Add dontSNAT subnets rules to mgmtport-snat

yboaron · yboaron · commit 9554ba6e9889 · 2025-06-10T13:31:31.000+03:00
This PR adds rules to prevent SNAT if source IP belongs to
the mgmtport-no-snat-subnets-v4 or mgmtport-no-snat-subnets-v6 sets,
which store IPv4 and IPv6 subnets, respectively.

Signed-off-by: Yossi Boaron &lt;yboaron@redhat.com&gt;
diff --git a/go-controller/pkg/node/managementport/port_linux.go b/go-controller/pkg/node/managementport/port_linux.go
@@ -321,6 +321,18 @@ func setupManagementPortNFTSets() error {
 		Comment: knftables.PtrTo("eTP:Local short-circuit not subject to management port SNAT (IPv6)"),
 		Type:    "ipv6_addr . inet_proto . inet_service",
 	})
+	tx.Add(&knftables.Set{
+		Name:    types.NFTMgmtPortNoSNATSubnetsV4,
+		Comment: knftables.PtrTo("subnets not subject to management port SNAT (IPv4)"),
+		Type:    "ipv4_addr",
+		Flags:   []knftables.SetFlag{knftables.IntervalFlag},
+	})
+	tx.Add(&knftables.Set{
+		Name:    types.NFTMgmtPortNoSNATSubnetsV6,
+		Comment: knftables.PtrTo("subnets not subject to management port SNAT (IPv6)"),
+		Type:    "ipv6_addr",
+		Flags:   []knftables.SetFlag{knftables.IntervalFlag},
+	})
 
 	err = nft.Run(context.TODO(), tx)
 	if err != nil {
@@ -402,6 +414,14 @@ func setupManagementPortNFTChain(interfaceName string, cfg *managementPortConfig
 				"return",
 			),
 		})
+		tx.Add(&knftables.Rule{
+			Chain: nftMgmtPortChain,
+			Rule: knftables.Concat(
+				"ip saddr", "@", types.NFTMgmtPortNoSNATSubnetsV4,
+				counterIfDebug,
+				"return",
+			),
+		})
 		tx.Add(&knftables.Rule{
 			Chain: nftMgmtPortChain,
 			Rule: knftables.Concat(
@@ -441,6 +461,14 @@ func setupManagementPortNFTChain(interfaceName string, cfg *managementPortConfig
 				"return",
 			),
 		})
+		tx.Add(&knftables.Rule{
+			Chain: nftMgmtPortChain,
+			Rule: knftables.Concat(
+				"ip6 saddr", "@", types.NFTMgmtPortNoSNATSubnetsV6,
+				counterIfDebug,
+				"return",
+			),
+		})
 		tx.Add(&knftables.Rule{
 			Chain: nftMgmtPortChain,
 			Rule: knftables.Concat(
diff --git a/go-controller/pkg/types/const.go b/go-controller/pkg/types/const.go
@@ -330,4 +330,10 @@ const (
 	MetricOvsNamespace                   = "ovs"
 	MetricOvsSubsystemVswitchd           = "vswitchd"
 	MetricOvsSubsystemDB                 = "db"
+
+	// "mgmtport-no-snat-subnets-v4" and "mgmtport-no-snat-subnets-v6" are sets containing
+	// subnets, indicating traffic that should not be SNATted when passing through the
+	// management port.
+	NFTMgmtPortNoSNATSubnetsV4 = "mgmtport-no-snat-subnets-v4"
+	NFTMgmtPortNoSNATSubnetsV6 = "mgmtport-no-snat-subnets-v6"
 )
