Change auto-egress-ip pkt_mark to be based on VNID, avoid masqueradeBit

If the iptables rules get reordered after a flush, then it's possible
that kube-proxy rules that look at MasqueradeBit will accidentally
match a packet that was intended for an auto-egress-ip rule.

To avoid that, change the code to avoid using that bit of pkt_mark.
This means we now only have 31 bits to work with instead of 32, so
make the mark be based on the (24-bit) VNID rather than the (32-bit)
egress IP address.

Author: danwinship

pkg/cmd/server/kubernetes/network/sdn_linux.go

@@ -55,6 +55,7 @@ func NewSDNInterfaces(options configapi.NodeConfig, networkClient networkclient.
 		KubeInformers:      internalKubeInformers,
 		NetworkInformers:   internalNetworkInformers,
 		IPTablesSyncPeriod: proxyconfig.IPTables.SyncPeriod.Duration,
+		MasqueradeBit:      proxyconfig.IPTables.MasqueradeBit,
 		ProxyMode:          proxyconfig.Mode,
 		EnableHostports:    enableHostports,
 		Recorder:           recorder,

pkg/network/node/egressip.go

@@ -40,8 +40,9 @@ type namespaceEgress struct {
 type egressIPWatcher struct {
 	sync.Mutex
 
-	localIP string
-	oc      *ovsController
+	oc            *ovsController
+	localIP       string
+	masqueradeBit uint32
 
 	networkInformers networkinformers.SharedInformerFactory
 	iptables         *NodeIPTables
@@ -60,17 +61,21 @@ type egressIPWatcher struct {
 	testModeChan chan string
 }
 
-func newEgressIPWatcher(localIP string, oc *ovsController) *egressIPWatcher {
-	return &egressIPWatcher{
-		localIP: localIP,
+func newEgressIPWatcher(oc *ovsController, localIP string, masqueradeBit *int32) *egressIPWatcher {
+	eip := &egressIPWatcher{
 		oc:      oc,
+		localIP: localIP,
 
 		nodesByNodeIP:   make(map[string]*nodeEgress),
 		nodesByEgressIP: make(map[string]*nodeEgress),
 
 		namespacesByVNID:     make(map[uint32]*namespaceEgress),
 		namespacesByEgressIP: make(map[string]*namespaceEgress),
 	}
+	if masqueradeBit != nil {
+		eip.masqueradeBit = 1 << uint32(*masqueradeBit)
+	}
+	return eip
 }
 
 func (eip *egressIPWatcher) Start(networkInformers networkinformers.SharedInformerFactory, iptables *NodeIPTables) error {
@@ -88,13 +93,16 @@ func (eip *egressIPWatcher) Start(networkInformers networkinformers.SharedInform
 	return nil
 }
 
-func ipToHex(ip string) string {
-	bytes := net.ParseIP(ip)
-	if bytes == nil {
-		return "invalid IP: shouldn't happen"
+// Convert vnid to a hex value that is not 0, does not have masqueradeBit set, and isn't
+// the same value as would be returned for any other valid vnid.
+func getMarkForVNID(vnid, masqueradeBit uint32) string {
+	if vnid == 0 {
+		vnid = 0xff000000
+	}
+	if (vnid & masqueradeBit) != 0 {
+		vnid = (vnid | 0x01000000) ^ masqueradeBit
 	}
-	bytes = bytes.To4()
-	return fmt.Sprintf("0x%02x%02x%02x%02x", bytes[0], bytes[1], bytes[2], bytes[3])
+	return fmt.Sprintf("0x%08x", vnid)
 }
 
 func (eip *egressIPWatcher) watchHostSubnets() {
@@ -167,14 +175,14 @@ func (eip *egressIPWatcher) maybeAddEgressIP(egressIP string) {
 		return
 	}
 
-	hex := ipToHex(egressIP)
+	mark := getMarkForVNID(ns.vnid, eip.masqueradeBit)
 	nodeIP := ""
 
 	if node != nil && !node.assignedIPs.Has(egressIP) {
 		node.assignedIPs.Insert(egressIP)
 		nodeIP = node.nodeIP
 		if node.nodeIP == eip.localIP {
-			if err := eip.assignEgressIP(egressIP, hex); err != nil {
+			if err := eip.assignEgressIP(egressIP, mark); err != nil {
 				glog.Errorf("Error assigning Egress IP %q: %v", egressIP, err)
 				nodeIP = ""
 			}
@@ -185,7 +193,7 @@ func (eip *egressIPWatcher) maybeAddEgressIP(egressIP string) {
 		ns.assignedIP = egressIP
 		ns.nodeIP = nodeIP
 
-		err := eip.oc.UpdateNamespaceEgressRules(ns.vnid, ns.nodeIP, hex)
+		err := eip.oc.UpdateNamespaceEgressRules(ns.vnid, ns.nodeIP, mark)
 		if err != nil {
 			glog.Errorf("Error updating Namespace egress rules: %v", err)
 		}
@@ -199,9 +207,9 @@ func (eip *egressIPWatcher) deleteEgressIP(egressIP string) {
 		return
 	}
 
-	hex := ipToHex(egressIP)
+	mark := getMarkForVNID(ns.vnid, eip.masqueradeBit)
 	if node.nodeIP == eip.localIP {
-		if err := eip.releaseEgressIP(egressIP, hex); err != nil {
+		if err := eip.releaseEgressIP(egressIP, mark); err != nil {
 			glog.Errorf("Error releasing Egress IP %q: %v", egressIP, err)
 		}
 	}
@@ -217,7 +225,7 @@ func (eip *egressIPWatcher) deleteEgressIP(egressIP string) {
 		err = eip.oc.UpdateNamespaceEgressRules(ns.vnid, "", "")
 	} else {
 		// Namespace still wants EgressIP but no node provides it
-		err = eip.oc.UpdateNamespaceEgressRules(ns.vnid, "", hex)
+		err = eip.oc.UpdateNamespaceEgressRules(ns.vnid, "", mark)
 	}
 	if err != nil {
 		glog.Errorf("Error updating Namespace egress rules: %v", err)
@@ -293,7 +301,7 @@ func (eip *egressIPWatcher) deleteNamespaceEgress(vnid uint32) {
 	delete(eip.namespacesByVNID, vnid)
 }
 
-func (eip *egressIPWatcher) assignEgressIP(egressIP, egressHex string) error {
+func (eip *egressIPWatcher) assignEgressIP(egressIP, mark string) error {
 	if egressIP == eip.localIP {
 		return fmt.Errorf("desired egress IP %q is the node IP", egressIP)
 	}
@@ -321,14 +329,14 @@ func (eip *egressIPWatcher) assignEgressIP(egressIP, egressHex string) error {
 		}
 	}
 
-	if err := eip.iptables.AddEgressIPRules(egressIP, egressHex); err != nil {
+	if err := eip.iptables.AddEgressIPRules(egressIP, mark); err != nil {
 		return fmt.Errorf("could not add egress IP iptables rule: %v", err)
 	}
 
 	return nil
 }
 
-func (eip *egressIPWatcher) releaseEgressIP(egressIP, egressHex string) error {
+func (eip *egressIPWatcher) releaseEgressIP(egressIP, mark string) error {
 	if egressIP == eip.localIP {
 		return nil
 	}
@@ -353,7 +361,7 @@ func (eip *egressIPWatcher) releaseEgressIP(egressIP, egressHex string) error {
 		}
 	}
 
-	if err := eip.iptables.DeleteEgressIPRules(egressIP, egressHex); err != nil {
+	if err := eip.iptables.DeleteEgressIPRules(egressIP, mark); err != nil {
 		return fmt.Errorf("could not delete egress IP iptables rule: %v", err)
 	}
 

pkg/network/node/egressip_test.go

@@ -31,7 +31,8 @@ func TestEgressIP(t *testing.T) {
 	if oc.localIP != "172.17.0.4" {
 		panic("details of fake ovsController changed")
 	}
-	eip := newEgressIPWatcher("172.17.0.4", oc)
+	masqBit := int32(0)
+	eip := newEgressIPWatcher(oc, "172.17.0.4", &masqBit)
 	eip.testModeChan = make(chan string, 10)
 
 	eip.updateNodeEgress("172.17.0.3", []string{})
@@ -160,7 +161,7 @@ func TestEgressIP(t *testing.T) {
 	err = assertFlowChanges(origFlows, flows,
 		flowChange{
 			kind:  flowAdded,
-			match: []string{"table=100", "reg0=44", "0xac110066->pkt_mark", "goto_table:101"},
+			match: []string{"table=100", "reg0=44", "0x0000002c->pkt_mark", "goto_table:101"},
 		},
 	)
 	if err != nil {
@@ -195,7 +196,7 @@ func TestEgressIP(t *testing.T) {
 	err = assertFlowChanges(origFlows, flows,
 		flowChange{
 			kind:  flowAdded,
-			match: []string{"table=100", "reg0=45", "0xac110067->pkt_mark", "goto_table:101"},
+			match: []string{"table=100", "reg0=45", "0x0100002c->pkt_mark", "goto_table:101"},
 		},
 	)
 	if err != nil {
@@ -216,7 +217,7 @@ func TestEgressIP(t *testing.T) {
 	err = assertFlowChanges(origFlows, flows,
 		flowChange{
 			kind:  flowRemoved,
-			match: []string{"table=100", "reg0=44", "0xac110066->pkt_mark", "goto_table:101"},
+			match: []string{"table=100", "reg0=44", "0x0000002c->pkt_mark", "goto_table:101"},
 		},
 	)
 	if err != nil {
@@ -262,7 +263,7 @@ func TestEgressIP(t *testing.T) {
 	err = assertFlowChanges(origFlows, flows,
 		flowChange{
 			kind:  flowRemoved,
-			match: []string{"table=100", "reg0=45", "0xac110067->pkt_mark", "goto_table:101"},
+			match: []string{"table=100", "reg0=45", "0x0100002c->pkt_mark", "goto_table:101"},
 		},
 		flowChange{
 			kind:  flowAdded,
@@ -289,3 +290,74 @@ func TestEgressIP(t *testing.T) {
 		t.Fatalf("Unexpected flow changes: %v", err)
 	}
 }
+
+func TestMarkForVNID(t *testing.T) {
+	testcases := []struct {
+		description   string
+		vnid          uint32
+		masqueradeBit uint32
+		result        uint32
+	}{
+		{
+			description:   "masqBit in VNID range, but not set in VNID",
+			vnid:          0x000000aa,
+			masqueradeBit: 0x00000001,
+			result:        0x000000aa,
+		},
+		{
+			description:   "masqBit in VNID range, and set in VNID",
+			vnid:          0x000000ab,
+			masqueradeBit: 0x00000001,
+			result:        0x010000aa,
+		},
+		{
+			description:   "masqBit in VNID range, VNID 0",
+			vnid:          0x00000000,
+			masqueradeBit: 0x00000001,
+			result:        0xff000000,
+		},
+		{
+			description:   "masqBit outside of VNID range",
+			vnid:          0x000000aa,
+			masqueradeBit: 0x80000000,
+			result:        0x000000aa,
+		},
+		{
+			description:   "masqBit outside of VNID range, VNID 0",
+			vnid:          0x00000000,
+			masqueradeBit: 0x80000000,
+			result:        0x7f000000,
+		},
+		{
+			description:   "masqBit == bit 24",
+			vnid:          0x000000aa,
+			masqueradeBit: 0x01000000,
+			result:        0x000000aa,
+		},
+		{
+			description:   "masqBit == bit 24, VNID 0",
+			vnid:          0x00000000,
+			masqueradeBit: 0x01000000,
+			result:        0xfe000000,
+		},
+		{
+			description:   "no masqBit, ordinary VNID",
+			vnid:          0x000000aa,
+			masqueradeBit: 0x00000000,
+			result:        0x000000aa,
+		},
+		{
+			description:   "no masqBit, VNID 0",
+			vnid:          0x00000000,
+			masqueradeBit: 0x00000000,
+			result:        0xff000000,
+		},
+	}
+
+	for _, tc := range testcases {
+		result := getMarkForVNID(tc.vnid, tc.masqueradeBit)
+		if result != fmt.Sprintf("0x%08x", tc.result) {
+			t.Fatalf("test %q expected %08x got %s", tc.description, tc.result, result)
+		}
+	}
+}

pkg/network/node/iptables.go

@@ -212,9 +212,9 @@ func (n *NodeIPTables) getNodeIPTablesChains() []Chain {
 	return chainArray
 }
 
-func (n *NodeIPTables) AddEgressIPRules(egressIP, egressHex string) error {
+func (n *NodeIPTables) AddEgressIPRules(egressIP, mark string) error {
 	for _, cidr := range n.clusterNetworkCIDR {
-		_, err := n.ipt.EnsureRule(iptables.Prepend, iptables.TableNAT, iptables.Chain("OPENSHIFT-MASQUERADE"), "-s", cidr, "-m", "mark", "--mark", egressHex, "-j", "SNAT", "--to-source", egressIP)
+		_, err := n.ipt.EnsureRule(iptables.Prepend, iptables.TableNAT, iptables.Chain("OPENSHIFT-MASQUERADE"), "-s", cidr, "-m", "mark", "--mark", mark, "-j", "SNAT", "--to-source", egressIP)
 		if err != nil {
 			return err
 		}
@@ -223,9 +223,9 @@ func (n *NodeIPTables) AddEgressIPRules(egressIP, egressHex string) error {
 	return err
 }
 
-func (n *NodeIPTables) DeleteEgressIPRules(egressIP, egressHex string) error {
+func (n *NodeIPTables) DeleteEgressIPRules(egressIP, mark string) error {
 	for _, cidr := range n.clusterNetworkCIDR {
-		err := n.ipt.DeleteRule(iptables.TableNAT, iptables.Chain("OPENSHIFT-MASQUERADE"), "-s", cidr, "-m", "mark", "--mark", egressHex, "-j", "SNAT", "--to-source", egressIP)
+		err := n.ipt.DeleteRule(iptables.TableNAT, iptables.Chain("OPENSHIFT-MASQUERADE"), "-s", cidr, "-m", "mark", "--mark", mark, "-j", "SNAT", "--to-source", egressIP)
 		if err != nil {
 			return err
 		}

pkg/network/node/node.go

@@ -84,6 +84,7 @@ type OsdnNodeConfig struct {
 
 	IPTablesSyncPeriod time.Duration
 	ProxyMode          kubeproxyconfig.ProxyMode
+	MasqueradeBit      *int32
 }
 
 type OsdnNode struct {
@@ -181,7 +182,7 @@ func New(c *OsdnNodeConfig) (network.NodeInterface, error) {
 		hostSubnetMap:      make(map[string]*networkapi.HostSubnet),
 		kubeInformers:      c.KubeInformers,
 		networkInformers:   c.NetworkInformers,
-		egressIP:           newEgressIPWatcher(c.SelfIP, oc),
+		egressIP:           newEgressIPWatcher(oc, c.SelfIP, c.MasqueradeBit),
 
 		runtimeEndpoint: c.RuntimeEndpoint,
 		// 2 minutes is the current default value used in kubelet

pkg/network/node/ovscontroller.go

@@ -34,7 +34,7 @@ const (
 	Vxlan0 = "vxlan0"
 
 	// rule versioning; increment each time flow rules change
-	ruleVersion = 5
+	ruleVersion = 6
 
 	ruleVersionTable = 253
 )
@@ -681,11 +681,11 @@ func (oc *ovsController) ensureTunMAC() error {
 	return nil
 }
 
-func (oc *ovsController) UpdateNamespaceEgressRules(vnid uint32, nodeIP, egressHex string) error {
+func (oc *ovsController) UpdateNamespaceEgressRules(vnid uint32, nodeIP, mark string) error {
 	otx := oc.ovs.NewTransaction()
 	otx.DeleteFlows("table=100, reg0=%d", vnid)
 
-	if egressHex == "" {
+	if mark == "" {
 		// Namespace no longer has an EgressIP; no VNID-specific rules needed
 	} else if nodeIP == "" {
 		// Namespace has Egress IP, but it is unavailable, so drop egress traffic
@@ -695,7 +695,7 @@ func (oc *ovsController) UpdateNamespaceEgressRules(vnid uint32, nodeIP, egressH
 		if err := oc.ensureTunMAC(); err != nil {
 			return err
 		}
-		otx.AddFlow("table=100, priority=100, reg0=%d, ip, actions=set_field:%s->eth_dst,set_field:%s->pkt_mark,goto_table:101", vnid, oc.tunMAC, egressHex)
+		otx.AddFlow("table=100, priority=100, reg0=%d, ip, actions=set_field:%s->eth_dst,set_field:%s->pkt_mark,goto_table:101", vnid, oc.tunMAC, mark)
 	} else {
 		// Remote Egress IP; send via VXLAN
 		otx.AddFlow("table=100, priority=100, reg0=%d, ip, actions=move:NXM_NX_REG0[]->NXM_NX_TUN_ID[0..31],set_field:%s->tun_dst,output:1", vnid, nodeIP)