Support /32 tunnel-source (#5144)

There exists a use case for sourcing tunnel traffic from a /32 address assigned to the lo interface of the node. The lo interface typically comes with a localhost address (ie. 127.0.0.1). This change excludes localhost addresses from acting as the tunnel source. It also permits using a /32 address for the tunnel source if the host-tunnel-src variable is set to true (false by default).

Signed-off-by: Anthony Timmins <anthony.timmins@crowdstrike.com>

---------

Signed-off-by: Anthony Timmins <anthony.timmins@crowdstrike.com>
Signed-off-by: netdever <46330739+netdever@users.noreply.github.com>
Co-authored-by: Anthony Timmins <anthony.timmins@crowdstrike.com>

Author: netdever

pkg/daemon/config.go

@@ -38,6 +38,7 @@ type Configuration struct {
 	// interface being used for tunnel
 	tunnelIface               string
 	Iface                     string
+	HostTunnelSrc             bool
 	DPDKTunnelIface           string
 	MTU                       int
 	MSS                       int
@@ -87,6 +88,7 @@ func ParseFlags() *Configuration {
 
 		argNodeName              = pflag.String("node-name", "", "Name of the node on which the daemon is running on.")
 		argIface                 = pflag.String("iface", "", "The iface used to inter-host pod communication, can be a nic name or a group of regex separated by comma (default the default route iface)")
+		argHostTunnelSrc         = pflag.Bool("host-tunnel-src", false, "Enable /32 address selection for the tunnel source, excludes localhost addresses unless explicitly allowed.")
 		argDPDKTunnelIface       = pflag.String("dpdk-tunnel-iface", "br-phy", "Specifies the name of the dpdk tunnel iface.")
 		argMTU                   = pflag.Int("mtu", 0, "The MTU used by pod iface in overlay networks (default iface MTU - 100)")
 		argEnableMirror          = pflag.Bool("enable-mirror", false, "Enable traffic mirror (default false)")
@@ -147,6 +149,7 @@ func ParseFlags() *Configuration {
 		CniConfFile:               *argCniConfFile,
 		CniConfName:               *argsCniConfName,
 		Iface:                     *argIface,
+		HostTunnelSrc:             *argHostTunnelSrc,
 		DPDKTunnelIface:           *argDPDKTunnelIface,
 		MTU:                       *argMTU,
 		EnableMirror:              *argEnableMirror,
@@ -257,17 +260,19 @@ func (config *Configuration) initNicConfig(nicBridgeMappings map[string]string)
 		for _, addr := range addrs {
 			_, ipCidr, err := net.ParseCIDR(addr.String())
 			if err != nil {
-				klog.Errorf("Failed to parse CIDR address %s: %v", addr.String(), err)
+				klog.Errorf("Failed to parse CIDR address %s: %v, skipping", addr.String(), err)
 				continue
 			}
-			// exclude the vip as encap ip
-			if ones, bits := ipCidr.Mask.Size(); ones == bits {
+			// exclude the vip as encap ip unless host-tunnel-src is true
+			if ones, bits := ipCidr.Mask.Size(); ones == bits && !config.HostTunnelSrc {
 				klog.Infof("Skip address %s", ipCidr.String())
 				continue
 			}
 
+			// exclude link-local and localhost addresses
 			ipStr := strings.Split(addr.String(), "/")[0]
-			if ip := net.ParseIP(ipStr); ip == nil || ip.IsLinkLocalUnicast() {
+			_, localhost, _ := net.ParseCIDR("127.0.0.0/8")
+			if ip := net.ParseIP(ipStr); ip == nil || ip.IsLinkLocalUnicast() || localhost.Contains(ip) {
 				continue
 			}
 			if len(srcIPs) == 0 || slices.Contains(srcIPs, ipStr) {