nft: dispatch per IP+port, not just IP
mcluseau committed Jan 19, 2024
1 parent 6ccd640 commit c7476d4
Showing 3 changed files with 63 additions and 34 deletions.
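--- a/backends/nft/nft.go
+++ b/backends/nft/nft.go
@@ -205,8 +205,11 @@ func addDispatchChains(table *nftable) {
 }
 
 // DNAT
-if table.Chains.Has("z_dispatch_svc_dnat") {
-fmt.Fprint(dnatAll, " jump z_dispatch_svc_dnat\n")
+dispatchProtos := []string{"tcp", "udp", "sctp"}
+for _, proto := range dispatchProtos {
+if table.Chains.Has("z_dispatch_svc_dnat_" + proto) {
+fmt.Fprint(dnatAll, " jump z_dispatch_svc_dnat_"+proto+"\n")
+}
 }
 
 if table.Chains.Has("dnat_external") {
@@ -228,8 +231,10 @@ func addDispatchChains(table *nftable) {
 filterAll := table.Chains.Get("z_filter_all")
 fmt.Fprint(filterAll, " ct state invalid drop\n")
 
-if table.Chains.Has("z_dispatch_svc_filter") {
-fmt.Fprint(filterAll, " jump z_dispatch_svc_filter\n")
+for _, proto := range dispatchProtos {
+if table.Chains.Has("z_dispatch_svc_filter_" + proto) {
+fmt.Fprint(filterAll, " jump z_dispatch_svc_filter_"+proto+"\n")
+}
 }
 
 if table.Chains.Has("filter_external") {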
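Review bot: `dispatchProtos` is declared in the middle of the DNAT section at its first use and then relied on further down in the filter section, while the same three suffixes are spelled out a second time as chain-name suffixes in the struct table of render-context.go; if the two lists ever drift, a rendered `z_dispatch_svc_*_<proto>` chain would never be jumped to, and as far as the visible `Chains.Has` name lookup shows that protocol's service traffic would then silently bypass both DNAT and the per-service filter rules. I would hoist the list to package scope, `var dispatchProtos = []string{"tcp", "udp", "sctp"}`, with a comment stating that it must stay in sync with the `_dnat_*`/`_filter_*` suffixes rendered in render-context.go, so the ordering and spelling live in one place. addDispatchChains starts above the first hunk and continues below the second, so the `dnat_external`/`filter_external` handling between and after them is not visible here.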
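--- a/backends/nft/render-context.go
+++ b/backends/nft/render-context.go
@@ -106,39 +106,63 @@ func (ctx *renderContext) addServiceEndpoints(serviceEndpoints *fullstate.Servic
 
 for _, i := range []struct {
 suffix, target string
+proto localv1.Protocol
 }{
-{"_dnat", dnatChainName},
-{"_filter", filterChainName},
+{"_dnat_tcp", dnatChainName, localv1.Protocol_TCP},
+{"_dnat_udp", dnatChainName, localv1.Protocol_UDP},
+{"_dnat_sctp", dnatChainName, localv1.Protocol_SCTP},
+{"_filter_tcp", filterChainName, localv1.Protocol_TCP},
+{"_filter_udp", filterChainName, localv1.Protocol_UDP},
+{"_filter_sctp", filterChainName, localv1.Protocol_SCTP},
 } {
 if ctx.table.Chains.Get(i.target).Len() == 0 {
 continue
 }
 
+ports := make([]*localv1.PortMapping, 0, len(svc.Ports))
+for _, port := range svc.Ports {
+if port.Protocol == i.proto {
+ports = append(ports, port)
+}
+}
+
+if len(ports) == 0 {
+continue
+}
+
+protoMatch := protoMatch(i.proto)
+
 vmapItem := ctx.table.Chains.GetItem("z_dispatch_svc" + i.suffix)
 vmap := vmapItem.Value()
 
 first := false
 if vmap.Len() == 0 {
 // first time here
-vmap.WriteString(" " + ctx.table.Family + " daddr vmap {\n ")
+vmap.WriteString(" " + ctx.table.Family + " daddr . " + protoMatch + " vmap {\n ")
 vmapItem.Defer(func(vmap *Leaf) {
 vmap.WriteString(" }\n")
 })
 first = true
 }
 
-for idx, ip := range ips {
-if first {
-first = false
-} else if idx%5 == 0 {
-vmap.WriteString(",\n ")
-} else {
-vmap.WriteString(", ")
-}
+n := 0
+for _, ip := range ips {
+for _, port := range ports {
+if first {
+first = false
+} else if n%5 == 0 {
+vmap.WriteString(",\n ")
+} else {
+vmap.WriteString(", ")
+}
+n++
 
-vmap.WriteString(ip)
-vmap.WriteString(": jump ")
-vmap.WriteString(i.target)
+vmap.WriteString(ip)
+vmap.WriteString(" . ")
+vmap.WriteString(strconv.Itoa(int(port.Port)))
+vmap.WriteString(": jump ")
+vmap.WriteString(i.target)
+}
 }
 }
 }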
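Review bot: `protoMatch := protoMatch(i.proto)` at the top of the new per-protocol block shadows the `protoMatch` function for the rest of the loop body; it compiles only because the right-hand side is evaluated before the new name enters scope, it reads like a bug, and any later call to the function inside this loop would fail to compile. Rename the local, e.g. `match := protoMatch(i.proto)` and `vmap.WriteString(" " + ctx.table.Family + " daddr . " + match + " vmap {\n ")`. The `ports` filter is also rebuilt for both the `_dnat_*` and `_filter_*` rows of the same protocol; with three protocols that is cheap, but filtering once per protocol before the table loop would remove the duplication and make the "no ports for this protocol, skip" decision visible in one place. addServiceEndpoints starts above this hunk, so the `svc`, `ips`, `dnatChainName` and `filterChainName` locals it uses are presumably defined there and their contents cannot be checked from here.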
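--- a/backends/nft/render-context_test.go
+++ b/backends/nft/render-context_test.go
@@ -106,21 +106,21 @@ func ExampleRenderBasicService() {
 // tcp dport 82 reject
 // fib daddr type local tcp dport 58081 reject
 // }
-// chain z_dispatch_svc_dnat {
-// ip daddr vmap {
-// 10.0.0.1: jump svc_my-ns_my-svc_dnat }
+// chain z_dispatch_svc_dnat_tcp {
+// ip daddr . tcp dport vmap {
+// 10.0.0.1 . 80: jump svc_my-ns_my-svc_dnat, 10.0.0.1 . 81: jump svc_my-ns_my-svc_dnat, 10.0.0.1 . 82: jump svc_my-ns_my-svc_dnat }
 // }
-// chain z_dispatch_svc_filter {
-// ip daddr vmap {
-// 10.0.0.1: jump svc_my-ns_my-svc_filter }
+// chain z_dispatch_svc_filter_tcp {
+// ip daddr . tcp dport vmap {
+// 10.0.0.1 . 80: jump svc_my-ns_my-svc_filter, 10.0.0.1 . 81: jump svc_my-ns_my-svc_filter, 10.0.0.1 . 82: jump svc_my-ns_my-svc_filter }
 // }
 // chain z_dnat_all {
-// jump z_dispatch_svc_dnat
+// jump z_dispatch_svc_dnat_tcp
 // fib daddr type local jump nodeports_dnat
 // }
 // chain z_filter_all {
 // ct state invalid drop
-// jump z_dispatch_svc_filter
+// jump z_dispatch_svc_filter_tcp
 // fib daddr type local jump nodeports_filter
 // }
 // chain z_hook_filter_forward {
@@ -221,21 +221,21 @@ func ExampleRenderServiceWithClientIPAffinity() {
 // tcp dport 82 reject
 // fib daddr type local tcp dport 58081 reject
 // }
-// chain z_dispatch_svc_dnat {
-// ip daddr vmap {
-// 10.0.0.1: jump svc_my-ns_my-svc_dnat }
+// chain z_dispatch_svc_dnat_tcp {
+// ip daddr . tcp dport vmap {
+// 10.0.0.1 . 80: jump svc_my-ns_my-svc_dnat, 10.0.0.1 . 81: jump svc_my-ns_my-svc_dnat, 10.0.0.1 . 82: jump svc_my-ns_my-svc_dnat }
 // }
-// chain z_dispatch_svc_filter {
-// ip daddr vmap {
-// 10.0.0.1: jump svc_my-ns_my-svc_filter }
+// chain z_dispatch_svc_filter_tcp {
+// ip daddr . tcp dport vmap {
+// 10.0.0.1 . 80: jump svc_my-ns_my-svc_filter, 10.0.0.1 . 81: jump svc_my-ns_my-svc_filter, 10.0.0.1 . 82: jump svc_my-ns_my-svc_filter }
 // }
 // chain z_dnat_all {
-// jump z_dispatch_svc_dnat
+// jump z_dispatch_svc_dnat_tcp
 // fib daddr type local jump nodeports_dnat
 // }
 // chain z_filter_all {
 // ct state invalid drop
-// jump z_dispatch_svc_filter
+// jump z_dispatch_svc_filter_tcp
 // fib daddr type local jump nodeports_filter
 // }
 // chain z_hook_filter_forward {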
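Review bot: The updated expectations only exercise the TCP path: every rendered dispatch chain here is `z_dispatch_svc_*_tcp` with `ip daddr . tcp dport` keys, so the new udp and sctp dispatch chains introduced in nft.go and render-context.go, and whatever `protoMatch` emits for them, have no example coverage. Giving one of these services a UDP port (and an SCTP one if the backend supports it), or adding a dedicated Example, would pin the `udp dport`/`sctp dport` key form and the corresponding `jump z_dispatch_svc_dnat_udp` line in `z_dnat_all`, which is exactly where a mismatch between the two hand-written protocol lists would otherwise go unnoticed. Both Example functions start above their hunks and end below them.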