Feature iptables eip nats splits (#1437)

add vip eip fip dnat snat crd add vip crd for l2 macvlan|ipvlan (vpc single-eni-multi-ip), like openstack neturon aap(allow address pair) add eip crd for eip in vpc nat gw pod add snat crd for snat in vpc nat gw pod add dnat crd for dnat in vpc nat gw pod add fip crd for fip in vpc nat gw pod Co-authored-by: zhangbingbing <zhangbingbing@yealink.com>
kubeovn · Apr 28, 2022 · fb3c3e6 · fb3c3e6
1 parent 0c95402
commit fb3c3e6
Show file tree

Hide file tree

Showing 45 changed files with 7,616 additions and 492 deletions.
diff --git a/dist/images/install.sh b/dist/images/install.sh
diff --git a/dist/images/vpcnatgateway/nat-gateway.sh b/dist/images/vpcnatgateway/nat-gateway.sh
@@ -13,8 +13,14 @@ function exec_cmd() {
 }
 
 function init() {
-    lanCIDR=$1
+    # run once is enough
+    iptables-save | grep DNAT_FILTER && exit 0
+    # add static chain
+    # this also a flag to make sure init once
+    iptables -t nat -N DNAT_FILTER
     ip link set net1 up
+    ip link set dev net1 arp off
+    lanCIDR=$1
     if [ $(ip rule show iif net1 | wc -l) -eq 0 ]; then
         exec_cmd "ip rule add iif net1 table $ROUTE_TABLE"
     fi
@@ -24,7 +30,6 @@ function init() {
     exec_cmd "ip route replace $lanCIDR dev eth0 table $ROUTE_TABLE"
 
     # add static chain
-    iptables -t nat -N DNAT_FILTER
     iptables -t nat -N SNAT_FILTER
     iptables -t nat -N EXCLUSIVE_DNAT # floatingIp DNAT
     iptables -t nat -N EXCLUSIVE_SNAT # floatingIp SNAT
@@ -41,6 +46,8 @@ function init() {
 }
 
 function add_vpc_internal_route() {
+    # make sure inited
+    iptables-save -t nat | grep  SNAT_FILTER | grep SHARED_SNAT
     for rule in $@
     do
         arr=(${rule//,/ })
@@ -52,6 +59,8 @@ function add_vpc_internal_route() {
 }
 
 function del_vpc_internal_route() {
+    # make sure inited
+    iptables-save -t nat | grep  SNAT_FILTER | grep SHARED_SNAT
     for rule in $@
     do
         arr=(${rule//,/ })
@@ -62,6 +71,8 @@ function del_vpc_internal_route() {
 }
 
 function add_eip() {
+    # make sure inited
+    iptables-save -t nat | grep  SNAT_FILTER | grep SHARED_SNAT
     for rule in $@
     do
         arr=(${rule//,/ })
@@ -74,50 +85,91 @@ function add_eip() {
         exec_cmd "ip addr replace $eip dev net1"
         exec_cmd "ip route replace $eip_network/$eip_prefix dev net1 table $ROUTE_TABLE"
         exec_cmd "ip route replace default via $gateway dev net1 table $ROUTE_TABLE"
+        ip link set dev net1 arp on
         exec_cmd "arping -c 3 -s $eip_without_prefix $gateway"
     done
 }
 
 function del_eip() {
+    # make sure inited
+    iptables-save -t nat | grep  SNAT_FILTER | grep SHARED_SNAT
     for rule in $@
     do
         arr=(${rule//,/ })
         eip=${arr[0]}
-        lines=`ip addr show net1 | grep $eip`
-        if [ -n "$lines" ]; then
-            exec_cmd "ip addr del $eip dev net1"
+        ipCidr=`ip addr show net1 | grep $eip | awk '{print $2 }'`
+        if [ -n "$ipCidr" ]; then
+            exec_cmd "ip addr del $ipCidr dev net1"
         fi
     done
 }
 
-function sync_floating_ips() {
-    iptables -t nat -F EXCLUSIVE_DNAT
-    iptables -t nat -F EXCLUSIVE_SNAT
+function add_floating_ip() {
+    # make sure inited
+    iptables-save -t nat | grep  SNAT_FILTER | grep SHARED_SNAT
     for rule in $@
     do
         arr=(${rule//,/ })
         eip=(${arr[0]//\// })
         internalIp=${arr[1]}
-
+        # check if already exist
+        iptables-save  | grep "EXCLUSIVE_DNAT" | grep "\-d $eip" | grep  "destination" && exit 0
         exec_cmd "iptables -t nat -A EXCLUSIVE_DNAT -d $eip -j DNAT --to-destination $internalIp"
         exec_cmd "iptables -t nat -A EXCLUSIVE_SNAT -s $internalIp -j SNAT --to-source $eip"
     done
 }
 
-function sync_snat() {
-    iptables -t nat -F SHARED_SNAT
+function del_floating_ip() {
+    # make sure inited
+    iptables-save -t nat | grep  SNAT_FILTER | grep SHARED_SNAT
     for rule in $@
     do
         arr=(${rule//,/ })
         eip=(${arr[0]//\// })
-        internalCIDR=${arr[1]}
+        internalIp=${arr[1]}
+        # check if already exist
+        iptables-save  | grep "EXCLUSIVE_DNAT" | grep "\-d $eip" | grep  "destination"
+        if [ "$?" -eq 0 ];then
+            exec_cmd "iptables -t nat -D EXCLUSIVE_DNAT -d $eip -j DNAT --to-destination $internalIp"
+            exec_cmd "iptables -t nat -D EXCLUSIVE_SNAT -s $internalIp -j SNAT --to-source $eip"
+        fi
+    done
+}
 
+function add_snat() {
+    # make sure inited
+    iptables-save -t nat | grep  SNAT_FILTER | grep SHARED_SNAT
+    # iptables -t nat -F SHARED_SNAT
+    for rule in $@
+    do
+        arr=(${rule//,/ })
+        eip=(${arr[0]//\// })
+        internalCIDR=${arr[1]}
+        # check if already exist
+        iptables-save  | grep "SHARED_SNAT" | grep "\-s $internalCIDR" | grep "source $eip" && exit 0
         exec_cmd "iptables -t nat -A SHARED_SNAT -s $internalCIDR -j SNAT --to-source $eip"
     done
 }
+function del_snat() {
+    # make sure inited
+    iptables-save -t nat | grep  SNAT_FILTER | grep SHARED_SNAT
+    # iptables -t nat -F SHARED_SNAT
+    for rule in $@
+    do
+        arr=(${rule//,/ })
+        eip=(${arr[0]//\// })
+        internalCIDR=${arr[1]}
+        # check if already exist
+        iptables-save  | grep "SHARED_SNAT" | grep "\-s $internalCIDR" | grep "source $eip"
+        if [ "$?" -eq 0 ];then
+          exec_cmd "iptables -t nat -D SHARED_SNAT -s $internalCIDR -j SNAT --to-source $eip"
+        fi
+    done
+}
 
-function sync_dnat() {
-    iptables -t nat -F SHARED_DNAT
+function add_dnat() {
+    # make sure inited
+    iptables-save -t nat | grep  SNAT_FILTER | grep SHARED_SNAT
     for rule in $@
     do
         arr=(${rule//,/ })
@@ -126,16 +178,36 @@ function sync_dnat() {
         protocol=${arr[2]}
         internalIp=${arr[3]}
         internalPort=${arr[4]}
-
+        # check if already exist
+        iptables-save  | grep "SHARED_DNAT" | grep "\-d $eip" | grep "p $protocol" | grep "dport $dport"| grep  "destination $internalIp:$internalPort"  && exit 0
         exec_cmd "iptables -t nat -A SHARED_DNAT -p $protocol -d $eip --dport $dport -j DNAT --to-destination $internalIp:$internalPort"
     done
 }
 
+function del_dnat() {
+    # make sure inited
+    iptables-save -t nat | grep  SNAT_FILTER | grep SHARED_SNAT
+    for rule in $@
+    do
+        arr=(${rule//,/ })
+        eip=(${arr[0]//\// })
+        dport=${arr[1]}
+        protocol=${arr[2]}
+        internalIp=${arr[3]}
+        internalPort=${arr[4]}
+        # check if already exist
+        iptables-save  | grep "SHARED_DNAT" | grep "\-d $eip" | grep "p $protocol" | grep "dport $dport"| grep  "destination $internalIp:$internalPort"
+        if [ "$?" -eq 0 ];then
+          exec_cmd "iptables -t nat -D SHARED_DNAT -p $protocol -d $eip --dport $dport -j DNAT --to-destination $internalIp:$internalPort"
+        fi
+    done
+}
+
 rules=${@:2:${#}}
 opt=$1
 case $opt in
  init)
-        echo "init"
+        echo "init $rules"
         init $rules
         ;;
  subnet-route-add)
@@ -154,20 +226,32 @@ case $opt in
         echo "eip-del $rules"
         del_eip $rules
         ;;
- dnat-sync)
-        echo "dnat-sync $rules"
-        sync_dnat $rules
+ dnat-add)
+        echo "dnat-add $rules"
+        add_dnat $rules
+        ;;
+ dnat-del)
+        echo "dnat-del $rules"
+        del_dnat $rules
+        ;;
+ snat-add)
+        echo "snat-add $rules"
+        add_snat $rules
+        ;;
+ snat-del)
+        echo "snat-del $rules"
+        del_snat $rules
         ;;
- snat-sync)
-        echo "snat-sync $rules"
-        sync_snat $rules
+ floating-ip-add)
+        echo "floating-ip-add $rules"
+        add_floating_ip $rules
         ;;
- floating-ip-sync)
-        echo "floating-ip-sync $rules"
-        sync_floating_ips $rules
+ floating-ip-del)
+        echo "floating-ip-del $rules"
+        del_floating_ip $rules
         ;;
  *)
-        echo "Usage: $0 [init|subnet-route-add|subnet-route-del|eip-add|eip-del|dnat-sync|snat-sync|floating-ip-sync] ..."
+        echo "Usage: $0 [init|subnet-route-add|subnet-route-del|eip-add|eip-del|floating-ip-add|floating-ip-del|dnat-add|dnat-del|snat-add|snat-del] ..."
         exit 1
         ;;
-esac
+esac
diff --git a/docs/virtual-ip.md b/docs/virtual-ip.md
@@ -0,0 +1,33 @@
+From v1.10, users can create vip. vip looks a bit like port in openstack neutron. users can use vip to keep ip address before using it (in pod).
+
+in some scenarios below, vip should be very useful。
+
+- build k8s cluster based on  kubevirt vms, if you use veth-pair, ipvlan, macvlan as your cni
+- ovn lb health-check also need vip
+
+
+
+**vip can use in any subnet, vpc and underlay subnet both included.**
+
+
+
+### create vip
+
+```yaml
+# 1. dynamic get vip
+apiVersion: kubeovn.io/v1
+kind: VirtualIP
+metadata:
+  name: vip-dynamic-01
+spec:
+  subnet: my-ovn-vpc-subnet # specify your subnet
+---
+# 2. static ip
+apiVersion: kubeovn.io/v1
+kind: VirtualIP
+metadata:
+  name: static-vip01
+spec:
+  subnet: my-ovn-vpc-subnet # specify your subnet
+  v4Ip: "172.20.10.201"  # and specify your ip
+```