diff --git a/network/ovs_endpointclient_linux.go b/network/ovs_endpointclient_linux.go index 848ab31c25..7c88e5086e 100644 --- a/network/ovs_endpointclient_linux.go +++ b/network/ovs_endpointclient_linux.go @@ -75,6 +75,11 @@ func (client *OVSEndpointClient) AddEndpoints(epInfo *EndpointInfo) error { return err } + if err := addOrDeletePrivateIPBlockRule("A"); err != nil { + log.Printf("addPrivateIPBlockRule failed with error %v", err) + return err + } + if err := addMasqueradeRule(client.snatBridgeIP); err != nil { log.Printf("Adding snat rule failed with error %v", err) return err diff --git a/network/ovs_networkclient_linux.go b/network/ovs_networkclient_linux.go index 2e8afd4520..77d56b50ec 100644 --- a/network/ovs_networkclient_linux.go +++ b/network/ovs_networkclient_linux.go @@ -29,6 +29,21 @@ const ( ovsOpt = "OVS_CTL_OPTS='--delete-bridges'" ) +func getPrivateIPSpace() []string { + privateIPAddresses := []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"} + return privateIPAddresses +} + +func getFilterChains() []string { + chains := []string{"FORWARD", "INPUT", "OUTPUT"} + return chains +} + +func getFilterchainTarget() []string { + actions := []string{"ACCEPT", "DROP"} + return actions +} + func updateOVSConfig(option string) error { f, err := os.OpenFile(ovsConfigFile, os.O_APPEND|os.O_RDWR, 0666) if err != nil { @@ -86,6 +101,11 @@ func (client *OVSNetworkClient) CreateBridge() error { return err } + if err := addOrDeletePrivateIPBlockRule("A"); err != nil { + log.Printf("addPrivateIPBlockRule failed with error %v", err) + return err + } + if err := addMasqueradeRule(client.snatBridgeIP); err != nil { return err } @@ -171,6 +191,10 @@ func (client *OVSNetworkClient) DeleteBridge() error { log.Printf("Deleting ebtable vlan drop rule failed with error %v", err) } + if err := addOrDeletePrivateIPBlockRule("D"); err != nil { + log.Printf("Deleting PrivateIP Block rules failed with error %v", err) + } + if err := ovsctl.DeletePortFromOVS(client.bridgeName, azureSnatVeth1); err != nil { return err } @@ -258,6 +282,60 @@ func createSnatBridge(snatBridgeIP string, mainInterface string) error { return nil } +func addOrDeleteFilterRule(action string, ipAddress string, chainName string, target string) error { + option := "i" + + if chainName == "OUTPUT" { + option = "o" + } + + if action != "D" { + cmd := fmt.Sprintf("iptables -t filter -C %v -%v %v -d %v -j %v", chainName, option, snatBridgeName, ipAddress, target) + _, err := platform.ExecuteCommand(cmd) + if err == nil { + log.Printf("Iptable filter for private ipaddr %v on %v chain %v target rule already exists", ipAddress, chainName, target) + return nil + } + } + + cmd := fmt.Sprintf("iptables -t filter -%v %v -%v %v -d %v -j %v", action, chainName, option, snatBridgeName, ipAddress, target) + _, err := platform.ExecuteCommand(cmd) + if err != nil { + log.Printf("Iptable filter %v action for private ipaddr %v on %v chain %v target failed with %v", action, ipAddress, chainName, target, err) + return err + } + + return nil +} + +func addOrDeletePrivateIPBlockRule(action string) error { + privateIPAddresses := getPrivateIPSpace() + chains := getFilterChains() + target := getFilterchainTarget() + + for _, chain := range chains { + if err := addOrDeleteFilterRule(action, "10.0.0.10", chain, target[0]); err != nil { + return err + } + } + + for _, ipAddress := range privateIPAddresses { + if err := addOrDeleteFilterRule(action, ipAddress, chains[0], target[1]); err != nil { + return err + } + + if err := addOrDeleteFilterRule(action, ipAddress, chains[1], target[1]); err != nil { + return err + } + + if err := addOrDeleteFilterRule(action, ipAddress, chains[2], target[1]); err != nil { + return err + } + } + + return nil +} + func addStaticRoute(ip string, interfaceName string) error { log.Printf("[ovs] Adding %v static route", ip) var routes []RouteInfo