iptables: always do SNAT for access from other nodes to nodeport with external traffic policy set to Local (#2844)

zhangzujian · zhangzujian · commit ae226e33c4a3 · 2023-05-23T15:40:41.000+08:00
diff --git a/pkg/daemon/gateway_linux.go b/pkg/daemon/gateway_linux.go
@@ -486,14 +486,14 @@ func (c *Controller) setIptables() error {
 			continue
 		}
 
-		var kubeProxyIpsetProtocol, matchset string
+		var kubeProxyIpsetProtocol, matchset, nodeMatchSet string
 		var obsoleteRules, iptablesRules []util.IPTableRule
 		if protocol == kubeovnv1.ProtocolIPv4 {
 			iptablesRules = v4Rules
-			matchset = "ovn40subnets"
+			matchset, nodeMatchSet = "ovn40subnets", "ovn40"+OtherNodeSet
 		} else {
 			iptablesRules = v6Rules
-			kubeProxyIpsetProtocol, matchset = "6-", "ovn60subnets"
+			kubeProxyIpsetProtocol, matchset, nodeMatchSet = "6-", "ovn60subnets", "ovn60"+OtherNodeSet
 		}
 
 		if nodeIP := nodeIPs[protocol]; nodeIP != "" {
@@ -515,8 +515,12 @@ func (c *Controller) setIptables() error {
 					continue
 				}
 				rule := fmt.Sprintf("-p %s -m addrtype --dst-type LOCAL -m set --match-set %s dst -j MARK --set-xmark 0x80000/0x80000", p, ipset)
+				rule2 := fmt.Sprintf("-p %s -m set --match-set %s src -m set --match-set %s dst -j MARK --set-xmark 0x4000/0x4000", p, nodeMatchSet, ipset)
 				obsoleteRules = append(obsoleteRules, util.IPTableRule{Table: NAT, Chain: Prerouting, Rule: strings.Fields(rule)})
-				iptablesRules = append(iptablesRules, util.IPTableRule{Table: NAT, Chain: OvnPrerouting, Rule: strings.Fields(rule)})
+				iptablesRules = append(iptablesRules,
+					util.IPTableRule{Table: NAT, Chain: OvnPrerouting, Rule: strings.Fields(rule)},
+					util.IPTableRule{Table: NAT, Chain: OvnPrerouting, Rule: strings.Fields(rule2)},
+				)
 			}
 		}
 

Original file line number	Diff line number	Diff line change
`@@ -486,14 +486,14 @@ func (c *Controller) setIptables() error {`
`486`	`486`	`continue`
`487`	`487`	`}`
`488`	`488`
`489`		`- var kubeProxyIpsetProtocol, matchset string`
	`489`	`+ var kubeProxyIpsetProtocol, matchset, nodeMatchSet string`
`490`	`490`	`var obsoleteRules, iptablesRules []util.IPTableRule`
`491`	`491`	`if protocol == kubeovnv1.ProtocolIPv4 {`
`492`	`492`	`iptablesRules = v4Rules`
`493`		`- matchset = "ovn40subnets"`
	`493`	`+ matchset, nodeMatchSet = "ovn40subnets", "ovn40"+OtherNodeSet`
`494`	`494`	`} else {`
`495`	`495`	`iptablesRules = v6Rules`
`496`		`- kubeProxyIpsetProtocol, matchset = "6-", "ovn60subnets"`
	`496`	`+ kubeProxyIpsetProtocol, matchset, nodeMatchSet = "6-", "ovn60subnets", "ovn60"+OtherNodeSet`
`497`	`497`	`}`
`498`	`498`
`499`	`499`	`if nodeIP := nodeIPs[protocol]; nodeIP != "" {`
`@@ -515,8 +515,12 @@ func (c *Controller) setIptables() error {`
`515`	`515`	`continue`
`516`	`516`	`}`
`517`	`517`	`rule := fmt.Sprintf("-p %s -m addrtype --dst-type LOCAL -m set --match-set %s dst -j MARK --set-xmark 0x80000/0x80000", p, ipset)`
	`518`	`+ rule2 := fmt.Sprintf("-p %s -m set --match-set %s src -m set --match-set %s dst -j MARK --set-xmark 0x4000/0x4000", p, nodeMatchSet, ipset)`
`518`	`519`	`obsoleteRules = append(obsoleteRules, util.IPTableRule{Table: NAT, Chain: Prerouting, Rule: strings.Fields(rule)})`
`519`		`- iptablesRules = append(iptablesRules, util.IPTableRule{Table: NAT, Chain: OvnPrerouting, Rule: strings.Fields(rule)})`
	`520`	`+ iptablesRules = append(iptablesRules,`
	`521`	`+ util.IPTableRule{Table: NAT, Chain: OvnPrerouting, Rule: strings.Fields(rule)},`
	`522`	`+ util.IPTableRule{Table: NAT, Chain: OvnPrerouting, Rule: strings.Fields(rule2)},`
	`523`	`+ )`
`520`	`524`	`}`
`521`	`525`	`}`
`522`	`526`