-
Notifications
You must be signed in to change notification settings - Fork 790
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
change source of ipmasq rule from ipn to ip #279
change source of ipmasq rule from ipn to ip #279
Conversation
@rosenhouse @squeed @dcbw PTAL, thx ~ |
ping @squeed @rosenhouse @dcbw , thx ~ |
Sorry to disturb, if you have time, please take a look and help reviews, thanks! @squeed @rosenhouse @dcbw |
oh neat, sorry for missing this |
Can you post the equivalent iptables chain after your change? I'm having trouble understanding the exact nature of the code change. |
Hey, I tried this and it errored out:
|
Sure, here is an example,
Just as above, you can see the ip-masquerade rule of each pod will use its own IP as source but not the whole subnet, this will make network packets from echo pod will only go through its own rule and chain but not the first ip-masquerade rule in POSTROUTING chain. |
I think this maybe because you add with old ptp plugin (-s subnet) and delete with new ptp plugin (-s ip). In this case, the masquerade chain can not be deleted because the rule of POSTROUTING is still using it. |
c1ebd27
to
7efec9e
Compare
I think CI has been broken by a bug on go-iptables, the IsNotExist function doesn't seem to be taking ip6tables into account. |
Oh, interesting. Could you file a PR (and test) for go-iptables, and I can merge it and do a release (I'm a maintainer there, too). |
It seems to work, thanks for your help! @squeed |
I'm still not getting how this change works. I see the code changes from printing I tried to recreate this, and it doesn't do what your example shows: https://play.golang.org/p/zm1Ko5PVIjX What am I missing? |
Actually, Here is my test,
|
Oh, the thing I was missing is that I generally use |
Yes, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ltgm
hi, @squeed , can you help to merge this? |
lgtm |
Hey @mars1024 this PR broke the bridge plugin for me. It looks like the bridge plugin wraps the ipnet in a call to plugins/plugins/main/bridge/bridge.go Line 520 in 0950a36
This results in the |
I created a ginkgo spec to reproduce it here: nickethier@7f9b184 The failure looks like: https://dl.nick.sh/screenshots/2019-05-24-23-25-56_1858x375.png I was able to get that test to pass with the this diff. It doesn't break any of the other tests and works for me when I build and use it. I'm not sure of the reasoning though of why the original author added it so I'm hesitate to call it a fix 😅
|
Thanks for your comments, @nickethier , I've done a local test as below
The results is
So I think the function Network is used to make a canonical CIDR for iptables, but it lose some information about the origin IP in IPNet at the same time. I think the reason for designing this function is the worry of iptables can only handle canonical CIDR like 192.168.0.0/24, but the truth is iptables can handle CIDR like 192.168.0.100/24 as I mentioned above #279 (comment) . So I think your fix is right, just pull it ~ |
Closes containernetworking#544 The above issue describes a situation where using the bridge plugin with IPv6 addresses prevented `DEL` from working correctly. `DEL` seems to be failing in the body of `TeardownIPMasq` This arises because: * twice delete postrouting rules: `ipn.String()` `ipn.IP.String()` containernetworking#279 * we are using a version of go-iptables which is bugged for v6 PR github.com/coreos/go-iptables/pull/74 describes why this does not work. The error message is not being checked correctly. Using a later version of go-iptables means that * when the second `ipt.Delete` fails (this is okay) * we will correctly interpret this as an non-fatal error * `TeardownIPMasq` will not prematurely exit the method * `ipt.ClearChain` now can run * `ipt.DeleteChain` now can run This explains why this was working for v4 but not v6 Signed-off-by: toby lorne <toby@toby.codes>
Closes containernetworking#544 The above issue describes a situation where using the bridge plugin with IPv6 addresses prevented `DEL` from working correctly. `DEL` seems to be failing in the body of `TeardownIPMasq` This arises because: * twice delete postrouting rules: `ipn.String()` `ipn.IP.String()` containernetworking#279 * we are using a version of go-iptables which is bugged for v6 PR github.com/coreos/go-iptables/pull/74 describes why this does not work. The error message is not being checked correctly. Using a later version of go-iptables means that * when the second `ipt.Delete` fails (this is okay) * we will correctly interpret this as an non-fatal error * `TeardownIPMasq` will not prematurely exit the method * `ipt.ClearChain` now can run * `ipt.DeleteChain` now can run This explains why this was working for v4 but not v6 This commit was amended to include v0.5.0 instead of a pseudo-version v0.4.6-0.20200318170312-12696f5c9108 Signed-off-by: toby lorne <toby@toby.codes>
ptp plugin : change source of ipmasq rule from ipn to ip
The old ipmasq rule's source is the whole subnet, this will cause all pods on the host will always hit the first masq chain. I think this may be confused.
The POSTROUTING chain of table nat is as follows,
We can see that only the first masq chain is hit, and the other chains have never been hit so their pkts and bytes are 0. So I change the source of ipmasq rule from subnet to ip to make each pod to go through its own masq CHAIN.