firewall: add option to disable fully-random mode for MASQUERADE

main.go

@@ -85,6 +85,7 @@ type CmdLineOpts struct {
 	iface                     flagSlice
 	ifaceRegex                flagSlice
 	ipMasq                    bool
+	ipMasqRandomFullyDisable  bool
 	ifaceCanReach             string
 	subnetFile                string
 	publicIP                  string
@@ -122,6 +123,7 @@ func init() {
 	flannelFlags.StringVar(&opts.publicIPv6, "public-ipv6", "", "IPv6 accessible by other nodes for inter-host communication")
 	flannelFlags.IntVar(&opts.subnetLeaseRenewMargin, "subnet-lease-renew-margin", 60, "subnet lease renewal margin, in minutes, ranging from 1 to 1439")
 	flannelFlags.BoolVar(&opts.ipMasq, "ip-masq", false, "setup IP masquerade rule for traffic destined outside of overlay network")
+	flannelFlags.BoolVar(&opts.ipMasqRandomFullyDisable, "ip-masq-fully-random-disable", false, "disable fully-random mode for MASQUERADE")
 	flannelFlags.BoolVar(&opts.kubeSubnetMgr, "kube-subnet-mgr", false, "contact the Kubernetes API for subnet assignment instead of etcd.")
 	flannelFlags.StringVar(&opts.kubeApiUrl, "kube-api-url", "", "Kubernetes API server URL. Does not need to be specified if flannel is running in a pod.")
 	flannelFlags.StringVar(&opts.kubeAnnotationPrefix, "kube-annotation-prefix", "flannel.alpha.coreos.com", `Kubernetes annotation prefix. Can contain single slash "/", otherwise it will be appended at the end.`)
@@ -405,7 +407,8 @@ func main() {
 			config.IPv6Network, prevIPv6Subnet,
 			prevIPv6Network,
 			bn.Lease(),
-			opts.iptablesResyncSeconds)
+			opts.iptablesResyncSeconds,
+			opts.ipMasqRandomFullyDisable)
 		if err != nil {
 			log.Errorf("Failed to setup masq rules, %v", err)
 			cancel()

pkg/trafficmngr/iptables/iptables.go

@@ -92,7 +92,8 @@ func (iptm *IPTablesManager) CleanUp(ctx context.Context) error {
 func (iptm *IPTablesManager) SetupAndEnsureMasqRules(ctx context.Context, flannelIPv4Net, prevSubnet, prevNetwork ip.IP4Net,
 	flannelIPv6Net, prevIPv6Subnet, prevIPv6Network ip.IP6Net,
 	currentlease *lease.Lease,
-	resyncPeriod int) error {
+	resyncPeriod int,
+	ipMasqRandomFullyDisable bool) error {
 
 	if !flannelIPv4Net.Empty() {
 		// recycle iptables rules only when network configured or subnet leased is not equal to current one.
@@ -102,14 +103,14 @@ func (iptm *IPTablesManager) SetupAndEnsureMasqRules(ctx context.Context, flanne
 			newLease := &lease.Lease{
 				Subnet: prevSubnet,
 			}
-			if err := iptm.deleteIP4Tables(iptm.masqRules(prevNetwork, newLease)); err != nil {
+			if err := iptm.deleteIP4Tables(iptm.masqRules(prevNetwork, newLease, ipMasqRandomFullyDisable)); err != nil {
 				return err
 			}
 		}
 
 		log.Infof("Setting up masking rules")
 		iptm.CreateIP4Chain("nat", "FLANNEL-POSTRTG")
-		go iptm.setupAndEnsureIP4Tables(ctx, iptm.masqRules(flannelIPv4Net, currentlease), resyncPeriod)
+		go iptm.setupAndEnsureIP4Tables(ctx, iptm.masqRules(flannelIPv4Net, currentlease, ipMasqRandomFullyDisable), resyncPeriod)
 	}
 	if !flannelIPv6Net.Empty() {
 		// recycle iptables rules only when network configured or subnet leased is not equal to current one.
@@ -119,19 +120,19 @@ func (iptm *IPTablesManager) SetupAndEnsureMasqRules(ctx context.Context, flanne
 			newLease := &lease.Lease{
 				IPv6Subnet: prevIPv6Subnet,
 			}
-			if err := iptm.deleteIP6Tables(iptm.masqIP6Rules(prevIPv6Network, newLease)); err != nil {
+			if err := iptm.deleteIP6Tables(iptm.masqIP6Rules(prevIPv6Network, newLease, ipMasqRandomFullyDisable)); err != nil {
 				return err
 			}
 		}
 
 		log.Infof("Setting up masking rules for IPv6")
 		iptm.CreateIP6Chain("nat", "FLANNEL-POSTRTG")
-		go iptm.setupAndEnsureIP6Tables(ctx, iptm.masqIP6Rules(flannelIPv6Net, currentlease), resyncPeriod)
+		go iptm.setupAndEnsureIP6Tables(ctx, iptm.masqIP6Rules(flannelIPv6Net, currentlease, ipMasqRandomFullyDisable), resyncPeriod)
 	}
 	return nil
 }
 
-func (iptm *IPTablesManager) masqRules(ccidr ip.IP4Net, lease *lease.Lease) []trafficmngr.IPTablesRule {
+func (iptm *IPTablesManager) masqRules(ccidr ip.IP4Net, lease *lease.Lease, ipMasqRandomFullyDisable bool) []trafficmngr.IPTablesRule {
 	cluster_cidr := ccidr.String()
 
 	pod_cidr := lease.Subnet.String()
@@ -153,21 +154,21 @@ func (iptm *IPTablesManager) masqRules(ccidr ip.IP4Net, lease *lease.Lease) []tr
 	// Prevent performing Masquerade on external traffic which arrives from a Node that owns the container/pod IP address
 	rules = append(rules, trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"!", "-s", cluster_cidr, "-d", pod_cidr, "-m", "comment", "--comment", "flanneld masq", "-j", "RETURN"}})
 	// NAT if it's not multicast traffic
-	if supports_random_fully {
+	if supports_random_fully && !ipMasqRandomFullyDisable {
 		rules = append(rules, trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"-s", cluster_cidr, "!", "-d", "224.0.0.0/4", "-m", "comment", "--comment", "flanneld masq", "-j", "MASQUERADE", "--random-fully"}})
 	} else {
 		rules = append(rules, trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"-s", cluster_cidr, "!", "-d", "224.0.0.0/4", "-m", "comment", "--comment", "flanneld masq", "-j", "MASQUERADE"}})
 	}
 	// Masquerade anything headed towards flannel from the host
-	if supports_random_fully {
+	if supports_random_fully && !ipMasqRandomFullyDisable {
 		rules = append(rules, trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"!", "-s", cluster_cidr, "-d", cluster_cidr, "-m", "comment", "--comment", "flanneld masq", "-j", "MASQUERADE", "--random-fully"}})
 	} else {
 		rules = append(rules, trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"!", "-s", cluster_cidr, "-d", cluster_cidr, "-m", "comment", "--comment", "flanneld masq", "-j", "MASQUERADE"}})
 	}
 	return rules
 }
 
-func (iptm *IPTablesManager) masqIP6Rules(ccidr ip.IP6Net, lease *lease.Lease) []trafficmngr.IPTablesRule {
+func (iptm *IPTablesManager) masqIP6Rules(ccidr ip.IP6Net, lease *lease.Lease, ipMasqRandomFullyDisable bool) []trafficmngr.IPTablesRule {
 	cluster_cidr := ccidr.String()
 	pod_cidr := lease.IPv6Subnet.String()
 	ipt, err := iptables.NewWithProtocol(iptables.ProtocolIPv6)
@@ -190,14 +191,14 @@ func (iptm *IPTablesManager) masqIP6Rules(ccidr ip.IP6Net, lease *lease.Lease) [
 	// Prevent performing Masquerade on external traffic which arrives from a Node that owns the container/pod IP address
 	rules = append(rules, trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"!", "-s", cluster_cidr, "-d", pod_cidr, "-m", "comment", "--comment", "flanneld masq", "-j", "RETURN"}})
 	// NAT if it's not multicast traffic
-	if supports_random_fully {
+	if supports_random_fully && !ipMasqRandomFullyDisable {
 		rules = append(rules, trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"-s", cluster_cidr, "!", "-d", "ff00::/8", "-m", "comment", "--comment", "flanneld masq", "-j", "MASQUERADE", "--random-fully"}})
 	} else {
 		rules = append(rules, trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"-s", cluster_cidr, "!", "-d", "ff00::/8", "-m", "comment", "--comment", "flanneld masq", "-j", "MASQUERADE"}})
 	}
 
 	// Masquerade anything headed towards flannel from the host
-	if supports_random_fully {
+	if supports_random_fully && !ipMasqRandomFullyDisable {
 		rules = append(rules, trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"!", "-s", cluster_cidr, "-d", cluster_cidr, "-m", "comment", "--comment", "flanneld masq", "-j", "MASQUERADE", "--random-fully"}})
 	} else {
 		rules = append(rules, trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"!", "-s", cluster_cidr, "-d", cluster_cidr, "-m", "comment", "--comment", "flanneld masq", "-j", "MASQUERADE"}})

pkg/trafficmngr/iptables/iptables_test.go

@@ -125,7 +125,7 @@ func TestDeleteRules(t *testing.T) {
 		ip.IP4Net{
 			IP:        ip.MustParseIP4("10.0.1.0"),
 			PrefixLen: 16,
-		}, testingLease())
+		}, testingLease(), false)
 	expectedRules := expectedTearDownIPTablesRestoreRules(baseRules)
 
 	err := ipTablesBootstrap(ipt, iptr, baseRules)

pkg/trafficmngr/iptables/iptables_windows.go

@@ -49,7 +49,8 @@ func (iptm *IPTablesManager) SetupAndEnsureForwardRules(ctx context.Context, fla
 func (iptm *IPTablesManager) SetupAndEnsureMasqRules(ctx context.Context, flannelIPv4Net, prevSubnet, prevNetwork ip.IP4Net,
 	flannelIPv6Net, prevIPv6Subnet, prevIPv6Network ip.IP6Net,
 	currentlease *lease.Lease,
-	resyncPeriod int) error {
+	resyncPeriod int,
+	ipMasqRandomFullyDisable bool) error {
 	log.Warning(trafficmngr.ErrUnimplemented)
 	return nil
 }

pkg/trafficmngr/nftables/nftables.go

@@ -149,7 +149,8 @@ func (nftm *NFTablesManager) SetupAndEnsureForwardRules(ctx context.Context,
 func (nftm *NFTablesManager) SetupAndEnsureMasqRules(ctx context.Context, flannelIPv4Net, prevSubnet, prevNetwork ip.IP4Net,
 	flannelIPv6Net, prevIPv6Subnet, prevIPv6Network ip.IP6Net,
 	currentlease *lease.Lease,
-	resyncPeriod int) error {
+	resyncPeriod int,
+	ipMasqRandomFullyDisable bool) error {
 	if !flannelIPv4Net.Empty() {
 		log.Infof("nftables: setting up masking rules (ipv4)")
 		tx := nftm.nftv4.NewTransaction()
@@ -166,7 +167,7 @@ func (nftm *NFTablesManager) SetupAndEnsureMasqRules(ctx context.Context, flanne
 		tx.Flush(&knftables.Chain{
 			Name: postrtgChain,
 		})
-		err := nftm.addMasqRules(ctx, tx, flannelIPv4Net.String(), currentlease.Subnet.String(), knftables.IPv4Family)
+		err := nftm.addMasqRules(ctx, tx, flannelIPv4Net.String(), currentlease.Subnet.String(), knftables.IPv4Family, ipMasqRandomFullyDisable)
 		if err != nil {
 			return fmt.Errorf("nftables: couldn't setup masq rules: %v", err)
 		}
@@ -191,7 +192,7 @@ func (nftm *NFTablesManager) SetupAndEnsureMasqRules(ctx context.Context, flanne
 		tx.Flush(&knftables.Chain{
 			Name: postrtgChain,
 		})
-		err := nftm.addMasqRules(ctx, tx, flannelIPv6Net.String(), currentlease.IPv6Subnet.String(), knftables.IPv6Family)
+		err := nftm.addMasqRules(ctx, tx, flannelIPv6Net.String(), currentlease.IPv6Subnet.String(), knftables.IPv6Family, ipMasqRandomFullyDisable)
 		if err != nil {
 			return fmt.Errorf("nftables: couldn't setup masq rules: %v", err)
 		}
@@ -207,9 +208,10 @@ func (nftm *NFTablesManager) SetupAndEnsureMasqRules(ctx context.Context, flanne
 func (nftm *NFTablesManager) addMasqRules(ctx context.Context,
 	tx *knftables.Transaction,
 	clusterCidr, podCidr string,
-	family knftables.Family) error {
+	family knftables.Family,
+	ipMasqRandomFullyDisable bool) error {
 	masquerade := "masquerade fully-random"
-	if !nftm.checkRandomfully(ctx) {
+	if !nftm.checkRandomfully(ctx) || ipMasqRandomFullyDisable {
 		masquerade = "masquerade"
 	}
 

pkg/trafficmngr/nftables/nftables_windows.go

@@ -43,7 +43,8 @@ func (nftm *NFTablesManager) SetupAndEnsureForwardRules(ctx context.Context,
 func (nftm *NFTablesManager) SetupAndEnsureMasqRules(ctx context.Context, flannelIPv4Net, prevSubnet, prevNetwork ip.IP4Net,
 	flannelIPv6Net, prevIPv6Subnet, prevIPv6Network ip.IP6Net,
 	currentlease *lease.Lease,
-	resyncPeriod int) error {
+	resyncPeriod int,
+	ipMasqRandomFullyDisable bool) error {
 	log.Warning(trafficmngr.ErrUnimplemented)
 	return nil
 }

pkg/trafficmngr/trafficmngr.go

@@ -55,5 +55,6 @@ type TrafficManager interface {
 		flannelIPv4Net, prevSubnet, prevNetwork ip.IP4Net,
 		flannelIPv6Net, prevIPv6Subnet, prevIPv6Network ip.IP6Net,
 		currentlease *lease.Lease,
-		resyncPeriod int) error
+		resyncPeriod int,
+		ipMasqRandomFullyDisable bool) error
 }