Update clients to use Packetfilter

Signed-off-by: Yossi Boaron <[email protected]>
submariner-io · Jan 16, 2024 · ca8fb1d · ca8fb1d
1 parent 516689d
commit ca8fb1d
Show file tree

Hide file tree

Showing 31 changed files with 771 additions and 660 deletions.
diff --git a/pkg/globalnet/controllers/base_controllers.go b/pkg/globalnet/controllers/base_controllers.go
@@ -29,7 +29,7 @@ import (
 	"github.com/submariner-io/admiral/pkg/federate"
 	"github.com/submariner-io/admiral/pkg/util"
 	submarinerv1 "github.com/submariner-io/submariner/pkg/apis/submariner.io/v1"
-	iptiface "github.com/submariner-io/submariner/pkg/globalnet/controllers/iptables"
+	pfiface "github.com/submariner-io/submariner/pkg/globalnet/controllers/packetfilter"
 	"github.com/submariner-io/submariner/pkg/ipam"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
@@ -60,11 +60,11 @@ func newBaseSyncerController() *baseSyncerController {
 	}
 }
 
-func newBaseIPAllocationController(pool *ipam.IPPool, iptIface iptiface.Interface) *baseIPAllocationController {
+func newBaseIPAllocationController(pool *ipam.IPPool, pfIface pfiface.Interface) *baseIPAllocationController {
 	return &baseIPAllocationController{
 		baseSyncerController: newBaseSyncerController(),
 		pool:                 pool,
-		iptIface:             iptIface,
+		pfIface:              pfIface,
 	}
 }
 

diff --git a/pkg/globalnet/controllers/cluster_egressip_controller.go b/pkg/globalnet/controllers/cluster_egressip_controller.go
@@ -29,7 +29,7 @@ import (
 	"github.com/submariner-io/admiral/pkg/util"
 	submarinerv1 "github.com/submariner-io/submariner/pkg/apis/submariner.io/v1"
 	"github.com/submariner-io/submariner/pkg/globalnet/constants"
-	"github.com/submariner-io/submariner/pkg/globalnet/controllers/iptables"
+	"github.com/submariner-io/submariner/pkg/globalnet/controllers/packetfilter"
 	"github.com/submariner-io/submariner/pkg/globalnet/metrics"
 	"github.com/submariner-io/submariner/pkg/ipam"
 	corev1 "k8s.io/api/core/v1"
@@ -49,13 +49,13 @@ func NewClusterGlobalEgressIPController(config *syncer.ResourceSyncerConfig, loc
 
 	logger.Info("Creating ClusterGlobalEgressIP controller")
 
-	iptIface, err := iptables.New()
+	pfIface, err := packetfilter.New()
 	if err != nil {
 		return nil, errors.WithMessage(err, "error creating the IPTablesInterface handler")
 	}
 
 	controller := &clusterGlobalEgressIPController{
-		baseIPAllocationController: newBaseIPAllocationController(pool, iptIface),
+		baseIPAllocationController: newBaseIPAllocationController(pool, pfIface),
 		localSubnets:               localSubnets,
 	}
 
@@ -215,7 +215,7 @@ func (c *clusterGlobalEgressIPController) flushClusterGlobalEgressRules(allocate
 
 func (c *clusterGlobalEgressIPController) deleteClusterGlobalEgressRules(srcIPList []string, snatIP string) error {
 	for _, srcIP := range srcIPList {
-		if err := c.iptIface.RemoveClusterEgressRules(srcIP, snatIP, globalNetIPTableMark); err != nil {
+		if err := c.pfIface.RemoveClusterEgressRules(srcIP, snatIP, globalNetIPTableMark); err != nil {
 			return err //nolint:wrapcheck  // Let the caller wrap it
 		}
 	}
@@ -228,7 +228,7 @@ func (c *clusterGlobalEgressIPController) programClusterGlobalEgressRules(alloca
 	egressRulesProgrammed := []string{}
 
 	for _, srcIP := range c.localSubnets {
-		if err := c.iptIface.AddClusterEgressRules(srcIP, snatIP, globalNetIPTableMark); err != nil {
+		if err := c.pfIface.AddClusterEgressRules(srcIP, snatIP, globalNetIPTableMark); err != nil {
 			_ = c.deleteClusterGlobalEgressRules(egressRulesProgrammed, snatIP)
 
 			return err //nolint:wrapcheck  // Let the caller wrap it

diff --git a/pkg/globalnet/controllers/cluster_egressip_controller_test.go b/pkg/globalnet/controllers/cluster_egressip_controller_test.go
@@ -30,6 +30,7 @@ import (
 	"github.com/submariner-io/submariner/pkg/globalnet/constants"
 	"github.com/submariner-io/submariner/pkg/globalnet/controllers"
 	"github.com/submariner-io/submariner/pkg/ipam"
+	"github.com/submariner-io/submariner/pkg/packetfilter"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -39,7 +40,7 @@ var _ = Describe("ClusterGlobalEgressIP controller", func() {
 	When("the well-known ClusterGlobalEgressIP does not exist on startup", func() {
 		It("should create it and allocate the default number of global IPs", func() {
 			t.awaitClusterGlobalEgressIPStatusAllocated(controllers.DefaultNumberOfClusterEgressIPs)
-			t.awaitIPTableRules(getGlobalEgressIPStatus(t.clusterGlobalEgressIPs, constants.ClusterGlobalEgressIPName).AllocatedIPs...)
+			t.awaitPacketFilterRules(getGlobalEgressIPStatus(t.clusterGlobalEgressIPs, constants.ClusterGlobalEgressIPName).AllocatedIPs...)
 		})
 	})
 
@@ -74,7 +75,7 @@ var _ = Describe("ClusterGlobalEgressIP controller", func() {
 				})
 
 				It("should program the necessary IP table rules for the allocated IPs", func() {
-					t.awaitIPTableRules(existing.Status.AllocatedIPs...)
+					t.awaitPacketFilterRules(existing.Status.AllocatedIPs...)
 				})
 			})
 
@@ -87,12 +88,12 @@ var _ = Describe("ClusterGlobalEgressIP controller", func() {
 
 				It("should reallocate the global IPs", func() {
 					t.awaitClusterGlobalEgressIPStatusAllocated(*existing.Spec.NumberOfIPs)
-					t.awaitIPTableRules(getGlobalEgressIPStatus(t.clusterGlobalEgressIPs, constants.ClusterGlobalEgressIPName).AllocatedIPs...)
+					t.awaitPacketFilterRules(getGlobalEgressIPStatus(t.clusterGlobalEgressIPs, constants.ClusterGlobalEgressIPName).AllocatedIPs...)
 				})
 
 				It("should release the previously allocated IPs", func() {
 					t.awaitIPsReleasedFromPool(existing.Status.AllocatedIPs...)
-					t.awaitNoIPTableRules(existing.Status.AllocatedIPs...)
+					t.awaitNoPacketFilterRules(existing.Status.AllocatedIPs...)
 				})
 			})
 
@@ -121,14 +122,14 @@ var _ = Describe("ClusterGlobalEgressIP controller", func() {
 						Status: metav1.ConditionTrue,
 					})
 
-					t.awaitIPTableRules(getGlobalEgressIPStatus(t.clusterGlobalEgressIPs, constants.ClusterGlobalEgressIPName).AllocatedIPs...)
+					t.awaitPacketFilterRules(getGlobalEgressIPStatus(t.clusterGlobalEgressIPs, constants.ClusterGlobalEgressIPName).AllocatedIPs...)
 				})
 			})
 
 			Context("and programming the IP table rules fails", func() {
 				BeforeEach(func() {
 					t.createClusterGlobalEgressIP(existing)
-					t.ipt.AddFailOnAppendRuleMatcher(ContainSubstring(existing.Status.AllocatedIPs[0]))
+					t.pFilter.AddFailOnAppendRuleMatcher(ContainSubstring(existing.Status.AllocatedIPs[0]))
 				})
 
 				It("should reallocate the global IPs", func() {
@@ -142,7 +143,7 @@ var _ = Describe("ClusterGlobalEgressIP controller", func() {
 					})
 
 					allocatedIPs := getGlobalEgressIPStatus(t.clusterGlobalEgressIPs, constants.ClusterGlobalEgressIPName).AllocatedIPs
-					t.awaitIPTableRules(allocatedIPs...)
+					t.awaitPacketFilterRules(allocatedIPs...)
 					t.awaitIPsReleasedFromPool(existing.Status.AllocatedIPs...)
 				})
 			})
@@ -225,12 +226,12 @@ var _ = Describe("ClusterGlobalEgressIP controller", func() {
 
 			It("should reallocate the global IPs", func() {
 				t.awaitClusterGlobalEgressIPStatusAllocated(numberOfIPs)
-				t.awaitIPTableRules(getGlobalEgressIPStatus(t.clusterGlobalEgressIPs, constants.ClusterGlobalEgressIPName).AllocatedIPs...)
+				t.awaitPacketFilterRules(getGlobalEgressIPStatus(t.clusterGlobalEgressIPs, constants.ClusterGlobalEgressIPName).AllocatedIPs...)
 			})
 
 			It("should release the previously allocated IPs", func() {
 				t.awaitIPsReleasedFromPool(existing.Status.AllocatedIPs...)
-				t.awaitNoIPTableRules(existing.Status.AllocatedIPs...)
+				t.awaitNoPacketFilterRules(existing.Status.AllocatedIPs...)
 			})
 		})
 
@@ -241,12 +242,12 @@ var _ = Describe("ClusterGlobalEgressIP controller", func() {
 
 			It("should reallocate the global IPs", func() {
 				t.awaitClusterGlobalEgressIPStatusAllocated(numberOfIPs)
-				t.awaitIPTableRules(getGlobalEgressIPStatus(t.clusterGlobalEgressIPs, constants.ClusterGlobalEgressIPName).AllocatedIPs...)
+				t.awaitPacketFilterRules(getGlobalEgressIPStatus(t.clusterGlobalEgressIPs, constants.ClusterGlobalEgressIPName).AllocatedIPs...)
 			})
 
 			It("should release the previously allocated IPs", func() {
 				t.awaitIPsReleasedFromPool(existing.Status.AllocatedIPs...)
-				t.awaitNoIPTableRules(existing.Status.AllocatedIPs...)
+				t.awaitNoPacketFilterRules(existing.Status.AllocatedIPs...)
 			})
 		})
 
@@ -265,31 +266,31 @@ var _ = Describe("ClusterGlobalEgressIP controller", func() {
 
 			It("should release the previously allocated IPs", func() {
 				t.awaitIPsReleasedFromPool(existing.Status.AllocatedIPs...)
-				t.awaitNoIPTableRules(existing.Status.AllocatedIPs...)
+				t.awaitNoPacketFilterRules(existing.Status.AllocatedIPs...)
 			})
 		})
 
 		Context("and IP tables cleanup of previously allocated IPs initially fails", func() {
 			BeforeEach(func() {
 				numberOfIPs = *existing.Spec.NumberOfIPs + 1
-				t.ipt.AddFailOnDeleteRuleMatcher(ContainSubstring(existing.Status.AllocatedIPs[0]))
+				t.pFilter.AddFailOnDeleteRuleMatcher(ContainSubstring(existing.Status.AllocatedIPs[0]))
 			})
 
 			It("should eventually cleanup the IP tables and reallocate", func() {
-				t.awaitNoIPTableRules(existing.Status.AllocatedIPs...)
+				t.awaitNoPacketFilterRules(existing.Status.AllocatedIPs...)
 				t.awaitClusterGlobalEgressIPStatusAllocated(numberOfIPs)
-				t.awaitIPTableRules(getGlobalEgressIPStatus(t.clusterGlobalEgressIPs, constants.ClusterGlobalEgressIPName).AllocatedIPs...)
+				t.awaitPacketFilterRules(getGlobalEgressIPStatus(t.clusterGlobalEgressIPs, constants.ClusterGlobalEgressIPName).AllocatedIPs...)
 			})
 		})
 
 		Context("and programming of IP tables initially fails", func() {
 			BeforeEach(func() {
 				numberOfIPs = *existing.Spec.NumberOfIPs + 1
-				t.ipt.AddFailOnAppendRuleMatcher(Not(ContainSubstring(existing.Status.AllocatedIPs[0])))
+				t.pFilter.AddFailOnAppendRuleMatcher(Not(ContainSubstring(existing.Status.AllocatedIPs[0])))
 			})
 
 			It("should eventually reallocate the global IPs", func() {
-				t.awaitNoIPTableRules(existing.Status.AllocatedIPs...)
+				t.awaitNoPacketFilterRules(existing.Status.AllocatedIPs...)
 				t.awaitEgressIPStatus(t.clusterGlobalEgressIPs, constants.ClusterGlobalEgressIPName, numberOfIPs, metav1.Condition{
 					Type:   string(submarinerv1.GlobalEgressIPAllocated),
 					Status: metav1.ConditionFalse,
@@ -298,7 +299,7 @@ var _ = Describe("ClusterGlobalEgressIP controller", func() {
 					Type:   string(submarinerv1.GlobalEgressIPAllocated),
 					Status: metav1.ConditionTrue,
 				})
-				t.awaitIPTableRules(getGlobalEgressIPStatus(t.clusterGlobalEgressIPs, constants.ClusterGlobalEgressIPName).AllocatedIPs...)
+				t.awaitPacketFilterRules(getGlobalEgressIPStatus(t.clusterGlobalEgressIPs, constants.ClusterGlobalEgressIPName).AllocatedIPs...)
 			})
 		})
 
@@ -393,14 +394,14 @@ func (t *clusterGlobalEgressIPControllerTestDriver) start() {
 	Expect(t.controller.Start()).To(Succeed())
 }
 
-func (t *clusterGlobalEgressIPControllerTestDriver) awaitIPTableRules(ips ...string) {
-	t.ipt.AwaitRule("nat", constants.SmGlobalnetEgressChainForCluster, ContainSubstring(getSNATAddress(ips...)))
+func (t *clusterGlobalEgressIPControllerTestDriver) awaitPacketFilterRules(ips ...string) {
+	t.pFilter.AwaitRule(packetfilter.TableTypeNAT, constants.SmGlobalnetEgressChainForCluster, ContainSubstring(getSNATAddress(ips...)))
 
 	for _, localSubnet := range t.localSubnets {
-		t.ipt.AwaitRule("nat", constants.SmGlobalnetEgressChainForCluster, ContainSubstring(localSubnet))
+		t.pFilter.AwaitRule(packetfilter.TableTypeNAT, constants.SmGlobalnetEgressChainForCluster, ContainSubstring(localSubnet))
 	}
 }
 
-func (t *clusterGlobalEgressIPControllerTestDriver) awaitNoIPTableRules(ips ...string) {
-	t.ipt.AwaitNoRule("nat", constants.SmGlobalnetEgressChainForCluster, ContainSubstring(getSNATAddress(ips...)))
+func (t *clusterGlobalEgressIPControllerTestDriver) awaitNoPacketFilterRules(ips ...string) {
+	t.pFilter.AwaitNoRule(packetfilter.TableTypeNAT, constants.SmGlobalnetEgressChainForCluster, ContainSubstring(getSNATAddress(ips...)))
 }
diff --git a/pkg/globalnet/controllers/controllers_suite_test.go b/pkg/globalnet/controllers/controllers_suite_test.go
@@ -38,8 +38,8 @@ import (
 	"github.com/submariner-io/submariner/pkg/ipam"
 	"github.com/submariner-io/submariner/pkg/ipset"
 	fakeIPSet "github.com/submariner-io/submariner/pkg/ipset/fake"
-	"github.com/submariner-io/submariner/pkg/iptables"
-	fakeIPT "github.com/submariner-io/submariner/pkg/iptables/fake"
+	"github.com/submariner-io/submariner/pkg/packetfilter"
+	fakePF "github.com/submariner-io/submariner/pkg/packetfilter/fake"
 	routeAgent "github.com/submariner-io/submariner/pkg/routeagent_driver/constants"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
@@ -88,7 +88,7 @@ type testDriverBase struct {
 	restMapper             meta.RESTMapper
 	dynClient              *dynamicfake.FakeDynamicClient
 	scheme                 *runtime.Scheme
-	ipt                    *fakeIPT.IPTables
+	pFilter                *fakePF.PacketFilter
 	ipSet                  *fakeIPSet.IPSet
 	pool                   *ipam.IPPool
 	localSubnets           []string
@@ -109,12 +109,11 @@ func newTestDriverBase() *testDriverBase {
 		restMapper: test.GetRESTMapperFor(&submarinerv1.Endpoint{}, &corev1.Service{}, &corev1.Node{}, &corev1.Pod{}, &corev1.Endpoints{},
 			&submarinerv1.GlobalEgressIP{}, &submarinerv1.ClusterGlobalEgressIP{}, &submarinerv1.GlobalIngressIP{}, &mcsv1a1.ServiceExport{}),
 		scheme:       runtime.NewScheme(),
-		ipt:          fakeIPT.New(),
+		pFilter:      fakePF.New(),
 		ipSet:        fakeIPSet.New(),
 		globalCIDR:   localCIDR,
 		localSubnets: []string{},
 	}
-
 	Expect(mcsv1a1.AddToScheme(t.scheme)).To(Succeed())
 	Expect(submarinerv1.AddToScheme(t.scheme)).To(Succeed())
 	Expect(corev1.AddToScheme(t.scheme)).To(Succeed())
@@ -140,10 +139,6 @@ func newTestDriverBase() *testDriverBase {
 
 	t.nodes = t.dynClient.Resource(*test.GetGroupVersionResourceFor(t.restMapper, &corev1.Node{}))
 
-	iptables.NewFunc = func() (iptables.Interface, error) {
-		return t.ipt, nil
-	}
-
 	ipset.NewFunc = func() ipset.Interface {
 		return t.ipSet
 	}
@@ -153,8 +148,6 @@ func newTestDriverBase() *testDriverBase {
 
 func (t *testDriverBase) afterEach() {
 	t.controller.Stop()
-
-	iptables.NewFunc = nil
 }
 
 func (t *testDriverBase) verifyIPsReservedInPool(ips ...string) {
@@ -231,8 +224,10 @@ func (t *testDriverBase) createServiceExport(s *corev1.Service) {
 	})
 }
 
-func (t *testDriverBase) createIPTableChain(table, chain string) {
-	_ = t.ipt.NewChain(table, chain)
+func (t *testDriverBase) createPFilterChain(table packetfilter.TableType, chain string) {
+	_ = t.pFilter.CreateChainIfNotExists(table, &packetfilter.Chain{
+		Name: chain,
+	})
 }
 
 func (t *testDriverBase) getGlobalIngressIPStatus(name string) *submarinerv1.GlobalIngressIPStatus {