// +build !windows

// Copyright 2017 flannel authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

- package ipip
- import (
- "encoding/json"
- "fmt"
- "syscall"
- "sync"
- "github.com/coreos/flannel/backend"
- "github.com/coreos/flannel/pkg/ip"
- "github.com/coreos/flannel/subnet"
- log "github.com/golang/glog"
- "github.com/vishvananda/netlink"
- "golang.org/x/net/context"
- )
const (
	// backendType is the name this backend is registered under; it is also
	// stamped on the lease attributes and on the network it creates.
	backendType = "ipip"

	// tunnelName is the name of the IPIP tunnel device managed by this backend.
	tunnelName = "flannel.ipip"
)
- func init() {
- backend.Register(backendType, New)
- }
- type IPIPBackend struct {
- sm subnet.Manager
- extIface *backend.ExternalInterface
- }
- func New(sm subnet.Manager, extIface *backend.ExternalInterface) (backend.Backend, error) {
- be := &IPIPBackend{
- sm: sm,
- extIface: extIface,
- }
- return be, nil
- }
- func (be *IPIPBackend) RegisterNetwork(ctx context.Context, wg sync.WaitGroup, config *subnet.Config) (backend.Network, error) {
- cfg := struct {
- DirectRouting bool
- }{}
- if len(config.Backend) > 0 {
- if err := json.Unmarshal(config.Backend, &cfg); err != nil {
- return nil, fmt.Errorf("error decoding IPIP backend config: %v", err)
- }
- }
- log.Infof("IPIP config: DirectRouting=%v", cfg.DirectRouting)
- n := &backend.RouteNetwork{
- SimpleNetwork: backend.SimpleNetwork{
- ExtIface: be.extIface,
- },
- SM: be.sm,
- BackendType: backendType,
- }
- attrs := &subnet.LeaseAttrs{
- PublicIP: ip.FromIP(be.extIface.ExtAddr),
- BackendType: backendType,
- }
- l, err := be.sm.AcquireLease(ctx, attrs)
- switch err {
- case nil:
- n.SubnetLease = l
- case context.Canceled, context.DeadlineExceeded:
- return nil, err
- default:
- return nil, fmt.Errorf("failed to acquire lease: %v", err)
- }
- link, err := be.configureIPIPDevice(n.SubnetLease)
- if err != nil {
- return nil, err
- }
- n.Mtu = link.MTU
- n.LinkIndex = link.Index
- n.GetRoute = func(lease *subnet.Lease) *netlink.Route {
- route := netlink.Route{
- Dst: lease.Subnet.ToIPNet(),
- Gw: lease.Attrs.PublicIP.ToIP(),
- LinkIndex: n.LinkIndex,
- Flags: int(netlink.FLAG_ONLINK),
- }
- if cfg.DirectRouting {
- dr, err := ip.DirectRouting(lease.Attrs.PublicIP.ToIP())
- if err != nil {
- log.Error(err)
- }
- if dr {
- log.V(2).Infof("configure route to %v via direct routing", lease.Attrs.PublicIP.String())
- route.LinkIndex = n.ExtIface.Iface.Index
- }
- }
- return &route
- }
- return n, nil
- }
- func (be *IPIPBackend) configureIPIPDevice(lease *subnet.Lease) (*netlink.Iptun, error) {
- // When modprobe ipip module, a tunl0 ipip device is created automatically per network namespace by ipip kernel module.
- // It is the namespace default IPIP device with attributes local=any and remote=any.
- // When receiving IPIP protocol packets, kernel will forward them to tunl0 as a fallback device
- // if it can't find an option whose local/remote attribute matches their src/dst ip address more precisely.
- // See https://github.com/torvalds/linux/blob/v4.13/net/ipv4/ip_tunnel.c#L85-L95 .
- // So we have two options of creating ipip device, either rename tunl0 to flannel.ipip or create an new ipip device
- // and set local attribute of flannel.ipip to distinguish these two devices.
- // Considering tunl0 might be used by users, so choose the later option.
- link := &netlink.Iptun{LinkAttrs: netlink.LinkAttrs{Name: tunnelName}, Local: be.extIface.IfaceAddr}
- if err := netlink.LinkAdd(link); err != nil {
- if err != syscall.EEXIST {
- return nil, err
- }
- // The link already exists, so check existing link attributes.
- existing, err := netlink.LinkByName(tunnelName)
- if err != nil {
- return nil, err
- }
- // If there's an exists device but it's not an ipip/IpTun device then get the user to fix it (flannel shouldn't
- // delete a user's device)
- if existing.Type() != "ipip" {
- return nil, fmt.Errorf("%v isn't an ipip mode device, please remove device and try again", tunnelName)
- }
- ipip, ok := existing.(*netlink.Iptun)
- if !ok {
- return nil, fmt.Errorf("%s isn't an iptun device (%#v), please remove device and try again", tunnelName, link)
- }
- // local attribute may change if a user changes iface configuration, we need to recreate the device to ensure
- // local and remote attribute is expected.
- // local should be equal to the extIface.IfaceAddr and remote should be nil (or equal to 0.0.0.0)
- if ipip.Local == nil || !ipip.Local.Equal(be.extIface.IfaceAddr) || (ipip.Remote != nil && ipip.Remote.String() != "0.0.0.0") {
- log.Warningf("%q already exists with incompatable attributes: local=%v remote=%v; recreating device",
- tunnelName, ipip.Local, ipip.Remote)
- if err = netlink.LinkDel(existing); err != nil {
- return nil, fmt.Errorf("failed to delete interface: %v", err)
- }
- if err = netlink.LinkAdd(link); err != nil {
- return nil, fmt.Errorf("failed to create ipip interface: %v", err)
- }
- }
- }
- // Due to the extra 20 byte IP header that the tunnel will add to each packet,
- // MTU size for both the workload and tunnel interfaces should be 20 bytes less than the selected iface (specified with the --iface option).
- expectMTU := be.extIface.Iface.MTU - 20
- if expectMTU <= 0 {
- return nil, fmt.Errorf("MTU %d of iface %s is too small for ipip mode to work", be.extIface.Iface.MTU, be.extIface.Iface.Name)
- }
- oldMTU := link.Attrs().MTU
- if oldMTU > expectMTU || oldMTU == 0 {
- log.Infof("current MTU of %s is %d, setting it to %d", tunnelName, oldMTU, expectMTU)
- err := netlink.LinkSetMTU(link, expectMTU)
- if err != nil {
- return nil, fmt.Errorf("failed to set %v MTU to %d: %v", tunnelName, expectMTU, err)
- }
- // change MTU as it will be written into /run/flannel/subnet.env
- link.Attrs().MTU = expectMTU
- }
- // Ensure that the device has a /32 address so that no broadcast routes are created.
- // This IP is just used as a source address for host to workload traffic (so
- // the return path for the traffic has an address on the flannel network to use as the destination)
- if err := ip.EnsureV4AddressOnLink(ip.IP4Net{IP: lease.Subnet.IP, PrefixLen: 32}, link); err != nil {
- return nil, fmt.Errorf("failed to ensure address of interface %s: %s", link.Attrs().Name, err)
- }
- if err := netlink.LinkSetUp(link); err != nil {
- return nil, fmt.Errorf("failed to set %v UP: %v", tunnelName, err)
- }
- return link, nil
- }
|