From d5bde5b1c71586204d907d03e5e2512055845e2e Mon Sep 17 00:00:00 2001
From: Matthew Long <61910737+thatmattlong@users.noreply.github.com>
Date: Thu, 2 Sep 2021 10:07:24 -0700
Subject: [PATCH 1/2] add snat rule to host IP for IMDS

---
 cni/network/invoker_cns.go | 7 +++----
 iptables/iptables.go | 6 ++++--
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/cni/network/invoker_cns.go b/cni/network/invoker_cns.go
index c95fbe7a58..c51102d5f6 100644
--- a/cni/network/invoker_cns.go
+++ b/cni/network/invoker_cns.go
@@ -161,16 +161,15 @@ func setHostOptions(nwCfg *cni.NetworkConfig, hostSubnetPrefix *net.IPNet, ncSub
 	}
 
 	azureDNSMatch := fmt.Sprintf(" -m addrtype ! --dst-type local -s %s -d %s -p %s --dport %d", ncSubnetPrefix.String(), iptables.AzureDNS, iptables.UDP, iptables.DNSPort)
+	azureIMDSMatch := fmt.Sprintf(" -m addrtype ! --dst-type local -s %s -d %s -p %s --dport %d", ncSubnetPrefix.String(), iptables.AzureIMDS, iptables.TCP, iptables.HTTPPort)
 
-	// TODO remove this rule once we remove adding MASQUEARDE from AgentBaker, check below PR
-	// https://github.com/Azure/AgentBaker/pull/367/files
-	podTrafficAccept := fmt.Sprintf(" -m iprange ! --dst-range 168.63.129.16-168.63.129.16 -s %s ", ncSubnetPrefix.String())
 	snatPrimaryIPJump := fmt.Sprintf("%s --to %s", iptables.Snat, info.ncPrimaryIP)
+	snatHostIPJump := fmt.Sprintf("%s --to %s", iptables.Snat, info.hostPrimaryIP)
 	options[network.IPTablesKey] = []iptables.IPTableEntry{
 		iptables.GetCreateChainCmd(iptables.V4, iptables.Nat, iptables.Swift),
-		iptables.GetInsertIptableRuleCmd(iptables.V4, iptables.Nat, iptables.Postrouting, podTrafficAccept, iptables.Accept),
 		iptables.GetAppendIptableRuleCmd(iptables.V4, iptables.Nat, iptables.Postrouting, "", iptables.Swift),
 		iptables.GetInsertIptableRuleCmd(iptables.V4, iptables.Nat, iptables.Swift, azureDNSMatch, snatPrimaryIPJump),
+		iptables.GetInsertIptableRuleCmd(iptables.V4, iptables.Nat, iptables.Swift, azureIMDSMatch, snatHostIPJump),
 	}
 
 	return nil
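Review bot: `snatHostIPJump` is formatted from `info.hostPrimaryIP` with no check that the value is set, so an empty host IP yields a rule ending in `--to ` that only fails when the entry is applied, and the existing `info.ncPrimaryIP` rule above it has the same gap. Since the function appears to return an error, I would guard both before building the entries: `if info.hostPrimaryIP == "" || info.ncPrimaryIP == "" { return fmt.Errorf("setHostOptions: host primary IP %q or nc primary IP %q not set", info.hostPrimaryIP, info.ncPrimaryIP) }`. The two match strings share one format and differ only in destination, protocol and port, so a small helper taking those three would make each rule easier to verify at a glance. The IMDS rule also deserves a comment stating that it deliberately presents pod traffic to 169.254.169.254 with the node's address, because that is the property a later reader must understand before widening the `-s`/`-d`/`--dport` match. setHostOptions begins before this hunk and continues after it.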
diff --git a/iptables/iptables.go b/iptables/iptables.go
index 2f3abf9eb0..4aac7389e7 100644
--- a/iptables/iptables.go
+++ b/iptables/iptables.go
@@ -67,7 +67,8 @@ const (
 
 // known ports
 const (
-	DNSPort = 53
+	DNSPort  = 53
+	HTTPPort = 80
 )
 
 // known protocols
@@ -78,7 +79,8 @@ const (
 
 // known IP's
 const (
-	AzureDNS = "168.63.129.16"
+	AzureDNS  = "168.63.129.16"
+	AzureIMDS = "169.254.169.254"
 )
 
 var (

From 7ac0e02b91c55b6859abeaa91e89ac5a7f23eee9 Mon Sep 17 00:00:00 2001
From: Matthew Long <61910737+thatmattlong@users.noreply.github.com>
Date: Thu, 2 Sep 2021 15:18:41 -0700
Subject: [PATCH 2/2] add comment for rules

---
 cni/network/invoker_cns.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/cni/network/invoker_cns.go b/cni/network/invoker_cns.go
index c51102d5f6..61df2e9679 100644
--- a/cni/network/invoker_cns.go
+++ b/cni/network/invoker_cns.go
@@ -164,11 +164,14 @@ func setHostOptions(nwCfg *cni.NetworkConfig, hostSubnetPrefix *net.IPNet, ncSub
 	azureIMDSMatch := fmt.Sprintf(" -m addrtype ! --dst-type local -s %s -d %s -p %s --dport %d", ncSubnetPrefix.String(), iptables.AzureIMDS, iptables.TCP, iptables.HTTPPort)
 
 	snatPrimaryIPJump := fmt.Sprintf("%s --to %s", iptables.Snat, info.ncPrimaryIP)
+	// we need to snat IMDS traffic to node IP, this sets up snat '--to'
 	snatHostIPJump := fmt.Sprintf("%s --to %s", iptables.Snat, info.hostPrimaryIP)
 	options[network.IPTablesKey] = []iptables.IPTableEntry{
 		iptables.GetCreateChainCmd(iptables.V4, iptables.Nat, iptables.Swift),
 		iptables.GetAppendIptableRuleCmd(iptables.V4, iptables.Nat, iptables.Postrouting, "", iptables.Swift),
+		// add a snat rule to primary NC IP for DNS
 		iptables.GetInsertIptableRuleCmd(iptables.V4, iptables.Nat, iptables.Swift, azureDNSMatch, snatPrimaryIPJump),
+		// add a snat rule to node IP for IMDS http traffic
 		iptables.GetInsertIptableRuleCmd(iptables.V4, iptables.Nat, iptables.Swift, azureIMDSMatch, snatHostIPJump),
 	}
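Review bot: The exported constants `HTTPPort` and `AzureIMDS` are added without doc comments, in this hunk and in the second hunk of the same file; the group comments `// known ports` and `// known IP's` say what kind of value each is but not what it is used for. I would document the address as `// AzureIMDS is the link-local address of the Azure Instance Metadata Service.` and the port as `// HTTPPort is the standard HTTP port; used to match IMDS traffic in the SNAT rules.` so a reader of the iptables package does not have to find the CNI invoker to learn why these exist.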
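Review bot: The comment added above `snatHostIPJump` runs two clauses together and does not say why the node IP is chosen, which is the one thing a later reader of this rule needs; I would replace it with `// SNAT pod traffic bound for IMDS to the node's primary IP so IMDS sees it as coming from the node.` The two rule comments inside the slice are useful, though `snat` and `http` should be written `SNAT` and `HTTP`, e.g. `// add a SNAT rule to the node IP for IMDS HTTP traffic`. setHostOptions starts before this hunk and ends after it.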