From: Alexandre Derumier <aderumier@odiso.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH v9 pve-network 19/26] zones: evpn|simple: add snat iptables rules
Date: Mon, 5 Oct 2020 17:08:16 +0200 [thread overview]
Message-ID: <20201005150823.462387-20-aderumier@odiso.com> (raw)
In-Reply-To: <20201005150823.462387-1-aderumier@odiso.com>
(use snat instead masquerade for performance)
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
---
PVE/Network/SDN/Zones/EvpnPlugin.pm | 18 ++++++++++++++++++
PVE/Network/SDN/Zones/SimplePlugin.pm | 12 ++++++++++++
2 files changed, 30 insertions(+)
diff --git a/PVE/Network/SDN/Zones/EvpnPlugin.pm b/PVE/Network/SDN/Zones/EvpnPlugin.pm
index ff25f12..b89f4b1 100644
--- a/PVE/Network/SDN/Zones/EvpnPlugin.pm
+++ b/PVE/Network/SDN/Zones/EvpnPlugin.pm
@@ -51,6 +51,7 @@ sub generate_sdn_config {
my $vrf_iface = "vrf_$zoneid";
my $vrfvxlan = $plugin_config->{'vrf-vxlan'};
+ my $local_node = PVE::INotify::nodename();
die "missing vxlan tag" if !$tag;
warn "vlan-aware vnet can't be enabled with evpn plugin" if $vnet->{vlanaware};
@@ -86,6 +87,23 @@ sub generate_sdn_config {
push @iface_config, "address $gateway" if !defined($address->{$gateway});
$address->{$gateway} = 1;
}
+ if ($subnet->{snat}) {
+ my $gatewaynodes = $controller->{'gateway-nodes'};
+ my $is_evpn_gateway = "";
+ foreach my $evpn_gatewaynode (PVE::Tools::split_list($gatewaynodes)) {
+ $is_evpn_gateway = 1 if $evpn_gatewaynode eq $local_node;
+ }
+ #find outgoing interface
+ my ($outip, $outiface) = PVE::Network::SDN::Zones::Plugin::get_local_route_ip('8.8.8.8');
+ if ($outip && $outiface && $is_evpn_gateway) {
+ #use snat, faster than masquerade
+ push @iface_config, "post-up iptables -t nat -A POSTROUTING -s '$cidr' -o $outiface -j SNAT --to-source $outip";
+ push @iface_config, "post-down iptables -t nat -D POSTROUTING -s '$cidr' -o $outiface -j SNAT --to-source $outip";
+ #add conntrack zone once on outgoing interface
+ push @iface_config, "post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1";
+ push @iface_config, "post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1";
+ }
+ }
}
push @iface_config, "hwaddress $mac" if $mac;
diff --git a/PVE/Network/SDN/Zones/SimplePlugin.pm b/PVE/Network/SDN/Zones/SimplePlugin.pm
index a4299dd..c58ae87 100644
--- a/PVE/Network/SDN/Zones/SimplePlugin.pm
+++ b/PVE/Network/SDN/Zones/SimplePlugin.pm
@@ -48,6 +48,18 @@ sub generate_sdn_config {
#add route for /32 pointtopoint
my ($ip, $mask) = split(/\//, $cidr);
push @iface_config, "up ip route add $cidr dev $vnetid" if $mask == 32;
+ if ($subnet->{snat}) {
+ #find outgoing interface
+ my ($outip, $outiface) = PVE::Network::SDN::Zones::Plugin::get_local_route_ip('8.8.8.8');
+ if ($outip && $outiface) {
+ #use snat, faster than masquerade
+ push @iface_config, "post-up iptables -t nat -A POSTROUTING -s '$cidr' -o $outiface -j SNAT --to-source $outip";
+ push @iface_config, "post-down iptables -t nat -D POSTROUTING -s '$cidr' -o $outiface -j SNAT --to-source $outip";
+ #add conntrack zone once on outgoing interface
+ push @iface_config, "post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1";
+ push @iface_config, "post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1";
+ }
+ }
}
push @iface_config, "hwaddress $mac" if $mac;
--
2.20.1
next prev parent reply other threads:[~2020-10-05 15:09 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-05 15:07 [pve-devel] [PATCH v9 pve-network 00/26] add subnet plugin Alexandre Derumier
2020-10-05 15:07 ` [pve-devel] [PATCH v9 pve-network 01/26] " Alexandre Derumier
2020-10-05 15:07 ` [pve-devel] [PATCH v9 pve-network 02/26] vnets: add subnets Alexandre Derumier
2020-10-05 15:08 ` [pve-devel] [PATCH v9 pve-network 03/26] add subnets verifications hooks Alexandre Derumier
2020-10-05 15:08 ` [pve-devel] [PATCH v9 pve-network 04/26] zones: simple|evpn: add gateway ip from subnets to vnet Alexandre Derumier
2020-10-05 15:08 ` [pve-devel] [PATCH v9 pve-network 05/26] zone: add vnet_update_hook Alexandre Derumier
2020-10-05 15:08 ` [pve-devel] [PATCH v9 pve-network 06/26] vnets: subnets: use cidr Alexandre Derumier
2020-10-05 15:08 ` [pve-devel] [PATCH v9 pve-network 07/26] subnet: fix on_delete_hook Alexandre Derumier
2020-10-05 15:08 ` [pve-devel] [PATCH v9 pve-network 08/26] api2: subnet create: convert cidr to subnetid Alexandre Derumier
2020-10-05 15:08 ` [pve-devel] [PATCH v9 pve-network 09/26] api2: increase version on apply/reload only Alexandre Derumier
2020-10-05 15:08 ` [pve-devel] [PATCH v9 pve-network 10/26] add ipams plugins Alexandre Derumier
2020-10-05 15:08 ` [pve-devel] [PATCH v9 pve-network 11/26] add pve internal ipam plugin Alexandre Derumier
2020-10-05 15:08 ` [pve-devel] [PATCH v9 pve-network 12/26] vnets: find_free_ip : add ipversion detection Alexandre Derumier
2020-10-05 15:08 ` [pve-devel] [PATCH v9 pve-network 13/26] vnets: add add_ip Alexandre Derumier
2020-10-05 15:08 ` [pve-devel] [PATCH v9 pve-network 14/26] vnets: add del_ip + rework add_ip/find_free_ip Alexandre Derumier
2020-10-05 15:08 ` [pve-devel] [PATCH v9 pve-network 15/26] add dns plugin Alexandre Derumier
2020-10-05 15:08 ` [pve-devel] [PATCH v9 pve-network 16/26] Fix vnet gateway for routed setup + /32 pointopoint subnet Alexandre Derumier
2020-10-05 15:08 ` [pve-devel] [PATCH v9 pve-network 17/26] ipam : pveplugin : fix find_next_free_ip Alexandre Derumier
2020-10-05 15:08 ` [pve-devel] [PATCH v9 pve-network 18/26] add vnet to subnets && remove subnetlist from vnet Alexandre Derumier
2020-10-05 15:08 ` Alexandre Derumier [this message]
2020-10-05 15:08 ` [pve-devel] [PATCH v9 pve-network 20/26] subnet: disable route option for now and add dns domain format Alexandre Derumier
2020-10-05 15:08 ` [pve-devel] [PATCH v9 pve-network 21/26] dns: fix reverse dns Alexandre Derumier
2020-10-05 15:08 ` [pve-devel] [PATCH v9 pve-network 22/26] subnets: move api to /sdn/vnet/<vnet>/subnets && make vnet option not optionnal Alexandre Derumier
2020-10-05 15:08 ` [pve-devel] [PATCH v9 pve-network 23/26] zones: evpn : fix raise exception Alexandre Derumier
2020-10-05 15:08 ` [pve-devel] [PATCH v9 pve-network 24/26] subnet: make ipam not optionnal and use pve ipam as default Alexandre Derumier
2020-10-05 15:08 ` [pve-devel] [PATCH v9 pve-network 25/26] don't allow subnets on vlanware vnet Alexandre Derumier
2020-10-05 15:08 ` [pve-devel] [PATCH v9 pve-network 26/26] generate sdn/.running-config on apply Alexandre Derumier
-- strict thread matches above, loose matches on Subject: below --
2020-09-28 8:43 [pve-devel] [PATCH v9 pve-network 00/26] add subnet plugin Alexandre Derumier
2020-09-28 8:43 ` [pve-devel] [PATCH v9 pve-network 19/26] zones: evpn|simple: add snat iptables rules Alexandre Derumier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201005150823.462387-20-aderumier@odiso.com \
--to=aderumier@odiso.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox