Add specific nat rules for inbound envoy routing

Istio Envoy treats differently inbound traffic that targets ports declared in a service and ports that are undeclared in a service. Traffic that targets ports undeclared in an associated service is sent from 127.0.0.6 to <POD_IP>, instead of being sent from localhost to localhost. This commit adds rules that hit traffic sent from 127.0.0.6 and dnats it to the VM Signed-off-by: Radim Hrazdil <rhrazdil@redhat.com>
kubevirt · Mar 12, 2021 · a24ada6 · a24ada6
1 parent 7c36627
commit a24ada6
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 0 deletions.
diff --git a/pkg/virt-launcher/virtwrap/network/podinterface.go b/pkg/virt-launcher/virtwrap/network/podinterface.go
@@ -1085,6 +1085,14 @@ func getLoopbackAdrress(proto iptables.Protocol) string {
 	}
 }
 
+func getEnvoyInboundLoopbackAddress(proto iptables.Protocol) string {
+	if proto == iptables.ProtocolIPv4 {
+		return "127.0.0.6"
+	} else {
+		return "::6"
+	}
+}
+
 func (b *MasqueradeBindMechanism) createNatRulesUsingNftables(proto iptables.Protocol) error {
 	err := Handler.NftablesNewChain(proto, "nat", "KUBEVIRT_PREINBOUND")
 	if err != nil {
@@ -1122,6 +1130,15 @@ func (b *MasqueradeBindMechanism) createNatRulesUsingNftables(proto iptables.Pro
 		if port.Protocol == "" {
 			port.Protocol = "tcp"
 		}
+		err = Handler.NftablesAppendRule(proto, "nat", "KUBEVIRT_POSTINBOUND",
+			strings.ToLower(port.Protocol),
+			"dport",
+			strconv.Itoa(int(port.Port)),
+			Handler.GetNFTIPString(proto), "saddr", getEnvoyInboundLoopbackAddress(proto),
+			"counter", "snat", "to", b.getGatewayByProtocol(proto))
+		if err != nil {
+			return err
+		}
 
 		err = Handler.NftablesAppendRule(proto, "nat", "KUBEVIRT_POSTINBOUND",
 			strings.ToLower(port.Protocol),
@@ -1151,6 +1168,16 @@ func (b *MasqueradeBindMechanism) createNatRulesUsingNftables(proto iptables.Pro
 		if err != nil {
 			return err
 		}
+
+		err = Handler.NftablesAppendRule(proto, "nat", "output",
+			Handler.GetNFTIPString(proto), "saddr", getEnvoyInboundLoopbackAddress(proto),
+			strings.ToLower(port.Protocol),
+			"dport",
+			strconv.Itoa(int(port.Port)),
+			"counter", "dnat", "to", b.getVifIpByProtocol(proto))
+		if err != nil {
+			return err
+		}
 	}
 
 	return nil

diff --git a/pkg/virt-launcher/virtwrap/network/podinterface_test.go b/pkg/virt-launcher/virtwrap/network/podinterface_test.go
@@ -268,6 +268,10 @@ var _ = Describe("Pod Network", func() {
 			mockNetwork.EXPECT().NftablesAppendRule(proto, "nat", "postrouting", GetNFTIPString(proto), "saddr", GetMasqueradeVmIp(proto), "counter", "masquerade").Return(nil)
 			mockNetwork.EXPECT().NftablesAppendRule(proto, "nat", "prerouting", "iifname", "eth0", "counter", "jump", "KUBEVIRT_PREINBOUND").Return(nil)
 			mockNetwork.EXPECT().NftablesAppendRule(proto, "nat", "postrouting", "oifname", "k6t-eth0", "counter", "jump", "KUBEVIRT_POSTINBOUND").Return(nil)
+			//mockNetwork.EXPECT().NftablesAppendRule(proto, "nat", "KUBEVIRT_POSTINBOUND", Handler.GetNFTIPString(proto), "saddr", getEnvoyInboundLoopbackAddress(proto), "counter", "snat", "to", GetMasqueradeGwIp(proto)).Return(nil)
+			//mockNetwork.EXPECT().NftablesAppendRule(proto, "nat", "KUBEVIRT_POSTINBOUND", Handler.GetNFTIPString(proto), "saddr", getLoopbackAdrress(proto), "counter", "snat", "to", GetMasqueradeGwIp(proto)).Return(nil)
+			//mockNetwork.EXPECT().NftablesAppendRule(proto, "nat", "output", Handler.GetNFTIPString(proto), "daddr", getLoopbackAdrress(proto), "counter", "dnat", "to", GetMasqueradeVmIp(proto)).Return(nil)
+			//mockNetwork.EXPECT().NftablesAppendRule(proto, "nat", "output", Handler.GetNFTIPString(proto), "saddr", getEnvoyInboundLoopbackAddress(proto), "counter", "dnat", "to", GetMasqueradeVmIp(proto)).Return(nil)
 			mockNetwork.EXPECT().NftablesAppendRule(proto, "nat", "KUBEVIRT_PREINBOUND", "counter", "dnat", "to", GetMasqueradeVmIp(proto)).Return(nil)
 
 		}
@@ -498,6 +502,13 @@ var _ = Describe("Pod Network", func() {
 				for _, proto := range ipProtocols() {
 					mockNetwork.EXPECT().NftablesLoad(proto).Return(nil)
 
+					mockNetwork.EXPECT().NftablesAppendRule(proto, "nat",
+						"KUBEVIRT_POSTINBOUND",
+						"tcp",
+						"dport",
+						"80",
+						GetNFTIPString(proto), "saddr", getEnvoyInboundLoopbackAddress(proto),
+						"counter", "snat", "to", GetMasqueradeGwIp(proto)).Return(nil).AnyTimes()
 					mockNetwork.EXPECT().NftablesAppendRule(proto, "nat",
 						"KUBEVIRT_POSTINBOUND",
 						"tcp",
@@ -518,6 +529,13 @@ var _ = Describe("Pod Network", func() {
 						"dport",
 						"80",
 						"counter", "dnat", "to", GetMasqueradeVmIp(proto)).Return(nil).AnyTimes()
+					mockNetwork.EXPECT().NftablesAppendRule(proto, "nat",
+						"output",
+						GetNFTIPString(proto), "saddr", getEnvoyInboundLoopbackAddress(proto),
+						"tcp",
+						"dport",
+						"80",
+						"counter", "dnat", "to", GetMasqueradeVmIp(proto)).Return(nil).AnyTimes()
 				}
 
 				domain := NewDomainWithBridgeInterface()