
Commit c7fd5d4

replace existing iptables rules
1 parent 8e28a4b commit c7fd5d4

1 file changed

+15
-38
lines changed

1 file changed

+15
-38
lines changed

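--- a/cns/restserver/internalapi_linux.go
+++ b/cns/restserver/internalapi_linux.go
@@ -56,46 +56,11 @@ func (service *HTTPRestService) programSNATRules(req *cns.CreateNetworkContainer
 }
 }
 
-snatUDPRuleexist, err := ipt.Exists(iptables.Nat, SWIFT, "-m", "addrtype", "!", "--dst-type", "local", "-s", ncIPNet.String(), "-d", networkutils.AzureDNS, "-p", iptables.UDP, "--dport", strconv.Itoa(iptables.DNSPort), "-j", iptables.Snat, "--to", ncPrimaryIP.String())
-if err != nil {
-return types.UnexpectedError, fmt.Sprintf("[Azure CNS] Error. Failed to check for existence of SNAT UDP rule : %v", err)
-}
-if !snatUDPRuleexist {
-logger.Printf("[Azure CNS] Inserting SNAT UDP rule ...")
-err = ipt.Insert(iptables.Nat, SWIFT, 1, "-m", "addrtype", "!", "--dst-type", "local", "-s", ncIPNet.String(), "-d", networkutils.AzureDNS, "-p", iptables.UDP, "--dport", strconv.Itoa(iptables.DNSPort), "-j", iptables.Snat, "--to", ncPrimaryIP.String())
-if err != nil {
-return types.FailedToRunIPTableCmd, "[Azure CNS] failed to inset SNAT UDP rule : " + err.Error()
-}
-}
-
-snatTCPRuleexist, err := ipt.Exists(iptables.Nat, SWIFT, "-m", "addrtype", "!", "--dst-type", "local", "-s", ncIPNet.String(), "-d", networkutils.AzureDNS, "-p", iptables.TCP, "--dport", strconv.Itoa(iptables.DNSPort), "-j", iptables.Snat, "--to", ncPrimaryIP.String())
-if err != nil {
-return types.UnexpectedError, fmt.Sprintf("[Azure CNS] Error. Failed to check for existence of SNAT TCP rule : %v", err)
-}
-if !snatTCPRuleexist {
-logger.Printf("[Azure CNS] Inserting SNAT TCP rule ...")
-err = ipt.Insert(iptables.Nat, SWIFT, 1, "-m", "addrtype", "!", "--dst-type", "local", "-s", ncIPNet.String(), "-d", networkutils.AzureDNS, "-p", iptables.TCP, "--dport", strconv.Itoa(iptables.DNSPort), "-j", iptables.Snat, "--to", ncPrimaryIP.String())
-if err != nil {
-return types.FailedToRunIPTableCmd, "[Azure CNS] failed to insert SNAT TCP rule : " + err.Error()
-}
-}
-
-snatIMDSRuleexist, err := ipt.Exists(iptables.Nat, SWIFT, "-m", "addrtype", "!", "--dst-type", "local", "-s", ncIPNet.String(), "-d", networkutils.AzureIMDS, "-p", iptables.TCP, "--dport", strconv.Itoa(iptables.HTTPPort), "-j", iptables.Snat, "--to", req.HostPrimaryIP)
-if err != nil {
-return types.UnexpectedError, fmt.Sprintf("[Azure CNS] Error. Failed to check for existence of SNAT IMDS rule : %v", err)
-}
-if !snatIMDSRuleexist {
-logger.Printf("[Azure CNS] Inserting SNAT IMDS rule ...")
-err = ipt.Insert(iptables.Nat, SWIFT, 1, "-m", "addrtype", "!", "--dst-type", "local", "-s", ncIPNet.String(), "-d", networkutils.AzureIMDS, "-p", iptables.TCP, "--dport", strconv.Itoa(iptables.HTTPPort), "-j", iptables.Snat, "--to", req.HostPrimaryIP)
-if err != nil {
-return types.FailedToRunIPTableCmd, "[Azure CNS] failed to insert SNAT IMDS rule : " + err.Error()
-}
-}
-
 // use any secondary ip + the nnc prefix length to get an iptables rule to allow dns traffic
-// this should be idempotent if req.IPConfiguration.IPSubnet.IPAddress is an ip in the nc's subnet
+// in podsubnet case, ncPrimaryIP is the pod subnet's primary ip
+// in vnet scale case, ncPrimaryIP is the node's ip
 for _, v := range req.SecondaryIPConfigs {
-// put the ip address in standard cidr form (where we zero out the parts that change the rule)
+// put the ip address in standard cidr form (where we zero out the parts that are not relevant)
 _, podSubnet, _ := net.ParseCIDR(v.IPAddress + "/" + fmt.Sprintf("%d", req.IPConfiguration.IPSubnet.PrefixLength))
 
 snatUDPRuleExists, err := ipt.Exists(iptables.Nat, SWIFT, "-m", "addrtype", "!", "--dst-type", "local", "-s", podSubnet.String(), "-d", networkutils.AzureDNS, "-p", iptables.UDP, "--dport", strconv.Itoa(iptables.DNSPort), "-j", iptables.Snat, "--to", ncPrimaryIP.String())
@@ -126,6 +91,18 @@ func (service *HTTPRestService) programSNATRules(req *cns.CreateNetworkContainer
 break
 }
 
+snatIMDSRuleexist, err := ipt.Exists(iptables.Nat, SWIFT, "-m", "addrtype", "!", "--dst-type", "local", "-s", ncIPNet.String(), "-d", networkutils.AzureIMDS, "-p", iptables.TCP, "--dport", strconv.Itoa(iptables.HTTPPort), "-j", iptables.Snat, "--to", req.HostPrimaryIP)
+if err != nil {
+return types.UnexpectedError, fmt.Sprintf("[Azure CNS] Error. Failed to check for existence of SNAT IMDS rule : %v", err)
+}
+if !snatIMDSRuleexist {
+logger.Printf("[Azure CNS] Inserting SNAT IMDS rule ...")
+err = ipt.Insert(iptables.Nat, SWIFT, 1, "-m", "addrtype", "!", "--dst-type", "local", "-s", ncIPNet.String(), "-d", networkutils.AzureIMDS, "-p", iptables.TCP, "--dport", strconv.Itoa(iptables.HTTPPort), "-j", iptables.Snat, "--to", req.HostPrimaryIP)
+if err != nil {
+return types.FailedToRunIPTableCmd, "[Azure CNS] failed to insert SNAT IMDS rule : " + err.Error()
+}
+}
+
 return types.Success, ""
 }
 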
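Review bot: Nothing on the new side of either hunk removes the broad `-s ncIPNet ... --dport 53 -j SNAT` UDP and TCP rules that earlier builds inserted, so on a node upgraded in place those rules stay in the SWIFT nat chain next to the new per-secondary-IP rules, even though the commit title says existing rules are replaced. The loop only calls `ipt.Exists` on the narrower podSubnet rule and inserts at position 1, so it neither detects nor displaces the stale NC-prefix rule, which would keep rewriting the source of DNS traffic for the whole NC range (I cannot see the caller or whether the chain is flushed at startup, so this is inferred). If the iptables wrapper exposes a delete, I would remove both old rule variants before the loop and treat not-found as success; otherwise a comment above the loop such as `// NOTE: rules inserted by older versions with -s ncIPNet are not removed here; the SWIFT chain must be flushed on upgrade` makes the limitation explicit. The name `snatIMDSRuleexist` in the second hunk also differs from `snatUDPRuleExists` inside the loop; `snatIMDSRuleExists` keeps the two consistent. programSNATRules starts before the first hunk and its body continues between the two hunks.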
