cilium · ti-mo · Jun 13, 2023 · May 30, 2023 · Jun 1, 2023 · May 24, 2023
@@ -181,15 +181,6 @@ function encap_fail()
 	exit 1
 }
 
-	# If the host does not have an IPv6 address assigned, assign our generated host
-	# IP to make the host accessible to endpoints
-	if [ "$IP6_HOST" != "<nil>" ]; then
-		[ -n "$(ip -6 addr show to $IP6_HOST dev $HOST_DEV1)" ] || ip -6 addr add $IP6_HOST dev $HOST_DEV1
-	fi
-	if [ "$IP4_HOST" != "<nil>" ]; then
-		[ -n "$(ip -4 addr show to $IP4_HOST dev $HOST_DEV1)" ] || ip -4 addr add $IP4_HOST dev $HOST_DEV1
-	fi
-
 if [ "$PROXY_RULE" = "true" ]; then
 # Decrease priority of the rule to identify local addresses
 move_local_rules

@@ -319,6 +319,23 @@ func (l *Loader) Reinitialize(ctx context.Context, o datapath.BaseProgramOwner,
 	}
 	args[initArgMode] = string(mode)
 
+	var nodeIPv4, nodeIPv6 net.IP
+	args[initArgIPv4NodeIP] = "<nil>"
+	args[initArgIPv6NodeIP] = "<nil>"
+	if option.Config.EnableIPv4 {
+		nodeIPv4 = node.GetInternalIPv4Router()
+		args[initArgIPv4NodeIP] = nodeIPv4.String()
+	}
+	if option.Config.EnableIPv6 {
+		nodeIPv6 = node.GetIPv6Router()
+		args[initArgIPv6NodeIP] = nodeIPv6.String()
+		// Docker <17.05 has an issue which causes IPv6 to be disabled in the initns for all
+		// interface (https://github.com/docker/libnetwork/issues/1720)
+		// Enable IPv6 for now
+		sysSettings = append(sysSettings,
+			sysctl.Setting{Name: "net.ipv6.conf.all.disable_ipv6", Val: "0", IgnoreErr: false})
+	}
+
 	// Datapath initialization
 	hostDev1, hostDev2, err := SetupBaseDevice(deviceMTU)
 	if err != nil {
@@ -327,6 +344,21 @@ func (l *Loader) Reinitialize(ctx context.Context, o datapath.BaseProgramOwner,
 	args[initArgHostDev1] = hostDev1.Attrs().Name
 	args[initArgHostDev2] = hostDev2.Attrs().Name
 
+	if option.Config.IPAM == ipamOption.IPAMENI {
+		var err error
+		if sysSettings, err = addENIRules(sysSettings, o.Datapath().LocalNodeAddressing()); err != nil {
+			return fmt.Errorf("unable to install ip rule for ENI multi-node NodePort: %w", err)
+		}
+	}
+
+	// Any code that relies on sysctl settings being applied needs to be called after this.
+	sysctl.ApplySettings(sysSettings)
+
+	// add internal ipv4 and ipv6 addresses to cilium_host
+	if err := addHostDeviceAddr(hostDev1, nodeIPv4, nodeIPv6); err != nil {
+		return fmt.Errorf("failed to add internal IP address to %s: %w", hostDev1.Attrs().Name, err)
+	}
+
 	if err := l.writeNodeConfigHeader(o); err != nil {
 		log.WithError(err).Error("Unable to write node config header")
 		return err
@@ -359,23 +391,6 @@ func (l *Loader) Reinitialize(ctx context.Context, o datapath.BaseProgramOwner,
 	args[initArgLib] = "<nil>"
 	args[initArgRundir] = option.Config.StateDir
 
-	if option.Config.EnableIPv4 {
-		args[initArgIPv4NodeIP] = node.GetInternalIPv4Router().String()
-	} else {
-		args[initArgIPv4NodeIP] = "<nil>"
-	}
-
-	if option.Config.EnableIPv6 {
-		args[initArgIPv6NodeIP] = node.GetIPv6Router().String()
-		// Docker <17.05 has an issue which causes IPv6 to be disabled in the initns for all
-		// interface (https://github.com/docker/libnetwork/issues/1720)
-		// Enable IPv6 for now
-		sysSettings = append(sysSettings,
-			sysctl.Setting{Name: "net.ipv6.conf.all.disable_ipv6", Val: "0", IgnoreErr: false})
-	} else {
-		args[initArgIPv6NodeIP] = "<nil>"
-	}
-
 	args[initArgMTU] = fmt.Sprintf("%d", deviceMTU)
 
 	args[initArgSocketLB] = "<nil>"
@@ -434,15 +449,6 @@ func (l *Loader) Reinitialize(ctx context.Context, o datapath.BaseProgramOwner,
 		logfields.BPFClockSource: clockSource[option.Config.ClockSource],
 	}).Info("Setting up BPF datapath")
 
-	if option.Config.IPAM == ipamOption.IPAMENI {
-		var err error
-		if sysSettings, err = addENIRules(sysSettings, o.Datapath().LocalNodeAddressing()); err != nil {
-			return fmt.Errorf("unable to install ip rule for ENI multi-node NodePort: %w", err)
-		}
-	}
-
-	sysctl.ApplySettings(sysSettings)
-
 	if option.Config.InstallIptRules && option.Config.EnableL7Proxy {
 		args[initArgProxyRule] = "true"
 	} else {

@@ -414,3 +414,33 @@ func (l *Loader) reloadIPSecOnLinkChanges() {
 		}
 	}()
 }
+
+// addHostDeviceAddr add internal ipv4 and ipv6 addresses to the cilium_host device.
+func addHostDeviceAddr(hostDev netlink.Link, ipv4, ipv6 net.IP) error {
+	if ipv4 != nil {
+		addr := netlink.Addr{
+			IPNet: &net.IPNet{
+				IP:   ipv4,
+				Mask: net.CIDRMask(32, 32), // corresponds to /32
+			},
+		}
+
+		if err := netlink.AddrReplace(hostDev, &addr); err != nil {
+			return err
+		}
+	}
+	if ipv6 != nil {
+		addr := netlink.Addr{
+			IPNet: &net.IPNet{
+				IP:   ipv6,
+				Mask: net.CIDRMask(64, 128), // corresponds to /64
+			},
+		}
+
+		if err := netlink.AddrReplace(hostDev, &addr); err != nil {
+			return err
+		}
+
+	}
+	return nil
+}
@@ -7,71 +7,127 @@ package loader
 
 import (
 	"fmt"
+	"net"
+	"testing"
 
-	. "github.com/cilium/checkmate"
+	"github.com/containernetworking/plugins/pkg/ns"
+	"github.com/stretchr/testify/require"
 	"github.com/vishvananda/netlink"
 
+	"github.com/cilium/cilium/pkg/netns"
 	"github.com/cilium/cilium/pkg/option"
 	"github.com/cilium/cilium/pkg/sysctl"
 	"github.com/cilium/cilium/pkg/testutils"
 )
 
-type NetlinkTestSuite struct {
-	prevConfigEnableIPv4 bool
-	prevConfigEnableIPv6 bool
-}
-
-var _ = Suite(&NetlinkTestSuite{})
-
-func (s *NetlinkTestSuite) SetUpSuite(c *C) {
-	testutils.PrivilegedTest(c)
-
-	s.prevConfigEnableIPv4 = option.Config.EnableIPv4
-	s.prevConfigEnableIPv6 = option.Config.EnableIPv6
+func TestSetupDev(t *testing.T) {
+	testutils.PrivilegedTest(t)
 
+	prevConfigEnableIPv4 := option.Config.EnableIPv4
+	prevConfigEnableIPv6 := option.Config.EnableIPv6
+	t.Cleanup(func() {
+		option.Config.EnableIPv4 = prevConfigEnableIPv4
+		option.Config.EnableIPv6 = prevConfigEnableIPv6
+	})
 	option.Config.EnableIPv4 = true
 	option.Config.EnableIPv6 = true
-}
 
-func (s *NetlinkTestSuite) TearDownSuite(c *C) {
-	option.Config.EnableIPv4 = s.prevConfigEnableIPv4
-	option.Config.EnableIPv6 = s.prevConfigEnableIPv6
+	netnsName := "test-setup-dev"
+	netns0, err := netns.ReplaceNetNSWithName(netnsName)
+	require.NoError(t, err)
+	require.NotNil(t, netns0)
+	t.Cleanup(func() {
+		netns0.Close()
+		netns.RemoveNetNSWithName(netnsName)
+	})
+
+	netns0.Do(func(_ ns.NetNS) error {
+		ifName := "dummy"
+		dummy := &netlink.Dummy{
+			LinkAttrs: netlink.LinkAttrs{
+				Name: ifName,
+			},
+		}
+		err := netlink.LinkAdd(dummy)
+		require.NoError(t, err)
+
+		err = setupDev(dummy)
+		require.NoError(t, err)
+
+		enabledSettings := []string{
+			fmt.Sprintf("net.ipv6.conf.%s.forwarding", ifName),
+			fmt.Sprintf("net.ipv4.conf.%s.forwarding", ifName),
+			fmt.Sprintf("net.ipv4.conf.%s.accept_local", ifName),
+		}
+		disabledSettings := []string{
+			fmt.Sprintf("net.ipv4.conf.%s.rp_filter", ifName),
+			fmt.Sprintf("net.ipv4.conf.%s.send_redirects", ifName),
+		}
+		for _, setting := range enabledSettings {
+			s, err := sysctl.Read(setting)
+			require.NoError(t, err)
+			require.Equal(t, s, "1")
+		}
+		for _, setting := range disabledSettings {
+			s, err := sysctl.Read(setting)
+			require.NoError(t, err)
+			require.Equal(t, s, "0")
+		}
+
+		err = netlink.LinkDel(dummy)
+		require.NoError(t, err)
+
+		return nil
+	})
 }
 
-func (s *NetlinkTestSuite) TestSetupDev(c *C) {
-	ifName := "dummy9"
-
-	dummy := &netlink.Dummy{
-		LinkAttrs: netlink.LinkAttrs{
-			Name: ifName,
-		},
-	}
-	err := netlink.LinkAdd(dummy)
-	c.Assert(err, IsNil)
-
-	err = setupDev(dummy)
-	c.Assert(err, IsNil)
-
-	enabledSettings := []string{
-		fmt.Sprintf("net.ipv6.conf.%s.forwarding", ifName),
-		fmt.Sprintf("net.ipv4.conf.%s.forwarding", ifName),
-		fmt.Sprintf("net.ipv4.conf.%s.accept_local", ifName),
-	}
-	disabledSettings := []string{
-		fmt.Sprintf("net.ipv4.conf.%s.rp_filter", ifName),
-		fmt.Sprintf("net.ipv4.conf.%s.send_redirects", ifName),
-	}
-	for _, setting := range enabledSettings {
-		s, err := sysctl.Read(setting)
-		c.Assert(err, IsNil)
-		c.Assert(s, Equals, "1")
-	}
-	for _, setting := range disabledSettings {
-		s, err := sysctl.Read(setting)
-		c.Assert(err, IsNil)
-		c.Assert(s, Equals, "0")
-	}
-
-	err = netlink.LinkDel(dummy)
-	c.Assert(err, IsNil)
+func TestAddHostDeviceAddr(t *testing.T) {
+	testutils.PrivilegedTest(t)
+
+	// test IP addresses
+	testIPv4 := net.ParseIP("1.2.3.4")
+	testIPv6 := net.ParseIP("2001:db08:0bad:cafe:600d:bee2:0bad:cafe")
+
+	netnsName := "test-internal-node-ips"
+	netns0, err := netns.ReplaceNetNSWithName(netnsName)
+	require.NoError(t, err)
+	require.NotNil(t, netns0)
+	t.Cleanup(func() {
+		netns0.Close()
+		netns.RemoveNetNSWithName(netnsName)
+	})
+
+	netns0.Do(func(_ ns.NetNS) error {
+		ifName := "dummy"
+		dummy := &netlink.Dummy{
+			LinkAttrs: netlink.LinkAttrs{
+				Name: ifName,
+			},
+		}
+		err := netlink.LinkAdd(dummy)
+		require.NoError(t, err)
+
+		err = addHostDeviceAddr(dummy, testIPv4, testIPv6)
+		require.NoError(t, err)
+
+		addrs, err := netlink.AddrList(dummy, netlink.FAMILY_ALL)
+		require.NoError(t, err)
+
+		var foundIPv4, foundIPv6 bool
+		for _, addr := range addrs {
+			if testIPv4.Equal(addr.IP) {
+				foundIPv4 = true
+			}
+			if testIPv6.Equal(addr.IP) {
+				foundIPv6 = true
+			}
+		}
+		require.Equal(t, foundIPv4, true)
+		require.Equal(t, foundIPv6, true)
+
+		err = netlink.LinkDel(dummy)
+		require.NoError(t, err)
+
+		return nil
+	})
 }