

fix: ipt wrong order and add cluster route
(cherry picked from commit a27e176)
oilbeater committed Oct 26, 2020
1 parent 33afdd1 commit df8530a
Showing 3 changed files with 16 additions and 5 deletions.
2 changes: 2 additions & 0 deletions dist/images/uninstall.sh
Expand Up @@ -7,6 +7,7 @@ iptables -t nat -D POSTROUTING -m set --match-set ovn40local-pod-ip-nat src -m s
iptables -t nat -D POSTROUTING -m set ! --match-set ovn40subnets src -m set --match-set ovn40subnets-nat dst -j RETURN
iptables -t nat -D POSTROUTING -m set ! --match-set ovn40subnets src -m set --match-set ovn40local-pod-ip-nat dst -j RETURN
iptables -t nat -D POSTROUTING -m set --match-set ovn40subnets src -m set --match-set ovn40subnets dst -j MASQUERADE
iptables -t nat -D POSTROUTING -m set --match-set ovn40subnets src -m set --match-set ovn40subnets dst -j RETURN
iptables -t filter -D INPUT -m set --match-set ovn40subnets dst -j ACCEPT
iptables -t filter -D INPUT -m set --match-set ovn40subnets src -j ACCEPT
iptables -t filter -D FORWARD -m set --match-set ovn40subnets dst -j ACCEPT
Expand All @@ -21,6 +22,7 @@ ip6tables -t nat -D POSTROUTING -m set --match-set ovn60local-pod-ip-nat src -m
ip6tables -t nat -D POSTROUTING -m set ! --match-set ovn60subnets src -m set --match-set ovn60subnets-nat dst -j RETURN
ip6tables -t nat -D POSTROUTING -m set ! --match-set ovn60subnets src -m set --match-set ovn60local-pod-ip-nat dst -j RETURN
ip6tables -t nat -D POSTROUTING -m set --match-set ovn60subnets src -m set --match-set ovn60subnets dst -j MASQUERADE
ip6tables -t nat -D POSTROUTING -m set --match-set ovn60subnets src -m set --match-set ovn60subnets dst -j RETURN
ip6tables -t filter -D INPUT -m set --match-set ovn60subnets dst -j ACCEPT
ip6tables -t filter -D INPUT -m set --match-set ovn60subnets src -j ACCEPT
ip6tables -t filter -D FORWARD -m set --match-set ovn60subnets dst -j ACCEPT
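Review bot: With the new `-j RETURN` delete lines, each POSTROUTING block now issues both a MASQUERADE and a RETURN delete for the same match, and only one of those two rules exists on any given node, so one of the `iptables -D` calls always exits non-zero. If the script runs under `set -e` (its header is outside this section) it stops at the first miss and the remaining rules are left behind; otherwise the failure is only noise. Appending `|| true` to the version-dependent pair, e.g. `iptables -t nat -D POSTROUTING -m set --match-set ovn40subnets src -m set --match-set ovn40subnets dst -j RETURN || true`, keeps the script going either way; the same applies to the `ip6tables` hunk.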
13 changes: 10 additions & 3 deletions pkg/daemon/controller.go
Expand Up @@ -185,7 +185,8 @@ func (c *Controller) reconcileRouters() error {
klog.Errorf("failed to list namespace %v", err)
return err
}
cidrs := make([]string, 0, len(subnets))
cidrs := make([]string, 0, len(subnets)+1)
cidrs = append(cidrs, c.config.ServiceClusterIPRange)
for _, subnet := range subnets {
if !subnet.Status.IsReady() || subnet.Spec.UnderlayGateway {
continue
Expand Down Expand Up @@ -234,8 +235,14 @@ func (c *Controller) reconcileRouters() error {
_, cidr, _ := net.ParseCIDR(r)
gw := net.ParseIP(gateway)
src := net.ParseIP(c.internalIP)
if err = netlink.RouteReplace(&netlink.Route{Dst: cidr, LinkIndex: nic.Attrs().Index, Scope: netlink.SCOPE_UNIVERSE, Gw: gw, Src: src}); err != nil {
klog.Errorf("failed to add route %v", err)
if r == c.config.ServiceClusterIPRange {
if err = netlink.RouteReplace(&netlink.Route{Dst: cidr, LinkIndex: nic.Attrs().Index, Scope: netlink.SCOPE_UNIVERSE, Gw: gw}); err != nil {
klog.Errorf("failed to add route %v", err)
}
} else {
if err = netlink.RouteReplace(&netlink.Route{Dst: cidr, LinkIndex: nic.Attrs().Index, Scope: netlink.SCOPE_UNIVERSE, Gw: gw, Src: src}); err != nil {
klog.Errorf("failed to add route %v", err)
}
}
}
return err
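Review bot: `c.config.ServiceClusterIPRange` is now appended to `cidrs` unconditionally, but the loop body in the second hunk still does `_, cidr, _ := net.ParseCIDR(r)` and discards the error; if that config value is empty or not a valid CIDR, `cidr` is nil and `RouteReplace` is called with a nil `Dst`, which netlink installs as the default route, so the node's default route would be replaced with one via the overlay gateway. Checking the parse result before building the route closes that hole, and building the route once with `Src` set conditionally removes the two near-identical `RouteReplace` branches. `reconcileRouters` and the loop that binds `r` start outside the hunk, so the rewrite below keeps the outer `err` variable rather than shadowing it.
```go
_, cidr, parseErr := net.ParseCIDR(r)
if parseErr != nil {
	// A nil Dst would be installed as the default route; never pass it on.
	klog.Errorf("failed to parse cidr %s: %v", r, parseErr)
	continue
}
gw := net.ParseIP(gateway)
src := net.ParseIP(c.internalIP)
route := &netlink.Route{Dst: cidr, LinkIndex: nic.Attrs().Index, Scope: netlink.SCOPE_UNIVERSE, Gw: gw}
// The cluster-IP route carries no preferred source address.
if r != c.config.ServiceClusterIPRange {
	route.Src = src
}
if err = netlink.RouteReplace(route); err != nil {
	klog.Errorf("failed to add route %v", err)
}
```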
6 changes: 4 additions & 2 deletions pkg/daemon/gateway.go
Expand Up @@ -26,7 +26,7 @@ const (
var (
v4Rules = []util.IPTableRule{
// This rule makes sure we don't NAT traffic within overlay network
{Table: "nat", Chain: "POSTROUTING", Rule: strings.Split(`-m set --match-set ovn40subnets src -m set --match-set ovn40subnets dst -j MASQUERADE`, " ")},
{Table: "nat", Chain: "POSTROUTING", Rule: strings.Split(`-m set --match-set ovn40subnets src -m set --match-set ovn40subnets dst -j RETURN`, " ")},
// Prevent performing Masquerade on external traffic which arrives from a Node that owns the Pod/Subnet IP
{Table: "nat", Chain: "POSTROUTING", Rule: strings.Split(`-m set ! --match-set ovn40subnets src -m set --match-set ovn40local-pod-ip-nat dst -j RETURN`, " ")},
{Table: "nat", Chain: "POSTROUTING", Rule: strings.Split(`-m set ! --match-set ovn40subnets src -m set --match-set ovn40subnets-nat dst -j RETURN`, " ")},
Expand All @@ -42,7 +42,7 @@ var (
}
v6Rules = []util.IPTableRule{
// This rule makes sure we don't NAT traffic within overlay network
{Table: "nat", Chain: "POSTROUTING", Rule: strings.Split(`-m set --match-set ovn60subnets src -m set --match-set ovn60subnets dst -j MASQUERADE`, " ")},
{Table: "nat", Chain: "POSTROUTING", Rule: strings.Split(`-m set --match-set ovn60subnets src -m set --match-set ovn60subnets dst -j RETURN`, " ")},
// Prevent performing Masquerade on external traffic which arrives from a Node that owns the Pod/Subnet IP
{Table: "nat", Chain: "POSTROUTING", Rule: strings.Split(`-m set ! --match-set ovn40subnets src -m set --match-set ovn60local-pod-ip-nat dst -j RETURN`, " ")},
{Table: "nat", Chain: "POSTROUTING", Rule: strings.Split(`-m set ! --match-set ovn40subnets src -m set --match-set ovn60subnets-nat dst -j RETURN`, " ")},
Expand Down Expand Up @@ -97,6 +97,8 @@ func (c *Controller) runGateway() {
} else {
iptableRules = v6Rules
}
iptableRules[0], iptableRules[1], iptableRules[3], iptableRules[4] =
iptableRules[4], iptableRules[3], iptableRules[1], iptableRules[0]
for _, iptRule := range iptableRules {
exists, err := c.iptable.Exists(iptRule.Table, iptRule.Chain, iptRule.Rule...)
if err != nil {
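Review bot: The index swap `iptableRules[0], iptableRules[1], iptableRules[3], iptableRules[4] = iptableRules[4], iptableRules[3], iptableRules[1], iptableRules[0]` mutates the package-level `v4Rules`/`v6Rules` slice in place, because `iptableRules = v6Rules` (and presumably the v4 branch above the hunk) aliases the slice rather than copying it; if `runGateway` is ever invoked more than once in a process, the second call swaps the rules back into the old, wrong order. Either declare the rules in the intended order in the `var` block and drop the swap, or swap on a copy: `rules := append([]util.IPTableRule(nil), iptableRules...)`, `rules[0], rules[1], rules[3], rules[4] = rules[4], rules[3], rules[1], rules[0]`, `for _, iptRule := range rules {`. A one-line comment such as `// POSTROUTING order matters: the intra-overlay RETURN must precede the MASQUERADE rules` would tell the next reader why the order is load-bearing. Separately, the v6 context lines use `! --match-set ovn40subnets src`, which looks copied from the v4 block and probably should be `ovn60subnets`; it is untouched by this commit but worth a follow-up. `runGateway` continues outside the hunk.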
