As show in the docs, iptables conditions can also start with '!'
Fixes 01a94e17c77e6ff8e5019e15c42d8d92cf87194f
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
We can't use dnat from the input hook,
depending on nftables (and kernel ?) version we get
"Error: Could not process rule: Operation not supported"
iptables backend also uses prerouting.
Also 'ip6 protocol tcp' is invalid, so rework / simplify the rules
Fixes 01a94e17c77e6ff8e5019e15c42d8d92cf87194f
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
Without waiting for the local/host routes to be added
by the kernel after the IP address is being added to
an interface. The routes requiring the local/host routes
may failed. This caused flaky e2e tests, but could also
happen during the execution of the VRF plugin when the
IPv6 addresses were being re-added to the interface and
when the route were being moved to the VRF table.
Signed-off-by: Lionel Jouin <lionel.jouin@est.tech>
This reverts commit ef076afac1af0b9a8446f72e3343666567bc04dc, reversing
changes made to 597408952e3e7247fb0deef26a3a935c405aa0cf.
Signed-off-by: h0nIg <h0nIg@users.noreply.github.com>
The tests were flaky due to a route with the link-local IP being
automatically added after the test run saves the initial state
(routes before SBR plugin is ran). When the SBR plugin is ran,
the new state is compared with the old state. The new state will
then contain the route with the link-local IP (that has been
added after saving the old state), the old state was not
containing it, so the tests were failing
The solution here is to ignore routes with the link-local IP
for the tests.
fixes: #1096
Signed-off-by: Lionel Jouin <lionel.jouin@est.tech>
* ci, go.mod: bump to go 1.23
Now that go.mod matches our go version, we can stop setting go version
in CI separately.
Signed-off-by: Casey Callendrello <c1@caseyc.net>
* minor: fix lint errors
Bumping golangci-lint to v1.61 introduced some new reasonable checks;
fix the errors they found.
Signed-off-by: Casey Callendrello <c1@caseyc.net>
* ci: bump golangci-lint to v1.61.0
Also, fix some deprecated config directives.
Signed-off-by: Casey Callendrello <c1@caseyc.net>
---------
Signed-off-by: Casey Callendrello <c1@caseyc.net>
* Use of Table ID in IPAM
Signed-off-by: Lionel Jouin <lionel.jouin@est.tech>
* SBR: option to pass the table id
Using the option to set the table number in the SBR meta plugin will
create a policy route for each IP added for the interface returned by
the main plugin.
Unlike the default behavior, the routes will not be moved to the table.
The default behavior of the SBR plugin is kept if the table id is not set.
Signed-off-by: Lionel Jouin <lionel.jouin@est.tech>
---------
Signed-off-by: Lionel Jouin <lionel.jouin@est.tech>
even if json unmarshalling in golang with the standard libs is case unsensitive regarding the keys
Signed-off-by: Raphael <oOraph@users.noreply.github.com>
what changed:
we had to refactor the bandwidth plugin and switch from a classless qdisc (tbf)
to a classful qdisc (htb).
subnets are to be provided in config or runtimeconfig just like other parameters
unit and integration tests were also adapted in consequence
unrelated changes:
test fixes: the most important tests were just silently skipped due to ginkgo Measure deprecation
(the ones actually checking the effectiveness of the traffic control)
Signed-off-by: Raphael <oOraph@users.noreply.github.com>
current route filter uses RT_FILTER_IIF in conjunction with LinkIndex.
This combination is ignored by netlink, rendering the filter
ineffective
Signed-off-by: Poh Chiat Koh <poh@inter.link>
On a recent Fedora Rawhide, dbus-daemon-1.14.8-1 prints a string
prefixed by 'unix:path' instead of the expected 'unix:abstract', thereby
failing the test. Allowing this alternate prefix fixes the test, so for
communication with the daemon it is not relevant.
Signed-off-by: Phil Sutter <psutter@redhat.com>
Just attempt to delete the known rules referring to the custom chain,
then flush and delete it. If the latter succeeds, no referencing rules
are left and the job is done.
If the final flush'n'delete fails, fall back to the referencing rule
search which is slow with large rulesets.
Signed-off-by: Phil Sutter <psutter@redhat.com>
Starting with v0.5.0, go-iptables exports a fast ChainExists() which
does not rely upon listing all chains and searching the results but
probes chain existence by listing its first rule. This should make a
significant difference in rulesets with thousands of chains.
Signed-off-by: Phil Sutter <psutter@redhat.com>
Up until now, if previous plugin assigned routes to interface, movement of
this interface to new VRF cause routes to be deleted.
This patch adds funtionality to VRF plugin to save the routes before
interface is assgined to VRF, and then re-apply all saved routes to new VRF.
Signed-off-by: Artur Korzeniewski <artur.korzeniewski@travelping.com>
This commit updates the import of ginkgo to v2 in
all of the tests.
Signed-off-by: liornoy <lnoy@redhat.com>
Co-authored-by: Sascha Grunert <sgrunert@redhat.com>
