
Commit 3227570

committed
cover adding iptables rules for dns in vnet scale cilium case
1 parent eaf9121 commit 3227570

1 file changed

+35
-0
lines changed


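--- a/cns/restserver/internalapi_linux.go
+++ b/cns/restserver/internalapi_linux.go
@@ -91,5 +91,40 @@ func (service *HTTPRestService) programSNATRules(req *cns.CreateNetworkContainer
 return types.FailedToRunIPTableCmd, "[Azure CNS] failed to insert SNAT IMDS rule : " + err.Error()
 }
 }
+
+// use any secondary ip + the nnc prefix length to get an iptables rule to allow dns traffic
+// this should be idempotent if req.IPConfiguration.IPSubnet.IPAddress is an ip in the nc's subnet
+for _, v := range req.SecondaryIPConfigs {
+// put the ip address in standard cidr form (where we zero out the parts that change the rule)
+_, podSubnet, _ := net.ParseCIDR(v.IPAddress + "/" + fmt.Sprintf("%d", req.IPConfiguration.IPSubnet.PrefixLength))
+
+snatUDPRuleExists, err := ipt.Exists(iptables.Nat, SWIFT, "-m", "addrtype", "!", "--dst-type", "local", "-s", podSubnet.String(), "-d", networkutils.AzureDNS, "-p", iptables.UDP, "--dport", strconv.Itoa(iptables.DNSPort), "-j", iptables.Snat, "--to", ncPrimaryIP.String())
+if err != nil {
+return types.UnexpectedError, fmt.Sprintf("[Azure CNS] Error. Failed to check for existence of pod SNAT UDP rule : %v", err)
+}
+if !snatUDPRuleExists {
+logger.Printf("[Azure CNS] Inserting pod SNAT UDP rule ...")
+err = ipt.Insert(iptables.Nat, SWIFT, 1, "-m", "addrtype", "!", "--dst-type", "local", "-s", podSubnet.String(), "-d", networkutils.AzureDNS, "-p", iptables.UDP, "--dport", strconv.Itoa(iptables.DNSPort), "-j", iptables.Snat, "--to", ncPrimaryIP.String())
+if err != nil {
+return types.FailedToRunIPTableCmd, "[Azure CNS] failed to insert pod SNAT UDP rule : " + err.Error()
+}
+}
+
+snatPodTCPRuleExists, err := ipt.Exists(iptables.Nat, SWIFT, "-m", "addrtype", "!", "--dst-type", "local", "-s", podSubnet.String(), "-d", networkutils.AzureDNS, "-p", iptables.TCP, "--dport", strconv.Itoa(iptables.DNSPort), "-j", iptables.Snat, "--to", ncPrimaryIP.String())
+if err != nil {
+return types.UnexpectedError, fmt.Sprintf("[Azure CNS] Error. Failed to check for existence of pod SNAT TCP rule : %v", err)
+}
+if !snatPodTCPRuleExists {
+logger.Printf("[Azure CNS] Inserting pod SNAT TCP rule ...")
+err = ipt.Insert(iptables.Nat, SWIFT, 1, "-m", "addrtype", "!", "--dst-type", "local", "-s", podSubnet.String(), "-d", networkutils.AzureDNS, "-p", iptables.TCP, "--dport", strconv.Itoa(iptables.DNSPort), "-j", iptables.Snat, "--to", ncPrimaryIP.String())
+if err != nil {
+return types.FailedToRunIPTableCmd, "[Azure CNS] failed to insert pod SNAT TCP rule : " + err.Error()
+}
+}
+
+// we only need to run this code once as the iptable rule applies to all secondary ip configs in the same subnet
+break
+}
+
 return types.Success, ""
 }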
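Review bot: The error from `net.ParseCIDR` at new line 99 is discarded, so a secondary IP or prefix length that does not parse leaves `podSubnet` nil and the code goes on to build a SNAT rule from `podSubnet.String()`, which for a nil `*net.IPNet` yields the literal text `<nil>` rather than a subnet; since this value comes straight from the request and ends up in a NAT rule, it should be validated rather than passed through. Change the two lines to `_, podSubnet, err := net.ParseCIDR(v.IPAddress + "/" + fmt.Sprintf("%d", req.IPConfiguration.IPSubnet.PrefixLength))` followed by `if err != nil { return types.UnexpectedError, fmt.Sprintf("[Azure CNS] Error. Failed to parse pod subnet from secondary ip %q : %v", v.IPAddress, err) }`, matching the existence-check error style used on lines 102-104. The UDP and TCP blocks (lines 101-111 and 113-123) differ only in the protocol argument and log text; a small loop over `[]string{iptables.UDP, iptables.TCP}` would halve the rule arguments that have to be kept in sync. The comment at line 96 ties idempotency to `req.IPConfiguration.IPSubnet.IPAddress`, but the rule is actually derived from whichever `SecondaryIPConfigs` entry is visited first, so the comment should say that the secondary IPs are assumed to share the NC subnet. programSNATRules starts before this hunk.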
