6de8a9853c
Rename SetupIPMasqForNetwork -> SetupIPMasqForNetworks TeardownIPMasqForNetwork -> TeardownIPMasqForNetworks and have them take []*net.IPNet instead of *net.IPNet. This allow the nftables backend to cleanup stale rules and recreate all needed rules in a single transaction, where previously the stale rules cleanup was breaking all but the last IPNet. Fixes 61d078645a6d2a2391a1555ecda3d0a080a45831 Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
214 lines
12 KiB
Go
214 lines
12 KiB
Go
// Copyright 2023 CNI authors
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package ip
|
|
|
|
import (
|
|
"net"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/vishvananda/netlink"
|
|
"sigs.k8s.io/knftables"
|
|
|
|
"github.com/containernetworking/cni/pkg/types"
|
|
)
|
|
|
|
func Test_setupIPMasqNFTables(t *testing.T) {
|
|
nft := knftables.NewFake(knftables.InetFamily, ipMasqTableName)
|
|
|
|
containers := []struct {
|
|
network string
|
|
ifname string
|
|
containerID string
|
|
addrs []string
|
|
}{
|
|
{
|
|
network: "unit-test",
|
|
ifname: "eth0",
|
|
containerID: "one",
|
|
addrs: []string{"192.168.1.1/24"},
|
|
},
|
|
{
|
|
network: "unit-test",
|
|
ifname: "eth0",
|
|
containerID: "two",
|
|
addrs: []string{"192.168.1.2/24", "2001:db8::2/64"},
|
|
},
|
|
{
|
|
network: "unit-test",
|
|
ifname: "eth0",
|
|
containerID: "three",
|
|
addrs: []string{"192.168.99.5/24"},
|
|
},
|
|
{
|
|
network: "alternate",
|
|
ifname: "net1",
|
|
containerID: "three",
|
|
addrs: []string{
|
|
"10.0.0.5/24",
|
|
"10.0.0.6/24",
|
|
"10.0.1.7/24",
|
|
"2001:db8::5/64",
|
|
"2001:db8::6/64",
|
|
"2001:db8:1::7/64",
|
|
},
|
|
},
|
|
}
|
|
|
|
for _, c := range containers {
|
|
ipns := []*net.IPNet{}
|
|
for _, addr := range c.addrs {
|
|
nladdr, err := netlink.ParseAddr(addr)
|
|
if err != nil {
|
|
t.Fatalf("failed to parse test addr: %v", err)
|
|
}
|
|
ipns = append(ipns, nladdr.IPNet)
|
|
}
|
|
err := setupIPMasqNFTablesWithInterface(nft, ipns, c.network, c.ifname, c.containerID)
|
|
if err != nil {
|
|
t.Fatalf("error from setupIPMasqNFTables: %v", err)
|
|
}
|
|
|
|
}
|
|
|
|
expected := strings.TrimSpace(`
|
|
add table inet cni_plugins_masquerade { comment "Masquerading for plugins from github.com/containernetworking/plugins" ; }
|
|
add chain inet cni_plugins_masquerade masq_checks { comment "Masquerade traffic from certain IPs to any (non-multicast) IP outside their subnet" ; }
|
|
add chain inet cni_plugins_masquerade postrouting { type nat hook postrouting priority 100 ; }
|
|
add rule inet cni_plugins_masquerade masq_checks ip saddr == 192.168.1.1 ip daddr != 192.168.1.0/24 masquerade comment "6fd94d501e58f0aa-287fc69eff0574a2, net: unit-test, if: eth0, id: one"
|
|
add rule inet cni_plugins_masquerade masq_checks ip saddr == 192.168.1.2 ip daddr != 192.168.1.0/24 masquerade comment "6fd94d501e58f0aa-d750b2c8f0f25d5f, net: unit-test, if: eth0, id: two"
|
|
add rule inet cni_plugins_masquerade masq_checks ip6 saddr == 2001:db8::2 ip6 daddr != 2001:db8::/64 masquerade comment "6fd94d501e58f0aa-d750b2c8f0f25d5f, net: unit-test, if: eth0, id: two"
|
|
add rule inet cni_plugins_masquerade masq_checks ip saddr == 192.168.99.5 ip daddr != 192.168.99.0/24 masquerade comment "6fd94d501e58f0aa-a4d4adb82b669cfe, net: unit-test, if: eth0, id: three"
|
|
add rule inet cni_plugins_masquerade masq_checks ip saddr == 10.0.0.5 ip daddr != 10.0.0.0/24 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
|
|
add rule inet cni_plugins_masquerade masq_checks ip saddr == 10.0.0.6 ip daddr != 10.0.0.0/24 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
|
|
add rule inet cni_plugins_masquerade masq_checks ip saddr == 10.0.1.7 ip daddr != 10.0.1.0/24 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
|
|
add rule inet cni_plugins_masquerade masq_checks ip6 saddr == 2001:db8::5 ip6 daddr != 2001:db8::/64 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
|
|
add rule inet cni_plugins_masquerade masq_checks ip6 saddr == 2001:db8::6 ip6 daddr != 2001:db8::/64 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
|
|
add rule inet cni_plugins_masquerade masq_checks ip6 saddr == 2001:db8:1::7 ip6 daddr != 2001:db8:1::/64 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
|
|
add rule inet cni_plugins_masquerade postrouting ip daddr == 224.0.0.0/4 return
|
|
add rule inet cni_plugins_masquerade postrouting ip6 daddr == ff00::/8 return
|
|
add rule inet cni_plugins_masquerade postrouting goto masq_checks
|
|
`)
|
|
dump := strings.TrimSpace(nft.Dump())
|
|
if dump != expected {
|
|
t.Errorf("expected nftables state:\n%s\n\nactual:\n%s\n\n", expected, dump)
|
|
}
|
|
|
|
// Add a new container reusing "one"'s address, before deleting "one"
|
|
c := containers[0]
|
|
addr, err := netlink.ParseAddr(c.addrs[0])
|
|
if err != nil {
|
|
t.Fatalf("failed to parse test addr: %v", err)
|
|
}
|
|
err = setupIPMasqNFTablesWithInterface(nft, []*net.IPNet{addr.IPNet}, "unit-test", "eth0", "four")
|
|
if err != nil {
|
|
t.Fatalf("error from setupIPMasqNFTables: %v", err)
|
|
}
|
|
|
|
// Remove "one"
|
|
err = teardownIPMasqNFTablesWithInterface(nft, []*net.IPNet{addr.IPNet}, c.network, c.ifname, c.containerID)
|
|
if err != nil {
|
|
t.Fatalf("error from teardownIPMasqNFTables: %v", err)
|
|
}
|
|
|
|
// Check that "one" was deleted (and "four" wasn't)
|
|
expected = strings.TrimSpace(`
|
|
add table inet cni_plugins_masquerade { comment "Masquerading for plugins from github.com/containernetworking/plugins" ; }
|
|
add chain inet cni_plugins_masquerade masq_checks { comment "Masquerade traffic from certain IPs to any (non-multicast) IP outside their subnet" ; }
|
|
add chain inet cni_plugins_masquerade postrouting { type nat hook postrouting priority 100 ; }
|
|
add rule inet cni_plugins_masquerade masq_checks ip saddr == 192.168.1.2 ip daddr != 192.168.1.0/24 masquerade comment "6fd94d501e58f0aa-d750b2c8f0f25d5f, net: unit-test, if: eth0, id: two"
|
|
add rule inet cni_plugins_masquerade masq_checks ip6 saddr == 2001:db8::2 ip6 daddr != 2001:db8::/64 masquerade comment "6fd94d501e58f0aa-d750b2c8f0f25d5f, net: unit-test, if: eth0, id: two"
|
|
add rule inet cni_plugins_masquerade masq_checks ip saddr == 192.168.99.5 ip daddr != 192.168.99.0/24 masquerade comment "6fd94d501e58f0aa-a4d4adb82b669cfe, net: unit-test, if: eth0, id: three"
|
|
add rule inet cni_plugins_masquerade masq_checks ip saddr == 10.0.0.5 ip daddr != 10.0.0.0/24 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
|
|
add rule inet cni_plugins_masquerade masq_checks ip saddr == 10.0.0.6 ip daddr != 10.0.0.0/24 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
|
|
add rule inet cni_plugins_masquerade masq_checks ip saddr == 10.0.1.7 ip daddr != 10.0.1.0/24 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
|
|
add rule inet cni_plugins_masquerade masq_checks ip6 saddr == 2001:db8::5 ip6 daddr != 2001:db8::/64 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
|
|
add rule inet cni_plugins_masquerade masq_checks ip6 saddr == 2001:db8::6 ip6 daddr != 2001:db8::/64 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
|
|
add rule inet cni_plugins_masquerade masq_checks ip6 saddr == 2001:db8:1::7 ip6 daddr != 2001:db8:1::/64 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
|
|
add rule inet cni_plugins_masquerade masq_checks ip saddr == 192.168.1.1 ip daddr != 192.168.1.0/24 masquerade comment "6fd94d501e58f0aa-e766de567ef6c543, net: unit-test, if: eth0, id: four"
|
|
add rule inet cni_plugins_masquerade postrouting ip daddr == 224.0.0.0/4 return
|
|
add rule inet cni_plugins_masquerade postrouting ip6 daddr == ff00::/8 return
|
|
add rule inet cni_plugins_masquerade postrouting goto masq_checks
|
|
`)
|
|
dump = strings.TrimSpace(nft.Dump())
|
|
if dump != expected {
|
|
t.Errorf("expected nftables state:\n%s\n\nactual:\n%s\n\n", expected, dump)
|
|
}
|
|
|
|
// GC "four" from the "unit-test" network
|
|
err = gcIPMasqNFTablesWithInterface(nft, "unit-test", []types.GCAttachment{
|
|
{IfName: "eth0", ContainerID: "two"},
|
|
{IfName: "eth0", ContainerID: "three"},
|
|
// (irrelevant extra element)
|
|
{IfName: "eth0", ContainerID: "one"},
|
|
})
|
|
if err != nil {
|
|
t.Fatalf("error from gcIPMasqNFTables: %v", err)
|
|
}
|
|
// GC the "alternate" network without removing anything
|
|
err = gcIPMasqNFTablesWithInterface(nft, "alternate", []types.GCAttachment{
|
|
{IfName: "net1", ContainerID: "three"},
|
|
})
|
|
if err != nil {
|
|
t.Fatalf("error from gcIPMasqNFTables: %v", err)
|
|
}
|
|
|
|
// Re-dump
|
|
expected = strings.TrimSpace(`
|
|
add table inet cni_plugins_masquerade { comment "Masquerading for plugins from github.com/containernetworking/plugins" ; }
|
|
add chain inet cni_plugins_masquerade masq_checks { comment "Masquerade traffic from certain IPs to any (non-multicast) IP outside their subnet" ; }
|
|
add chain inet cni_plugins_masquerade postrouting { type nat hook postrouting priority 100 ; }
|
|
add rule inet cni_plugins_masquerade masq_checks ip saddr == 192.168.1.2 ip daddr != 192.168.1.0/24 masquerade comment "6fd94d501e58f0aa-d750b2c8f0f25d5f, net: unit-test, if: eth0, id: two"
|
|
add rule inet cni_plugins_masquerade masq_checks ip6 saddr == 2001:db8::2 ip6 daddr != 2001:db8::/64 masquerade comment "6fd94d501e58f0aa-d750b2c8f0f25d5f, net: unit-test, if: eth0, id: two"
|
|
add rule inet cni_plugins_masquerade masq_checks ip saddr == 192.168.99.5 ip daddr != 192.168.99.0/24 masquerade comment "6fd94d501e58f0aa-a4d4adb82b669cfe, net: unit-test, if: eth0, id: three"
|
|
add rule inet cni_plugins_masquerade masq_checks ip saddr == 10.0.0.5 ip daddr != 10.0.0.0/24 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
|
|
add rule inet cni_plugins_masquerade masq_checks ip saddr == 10.0.0.6 ip daddr != 10.0.0.0/24 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
|
|
add rule inet cni_plugins_masquerade masq_checks ip saddr == 10.0.1.7 ip daddr != 10.0.1.0/24 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
|
|
add rule inet cni_plugins_masquerade masq_checks ip6 saddr == 2001:db8::5 ip6 daddr != 2001:db8::/64 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
|
|
add rule inet cni_plugins_masquerade masq_checks ip6 saddr == 2001:db8::6 ip6 daddr != 2001:db8::/64 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
|
|
add rule inet cni_plugins_masquerade masq_checks ip6 saddr == 2001:db8:1::7 ip6 daddr != 2001:db8:1::/64 masquerade comment "82783ef24bdc7036-acb19d111858e348, net: alternate, if: net1, id: three"
|
|
add rule inet cni_plugins_masquerade postrouting ip daddr == 224.0.0.0/4 return
|
|
add rule inet cni_plugins_masquerade postrouting ip6 daddr == ff00::/8 return
|
|
add rule inet cni_plugins_masquerade postrouting goto masq_checks
|
|
`)
|
|
dump = strings.TrimSpace(nft.Dump())
|
|
if dump != expected {
|
|
t.Errorf("expected nftables state:\n%s\n\nactual:\n%s\n\n", expected, dump)
|
|
}
|
|
|
|
// GC everything
|
|
err = gcIPMasqNFTablesWithInterface(nft, "unit-test", []types.GCAttachment{})
|
|
if err != nil {
|
|
t.Fatalf("error from gcIPMasqNFTables: %v", err)
|
|
}
|
|
err = gcIPMasqNFTablesWithInterface(nft, "alternate", []types.GCAttachment{})
|
|
if err != nil {
|
|
t.Fatalf("error from gcIPMasqNFTables: %v", err)
|
|
}
|
|
|
|
expected = strings.TrimSpace(`
|
|
add table inet cni_plugins_masquerade { comment "Masquerading for plugins from github.com/containernetworking/plugins" ; }
|
|
add chain inet cni_plugins_masquerade masq_checks { comment "Masquerade traffic from certain IPs to any (non-multicast) IP outside their subnet" ; }
|
|
add chain inet cni_plugins_masquerade postrouting { type nat hook postrouting priority 100 ; }
|
|
add rule inet cni_plugins_masquerade postrouting ip daddr == 224.0.0.0/4 return
|
|
add rule inet cni_plugins_masquerade postrouting ip6 daddr == ff00::/8 return
|
|
add rule inet cni_plugins_masquerade postrouting goto masq_checks
|
|
`)
|
|
dump = strings.TrimSpace(nft.Dump())
|
|
if dump != expected {
|
|
t.Errorf("expected nftables state:\n%s\n\nactual:\n%s\n\n", expected, dump)
|
|
}
|
|
}
|