allow from snat eip to fip eip

zbb88888 · zbb88888 · commit 03d36bf00e43 · 2026-02-28T20:30:42.000+08:00
Signed-off-by: zbb88888 &lt;jmdxjsjgcxy@gmail.com&gt;
diff --git a/dist/images/vpcnatgateway/nat-gateway.sh b/dist/images/vpcnatgateway/nat-gateway.sh
@@ -75,6 +75,8 @@ function show_help() {
     echo "  dnat-del                 - Delete DNAT rule"
     echo "  snat-add                 - Add SNAT rule"
     echo "  snat-del                 - Delete SNAT rule"
+    echo "  hairpin-snat-add         - Add hairpin SNAT rule for internal FIP access"
+    echo "  hairpin-snat-del         - Delete hairpin SNAT rule"
     echo "  qos-add                  - Add QoS rule"
     echo "  qos-del                  - Delete QoS rule"
     echo "  eip-ingress-qos-add      - Add EIP ingress QoS"
@@ -162,6 +164,7 @@ function init() {
     $iptables_cmd -t nat -N EXCLUSIVE_SNAT # floatingIp SNAT
     $iptables_cmd -t nat -N SHARED_DNAT
     $iptables_cmd -t nat -N SHARED_SNAT
+    $iptables_cmd -t nat -N HAIRPIN_SNAT
 
     $iptables_cmd -t nat -A PREROUTING -j DNAT_FILTER
     $iptables_cmd -t nat -A DNAT_FILTER -j EXCLUSIVE_DNAT
@@ -170,6 +173,7 @@ function init() {
     $iptables_cmd -t nat -A POSTROUTING -j SNAT_FILTER
     $iptables_cmd -t nat -A SNAT_FILTER -j EXCLUSIVE_SNAT
     $iptables_cmd -t nat -A SNAT_FILTER -j SHARED_SNAT
+    $iptables_cmd -t nat -A SNAT_FILTER -j HAIRPIN_SNAT
 
     # Load IFB kernel module for ingress QoS traffic shaping
     # IFB (Intermediate Functional Block) is required for ingress rate limiting using HTB
@@ -280,6 +284,24 @@ function del_eip() {
     done
 }
 
+# Check if the given CIDR exists in VPC_INTERFACE's routes (indicates it's an internal CIDR)
+# This is used to determine if hairpin SNAT is needed for a given SNAT rule
+# Args: $1 - CIDR to check (e.g., "10.0.1.0/24")
+# Returns: 0 if the CIDR is found in VPC_INTERFACE routes, 1 otherwise
+function is_internal_cidr() {
+    local cidr="$1"
+    if [ -z "$cidr" ]; then
+        return 1
+    fi
+    # Escape '.' in CIDR for grep regex to avoid matching unintended characters
+    # e.g., "10.0.1.0/24" -> "^10\.0\.1\.0/24 " matches exactly, not "10X0Y1Z0/24"
+    local cidr_pattern="^${cidr//./\\.} "
+    if ip -4 route show dev "$VPC_INTERFACE" | grep -q "$cidr_pattern"; then
+        return 0
+    fi
+    return 1
+}
+
 function add_floating_ip() {
     # make sure inited
     check_inited
@@ -316,33 +338,105 @@ function del_floating_ip() {
 function add_snat() {
     # make sure inited
     check_inited
-    # iptables -t nat -F SHARED_SNAT
+    local all_shared_snat_rules
+    all_shared_snat_rules=$($iptables_save_cmd | grep SHARED_SNAT)
     for rule in $@
     do
         arr=(${rule//,/ })
         eip=(${arr[0]//\// })
         internalCIDR=${arr[1]}
         randomFullyOption=${arr[2]}
-        # check if already exist
-        $iptables_save_cmd | grep SHARED_SNAT | grep "\-s $internalCIDR" | grep "source $eip" && exit 0
-        exec_cmd "$iptables_cmd -t nat -A SHARED_SNAT -o $EXTERNAL_INTERFACE -s $internalCIDR -j SNAT --to-source $eip $randomFullyOption"
+        # check if already exist, skip adding if exists (idempotent)
+        ruleMatch=$(echo "$all_shared_snat_rules" | grep -w -- "-s $internalCIDR" | grep -E -- "--to-source $eip(\$| )")
+        if [ -z "$ruleMatch" ]; then
+            exec_cmd "$iptables_cmd -t nat -A SHARED_SNAT -o $EXTERNAL_INTERFACE -s $internalCIDR -j SNAT --to-source $eip $randomFullyOption"
+        fi
+        # Add hairpin SNAT when internalCIDR is routed via VPC_INTERFACE
+        # This enables internal VMs to access other internal VMs via FIP
+        if is_internal_cidr "$internalCIDR"; then
+            echo "SNAT cidr $internalCIDR is internal, adding hairpin SNAT with EIP $eip"
+            add_hairpin_snat "$eip,$internalCIDR,$randomFullyOption"
+        fi
     done
 }
 function del_snat() {
     # make sure inited
     check_inited
-    # iptables -t nat -F SHARED_SNAT
+    local all_shared_snat_rules
+    all_shared_snat_rules=$($iptables_save_cmd | grep SHARED_SNAT)
     for rule in $@
     do
         arr=(${rule//,/ })
         eip=(${arr[0]//\// })
         internalCIDR=${arr[1]}
         # check if already exist
-        ruleMatch=$($iptables_save_cmd | grep SHARED_SNAT | grep "\-s $internalCIDR" | grep "source $eip")
-        if [ "$?" -eq 0 ];then
-          ruleMatch=$(echo $ruleMatch | sed 's/-A //')
+        ruleMatch=$(echo "$all_shared_snat_rules" | grep -w -- "-s $internalCIDR" | grep -E -- "--to-source $eip(\$| )")
+        if [ -n "$ruleMatch" ]; then
+          ruleMatch=$(echo "$ruleMatch" | sed 's/-A //')
           exec_cmd "$iptables_cmd -t nat -D $ruleMatch"
         fi
+        # Remove the corresponding hairpin SNAT rule (1:1 with SNAT).
+        if is_internal_cidr "$internalCIDR"; then
+            del_hairpin_snat "$eip,$internalCIDR"
+        fi
+    done
+}
+
+# Hairpin SNAT: Enables internal VM to access another internal VM's FIP
+# Packet flow when VM A accesses VM B's EIP:
+# 1. VM A (10.0.1.6) -> EIP (10.1.69.216) arrives at NAT GW
+# 2. DNAT translates destination to VM B's internal IP (10.0.1.11)
+# 3. Without hairpin SNAT, reply from VM B goes directly to VM A (same subnet),
+#    but VM A expects reply from EIP, causing asymmetric routing failure
+# 4. Hairpin SNAT translates source to EIP, ensuring symmetric return path via NAT GW
+#
+# Hairpin SNAT mirrors SHARED_SNAT 1:1: each SNAT rule creates a corresponding
+# hairpin rule with the same EIP and --random-fully option. Multiple SNATs with
+# different EIPs for the same CIDR are supported (for port exhaustion mitigation).
+#
+# Rule format: eip,internalCIDR[,--random-fully]
+# Example: 10.1.69.219,10.0.1.0/24,--random-fully
+# Creates: iptables -t nat -A HAIRPIN_SNAT -s 10.0.1.0/24 -d 10.0.1.0/24 -j SNAT --to-source 10.1.69.219 --random-fully
+function add_hairpin_snat() {
+    # make sure inited
+    check_inited
+    local all_hairpin_rules
+    all_hairpin_rules=$($iptables_save_cmd -t nat | grep HAIRPIN_SNAT)
+    for rule in $@
+    do
+        arr=(${rule//,/ })
+        eip=(${arr[0]//\// })
+        internalCIDR=${arr[1]}
+        randomFullyOption=${arr[2]}
+
+        # Check if this exact rule already exists (idempotent)
+        if echo "$all_hairpin_rules" | grep -w -- "-s $internalCIDR" | grep -w -- "-d $internalCIDR" | grep -qE -- "--to-source $eip(\$| )"; then
+            echo "Hairpin SNAT rule for $internalCIDR with EIP $eip already exists, skipping"
+            continue
+        fi
+
+        exec_cmd "$iptables_cmd -t nat -A HAIRPIN_SNAT -s $internalCIDR -d $internalCIDR -j SNAT --to-source $eip $randomFullyOption"
+        echo "Hairpin SNAT rule added: $internalCIDR -> $eip"
+    done
+}
+
+# Delete a hairpin SNAT rule.
+# Args: eip,internalCIDR (comma-separated)
+function del_hairpin_snat() {
+    # make sure inited
+    check_inited
+    local all_hairpin_rules
+    all_hairpin_rules=$($iptables_save_cmd -t nat | grep HAIRPIN_SNAT)
+    for rule in $@
+    do
+        arr=(${rule//,/ })
+        eip=(${arr[0]//\// })
+        internalCIDR=${arr[1]}
+        # check if rule exists (idempotent - skip if not found)
+        if echo "$all_hairpin_rules" | grep -w -- "-s $internalCIDR" | grep -w -- "-d $internalCIDR" | grep -qE -- "--to-source $eip(\$| )"; then
+            exec_cmd "$iptables_cmd -t nat -D HAIRPIN_SNAT -s $internalCIDR -d $internalCIDR -j SNAT --to-source $eip"
+            echo "Hairpin SNAT rule deleted: $internalCIDR -> $eip"
+        fi
     done
 }
 
@@ -1435,6 +1529,14 @@ case $opt in
         echo "snat-del $rules"
         del_snat $rules
         ;;
+    hairpin-snat-add)
+        echo "hairpin-snat-add $rules"
+        add_hairpin_snat $rules
+        ;;
+    hairpin-snat-del)
+        echo "hairpin-snat-del $rules"
+        del_hairpin_snat $rules
+        ;;
     floating-ip-add)
         echo "floating-ip-add $rules"
         add_floating_ip $rules
diff --git a/test/e2e/iptables-vpc-nat-gw/e2e_test.go b/test/e2e/iptables-vpc-nat-gw/e2e_test.go
@@ -249,6 +249,42 @@ func verifySubnetStatusAfterEIPOperation(subnetClient *framework.SubnetClient, s
 	}
 }
 
+// iptablesSaveNat returns the iptables-save output from the NAT gateway pod,
+// using the exact same detection logic as nat-gateway.sh to determine whether
+// to use iptables-legacy-save or iptables-save (nft backend).
+func iptablesSaveNat(natGwPodName string) string {
+	// Replicate nat-gateway.sh detection: if iptables-legacy -t nat -S INPUT 1 succeeds,
+	// rules were written via iptables-legacy, so use iptables-legacy-save to read them.
+	// NOTE: KubectlExec joins args with space and passes to "/bin/sh -c", so pass
+	// the entire script as a single string to avoid double shell wrapping.
+	cmd := []string{"if iptables-legacy -t nat -S INPUT 1 2>/dev/null; then iptables-legacy-save -t nat; else iptables-save -t nat; fi"}
+	stdout, _, err := framework.KubectlExec(framework.KubeOvnNamespace, natGwPodName, cmd...)
+	framework.ExpectNoError(err, "failed to exec iptables-save in NAT gateway pod %s", natGwPodName)
+	return string(stdout)
+}
+
+// hairpinSnatChainExists checks if the HAIRPIN_SNAT chain exists in the NAT gateway pod.
+// Returns false on older versions that don't support this feature.
+func hairpinSnatChainExists(natGwPodName string) bool {
+	output := iptablesSaveNat(natGwPodName)
+	return strings.Contains(output, ":HAIRPIN_SNAT") || strings.Contains(output, "-N HAIRPIN_SNAT")
+}
+
+// hairpinSnatRuleExists checks if hairpin SNAT rule exists in the NAT gateway pod
+// for the given CIDR and specific EIP.
+// Returns true if rule exists, false otherwise (including when HAIRPIN_SNAT chain doesn't exist).
+func hairpinSnatRuleExists(natGwPodName, cidr, eip string) bool {
+	output := iptablesSaveNat(natGwPodName)
+	if !strings.Contains(output, ":HAIRPIN_SNAT") && !strings.Contains(output, "-N HAIRPIN_SNAT") {
+		return false
+	}
+
+	hairpinRulePattern := fmt.Sprintf("-A HAIRPIN_SNAT -s %s -d %s -j SNAT --to-source %s", cidr, cidr, eip)
+	return strings.Contains(output, hairpinRulePattern)
+}
+
+// hairpinSnatRuleExistsForCIDR checks if any hairpin SNAT rule exists for the
+// given CIDR, regardless of which EIP it uses.
 var _ = framework.OrderedDescribe("[group:iptables-vpc-nat-gw]", func() {
 	f := framework.NewDefaultFramework("iptables-vpc-nat-gw")
 
@@ -264,6 +300,7 @@ var _ = framework.OrderedDescribe("[group:iptables-vpc-nat-gw]", func() {
 	var iptablesFIPClient *framework.IptablesFIPClient
 	var iptablesSnatRuleClient *framework.IptablesSnatClient
 	var iptablesDnatRuleClient *framework.IptablesDnatClient
+	var podClient *framework.PodClient
 
 	var dockerExtNet1Network *dockernetwork.Inspect
 	var net1NicName string
@@ -421,6 +458,7 @@ var _ = framework.OrderedDescribe("[group:iptables-vpc-nat-gw]", func() {
 		vpcName = "vpc-" + randomSuffix
 		vpcNatGwName = "gw-" + randomSuffix
 		overlaySubnetName = "overlay-subnet-" + randomSuffix
+		podClient = f.PodClient()
 	})
 
 	framework.ConformanceIt("[1] change gateway image and custom annotations", func() {
@@ -543,6 +581,81 @@ var _ = framework.OrderedDescribe("[group:iptables-vpc-nat-gw]", func() {
 			iptablesSnatRuleClient.DeleteSync(snatName)
 		})
 
+		// Verify hairpin SNAT rule is automatically created for internal CIDR
+		ginkgo.By("Verifying hairpin SNAT rule exists in NAT gateway pod")
+		vpcNatGwPodName := util.GenNatGwPodName(vpcNatGwName)
+		snatEip = iptablesEIPClient.Get(snatEipName)
+		if !hairpinSnatChainExists(vpcNatGwPodName) {
+			framework.Logf("HAIRPIN_SNAT chain not found, skipping hairpin SNAT verification (feature requires v1.15+)")
+		} else {
+			gomega.Eventually(func() bool {
+				return hairpinSnatRuleExists(vpcNatGwPodName, overlaySubnetV4Cidr, snatEip.Status.IP)
+			}, 30*time.Second, 2*time.Second).Should(gomega.BeTrue(),
+				"Hairpin SNAT rule should be created after SNAT creation")
+
+			// Verify real data-path: internal pod accessing another internal pod via FIP EIP
+			// Packet flow: client -> NAT GW (DNAT to serverIP + hairpin SNAT to EIP) -> server -> NAT GW (un-SNAT/DNAT) -> client
+			ginkgo.By("Verifying hairpin SNAT connectivity: internal pod (SNAT EIP) accessing another internal pod (FIP EIP)")
+			serverPodName := "server-" + randomSuffix
+			clientPodName := "client-" + randomSuffix
+			hairpinFipEipName := "hairpin-fip-eip-" + randomSuffix
+			hairpinFipName := "hairpin-fip-" + randomSuffix
+
+			// Create server pod in overlay subnet with auto-assigned IP
+			serverAnnotations := map[string]string{
+				util.LogicalSwitchAnnotation: overlaySubnetName,
+			}
+			serverPort := "8080"
+			serverArgs := []string{"netexec", "--http-port", serverPort}
+			serverPod := framework.MakePod(f.Namespace.Name, serverPodName, nil, serverAnnotations, framework.AgnhostImage, nil, serverArgs)
+			_ = podClient.CreateSync(serverPod)
+			ginkgo.DeferCleanup(func() {
+				ginkgo.By("Cleaning up server pod " + serverPodName)
+				podClient.DeleteSync(serverPodName)
+			})
+
+			// Get server pod's auto-assigned IP for FIP binding
+			createdServerPod := podClient.GetPod(serverPodName)
+			serverPodIP := createdServerPod.Annotations[util.IPAddressAnnotation]
+			framework.ExpectNotEmpty(serverPodIP, "server pod should have an IP assigned")
+			framework.Logf("Server pod %s has IP %s", serverPodName, serverPodIP)
+
+			// Create a dedicated EIP and FIP to map FIP EIP -> server pod IP
+			hairpinFipEip := framework.MakeIptablesEIP(hairpinFipEipName, "", "", "", vpcNatGwName, "", "")
+			_ = iptablesEIPClient.CreateSync(hairpinFipEip)
+			ginkgo.DeferCleanup(func() {
+				ginkgo.By("Cleaning up hairpin FIP EIP " + hairpinFipEipName)
+				iptablesEIPClient.DeleteSync(hairpinFipEipName)
+			})
+			hairpinFipEip = iptablesEIPClient.Get(hairpinFipEipName)
+			framework.ExpectNotEmpty(hairpinFipEip.Status.IP, "hairpin FIP EIP should have an IP assigned")
+
+			hairpinFip := framework.MakeIptablesFIPRule(hairpinFipName, hairpinFipEipName, serverPodIP)
+			_ = iptablesFIPClient.CreateSync(hairpinFip)
+			ginkgo.DeferCleanup(func() {
+				ginkgo.By("Cleaning up hairpin FIP " + hairpinFipName)
+				iptablesFIPClient.DeleteSync(hairpinFipName)
+			})
+
+			// Create client pod in same subnet (uses SNAT EIP for outbound traffic)
+			clientAnnotations := map[string]string{
+				util.LogicalSwitchAnnotation: overlaySubnetName,
+			}
+			clientPod := framework.MakePod(f.Namespace.Name, clientPodName, nil, clientAnnotations, framework.AgnhostImage, nil, []string{"pause"})
+			_ = podClient.CreateSync(clientPod)
+			ginkgo.DeferCleanup(func() {
+				ginkgo.By("Cleaning up client pod " + clientPodName)
+				podClient.DeleteSync(clientPodName)
+			})
+
+			// Test connectivity: client pod (SNAT EIP) -> server pod (FIP EIP)
+			ginkgo.By("Checking connectivity from client pod (SNAT EIP) to server pod (FIP EIP) " + hairpinFipEip.Status.IP)
+			cmd := []string{"curl", "-m", "10", fmt.Sprintf("http://%s:%s/clientip", hairpinFipEip.Status.IP, serverPort)}
+			output, _, err := framework.KubectlExec(f.Namespace.Name, clientPodName, cmd...)
+			framework.ExpectNoError(err, "Client pod (SNAT EIP) should reach server pod via FIP EIP through hairpin SNAT")
+			framework.Logf("Hairpin SNAT connectivity verified, output: %s", string(output))
+		}
+
 		ginkgo.By("Creating iptables vip for dnat")
 		dnatVip := framework.MakeVip(f.Namespace.Name, dnatVipName, overlaySubnetName, "", "", "")
 		_ = vipClient.CreateSync(dnatVip)
@@ -618,8 +731,19 @@ var _ = framework.OrderedDescribe("[group:iptables-vpc-nat-gw]", func() {
 			iptablesSnatRuleClient.DeleteSync(sharedEipSnatName)
 		})
 
-		ginkgo.By("Get share eip")
+		// Verify hairpin SNAT rule is created for the shared SNAT (same CIDR, different EIP).
+		// Hairpin mirrors SNAT 1:1: each SNAT creates its own hairpin rule.
+		ginkgo.By("Getting share eip")
 		shareEip = iptablesEIPClient.Get(sharedEipName)
+		framework.ExpectNotEmpty(shareEip.Status.IP, "shareEip.Status.IP should not be empty")
+		if hairpinSnatChainExists(vpcNatGwPodName) {
+			ginkgo.By("Verifying hairpin SNAT rule exists for the shared SNAT EIP")
+			gomega.Eventually(func() bool {
+				return hairpinSnatRuleExists(vpcNatGwPodName, overlaySubnetV4Cidr, shareEip.Status.IP)
+			}, 30*time.Second, 2*time.Second).Should(gomega.BeTrue(),
+				"Hairpin SNAT rule should be created for shared SNAT EIP")
+		}
+
 		ginkgo.By("Get share dnat")
 		shareDnat = iptablesDnatRuleClient.Get(sharedEipDnatName)
 		ginkgo.By("Get share snat")
@@ -643,6 +767,22 @@ var _ = framework.OrderedDescribe("[group:iptables-vpc-nat-gw]", func() {
 		// make sure eip is shared
 		nats := []string{util.DnatUsingEip, util.FipUsingEip, util.SnatUsingEip}
 		framework.ExpectEqual(shareEip.Status.Nat, strings.Join(nats, ","))
+
+		// Verify hairpin SNAT rule cleanup when SNAT is deleted.
+		// Hairpin lifecycle is 1:1 with SNAT: created together, deleted together.
+		if hairpinSnatChainExists(vpcNatGwPodName) {
+			ginkgo.By("Deleting snat to verify hairpin SNAT rule cleanup")
+			iptablesSnatRuleClient.DeleteSync(snatName)
+			ginkgo.By("Verifying hairpin SNAT rule for the deleted SNAT EIP is removed")
+			gomega.Eventually(func() bool {
+				return hairpinSnatRuleExists(vpcNatGwPodName, overlaySubnetV4Cidr, snatEip.Status.IP)
+			}, 30*time.Second, 2*time.Second).Should(gomega.BeFalse(),
+				"Hairpin SNAT rule should be deleted after SNAT deletion")
+			ginkgo.By("Verifying hairpin SNAT rule for the shared SNAT EIP still exists")
+			gomega.Expect(hairpinSnatRuleExists(vpcNatGwPodName, overlaySubnetV4Cidr, shareEip.Status.IP)).To(gomega.BeTrue(),
+				"Hairpin SNAT rule for the shared SNAT EIP should NOT be affected by deleting a different SNAT")
+		}
+
 		// All cleanup is handled by DeferCleanup above, no need for manual cleanup
 	})
 
