-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Initial nftables prototype implementation #8780
base: master
Are you sure you want to change the base?
Initial nftables prototype implementation #8780
Conversation
felix/dataplane/driver.go
Outdated
@@ -207,6 +207,7 @@ func StartDataplaneDriver(configParams *config.Config, | |||
NetlinkTimeout: configParams.NetlinkTimeoutSecs, | |||
}, | |||
RulesConfig: rules.Config{ | |||
NFTables: true, // TODO |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Still need to add a FelixConfiguration option and plumb this through.
@@ -110,7 +112,7 @@ func (c *endpointManagerCallbacks) InvokeRemoveWorkload(old *proto.WorkloadEndpo | |||
// endpointManager manages the dataplane resources that belong to each endpoint as well as | |||
// the "dispatch chains" that fan out packets to the right per-endpoint chain. | |||
// | |||
// It programs the relevant iptables chains (via the iptables.Table objects) along with | |||
// It programs the relevant iptables chains (via the generictables.Table objects) along with |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Need to do a sweep through of comments and variables that refer to iptables explicitly and make them generic. Low priority.
ruleRenderer rules.RuleRenderer | ||
routeTable routetable.RouteTableInterface | ||
writeProcSys procSysWriter | ||
osStat func(path string) (os.FileInfo, error) | ||
epMarkMapper rules.EndpointMarkMapper | ||
newMatch func() generictables.MatchCriteria |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These two fields allow the implementation of endpointManager (and other structs that follow the same pattern) to be agnostic to the underlying match / action implementation.
nft knftables.Interface | ||
} | ||
|
||
func NewIPSets(ipVersionConfig *ipsets.IPVersionConfig, nft knftables.Interface) *IPSets { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is largely a copy/paste from the existing IPSet dataplane code, but modified to render sets to nftables. Most of member / set tracking logic is exactly the same, and it's just how they are written that differs. Can probably come up with a better way to share code here, but for now this is working.
} | ||
|
||
func (m nftMatch) RPFCheckPassed(acceptLocal bool) generictables.MatchCriteria { | ||
// TODO: acceptLocal is not supported in nftables mode. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As far as I've been able to discover...
e.g., the iptables-translate
utility doesn't know what to do with it.
rules = append(rules, Rule{ | ||
Action: JumpAction{Target: failsafeChain}, | ||
rules = append(rules, generictables.Rule{ | ||
Match: r.NewMatch(), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One of the unfortunate consequences of using an interface type for the match is that leaving the Match
type nil
is no longer viable, as it results in nil pointer exceptions when calling bound functions where previously the function would have been called on a nil
slice.
92b2660
to
7b2f666
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would it make sense to rename generictables
(sounds pretty generic, but it is not so much ;-) ) to say linuxtables
or nettables
and place both iptables
and nftables
below that? Now we have 3 top level tables packages, which are for linux only and one is just interfaces.
UpdateChains([]*iptables.Chain) | ||
RemoveChains([]*iptables.Chain) | ||
// Table is a shim interface for generictables.Table. | ||
type Table interface { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: What if we move this type now to generictables as say RuleChains
and embed it in Table
?
@tomastigera yep, I think those are both better! |
6d4c097
to
e7f8874
Compare
e8fc103
to
b5aa960
Compare
7c23a59
to
f6c62fe
Compare
Description
This is still a WIP, but putting it up in order to get initial feedback
and to get some CI runs started.
Todos
Release Note
Reminder for the reviewer
Make sure that this PR has the correct labels and milestone set.
Every PR needs one
docs-*
label.docs-pr-required
: This change requires a change to the documentation that has not been completed yet.docs-completed
: This change has all necessary documentation completed.docs-not-required
: This change has no user-facing impact and requires no docs.Every PR needs one
release-note-*
label.release-note-required
: This PR has user-facing changes. Most PRs should have this label.release-note-not-required
: This PR has no user-facing changes.Other optional labels:
cherry-pick-candidate
: This PR should be cherry-picked to an earlier release. For bug fixes only.needs-operator-pr
: This PR is related to install and requires a corresponding change to the operator.