func()

in pkg/networkutils/network.go [591:692]


// buildIptablesConnmarkRules assembles the ordered nat-table rule set that
// connmarks outbound pod connections (ingress on the veth prefix) whose
// destination is neither in the VPC nor in the operator-supplied exclusion
// list. The mark value is n.mainENIMark; what acts on that mark lives outside
// this function.
//
// The returned slice must be applied in order: several entries are deliberate
// "delete, then re-add" pairs (shouldExist=false followed by shouldExist=true)
// that rely on sequential application to land the rule at the end of its chain.
//
// Arguments:
//   - vpcCIDRs: destination CIDRs that bypass the connmark (RETURN early).
//   - ipt: iptables access used to create the chain and, via
//     computeStaleIptablesRules, to look up rules that are no longer wanted.
//
// Returns the rule list, or an empty slice plus an error when the chain cannot
// be created (an "already exists" error is tolerated) or stale-rule detection
// fails.
//
// With n.useExternalSNAT set, every rule this function owns is emitted with
// shouldExist=false so the caller tears it down; the chain itself is still
// created so the stale-rule lookup has something to inspect.
func (n *linuxNetwork) buildIptablesConnmarkRules(vpcCIDRs []string, ipt iptableswrapper.IPTablesIface) ([]iptablesRule, error) {
	const (
		table           = "nat"
		chainPrefix     = "AWS-CONNMARK-CHAIN"
		connmarkChain   = chainPrefix + "-0"
		preroutingChain = "PREROUTING"
	)

	// Rules owned here are created normally, or flagged for removal when SNAT
	// is handled externally.
	ownedRulesExist := !n.useExternalSNAT
	maskArg := fmt.Sprintf("%#x", n.mainENIMark)

	// Destinations exempt from marking: VPC CIDRs first, then the exclusion
	// list, concatenated as given. NOTE(review): a CIDR present in both lists
	// yields two RETURN rules; whether the apply path tolerates that
	// duplicate is not visible here.
	exemptCIDRs := make([]string, 0, len(vpcCIDRs)+len(n.excludeSNATCIDRs))
	exemptCIDRs = append(exemptCIDRs, vpcCIDRs...)
	exemptCIDRs = append(exemptCIDRs, n.excludeSNATCIDRs...)
	excluded := sets.NewString(n.excludeSNATCIDRs...)

	log.Debugf("Total CIDRs to exempt from connmark rules - %d", len(exemptCIDRs))

	log.Debugf("Setup Host Network: iptables -N %s -t nat", connmarkChain)
	if err := ipt.NewChain(table, connmarkChain); err != nil && !containChainExistErr(err) {
		log.Errorf("ipt.NewChain error for chain [%s]: %v", connmarkChain, err)
		return []iptablesRule{}, errors.Wrapf(err, "host network setup: failed to add chain")
	}
	ownedChains := []string{connmarkChain}

	// newRule builds one nat-table entry; spec is the iptables match/target
	// argument vector exactly as it will be passed to the binary.
	newRule := func(name, chain string, exists bool, spec ...string) iptablesRule {
		return iptablesRule{
			name:        name,
			shouldExist: exists,
			table:       table,
			chain:       chain,
			rule:        spec,
		}
	}

	rules := make([]iptablesRule, 0, len(exemptCIDRs)+6)

	log.Debugf("Setup Host Network: iptables -t nat -A PREROUTING -i %s+ -m comment --comment \"AWS, outbound connections\" -j AWS-CONNMARK-CHAIN-0", n.vethPrefix)
	vethMatch := n.vethPrefix + "+"
	// The legacy jump rule also matched "-m state --state NEW", which is always
	// true for packets reaching the nat table; it is unconditionally removed
	// and replaced by the plain jump below.
	rules = append(rules,
		newRule("connmark rule for non-VPC outbound traffic", preroutingChain, false,
			"-i", vethMatch, "-m", "comment", "--comment", "AWS, outbound connections",
			"-m", "state", "--state", "NEW", "-j", connmarkChain),
		newRule("connmark rule for non-VPC outbound traffic", preroutingChain, ownedRulesExist,
			"-i", vethMatch, "-m", "comment", "--comment", "AWS, outbound connections",
			"-j", connmarkChain),
	)

	// One RETURN per exempt destination; the comment distinguishes VPC space
	// from operator exclusions so the rules can be read back from iptables.
	for _, cidr := range exemptCIDRs {
		comment := "AWS CONNMARK CHAIN, VPC CIDR"
		if excluded.Has(cidr) {
			comment = "AWS CONNMARK CHAIN, EXCLUDED CIDR"
		}
		log.Debugf("Setup Host Network: iptables -A %s -d %s -t nat -j %s", connmarkChain, cidr, "RETURN")
		rules = append(rules, newRule(connmarkChain, connmarkChain, ownedRulesExist,
			"-d", cidr, "-m", "comment", "--comment", comment, "-j", "RETURN"))
	}

	// A fresh slice per call so the delete and add entries do not alias.
	restoreMarkSpec := func() []string {
		return []string{
			"-m", "comment", "--comment", "AWS, CONNMARK", "-j", "CONNMARK",
			"--restore-mark", "--mask", maskArg,
		}
	}
	// Delete first so the re-added restore-mark rule lands at the tail of
	// PREROUTING, i.e. after the jump into the connmark chain. Being in nat,
	// it fires only on a connection's first packet; subsequent packets get the
	// mark restored in the mangle table, outside this function.
	rules = append(rules,
		newRule("connmark to fwmark copy", preroutingChain, false, restoreMarkSpec()...),
		newRule("connmark to fwmark copy", preroutingChain, ownedRulesExist, restoreMarkSpec()...),
	)

	// Stale detection runs against the rules accumulated so far; the final
	// set-xmark rule is appended afterwards, preserving the original ordering
	// of the returned list.
	staleRules, err := computeStaleIptablesRules(ipt, table, chainPrefix, rules, ownedChains)
	if err != nil {
		return []iptablesRule{}, err
	}
	rules = append(rules, staleRules...)

	// Anything that was not RETURNed above is outbound to a non-exempt
	// destination: set the ENI mark bits on the connection.
	rules = append(rules, newRule("connmark rule for external outbound traffic", connmarkChain, ownedRulesExist,
		"-m", "comment", "--comment", "AWS, CONNMARK", "-j", "CONNMARK",
		"--set-xmark", fmt.Sprintf("%#x/%#x", n.mainENIMark, n.mainENIMark)))

	log.Debugf("iptableRules: %v", rules)
	return rules, nil
}