diff --git a/pkg/agent/iptables.go b/pkg/agent/iptables.go index 968b547..bbf9233 100644 --- a/pkg/agent/iptables.go +++ b/pkg/agent/iptables.go @@ -73,8 +73,8 @@ func (m *Manager) ensureIPTablesRules() error { subnetsIP4, subnetsIP6 := classifySubnets(current.Subnets) if !areSubnetsEqual(current.Subnets, m.lastSubnets) { - m.ipt = iptables.NewApplierCleaner(iptables.ProtocolIPv4, jumpChains, buildRuleData(IPSetFabEdgePeerCIDR, subnetsIP4)) - m.ipt6 = iptables.NewApplierCleaner(iptables.ProtocolIPv6, jumpChains, buildRuleData(IPSetFabEdgePeerCIDR6, subnetsIP6)) + m.ipt = iptables.NewApplierCleaner(iptables.ProtocolIPv4, jumpChains, buildRuleData(ipset.RemoteCIDR, subnetsIP4)) + m.ipt6 = iptables.NewApplierCleaner(iptables.ProtocolIPv6, jumpChains, buildRuleData(ipset.RemoteCIDR6, subnetsIP6)) m.lastSubnets = current.Subnets } @@ -84,8 +84,8 @@ func (m *Manager) ensureIPTablesRules() error { peerIPSet sets.String ipt iptables.ApplierCleaner }{ - {IPSetFabEdgePeerCIDR, ipset.ProtocolFamilyIPV4, peerIPSet4, m.ipt}, - {IPSetFabEdgePeerCIDR6, ipset.ProtocolFamilyIPV6, peerIPSet6, m.ipt6}, + {ipset.RemoteCIDR, ipset.ProtocolFamilyIPV4, peerIPSet4, m.ipt}, + {ipset.RemoteCIDR6, ipset.ProtocolFamilyIPV6, peerIPSet6, m.ipt6}, } var errors []error diff --git a/pkg/agent/manager.go b/pkg/agent/manager.go index 1852e2e..07e39a5 100644 --- a/pkg/agent/manager.go +++ b/pkg/agent/manager.go @@ -36,11 +36,6 @@ import ( "github.com/fabedge/fabedge/third_party/ipvs" ) -const ( - IPSetFabEdgePeerCIDR = "FABEDGE-PEER-CIDR" - IPSetFabEdgePeerCIDR6 = "FABEDGE-PEER-CIDR6" -) - type Manager struct { Config diff --git a/pkg/cloud-agent/iptables.go b/pkg/cloud-agent/iptables.go index e5d1d1f..0175152 100644 --- a/pkg/cloud-agent/iptables.go +++ b/pkg/cloud-agent/iptables.go @@ -16,19 +16,22 @@ package cloud_agent import ( "bytes" + "text/template" + + "k8s.io/apimachinery/pkg/util/sets" + "github.com/fabedge/fabedge/pkg/util/ipset" ipsetutil "github.com/fabedge/fabedge/pkg/util/ipset" "github.com/fabedge/fabedge/pkg/util/iptables" - "k8s.io/apimachinery/pkg/util/sets" - "text/template" ) type IptablesHandler struct { - ipset ipsetutil.Interface ipsetName string hashFamily string - helper iptables.ApplierCleaner - rulesData []byte + ipset ipsetutil.Interface + + helper iptables.ApplierCleaner + rulesData []byte } func newIptableHandler() (*IptablesHandler, error) { @@ -40,7 +43,7 @@ func newIptableHandler() (*IptablesHandler, error) { return &IptablesHandler{ ipset: ipsetutil.New(), - ipsetName: ipset.IPSetRemotePodCIDR, + ipsetName: ipset.RemotePodCIDR, hashFamily: ipsetutil.ProtocolFamilyIPV4, helper: iptables.NewApplierCleaner(iptables.ProtocolIPv4, jumpChains, rulesData.Bytes()), rulesData: rulesData.Bytes(), @@ -56,7 +59,7 @@ func newIp6tableHandler() (*IptablesHandler, error) { return &IptablesHandler{ ipset: ipsetutil.New(), - ipsetName: ipset.IPSetRemotePodCIDR6, + ipsetName: ipset.RemotePodCIDR6, hashFamily: ipsetutil.ProtocolFamilyIPV6, helper: iptables.NewApplierCleaner(iptables.ProtocolIPv6, jumpChains, rulesData.Bytes()), rulesData: rulesData.Bytes(), @@ -88,7 +91,7 @@ var jumpChains = []iptables.JumpChain{ } func (h IptablesHandler) maintainRules(remotePodCIDRs []string) { - if err := h.syncRemotePodCIDRSet(remotePodCIDRs); err != nil { + if err := h.ensureIPSet(remotePodCIDRs); err != nil { logger.Error(err, "failed to sync ipset", "setName", h.ipsetName, "remotePodCIDRs", remotePodCIDRs) } else { logger.V(5).Info("ipset is synced", "setName", h.ipsetName, "remotePodCIDRs", remotePodCIDRs) @@ -101,7 +104,7 @@ func (h IptablesHandler) maintainRules(remotePodCIDRs []string) { } } -func (h IptablesHandler) syncRemotePodCIDRSet(remotePodCIDRs []string) error { +func (h IptablesHandler) ensureIPSet(remotePodCIDRs []string) error { set := &ipsetutil.IPSet{ Name: h.ipsetName, HashFamily: h.hashFamily, diff --git a/pkg/connector/iptables.go b/pkg/connector/iptables.go index 2aa5c9d..9571c08 100644 --- a/pkg/connector/iptables.go +++ b/pkg/connector/iptables.go @@ -38,19 +38,19 @@ var tmpl = template.Must(template.New("iptables").Parse(` -A FABEDGE-INPUT -p ah -j ACCEPT -A FABEDGE-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A FABEDGE-FORWARD -m set --match-set {{ .CloudPodCIDR }} src -j ACCEPT --A FABEDGE-FORWARD -m set --match-set {{ .CloudPodCIDR }} dst -j ACCEPT --A FABEDGE-FORWARD -m set --match-set {{ .CloudNodeCIDR }} src -j ACCEPT --A FABEDGE-FORWARD -m set --match-set {{ .CloudNodeCIDR }} dst -j ACCEPT +-A FABEDGE-FORWARD -m set --match-set {{ .LocalPodCIDR }} src -j ACCEPT +-A FABEDGE-FORWARD -m set --match-set {{ .LocalPodCIDR }} dst -j ACCEPT +-A FABEDGE-FORWARD -m set --match-set {{ .LocalNodeCIDR }} src -j ACCEPT +-A FABEDGE-FORWARD -m set --match-set {{ .LocalNodeCIDR }} dst -j ACCEPT COMMIT *nat :FABEDGE-POSTROUTING - [0:0] --A FABEDGE-POSTROUTING -m set --match-set {{ .CloudPodCIDR }} src -m set --match-set {{ .EdgePodCIDR}} dst -j ACCEPT --A FABEDGE-POSTROUTING -m set --match-set {{ .EdgePodCIDR }} src -m set --match-set {{ .CloudPodCIDR }} dst -j ACCEPT --A FABEDGE-POSTROUTING -m set --match-set {{ .CloudPodCIDR }} src -m set --match-set {{ .EdgeNodeCIDR }} dst -j ACCEPT --A FABEDGE-POSTROUTING -m set --match-set {{ .EdgePodCIDR }} src -m set --match-set {{ .CloudNodeCIDR }} dst -j MASQUERADE --A FABEDGE-POSTROUTING -m set --match-set {{ .EdgeNodeCIDR }} src -m set --match-set {{ .CloudPodCIDR}} dst -j MASQUERADE +-A FABEDGE-POSTROUTING -m set --match-set {{ .LocalPodCIDR }} src -m set --match-set {{ .RemotePodCIDR}} dst -j ACCEPT +-A FABEDGE-POSTROUTING -m set --match-set {{ .RemotePodCIDR }} src -m set --match-set {{ .LocalPodCIDR }} dst -j ACCEPT +-A FABEDGE-POSTROUTING -m set --match-set {{ .LocalPodCIDR }} src -m set --match-set {{ .RemoteNodeCIDR }} dst -j ACCEPT +-A FABEDGE-POSTROUTING -m set --match-set {{ .RemotePodCIDR }} src -m set --match-set {{ .LocalNodeCIDR }} dst -j MASQUERADE +-A FABEDGE-POSTROUTING -m set --match-set {{ .RemoteNodeCIDR }} src -m set --match-set {{ .LocalPodCIDR}} dst -j MASQUERADE COMMIT `)) @@ -125,19 +125,19 @@ func (h *IPTablesHandler) setIPSetEntrySet(edgePodCIDRSet, edgeNodeCIDRSet, clou h.specs = []IPSetSpec{ { - Name: h.names.EdgePodCIDR, + Name: h.names.RemotePodCIDR, EntrySet: edgePodCIDRSet, }, { - Name: h.names.EdgeNodeCIDR, + Name: h.names.RemoteNodeCIDR, EntrySet: edgeNodeCIDRSet, }, { - Name: h.names.CloudPodCIDR, + Name: h.names.LocalPodCIDR, EntrySet: cloudPodCIDRSet, }, { - Name: h.names.CloudNodeCIDR, + Name: h.names.LocalNodeCIDR, EntrySet: cloudNodeCIDRSet, }, } @@ -179,7 +179,7 @@ func (h *IPTablesHandler) getEdgeNodeCIDRs() []string { h.lock.RUnlock() for _, spec := range specs { - if spec.Name == ipset.IPSetEdgeNodeCIDR { + if spec.Name == ipset.RemoteNodeCIDR { return spec.EntrySet.List() } } diff --git a/pkg/util/ipset/ipset.go b/pkg/util/ipset/ipset.go index a573b24..7db78ea 100644 --- a/pkg/util/ipset/ipset.go +++ b/pkg/util/ipset/ipset.go @@ -36,42 +36,44 @@ const ( ProtocolFamilyIPV6 = ipset.ProtocolFamilyIPV6 ) +// Remote refers to nodes or pods in different LANs, maybe even not in the same cluster, +// while Local refers to nodes or pods in the same LAN and the same cluster. const ( - IPSetEdgePodCIDR = "FABEDGE-EDGE-POD-CIDR" - IPSetEdgePodCIDR6 = "FABEDGE-EDGE-POD-CIDR6" - IPSetEdgeNodeCIDR = "FABEDGE-EDGE-NODE-CIDR" - IPSetEdgeNodeCIDR6 = "FABEDGE-EDGE-NODE-CIDR6" - IPSetCloudPodCIDR = "FABEDGE-CLOUD-POD-CIDR" - IPSetCloudPodCIDR6 = "FABEDGE-CLOUD-POD-CIDR6" - IPSetCloudNodeCIDR = "FABEDGE-CLOUD-NODE-CIDR" - IPSetCloudNodeCIDR6 = "FABEDGE-CLOUD-NODE-CIDR6" - IPSetRemotePodCIDR = "FABEDGE-REMOTE-POD-CIDR" - IPSetRemotePodCIDR6 = "FABEDGE-REMOTE-POD-CIDR6" + RemotePodCIDR = "FABEDGE-REMOTE-POD-CIDR" + RemotePodCIDR6 = "FABEDGE-REMOTE-POD-CIDR6" + RemoteNodeCIDR = "FABEDGE-REMOTE-NODE-CIDR" + RemoteNodeCIDR6 = "FABEDGE-REMOTE-NODE-CIDR6" + LocalPodCIDR = "FABEDGE-LOCAL-POD-CIDR" + LocalPodCIDR6 = "FABEDGE-LOCAL-POD-CIDR6" + LocalNodeCIDR = "FABEDGE-LOCAL-NODE-CIDR" + LocalNodeCIDR6 = "FABEDGE-LOCAL-NODE-CIDR6" + RemoteCIDR = "FABEDGE-REMOTE-CIDR" + RemoteCIDR6 = "FABEDGE-REMOTE-CIDR6" ) type IPSetNames struct { - EdgePodCIDR string - EdgeNodeCIDR string - CloudPodCIDR string - CloudNodeCIDR string - RemotePodCIDR string + RemotePodCIDR string + RemoteNodeCIDR string + LocalPodCIDR string + LocalNodeCIDR string + RemoteCIDR string } var ( Names4 = IPSetNames{ - EdgeNodeCIDR: IPSetEdgeNodeCIDR, - EdgePodCIDR: IPSetEdgePodCIDR, - CloudPodCIDR: IPSetCloudPodCIDR, - CloudNodeCIDR: IPSetCloudNodeCIDR, - RemotePodCIDR: IPSetRemotePodCIDR, + RemoteNodeCIDR: RemoteNodeCIDR, + RemotePodCIDR: RemotePodCIDR, + LocalPodCIDR: LocalPodCIDR, + LocalNodeCIDR: LocalNodeCIDR, + RemoteCIDR: RemoteCIDR, } Names6 = IPSetNames{ - EdgeNodeCIDR: IPSetEdgeNodeCIDR6, - EdgePodCIDR: IPSetEdgePodCIDR6, - CloudPodCIDR: IPSetCloudPodCIDR6, - CloudNodeCIDR: IPSetCloudNodeCIDR6, - RemotePodCIDR: IPSetRemotePodCIDR6, + RemoteNodeCIDR: RemoteNodeCIDR6, + RemotePodCIDR: RemotePodCIDR6, + LocalPodCIDR: LocalPodCIDR6, + LocalNodeCIDR: LocalNodeCIDR6, + RemoteCIDR: RemoteCIDR6, } )