteInterface"
## @param feature.replyRouteTable host Reply routing table number on gateway node
replyRouteTable: 600
## @param feature.replyRouteTable host iptables mark for reply packet
replyRouteMark: 39
iptables:
## @param feature.iptables.backendMode Iptables mode can be specified as `nft` or `legacy`, with `auto` meaning automatic detection. The default value is `auto`.
backendMode: "auto"
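Review bot: The `@param` annotation above replyRouteMark names the wrong key: it reads `## @param feature.replyRouteTable host iptables mark for reply packet` but sits on `replyRouteMark`, so any tool that builds the chart README from these annotations will likely attach this description to replyRouteTable and leave replyRouteMark undocumented. Change it to `## @param feature.replyRouteMark host iptables mark for reply packet`.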
54 changes: 51 additions & 3 deletions pkg/agent/police.go
Expand Up @@ -275,9 +275,9 @@ func (r *policeReconciler) initApplyPolicy() error {

if _, ok := r.ipsetMap.Load(name); !ok {
err = r.ipset.DestroySet(name)

Check failure on line 277 in pkg/agent/police.go


GitHub Actions / lint-golang

ineffectual assignment to err (ineffassign)
if err != nil {
r.log.Error(err, "clean ipset", "ipset", name)
}
// if err != nil {
// r.log.Error(err, "clean ipset", "ipset", name)
// }
}
}

Expand Down Expand Up @@ -449,6 +449,54 @@ func (r *policeReconciler) getPolicySrcIPs(policyNs, policyName string, filter f
return ipv4List, ipv6List, nil
}

func (r *policeReconciler) buildReplyRules(policyNs, policyName string) ([]egressv1.EgressEndpoint, error) {
ctx := context.Background()
selector, err := metav1.LabelSelectorAsSelector(&metav1.LabelSelector{
MatchLabels: map[string]string{egressv1.LabelPolicyName: policyName},
})
if err != nil {
return nil, err
}
opt := &client.ListOptions{LabelSelector: selector}

notEgressNodeEPs := make([]egressv1.EgressEndpoint, 0)

if policyNs == "" {
eps := new(egressv1.EgressClusterEndpointSliceList)
err = r.client.List(ctx, eps, opt)
if err != nil {
return nil, err
}
for _, ep := range eps.Items {
if ep.DeletionTimestamp.IsZero() {
for _, e := range ep.Endpoints {
if e.Node != r.cfg.EnvConfig.NodeName {
notEgressNodeEPs = append(notEgressNodeEPs, e)

}
}
}
}
} else {
eps := new(egressv1.EgressEndpointSliceList)
err = r.client.List(ctx, eps, opt)
if err != nil {
return nil, err
}
for _, ep := range eps.Items {
if ep.DeletionTimestamp.IsZero() {
for _, e := range ep.Endpoints {
if e.Node != r.cfg.EnvConfig.NodeName {
notEgressNodeEPs = append(notEgressNodeEPs, e)
}
}
}
}
}

return nil, nil
}

func buildEipRule(policyName string, eip IP, version uint8, isIgnoreInternalCIDR bool) *iptables.Rule {
if eip.V4 == "" && eip.V6 == "" {
return nil
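Review bot: buildReplyRules fills notEgressNodeEPs in both the cluster-scoped and the namespaced branch and then discards it with `return nil, nil` on the last line of the function, so every caller receives an empty list and the List calls above are dead work; the final line should be `return notEgressNodeEPs, nil`. The two loops are identical apart from the list type, so a small helper that takes `ep.Endpoints` and appends the entries whose Node differs from `r.cfg.EnvConfig.NodeName` would remove the duplication. In the earlier hunk of this file the check after `err = r.ipset.DestroySet(name)` is commented out while the assignment is kept, which is consistent with the ineffassign annotation on line 277; a failed set removal there now leaves no trace, so either restore `r.log.Error(err, "clean ipset", "ipset", name)` or write `_ = r.ipset.DestroySet(name)` with a comment explaining why a failure is acceptable. buildEipRule begins at the end of this hunk and continues outside it.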
87 changes: 84 additions & 3 deletions pkg/agent/route/route.go
Expand Up @@ -68,14 +68,14 @@ func (r *RuleRoute) Ensure(linkName string, ipv4, ipv6 *net.IP, table int, mark
log := r.log.WithValues("linkName", linkName, "table", table, "mark", mark)

if ipv4 != nil {
err := r.ensureRule(netlink.FAMILY_V4, table, mark, log)
err := r.EnsureRule(netlink.FAMILY_V4, table, mark, log)
if err != nil {
return err
}
}

if ipv6 != nil {
err := r.ensureRule(netlink.FAMILY_V6, table, mark, log)
err := r.EnsureRule(netlink.FAMILY_V6, table, mark, log)
if err != nil {
return err
}
Expand Down Expand Up @@ -139,7 +139,7 @@ func (r *RuleRoute) ensureRoute(link netlink.Link, ip *net.IP, family int, table
return nil
}

func (r *RuleRoute) ensureRule(family int, table int, mark int, log logr.Logger) error {
func (r *RuleRoute) EnsureRule(family int, table int, mark int, log logr.Logger) error {
log = log.WithValues("family", family)
log.V(1).Info("ensure rule")

Expand Down Expand Up @@ -190,3 +190,84 @@ func (r *RuleRoute) ensureRule(family int, table int, mark int, log logr.Logger)
}
return nil
}

func (r *RuleRoute) ensureReplyRoute(link netlink.Link, ip, via net.IP, family int, table int, log logr.Logger) error {
log = log.WithValues("family", family, "ip", ip)
log.V(1).Info("ensure route")

if ip == nil {
return nil
}

routeFilter := &netlink.Route{Table: table}
routes, err := netlink.RouteListFiltered(family, routeFilter, netlink.RT_FILTER_TABLE)
if err != nil {
return err
}

var find bool
for _, route := range routes {
if route.Table == table {
if route.Dst.String() == ip.String() {
if route.Via.String() != via.String() {
log.Info("delete route", "route", route.String())
err := netlink.RouteDel(&route)
if err != nil {
return err
}
continue
}
find = true
}
}
}

if !find {
index := link.Attrs().Index
err = netlink.RouteAdd(&netlink.Route{LinkIndex: index, Dst: &net.IPNet{IP: ip, Mask: net.CIDRMask(1, 32)}, Gw: via, Table: table})
if err != nil {
return err
}
}

return nil
}

func (r *RuleRoute) EnsureReplyRoute(linkName string, ipv4, ipv6, viaIpv4, viaIpv6 net.IP, table int, mark int) error {
if mark == 0 {
return nil
}

log := r.log.WithValues("linkName", linkName, "table", table, "mark", mark)

if ipv4 != nil {
err := r.EnsureRule(netlink.FAMILY_V4, table, mark, log)
if err != nil {
return err
}
}

if ipv6 != nil {
err := r.EnsureRule(netlink.FAMILY_V6, table, mark, log)
if err != nil {
return err
}
}

link, err := netlink.LinkByName(linkName)
if err != nil {
return err
}

log.V(1).Info("get link")

err = r.ensureReplyRoute(link, ipv4, viaIpv4, netlink.FAMILY_V4, table, log)
if err != nil {
return err
}
err = r.ensureReplyRoute(link, ipv6, viaIpv6, netlink.FAMILY_V6, table, log)
if err != nil {
return err
}
return nil
}
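Review bot: The route that ensureReplyRoute adds on the RouteAdd line uses `net.CIDRMask(1, 32)`, which is a /1 prefix rather than a /32 host route, and the same 32-bit mask is also applied when family is FAMILY_V6, so the reply table ends up with an entry covering half of the IPv4 space (or a malformed mask for IPv6) instead of one route per endpoint address; the mask should be derived from family (/32 for FAMILY_V4, /128 for FAMILY_V6). The reconcile loop above it cannot recognise an existing entry either: `route.Dst.String()` yields the `addr/prefix` form while `ip.String()` is the bare address, so find never becomes true and RouteAdd is retried on every pass, and the next-hop comparison reads `route.Via` although the route is created with `Gw: via`, so it compares a field this code never sets (and if Via is nil on those routes that String call is made on a nil value). Because every packet the fwmark rule steers into this table follows these entries, a wrong prefix misdirects traffic rather than merely failing, which is why the rewrite below builds the destination once and compares on the same Dst and Gw the route is created with. The rest of the function is unchanged.

```go
func (r *RuleRoute) ensureReplyRoute(link netlink.Link, ip, via net.IP, family int, table int, log logr.Logger) error {
	// … unchanged: log setup and nil-ip guard …

	// One host route per endpoint address: /32 for IPv4, /128 for IPv6.
	bits := 32
	if family == netlink.FAMILY_V6 {
		bits = 128
	}
	dst := &net.IPNet{IP: ip, Mask: net.CIDRMask(bits, bits)}

	// … unchanged: RouteListFiltered call and its error check …

	var find bool
	for _, route := range routes {
		if route.Table != table || route.Dst == nil || route.Dst.String() != dst.String() {
			continue
		}
		// Same destination but a different next hop: drop it so it is re-added below.
		if !route.Gw.Equal(via) {
			log.Info("delete route", "route", route.String())
			if err := netlink.RouteDel(&route); err != nil {
				return err
			}
			continue
		}
		find = true
	}

	if !find {
		err = netlink.RouteAdd(&netlink.Route{LinkIndex: link.Attrs().Index, Dst: dst, Gw: via, Table: table})
		if err != nil {
			return err
		}
	}

	return nil
}
```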
