feat: allow from snat eip to fip eip#6329
Conversation
dosubot
bot
added
the
size:L
Summary of ChangesHello @zbb88888, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request enhances the VPC NAT gateway functionality by introducing hairpin SNAT capabilities. This feature is crucial for correctly handling traffic originating from within a VPC that is destined for an External IP (EIP) that has been DNAT'd back into the same VPC. Without hairpin SNAT, such traffic could experience issues with connection tracking, leading to dropped packets. The changes include new iptables rules, helper functions for rule management, and comprehensive end-to-end tests to validate the new behavior. Highlights
Changelog
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces hairpin SNAT functionality, which is a valuable addition for enabling traffic from an internal CIDR to an EIP that is DNAT'd back to an internal IP. The changes in nat-gateway.sh correctly set up the necessary iptables chains and rules, and the new e2e tests in e2e_test.go provide good coverage for both creation and deletion of these rules. The suggestions to improve the performance of the shell script by reducing the number of calls to iptables-save within loops are valuable and align with preferring simpler, more efficient solutions.
Pull Request Test Coverage Report for Build 22534103773Details
💛 - Coveralls |
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces hairpin SNAT functionality to enable internal VMs to access each other via their Floating IPs. The changes in nat-gateway.sh correctly set up the necessary iptables chains and logic to automatically manage hairpin rules alongside standard SNAT rules. The new e2e tests in test/e2e/iptables-vpc-nat-gw/e2e_test.go are well-written and provide good coverage for the new feature, including creation and cleanup verification. My feedback includes a performance optimization for the shell script and a suggestion to refactor the test code to reduce duplication. Overall, this is a solid implementation of a valuable feature.
There was a problem hiding this comment.
Code Review
This pull request introduces hairpin SNAT functionality, enabling internal VMs to communicate with each other using their floating IPs. However, a high-severity command injection risk has been identified in nat-gateway.sh due to the use of unquoted variables in shell commands executed via bash -c. This architectural pattern is insecure and requires hardening through proper quoting and refactoring the command execution mechanism. Additionally, while the iptables logic and e2e_test.go are comprehensive, an improvement is needed in del_snat to ensure consistency and prevent a potential bug.
There was a problem hiding this comment.
Code Review
This pull request introduces hairpin SNAT functionality to allow internal VMs to access other internal services via their Floating IP. A critical command injection vulnerability has been identified in the new nat-gateway.sh script, stemming from unvalidated user input and potentially leading to Remote Code Execution (RCE). Furthermore, there is a critical issue in the shell script's error handling and a high-severity issue in the e2e test logic. Addressing these points, particularly through strict input validation, is crucial to ensure the robustness, reliability, and security of this new feature.
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces hairpin SNAT functionality, enabling internal VMs to access each other via their Floating IPs, implemented by adding a new HAIRPIN_SNAT iptables chain and logic in nat-gateway.sh. However, a critical security audit revealed three command injection vulnerabilities in the nat-gateway.sh script, specifically within the add_hairpin_snat, del_hairpin_snat, and add_snat functions. These vulnerabilities arise from the direct use of un-sanitized user-provided arguments, allowing for potential arbitrary code execution. Remediation requires implementing strict input validation for IP addresses and CIDR notations. While the e2e tests in e2e_test.go are comprehensive and the overall implementation is solid, there is also a minor suggestion to improve code clarity in the shell script.
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces hairpin SNAT functionality to allow internal traffic to access services via their floating IPs. The changes in nat-gateway.sh are well-implemented, adding the necessary iptables chains and logic to automatically manage hairpin rules alongside SNAT rules. The E2E tests in e2e_test.go are comprehensive, covering creation, deletion, and shared EIP scenarios, which ensures the new feature is robust. The minor suggestions to improve code consistency and readability remain valid.
|
/gemini review |
There was a problem hiding this comment.
Code Review
The pull request introduces hairpin SNAT functionality to the VPC NAT gateway, enabling internal VMs to access other internal VMs via their Floating IP (FIP) when SNAT is also configured. This is a significant improvement for network connectivity within the VPC. The implementation includes automatic management of hairpin SNAT rules during SNAT creation and deletion, as well as comprehensive E2E tests. I have identified a few opportunities for improvement in the shell script to enhance robustness, particularly around handling multiple matching iptables rules and ensuring safe variable expansion.
zbb88888
force-pushed
the
eip2eip
branch
5 times, most recently
from
03d36bf to
408579f
Compare
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces hairpin SNAT functionality to enable internal-to-internal traffic via Floating IPs, with modifications to the nat-gateway.sh script for managing iptables rules and new e2e tests. A critical vulnerability exists in the rule deletion process: the script's use of grep to identify rules for deletion can fail when multiple rules match, potentially leaving stale iptables rules active for both standard and hairpin SNAT. Additionally, feedback suggests improving the robustness of iptables rule matching in both the script and tests for better correctness and performance.
zbb88888
changed the title
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces hairpin NAT functionality to allow internal services to access each other using their external IPs (FIPs). The changes involve adding a new HAIRPIN_SNAT iptables chain and logic to automatically add/remove hairpin rules when SNAT rules for internal CIDRs are managed. The implementation in nat-gateway.sh is robust, using idempotent operations and detailed rule matching. The accompanying e2e tests in Go are comprehensive, covering rule creation, data path validation, and cleanup scenarios, ensuring the new feature is well-tested. I've suggested a minor performance optimization in the shell script to cache results of is_internal_cidr within function calls to avoid redundant operations in loops.
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces hairpin SNAT functionality, enabling internal services to access each other via their floating IPs, with changes to the nat-gateway.sh script and new e2e tests. However, the implementation has critical security concerns, including a vulnerable command execution pattern in the controller that allows for RCE in the privileged NAT gateway pod. Additionally, the hairpin SNAT logic is too broad, potentially breaking multi-EIP configurations, and violates several shell scripting best practices, which could lead to globbing issues. For improved maintainability and test robustness, duplicated code in the shell script should be refactored, and the new e2e test needs to be more comprehensive by asserting the correctness of the source IP after NAT.
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces hairpin NAT functionality, allowing internal services to access other internal services via their external IPs (FIPs). The changes include adding new iptables chains and rules in nat-gateway.sh to handle hairpin SNAT, and corresponding E2E tests in Go to validate the new feature. The implementation appears correct and robust, with good use of efficient shell scripting patterns and comprehensive test coverage for rule creation, data path verification, and cleanup. I have one suggestion to improve code maintainability by reducing duplication.
|
@oilbeater 大佬,帮忙 review 下 |
Signed-off-by: zbb88888 <jmdxjsjgcxy@gmail.com>
|
Hi @zbb88888 I'm testing this patch on my NAT gateways and I'm finding more use cases where we could improve the hairpin logic. I'd like to pass them through you:
The hairpin logic looks through routes on the VPC interface of the NAT gateway, but it matches the full route. Or if I'm SNATing multiple subnets behind a single NAT gateway through a 0.0.0.0/0 SNAT, then hairpin will not work for anyone.
Despite the title of the PR, I tested the hairpin rules and they only get created when doing SNATs, not when creating Flexible IPs, but I may be missing something
If you have a loadbalancer with a custom range within your Subnet (e.g. 198.18.0.0/24), this LB targets pods within your subnet transparently (it doesn't SNAT to its own address). But no hairpin is created for it.
Say you have subnet A and B, with the NAT gateway being in subnet A. Redirect your traffic using a static route in subnet B to the NAT gateway. You now have one NAT gateway for 2 subnets. Do SNAT+DNAT of a pod within subnet A, try to access it through its EIP from subnet B. No hairpin is created for it, as it was only created for subnet A. Hairpin seems to be pretty hard... I'm examining solutions, and here's what I came up with:
Example:
Without hairpin, none of the 3 subnets can reach the EIP and expect traffic coming back with the correct source IP. When the SNAT is created, ovn-controller triggers the following reconciliation:
That way, if any subnet in the VPC passes through the NAT gateway, hairpin is successful. For FIPs and not SNATs, replace 10.10.0.0/24 by 10.10.0.10/32 for example For the loadbalancer case, if the route is statically injected in the VPC NAT gateway (it is possible through a new option I added to the CRD), we can add an option to hairpin the traffic. What do you think? |
|
Testing this #6445 |
4 participants
Pull Request
What type of this PR
Examples of user facing changes:
Which issue(s) this PR fixes
Fixes #(issue-number)