Merge pull request #1089 from bloomberg/add_nat_outgoing

Support for supplying NATOutgoingAddress to Felix
projectcalico · Jun 5, 2019 · 7cda6d7 · 7cda6d7
2 parents 9aa8be7 + aab15a2
commit 7cda6d7
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 0 deletions.
diff --git a/lib/apis/v3/felixconfig.go b/lib/apis/v3/felixconfig.go
@@ -220,6 +220,11 @@ type FelixConfigurationSpec struct {
 	// network stack is used.
 	NATPortRange *numorstring.Port `json:"natPortRange,omitempty"`
 
+	// NATOutgoingAddress specifies an address to use when performing source NAT for traffic in a natOutgoing pool that
+	// is leaving the network. By default the address used is an address on the interface the traffic is leaving on
+	// (ie it uses the iptables MASQUERADE target)
+	NATOutgoingAddress string `json:"NATOutgoingAddress,omitempty"`
+
 	// ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes which may source tunnel traffic and have
 	// the tunneled traffic be accepted at calico nodes.
 	ExternalNodesCIDRList *[]string `json:"externalNodesList,omitempty"`

diff --git a/lib/validator/v3/validator.go b/lib/validator/v3/validator.go
@@ -575,6 +575,14 @@ func validateFelixConfigSpec(structLevel validator.StructLevel) {
 				"OpenstackRegion", "", reason("must be a valid DNS label"), "")
 		}
 	}
+
+	if c.NATOutgoingAddress != "" {
+		parsedAddress := cnet.ParseIP(c.NATOutgoingAddress)
+		if parsedAddress == nil || parsedAddress.Version() != 4 {
+			structLevel.ReportError(reflect.ValueOf(c.NATOutgoingAddress),
+				"NATOutgoingAddress", "", reason("is not a valid IP address"), "")
+		}
+	}
 }
 
 func validateWorkloadEndpointSpec(structLevel validator.StructLevel) {

diff --git a/lib/validator/v3/validator_test.go b/lib/validator/v3/validator_test.go
@@ -1733,6 +1733,18 @@ func init() {
 			&api.HTTPMatch{Methods: []string{"GET", "GET", "Foo"}},
 			false,
 		),
+		Entry("should not accept an invalid IP address",
+			api.FelixConfigurationSpec{NATOutgoingAddress: bad_ipv4_1}, false,
+		),
+		Entry("should not accept a masked IP",
+			api.FelixConfigurationSpec{NATOutgoingAddress: netv4_1}, false,
+		),
+		Entry("should not accept an IPV6 address",
+			api.FelixConfigurationSpec{NATOutgoingAddress: ipv6_1}, false,
+		),
+		Entry("should accept a valid IP address",
+			api.FelixConfigurationSpec{NATOutgoingAddress: ipv4_1}, true,
+		),
 	)
 }