Added possibility to switch to iptables nf_tables

liqotech · Aug 24, 2023 · 65970b3 · 65970b3
1 parent 3e5276e
commit 65970b3
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 3 deletions.
diff --git a/deployments/liqo/README.md b/deployments/liqo/README.md
@@ -61,6 +61,7 @@
 | discovery.pod.resources | object | `{"limits":{},"requests":{}}` | Resource requests and limits (https://kubernetes.io/docs/user-guide/compute-resources/) for the discovery pod. |
 | fullnameOverride | string | `""` | Override the standard full name used by Helm and associated to Kubernetes/Liqo resources. |
 | gateway.config.addressOverride | string | `""` | Override the default address where your network gateway service is available. You should configure it if the network gateway is behind a reverse proxy or NAT. |
+| gateway.config.iptablesMode | string | `"nf_tables"` | Select the iptables mode to use. Possible values are "legacy" and "nf_tables". |
 | gateway.config.listeningPort | int | `5871` | Port used by the network gateway. |
 | gateway.config.portOverride | string | `""` | Overrides the port where your network gateway service is available. You should configure it if the network gateway is behind a reverse proxy or NAT and is different from the listening port. |
 | gateway.config.wireguardImplementation | string | `"kernel"` | Implementation used by wireguard to establish the VPN tunnel between two clusters. Possible values are "userspace" and "kernel". Do not use "userspace" unless strictly necessary  (i.e., only if the Linux kernel does not support Wireguard). |
@@ -92,6 +93,7 @@
 | nameOverride | string | `""` | Override the standard name used by Helm and associated to Kubernetes/Liqo resources. |
 | networkConfig.mtu | int | `1340` | Set the MTU for the interfaces managed by liqo: vxlan, tunnel and veth interfaces. The value is used by the gateway and route operators. The default value is configured to ensure correct behavior regardless of the combination of the underlying environments (e.g., cloud providers). This guarantees improved compatibility at the cost of possible limited performance drops. |
 | networkManager.config.additionalPools | list | `[]` | Set of additional network pools to perform the automatic address mapping in Liqo. Network pools are used to map a cluster network into another one in order to prevent conflicts. Default set of network pools is: [10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12] |
+| networkManager.config.iptablesMode | string | `"nf_tables"` | Select the iptables mode to use. Possible values are "legacy" and "nf_tables". |
 | networkManager.config.podCIDR | string | `""` | The subnet used by the pods in your cluster, in CIDR notation (e.g., 10.0.0.0/16). |
 | networkManager.config.reservedSubnets | list | `[]` | List of IP subnets that do not have to be used by Liqo. Liqo can perform automatic IP address remapping when a remote cluster is peering with you, e.g., in case IP address spaces (e.g., PodCIDR) overlaps. In order to prevent IP conflicting between locally used private subnets in your infrastructure and private subnets belonging to remote clusters you need tell liqo the subnets used in your cluster. E.g if your cluster nodes belong to the 192.168.2.0/24 subnet, then you should add that subnet to the reservedSubnets. PodCIDR and serviceCIDR used in the local cluster are automatically added to the reserved list. |
 | networkManager.config.serviceCIDR | string | `""` | The subnet used by the services in you cluster, in CIDR notation (e.g., 172.16.0.0/16). |
@@ -117,6 +119,7 @@
 | pullPolicy | string | `"IfNotPresent"` | The pullPolicy for liqo pods. |
 | reflection.skip.annotations | list | `["cloud.google.com/neg","cloud.google.com/neg-status","kubernetes.digitalocean.com/load-balancer-id","ingress.kubernetes.io/backends","ingress.kubernetes.io/forwarding-rule","ingress.kubernetes.io/target-proxy","ingress.kubernetes.io/url-map","metallb.universe.tf/address-pool","metallb.universe.tf/ip-allocated-from-pool","metallb.universe.tf/loadBalancerIPs"]` | List of annotations that must not be reflected on remote clusters. |
 | reflection.skip.labels | list | `[]` | List of labels that must not be reflected on remote clusters. |
+| route.config.iptablesMode | string | `"nf_tables"` | Select the iptables mode to use. Possible values are "legacy" and "nf_tables". |
 | route.imageName | string | `"ghcr.io/liqotech/liqonet"` | Image repository for the route pod. |
 | route.pod.annotations | object | `{}` | Annotations for the route pod. |
 | route.pod.extraArgs | list | `[]` | Extra arguments for the route pod. |

diff --git a/deployments/liqo/values.yaml b/deployments/liqo/values.yaml
@@ -84,6 +84,9 @@ route:
   imageName: "ghcr.io/liqotech/liqonet"
   # -- Extra tolerations for the route daemonset.
   tolerations: []
+  config:
+    # -- Select the iptables mode to use. Possible values are "legacy" and "nf_tables".
+    iptablesMode: "nf_tables"
 
 gateway:
   # -- The number of gateway instances to run.
@@ -126,6 +129,8 @@ gateway:
     # Possible values are "userspace" and "kernel". Do not use "userspace" unless strictly necessary 
     # (i.e., only if the Linux kernel does not support Wireguard).
     wireguardImplementation: "kernel"
+    # -- Select the iptables mode to use. Possible values are "legacy" and "nf_tables".
+    iptablesMode: "nf_tables"
   metrics:
     # -- Expose metrics about network traffic towards cluster peers.
     enabled: false
@@ -184,6 +189,8 @@ networkManager:
     # Network pools are used to map a cluster network into another one in order to prevent conflicts.
     # Default set of network pools is: [10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12]
     additionalPools: []
+    # -- Select the iptables mode to use. Possible values are "legacy" and "nf_tables".
+    iptablesMode: "nf_tables"
 
 crdReplicator:
   pod:

diff --git a/go.mod b/go.mod
@@ -264,3 +264,6 @@ require (
 )
 
 replace github.com/grandcat/zeroconf => github.com/liqotech/zeroconf v1.0.1-0.20201020081245-6384f3f21ffb
+
+// Waitin for PR https://github.com/coreos/go-iptables/pull/110 to be merged
+replace github.com/coreos/go-iptables => github.com/cheina97/go-iptables v0.0.0-20230824102241-61fc692e7548
diff --git a/go.sum b/go.sum
@@ -190,6 +190,8 @@ github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chai2010/gettext-go v1.0.2 h1:1Lwwip6Q2QGsAdl/ZKPCwTe9fe0CjlUbqj5bFNSjIRk=
 github.com/chai2010/gettext-go v1.0.2/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA=
+github.com/cheina97/go-iptables v0.0.0-20230824102241-61fc692e7548 h1:tsUrWiCxLp1cI8TB7qDmHNezZavWgxghH+m+pW+04wA=
+github.com/cheina97/go-iptables v0.0.0-20230824102241-61fc692e7548/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
@@ -212,8 +214,6 @@ github.com/containernetworking/plugins v1.3.0 h1:QVNXMT6XloyMUoO2wUOqWTC1hWFV62Q
 github.com/containernetworking/plugins v1.3.0/go.mod h1:Pc2wcedTQQCVuROOOaLBPPxrEXqqXBFt3cZ+/yVg6l0=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
-github.com/coreos/go-iptables v0.7.0 h1:XWM3V+MPRr5/q51NuWSgU0fqMad64Zyxs8ZUoMsamr8=
-github.com/coreos/go-iptables v0.7.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-semver v0.3.0 h1:wkHLiw0WNATZnSG7epLsujiMCgPAc9xhjJ4tgnAxmfM=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=

diff --git a/pkg/liqonet/iptables/iptables.go b/pkg/liqonet/iptables/iptables.go
@@ -17,6 +17,7 @@ package iptables
 import (
 	"encoding/csv"
 	"fmt"
+	"os"
 	"strings"
 
 	"github.com/coreos/go-iptables/iptables"
@@ -95,10 +96,19 @@ type IPTHandler struct {
 
 // NewIPTHandler return the iptables handler used to configure the iptables rules.
 func NewIPTHandler() (IPTHandler, error) {
-	ipt, err := iptables.New()
+	selectedmode := os.Getenv("IPTABLES_MODE")
+	var ipt *iptables.IPTables
+	var err error
+	if iptables.ModeType(selectedmode) == iptables.ModeTypeNFTables || iptables.ModeType(selectedmode) == iptables.ModeTypeLegacy {
+		ipt, err = iptables.New(iptables.Mode(iptables.ModeType(selectedmode)))
+	} else {
+		ipt, err = iptables.New()
+	}
 	if err != nil {
 		return IPTHandler{}, err
 	}
+	v1, v2, v3, mode := ipt.GetIptablesVersion()
+	klog.Infof("Iptables version: %d.%d.%d, mode: %s", v1, v2, v3, mode)
 	return IPTHandler{
 		ipt: *ipt,
 	}, err