--- /dev/null
+// Copyright 2017 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ip
+
+import (
+ "fmt"
+ "syscall"
+ "time"
+
+ "github.com/vishvananda/netlink"
+)
+
+const SETTLE_INTERVAL = 50 * time.Millisecond
+
+// SettleAddresses waits for all addresses on a link to leave tentative state.
+// This is particularly useful for ipv6, where all addresses need to do DAD.
+// There is no easy way to wait for this as an event, so just loop until the
+// addresses are no longer tentative.
+// If any addresses are still tentative after timeout seconds, then error.
+func SettleAddresses(ifName string, timeout int) error {
+ link, err := netlink.LinkByName(ifName)
+ if err != nil {
+ return fmt.Errorf("failed to retrieve link: %v", err)
+ }
+
+ deadline := time.Now().Add(time.Duration(timeout) * time.Second)
+ for {
+ addrs, err := netlink.AddrList(link, netlink.FAMILY_ALL)
+ if err != nil {
+ return fmt.Errorf("could not list addresses: %v", err)
+ }
+
+ if len(addrs) == 0 {
+ return nil
+ }
+
+ ok := true
+ for _, addr := range addrs {
+ if addr.Flags&(syscall.IFA_F_TENTATIVE|syscall.IFA_F_DADFAILED) > 0 {
+ ok = false
+ break // Break out of the `range addrs`, not the `for`
+ }
+ }
+
+ if ok {
+ return nil
+ }
+ if time.Now().After(deadline) {
+ return fmt.Errorf("link %s still has tentative addresses after %d seconds",
+ ifName,
+ timeout)
+ }
+
+ time.Sleep(SETTLE_INTERVAL)
+ }
+}
import (
"io/ioutil"
+
+ "github.com/containernetworking/cni/pkg/types/current"
)
func EnableIP4Forward() error {
return echo1("/proc/sys/net/ipv6/conf/all/forwarding")
}
+// EnableForward will enable forwarding for all configured
+// address families
+func EnableForward(ips []*current.IPConfig) error {
+ v4 := false
+ v6 := false
+
+ for _, ip := range ips {
+ if ip.Version == "4" && !v4 {
+ if err := EnableIP4Forward(); err != nil {
+ return err
+ }
+ v4 = true
+ } else if ip.Version == "6" && !v6 {
+ if err := EnableIP6Forward(); err != nil {
+ return err
+ }
+ v6 = true
+ }
+ }
+ return nil
+}
+
func echo1(f string) error {
return ioutil.WriteFile(f, []byte("1"), 0644)
}
// SetupIPMasq installs iptables rules to masquerade traffic
// coming from ipn and going outside of it
func SetupIPMasq(ipn *net.IPNet, chain string, comment string) error {
- ipt, err := iptables.New()
+ isV6 := ipn.IP.To4() == nil
+
+ var ipt *iptables.IPTables
+ var err error
+ var multicastNet string
+
+ if isV6 {
+ ipt, err = iptables.NewWithProtocol(iptables.ProtocolIPv6)
+ multicastNet = "ff00::/8"
+ } else {
+ ipt, err = iptables.NewWithProtocol(iptables.ProtocolIPv4)
+ multicastNet = "224.0.0.0/4"
+ }
if err != nil {
return fmt.Errorf("failed to locate iptables: %v", err)
}
- if err = ipt.NewChain("nat", chain); err != nil {
- if err.(*iptables.Error).ExitStatus() != 1 {
- // TODO(eyakubovich): assumes exit status 1 implies chain exists
+ // Create chain if doesn't exist
+ exists := false
+ chains, err := ipt.ListChains("nat")
+ if err != nil {
+ return fmt.Errorf("failed to list chains: %v", err)
+ }
+ for _, ch := range chains {
+ if ch == chain {
+ exists = true
+ break
+ }
+ }
+ if !exists {
+ if err = ipt.NewChain("nat", chain); err != nil {
return err
}
}
- if err = ipt.AppendUnique("nat", chain, "-d", ipn.String(), "-j", "ACCEPT", "-m", "comment", "--comment", comment); err != nil {
+ // Packets to this network should not be touched
+ if err := ipt.AppendUnique("nat", chain, "-d", ipn.String(), "-j", "ACCEPT", "-m", "comment", "--comment", comment); err != nil {
return err
}
- if err = ipt.AppendUnique("nat", chain, "!", "-d", "224.0.0.0/4", "-j", "MASQUERADE", "-m", "comment", "--comment", comment); err != nil {
+ // Don't masquerade multicast - pods should be able to talk to other pods
+ // on the local network via multicast.
+ if err := ipt.AppendUnique("nat", chain, "!", "-d", multicastNet, "-j", "MASQUERADE", "-m", "comment", "--comment", comment); err != nil {
return err
}
}
}
+ ip.SettleAddresses(ifName, 10)
+
for _, r := range res.Routes {
routeIsV4 := r.Dst.IP.To4() != nil
gw := r.GW
--- /dev/null
+// Copyright 2017 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package testutils
+
+import (
+ "bytes"
+ "fmt"
+ "os/exec"
+ "strconv"
+ "syscall"
+)
+
+// Ping shells out to the `ping` command. Returns nil if successful.
+func Ping(saddr, daddr string, isV6 bool, timeoutSec int) error {
+ args := []string{
+ "-c", "1",
+ "-W", strconv.Itoa(timeoutSec),
+ "-I", saddr,
+ daddr,
+ }
+
+ bin := "ping"
+ if isV6 {
+ bin = "ping6"
+ }
+
+ cmd := exec.Command(bin, args...)
+ var stderr bytes.Buffer
+ cmd.Stderr = &stderr
+
+ if err := cmd.Run(); err != nil {
+ switch e := err.(type) {
+ case *exec.ExitError:
+ return fmt.Errorf("%v exit status %d: %s",
+ args, e.Sys().(syscall.WaitStatus).ExitStatus(),
+ stderr.String())
+ default:
+ return err
+ }
+ }
+
+ return nil
+}
return fmt.Errorf("failed to delete route %v: %v", route, err)
}
+ addrBits := 32
+ if ipc.Version == "6" {
+ addrBits = 128
+ }
+
for _, r := range []netlink.Route{
netlink.Route{
LinkIndex: contVeth.Index,
Dst: &net.IPNet{
IP: ipc.Gateway,
- Mask: net.CIDRMask(32, 32),
+ Mask: net.CIDRMask(addrBits, addrBits),
},
Scope: netlink.SCOPE_LINK,
Src: ipc.Address.IP,
return fmt.Errorf("failed to load netconf: %v", err)
}
- if err := ip.EnableIP4Forward(); err != nil {
- return fmt.Errorf("failed to enable forwarding: %v", err)
- }
-
// run the IPAM plugin and get back the config to apply
r, err := ipam.ExecAdd(conf.IPAM.Type, args.StdinData)
if err != nil {
return errors.New("IPAM plugin returned missing IP config")
}
+ if err := ip.EnableForward(result.IPs); err != nil {
+ return fmt.Errorf("Could not enable IP forwarding: %v", err)
+ }
+
netns, err := ns.GetNS(args.Netns)
if err != nil {
return fmt.Errorf("failed to open netns %q: %v", args.Netns, err)
package main
import (
+ "fmt"
+
"github.com/containernetworking/cni/pkg/skel"
+ "github.com/containernetworking/cni/pkg/types"
+ "github.com/containernetworking/cni/pkg/types/current"
"github.com/containernetworking/plugins/pkg/ns"
"github.com/containernetworking/plugins/pkg/testutils"
Expect(originalNS.Close()).To(Succeed())
})
- It("configures and deconfigures a ptp link with ADD/DEL", func() {
+ doTest := func(conf string, numIPs int) {
const IFNAME = "ptp0"
- conf := `{
- "cniVersion": "0.3.1",
- "name": "mynet",
- "type": "ptp",
- "ipMasq": true,
- "mtu": 5000,
- "ipam": {
- "type": "host-local",
- "subnet": "10.1.2.0/24"
- }
-}`
-
targetNs, err := ns.NewNS()
Expect(err).NotTo(HaveOccurred())
defer targetNs.Close()
StdinData: []byte(conf),
}
+ var resI types.Result
+ var res *current.Result
+
// Execute the plugin with the ADD command, creating the veth endpoints
err = originalNS.Do(func(ns.NetNS) error {
defer GinkgoRecover()
- _, _, err := testutils.CmdAddWithResult(targetNs.Path(), IFNAME, []byte(conf), func() error {
+ resI, _, err = testutils.CmdAddWithResult(targetNs.Path(), IFNAME, []byte(conf), func() error {
return cmdAdd(args)
})
Expect(err).NotTo(HaveOccurred())
})
Expect(err).NotTo(HaveOccurred())
+ res, err = current.NewResultFromResult(resI)
+ Expect(err).NotTo(HaveOccurred())
+
// Make sure ptp link exists in the target namespace
+ // Then, ping the gateway
+ seenIPs := 0
err = targetNs.Do(func(ns.NetNS) error {
defer GinkgoRecover()
link, err := netlink.LinkByName(IFNAME)
Expect(err).NotTo(HaveOccurred())
Expect(link.Attrs().Name).To(Equal(IFNAME))
+
+ for _, ipc := range res.IPs {
+ if ipc.Interface != 1 {
+ continue
+ }
+ seenIPs += 1
+ saddr := ipc.Address.IP.String()
+ daddr := ipc.Gateway.String()
+ fmt.Fprintln(GinkgoWriter, "ping", saddr, "->", daddr)
+
+ if err := testutils.Ping(saddr, daddr, (ipc.Version == "6"), 30); err != nil {
+ return fmt.Errorf("ping %s -> %s failed: %s", saddr, daddr, err)
+ }
+ }
+
return nil
})
Expect(err).NotTo(HaveOccurred())
+ Expect(seenIPs).To(Equal(numIPs))
+
// Call the plugins with the DEL command, deleting the veth endpoints
err = originalNS.Do(func(ns.NetNS) error {
defer GinkgoRecover()
return nil
})
Expect(err).NotTo(HaveOccurred())
+ }
+
+ It("configures and deconfigures a ptp link with ADD/DEL", func() {
+ conf := `{
+ "cniVersion": "0.3.1",
+ "name": "mynet",
+ "type": "ptp",
+ "ipMasq": true,
+ "mtu": 5000,
+ "ipam": {
+ "type": "host-local",
+ "subnet": "10.1.2.0/24"
+ }
+}`
+
+ doTest(conf, 1)
+ })
+
+ It("configures and deconfigures a dual-stack ptp link with ADD/DEL", func() {
+ conf := `{
+ "cniVersion": "0.3.1",
+ "name": "mynet",
+ "type": "ptp",
+ "ipMasq": true,
+ "mtu": 5000,
+ "ipam": {
+ "type": "host-local",
+ "ranges": [
+ { "subnet": "10.1.2.0/24"},
+ { "subnet": "2001:db8:1::0/66"}
+ ]
+ }
+}`
+
+ doTest(conf, 2)
})
+
It("deconfigures an unconfigured ptp link with DEL", func() {
const IFNAME = "ptp0"
git://git.halfball.org / plugins.git / commitdiff