Consolidate rules added to output chain

This commit adds destination addresses to match for dnat in a single rule. By default traffic destined to 127.0.0.1 is DNATed. With istio, we need to additionally take care of passthrough traffic (traffic destined to ports not declared in a k8s) which is sent from 127.0.0.6 to pod IP. Since we're using destination address to match traffic for dnatting, this commit reads pod IP of the virt launcher and adds it to the set of matched IP addresses, if istio is used. Signed-off-by: Radim Hrazdil <rhrazdil@redhat.com>
kubevirt · May 13, 2021 · 622b1e4 · 622b1e4
1 parent a8c98b8
commit 622b1e4
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 14 deletions.
diff --git a/pkg/virt-launcher/virtwrap/network/podinterface.go b/pkg/virt-launcher/virtwrap/network/podinterface.go
@@ -1163,27 +1163,19 @@ func (b *MasqueradeBindMechanism) createNatRulesUsingNftables(proto iptables.Pro
 			}
 		}
 
+		addressesToDnat, err := b.getDstAddressesToDnat(proto)
+		if err != nil {
+			return err
+		}
 		err = b.handler.NftablesAppendRule(proto, "nat", "output",
-			b.handler.GetNFTIPString(proto), "daddr", getLoopbackAdrress(proto),
+			b.handler.GetNFTIPString(proto), "daddr", addressesToDnat,
 			strings.ToLower(port.Protocol),
 			"dport",
 			strconv.Itoa(int(port.Port)),
 			"counter", "dnat", "to", b.getVifIpByProtocol(proto))
 		if err != nil {
 			return err
 		}
-
-		if hasIstioSidecarInjectionEnabled(b.vmi) && proto == iptables.ProtocolIPv4 {
-			err = b.handler.NftablesAppendRule(proto, "nat", "output",
-				b.handler.GetNFTIPString(proto), "saddr", getEnvoyLoopbackAddress(),
-				strings.ToLower(port.Protocol),
-				"dport",
-				strconv.Itoa(int(port.Port)),
-				"counter", "dnat", "to", b.getVifIpByProtocol(proto))
-			if err != nil {
-				return err
-			}
-		}
 	}
 	return nil
 }
@@ -1227,6 +1219,18 @@ func (b *MasqueradeBindMechanism) getSrcAddressesToSnat(proto iptables.Protocol)
 	return fmt.Sprintf("{ %s }", strings.Join(addresses, ", "))
 }
 
+func (b *MasqueradeBindMechanism) getDstAddressesToDnat(proto iptables.Protocol) (string, error) {
+	addresses := []string{getLoopbackAdrress(proto)}
+	if hasIstioSidecarInjectionEnabled(b.vmi) && proto == iptables.ProtocolIPv4 {
+		ipv4, _, err := b.handler.ReadIPAddressesFromLink(b.podInterfaceName)
+		if err != nil {
+			return "", err
+		}
+		addresses = append(addresses, ipv4)
+	}
+	return fmt.Sprintf("{ %s }", strings.Join(addresses, ", ")), nil
+}
+
 func hasIstioSidecarInjectionEnabled(vmi *v1.VirtualMachineInstance) bool {
 	if val, ok := vmi.GetAnnotations()["sidecar.istio.io/inject"]; ok {
 		return strings.ToLower(val) == "true"

diff --git a/pkg/virt-launcher/virtwrap/network/podinterface_test.go b/pkg/virt-launcher/virtwrap/network/podinterface_test.go
@@ -552,7 +552,7 @@ var _ = Describe("Pod Network", func() {
 						"counter", "dnat", "to", GetMasqueradeVmIp(proto)).Return(nil).AnyTimes()
 					mockNetwork.EXPECT().NftablesAppendRule(proto, "nat",
 						"output",
-						GetNFTIPString(proto), "daddr", getLoopbackAdrress(proto),
+						GetNFTIPString(proto), "daddr", "{ "+getLoopbackAdrress(proto)+" }",
 						"tcp",
 						"dport",
 						"80",