Use masquerade default gateway when no default gw is found #4122

Merged: 1 commit, Mar 5, 2024

15 changes: 12 additions & 3 deletions go-controller/pkg/node/gateway_init.go
Expand Up @@ -184,10 +184,19 @@ func getGatewayNextHops() ([]net.IP, string, error) {
}
gatewayIntf = defaultGatewayIntf
} else {
if gatewayIntf != defaultGatewayIntf {
trozet marked this conversation as resolved.
Member


too many if's and else's for my taste :) but we can clean up the code later. I see value in printing different warnings; it will help us debug better in the future.

// Mismatch between configured interface and actual default gateway interface detected
klog.Warningf("Found default gateway interface: %q does not match provided interface from config: %q", defaultGatewayIntf, gatewayIntf)
} else if len(defaultGatewayNextHops) == 0 {
// Gateway interface found, but no next hops identified in a default route
klog.Warning("No default route identified in the host. Egress features may not function correctly! " +
"Egress Pod traffic in shared gateway mode may not function correctly!")
}

if gatewayIntf != defaultGatewayIntf || len(defaultGatewayNextHops) == 0 {
if config.Gateway.Mode == config.GatewayModeLocal && config.Gateway.AllowNoUplink {
// For local gw, if not default gateway is available or the provide gateway interface is not the host gateway interface
// use nexthop masquerade IP as GR default gw to steer traffic to the gateway bridge
if config.Gateway.Mode == config.GatewayModeLocal {
// For local gw, if there is no valid gateway interface found, or no valid nexthops, then
// use nexthop masquerade IP as GR default gw to steer traffic to the gateway bridge, and then the host for routing
Member


self-note: so what happens is:

  1. host->kapi clusterIP
  2. sent to br-ex and then to OVN via GR using service routes on host
  3. GR DNATs to secondary network backend pod IPs
  4. no default route on GR so we drop
    This change makes the masqueradeIP be the default route so
  5. Traffic instead of dropping comes back to host
  6. then host routes and iptable masquerade takes this to the secondary nic

thanks @trozet for the nice PR description which made it easy to understand.

Contributor Author


right!

if needIPv4NextHop {
nexthop := config.Gateway.MasqueradeIPs.V4DummyNextHopMasqueradeIP
gatewayNextHops = append(gatewayNextHops, nexthop)
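Review bot: in the `else` branch of `getGatewayNextHops()`, the fallback to `V4DummyNextHopMasqueradeIP` is guarded only by `config.Gateway.Mode == config.GatewayModeLocal`, without the `config.Gateway.AllowNoUplink` opt-in that the older condition carried, and the visible lines log nothing at the point where the fallback is actually taken. Both warnings are emitted before the mode check, and the `len(defaultGatewayNextHops) == 0` warning mentions shared gateway mode even when the node is in local mode and is about to use the masquerade next hop, which will mislead whoever reads the log during an egress investigation. Suggest adding a log line inside the `GatewayModeLocal` block that states the masquerade next hop is being used as the GR default gateway and that egress then follows host routing, keeping the "may not function correctly" wording for the path where no fallback applies, and documenting that an interface mismatch (`gatewayIntf != defaultGatewayIntf`) now triggers the fallback without `AllowNoUplink`. The pair of conditions is also evaluated twice (once for the warnings, once in the combined `||` check); computing them once into named booleans would make the branch easier to audit.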
1 change: 0 additions & 1 deletion go-controller/pkg/node/gateway_init_linux_test.go
Expand Up @@ -1857,7 +1857,6 @@ var _ = Describe("Gateway unit tests", func() {
gwIPs := []net.IP{config.Gateway.MasqueradeIPs.V4DummyNextHopMasqueradeIP}
config.Gateway.Interface = dummyBridgeName
config.Gateway.Mode = config.GatewayModeLocal
config.Gateway.AllowNoUplink = true
Member


self-note: there is another UT testing with allowNoUplink to true so we do have coverage.


gatewayNextHops, gatewayIntf, err := getGatewayNextHops()
Expect(err).NotTo(HaveOccurred())
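Review bot: with `config.Gateway.AllowNoUplink = true` deleted from this test setup, the case depends on whatever value the package-level `config.Gateway` holds when it runs, since the neighbouring lines assign `config.Gateway.Interface` and `config.Gateway.Mode` on the same shared struct. Suggest setting `config.Gateway.AllowNoUplink = false` explicitly instead of dropping the line, so the test asserts that the masquerade next hop in `gwIPs` is returned in local gateway mode without the opt-in, and adding a short comment saying that this is the behaviour under test.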