
  1. // +build !windows
  2. // Copyright 2017 flannel authors
  3. //
  4. // Licensed under the Apache License, Version 2.0 (the "License");
  5. // you may not use this file except in compliance with the License.
  6. // You may obtain a copy of the License at
  7. //
  8. // http://www.apache.org/licenses/LICENSE-2.0
  9. //
  10. // Unless required by applicable law or agreed to in writing, software
  11. // distributed under the License is distributed on an "AS IS" BASIS,
  12. // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13. // See the License for the specific language governing permissions and
  14. // limitations under the License.
  15. package ipip
  16. import (
  17. "encoding/json"
  18. "fmt"
  19. "syscall"
  20. "sync"
  21. "github.com/coreos/flannel/backend"
  22. "github.com/coreos/flannel/pkg/ip"
  23. "github.com/coreos/flannel/subnet"
  24. log "github.com/golang/glog"
  25. "github.com/vishvananda/netlink"
  26. "golang.org/x/net/context"
  27. )
// backendType is the name under which this backend is registered and the
// BackendType recorded on the leases it acquires.
const backendType = "ipip"

// tunnelName is the name of the ipip device flannel creates and manages.
// It is deliberately distinct from the kernel's own tunl0 fallback device.
const tunnelName = "flannel.ipip"
// init registers this backend under backendType so that the backend registry
// can construct it through New.
func init() {
	backend.Register(backendType, New)
}
// IPIPBackend implements backend.Backend using IP-in-IP (ipip) tunnels.
type IPIPBackend struct {
	// sm is used to acquire this host's subnet lease.
	sm subnet.Manager
	// extIface is the host interface whose address becomes the tunnel's local
	// endpoint and whose MTU bounds the tunnel MTU.
	extIface *backend.ExternalInterface
}
// New constructs an IPIPBackend bound to the given subnet manager and external
// interface. The error result is always nil.
func New(sm subnet.Manager, extIface *backend.ExternalInterface) (backend.Backend, error) {
	return &IPIPBackend{sm: sm, extIface: extIface}, nil
}
// RegisterNetwork acquires this host's subnet lease, ensures the flannel.ipip
// device exists and is configured, and returns a RouteNetwork whose routes send
// traffic for a remote lease through the tunnel. With DirectRouting enabled,
// a peer that ip.DirectRouting reports as directly reachable is instead routed
// over the external interface, bypassing the tunnel.
//
// config.Backend, when non-empty, is decoded as JSON for the optional
// DirectRouting flag; keys other than DirectRouting are ignored by the decoder.
//
// NOTE(review): wg is taken by value (copying a sync.WaitGroup) and is unused
// here; the signature is presumably dictated by the backend.Backend interface,
// so confirm before changing it. go vet's copylocks check will flag this.
func (be *IPIPBackend) RegisterNetwork(ctx context.Context, wg sync.WaitGroup, config *subnet.Config) (backend.Network, error) {
	var opts struct {
		DirectRouting bool
	}
	if len(config.Backend) > 0 {
		if err := json.Unmarshal(config.Backend, &opts); err != nil {
			return nil, fmt.Errorf("error decoding IPIP backend config: %v", err)
		}
	}
	log.Infof("IPIP config: DirectRouting=%v", opts.DirectRouting)

	network := &backend.RouteNetwork{
		SimpleNetwork: backend.SimpleNetwork{ExtIface: be.extIface},
		SM:            be.sm,
		BackendType:   backendType,
	}

	lease, err := be.sm.AcquireLease(ctx, &subnet.LeaseAttrs{
		PublicIP:    ip.FromIP(be.extIface.ExtAddr),
		BackendType: backendType,
	})
	if err != nil {
		// Context errors are passed through unwrapped so callers can recognise them.
		if err == context.Canceled || err == context.DeadlineExceeded {
			return nil, err
		}
		return nil, fmt.Errorf("failed to acquire lease: %v", err)
	}
	network.SubnetLease = lease

	tunnel, err := be.configureIPIPDevice(lease)
	if err != nil {
		return nil, err
	}
	network.Mtu = tunnel.MTU
	network.LinkIndex = tunnel.Index

	// GetRoute builds the route for a remote lease: via the tunnel by default,
	// or via the external interface when direct routing applies to the peer.
	network.GetRoute = func(remote *subnet.Lease) *netlink.Route {
		peer := remote.Attrs.PublicIP.ToIP()
		linkIndex := network.LinkIndex
		if opts.DirectRouting {
			// Best effort: a lookup failure is logged and the tunnel route is kept.
			direct, err := ip.DirectRouting(peer)
			if err != nil {
				log.Error(err)
			}
			if direct {
				log.V(2).Infof("configure route to %v via direct routing", remote.Attrs.PublicIP.String())
				linkIndex = network.ExtIface.Iface.Index
			}
		}
		return &netlink.Route{
			Dst:       remote.Subnet.ToIPNet(),
			Gw:        peer,
			LinkIndex: linkIndex,
			Flags:     int(netlink.FLAG_ONLINK),
		}
	}
	return network, nil
}
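// configureIPIPDevice ensures that the flannel.ipip tunnel device exists with
// the expected local/remote endpoints, has an MTU that accounts for the ipip
// encapsulation overhead, carries a /32 address taken from the lease's subnet,
// and is up. It returns the device so the caller can read its MTU and index.
//
// The only device this code will ever delete is one named tunnelName that is
// an ipip device whose endpoints no longer match this host's configuration;
// any other device of that name is reported to the user instead of removed.
func (be *IPIPBackend) configureIPIPDevice(lease *subnet.Lease) (*netlink.Iptun, error) {
	link, err := be.ensureTunnelLink()
	if err != nil {
		return nil, err
	}

	// Due to the extra 20 byte IP header that the tunnel will add to each packet,
	// MTU size for both the workload and tunnel interfaces should be 20 bytes less
	// than the selected iface (specified with the --iface option).
	expectMTU := be.extIface.Iface.MTU - 20
	if expectMTU <= 0 {
		return nil, fmt.Errorf("MTU %d of iface %s is too small for ipip mode to work", be.extIface.Iface.MTU, be.extIface.Iface.Name)
	}
	// When the device pre-existed, link is still the locally built struct, so
	// its MTU is 0 here and the MTU is always applied; the pre-existing
	// device's MTU is never consulted.
	oldMTU := link.Attrs().MTU
	if oldMTU > expectMTU || oldMTU == 0 {
		log.Infof("current MTU of %s is %d, setting it to %d", tunnelName, oldMTU, expectMTU)
		if err := netlink.LinkSetMTU(link, expectMTU); err != nil {
			return nil, fmt.Errorf("failed to set %v MTU to %d: %v", tunnelName, expectMTU, err)
		}
		// Keep the in-memory value in sync: it is what gets written into
		// /run/flannel/subnet.env.
		link.Attrs().MTU = expectMTU
	}

	// Ensure that the device has a /32 address so that no broadcast routes are created.
	// This IP is just used as a source address for host to workload traffic (so
	// the return path for the traffic has an address on the flannel network to use
	// as the destination).
	if err := ip.EnsureV4AddressOnLink(ip.IP4Net{IP: lease.Subnet.IP, PrefixLen: 32}, link); err != nil {
		return nil, fmt.Errorf("failed to ensure address of interface %s: %s", link.Attrs().Name, err)
	}
	if err := netlink.LinkSetUp(link); err != nil {
		return nil, fmt.Errorf("failed to set %v UP: %v", tunnelName, err)
	}
	return link, nil
}

// ensureTunnelLink creates the flannel.ipip device with local set to the
// external interface address, or validates the device that already exists
// under that name, recreating it when its endpoints do not match. The
// returned struct is the locally built one; its Index is copied from the
// existing device when that device is kept.
func (be *IPIPBackend) ensureTunnelLink() (*netlink.Iptun, error) {
	// When modprobe ipip module, a tunl0 ipip device is created automatically per network namespace by ipip kernel module.
	// It is the namespace default IPIP device with attributes local=any and remote=any.
	// When receiving IPIP protocol packets, kernel will forward them to tunl0 as a fallback device
	// if it can't find an option whose local/remote attribute matches their src/dst ip address more precisely.
	// See https://github.com/torvalds/linux/blob/v4.13/net/ipv4/ip_tunnel.c#L85-L95 .
	// So we have two options of creating ipip device, either rename tunl0 to flannel.ipip or create an new ipip device
	// and set local attribute of flannel.ipip to distinguish these two devices.
	// Considering tunl0 might be used by users, so choose the later option.
	link := &netlink.Iptun{LinkAttrs: netlink.LinkAttrs{Name: tunnelName}, Local: be.extIface.IfaceAddr}
	err := netlink.LinkAdd(link)
	if err == nil {
		return link, nil
	}
	if err != syscall.EEXIST {
		return nil, err
	}

	// The link already exists, so check existing link attributes.
	existing, err := netlink.LinkByName(tunnelName)
	if err != nil {
		return nil, err
	}
	// If there's an existing device but it's not an ipip/IpTun device then get the
	// user to fix it (flannel shouldn't delete a user's device).
	if existing.Type() != "ipip" {
		return nil, fmt.Errorf("%v isn't an ipip mode device, please remove device and try again", tunnelName)
	}
	ipip, ok := existing.(*netlink.Iptun)
	if !ok {
		// Report the device that was actually found, not the one we tried to create.
		return nil, fmt.Errorf("%s isn't an iptun device (%#v), please remove device and try again", tunnelName, existing)
	}
	// local attribute may change if a user changes iface configuration, we need to
	// recreate the device to ensure local and remote attribute is expected.
	// local should be equal to the extIface.IfaceAddr and remote should be nil
	// (or equal to 0.0.0.0).
	if ipip.Local == nil || !ipip.Local.Equal(be.extIface.IfaceAddr) || (ipip.Remote != nil && ipip.Remote.String() != "0.0.0.0") {
		log.Warningf("%q already exists with incompatable attributes: local=%v remote=%v; recreating device",
			tunnelName, ipip.Local, ipip.Remote)
		if err := netlink.LinkDel(existing); err != nil {
			return nil, fmt.Errorf("failed to delete interface: %v", err)
		}
		if err := netlink.LinkAdd(link); err != nil {
			return nil, fmt.Errorf("failed to create ipip interface: %v", err)
		}
		return link, nil
	}
	// The existing device is kept; carry its index over so the caller's
	// link.Index is the real one rather than the zero value of the local struct.
	link.Index = ipip.Attrs().Index
	return link, nil
}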