As shown in the docs, iptables conditions can also start with '!'
Fixes 01a94e17c77e6ff8e5019e15c42d8d92cf87194f
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
Rename
SetupIPMasqForNetwork -> SetupIPMasqForNetworks
TeardownIPMasqForNetwork -> TeardownIPMasqForNetworks
and have them take []*net.IPNet instead of *net.IPNet.
This allows the nftables backend to clean up stale rules and recreate all
needed rules in a single transaction, where previously the stale rules
cleanup was breaking all but the last IPNet.
Fixes 61d078645a6d2a2391a1555ecda3d0a080a45831
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
We can't use dnat from the input hook;
depending on the nftables (and kernel?) version we get
"Error: Could not process rule: Operation not supported".
The iptables backend also uses prerouting.
Also 'ip6 protocol tcp' is invalid, so rework / simplify the rules.
Fixes 01a94e17c77e6ff8e5019e15c42d8d92cf87194f
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
The dhcp server is systemd-networkd, and the dhcp
plugin can request an ip but cannot renew it.
systemd-networkd just ignores the renew request.
```
2024/09/14 21:46:00 no DHCP packet received within 10s
2024/09/14 21:46:00 retrying in 31.529038 seconds
2024/09/14 21:46:42 no DHCP packet received within 10s
2024/09/14 21:46:42 retrying in 63.150490 seconds
2024/09/14 21:47:45 98184616c91f15419f5cacd012697f85afaa2daeb5d3233e28b0ec21589fb45a/iot/eth1: no more tries
2024/09/14 21:47:45 98184616c91f15419f5cacd012697f85afaa2daeb5d3233e28b0ec21589fb45a/iot/eth1: renewal time expired, rebinding
2024/09/14 21:47:45 Link "eth1" down. Attempting to set up
2024/09/14 21:47:45 98184616c91f15419f5cacd012697f85afaa2daeb5d3233e28b0ec21589fb45a/iot/eth1: lease rebound, expiration is 2024-09-14 22:47:45.309270751 +0800 CST m=+11730.048516519
```
Following https://datatracker.ietf.org/doc/html/rfc2131#section-4.3.6,
the following options must not be sent in a renew:
- Requested IP Address
- Server Identifier
Since the upstream code has been inactive for 6 years,
we should switch to another dhcpv4 library.
The new selected one is https://github.com/insomniacslk/dhcp.
Signed-off-by: Songmin Li <lisongmin@protonmail.com>
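The RFC 2131 section 4.3.6 rule in the commit above, as an added check (example code, not part of the plugin or of the dhcp library it switches to); the option codes are the standard RFC 2132 values and the sample packet bytes are constructed:

```go
package main
import "errors"

// DHCP option codes used below (standard RFC 2132 values).
const (
	optPad              = 0
	optRequestedIP      = 50
	optServerIdentifier = 54
	optEnd              = 255
)

// Constructed sample: a renew DHCPREQUEST (53) that wrongly carries options 50 and 54.
var badRenew = []byte{53, 1, 3, 50, 4, 10, 0, 0, 5, 54, 4, 10, 0, 0, 1, 255}

// parseOptions decodes the DHCP option TLV area that follows the magic cookie.
func parseOptions(b []byte) (map[byte][]byte, error) {
	opts := map[byte][]byte{}
	for i := 0; i < len(b); {
		code := b[i]
		if code == optPad {
			i++
			continue
		}
		if code == optEnd {
			return opts, nil
		}
		if i+1 >= len(b) || i+2+int(b[i+1]) > len(b) {
			return nil, errors.New("truncated DHCP option")
		}
		l := int(b[i+1])
		opts[code] = b[i+2 : i+2+l]
		i += 2 + l
	}
	return nil, errors.New("missing End option")
}

// checkRenewRequest enforces RFC 2131 4.3.6 for a DHCPREQUEST in RENEWING/REBINDING
// state: ciaddr holds the lease address, and options 50 and 54 must be absent.
func checkRenewRequest(ciaddr [4]byte, opts map[byte][]byte) error {
	if ciaddr == ([4]byte{}) {
		return errors.New("renew: ciaddr must hold the client's current address")
	}
	if _, ok := opts[optRequestedIP]; ok {
		return errors.New("renew: Requested IP Address (option 50) must not be sent")
	}
	if _, ok := opts[optServerIdentifier]; ok {
		return errors.New("renew: Server Identifier (option 54) must not be sent")
	}
	return nil
}
```

A server such as systemd-networkd that silently drops a non-conforming renew shows up only as the "no DHCP packet received" retries in the log above, so validating the request before sending is the cheaper place to catch it.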
Without waiting for the local/host routes to be added
by the kernel after the IP address is added to
an interface, the routes requiring the local/host routes
may fail. This caused flaky e2e tests, but could also
happen during the execution of the VRF plugin when the
IPv6 addresses were being re-added to the interface and
when the routes were being moved to the VRF table.
Signed-off-by: Lionel Jouin <lionel.jouin@est.tech>
This reverts commit ef076afac1af0b9a8446f72e3343666567bc04dc, reversing
changes made to 597408952e3e7247fb0deef26a3a935c405aa0cf.
Signed-off-by: h0nIg <h0nIg@users.noreply.github.com>
The tests were flaky due to a route with the link-local IP being
automatically added after the test run saves the initial state
(routes before the SBR plugin is run). When the SBR plugin is run,
the new state is compared with the old state. The new state will
then contain the route with the link-local IP (that has been
added after saving the old state), while the old state did not
contain it, so the tests were failing.
The solution here is to ignore routes with the link-local IP
for the tests.
fixes: #1096
Signed-off-by: Lionel Jouin <lionel.jouin@est.tech>
* ci, go.mod: bump to go 1.23
Now that go.mod matches our go version, we can stop setting go version
in CI separately.
Signed-off-by: Casey Callendrello <c1@caseyc.net>
* minor: fix lint errors
Bumping golangci-lint to v1.61 introduced some new reasonable checks;
fix the errors they found.
Signed-off-by: Casey Callendrello <c1@caseyc.net>
* ci: bump golangci-lint to v1.61.0
Also, fix some deprecated config directives.
Signed-off-by: Casey Callendrello <c1@caseyc.net>
---------
Signed-off-by: Casey Callendrello <c1@caseyc.net>
Currently, we cannot set the metric of routes in dhcp.
It's ok if there is only one network interface.
But if there are multiple network interfaces, and both have a default route,
we need to set the metric of the route to make the traffic
go through the correct network interface.
For host-local and static, we can set the metric with the route.priority option.
But there is no such option for dhcp.
Signed-off-by: Songmin Li <lisongmin@protonmail.com>
* Use of Table ID in IPAM
Signed-off-by: Lionel Jouin <lionel.jouin@est.tech>
* SBR: option to pass the table id
Using the option to set the table number in the SBR meta plugin will
create a policy route for each IP added for the interface returned by
the main plugin.
Unlike the default behavior, the routes will not be moved to the table.
The default behavior of the SBR plugin is kept if the table id is not set.
Signed-off-by: Lionel Jouin <lionel.jouin@est.tech>
---------
Signed-off-by: Lionel Jouin <lionel.jouin@est.tech>
From the dhcp daemon log, we can see that dhcp fails to acquire
the lease when the link is down, and succeeds on retry.
```
2024/08/21 21:30:44 macvlan-dhcp/eth1: acquiring lease
2024/08/21 21:30:44 Link "eth1" down. Attempting to set up
2024/08/21 21:30:44 network is down
2024/08/21 21:30:44 retrying in 2.641696 seconds
2024/08/21 21:30:49 macvlan-dhcp/eth1: lease acquired, expiration is 2024-08-22 09:30:49.755367962 +0800 CST m=+43205.712107889
```
After moving the link setup code to the beginning of the function,
dhcp succeeds on the first try.
```
2024/08/21 22:04:02 macvlan-dhcp/eth1: acquiring lease
2024/08/21 22:04:02 Link "eth1" down. Attempting to set up
2024/08/21 22:04:05 macvlan-dhcp/eth1: lease acquired, expiration is 2024-08-22 10:04:05.297887726 +0800 CST m=+43203.081141304
```
Signed-off-by: Songmin Li <lisongmin@protonmail.com>
We were using the go.mod version, which we don't change as frequently.
Switch to use the GO_VERSION defined in the workflow file.
Signed-off-by: Casey Callendrello <c1@caseyc.net>