diff --git a/pkg/pillar/devicenetwork/pbr.go b/pkg/pillar/devicenetwork/pbr.go index 091e41f35d..541d48dca7 100644 --- a/pkg/pillar/devicenetwork/pbr.go +++ b/pkg/pillar/devicenetwork/pbr.go @@ -17,15 +17,17 @@ const ( // (and persisted) for every network instance. NIBaseRTIndex = 800 - // PbrLocalDestPrio : IP rule priority for packets destined to locally owned addresses - PbrLocalDestPrio = 12000 - // PbrLocalOrigPrio : IP rule priority for locally generated packets - PbrLocalOrigPrio = 15000 - // PbrNatOutGatewayPrio : IP rule priority for packets destined to gateway(bridge ip) coming from apps. PbrNatOutGatewayPrio = 9999 // PbrNatOutPrio : IP rule priority for packets destined to internet coming from apps PbrNatOutPrio = 10000 // PbrNatInPrio : IP rule priority for external packets coming in towards apps PbrNatInPrio = 11000 + // PbrLocalDestPrio : IP rule priority for packets destined to locally owned addresses + PbrLocalDestPrio = 12000 + // PbrKubeNetworkPrio : IP rule priority for traffic flowing through the Kubernetes + // network. + PbrKubeNetworkPrio = 13000 + // PbrLocalOrigPrio : IP rule priority for locally (dom0) generated packets + PbrLocalOrigPrio = 15000 ) diff --git a/pkg/pillar/dpcreconciler/linux.go b/pkg/pillar/dpcreconciler/linux.go index 81d01a49c1..acf50567ac 100644 --- a/pkg/pillar/dpcreconciler/linux.go +++ b/pkg/pillar/dpcreconciler/linux.go @@ -14,6 +14,8 @@ import ( "syscall" "time" + "golang.org/x/sys/unix" + dg "github.com/lf-edge/eve-libs/depgraph" "github.com/lf-edge/eve-libs/reconciler" "github.com/lf-edge/eve/pkg/pillar/base" 
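Review bot: The reordered const block in pbr.go documents each priority on its own but not the ordering invariant the new PbrKubeNetworkPrio = 13000 depends on, which is what a reader changing any of these values needs. If I read getIntendedGlobalCfg in this commit correctly, the kube rules only do their job because 13000 sits between PbrLocalDestPrio (local table already moved below the network-instance rules) and PbrLocalOrigPrio (the per-port source-based rules), so a main-table lookup for the pod/service prefixes wins before a packet is steered into a per-port table. I would state that next to the constant, e.g. `// PbrKubeNetworkPrio : IP rule priority for traffic flowing through the Kubernetes network.` followed by `// Must stay above PbrLocalDestPrio and below PbrLocalOrigPrio so that pod/service prefixes are resolved via the main table before source-based per-port rules apply.`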
@@ -40,10 +42,15 @@ import ( // | | NetworkIO | | Global | | // | | | | | | // | | +-----------+ +------------+ | | +-------------+ +-------------+ | | -// | | | NetIO | | NetIO | | | | ResolvConf | | LocalIPRule | | | -// | | | (external)| | (external) | ... | | | (singleton) | | (singleton) | | | +// | | | NetIO | | NetIO | | | | ResolvConf | | IPRule | | | +// | | | (external)| | (external) | ... | | | (singleton) | | (Local RT) | | | // | | +-----------+ +------------+ | | +-------------+ +-------------+ | | -// | +--------------------------------------+ +------------------------------------+ | +// | +--------------------------------------+ | +-------------------+ | | +// | | | IPRule | ... | | +// | | | (for HV=kubevirt) | | | +// | | +-------------------+ | | +// | +------------------------------------+ | +// | | // | | // | +-----------------+ +------------------+ +-------------------------------------+ | // | | PhysicalIfs | | LogicalIO (L2) | | Wireless | | @@ -62,9 +69,9 @@ import ( // | | +-------------------------------+ | | // | | | IPRules | | | // | | +----------------------------------------+ | | | | -// | | | Adapters | | +---------+ +----------+ | | | -// | | | | | |SrcIPRule| |SrcIPRule | ... | | | -// | | | +---------+ +---------+ | | +---------+ +----------+ | | | +// | | | Adapters | | +-------+ +--------+ | | | +// | | | | | |IPRule | | IPRule | ... | | | +// | | | +---------+ +---------+ | | +-------+ +--------+ | | | // | | | | Adapter | | Adapter | ... | +-------------------------------+ | | // | | | +---------+ +---------+ | | | // | | | +------------+ +------------+ | +-------------------------------+ | | 
@@ -146,14 +153,11 @@ const ( intendedStateFile = "/run/nim-intended-state.dot" ) -const ( - // Network bridge used by Kubernetes CNI. - // Currently, this is hardcoded for the Flannel CNI plugin. - kubeCNIBridge = "cni0" +var ( // CIDR used for IP allocation for K3s pods. - kubePodCIDR = "10.42.0.0/16" + _, kubePodCIDR, _ = net.ParseCIDR("10.42.0.0/16") // CIDR used for IP allocation for K3s services. - kubeSvcCIDR = "10.43.0.0/16" + _, kubeSvcCIDR, _ = net.ParseCIDR("10.43.0.0/16") ) // LinuxDpcReconciler is a DPC-reconciler for Linux network stack, @@ -778,17 +782,6 @@ func (r *LinuxDpcReconciler) updateCurrentAdapterAddrs( func (r *LinuxDpcReconciler) updateCurrentRoutes(dpc types.DevicePortConfig) (changed bool) { sgPath := dg.NewSubGraphPath(L3SG, RoutesSG) currentRoutes := dg.New(dg.InitArgs{Name: RoutesSG}) - cniIfIndex := -1 - if r.HVTypeKube { - ifIndex, found, err := r.NetworkMonitor.GetInterfaceIndex(kubeCNIBridge) - if err != nil { - r.Log.Errorf("getIntendedRoutes: failed to get ifIndex for %s: %v", - kubeCNIBridge, err) - } - if err == nil && found { - cniIfIndex = ifIndex - } - } for _, port := range dpc.Ports { if port.IfName == "" || port.InvalidConfig { continue 
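Review bot: Both `net.ParseCIDR` errors in the new `var` block are discarded with `_`, and with this item model that failure mode is not benign: a malformed literal leaves `kubePodCIDR`/`kubeSvcCIDR` nil, `IPRule.dstToString` then renders the rule as `to all` and `makeNetlinkRule` installs it with `r.Dst = nil`, so the PbrKubeNetworkPrio rule would silently match every destination instead of the pod or service prefix. Since these are compile-time literals, a `Must`-style helper that panics at package init is the idiomatic guard and keeps the failure loud; it also gives the `_`-ignored error a home. The helper below avoids `fmt` so it needs nothing beyond the `net` import the hunk already relies on.
```go
var (
	// CIDR used for IP allocation for K3s pods.
	kubePodCIDR = mustParseCIDR("10.42.0.0/16")
	// CIDR used for IP allocation for K3s services.
	kubeSvcCIDR = mustParseCIDR("10.43.0.0/16")
)

// mustParseCIDR parses a compile-time CIDR literal. A malformed literal is a
// programmer bug, so it panics at package init instead of yielding a nil
// prefix that IPRule would treat as "match all".
func mustParseCIDR(s string) *net.IPNet {
	_, ipNet, err := net.ParseCIDR(s)
	if err != nil {
		panic("invalid CIDR literal " + s + ": " + err.Error())
	}
	return ipNet
}
```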
@@ -823,29 +816,6 @@ func (r *LinuxDpcReconciler) updateCurrentRoutes(dpc types.DevicePortConfig) (ch LastOperation: reconciler.OperationCreate, }) } - - if cniIfIndex != -1 { - cniRoutes, err := r.NetworkMonitor.ListRoutes(netmonitor.RouteFilters{ - FilterByTable: true, - Table: table, - FilterByIf: true, - IfIndex: cniIfIndex, - }) - if err != nil { - r.Log.Errorf("updateCurrentRoutes: ListRoutes failed for ifIndex %d: %v", - cniIfIndex, err) - } - for _, rt := range cniRoutes { - currentRoutes.PutItem(linux.Route{ - Route: rt.Data.(netlink.Route), - UnmanagedLink: true, - }, &reconciler.ItemStateData{ - State: reconciler.ItemStateCreated, - LastOperation: reconciler.OperationCreate, - }) - } - - } } prevSG := dg.GetSubGraph(r.currentState, sgPath) if len(prevSG.DiffItems(currentRoutes)) > 0 { @@ -877,7 +847,22 @@ func (r *LinuxDpcReconciler) getIntendedGlobalCfg(dpc types.DevicePortConfig) dg } intendedCfg := dg.New(graphArgs) // Move IP rule that matches local destined packets below network instance rules. - intendedCfg.PutItem(linux.LocalIPRule{Priority: devicenetwork.PbrLocalDestPrio}, nil) + intendedCfg.PutItem(linux.IPRule{ + Priority: devicenetwork.PbrLocalDestPrio, + Table: unix.RT_TABLE_LOCAL, + }, nil) + if r.HVTypeKube { + intendedCfg.PutItem(linux.IPRule{ + Dst: kubePodCIDR, + Priority: devicenetwork.PbrKubeNetworkPrio, + Table: unix.RT_TABLE_MAIN, + }, nil) + intendedCfg.PutItem(linux.IPRule{ + Dst: kubeSvcCIDR, + Priority: devicenetwork.PbrKubeNetworkPrio, + Table: unix.RT_TABLE_MAIN, + }, nil) + } if len(dpc.Ports) == 0 { return intendedCfg } 
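Review bot: The local-table item put at `devicenetwork.PbrLocalDestPrio` in getIntendedGlobalCfg carries nil `Src` and `Dst`, and `IPRuleConfigurator.makeNetlinkRule` in the new iprule.go leaves `Family` at `netlink.FAMILY_V4` unless one of those prefixes is an IPv6 address, so only the IPv4 local rule is moved to 12000. The `LocalIPRuleConfigurator.Create` this replaces re-prioritised the local rule for both `AF_INET` and `AF_INET6`, so unless the IPv6 side is handled elsewhere, IPv6 packets to locally owned addresses keep matching the kernel's priority-0 rule ahead of the network-instance rules — a routing-policy regression that the label `12000: from all to all lookup 255` will not reveal. I would give `IPRule` an explicit family field (or put a second item for IPv6 here) rather than inferring the family from `Src`/`Dst`, and add a test that asserts both families are moved. getIntendedGlobalCfg continues outside the hunk.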
@@ -1150,12 +1135,10 @@ func (r *LinuxDpcReconciler) getIntendedSrcIPRules(dpc types.DevicePortConfig) d continue } for _, ipAddr := range ipAddrs { - intendedRules.PutItem(linux.SrcIPRule{ - AdapterLL: port.Logicallabel, - AdapterIfName: port.IfName, - IPAddr: ipAddr.IP, - Priority: devicenetwork.PbrLocalOrigPrio, - Table: devicenetwork.DPCBaseRTIndex + ifIndex, + intendedRules.PutItem(linux.IPRule{ + Src: netutils.HostSubnet(ipAddr.IP), + Priority: devicenetwork.PbrLocalOrigPrio, + Table: devicenetwork.DPCBaseRTIndex + ifIndex, }, nil) } } @@ -1170,26 +1153,6 @@ func (r *LinuxDpcReconciler) getIntendedRoutes(dpc types.DevicePortConfig) dg.Gr intendedRoutes := dg.New(graphArgs) // Routes are copied from the main table. srcTable := syscall.RT_TABLE_MAIN - var cniRoutes []netmonitor.Route - if r.HVTypeKube { - ifIndex, found, err := r.NetworkMonitor.GetInterfaceIndex(kubeCNIBridge) - if err != nil { - r.Log.Errorf("getIntendedRoutes: failed to get ifIndex for %s: %v", - kubeCNIBridge, err) - } - if err == nil && found { - cniRoutes, err = r.NetworkMonitor.ListRoutes(netmonitor.RouteFilters{ - FilterByTable: true, - Table: srcTable, - FilterByIf: true, - IfIndex: ifIndex, - }) - if err != nil { - r.Log.Errorf("getIntendedRoutes: ListRoutes failed for ifIndex %d: %v", - ifIndex, err) - } - } - } for _, port := range dpc.Ports { if port.IfName == "" || port.InvalidConfig { continue @@ -1224,15 +1187,6 @@ func (r *LinuxDpcReconciler) getIntendedRoutes(dpc types.DevicePortConfig) dg.Gr AdapterLL: port.Logicallabel, }, nil) } - for _, rt := range cniRoutes { - rtCopy := rt.Data.(netlink.Route) - rtCopy.Table = dstTable - r.prepareRouteForCopy(&rtCopy) - intendedRoutes.PutItem(linux.Route{ - Route: rtCopy, - UnmanagedLink: true, - }, nil) - } } return intendedRoutes } 
@@ -1922,40 +1876,10 @@ func (r *LinuxDpcReconciler) getIntendedMarkingRules(dpc types.DevicePortConfig, TargetOpts: []string{"--set-mark", controlProtoMark("in_dhcp")}, Description: "Mark ingress DHCP traffic", } - // Mark all traffic from Kubernetes pods to Kubernetes services. - // Note that traffic originating from another node is already D-NATed - // and will get marked with the kube_pod mark. - markKubeSvc := iptables.Rule{ - RuleLabel: "Kubernetes service mark", - MatchOpts: []string{"-i", kubeCNIBridge, "-s", kubePodCIDR, "-d", kubeSvcCIDR}, - Target: "CONNMARK", - TargetOpts: []string{"--set-mark", controlProtoMark("kube_svc")}, - Description: "Mark traffic from Kubernetes pods to Kubernetes services", - } - // Mark all traffic forwarded between Kubernetes pods. - markKubePod := iptables.Rule{ - RuleLabel: "Kubernetes pod mark", - MatchOpts: []string{"-s", kubePodCIDR, "-d", kubePodCIDR}, - Target: "CONNMARK", - TargetOpts: []string{"--set-mark", controlProtoMark("kube_pod")}, - Description: "Mark all traffic directly forwarded between Kubernetes pods", - } - // Mark all DNS requests made from the Kubernetes network. - markKubeDNS := iptables.Rule{ - RuleLabel: "Kubernetes DNS mark", - MatchOpts: []string{"-s", kubePodCIDR, "-p", "udp", "--dport", "domain"}, - Target: "CONNMARK", - TargetOpts: []string{"--set-mark", controlProtoMark("kube_dns")}, - AppliedBefore: []string{markKubeSvc.RuleLabel, markKubePod.RuleLabel}, - Description: "Mark DNS requests made from the Kubernetes network", - } protoMarkV4Rules := []iptables.Rule{ markSSHAndGuacamole, markVnc, markIcmpV4, markDhcp, } - if r.HVTypeKube { - protoMarkV4Rules = append(protoMarkV4Rules, markKubeDNS, markKubeSvc, markKubePod) - } protoMarkV6Rules := []iptables.Rule{ markSSHAndGuacamole, markVnc, markIcmpV6, } diff --git a/pkg/pillar/dpcreconciler/linux_test.go b/pkg/pillar/dpcreconciler/linux_test.go index f1fa8b3871..8f129cba9d 100644 --- a/pkg/pillar/dpcreconciler/linux_test.go 
+++ b/pkg/pillar/dpcreconciler/linux_test.go @@ -170,7 +170,7 @@ func TestReconcileWithEmptyArgs(test *testing.T) { t.Expect(status.RS.ConfigError).To(BeEmpty()) t.Expect(status.DNS.Error).To(BeNil()) t.Expect(status.DNS.Servers).To(BeEmpty()) - t.Expect(itemCountWithType(linux.LocalIPRuleTypename)).To(Equal(1)) + t.Expect(itemCountWithType(linux.IPRuleTypename)).To(Equal(1)) t.Expect(itemCountWithType(iptables.ChainV4Typename)).To(Equal(14)) t.Expect(itemCountWithType(iptables.ChainV6Typename)).To(Equal(14)) t.Expect(itemCountWithType(iptables.RuleV4Typename)).To(Equal(22)) @@ -311,7 +311,7 @@ func TestSingleEthInterface(test *testing.T) { t.Expect(status.DNS.Servers["eth0"]).To(HaveLen(1)) t.Expect(status.DNS.Servers["eth0"][0].String()).To(Equal("8.8.8.8")) t.Expect(itemDescription(adapterAddrs)).To(Equal("Adapter mock-eth0 IP addresses: [192.168.10.5/24]")) - t.Expect(itemIsCreatedWithLabel("IP rule for mock-eth0/192.168.10.5")).To(BeTrue()) + t.Expect(itemIsCreatedWithLabel("15000: from 192.168.10.5/32 to all lookup 501")).To(BeTrue()) t.Expect(itemIsCreatedWithLabel("IPv4 route table 501 dst dev mock-eth0 via 192.168.10.1")).To(BeTrue()) t.Expect(itemIsCreated(resolvConf)).To(BeTrue()) t.Expect(itemDescription(resolvConf)).To(ContainSubstring("eth0: [8.8.8.8]")) 
@@ -537,8 +537,8 @@ func TestMultipleEthsSameSubnet(test *testing.T) { t.Expect(itemDescription(eth0AdapterAddrs)).To(Equal("Adapter mock-eth0 IP addresses: [192.168.10.5/24]")) eth1AdapterAddrs := dg.Reference(generic.AdapterAddrs{AdapterIfName: "eth1"}) t.Expect(itemDescription(eth1AdapterAddrs)).To(Equal("Adapter mock-eth1 IP addresses: [192.168.10.6/24]")) - t.Expect(itemIsCreatedWithLabel("IP rule for mock-eth0/192.168.10.5")).To(BeTrue()) - t.Expect(itemIsCreatedWithLabel("IP rule for mock-eth1/192.168.10.6")).To(BeTrue()) + t.Expect(itemIsCreatedWithLabel("15000: from 192.168.10.5/32 to all lookup 501")).To(BeTrue()) + t.Expect(itemIsCreatedWithLabel("15000: from 192.168.10.6/32 to all lookup 502")).To(BeTrue()) t.Expect(itemIsCreatedWithLabel("IPv4 route table 501 dst dev mock-eth0 via 192.168.10.1")).To(BeTrue()) t.Expect(itemIsCreatedWithLabel("IPv4 route table 502 dst dev mock-eth1 via 192.168.10.1")).To(BeTrue()) t.Expect(itemIsCreatedWithLabel("ARP entry 192.168.10.6 / 02:00:00:00:00:02 for mock-eth0")).To(BeTrue()) diff --git a/pkg/pillar/dpcreconciler/linuxitems/iprule.go b/pkg/pillar/dpcreconciler/linuxitems/iprule.go new file mode 100644 index 0000000000..0eab27f8ae --- /dev/null +++ b/pkg/pillar/dpcreconciler/linuxitems/iprule.go 
@@ -0,0 +1,190 @@ +// Copyright (c) 2024 Zededa, Inc. +// SPDX-License-Identifier: Apache-2.0 + +package linuxitems + +import ( + "context" + "errors" + "fmt" + "net" + + "golang.org/x/sys/unix" + + dg "github.com/lf-edge/eve-libs/depgraph" + "github.com/lf-edge/eve/pkg/pillar/base" + "github.com/lf-edge/eve/pkg/pillar/utils/netutils" + "github.com/vishvananda/netlink" +) + +const matchAll = "all" + +// Rule installed by default for the Local table. +var defaultLocalRule = IPRule{ + Priority: 0, + Table: unix.RT_TABLE_LOCAL, + Src: nil, + Dst: nil, +} + +// IPRule : Linux IP rule. +type IPRule struct { + Priority int + Table int + Src *net.IPNet + Dst *net.IPNet +} + +// Name combines all attributes to construct a unique identifier for IP rule. +func (r IPRule) Name() string { + return fmt.Sprintf("%d/%s/%s/%d", r.Priority, + r.srcToString(), r.dstToString(), r.Table) +} + +// Label is more human-readable than name. +// Label resembles the output of "ip rule list". +func (r IPRule) Label() string { + return fmt.Sprintf("%d: from %s to %s lookup %d", + r.Priority, r.srcToString(), r.dstToString(), r.Table) +} + +// Type of the item. +func (r IPRule) Type() string { + return IPRuleTypename +} + +// Equal compares two IPRule instances. +func (r IPRule) Equal(other dg.Item) bool { + r2, isIPRule := other.(IPRule) + if !isIPRule { + return false + } + return r.Priority == r2.Priority && + r.Table == r2.Table && + netutils.EqualIPNets(r.Src, r2.Src) && + netutils.EqualIPNets(r.Dst, r2.Dst) +} + +// External returns false. +func (r IPRule) External() bool { + return false +} + +// String describes IPRule in detail. +func (r IPRule) String() string { + return fmt.Sprintf("IP rule: "+ + "{prio: %d, Src: %s, Dst: %s, Table: %d}", + r.Priority, r.srcToString(), r.dstToString(), r.Table) +} + +// Dependencies returns no dependencies (table does not have to exist). 
+func (r IPRule) Dependencies() (deps []dg.Dependency) { + return nil +} + +func (r IPRule) srcToString() string { + src := matchAll + if r.Src != nil { + src = r.Src.String() + } + return src +} + +func (r IPRule) dstToString() string { + dst := matchAll + if r.Dst != nil { + dst = r.Dst.String() + } + return dst +} + +// Does this overwrites the rule created by default for the Local table? +func (r IPRule) replacesDefaultLocalRule() bool { + return r.Src == nil && r.Dst == nil && r.Table == unix.RT_TABLE_LOCAL +} + +// IPRuleConfigurator implements Configurator interface (libs/reconciler) +// for Linux IP rule. +type IPRuleConfigurator struct { + Log *base.LogObject +} + +// Create adds IP rule. +func (c *IPRuleConfigurator) Create(ctx context.Context, item dg.Item) error { + rule, isIPRule := item.(IPRule) + if !isIPRule { + return fmt.Errorf("invalid item type %T, expected IPRule", item) + } + if rule.replacesDefaultLocalRule() { + // First remove the default rule for the Local table. + netlinkRule := c.makeNetlinkRule(defaultLocalRule) + err := netlink.RuleDel(netlinkRule) + if err != nil { + err = fmt.Errorf("failed to delete default local IP rule %+v: %w", + netlinkRule, err) + c.Log.Error(err) + return err + } + } + netlinkRule := c.makeNetlinkRule(rule) + err := netlink.RuleAdd(netlinkRule) + if err != nil { + err = fmt.Errorf("failed to add IP rule %+v: %w", netlinkRule, err) + c.Log.Error(err) + return err + } + return nil +} + +func (c *IPRuleConfigurator) makeNetlinkRule(rule IPRule) *netlink.Rule { + r := netlink.NewRule() + r.Src = rule.Src + r.Dst = rule.Dst + r.Table = rule.Table + r.Priority = rule.Priority + r.Family = netlink.FAMILY_V4 + if rule.Src != nil && rule.Src.IP.To4() == nil { + r.Family = netlink.FAMILY_V6 + } + if rule.Dst != nil && rule.Dst.IP.To4() == nil { + r.Family = netlink.FAMILY_V6 + } + return r +} + +// Modify is not implemented. 
+func (c *IPRuleConfigurator) Modify(_ context.Context, _, _ dg.Item) (err error) { + return errors.New("not implemented") +} + +// Delete removes IP rule. +func (c *IPRuleConfigurator) Delete(ctx context.Context, item dg.Item) error { + rule, isIPRule := item.(IPRule) + if !isIPRule { + return fmt.Errorf("invalid item type %T, expected IPRule", item) + } + netlinkRule := c.makeNetlinkRule(rule) + err := netlink.RuleDel(netlinkRule) + if err != nil { + err = fmt.Errorf("failed to delete IP rule %+v: %w", netlinkRule, err) + c.Log.Error(err) + return err + } + if rule.replacesDefaultLocalRule() { + // Bring back the default rule for the Local table. + netlinkRule = c.makeNetlinkRule(defaultLocalRule) + err = netlink.RuleAdd(netlinkRule) + if err != nil { + err = fmt.Errorf("failed to add default local IP rule %+v: %w", + netlinkRule, err) + c.Log.Error(err) + return err + } + } + return nil +} + +// NeedsRecreate returns true - Modify is not implemented. +func (c *IPRuleConfigurator) NeedsRecreate(oldItem, newItem dg.Item) (recreate bool) { + return true +} diff --git a/pkg/pillar/dpcreconciler/linuxitems/localiprule.go b/pkg/pillar/dpcreconciler/linuxitems/localiprule.go deleted file mode 100644 index b7e719a4af..0000000000 --- a/pkg/pillar/dpcreconciler/linuxitems/localiprule.go +++ /dev/null 
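Review bot: `IPRuleConfigurator.Create` deletes the default local-table rule before adding its replacement, so if `netlink.RuleAdd` fails after `RuleDel` succeeded the host is left with no lookup of the local table at all and locally destined traffic breaks until the next successful reconcile; the deleted `LocalIPRuleConfigurator.Create` did it the safe way round (add at the new priority, then delete priority 0). `Delete` has the mirror-image window: it removes the rule first and re-adds the default afterwards, so a failed `RuleAdd` there leaves the same gap. I would reorder both so a rule for the local table exists at every step, as in the rewrite of `Create` below; `Delete` should likewise re-add `defaultLocalRule` before calling `RuleDel` on the item. With this order a retry after a failed `RuleDel` will see the new rule already present, so `RuleAdd` returning an exists-error should probably be tolerated there rather than reported.
```go
// Create adds IP rule.
func (c *IPRuleConfigurator) Create(ctx context.Context, item dg.Item) error {
	rule, isIPRule := item.(IPRule)
	if !isIPRule {
		return fmt.Errorf("invalid item type %T, expected IPRule", item)
	}
	// Add the replacement first so that the local table is never left
	// without any rule if the second netlink call fails.
	netlinkRule := c.makeNetlinkRule(rule)
	if err := netlink.RuleAdd(netlinkRule); err != nil {
		err = fmt.Errorf("failed to add IP rule %+v: %w", netlinkRule, err)
		c.Log.Error(err)
		return err
	}
	if rule.replacesDefaultLocalRule() {
		// Only now remove the default rule for the Local table.
		defRule := c.makeNetlinkRule(defaultLocalRule)
		if err := netlink.RuleDel(defRule); err != nil {
			err = fmt.Errorf("failed to delete default local IP rule %+v: %w",
				defRule, err)
			c.Log.Error(err)
			return err
		}
	}
	return nil
}
```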
@@ -1,118 +0,0 @@ -// Copyright (c) 2022 Zededa, Inc. -// SPDX-License-Identifier: Apache-2.0 - -package linuxitems - -import ( - "context" - "errors" - "fmt" - "syscall" - - "github.com/lf-edge/eve-libs/depgraph" - "github.com/lf-edge/eve/pkg/pillar/base" - "github.com/vishvananda/netlink" -) - -// LocalIPRule : singleton item representing IP rule for local RT -// This is for both IPv4 and IPv6. -type LocalIPRule struct { - Priority int -} - -// Name returns a constant string - LocalIPRule is a singleton. -func (r LocalIPRule) Name() string { - return LocalIPRuleTypename -} - -// Label is not defined. -func (r LocalIPRule) Label() string { - return "" -} - -// Type of the item. -func (r LocalIPRule) Type() string { - return LocalIPRuleTypename -} - -// Equal only compares the priority to check if it changed. -func (r LocalIPRule) Equal(other depgraph.Item) bool { - // Not relevant - Modify should never be called for this item. - r2 := other.(LocalIPRule) - return r.Priority == r2.Priority -} - -// External returns false. -func (r LocalIPRule) External() bool { - return false -} - -// String describes the Local IP rule (priority). -func (r LocalIPRule) String() string { - return fmt.Sprintf("IP rule for local RT with new priority: %v", - r.Priority) -} - -// Dependencies returns nothing. -func (r LocalIPRule) Dependencies() (deps []depgraph.Dependency) { - return nil -} - -// LocalIPRuleConfigurator implements Configurator interface (libs/reconciler) for local IP Rule. -type LocalIPRuleConfigurator struct { - Log *base.LogObject -} - -// Create modifies the priority of the (automatically created) local IP rule. 
-func (c *LocalIPRuleConfigurator) Create(ctx context.Context, item depgraph.Item) error { - prio := item.(LocalIPRule).Priority - // IPv4 - r := netlink.NewRule() - r.Table = syscall.RT_TABLE_LOCAL - r.Priority = prio - r.Family = syscall.AF_INET - if err := netlink.RuleAdd(r); err != nil { - err = fmt.Errorf("netlink.RuleAdd %v failed with %s", r, err) - c.Log.Error(err) - return err - } - r.Priority = 0 - if err := netlink.RuleDel(r); err != nil { - err = fmt.Errorf("netlink.RuleDel %v failed with %s", r, err) - c.Log.Error(err) - return err - } - - // IPv6 - r.Priority = prio - r.Family = syscall.AF_INET6 - if err := netlink.RuleAdd(r); err != nil { - err = fmt.Errorf("netlink.RuleAdd %v failed with %s", r, err) - c.Log.Error(err) - return err - } - r.Priority = 0 - if err := netlink.RuleDel(r); err != nil { - err = fmt.Errorf("netlink.RuleDel %v failed with %s", r, err) - c.Log.Error(err) - return err - } - return nil -} - -// Modify is not implemented. -func (c *LocalIPRuleConfigurator) Modify(_ context.Context, _, _ depgraph.Item) (err error) { - return errors.New("not implemented") -} - -// Delete always returns error. NIM never reverts back to the original priority -// of the local IP rule. -func (c *LocalIPRuleConfigurator) Delete(ctx context.Context, item depgraph.Item) error { - return errors.New("not implemented") -} - -// NeedsRecreate is not relevant here - neither Modify nor Delete should ever -// be called for this item. -func (c *LocalIPRuleConfigurator) NeedsRecreate(oldItem, newItem depgraph.Item) (recreate bool) { - return false -} diff --git a/pkg/pillar/dpcreconciler/linuxitems/registry.go b/pkg/pillar/dpcreconciler/linuxitems/registry.go index e253ace0f3..2cbd664673 100644 --- a/pkg/pillar/dpcreconciler/linuxitems/registry.go +++ b/pkg/pillar/dpcreconciler/linuxitems/registry.go 
@@ -22,10 +22,9 @@ func RegisterItems(log *base.LogObject, registry *reconciler.DefaultRegistry, {c: &AdapterConfigurator{Log: log, NetworkMonitor: monitor}, t: genericitems.AdapterTypename}, {c: &ArpConfigurator{Log: log}, t: genericitems.ArpTypename}, {c: &BondConfigurator{Log: log, NetworkMonitor: monitor}, t: genericitems.BondTypename}, - {c: &LocalIPRuleConfigurator{Log: log}, t: LocalIPRuleTypename}, + {c: &IPRuleConfigurator{Log: log}, t: IPRuleTypename}, {c: &RouteConfigurator{Log: log}, t: genericitems.IPv4RouteTypename}, {c: &RouteConfigurator{Log: log}, t: genericitems.IPv6RouteTypename}, - {c: &SrcIPRuleConfigurator{Log: log, NetworkMonitor: monitor}, t: SrcIPRuleTypename}, {c: &VlanConfigurator{Log: log, NetworkMonitor: monitor}, t: genericitems.VlanTypename}, {c: &WlanConfigurator{Log: log}, t: genericitems.WlanTypename}, } diff --git a/pkg/pillar/dpcreconciler/linuxitems/route.go b/pkg/pillar/dpcreconciler/linuxitems/route.go index e596fecd7a..b3331ad337 100644 --- a/pkg/pillar/dpcreconciler/linuxitems/route.go +++ b/pkg/pillar/dpcreconciler/linuxitems/route.go @@ -31,12 +31,6 @@ type Route struct { // AdapterLL : logical label of the associated interface. // Empty if this route is referencing unmanaged link. AdapterLL string - // True if this route is referencing link not managed by EVE. - // It is used by DPC Reconciler to install routes for the bridge cni0 created - // and used by Flannel CNI. - // Later this will likely go away as we find cleaner solution for integration - // between EVE and (possibly any) CNI plugin. - UnmanagedLink bool } // Name combines the interface name, route table ID and the destination @@ -49,9 +43,6 @@ func (r Route) Name() string { dst = r.Route.Dst.String() } ifName := r.AdapterIfName - if r.UnmanagedLink { - ifName = fmt.Sprintf("unmanaged-%d", r.LinkIndex) - } return fmt.Sprintf("%d/%s/%s", r.Table, ifName, dst) } 
@@ -64,14 +55,8 @@ func (r Route) Label() string { } else { dst = r.Route.Dst.String() } - var dev string - if r.UnmanagedLink { - dev = fmt.Sprintf("", r.LinkIndex) - } else { - dev = r.AdapterLL - } return fmt.Sprintf("%s route table %d dst %s dev %v via %v", - r.ipVersionStr(), r.Table, dst, dev, r.Gw) + r.ipVersionStr(), r.Table, dst, r.AdapterLL, r.Gw) } func (r Route) ipVersionStr() string { @@ -138,11 +123,6 @@ func (r Route) External() bool { // String describes the network route. func (r Route) String() string { - if r.UnmanagedLink { - return fmt.Sprintf( - "Network route for unmanaged link (index=%d) with priority %d: %s", - r.LinkIndex, r.Route.Priority, r.Route.String()) - } return fmt.Sprintf("Network route for adapter '%s' with priority %d: %s", r.AdapterLL, r.Route.Priority, r.Route.String()) } @@ -152,11 +132,6 @@ func (r Route) String() string { // - the "via" adapter must have an IP address assigned from the subnet // of the route gateway. func (r Route) Dependencies() (deps []depgraph.Dependency) { - if r.UnmanagedLink { - // Reconciler does not check dependencies for route associated - // with link not managed by EVE. - return nil - } return []depgraph.Dependency{ { RequiredItem: depgraph.ItemRef{ diff --git a/pkg/pillar/dpcreconciler/linuxitems/srciprule.go b/pkg/pillar/dpcreconciler/linuxitems/srciprule.go deleted file mode 100644 index b2c62465dd..0000000000 --- a/pkg/pillar/dpcreconciler/linuxitems/srciprule.go +++ /dev/null 
@@ -1,122 +0,0 @@ -// Copyright (c) 2022 Zededa, Inc. -// SPDX-License-Identifier: Apache-2.0 - -package linuxitems - -import ( - "context" - "errors" - "fmt" - "net" - - "github.com/lf-edge/eve-libs/depgraph" - "github.com/lf-edge/eve/pkg/pillar/base" - "github.com/lf-edge/eve/pkg/pillar/dpcreconciler/genericitems" - "github.com/lf-edge/eve/pkg/pillar/netmonitor" - "github.com/lf-edge/eve/pkg/pillar/utils/netutils" - "github.com/vishvananda/netlink" -) - -// SrcIPRule : IP rule for source-based IP routing. -type SrcIPRule struct { - // AdapterLL : Adapter's logical label. - AdapterLL string - AdapterIfName string - IPAddr net.IP - Priority int - Table int -} - -// Name combines interface name with the IP address to construct -// a unique identifier for the src IP rule. -func (r SrcIPRule) Name() string { - return fmt.Sprintf("%s/%s", r.AdapterIfName, r.IPAddr.String()) -} - -// Label is more human-readable than name. -func (r SrcIPRule) Label() string { - return fmt.Sprintf("IP rule for %s/%s", r.AdapterLL, r.IPAddr.String()) -} - -// Type of the item. -func (r SrcIPRule) Type() string { - return SrcIPRuleTypename -} - -// Equal is a comparison method for two equally-named src-IP-rule instances. -func (r SrcIPRule) Equal(other depgraph.Item) bool { - r2 := other.(SrcIPRule) - return r.Priority == r2.Priority && r.Table == r2.Table -} - -// External returns false. -func (r SrcIPRule) External() bool { - return false -} - -// String describes source-based IP rule. -func (r SrcIPRule) String() string { - return fmt.Sprintf("Source-based IP rule: "+ - "{adapter: %s, ifName: %s, ip: %s, prio: %d, table: %d}", - r.AdapterLL, r.AdapterIfName, r.IPAddr, r.Priority, r.Table) -} - -// Dependencies lists the referenced adapter as the only dependency. -// This dependency is not actually necessary. -// IP rule can be configured even if the adapter is missing. 
-func (r SrcIPRule) Dependencies() (deps []depgraph.Dependency) { - return []depgraph.Dependency{ - { - RequiredItem: depgraph.ItemRef{ - ItemType: genericitems.AdapterTypename, - ItemName: r.AdapterIfName, - }, - Description: "Not strictly necessary", - }, - } -} - -// SrcIPRuleConfigurator implements Configurator interface (libs/reconciler) for IP Rules. -type SrcIPRuleConfigurator struct { - Log *base.LogObject - NetworkMonitor netmonitor.NetworkMonitor -} - -// Create adds the source-based IP rule. -func (c *SrcIPRuleConfigurator) Create(ctx context.Context, item depgraph.Item) error { - rule := item.(SrcIPRule) - netlinkRule, err := c.makeNetlinkRule(rule) - if err != nil { - return err - } - return netlink.RuleAdd(netlinkRule) -} - -func (c *SrcIPRuleConfigurator) makeNetlinkRule(rule SrcIPRule) (*netlink.Rule, error) { - r := netlink.NewRule() - r.Table = rule.Table - r.Priority = rule.Priority - r.Family = netutils.HostFamily(rule.IPAddr) - r.Src = netutils.HostSubnet(rule.IPAddr) - return r, nil -} - -// Modify is not implemented. -func (c *SrcIPRuleConfigurator) Modify(_ context.Context, _, _ depgraph.Item) (err error) { - return errors.New("not implemented") -} - -// Delete removes the source-based IP rule. -func (c *SrcIPRuleConfigurator) Delete(ctx context.Context, item depgraph.Item) error { - rule := item.(SrcIPRule) - netlinkRule, err := c.makeNetlinkRule(rule) - if err != nil { - return err - } - return netlink.RuleDel(netlinkRule) -} - -// NeedsRecreate returns true - Modify is not implemented. -func (c *SrcIPRuleConfigurator) NeedsRecreate(oldItem, newItem depgraph.Item) (recreate bool) { - return true -} diff --git a/pkg/pillar/dpcreconciler/linuxitems/typenames.go b/pkg/pillar/dpcreconciler/linuxitems/typenames.go index 1d2ed33df3..ddfacdcc1b 100644 --- a/pkg/pillar/dpcreconciler/linuxitems/typenames.go +++ b/pkg/pillar/dpcreconciler/linuxitems/typenames.go 
@@ -4,8 +4,6 @@ package linuxitems const ( - // LocalIPRuleTypename : typename for singleton item representing IP rule for local RT. - LocalIPRuleTypename = "Local-IP-Rule" - // SrcIPRuleTypename : typename for source-based IP rules. - SrcIPRuleTypename = "Src-IP-Rule" + // IPRuleTypename : typename for Linux IP rules. + IPRuleTypename = "IPRule" ) diff --git a/pkg/pillar/iptables/connmark.go b/pkg/pillar/iptables/connmark.go index 9343b5d403..22cc7e1869 100644 --- a/pkg/pillar/iptables/connmark.go +++ b/pkg/pillar/iptables/connmark.go @@ -59,12 +59,6 @@ var ControlProtocolMarkingIDMap = map[string]uint32{ "app_http": 11, // ICMPv6 traffic to and from an application "app_icmpv6": 12, - // DNS requests from Kubernetes pods to CoreDNS and from CoreDNS to external DNS servers. - "kube_dns": 13, - // Traffic from Kubernetes pods to Kubernetes services. - "kube_svc": 14, - // Traffic directly forwarded between Kubernetes pods (not via services). - "kube_pod": 15, } // GetConnmark : create connection mark corresponding to the given attributes.