func addRoutingForIngress()

in pkg/cni/routes/routes.go [145:183]


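// addRoutingForIngress steers replies for connections that arrived on the
// ingress interface back out through that same interface instead of the
// namespace's default route.
//
// It installs three layers of state:
//   - iptables (mangle): packets entering on the ingress interface are given
//     consts.Eth0Mark; CONNMARK saves the mark on the conntrack entry and
//     restores it onto locally generated packets of the same connection, so
//     replies carry the mark too.
//   - ip rule: packets carrying the mark are looked up in a dedicated routing
//     table (the table id reuses consts.Eth0Mark).
//   - route: defaultRoute is installed into that table via RouteReplace.
//
// Finally rp_filter is set to loose mode (2) for "all" and for the ingress
// interface. Strict mode (1) would drop these asymmetrically routed packets;
// loose mode still rejects sources that are unreachable via any interface but
// is weaker anti-spoofing than strict mode, so this is a deliberate trade-off
// that callers should be aware of.
//
// The interface name used in the iptables rule and in the sysctl path is taken
// from eth0Link's attributes; when the link is nil it falls back to "eth0",
// which is the name the function used historically.
//
// sysctlDir is the root of the sysctl tree (e.g. "/proc/sys").
// Every step is idempotent except RuleAdd (see the inline note); on error the
// function returns a wrapped error naming the failed step and does not roll
// back the steps already applied.
func addRoutingForIngress(eth0Link netlink.Link, defaultRoute netlink.Route, sysctlDir string) error {
	ifName := ingressIfaceName(eth0Link)
	mark := strconv.Itoa(consts.Eth0Mark)

	// mangle rules: mark traffic arriving on the ingress interface and carry
	// the mark across the connection so replies are marked as well.
	ipt, err := routesRunner.iptables.New()
	if err != nil {
		return fmt.Errorf("failed to create iptable: %w", err)
	}
	if err := ipt.AppendUnique(consts.MangleTable, consts.PreRoutingChain, "-i", ifName, "-j", "MARK", "--set-mark", mark); err != nil {
		return fmt.Errorf("failed to append iptables set-mark rule: %w", err)
	}
	if err := ipt.AppendUnique(consts.MangleTable, consts.PreRoutingChain, "-j", "CONNMARK", "--save-mark"); err != nil {
		return fmt.Errorf("failed to append iptables save-mark rule: %w", err)
	}
	if err := ipt.AppendUnique(consts.MangleTable, consts.OutputChain, "-m", "connmark", "--mark", mark, "-j", "CONNMARK", "--restore-mark"); err != nil {
		return fmt.Errorf("failed to append iptables restore-mark rule: %w", err)
	}

	// policy rule: marked packets consult the dedicated table.
	// NOTE(review): unlike AppendUnique and RouteReplace, RuleAdd is not
	// idempotent — a repeated invocation (e.g. a retried CNI ADD) is expected
	// to fail with EEXIST on this step. Tolerating that safely requires
	// confirming the existing rule matches; verify against the caller's retry
	// behaviour before relaxing this check.
	rule := netlink.NewRule()
	rule.Mark = uint32(consts.Eth0Mark)
	rule.Table = consts.Eth0Mark
	if err := routesRunner.netlink.RuleAdd(rule); err != nil {
		return fmt.Errorf("failed to add routing rule: %w", err)
	}

	// default route inside the dedicated table; RouteReplace makes re-runs safe.
	defaultRoute.Table = consts.Eth0Mark
	if err := routesRunner.netlink.RouteReplace(&defaultRoute); err != nil {
		return fmt.Errorf("failed to add default route via eth0: %w", err)
	}

	// rp_filter: loose mode is required because the reply path is asymmetric
	// relative to the main table; strict mode would drop those packets.
	// The file mode only matters if the path is a regular file (tests);
	// on procfs it is ignored.
	if err := os.WriteFile(filepath.Join(sysctlDir, "net/ipv4/conf/all/rp_filter"), []byte("2"), 0644); err != nil {
		return fmt.Errorf("failed to write net.ipv4.conf.all.rp_filter: %w", err)
	}
	if err := os.WriteFile(filepath.Join(sysctlDir, "net/ipv4/conf", ifName, "rp_filter"), []byte("2"), 0644); err != nil {
		return fmt.Errorf("failed to write net.ipv4.conf.%s.rp_filter: %w", ifName, err)
	}
	return nil
}

// ingressIfaceName returns the interface name carried by link, falling back
// to "eth0" when the link or its attributes are unavailable so that existing
// callers keep the previous behaviour.
func ingressIfaceName(link netlink.Link) string {
	if link == nil {
		return "eth0"
	}
	attrs := link.Attrs()
	if attrs == nil || attrs.Name == "" {
		return "eth0"
	}
	return attrs.Name
}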