aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNathan Skrzypczak <nathan.skrzypczak@gmail.com>2021-02-25 17:42:50 +0100
committerDave Barach <openvpp@barachs.net>2021-03-04 12:35:15 +0000
commit516b0adf6d8bbc6533ab58d7add96ec74d8be05a (patch)
tree57cc09232a708ee6510ded4f00c3e9e0745e3b8e
parent3fd77f7dea1ac91c5b4c9ede69b992a4e2243153 (diff)
cnat: Add calico/k8s src policy
This patch implements k8s-specific extensions to the cnat plugin. This could be done by exposing a richer semantic on srcNAT policies, but this might be too complex work at this point. Also k8s fits quite well as a 'cloud NAT' usecase. Type: feature Change-Id: I2266daf7b10a92e65f5ed430838a12ae826bd333 Signed-off-by: Aloys Augustin <aloaugus@cisco.com> Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
-rw-r--r--src/plugins/cnat/cnat.api3
-rw-r--r--src/plugins/cnat/cnat_snat_policy.c56
-rw-r--r--src/plugins/cnat/cnat_snat_policy.h2
3 files changed, 59 insertions, 2 deletions
diff --git a/src/plugins/cnat/cnat.api b/src/plugins/cnat/cnat.api
index df57ea54896..e253084e74e 100644
--- a/src/plugins/cnat/cnat.api
+++ b/src/plugins/cnat/cnat.api
@@ -171,6 +171,7 @@ enum cnat_snat_policy_table:u8
{
CNAT_POLICY_INCLUDE_V4 = 0,
CNAT_POLICY_INCLUDE_V6 = 1,
+ CNAT_POLICY_POD = 2,
};
autoreply define cnat_snat_policy_add_del_if
@@ -190,6 +191,8 @@ enum cnat_snat_policies:u8
/* Filter by interface list : snat_policy_add_del_if
* and prefix list : snat_policy_add_del_if */
CNAT_POLICY_IF_PFX = 1,
+ /* Kubernetes specific policy */
+ CNAT_POLICY_K8S = 2,
};
autoreply define cnat_set_snat_policy
diff --git a/src/plugins/cnat/cnat_snat_policy.c b/src/plugins/cnat/cnat_snat_policy.c
index 83a79c0544d..e2901631b28 100644
--- a/src/plugins/cnat/cnat_snat_policy.c
+++ b/src/plugins/cnat/cnat_snat_policy.c
@@ -27,6 +27,8 @@ unformat_cnat_snat_interface_map_type (unformat_input_t *input, va_list *args)
*a = CNAT_SNAT_IF_MAP_INCLUDE_V4;
else if (unformat (input, "include-v6"))
*a = CNAT_SNAT_IF_MAP_INCLUDE_V6;
+ else if (unformat (input, "k8s"))
+ *a = CNAT_SNAT_IF_MAP_INCLUDE_POD;
else
return 0;
return 1;
@@ -44,6 +46,9 @@ format_cnat_snat_interface_map_type (u8 *s, va_list *args)
case CNAT_SNAT_IF_MAP_INCLUDE_V6:
s = format (s, "Included v6");
break;
+ case CNAT_SNAT_IF_MAP_INCLUDE_POD:
+ s = format (s, "k8s pod");
+ break;
default:
s = format (s, "(unknown)");
break;
@@ -135,7 +140,7 @@ cnat_snat_policy_add_del_if_command_fn (vlib_main_t *vm,
VLIB_CLI_COMMAND (cnat_snat_policy_add_del_if_command, static) = {
.path = "set cnat snat-policy if",
.short_help = "set cnat snat-policy if [del]"
- "[table [include-v4 include-v6]] [interface]",
+ "[table [include-v4 include-v6 k8s]] [interface]",
.function = cnat_snat_policy_add_del_if_command_fn,
};
@@ -280,6 +285,48 @@ cnat_snat_policy_if_pfx (vlib_buffer_t *b, cnat_session_t *session)
return 0;
}
+int
+cnat_snat_policy_k8s (vlib_buffer_t *b, cnat_session_t *session)
+{
+ cnat_snat_policy_main_t *cpm = &cnat_snat_policy_main;
+ ip_address_family_t af = session->key.cs_af;
+
+ ip46_address_t *src_addr = &session->key.cs_ip[VLIB_RX];
+ ip46_address_t *dst_addr = &session->key.cs_ip[VLIB_TX];
+ u32 in_if = vnet_buffer (b)->sw_if_index[VLIB_RX];
+ u32 out_if = vnet_buffer (b)->sw_if_index[VLIB_TX];
+
+ /* source nat for outgoing connections */
+ if (cnat_snat_policy_interface_enabled (in_if, af))
+ if (cnat_search_snat_prefix (dst_addr, af))
+ /* Destination is not in the prefixes that don't require snat */
+ return 1;
+
+ /* source nat for translations that come from the outside:
+ src not not a pod interface, dst not a pod interface */
+ if (!clib_bitmap_get (cpm->interface_maps[CNAT_SNAT_IF_MAP_INCLUDE_POD],
+ in_if) &&
+ !clib_bitmap_get (cpm->interface_maps[CNAT_SNAT_IF_MAP_INCLUDE_POD],
+ out_if))
+ {
+ if (AF_IP6 == af &&
+ ip6_address_is_equal (&src_addr->ip6,
+ &ip_addr_v6 (&cpm->snat_ip6.ce_ip)))
+ return 0;
+ if (AF_IP4 == af &&
+ ip4_address_is_equal (&src_addr->ip4,
+ &ip_addr_v4 (&cpm->snat_ip4.ce_ip)))
+ return 0;
+ return 1;
+ }
+
+ /* handle the case where a container is connecting to itself via a service */
+ if (ip46_address_is_equal (src_addr, dst_addr))
+ return 1;
+
+ return 0;
+}
+
void
cnat_set_snat (ip4_address_t *ip4, ip6_address_t *ip6, u32 sw_if_index)
{
@@ -434,6 +481,9 @@ cnat_set_snat_policy (cnat_snat_policy_type_t policy)
case CNAT_SNAT_POLICY_IF_PFX:
cpm->snat_policy = cnat_snat_policy_if_pfx;
break;
+ case CNAT_SNAT_POLICY_K8S:
+ cpm->snat_policy = cnat_snat_policy_k8s;
+ break;
default:
return 1;
}
@@ -451,6 +501,8 @@ cnat_snat_policy_set_cmd_fn (vlib_main_t *vm, unformat_input_t *input,
;
else if (unformat (input, "if-pfx"))
policy = CNAT_SNAT_POLICY_IF_PFX;
+ else if (unformat (input, "k8s"))
+ policy = CNAT_SNAT_POLICY_K8S;
else
return clib_error_return (0, "unknown input '%U'",
format_unformat_error, input);
@@ -462,7 +514,7 @@ cnat_snat_policy_set_cmd_fn (vlib_main_t *vm, unformat_input_t *input,
VLIB_CLI_COMMAND (cnat_snat_policy_set_cmd, static) = {
.path = "set cnat snat-policy",
- .short_help = "set cnat snat-policy [none][if-pfx]",
+ .short_help = "set cnat snat-policy [none][if-pfx][k8s]",
.function = cnat_snat_policy_set_cmd_fn,
};
diff --git a/src/plugins/cnat/cnat_snat_policy.h b/src/plugins/cnat/cnat_snat_policy.h
index ff30d19c884..987ae494e16 100644
--- a/src/plugins/cnat/cnat_snat_policy.h
+++ b/src/plugins/cnat/cnat_snat_policy.h
@@ -44,6 +44,7 @@ typedef enum cnat_snat_interface_map_type_t_
{
CNAT_SNAT_IF_MAP_INCLUDE_V4 = AF_IP4,
CNAT_SNAT_IF_MAP_INCLUDE_V6 = AF_IP6,
+ CNAT_SNAT_IF_MAP_INCLUDE_POD,
CNAT_N_SNAT_IF_MAP,
} cnat_snat_interface_map_type_t;
@@ -51,6 +52,7 @@ typedef enum cnat_snat_policy_type_t_
{
CNAT_SNAT_POLICY_NONE = 0,
CNAT_SNAT_POLICY_IF_PFX = 1,
+ CNAT_SNAT_POLICY_K8S = 2,
} cnat_snat_policy_type_t;
typedef struct cnat_snat_policy_main_t_