Allow egress-router to connect to its node's IP, via the SDN

openshift · May 30, 2018 · f782553 · f782553
1 parent e9277a4
commit f782553
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 11 deletions.
diff --git a/images/egress/router/egress-router.sh b/images/egress/router/egress-router.sh
@@ -106,7 +106,7 @@ function gen_iptables_rules() {
             fi
         fi
     done <<< "${EGRESS_DESTINATION}"
-    echo -A POSTROUTING -j SNAT --to-source "${EGRESS_SOURCE}"
+    echo -A POSTROUTING -o macvlan0 -j SNAT --to-source "${EGRESS_SOURCE}"
 }
 
 function setup_iptables() {

diff --git a/images/egress/router/egress_router_test.go b/images/egress/router/egress_router_test.go
@@ -20,7 +20,7 @@ func TestEgressRouter(t *testing.T) {
 			dest:    "10.1.2.3",
 			output: `
 -A PREROUTING -i eth0 -j DNAT --to-destination 10.1.2.3
--A POSTROUTING -j SNAT --to-source 1.2.3.4
+-A POSTROUTING -o macvlan0 -j SNAT --to-source 1.2.3.4
 `,
 		},
 		{
@@ -29,7 +29,7 @@ func TestEgressRouter(t *testing.T) {
 			dest:    "10.1.2.3",
 			output: `
 -A PREROUTING -i eth0 -j DNAT --to-destination 10.1.2.3
--A POSTROUTING -j SNAT --to-source 1.2.3.4
+-A POSTROUTING -o macvlan0 -j SNAT --to-source 1.2.3.4
 `,
 		},
 		{
@@ -38,7 +38,7 @@ func TestEgressRouter(t *testing.T) {
 			dest:    "10.1.2.3",
 			output: `
 -A PREROUTING -i eth0 -j DNAT --to-destination 10.1.2.3
--A POSTROUTING -j SNAT --to-source 1.2.3.4
+-A POSTROUTING -o macvlan0 -j SNAT --to-source 1.2.3.4
 `,
 		},
 		{
@@ -47,7 +47,7 @@ func TestEgressRouter(t *testing.T) {
 			dest:    "10.1.2.3\n",
 			output: `
 -A PREROUTING -i eth0 -j DNAT --to-destination 10.1.2.3
--A POSTROUTING -j SNAT --to-source 1.2.3.4
+-A POSTROUTING -o macvlan0 -j SNAT --to-source 1.2.3.4
 `,
 		},
 		{
@@ -56,7 +56,7 @@ func TestEgressRouter(t *testing.T) {
 			dest:    "80 tcp 10.4.5.6",
 			output: `
 -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.4.5.6
--A POSTROUTING -j SNAT --to-source 1.2.3.4
+-A POSTROUTING -o macvlan0 -j SNAT --to-source 1.2.3.4
 `,
 		},
 		{
@@ -65,7 +65,7 @@ func TestEgressRouter(t *testing.T) {
 			dest:    "8080 tcp 10.7.8.9 80",
 			output: `
 -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 10.7.8.9:80
--A POSTROUTING -j SNAT --to-source 1.2.3.4
+-A POSTROUTING -o macvlan0 -j SNAT --to-source 1.2.3.4
 `,
 		},
 		{
@@ -75,7 +75,7 @@ func TestEgressRouter(t *testing.T) {
 			output: `
 -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.4.5.6
 -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 10.7.8.9:80
--A POSTROUTING -j SNAT --to-source 1.2.3.4
+-A POSTROUTING -o macvlan0 -j SNAT --to-source 1.2.3.4
 `,
 		},
 		{
@@ -86,7 +86,7 @@ func TestEgressRouter(t *testing.T) {
 -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.4.5.6
 -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 10.7.8.9:80
 -A PREROUTING -i eth0 -j DNAT --to-destination 10.1.2.3
--A POSTROUTING -j SNAT --to-source 1.2.3.4
+-A POSTROUTING -o macvlan0 -j SNAT --to-source 1.2.3.4
 `,
 		},
 		{
@@ -115,7 +115,7 @@ func TestEgressRouter(t *testing.T) {
 -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.4.5.6
 -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 10.7.8.9:80
 -A PREROUTING -i eth0 -j DNAT --to-destination 10.1.2.3
--A POSTROUTING -j SNAT --to-source 1.2.3.4
+-A POSTROUTING -o macvlan0 -j SNAT --to-source 1.2.3.4
 `,
 		},
 	}

diff --git a/pkg/network/sdn-cni-plugin/openshift-sdn.go b/pkg/network/sdn-cni-plugin/openshift-sdn.go
@@ -146,6 +146,7 @@ func (p *cniPlugin) CmdAdd(args *skel.CmdArgs) error {
 	if err != nil {
 		return fmt.Errorf("failed to convert IPAM result: %v", err)
 	}
+	defaultGW := result020.IP4.Gateway
 	result020.IP4.Gateway = nil
 
 	result030, err := current.NewResultFromResult(result020)
@@ -164,7 +165,7 @@ func (p *cniPlugin) CmdAdd(args *skel.CmdArgs) error {
 	}
 	result030.IPs[0].Interface = current.Int(0)
 
-	err = ns.WithNetNSPath(args.Netns, func(ns.NetNS) error {
+	err = ns.WithNetNSPath(args.Netns, func(hostNS ns.NetNS) error {
 		// Set up eth0
 		if err := ip.SetHWAddrByIP(args.IfName, result030.IPs[0].Address.IP, nil); err != nil {
 			return fmt.Errorf("failed to set pod interface MAC address: %v", err)
@@ -186,9 +187,37 @@ func (p *cniPlugin) CmdAdd(args *skel.CmdArgs) error {
 		link, err = netlink.LinkByName("macvlan0")
 		if err == nil {
 			err = netlink.LinkSetUp(link)
+			if err != nil {
+				return fmt.Errorf("failed to enable macvlan device: %v", err)
+			}
+
+			// A macvlan can't reach its parent interface's IP, so we need to
+			// add a route to that via the SDN
+			var addrs []netlink.Addr
+			err = hostNS.Do(func(ns.NetNS) error {
+				parent, err := netlink.LinkByIndex(link.Attrs().ParentIndex)
+				if err != nil {
+					return err
+				}
+				addrs, err = netlink.AddrList(parent, netlink.FAMILY_V4)
+				return err
+			})
 			if err != nil {
 				return fmt.Errorf("failed to configure macvlan device: %v", err)
 			}
+			for _, addr := range addrs {
+				route := &netlink.Route{
+					Dst: &net.IPNet{
+						IP:   addr.IP,
+						Mask: net.CIDRMask(32, 32),
+					},
+					Gw: defaultGW,
+				}
+				err = netlink.RouteAdd(route)
+				if err != nil {
+					return fmt.Errorf("failed to configure macvlan device: %v", err)
+				}
+			}
 		}
 
 		return nil