From 8bd9b3e4f9477f1b86efbcf91c8777cc91307968 Mon Sep 17 00:00:00 2001
From: Andrea Panattoni
Date: Fri, 7 Apr 2023 18:36:08 +0200
Subject: [PATCH] Fix ETP iptables for shared gateway mode

For NodePort Services with ExternalTrafficPolicy = Local, incoming connections shouldn't be DNATted to masqueradeIP.

Signed-off-by: Andrea Panattoni
---
 go-controller/pkg/node/gateway_iptables.go | 4 +++-
 go-controller/pkg/node/gateway_localnet_linux_test.go | 11 +++-------
 2 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/go-controller/pkg/node/gateway_iptables.go b/go-controller/pkg/node/gateway_iptables.go
index 14c32a785a..17eba5ef5c 100644
--- a/go-controller/pkg/node/gateway_iptables.go
+++ b/go-controller/pkg/node/gateway_iptables.go
@@ -611,7 +611,9 @@ func getGatewayIPTRules(service *kapi.Service, localEndpoints []string, svcHasLo
 if svcTypeIsETPLocal && !svcHasLocalHostNetEndPnt {
 // case1 (see function description for details)
 // A DNAT rule to masqueradeIP is added that takes priority over DNAT to clusterIP.
- rules = append(rules, getNodePortIPTRules(svcPort, clusterIP, svcPort.NodePort, svcHasLocalHostNetEndPnt, svcTypeIsETPLocal)...)
+ if config.Gateway.Mode == config.GatewayModeLocal {
+ rules = append(rules, getNodePortIPTRules(svcPort, clusterIP, svcPort.NodePort, svcHasLocalHostNetEndPnt, svcTypeIsETPLocal)...)
+ }
 // add a skip SNAT rule to OVN-KUBE-SNAT-MGMTPORT to preserve sourceIP for etp=local traffic.
 rules = append(rules, getNodePortETPLocalIPTRules(svcPort, clusterIP)...)
 }
diff --git a/go-controller/pkg/node/gateway_localnet_linux_test.go b/go-controller/pkg/node/gateway_localnet_linux_test.go
index 27ae4ddd1c..8202673026 100644
--- a/go-controller/pkg/node/gateway_localnet_linux_test.go
+++ b/go-controller/pkg/node/gateway_localnet_linux_test.go
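Review bot: The comment directly above the new `if config.Gateway.Mode == config.GatewayModeLocal {` still states that a DNAT rule to masqueradeIP "is added", which after this change is only true in local gateway mode; update it to `// case1 (see function description for details): only in local gateway mode is a DNAT rule to masqueradeIP added that takes priority over DNAT to clusterIP; in shared gateway mode NodePort traffic must not be redirected to the masqueradeIP.` The "function description" it refers to is outside this hunk and presumably still describes case1 without the mode distinction, so it likely needs the same note. The gate is an equality test against GatewayModeLocal, so every mode other than Local now takes the skip path, which is fine if Local and Shared are the only modes that reach this code but otherwise deserves an explicit shared-mode check so the code matches the intent in the commit title. The skip-SNAT RETURN rule on the following line is still emitted in both modes, which the updated test expectations for OVN-KUBE-SNAT-MGMTPORT suggest is intended. getGatewayIPTRules starts and ends outside this hunk.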
@@ -1155,7 +1155,6 @@ var _ = Describe("Node Operations", func() {
 "OVN-KUBE-ETP": []string{
 fmt.Sprintf("-p %s -d %s --dport %v -j DNAT --to-destination %s:%v", service.Spec.Ports[0].Protocol, service.Status.LoadBalancer.Ingress[0].IP, service.Spec.Ports[0].Port, types.V4HostETPLocalMasqueradeIP, service.Spec.Ports[0].NodePort),
 fmt.Sprintf("-p %s -d %s --dport %v -j DNAT --to-destination %s:%v", service.Spec.Ports[0].Protocol, externalIP, service.Spec.Ports[0].Port, types.V4HostETPLocalMasqueradeIP, service.Spec.Ports[0].NodePort),
- fmt.Sprintf("-p %s -m addrtype --dst-type LOCAL --dport %v -j DNAT --to-destination %s:%v", service.Spec.Ports[0].Protocol, service.Spec.Ports[0].NodePort, types.V4HostETPLocalMasqueradeIP, service.Spec.Ports[0].NodePort),
 },
 "OVN-KUBE-ITP": []string{},
 "OVN-KUBE-EGRESS-SVC": []string{"-m mark --mark 0x3f0 -m comment --comment Do not SNAT to SVC VIP -j RETURN"},
@@ -2116,9 +2115,7 @@ var _ = Describe("Node Operations", func() {
 "OVN-KUBE-SNAT-MGMTPORT": []string{
 fmt.Sprintf("-p TCP --dport %v -j RETURN", service.Spec.Ports[0].NodePort),
 },
- "OVN-KUBE-ETP": []string{
- fmt.Sprintf("-p %s -m addrtype --dst-type LOCAL --dport %v -j DNAT --to-destination %s:%v", service.Spec.Ports[0].Protocol, service.Spec.Ports[0].NodePort, types.V4HostETPLocalMasqueradeIP, service.Spec.Ports[0].NodePort),
- },
+ "OVN-KUBE-ETP": []string{},
 "OVN-KUBE-ITP": []string{},
 "OVN-KUBE-EGRESS-SVC": []string{"-m mark --mark 0x3f0 -m comment --comment Do not SNAT to SVC VIP -j RETURN"},
 },
@@ -2405,10 +2402,8 @@ var _ = Describe("Node Operations", func() {
 "OVN-KUBE-SNAT-MGMTPORT": []string{
 fmt.Sprintf("-p TCP --dport %v -j RETURN", service.Spec.Ports[0].NodePort),
 },
- "OVN-KUBE-ITP": []string{},
- "OVN-KUBE-ETP": []string{
- fmt.Sprintf("-p %s -m addrtype --dst-type LOCAL --dport %v -j DNAT --to-destination %s:%v", service.Spec.Ports[0].Protocol, service.Spec.Ports[0].NodePort, types.V4HostETPLocalMasqueradeIP, service.Spec.Ports[0].NodePort),
- },
+ "OVN-KUBE-ITP": []string{},
+ "OVN-KUBE-ETP": []string{},
 "OVN-KUBE-EGRESS-SVC": []string{"-m mark --mark 0x3f0 -m comment --comment Do not SNAT to SVC VIP -j RETURN"},
 },
 "filter": {},
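Review bot: All three test hunks only delete the expected `-m addrtype --dst-type LOCAL --dport %v -j DNAT --to-destination <masqueradeIP>:%v` rule from OVN-KUBE-ETP, so nothing in this diff asserts that the rule is still generated when `config.Gateway.Mode == config.GatewayModeLocal`. If no other case in this file runs with local gateway mode and an ETP=Local NodePort service without a host-network endpoint, add one that expects the addrtype DNAT rule, otherwise an inverted or dropped mode condition in gateway_iptables.go would pass these tests unnoticed. The enclosing Describe block starts and ends outside these hunks.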