Add missing rules when NodePort support is disabled
* the rules that need to be installed for NodePort support and SNAT
  support are very similar. The same traffic mark is needed for both. As
  a result, rules that are currently installed only when NodePort
  support is enabled should also be installed when external SNAT is
  disabled, which is the case by default.
* remove "-m state --state NEW" from a rule in the nat table. This is
  always true for packets that traverse the nat table.
* fix typo in one rule's name (extra whitespace).

Fixes aws#2025

Co-authored-by: Quan Tian <qtian@vmware.com>

Signed-off-by: Antonin Bas <abas@vmware.com>
antoninbas committed Jul 12, 2022
1 parent b01d356 commit 5b68c84
Showing 1 changed file with 7 additions and 5 deletions.
12 changes: 7 additions & 5 deletions pkg/networkutils/network.go
Expand Up @@ -276,7 +276,7 @@ func (n *linuxNetwork) SetupHostNetwork(vpcv4CIDRs []string, primaryMAC string,
var err error
primaryIntf := "eth0"
//RP Filter setting is only needed if IPv4 mode is enabled.
if v4Enabled && n.nodePortSupportEnabled {
if v4Enabled && (n.nodePortSupportEnabled || !n.useExternalSNAT) {
primaryIntf, err = findPrimaryInterfaceName(primaryMAC)
if err != nil {
return errors.Wrapf(err, "failed to SetupHostNetwork")
Expand Down Expand Up @@ -340,7 +340,7 @@ func (n *linuxNetwork) SetupHostNetwork(vpcv4CIDRs []string, primaryMAC string,
return errors.Wrapf(err, "host network setup: failed to delete old main ENI rule")
}

if n.nodePortSupportEnabled {
if n.nodePortSupportEnabled || !n.useExternalSNAT {
err = n.netLink.RuleAdd(mainENIRule)
if err != nil {
log.Errorf("Failed to add host main ENI rule: %v", err)
Expand Down Expand Up @@ -528,7 +528,7 @@ func (n *linuxNetwork) buildIptablesSNATRules(vpcCIDRs []string, primaryAddr *ne

iptableRules = append(iptableRules, iptablesRule{
name: "connmark restore for primary ENI",
shouldExist: n.nodePortSupportEnabled,
shouldExist: n.nodePortSupportEnabled || !n.useExternalSNAT,
table: "mangle",
chain: "PREROUTING",
rule: []string{
Expand Down Expand Up @@ -579,7 +579,7 @@ func (n *linuxNetwork) buildIptablesConnmarkRules(vpcCIDRs []string, ipt iptable
chain: "PREROUTING",
rule: []string{
"-i", n.vethPrefix + "+", "-m", "comment", "--comment", "AWS, outbound connections",
"-m", "state", "--state", "NEW", "-j", "AWS-CONNMARK-CHAIN-0",
"-m", "state", "-j", "AWS-CONNMARK-CHAIN-0",
}})

for i, cidr := range allCIDRs {
Expand All @@ -603,7 +603,7 @@ func (n *linuxNetwork) buildIptablesConnmarkRules(vpcCIDRs []string, ipt iptable
}

iptableRules = append(iptableRules, iptablesRule{
name: "connmark rule for external outbound traffic",
name: "connmark rule for external outbound traffic",
shouldExist: !n.useExternalSNAT,
table: "nat",
chain: chains[len(chains)-1],
Expand All @@ -625,6 +625,8 @@ func (n *linuxNetwork) buildIptablesConnmarkRules(vpcCIDRs []string, ipt iptable
},
})

// Being in the nat table, this only applies to the first packet of the connection. The mark
// will be restored in the mangle table for subsequent packets.
iptableRules = append(iptableRules, iptablesRule{
name: "connmark to fwmark copy",
shouldExist: !n.useExternalSNAT,
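Review bot: In the `@@ -579,7 +579,7 @@` hunk the new rule line keeps a dangling state match, `"-m", "state", "-j", "AWS-CONNMARK-CHAIN-0"`, although the commit message says the whole `-m state --state NEW` was meant to go; iptables treats `--state` as mandatory for the state match, so installing this rule is expected to fail, and the outbound pod connections on the veth interfaces would then never receive the connmark that the later nat and mangle rules depend on. The line should read `"-i", n.vethPrefix + "+", "-m", "comment", "--comment", "AWS, outbound connections", "-j", "AWS-CONNMARK-CHAIN-0",`. buildIptablesConnmarkRules starts and ends outside this hunk. Separately, the condition `n.nodePortSupportEnabled || !n.useExternalSNAT` now appears verbatim in the 276, 340 and 528 hunks; a small predicate method on linuxNetwork with a comment explaining why both features need the primary ENI mark would keep the three sites from drifting apart.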
