fix(vpcnatgw): cannot DNAT same EIP and same external port on two different protocols (#6201)

SkalaNetworks · oilbeater · commit 9ac4ac62e671 · 2026-01-23T02:15:49.000Z
You should be able to DNAT 1.1.1.1:22 TCP and 1.1.1.1:22 UDP on the same EIP, but the check doesn't check if it is two different protocols. On Windows, RDP asks to open both the UDP and TCP protocols on the same port. It cannot be done behind an EIP attached to a VPC NAT gateway because of this bug.

Signed-off-by: SkalaNetworks &lt;contact@skala.network&gt;
diff --git a/pkg/controller/vpc_nat_gw_nat.go b/pkg/controller/vpc_nat_gw_nat.go
@@ -419,7 +419,7 @@ func (c *Controller) handleAddIptablesDnatRule(key string) error {
 		klog.Errorf("failed to get eip, %v", err)
 		return err
 	}
-	if dup, err := c.isDnatDuplicated(eip.Spec.NatGwDp, eipName, dnat.Name, dnat.Spec.ExternalPort); dup || err != nil {
+	if dup, err := c.isDnatDuplicated(eip.Spec.NatGwDp, dnat.Spec.EIP, dnat.Name, dnat.Spec.ExternalPort, dnat.Spec.Protocol); dup || err != nil {
 		klog.Error(err)
 		return err
 	}
@@ -494,7 +494,7 @@ func (c *Controller) handleUpdateIptablesDnatRule(key string) error {
 		klog.Errorf("failed to get eip, %v", err)
 		return err
 	}
-	if dup, err := c.isDnatDuplicated(cachedDnat.Status.NatGwDp, eipName, cachedDnat.Name, cachedDnat.Spec.ExternalPort); dup || err != nil {
+	if dup, err := c.isDnatDuplicated(cachedDnat.Status.NatGwDp, cachedDnat.Spec.EIP, cachedDnat.Name, cachedDnat.Spec.ExternalPort, cachedDnat.Spec.Protocol); dup || err != nil {
 		klog.Errorf("failed to update dnat, %v", err)
 		return err
 	}
@@ -1536,8 +1536,8 @@ func (c *Controller) snatChangeEip(snat *kubeovnv1.IptablesSnatRule, eip *kubeov
 	return false
 }
 
-func (c *Controller) isDnatDuplicated(gwName, eipName, dnatName, externalPort string) (bool, error) {
-	// check if eip:external port already used
+func (c *Controller) isDnatDuplicated(gwName, eipName, dnatName, externalPort, protocol string) (bool, error) {
+	// Check if the tuple "eip:external port:protocol" is already used by another DNAT rule
 	dnats, err := c.iptablesDnatRulesLister.List(labels.SelectorFromSet(labels.Set{
 		util.VpcNatGatewayNameLabel: gwName,
 		util.VpcDnatEPortLabel:      externalPort,
@@ -1549,8 +1549,8 @@ func (c *Controller) isDnatDuplicated(gwName, eipName, dnatName, externalPort st
 	}
 	if len(dnats) != 0 {
 		for _, d := range dnats {
-			if d.Name != dnatName && d.Spec.EIP == eipName {
-				err = fmt.Errorf("failed to create dnat %s, duplicate, same eip %s, same external port '%s' is using by dnat %s", dnatName, eipName, externalPort, d.Name)
+			if d.Name != dnatName && d.Spec.EIP == eipName && d.Spec.Protocol == protocol {
+				err = fmt.Errorf("failed to create dnat %s, duplicate, same eip %s, same external port '%s', same protocol'%s' is using by dnat %s", dnatName, eipName, externalPort, protocol, d.Name)
 				return true, err
 			}
 		}

Original file line number	Diff line number	Diff line change
`@@ -419,7 +419,7 @@ func (c *Controller) handleAddIptablesDnatRule(key string) error {`
`419`	`419`	`klog.Errorf("failed to get eip, %v", err)`
`420`	`420`	`return err`
`421`	`421`	`}`
`422`		`- if dup, err := c.isDnatDuplicated(eip.Spec.NatGwDp, eipName, dnat.Name, dnat.Spec.ExternalPort); dup \|\| err != nil {`
	`422`	`+ if dup, err := c.isDnatDuplicated(eip.Spec.NatGwDp, dnat.Spec.EIP, dnat.Name, dnat.Spec.ExternalPort, dnat.Spec.Protocol); dup \|\| err != nil {`
`423`	`423`	`klog.Error(err)`
`424`	`424`	`return err`
`425`	`425`	`}`
`@@ -494,7 +494,7 @@ func (c *Controller) handleUpdateIptablesDnatRule(key string) error {`
`494`	`494`	`klog.Errorf("failed to get eip, %v", err)`
`495`	`495`	`return err`
`496`	`496`	`}`
`497`		`- if dup, err := c.isDnatDuplicated(cachedDnat.Status.NatGwDp, eipName, cachedDnat.Name, cachedDnat.Spec.ExternalPort); dup \|\| err != nil {`
	`497`	`+ if dup, err := c.isDnatDuplicated(cachedDnat.Status.NatGwDp, cachedDnat.Spec.EIP, cachedDnat.Name, cachedDnat.Spec.ExternalPort, cachedDnat.Spec.Protocol); dup \|\| err != nil {`
`498`	`498`	`klog.Errorf("failed to update dnat, %v", err)`
`499`	`499`	`return err`
`500`	`500`	`}`
`@@ -1536,8 +1536,8 @@ func (c Controller) snatChangeEip(snat kubeovnv1.IptablesSnatRule, eip *kubeov`
`1536`	`1536`	`return false`
`1537`	`1537`	`}`
`1538`	`1538`
`1539`		`-func (c *Controller) isDnatDuplicated(gwName, eipName, dnatName, externalPort string) (bool, error) {`
`1540`		`- // check if eip:external port already used`
	`1539`	`+func (c *Controller) isDnatDuplicated(gwName, eipName, dnatName, externalPort, protocol string) (bool, error) {`
	`1540`	`+ // Check if the tuple "eip:external port:protocol" is already used by another DNAT rule`
`1541`	`1541`	`dnats, err := c.iptablesDnatRulesLister.List(labels.SelectorFromSet(labels.Set{`
`1542`	`1542`	`util.VpcNatGatewayNameLabel: gwName,`
`1543`	`1543`	`util.VpcDnatEPortLabel: externalPort,`
`@@ -1549,8 +1549,8 @@ func (c *Controller) isDnatDuplicated(gwName, eipName, dnatName, externalPort st`
`1549`	`1549`	`}`
`1550`	`1550`	`if len(dnats) != 0 {`
`1551`	`1551`	`for _, d := range dnats {`
`1552`		`- if d.Name != dnatName && d.Spec.EIP == eipName {`
`1553`		`- err = fmt.Errorf("failed to create dnat %s, duplicate, same eip %s, same external port '%s' is using by dnat %s", dnatName, eipName, externalPort, d.Name)`
	`1552`	`+ if d.Name != dnatName && d.Spec.EIP == eipName && d.Spec.Protocol == protocol {`
	`1553`	`+ err = fmt.Errorf("failed to create dnat %s, duplicate, same eip %s, same external port '%s', same protocol'%s' is using by dnat %s", dnatName, eipName, externalPort, protocol, d.Name)`
`1554`	`1554`	`return true, err`
`1555`	`1555`	`}`
`1556`	`1556`	`}`