Let agent, cloud-agent, connector use the same ipset names #422

Merged
merged 1 commit into from
Oct 20, 2023
8 changes: 4 additions & 4 deletions pkg/agent/iptables.go
Expand Up @@ -73,8 +73,8 @@ func (m *Manager) ensureIPTablesRules() error {
subnetsIP4, subnetsIP6 := classifySubnets(current.Subnets)

if !areSubnetsEqual(current.Subnets, m.lastSubnets) {
m.ipt = iptables.NewApplierCleaner(iptables.ProtocolIPv4, jumpChains, buildRuleData(IPSetFabEdgePeerCIDR, subnetsIP4))
m.ipt6 = iptables.NewApplierCleaner(iptables.ProtocolIPv6, jumpChains, buildRuleData(IPSetFabEdgePeerCIDR6, subnetsIP6))
m.ipt = iptables.NewApplierCleaner(iptables.ProtocolIPv4, jumpChains, buildRuleData(ipset.RemoteCIDR, subnetsIP4))
m.ipt6 = iptables.NewApplierCleaner(iptables.ProtocolIPv6, jumpChains, buildRuleData(ipset.RemoteCIDR6, subnetsIP6))
m.lastSubnets = current.Subnets
}

Expand All @@ -84,8 +84,8 @@ func (m *Manager) ensureIPTablesRules() error {
peerIPSet sets.String
ipt iptables.ApplierCleaner
}{
{IPSetFabEdgePeerCIDR, ipset.ProtocolFamilyIPV4, peerIPSet4, m.ipt},
{IPSetFabEdgePeerCIDR6, ipset.ProtocolFamilyIPV6, peerIPSet6, m.ipt6},
{ipset.RemoteCIDR, ipset.ProtocolFamilyIPV4, peerIPSet4, m.ipt},
{ipset.RemoteCIDR6, ipset.ProtocolFamilyIPV6, peerIPSet6, m.ipt6},
}

var errors []error
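Review bot: Renaming the agent's sets on the `m.ipt`/`m.ipt6` lines from FABEDGE-PEER-CIDR/FABEDGE-PEER-CIDR6 (the values removed in manager.go) to ipset.RemoteCIDR/RemoteCIDR6 changes what is created on the host, but nothing in this hunk removes the old sets or any iptables rule that still references them on an already-deployed node. After an in-place upgrade the stale FABEDGE-PEER-CIDR sets would linger until a reboot or manual flush, so the packet-filter state on the node would not match what the new code describes. Unless the cleaner already handles legacy names elsewhere (not visible here), a one-time removal of the old sets and rules at agent startup, or at minimum a release note telling operators to flush them, would close that gap. ensureIPTablesRules begins and ends outside the hunk.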
5 changes: 0 additions & 5 deletions pkg/agent/manager.go
Expand Up @@ -36,11 +36,6 @@ import (
"github.com/fabedge/fabedge/third_party/ipvs"
)

const (
IPSetFabEdgePeerCIDR = "FABEDGE-PEER-CIDR"
IPSetFabEdgePeerCIDR6 = "FABEDGE-PEER-CIDR6"
)

type Manager struct {
Config

21 changes: 12 additions & 9 deletions pkg/cloud-agent/iptables.go
Expand Up @@ -16,19 +16,22 @@ package cloud_agent

import (
"bytes"
"text/template"

"k8s.io/apimachinery/pkg/util/sets"

"github.com/fabedge/fabedge/pkg/util/ipset"
ipsetutil "github.com/fabedge/fabedge/pkg/util/ipset"
"github.com/fabedge/fabedge/pkg/util/iptables"
"k8s.io/apimachinery/pkg/util/sets"
"text/template"
)

type IptablesHandler struct {
ipset ipsetutil.Interface
ipsetName string
hashFamily string
helper iptables.ApplierCleaner
rulesData []byte
ipset ipsetutil.Interface

helper iptables.ApplierCleaner
rulesData []byte
}

func newIptableHandler() (*IptablesHandler, error) {
Expand All @@ -40,7 +43,7 @@ func newIptableHandler() (*IptablesHandler, error) {

return &IptablesHandler{
ipset: ipsetutil.New(),
ipsetName: ipset.IPSetRemotePodCIDR,
ipsetName: ipset.RemotePodCIDR,
hashFamily: ipsetutil.ProtocolFamilyIPV4,
helper: iptables.NewApplierCleaner(iptables.ProtocolIPv4, jumpChains, rulesData.Bytes()),
rulesData: rulesData.Bytes(),
Expand All @@ -56,7 +59,7 @@ func newIp6tableHandler() (*IptablesHandler, error) {

return &IptablesHandler{
ipset: ipsetutil.New(),
ipsetName: ipset.IPSetRemotePodCIDR6,
ipsetName: ipset.RemotePodCIDR6,
hashFamily: ipsetutil.ProtocolFamilyIPV6,
helper: iptables.NewApplierCleaner(iptables.ProtocolIPv6, jumpChains, rulesData.Bytes()),
rulesData: rulesData.Bytes(),
Expand Down Expand Up @@ -88,7 +91,7 @@ var jumpChains = []iptables.JumpChain{
}

func (h IptablesHandler) maintainRules(remotePodCIDRs []string) {
if err := h.syncRemotePodCIDRSet(remotePodCIDRs); err != nil {
if err := h.ensureIPSet(remotePodCIDRs); err != nil {
logger.Error(err, "failed to sync ipset", "setName", h.ipsetName, "remotePodCIDRs", remotePodCIDRs)
} else {
logger.V(5).Info("ipset is synced", "setName", h.ipsetName, "remotePodCIDRs", remotePodCIDRs)
Expand All @@ -101,7 +104,7 @@ func (h IptablesHandler) maintainRules(remotePodCIDRs []string) {
}
}

func (h IptablesHandler) syncRemotePodCIDRSet(remotePodCIDRs []string) error {
func (h IptablesHandler) ensureIPSet(remotePodCIDRs []string) error {
set := &ipsetutil.IPSet{
Name: h.ipsetName,
HashFamily: h.hashFamily,
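Review bot: `func (h IptablesHandler) ensureIPSet(remotePodCIDRs []string) error` has no doc comment, and dropping the old name syncRemotePodCIDRSet removes the only hint of what it does; the log messages in maintainRules still say "failed to sync ipset" / "ipset is synced", so a reader cannot tell whether "ensure" means create-if-missing, replace the entries wholesale, or both. From the visible lines it only builds an ipsetutil.IPSet from h.ipsetName and h.hashFamily; the rest of the body is outside the hunk. Suggest a comment such as `// ensureIPSet creates the ipset named h.ipsetName (hash family h.hashFamily) if it is missing and syncs its entries to remotePodCIDRs.`, adjusted to whatever the body below actually guarantees. Aligning the maintainRules log wording with the new name would avoid the sync/ensure mismatch.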
28 changes: 14 additions & 14 deletions pkg/connector/iptables.go
Expand Up @@ -38,19 +38,19 @@ var tmpl = template.Must(template.New("iptables").Parse(`
-A FABEDGE-INPUT -p ah -j ACCEPT

-A FABEDGE-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FABEDGE-FORWARD -m set --match-set {{ .CloudPodCIDR }} src -j ACCEPT
-A FABEDGE-FORWARD -m set --match-set {{ .CloudPodCIDR }} dst -j ACCEPT
-A FABEDGE-FORWARD -m set --match-set {{ .CloudNodeCIDR }} src -j ACCEPT
-A FABEDGE-FORWARD -m set --match-set {{ .CloudNodeCIDR }} dst -j ACCEPT
-A FABEDGE-FORWARD -m set --match-set {{ .LocalPodCIDR }} src -j ACCEPT
-A FABEDGE-FORWARD -m set --match-set {{ .LocalPodCIDR }} dst -j ACCEPT
-A FABEDGE-FORWARD -m set --match-set {{ .LocalNodeCIDR }} src -j ACCEPT
-A FABEDGE-FORWARD -m set --match-set {{ .LocalNodeCIDR }} dst -j ACCEPT
COMMIT

*nat
:FABEDGE-POSTROUTING - [0:0]
-A FABEDGE-POSTROUTING -m set --match-set {{ .CloudPodCIDR }} src -m set --match-set {{ .EdgePodCIDR}} dst -j ACCEPT
-A FABEDGE-POSTROUTING -m set --match-set {{ .EdgePodCIDR }} src -m set --match-set {{ .CloudPodCIDR }} dst -j ACCEPT
-A FABEDGE-POSTROUTING -m set --match-set {{ .CloudPodCIDR }} src -m set --match-set {{ .EdgeNodeCIDR }} dst -j ACCEPT
-A FABEDGE-POSTROUTING -m set --match-set {{ .EdgePodCIDR }} src -m set --match-set {{ .CloudNodeCIDR }} dst -j MASQUERADE
-A FABEDGE-POSTROUTING -m set --match-set {{ .EdgeNodeCIDR }} src -m set --match-set {{ .CloudPodCIDR}} dst -j MASQUERADE
-A FABEDGE-POSTROUTING -m set --match-set {{ .LocalPodCIDR }} src -m set --match-set {{ .RemotePodCIDR}} dst -j ACCEPT
-A FABEDGE-POSTROUTING -m set --match-set {{ .RemotePodCIDR }} src -m set --match-set {{ .LocalPodCIDR }} dst -j ACCEPT
-A FABEDGE-POSTROUTING -m set --match-set {{ .LocalPodCIDR }} src -m set --match-set {{ .RemoteNodeCIDR }} dst -j ACCEPT
-A FABEDGE-POSTROUTING -m set --match-set {{ .RemotePodCIDR }} src -m set --match-set {{ .LocalNodeCIDR }} dst -j MASQUERADE
-A FABEDGE-POSTROUTING -m set --match-set {{ .RemoteNodeCIDR }} src -m set --match-set {{ .LocalPodCIDR}} dst -j MASQUERADE
COMMIT
`))

Expand Down Expand Up @@ -125,19 +125,19 @@ func (h *IPTablesHandler) setIPSetEntrySet(edgePodCIDRSet, edgeNodeCIDRSet, clou

h.specs = []IPSetSpec{
{
Name: h.names.EdgePodCIDR,
Name: h.names.RemotePodCIDR,
EntrySet: edgePodCIDRSet,
},
{
Name: h.names.EdgeNodeCIDR,
Name: h.names.RemoteNodeCIDR,
EntrySet: edgeNodeCIDRSet,
},
{
Name: h.names.CloudPodCIDR,
Name: h.names.LocalPodCIDR,
EntrySet: cloudPodCIDRSet,
},
{
Name: h.names.CloudNodeCIDR,
Name: h.names.LocalNodeCIDR,
EntrySet: cloudNodeCIDRSet,
},
}
Expand Down Expand Up @@ -179,7 +179,7 @@ func (h *IPTablesHandler) getEdgeNodeCIDRs() []string {
h.lock.RUnlock()

for _, spec := range specs {
if spec.Name == ipset.IPSetEdgeNodeCIDR {
if spec.Name == ipset.RemoteNodeCIDR {
return spec.EntrySet.List()
}
}
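Review bot: In getEdgeNodeCIDRs the new comparison `if spec.Name == ipset.RemoteNodeCIDR` tests against the IPv4 constant, while the specs are populated in setIPSetEntrySet from `h.names.RemoteNodeCIDR`; if an IPTablesHandler is ever built with ipset.Names6, spec.Name is FABEDGE-REMOTE-NODE-CIDR6, the loop never matches, and control falls through to whatever follows the hunk. The line it replaces had the same mismatch, but this rename is the moment to fix it: `if spec.Name == h.names.RemoteNodeCIDR {`. Separately, setIPSetEntrySet still takes edgePodCIDRSet/edgeNodeCIDRSet/cloudPodCIDRSet/cloudNodeCIDRSet while the spec names are now Remote*/Local*, so the edge-to-remote and cloud-to-local mapping is only implicit; renaming the parameters, or a one-line comment stating that mapping, would keep the two sides aligned. Both functions begin and end outside the hunk.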
52 changes: 27 additions & 25 deletions pkg/util/ipset/ipset.go
Expand Up @@ -36,42 +36,44 @@ const (
ProtocolFamilyIPV6 = ipset.ProtocolFamilyIPV6
)

// Remote refers to nodes or pods in different LANs, maybe even not in the same cluster,
// while Local refers to nodes or pods in the same LAN and the same cluster.
const (
IPSetEdgePodCIDR = "FABEDGE-EDGE-POD-CIDR"
IPSetEdgePodCIDR6 = "FABEDGE-EDGE-POD-CIDR6"
IPSetEdgeNodeCIDR = "FABEDGE-EDGE-NODE-CIDR"
IPSetEdgeNodeCIDR6 = "FABEDGE-EDGE-NODE-CIDR6"
IPSetCloudPodCIDR = "FABEDGE-CLOUD-POD-CIDR"
IPSetCloudPodCIDR6 = "FABEDGE-CLOUD-POD-CIDR6"
IPSetCloudNodeCIDR = "FABEDGE-CLOUD-NODE-CIDR"
IPSetCloudNodeCIDR6 = "FABEDGE-CLOUD-NODE-CIDR6"
IPSetRemotePodCIDR = "FABEDGE-REMOTE-POD-CIDR"
IPSetRemotePodCIDR6 = "FABEDGE-REMOTE-POD-CIDR6"
RemotePodCIDR = "FABEDGE-REMOTE-POD-CIDR"
RemotePodCIDR6 = "FABEDGE-REMOTE-POD-CIDR6"
RemoteNodeCIDR = "FABEDGE-REMOTE-NODE-CIDR"
RemoteNodeCIDR6 = "FABEDGE-REMOTE-NODE-CIDR6"
LocalPodCIDR = "FABEDGE-LOCAL-POD-CIDR"
LocalPodCIDR6 = "FABEDGE-LOCAL-POD-CIDR6"
LocalNodeCIDR = "FABEDGE-LOCAL-NODE-CIDR"
LocalNodeCIDR6 = "FABEDGE-LOCAL-NODE-CIDR6"
RemoteCIDR = "FABEDGE-REMOTE-CIDR"
RemoteCIDR6 = "FABEDGE-REMOTE-CIDR6"
)

type IPSetNames struct {
EdgePodCIDR string
EdgeNodeCIDR string
CloudPodCIDR string
CloudNodeCIDR string
RemotePodCIDR string
RemotePodCIDR string
RemoteNodeCIDR string
LocalPodCIDR string
LocalNodeCIDR string
RemoteCIDR string
}

var (
Names4 = IPSetNames{
EdgeNodeCIDR: IPSetEdgeNodeCIDR,
EdgePodCIDR: IPSetEdgePodCIDR,
CloudPodCIDR: IPSetCloudPodCIDR,
CloudNodeCIDR: IPSetCloudNodeCIDR,
RemotePodCIDR: IPSetRemotePodCIDR,
RemoteNodeCIDR: RemoteNodeCIDR,
RemotePodCIDR: RemotePodCIDR,
LocalPodCIDR: LocalPodCIDR,
LocalNodeCIDR: LocalNodeCIDR,
RemoteCIDR: RemoteCIDR,
}

Names6 = IPSetNames{
EdgeNodeCIDR: IPSetEdgeNodeCIDR6,
EdgePodCIDR: IPSetEdgePodCIDR6,
CloudPodCIDR: IPSetCloudPodCIDR6,
CloudNodeCIDR: IPSetCloudNodeCIDR6,
RemotePodCIDR: IPSetRemotePodCIDR6,
RemoteNodeCIDR: RemoteNodeCIDR6,
RemotePodCIDR: RemotePodCIDR6,
LocalPodCIDR: LocalPodCIDR6,
LocalNodeCIDR: LocalNodeCIDR6,
RemoteCIDR: RemoteCIDR6,
}
)

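Review bot: The new `RemoteCIDR`/`RemoteCIDR6` constants and the matching IPSetNames field are the only names in this block that the Remote/Local comment does not cover: the other eight are split by pod/node, RemoteCIDR is not, and nothing here says what it holds or which component owns it. From pkg/agent/iptables.go in this same PR it appears to be the set the agent fills with its peer subnets (current.Subnets) without distinguishing pods from nodes, while the cloud-agent uses RemotePodCIDR and the connector uses the pod/node-specific names; worth confirming and stating. Suggest `// RemoteCIDR is the agent's single set of all remote subnets (pods and nodes together); the connector and cloud-agent use the pod/node-specific sets above.` above the constant, with the second clause adjusted if another component also writes to it. The const block starts above the hunk.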