From 24b4749fdbdf887a8896bcf0d4b57fc2fa83a497 Mon Sep 17 00:00:00 2001
From: Martin Kennelly
Date: Wed, 4 Sep 2024 13:46:09 +0100
Subject: [PATCH] UDN LGW: ensure masq chain exists before adding rules

Prior to this PR, we may try to insert a rule to jump to a chain that doesn't exist.

Signed-off-by: Martin Kennelly
---
 go-controller/pkg/node/gateway_iptables.go | 12 ++++++++++++
 go-controller/pkg/node/gateway_localnet.go | 5 +++++
 2 files changed, 17 insertions(+)

diff --git a/go-controller/pkg/node/gateway_iptables.go b/go-controller/pkg/node/gateway_iptables.go
index df7a3f0ba5e..39dea4842a2 100644
--- a/go-controller/pkg/node/gateway_iptables.go
+++ b/go-controller/pkg/node/gateway_iptables.go
@@ -79,6 +79,18 @@ func deleteIptRules(rules []nodeipt.Rule) error {
 return nodeipt.DelRules(rules)
 }
 
+// ensureChain ensures that a chain exists within a table
+func ensureChain(table, chain string) error {
+ for _, proto := range clusterIPTablesProtocols() {
+ ipt, err := util.GetIPTablesHelper(proto)
+ if err != nil {
+ return fmt.Errorf("failed to get IPTables helper to add UDN chain: %v", err)
+ }
+ addChaintoTable(ipt, table, chain)
+ }
+ return nil
+}
+
 func getGatewayInitRules(chain string, proto iptables.Protocol) []nodeipt.Rule {
 iptRules := []nodeipt.Rule{}
 if chain == egressservice.Chain {
diff --git a/go-controller/pkg/node/gateway_localnet.go b/go-controller/pkg/node/gateway_localnet.go
index 543cda0be58..87e27bb3884 100644
--- a/go-controller/pkg/node/gateway_localnet.go
+++ b/go-controller/pkg/node/gateway_localnet.go
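Review bot: ensureChain discards whatever addChaintoTable reports on the `addChaintoTable(ipt, table, chain)` line, so if that helper only logs a NewChain failure (its body is outside this hunk) a chain that could not be created at all — as opposed to one that already existed — still yields a nil error, and the caller's later jump-rule insert fails with a less specific message than this function was added to prevent. Have addChaintoTable return any error other than "chain already exists", or re-check the chain's presence after the call, and propagate that from the loop. The helper error on the preceding lines is wrapped with `%v` and a UDN-specific message although the function takes an arbitrary table and chain; `%w` would also match the `%w` wrap in the gateway_localnet.go caller: `return fmt.Errorf("failed to get IPTables helper to add chain %s in table %s: %w", chain, table, err)`. The doc comment should be a full sentence: `// ensureChain ensures that a chain exists within a table.`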
@@ -26,6 +26,11 @@ func newLocalGateway(nodeName string, hostSubnets []*net.IPNet, gwNextHops []net
 klog.Info("Creating new local gateway")
 gw := &gateway{}
+ if util.IsNetworkSegmentationSupportEnabled() {
+ if err := ensureChain("nat", iptableUDNMasqueradeChain); err != nil {
+ return nil, fmt.Errorf("failed to ensure chain %s in NAT table: %w", iptableUDNMasqueradeChain, err)
+ }
+ }
 for _, hostSubnet := range hostSubnets {
 // local gateway mode uses mp0 as default path for all ingress traffic into OVN
 var nextHop *net.IPNet