ITQC/containernetworking-plugins
24
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 34 Wiki Activity

ipmasq: fix nftables backend

Browse Source 
Rename
SetupIPMasqForNetwork -> SetupIPMasqForNetworks
TeardownIPMasqForNetwork -> TeardownIPMasqForNetworks
and have them take []*net.IPNet instead of *net.IPNet.

This allow the nftables backend to cleanup stale rules and recreate all
needed rules in a single transaction, where previously the stale rules
cleanup was breaking all but the last IPNet.

Fixes 61d078645a6d2a2391a1555ecda3d0a080a45831

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
This commit is contained in:
Etienne Champetier 2024-11-11 15:48:35 -05:00 committed by Casey Callendrello
parent 9296c5f80a
commit 6de8a9853c
6 changed files with 120 additions and 70 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
pkg/ip/ipmasq_iptables_linux.go
View File

@ -15,8 +15,10 @@
package ip package ip
import ( import (
"errors"
"fmt" "fmt"
"net" "net"
"strings"
"github.com/coreos/go-iptables/iptables" "github.com/coreos/go-iptables/iptables"
@ -24,17 +26,22 @@ import (
"github.com/containernetworking/plugins/pkg/utils" "github.com/containernetworking/plugins/pkg/utils"
) )
// setupIPMasqIPTables is the iptables-based implementation of SetupIPMasqForNetwork // setupIPMasqIPTables is the iptables-based implementation of SetupIPMasqForNetworks
func setupIPMasqIPTables(ipn *net.IPNet, network, _, containerID string) error { func setupIPMasqIPTables(ipns []*net.IPNet, network, _, containerID string) error {
// Note: for historical reasons, the iptables implementation ignores ifname. // Note: for historical reasons, the iptables implementation ignores ifname.
chain := utils.FormatChainName(network, containerID) chain := utils.FormatChainName(network, containerID)
comment := utils.FormatComment(network, containerID) comment := utils.FormatComment(network, containerID)
return SetupIPMasq(ipn, chain, comment) for _, ip := range ipns {
if err := SetupIPMasq(ip, chain, comment); err != nil {
return err
}
}
return nil
} }
// SetupIPMasq installs iptables rules to masquerade traffic // SetupIPMasq installs iptables rules to masquerade traffic
// coming from ip of ipn and going outside of ipn. // coming from ip of ipn and going outside of ipn.
// Deprecated: This function only supports iptables. Use SetupIPMasqForNetwork, which // Deprecated: This function only supports iptables. Use SetupIPMasqForNetworks, which
// supports both iptables and nftables. // supports both iptables and nftables.
func SetupIPMasq(ipn *net.IPNet, chain string, comment string) error { func SetupIPMasq(ipn *net.IPNet, chain string, comment string) error {
isV6 := ipn.IP.To4() == nil isV6 := ipn.IP.To4() == nil
@ -87,16 +94,28 @@ func SetupIPMasq(ipn *net.IPNet, chain string, comment string) error {
return ipt.AppendUnique("nat", "POSTROUTING", "-s", ipn.IP.String(), "-j", chain, "-m", "comment", "--comment", comment) return ipt.AppendUnique("nat", "POSTROUTING", "-s", ipn.IP.String(), "-j", chain, "-m", "comment", "--comment", comment)
} }
// teardownIPMasqIPTables is the iptables-based implementation of TeardownIPMasqForNetwork // teardownIPMasqIPTables is the iptables-based implementation of TeardownIPMasqForNetworks
func teardownIPMasqIPTables(ipn *net.IPNet, network, _, containerID string) error { func teardownIPMasqIPTables(ipns []*net.IPNet, network, _, containerID string) error {
// Note: for historical reasons, the iptables implementation ignores ifname. // Note: for historical reasons, the iptables implementation ignores ifname.
chain := utils.FormatChainName(network, containerID) chain := utils.FormatChainName(network, containerID)
comment := utils.FormatComment(network, containerID) comment := utils.FormatComment(network, containerID)
return TeardownIPMasq(ipn, chain, comment)
var errs []string
for _, ipn := range ipns {
err := TeardownIPMasq(ipn, chain, comment)
if err != nil {
errs = append(errs, err.Error())
}
}
if errs == nil {
return nil
}
return errors.New(strings.Join(errs, "\n"))
} }
// TeardownIPMasq undoes the effects of SetupIPMasq. // TeardownIPMasq undoes the effects of SetupIPMasq.
// Deprecated: This function only supports iptables. Use TeardownIPMasqForNetwork, which // Deprecated: This function only supports iptables. Use TeardownIPMasqForNetworks, which
// supports both iptables and nftables. // supports both iptables and nftables.
func TeardownIPMasq(ipn *net.IPNet, chain string, comment string) error { func TeardownIPMasq(ipn *net.IPNet, chain string, comment string) error {
isV6 := ipn.IP.To4() == nil isV6 := ipn.IP.To4() == nil

18
pkg/ip/ipmasq_linux.go
View File

@ -24,11 +24,11 @@ import (
"github.com/containernetworking/plugins/pkg/utils" "github.com/containernetworking/plugins/pkg/utils"
) )
// SetupIPMasqForNetwork installs rules to masquerade traffic coming from ip of ipn and // SetupIPMasqForNetworks installs rules to masquerade traffic coming from ips of ipns and
// going outside of ipn, using a chain name based on network, ifname, and containerID. The // going outside of ipns, using a chain name based on network, ifname, and containerID. The
// backend can be either "iptables" or "nftables"; if it is nil, then a suitable default // backend can be either "iptables" or "nftables"; if it is nil, then a suitable default
// implementation will be used. // implementation will be used.
func SetupIPMasqForNetwork(backend *string, ipn *net.IPNet, network, ifname, containerID string) error { func SetupIPMasqForNetworks(backend *string, ipns []*net.IPNet, network, ifname, containerID string) error {
if backend == nil { if backend == nil {
// Prefer iptables, unless only nftables is available // Prefer iptables, unless only nftables is available
defaultBackend := "iptables" defaultBackend := "iptables"
@ -40,27 +40,27 @@ func SetupIPMasqForNetwork(backend *string, ipn *net.IPNet, network, ifname, con
switch *backend { switch *backend {
case "iptables": case "iptables":
return setupIPMasqIPTables(ipn, network, ifname, containerID) return setupIPMasqIPTables(ipns, network, ifname, containerID)
case "nftables": case "nftables":
return setupIPMasqNFTables(ipn, network, ifname, containerID) return setupIPMasqNFTables(ipns, network, ifname, containerID)
default: default:
return fmt.Errorf("unknown ipmasq backend %q", *backend) return fmt.Errorf("unknown ipmasq backend %q", *backend)
} }
} }
// TeardownIPMasqForNetwork undoes the effects of SetupIPMasqForNetwork // TeardownIPMasqForNetworks undoes the effects of SetupIPMasqForNetworks
func TeardownIPMasqForNetwork(ipn *net.IPNet, network, ifname, containerID string) error { func TeardownIPMasqForNetworks(ipns []*net.IPNet, network, ifname, containerID string) error {
var errs []string var errs []string
// Do both the iptables and the nftables cleanup, since the pod may have been // Do both the iptables and the nftables cleanup, since the pod may have been
// created with a different version of this plugin or a different configuration. // created with a different version of this plugin or a different configuration.
err := teardownIPMasqIPTables(ipn, network, ifname, containerID) err := teardownIPMasqIPTables(ipns, network, ifname, containerID)
if err != nil && utils.SupportsIPTables() { if err != nil && utils.SupportsIPTables() {
errs = append(errs, err.Error()) errs = append(errs, err.Error())
} }
err = teardownIPMasqNFTables(ipn, network, ifname, containerID) err = teardownIPMasqNFTables(ipns, network, ifname, containerID)
if err != nil && utils.SupportsNFTables() { if err != nil && utils.SupportsNFTables() {
errs = append(errs, err.Error()) errs = append(errs, err.Error())
} }

50
pkg/ip/ipmasq_nftables_linux.go
View File

@ -72,16 +72,16 @@ func commentForInstance(network, ifname, containerID string) string {
return comment return comment
} }
// setupIPMasqNFTables is the nftables-based implementation of SetupIPMasqForNetwork // setupIPMasqNFTables is the nftables-based implementation of SetupIPMasqForNetworks
func setupIPMasqNFTables(ipn *net.IPNet, network, ifname, containerID string) error { func setupIPMasqNFTables(ipns []*net.IPNet, network, ifname, containerID string) error {
nft, err := knftables.New(knftables.InetFamily, ipMasqTableName) nft, err := knftables.New(knftables.InetFamily, ipMasqTableName)
if err != nil { if err != nil {
return err return err
} }
return setupIPMasqNFTablesWithInterface(nft, ipn, network, ifname, containerID) return setupIPMasqNFTablesWithInterface(nft, ipns, network, ifname, containerID)
} }
func setupIPMasqNFTablesWithInterface(nft knftables.Interface, ipn *net.IPNet, network, ifname, containerID string) error { func setupIPMasqNFTablesWithInterface(nft knftables.Interface, ipns []*net.IPNet, network, ifname, containerID string) error {
staleRules, err := findRules(nft, hashForInstance(network, ifname, containerID)) staleRules, err := findRules(nft, hashForInstance(network, ifname, containerID))
if err != nil { if err != nil {
return err return err
@ -128,37 +128,39 @@ func setupIPMasqNFTablesWithInterface(nft knftables.Interface, ipn *net.IPNet, n
for _, rule := range staleRules { for _, rule := range staleRules {
tx.Delete(rule) tx.Delete(rule)
} }
ip := "ip" for _, ipn := range ipns {
if ipn.IP.To4() == nil { ip := "ip"
ip = "ip6" if ipn.IP.To4() == nil {
ip = "ip6"
}
// e.g. if ipn is "192.168.1.4/24", then dstNet is "192.168.1.0/24"
dstNet := &net.IPNet{IP: ipn.IP.Mask(ipn.Mask), Mask: ipn.Mask}
tx.Add(&knftables.Rule{
Chain: ipMasqChainName,
Rule: knftables.Concat(
ip, "saddr", "==", ipn.IP,
ip, "daddr", "!=", dstNet,
"masquerade",
),
Comment: knftables.PtrTo(commentForInstance(network, ifname, containerID)),
})
} }
// e.g. if ipn is "192.168.1.4/24", then dstNet is "192.168.1.0/24"
dstNet := &net.IPNet{IP: ipn.IP.Mask(ipn.Mask), Mask: ipn.Mask}
tx.Add(&knftables.Rule{
Chain: ipMasqChainName,
Rule: knftables.Concat(
ip, "saddr", "==", ipn.IP,
ip, "daddr", "!=", dstNet,
"masquerade",
),
Comment: knftables.PtrTo(commentForInstance(network, ifname, containerID)),
})
return nft.Run(context.TODO(), tx) return nft.Run(context.TODO(), tx)
} }
// teardownIPMasqNFTables is the nftables-based implementation of TeardownIPMasqForNetwork // teardownIPMasqNFTables is the nftables-based implementation of TeardownIPMasqForNetworks
func teardownIPMasqNFTables(ipn *net.IPNet, network, ifname, containerID string) error { func teardownIPMasqNFTables(ipns []*net.IPNet, network, ifname, containerID string) error {
nft, err := knftables.New(knftables.InetFamily, ipMasqTableName) nft, err := knftables.New(knftables.InetFamily, ipMasqTableName)
if err != nil { if err != nil {
return err return err
} }
return teardownIPMasqNFTablesWithInterface(nft, ipn, network, ifname, containerID) return teardownIPMasqNFTablesWithInterface(nft, ipns, network, ifname, containerID)
} }
func teardownIPMasqNFTablesWithInterface(nft knftables.Interface, _ *net.IPNet, network, ifname, containerID string) error { func teardownIPMasqNFTablesWithInterface(nft knftables.Interface, _ []*net.IPNet, network, ifname, containerID string) error {
rules, err := findRules(nft, hashForInstance(network, ifname, containerID)) rules, err := findRules(nft, hashForInstance(network, ifname, containerID))
if err != nil { if err != nil {
return err return err

61
pkg/ip/ipmasq_nftables_linux_test.go
View File

@ -15,6 +15,7 @@
package ip package ip
import ( import (
"net"
"strings" "strings"
"testing" "testing"
@ -31,43 +32,55 @@ func Test_setupIPMasqNFTables(t *testing.T) {
network string network string
ifname string ifname string
containerID string containerID string
addr string addrs []string
}{ }{
{ {
network: "unit-test", network: "unit-test",
ifname: "eth0", ifname: "eth0",
containerID: "one", containerID: "one",
addr: "192.168.1.1/24", addrs: []string{"192.168.1.1/24"},
}, },
{ {
network: "unit-test", network: "unit-test",
ifname: "eth0", ifname: "eth0",
containerID: "two", containerID: "two",
addr: "192.168.1.2/24", addrs: []string{"192.168.1.2/24", "2001:db8::2/64"},
}, },
{ {
network: "unit-test", network: "unit-test",
ifname: "eth0", ifname: "eth0",
containerID: "three", containerID: "three",
addr: "192.168.99.5/24", addrs: []string{"192.168.99.5/24"},
}, },
{ {
network: "alternate", network: "alternate",
ifname: "net1", ifname: "net1",
containerID: "three", containerID: "three",
addr: "10.0.0.5/24", addrs: []string{
"10.0.0.5/24",
"10.0.0.6/24",
"10.0.1.7/24",
"2001:db8::5/64",
"2001:db8::6/64",
"2001:db8:1::7/64",
},
}, },
} }
for _, c := range containers { for _, c := range containers {
addr, err := netlink.ParseAddr(c.addr) ipns := []*net.IPNet{}
if err != nil { for _, addr := range c.addrs {
t.Fatalf("failed to parse test addr: %v", err) nladdr, err := netlink.ParseAddr(addr)
if err != nil {
t.Fatalf("failed to parse test addr: %v", err)
}
ipns = append(ipns, nladdr.IPNet)
} }
err = setupIPMasqNFTablesWithInterface(nft, addr.IPNet, c.network, c.ifname, c.containerID) err := setupIPMasqNFTablesWithInterface(nft, ipns, c.network, c.ifname, c.containerID)
if err != nil { if err != nil {
t.Fatalf("error from setupIPMasqNFTables: %v", err) t.Fatalf("error from setupIPMasqNFTables: %v", err)
} }
} }
expected := strings.TrimSpace(` expected := strings.TrimSpace(`
@ -76,8 +89,14 @@ add chain inet cni_plugins_masquerade masq_checks { comment "Masquerade traffic
add chain inet cni_plugins_masquerade postrouting { type nat hook postrouting priority 100 ; } add chain inet cni_plugins_masquerade postrouting { type nat hook postrouting priority 100 ; }
add rule inet cni_plugins_masquerade masq_checks ip saddr == 192.168.1.1 ip daddr != 192.168.1.0/24 masquerade comment "6fd94d501e58f0aa-287fc69eff0574a2, net: unit-test, if: eth0, id: one" add rule inet cni_plugins_masquerade masq_checks ip saddr == 192.168.1.1 ip daddr != 192.168.1.0/24 masquerade comment "6fd94d501e58f0aa-287fc69eff0574a2, net: unit-test, if: eth0, id: one"
add rule inet cni_plugins_masquerade masq_checks ip saddr == 192.168.1.2 ip daddr != 192.168.1.0/24 masquerade comment "6fd94d501e58f0aa-d750b2c8f0f25d5f, net: unit-test, if: eth0, id: two" add rule inet cni_plugins_masquerade masq_checks ip saddr == 192.168.1.2 ip daddr != 192.168.1.0/24 masquerade comment "6fd94d501e58f0aa-d750b2c8f0f25d5f, net: unit-test, if: eth0, id: two"
add rule inet cni_plugins_masquerade masq_checks ip6 saddr == 2001:db8::2 ip6 daddr != 2001:db8::/64 masquerade comment "6fd94d501e58f0aa-d750b2c8f0f25d5f, net: unit-test, if: eth0, id: two"
add rule inet cni_plugins_masquerade masq_checks ip saddr == 192.168.99.5 ip daddr != 192.168.99.0/24 masquerade comment "6fd94d501e58f0aa-a4d4adb82b669cfe, net: unit-test, if: eth0, id: three" add rule inet cni_plugins_masquerade masq_checks ip saddr == 192.168.99.5 ip daddr != 192.168.99.0/24 masquerade comment "6fd94d501e58f0aa-a4d4adb82b669cfe, net: unit-test, if: eth0, id: three"
add rule inet cni_plugins_masquerade masq_checks ip saddr == 10.0.0.5 ip daddr != 10.0.0.0/24 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three" add rule inet cni_plugins_masquerade masq_checks ip saddr == 10.0.0.5 ip daddr != 10.0.0.0/24 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
add rule inet cni_plugins_masquerade masq_checks ip saddr == 10.0.0.6 ip daddr != 10.0.0.0/24 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
add rule inet cni_plugins_masquerade masq_checks ip saddr == 10.0.1.7 ip daddr != 10.0.1.0/24 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
add rule inet cni_plugins_masquerade masq_checks ip6 saddr == 2001:db8::5 ip6 daddr != 2001:db8::/64 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
add rule inet cni_plugins_masquerade masq_checks ip6 saddr == 2001:db8::6 ip6 daddr != 2001:db8::/64 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
add rule inet cni_plugins_masquerade masq_checks ip6 saddr == 2001:db8:1::7 ip6 daddr != 2001:db8:1::/64 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
add rule inet cni_plugins_masquerade postrouting ip daddr == 224.0.0.0/4 return add rule inet cni_plugins_masquerade postrouting ip daddr == 224.0.0.0/4 return
add rule inet cni_plugins_masquerade postrouting ip6 daddr == ff00::/8 return add rule inet cni_plugins_masquerade postrouting ip6 daddr == ff00::/8 return
add rule inet cni_plugins_masquerade postrouting goto masq_checks add rule inet cni_plugins_masquerade postrouting goto masq_checks
@ -88,22 +107,18 @@ add rule inet cni_plugins_masquerade postrouting goto masq_checks
} }
// Add a new container reusing "one"'s address, before deleting "one" // Add a new container reusing "one"'s address, before deleting "one"
addr, err := netlink.ParseAddr(containers[0].addr) c := containers[0]
addr, err := netlink.ParseAddr(c.addrs[0])
if err != nil { if err != nil {
t.Fatalf("failed to parse test addr: %v", err) t.Fatalf("failed to parse test addr: %v", err)
} }
err = setupIPMasqNFTablesWithInterface(nft, addr.IPNet, "unit-test", "eth0", "four") err = setupIPMasqNFTablesWithInterface(nft, []*net.IPNet{addr.IPNet}, "unit-test", "eth0", "four")
if err != nil { if err != nil {
t.Fatalf("error from setupIPMasqNFTables: %v", err) t.Fatalf("error from setupIPMasqNFTables: %v", err)
} }
// Remove "one" // Remove "one"
c := containers[0] err = teardownIPMasqNFTablesWithInterface(nft, []*net.IPNet{addr.IPNet}, c.network, c.ifname, c.containerID)
addr, err = netlink.ParseAddr(c.addr)
if err != nil {
t.Fatalf("failed to parse test addr: %v", err)
}
err = teardownIPMasqNFTablesWithInterface(nft, addr.IPNet, c.network, c.ifname, c.containerID)
if err != nil { if err != nil {
t.Fatalf("error from teardownIPMasqNFTables: %v", err) t.Fatalf("error from teardownIPMasqNFTables: %v", err)
} }
@ -114,8 +129,14 @@ add table inet cni_plugins_masquerade { comment "Masquerading for plugins from g
add chain inet cni_plugins_masquerade masq_checks { comment "Masquerade traffic from certain IPs to any (non-multicast) IP outside their subnet" ; } add chain inet cni_plugins_masquerade masq_checks { comment "Masquerade traffic from certain IPs to any (non-multicast) IP outside their subnet" ; }
add chain inet cni_plugins_masquerade postrouting { type nat hook postrouting priority 100 ; } add chain inet cni_plugins_masquerade postrouting { type nat hook postrouting priority 100 ; }
add rule inet cni_plugins_masquerade masq_checks ip saddr == 192.168.1.2 ip daddr != 192.168.1.0/24 masquerade comment "6fd94d501e58f0aa-d750b2c8f0f25d5f, net: unit-test, if: eth0, id: two" add rule inet cni_plugins_masquerade masq_checks ip saddr == 192.168.1.2 ip daddr != 192.168.1.0/24 masquerade comment "6fd94d501e58f0aa-d750b2c8f0f25d5f, net: unit-test, if: eth0, id: two"
add rule inet cni_plugins_masquerade masq_checks ip6 saddr == 2001:db8::2 ip6 daddr != 2001:db8::/64 masquerade comment "6fd94d501e58f0aa-d750b2c8f0f25d5f, net: unit-test, if: eth0, id: two"
add rule inet cni_plugins_masquerade masq_checks ip saddr == 192.168.99.5 ip daddr != 192.168.99.0/24 masquerade comment "6fd94d501e58f0aa-a4d4adb82b669cfe, net: unit-test, if: eth0, id: three" add rule inet cni_plugins_masquerade masq_checks ip saddr == 192.168.99.5 ip daddr != 192.168.99.0/24 masquerade comment "6fd94d501e58f0aa-a4d4adb82b669cfe, net: unit-test, if: eth0, id: three"
add rule inet cni_plugins_masquerade masq_checks ip saddr == 10.0.0.5 ip daddr != 10.0.0.0/24 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three" add rule inet cni_plugins_masquerade masq_checks ip saddr == 10.0.0.5 ip daddr != 10.0.0.0/24 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
add rule inet cni_plugins_masquerade masq_checks ip saddr == 10.0.0.6 ip daddr != 10.0.0.0/24 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
add rule inet cni_plugins_masquerade masq_checks ip saddr == 10.0.1.7 ip daddr != 10.0.1.0/24 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
add rule inet cni_plugins_masquerade masq_checks ip6 saddr == 2001:db8::5 ip6 daddr != 2001:db8::/64 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
add rule inet cni_plugins_masquerade masq_checks ip6 saddr == 2001:db8::6 ip6 daddr != 2001:db8::/64 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
add rule inet cni_plugins_masquerade masq_checks ip6 saddr == 2001:db8:1::7 ip6 daddr != 2001:db8:1::/64 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
add rule inet cni_plugins_masquerade masq_checks ip saddr == 192.168.1.1 ip daddr != 192.168.1.0/24 masquerade comment "6fd94d501e58f0aa-e766de567ef6c543, net: unit-test, if: eth0, id: four" add rule inet cni_plugins_masquerade masq_checks ip saddr == 192.168.1.1 ip daddr != 192.168.1.0/24 masquerade comment "6fd94d501e58f0aa-e766de567ef6c543, net: unit-test, if: eth0, id: four"
add rule inet cni_plugins_masquerade postrouting ip daddr == 224.0.0.0/4 return add rule inet cni_plugins_masquerade postrouting ip daddr == 224.0.0.0/4 return
add rule inet cni_plugins_masquerade postrouting ip6 daddr == ff00::/8 return add rule inet cni_plugins_masquerade postrouting ip6 daddr == ff00::/8 return
@ -150,8 +171,14 @@ add table inet cni_plugins_masquerade { comment "Masquerading for plugins from g
add chain inet cni_plugins_masquerade masq_checks { comment "Masquerade traffic from certain IPs to any (non-multicast) IP outside their subnet" ; } add chain inet cni_plugins_masquerade masq_checks { comment "Masquerade traffic from certain IPs to any (non-multicast) IP outside their subnet" ; }
add chain inet cni_plugins_masquerade postrouting { type nat hook postrouting priority 100 ; } add chain inet cni_plugins_masquerade postrouting { type nat hook postrouting priority 100 ; }
add rule inet cni_plugins_masquerade masq_checks ip saddr == 192.168.1.2 ip daddr != 192.168.1.0/24 masquerade comment "6fd94d501e58f0aa-d750b2c8f0f25d5f, net: unit-test, if: eth0, id: two" add rule inet cni_plugins_masquerade masq_checks ip saddr == 192.168.1.2 ip daddr != 192.168.1.0/24 masquerade comment "6fd94d501e58f0aa-d750b2c8f0f25d5f, net: unit-test, if: eth0, id: two"
add rule inet cni_plugins_masquerade masq_checks ip6 saddr == 2001:db8::2 ip6 daddr != 2001:db8::/64 masquerade comment "6fd94d501e58f0aa-d750b2c8f0f25d5f, net: unit-test, if: eth0, id: two"
add rule inet cni_plugins_masquerade masq_checks ip saddr == 192.168.99.5 ip daddr != 192.168.99.0/24 masquerade comment "6fd94d501e58f0aa-a4d4adb82b669cfe, net: unit-test, if: eth0, id: three" add rule inet cni_plugins_masquerade masq_checks ip saddr == 192.168.99.5 ip daddr != 192.168.99.0/24 masquerade comment "6fd94d501e58f0aa-a4d4adb82b669cfe, net: unit-test, if: eth0, id: three"
add rule inet cni_plugins_masquerade masq_checks ip saddr == 10.0.0.5 ip daddr != 10.0.0.0/24 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three" add rule inet cni_plugins_masquerade masq_checks ip saddr == 10.0.0.5 ip daddr != 10.0.0.0/24 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
add rule inet cni_plugins_masquerade masq_checks ip saddr == 10.0.0.6 ip daddr != 10.0.0.0/24 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
add rule inet cni_plugins_masquerade masq_checks ip saddr == 10.0.1.7 ip daddr != 10.0.1.0/24 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
add rule inet cni_plugins_masquerade masq_checks ip6 saddr == 2001:db8::5 ip6 daddr != 2001:db8::/64 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
add rule inet cni_plugins_masquerade masq_checks ip6 saddr == 2001:db8::6 ip6 daddr != 2001:db8::/64 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
add rule inet cni_plugins_masquerade masq_checks ip6 saddr == 2001:db8:1::7 ip6 daddr != 2001:db8:1::/64 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
add rule inet cni_plugins_masquerade postrouting ip daddr == 224.0.0.0/4 return add rule inet cni_plugins_masquerade postrouting ip daddr == 224.0.0.0/4 return
add rule inet cni_plugins_masquerade postrouting ip6 daddr == ff00::/8 return add rule inet cni_plugins_masquerade postrouting ip6 daddr == ff00::/8 return
add rule inet cni_plugins_masquerade postrouting goto masq_checks add rule inet cni_plugins_masquerade postrouting goto masq_checks

14
plugins/main/bridge/bridge.go
View File

@ -668,10 +668,12 @@ func cmdAdd(args *skel.CmdArgs) error {
} }
if n.IPMasq { if n.IPMasq {
ipns := []*net.IPNet{}
for _, ipc := range result.IPs { for _, ipc := range result.IPs {
if err = ip.SetupIPMasqForNetwork(n.IPMasqBackend, &ipc.Address, n.Name, args.IfName, args.ContainerID); err != nil { ipns = append(ipns, &ipc.Address)
return err }
} if err = ip.SetupIPMasqForNetworks(n.IPMasqBackend, ipns, n.Name, args.IfName, args.ContainerID); err != nil {
return err
} }
} }
} else if !n.DisableContainerInterface { } else if !n.DisableContainerInterface {
@ -807,10 +809,8 @@ func cmdDel(args *skel.CmdArgs) error {
} }
if isLayer3 && n.IPMasq { if isLayer3 && n.IPMasq {
for _, ipn := range ipnets { if err := ip.TeardownIPMasqForNetworks(ipnets, n.Name, args.IfName, args.ContainerID); err != nil {
if err := ip.TeardownIPMasqForNetwork(ipn, n.Name, args.IfName, args.ContainerID); err != nil { return err
return err
}
} }
} }

12
plugins/main/ptp/ptp.go
View File

@ -229,10 +229,12 @@ func cmdAdd(args *skel.CmdArgs) error {
} }
if conf.IPMasq { if conf.IPMasq {
ipns := []*net.IPNet{}
for _, ipc := range result.IPs { for _, ipc := range result.IPs {
if err = ip.SetupIPMasqForNetwork(conf.IPMasqBackend, &ipc.Address, conf.Name, args.IfName, args.ContainerID); err != nil { ipns = append(ipns, &ipc.Address)
return err }
} if err = ip.SetupIPMasqForNetworks(conf.IPMasqBackend, ipns, conf.Name, args.IfName, args.ContainerID); err != nil {
return err
} }
} }
@ -291,8 +293,8 @@ func cmdDel(args *skel.CmdArgs) error {
} }
if len(ipnets) != 0 && conf.IPMasq { if len(ipnets) != 0 && conf.IPMasq {
for _, ipn := range ipnets { if err := ip.TeardownIPMasqForNetworks(ipnets, conf.Name, args.IfName, args.ContainerID); err != nil {
err = ip.TeardownIPMasqForNetwork(ipn, conf.Name, args.IfName, args.ContainerID) return err
} }
} }