Merge pull request #697 from Cydox/no-default-gateway

add no_default_gateway option
containers · May 22, 2023 · bd41190 · bd41190
2 parents 09e0529 + e0ae9bc
commit bd41190
Show file tree

Hide file tree

Showing 10 changed files with 62 additions and 52 deletions.
diff --git a/src/network/bridge.rs b/src/network/bridge.rs
@@ -16,7 +16,10 @@ use crate::{
 };
 
 use super::{
-    constants::{NO_CONTAINER_INTERFACE_ERROR, OPTION_ISOLATE, OPTION_METRIC, OPTION_MTU},
+    constants::{
+        NO_CONTAINER_INTERFACE_ERROR, OPTION_ISOLATE, OPTION_METRIC, OPTION_MTU,
+        OPTION_NO_DEFAULT_ROUTE,
+    },
     core_utils::{self, get_ipam_addresses, join_netns, parse_option, CoreUtils},
     driver::{self, DriverInfo},
     internal_types::{
@@ -43,6 +46,8 @@ struct InternalData {
     isolate: bool,
     /// Route metric for any default routes added for the network
     metric: Option<u32>,
+    /// if set, no default gateway will be added
+    no_default_route: bool,
     // TODO: add vlan
 }
 
@@ -72,6 +77,8 @@ impl driver::NetworkDriver for Bridge<'_> {
         let mtu: u32 = parse_option(&self.info.network.options, OPTION_MTU, 0)?;
         let isolate: bool = parse_option(&self.info.network.options, OPTION_ISOLATE, false)?;
         let metric: u32 = parse_option(&self.info.network.options, OPTION_METRIC, 100)?;
+        let no_default_route: bool =
+            parse_option(&self.info.network.options, OPTION_NO_DEFAULT_ROUTE, false)?;
 
         let static_mac = match &self.info.per_network_opts.static_mac {
             Some(mac) => Some(CoreUtils::decode_address_from_hex(mac)?),
@@ -86,6 +93,7 @@ impl driver::NetworkDriver for Bridge<'_> {
             mtu,
             isolate,
             metric: Some(metric),
+            no_default_route,
         });
         Ok(())
     }
@@ -633,7 +641,7 @@ fn create_veth_pair(
         .set_up(netlink::LinkID::ID(veth.header.index))
         .wrap("set container veth up")?;
 
-    if !internal {
+    if !internal && !data.no_default_route {
         core_utils::add_default_routes(netns, &data.ipam.gateway_addresses, data.metric)?;
     }
 

diff --git a/src/network/constants.rs b/src/network/constants.rs
@@ -16,6 +16,7 @@ pub const OPTION_ISOLATE: &str = "isolate";
 pub const OPTION_MTU: &str = "mtu";
 pub const OPTION_MODE: &str = "mode";
 pub const OPTION_METRIC: &str = "metric";
+pub const OPTION_NO_DEFAULT_ROUTE: &str = "no_default_route";
 
 /// 100 is the default metric for most Linux networking tools.
 pub const DEFAULT_METRIC: u32 = 100;

diff --git a/src/network/vlan.rs b/src/network/vlan.rs
@@ -13,7 +13,10 @@ use crate::{
 };
 
 use super::{
-    constants::{NO_CONTAINER_INTERFACE_ERROR, OPTION_METRIC, OPTION_MODE, OPTION_MTU},
+    constants::{
+        NO_CONTAINER_INTERFACE_ERROR, OPTION_METRIC, OPTION_MODE, OPTION_MTU,
+        OPTION_NO_DEFAULT_ROUTE,
+    },
     core_utils::{self, get_ipam_addresses, parse_option, CoreUtils},
     driver::{self, DriverInfo},
     internal_types::IPAMAddresses,
@@ -56,6 +59,8 @@ struct InternalData {
     metric: Option<u32>,
     /// kind-specific data
     kind: KindData,
+    /// if set, no default gateway will be added
+    no_default_route: bool,
     // TODO: add vlan
 }
 
@@ -89,6 +94,8 @@ impl driver::NetworkDriver for Vlan<'_> {
 
         let mtu = parse_option(&self.info.network.options, OPTION_MTU, 0)?;
         let metric = parse_option(&self.info.network.options, OPTION_METRIC, 100)?;
+        let no_default_route: bool =
+            parse_option(&self.info.network.options, OPTION_NO_DEFAULT_ROUTE, false)?;
 
         // Remove gateways when marked as internal network
         if self.info.network.internal {
@@ -124,6 +131,7 @@ impl driver::NetworkDriver for Vlan<'_> {
                     )))
                 }
             },
+            no_default_route,
         });
         Ok(())
     }
@@ -343,7 +351,9 @@ fn setup(
         .set_up(netlink::LinkID::ID(dev.header.index))
         .wrap(format!("set {} up", kind_data))?;
 
-    core_utils::add_default_routes(netns, &data.ipam.gateway_addresses, data.metric)?;
+    if !data.no_default_route {
+        core_utils::add_default_routes(netns, &data.ipam.gateway_addresses, data.metric)?;
+    }
 
     // add static routes
     for route in data.ipam.routes.iter() {

diff --git a/test/100-bridge-iptables.bats b/test/100-bridge-iptables.bats
@@ -133,16 +133,16 @@ fw_driver=iptables
     assert "$output" "!~" "10.92.0.0/24 via 10.91.0.1" "static route not removed"
 }
 
-@test "$fw_driver - bridge with no default gateway" {
-    run_netavark --file ${TESTSDIR}/testfiles/bridge-nogateway.json setup $(get_container_netns_path)
+@test "$fw_driver - bridge with no default route" {
+    run_netavark --file ${TESTSDIR}/testfiles/bridge-nodefaultroute.json setup $(get_container_netns_path)
 
     run_in_container_netns ip r
-    assert "$output" "!~" "default" "default gateway exists"
+    assert "$output" "!~" "default" "default route exists"
 
     run_in_container_netns ip -6 r
-    assert "$output" "!~" "default" "default gateway exists"
+    assert "$output" "!~" "default" "default route exists"
 
-    run_netavark --file ${TESTSDIR}/testfiles/bridge-nogateway.json teardown $(get_container_netns_path)
+    run_netavark --file ${TESTSDIR}/testfiles/bridge-nodefaultroute.json teardown $(get_container_netns_path)
     assert "" "no errors"
 }
 

diff --git a/test/200-bridge-firewalld.bats b/test/200-bridge-firewalld.bats
@@ -114,16 +114,16 @@ function teardown() {
     assert "$output" "!~" "10.92.0.0/24 via 10.91.0.1" "static route not removed"
 }
 
-@test "$fw_driver - bridge with no default gateway" {
-    run_netavark --file ${TESTSDIR}/testfiles/bridge-nogateway.json setup $(get_container_netns_path)
+@test "$fw_driver - bridge with no default route" {
+    run_netavark --file ${TESTSDIR}/testfiles/bridge-nodefaultroute.json setup $(get_container_netns_path)
 
     run_in_container_netns ip r
-    assert "$output" "!~" "default" "default gateway exists"
+    assert "$output" "!~" "default" "default route exists"
 
     run_in_container_netns ip -6 r
-    assert "$output" "!~" "default" "default gateway exists"
+    assert "$output" "!~" "default" "default route exists"
 
-    run_netavark --file ${TESTSDIR}/testfiles/bridge-nogateway.json teardown $(get_container_netns_path)
+    run_netavark --file ${TESTSDIR}/testfiles/bridge-nodefaultroute.json teardown $(get_container_netns_path)
     assert "" "no errors"
 }
 

diff --git a/test/300-macvlan.bats b/test/300-macvlan.bats
@@ -71,16 +71,16 @@ function setup() {
     run_in_container_netns ip link delete dummy0
 }
 
-@test "macvlan setup no default gateway" {
-    run_netavark --file ${TESTSDIR}/testfiles/macvlan-nogateway.json setup $(get_container_netns_path)
+@test "macvlan setup no default route" {
+    run_netavark --file ${TESTSDIR}/testfiles/macvlan-nodefaultroute.json setup $(get_container_netns_path)
 
     run_in_container_netns ip r
-    assert "$output" "!~" "default" "default gateway exists"
+    assert "$output" "!~" "default" "default route exists"
 
     run_in_container_netns ip -6 r
-    assert "$output" "!~" "default" "default gateway exists"
+    assert "$output" "!~" "default" "default route exists"
 
-    run_netavark --file ${TESTSDIR}/testfiles/macvlan-nogateway.json teardown $(get_container_netns_path)
+    run_netavark --file ${TESTSDIR}/testfiles/macvlan-nodefaultroute.json teardown $(get_container_netns_path)
     assert "" "no errors"
 }
 

diff --git a/test/400-ipvlan.bats b/test/400-ipvlan.bats
@@ -71,16 +71,16 @@ function setup() {
     run_in_container_netns ip link delete dummy0
 }
 
-@test "ipvlan setup with no default gateway" {
-    run_netavark --file ${TESTSDIR}/testfiles/ipvlan-nogateway.json setup $(get_container_netns_path)
+@test "ipvlan setup no default route" {
+    run_netavark --file ${TESTSDIR}/testfiles/ipvlan-nodefaultroute.json setup $(get_container_netns_path)
 
     run_in_container_netns ip r
-    assert "$output" "!~" "default" "default gateway exists"
+    assert "$output" "!~" "default" "default route exists"
 
     run_in_container_netns ip -6 r
-    assert "$output" "!~" "default" "default gateway exists"
+    assert "$output" "!~" "default" "default route exists"
 
-    run_netavark --file ${TESTSDIR}/testfiles/ipvlan-nogateway.json teardown $(get_container_netns_path)
+    run_netavark --file ${TESTSDIR}/testfiles/ipvlan-nodefaultroute.json teardown $(get_container_netns_path)
     assert "" "no errors"
 }
 

diff --git a/test/testfiles/bridge-nogateway.json → test/testfiles/bridge-nodefaultroute.json b/test/testfiles/bridge-nogateway.json → test/testfiles/bridge-nodefaultroute.json
@@ -5,8 +5,7 @@
         "podman": {
             "interface_name": "eth0",
             "static_ips": [
-                "10.88.0.2",
-                "fd:1f1f::2"
+                "10.88.0.2"
             ]
         }
     },
@@ -16,19 +15,17 @@
             "driver": "bridge",
             "id": "53ce4390f2adb1681eb1a90ec8b48c49c015e0a8d336c197637e7f65e365fa9e",
             "internal": false,
-            "ipv6_enabled": true,
+            "ipv6_enabled": false,
             "name": "podman",
             "network_interface": "podman0",
             "subnets": [
                 {
-                    "subnet": "10.88.0.0/24"
-                },
-                {
-                    "subnet": "fd:1f1f::/64"
+                    "gateway": "10.88.0.1",
+                    "subnet": "10.88.0.0/16"
                 }
             ],
             "options": {
-                "no_auto_gateway": "1"
+                "no_default_route": "true"
             }
         }
     }

diff --git a/test/testfiles/ipvlan-nogateway.json → test/testfiles/ipvlan-nodefaultroute.json b/test/testfiles/ipvlan-nogateway.json → test/testfiles/ipvlan-nodefaultroute.json
@@ -4,8 +4,7 @@
     "networks": {
        "podman": {
           "static_ips": [
-             "10.88.0.2",
-             "fd:1f1f::2"
+             "10.88.0.2"
           ],
           "interface_name": "eth0"
        }
@@ -18,20 +17,18 @@
           "network_interface": "dummy0",
           "subnets": [
              {
-                "subnet": "10.88.0.0/16"
-             },
-             {
-               "subnet": "fd:1f1f::/64"
+                "subnet": "10.88.0.0/16",
+                "gateway": "10.88.0.1"
              }
           ],
-          "options": {
-            "no_auto_gateway": "1"
-          },
-          "ipv6_enabled": true,
+          "ipv6_enabled": false,
           "internal": false,
           "dns_enabled": true,
           "ipam_options": {
              "driver": "host-local"
+          },
+          "options": {
+            "no_default_route": "true"
           }
        }
     }

diff --git a/test/testfiles/macvlan-nogateway.json → test/testfiles/macvlan-nodefaultroute.json b/test/testfiles/macvlan-nogateway.json → test/testfiles/macvlan-nodefaultroute.json
@@ -4,8 +4,7 @@
     "networks": {
        "podman": {
           "static_ips": [
-             "10.88.0.2",
-             "fd:1f1f::2"
+             "10.88.0.2"
           ],
           "interface_name": "eth0"
        }
@@ -18,20 +17,18 @@
           "network_interface": "dummy0",
           "subnets": [
              {
-                "subnet": "10.88.0.0/16"
-             },
-             {
-                "subnet": "fd:1f1f::/64"
+                "subnet": "10.88.0.0/16",
+                "gateway": "10.88.0.1"
              }
           ],
-          "options": {
-            "no_auto_gateway": "1"
-          },
-          "ipv6_enabled": true,
+          "ipv6_enabled": false,
           "internal": false,
           "dns_enabled": true,
           "ipam_options": {
              "driver": "host-local"
+          },
+          "options": {
+            "no_default_route": "true"
           }
        }
     }