Rename
SetupIPMasqForNetwork -> SetupIPMasqForNetworks
TeardownIPMasqForNetwork -> TeardownIPMasqForNetworks
and have them take []*net.IPNet instead of *net.IPNet.
This allows the nftables backend to clean up stale rules and recreate all
needed rules in a single transaction, where previously the stale rules
cleanup was breaking all but the last IPNet.
Fixes 61d078645a6d2a2391a1555ecda3d0a080a45831
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
* ci, go.mod: bump to go 1.23
Now that go.mod matches our go version, we can stop setting go version
in CI separately.
Signed-off-by: Casey Callendrello <c1@caseyc.net>
* minor: fix lint errors
Bumping golangci-lint to v1.61 introduced some new reasonable checks;
fix the errors they found.
Signed-off-by: Casey Callendrello <c1@caseyc.net>
* ci: bump golangci-lint to v1.61.0
Also, fix some deprecated config directives.
Signed-off-by: Casey Callendrello <c1@caseyc.net>
---------
Signed-off-by: Casey Callendrello <c1@caseyc.net>
Currently, we cannot set the metric of routes in dhcp.
It's ok if there is only one network interface.
But if there are multiple network interfaces, and both have a default route,
we need to set the metric of the route to make the traffic
go through the correct network interface.
For host-local and static, we can set the metric with the route.priority option.
But there is no such option for dhcp.
Signed-off-by: Songmin Li <lisongmin@protonmail.com>
* Use of Table ID in IPAM
Signed-off-by: Lionel Jouin <lionel.jouin@est.tech>
* SBR: option to pass the table id
Using the option to set the table number in the SBR meta plugin will
create a policy route for each IP added for the interface returned by
the main plugin.
Unlike the default behavior, the routes will not be moved to the table.
The default behavior of the SBR plugin is kept if the table id is not set.
Signed-off-by: Lionel Jouin <lionel.jouin@est.tech>
---------
Signed-off-by: Lionel Jouin <lionel.jouin@est.tech>
containernetwork/cni#890 introduces CNI_NETNS_OVERRIDE and plugin
testing requires this flag. This change enables CNI_NETNS_OVERRIDE
for further containernetwork/cni vendor update.
Signed-off-by: Tomofumi Hayashi <tohayash@redhat.com>
Starting with v0.5.0, go-iptables exports a fast ChainExists() which
does not rely upon listing all chains and searching the results but
probes chain existence by listing its first rule. This should make a
significant difference in rulesets with thousands of chains.
Signed-off-by: Phil Sutter <psutter@redhat.com>
Store the relevant applied config part for later to extract the rule to
delete from there instead of having to list the ruleset. This is much
faster especially with large rulesets.
Signed-off-by: Phil Sutter <psutter@redhat.com>
Using the ptp plugin with non-default routes, we get the following error
when cri-o calls CheckNetworkList():
```
Expected Route {Dst:{IP:198.18.128.0 Mask:ffff8000} GW:<nil>} not found in routing table
```
Using cniVersion 0.3.1 to bypass the check, we can see that the
route is added with a gateway
```
$ ip r
198.18.0.0/17 via 198.18.0.1 dev eth0 src 198.18.3.102
198.18.0.1 dev eth0 scope link src 198.18.3.102
198.18.128.0/17 via 198.18.0.1 dev eth0
```
If GW is nil only check if we have a route with a DST that matches, and
ignore the GW.
Fixes #886
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
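The relaxed comparison described in the commit above, as an added illustration (not the plugin's own code): a hypothetical `Route` type standing in for netlink routes, and a `routeFound` check that ignores the installed gateway whenever the expected route has none, so the kernel-added `via 198.18.0.1` no longer causes a false "not found".

```go
package main

import (
	"fmt"
	"net"
)

// Route holds the two fields the check compares (hypothetical type; the
// plugin works on netlink routes, which carry the same information).
type Route struct {
	Dst *net.IPNet
	GW  net.IP
}

// sameDst is true when both destinations have the same network IP and mask.
func sameDst(a, b *net.IPNet) bool {
	if a == nil || b == nil {
		return a == b
	}
	return a.IP.Equal(b.IP) && a.Mask.String() == b.Mask.String()
}

// routeFound reports whether expected is present in table. A nil expected GW
// means "any gateway": only Dst is compared; a non-nil GW must match exactly.
func routeFound(expected Route, table []Route) bool {
	for _, r := range table {
		if sameDst(expected.Dst, r.Dst) && (expected.GW == nil || expected.GW.Equal(r.GW)) {
			return true
		}
	}
	return false
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

func main() {
	// Constructed table mirroring the `ip r` output in the commit message.
	table := []Route{
		{Dst: mustCIDR("198.18.0.0/17"), GW: net.ParseIP("198.18.0.1")},
		{Dst: mustCIDR("198.18.0.1/32")},
		{Dst: mustCIDR("198.18.128.0/17"), GW: net.ParseIP("198.18.0.1")},
	}
	fmt.Println(routeFound(Route{Dst: mustCIDR("198.18.128.0/17")}, table)) // true
}
```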
Making sure the exec'ed nft command is executed in 55 secs allows for
CNI to fail early, thus preventing CRI from sending another CNI DEL
while the previous NFT call is still being processed.
This fix prevents part of the behavior described in [0], in which:
> cnv-bridge and nft comes pile up in a loop, increasing every 60, never
completes
The timeout had to be less than 60 seconds (otherwise CRI would still
trigger CNI DEL again) but large enough for this feature to have a
chance of working on older kernels (e.g. centOS 8), where it takes
longer to access even a specific chain/table.
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
Rules are appended by default, thus using an index is redundant.
Using an index also requires the full NFT cache, which causes a CNI ADD
to be extremely slow.
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
This commit updates the import of ginkgo to v2 in
all of the tests.
Signed-off-by: liornoy <lnoy@redhat.com>
Co-authored-by: Sascha Grunert <sgrunert@redhat.com>
1. get the right next IP of addresses of first byte 0
2. refactor some methods to handle illegal IPs or IPNets
3. add some unit tests
Signed-off-by: Bruce Ma <brucema19901024@gmail.com>
This PR brings V2 API support into win-overlay CNI. With the current V1
API, only the docker runtime works for win-overlay. By bringing new changes, we
should be able to use containerd as the runtime. Below are the key
points regarding this implementation.
1. Clear separation for V1 & V2 API support
2. New cni.conf sample that works for win-overlay
Signed-off-by: selansen <esiva@redhat.com>
Signed-off-by: mansikulkarni96 <mankulka@redhat.com>
Calling AddPort before AddProtocol returns an error, which means ConntrackDeleteFilter has been called without port filter.
Signed-off-by: Sang Heon Lee <developistBV@gmail.com>
This commit adds a new parameter `ingressPolicy` (`string`) to the `firewall` plugin.
The supported values are `open` and `same-bridge`.
- `open` is the default and does NOP.
- `same-bridge` creates "CNI-ISOLATION-STAGE-1" and "CNI-ISOLATION-STAGE-2"
that are similar to Docker libnetwork's "DOCKER-ISOLATION-STAGE-1" and
"DOCKER-ISOLATION-STAGE-2" rules.
e.g., when `ns1` and `ns2` are connected to bridge `cni1`, and `ns3` is
connected to bridge `cni2`, the `same-bridge` ingress policy disallows
communications between `ns1` and `ns3`, while allowing communications
between `ns1` and `ns2`.
Please refer to the comment lines in `ingresspolicy.go` for the actual iptables rules.
The `same-bridge` ingress policy is expected to be used in conjunction
with the `bridge` plugin. It may not work as expected with other "main" plugins.
It should also be noted that the `same-bridge` ingress policy executes
raw `iptables` commands directly, even when the `backend` is set to `firewalld`.
We could potentially use the "direct" API of firewalld [1] to execute
iptables via firewalld, but it doesn't seem to have a clear benefit over just directly
executing raw iptables commands.
(Anyway, we have been already executing raw iptables commands in the `portmap` plugin)
[1] https://firewalld.org/documentation/direct/options.html
This commit replaces the `isolation` plugin proposal (issue 573, PR 574).
The design of `ingressPolicy` was discussed in the comments of the withdrawn PR 574,
but `same-network` was renamed to `same-bridge` then.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Use the constants already defined in the golang.org/x/sys/unix package
instead of open-coding them.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>