golang
/
flannel


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208
							// +build !windows

// Copyright 2017 flannel authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package ipip

import (
	"encoding/json"
	"fmt"
	"syscall"

	"sync"

	"github.com/coreos/flannel/backend"
	"github.com/coreos/flannel/pkg/ip"
	"github.com/coreos/flannel/subnet"
	log "github.com/golang/glog"
	"github.com/vishvananda/netlink"
	"golang.org/x/net/context"
)

const (
	backendType = "ipip"
	tunnelName  = "flannel.ipip"
)

func init() {
	backend.Register(backendType, New)
}

type IPIPBackend struct {
	sm       subnet.Manager
	extIface *backend.ExternalInterface
}

func New(sm subnet.Manager, extIface *backend.ExternalInterface) (backend.Backend, error) {
	be := &IPIPBackend{
		sm:       sm,
		extIface: extIface,
	}
	return be, nil
}

func (be *IPIPBackend) RegisterNetwork(ctx context.Context, wg sync.WaitGroup, config *subnet.Config) (backend.Network, error) {
	cfg := struct {
		DirectRouting bool
	}{}

	if len(config.Backend) > 0 {
		if err := json.Unmarshal(config.Backend, &cfg); err != nil {
			return nil, fmt.Errorf("error decoding IPIP backend config: %v", err)
		}
	}

	log.Infof("IPIP config: DirectRouting=%v", cfg.DirectRouting)

	n := &backend.RouteNetwork{
		SimpleNetwork: backend.SimpleNetwork{
			ExtIface: be.extIface,
		},
		SM:          be.sm,
		BackendType: backendType,
	}

	attrs := &subnet.LeaseAttrs{
		PublicIP:    ip.FromIP(be.extIface.ExtAddr),
		BackendType: backendType,
	}

	l, err := be.sm.AcquireLease(ctx, attrs)
	switch err {
	case nil:
		n.SubnetLease = l
	case context.Canceled, context.DeadlineExceeded:
		return nil, err
	default:
		return nil, fmt.Errorf("failed to acquire lease: %v", err)
	}

	link, err := be.configureIPIPDevice(n.SubnetLease)

	if err != nil {
		return nil, err
	}

	n.Mtu = link.MTU
	n.LinkIndex = link.Index
	n.GetRoute = func(lease *subnet.Lease) *netlink.Route {
		route := netlink.Route{
			Dst:       lease.Subnet.ToIPNet(),
			Gw:        lease.Attrs.PublicIP.ToIP(),
			LinkIndex: n.LinkIndex,
			Flags:     int(netlink.FLAG_ONLINK),
		}

		if cfg.DirectRouting {
			dr, err := ip.DirectRouting(lease.Attrs.PublicIP.ToIP())

			if err != nil {
				log.Error(err)
			}

			if dr {
				log.V(2).Infof("configure route to %v via direct routing", lease.Attrs.PublicIP.String())
				route.LinkIndex = n.ExtIface.Iface.Index
			}
		}

		return &route
	}

	return n, nil
}

func (be *IPIPBackend) configureIPIPDevice(lease *subnet.Lease) (*netlink.Iptun, error) {
	// When modprobe ipip module, a tunl0 ipip device is created automatically per network namespace by ipip kernel module.
	// It is the namespace default IPIP device with attributes local=any and remote=any.
	// When receiving IPIP protocol packets, kernel will forward them to tunl0 as a fallback device
	// if it can't find an option whose local/remote attribute matches their src/dst ip address more precisely.
	// See https://github.com/torvalds/linux/blob/v4.13/net/ipv4/ip_tunnel.c#L85-L95 .

	// So we have two options of creating ipip device, either rename tunl0 to flannel.ipip or create an new ipip device
	// and set local attribute of flannel.ipip to distinguish these two devices.
	// Considering tunl0 might be used by users, so choose the later option.
	link := &netlink.Iptun{LinkAttrs: netlink.LinkAttrs{Name: tunnelName}, Local: be.extIface.IfaceAddr}

	if err := netlink.LinkAdd(link); err != nil {
		if err != syscall.EEXIST {
			return nil, err
		}

		// The link already exists, so check existing link attributes.
		existing, err := netlink.LinkByName(tunnelName)
		if err != nil {
			return nil, err
		}

		// If there's an exists device but it's not an ipip/IpTun device then get the user to fix it (flannel shouldn't
		// delete a user's device)
		if existing.Type() != "ipip" {
			return nil, fmt.Errorf("%v isn't an ipip mode device, please remove device and try again", tunnelName)
		}
		ipip, ok := existing.(*netlink.Iptun)
		if !ok {
			return nil, fmt.Errorf("%s isn't an iptun device (%#v), please remove device and try again", tunnelName, link)
		}

		// local attribute may change if a user changes iface configuration, we need to recreate the device to ensure
		// local and remote attribute is expected.
		// local should be equal to the extIface.IfaceAddr and remote should be nil (or equal to 0.0.0.0)
		if ipip.Local == nil || !ipip.Local.Equal(be.extIface.IfaceAddr) || (ipip.Remote != nil && ipip.Remote.String() != "0.0.0.0") {
			log.Warningf("%q already exists with incompatable attributes: local=%v remote=%v; recreating device",
				tunnelName, ipip.Local, ipip.Remote)

			if err = netlink.LinkDel(existing); err != nil {
				return nil, fmt.Errorf("failed to delete interface: %v", err)
			}

			if err = netlink.LinkAdd(link); err != nil {
				return nil, fmt.Errorf("failed to create ipip interface: %v", err)
			}
		}
	}

	// Due to the extra 20 byte IP header that the tunnel will add to each packet,
	// MTU size for both the workload and tunnel interfaces should be 20 bytes less than the selected iface (specified with the --iface option).
	expectMTU := be.extIface.Iface.MTU - 20
	if expectMTU <= 0 {
		return nil, fmt.Errorf("MTU %d of iface %s is too small for ipip mode to work", be.extIface.Iface.MTU, be.extIface.Iface.Name)
	}

	oldMTU := link.Attrs().MTU
	if oldMTU > expectMTU || oldMTU == 0 {
		log.Infof("current MTU of %s is %d, setting it to %d", tunnelName, oldMTU, expectMTU)
		err := netlink.LinkSetMTU(link, expectMTU)

		if err != nil {
			return nil, fmt.Errorf("failed to set %v MTU to %d: %v", tunnelName, expectMTU, err)
		}
		// change MTU as it will be written into /run/flannel/subnet.env
		link.Attrs().MTU = expectMTU
	}

	// Ensure that the device has a /32 address so that no broadcast routes are created.
	// This IP is just used as a source address for host to workload traffic (so
	// the return path for the traffic has an address on the flannel network to use as the destination)
	if err := ip.EnsureV4AddressOnLink(ip.IP4Net{IP: lease.Subnet.IP, PrefixLen: 32}, link); err != nil {
		return nil, fmt.Errorf("failed to ensure address of interface %s: %s", link.Attrs().Name, err)
	}

	if err := netlink.LinkSetUp(link); err != nil {
		return nil, fmt.Errorf("failed to set %v UP: %v", tunnelName, err)
	}

	return link, nil
}