Added possibility to switch to iptables nf_tables

Author: cheina97

deployments/liqo/README.md

@@ -90,7 +90,6 @@
 | metricAgent.pod.labels | object | `{}` | Labels for the metricAgent pod. |
 | metricAgent.pod.resources | object | `{"limits":{},"requests":{}}` | Resource requests and limits (https://kubernetes.io/docs/user-guide/compute-resources/) for the metricAgent pod. |
 | nameOverride | string | `""` | Override the standard name used by Helm and associated to Kubernetes/Liqo resources. |
-| networkConfig.mtu | int | `1340` | Set the MTU for the interfaces managed by liqo: vxlan, tunnel and veth interfaces. The value is used by the gateway and route operators. The default value is configured to ensure correct behavior regardless of the combination of the underlying environments (e.g., cloud providers). This guarantees improved compatibility at the cost of possible limited performance drops. |
 | networkManager.config.additionalPools | list | `[]` | Set of additional network pools to perform the automatic address mapping in Liqo. Network pools are used to map a cluster network into another one in order to prevent conflicts. Default set of network pools is: [10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12] |
 | networkManager.config.podCIDR | string | `""` | The subnet used by the pods in your cluster, in CIDR notation (e.g., 10.0.0.0/16). |
 | networkManager.config.reservedSubnets | list | `[]` | List of IP subnets that do not have to be used by Liqo. Liqo can perform automatic IP address remapping when a remote cluster is peering with you, e.g., in case IP address spaces (e.g., PodCIDR) overlaps. In order to prevent IP conflicting between locally used private subnets in your infrastructure and private subnets belonging to remote clusters you need tell liqo the subnets used in your cluster. E.g if your cluster nodes belong to the 192.168.2.0/24 subnet, then you should add that subnet to the reservedSubnets. PodCIDR and serviceCIDR used in the local cluster are automatically added to the reserved list. |
@@ -103,6 +102,9 @@
 | networkManager.pod.labels | object | `{}` | Labels for the networkManager pod. |
 | networkManager.pod.resources | object | `{"limits":{},"requests":{}}` | Resource requests and limits (https://kubernetes.io/docs/user-guide/compute-resources/) for the networkManager pod. |
 | networking.internal | bool | `true` | Use the default Liqo network manager. |
+| networking.iptables | object | `{"mode":"nf_tables"}` | Iptables configuration tuning. |
+| networking.iptables.mode | string | `"nf_tables"` | Select the iptables mode to use. Possible values are "legacy" and "nf_tables". |
+| networking.mtu | int | `1340` | Set the MTU for the interfaces managed by liqo: vxlan, tunnel and veth interfaces. The value is used by the gateway and route operators. The default value is configured to ensure correct behavior regardless of the combination of the underlying environments (e.g., cloud providers). This guarantees improved compatibility at the cost of possible limited performance drops. |
 | networking.reflectIPs | bool | `true` | Reflect pod IPs and EnpointSlices to the remote clusters. |
 | openshiftConfig.enable | bool | `false` | Enable/Disable the OpenShift support, enabling Openshift-specific resources, and setting the pod security contexts in a way that is compatible with Openshift. |
 | openshiftConfig.virtualKubeletSCCs | list | `["anyuid"]` | Security context configurations granted to the virtual kubelet in the local cluster. The configuration of one or more SCCs for the virtual kubelet is not strictly required, and privileges can be reduced in production environments. Still, the default configuration (i.e., anyuid) is suggested to prevent problems (i.e., the virtual kubelet fails to add the appropriate labels) when attempting to offload pods not managed by higher-level abstractions (e.g., Deployments), and not associated with a properly privileged service account. Indeed, "anyuid" is the SCC automatically associated with pods created by cluster administrators. Any pod granted a more privileged SCC and not linked to an adequately privileged service account will fail to be offloaded. |

deployments/liqo/templates/liqo-gateway-deployment.yaml

@@ -46,7 +46,7 @@ spec:
           args:
           - --run-as=liqo-gateway
           - --gateway.leader-elect=true
-          - --gateway.mtu={{ .Values.networkConfig.mtu }}
+          - --gateway.mtu={{ .Values.networking.mtu }}
           - --gateway.listening-port={{ .Values.gateway.config.listeningPort }}
           {{- if .Values.gateway.metrics.enabled }}
           - --metrics-bind-addr=:{{ .Values.gateway.metrics.port }}
@@ -72,6 +72,8 @@ spec:
                   fieldPath: status.podIP
             - name: WIREGUARD_IMPLEMENTATION
               value: {{ .Values.gateway.config.wireguardImplementation }}
+            - name: IPTABLES_MODE
+              value: {{ .Values.networking.iptables.mode }}
       hostNetwork: true
       {{- if ((.Values.common).nodeSelector) }}
       nodeSelector:

deployments/liqo/templates/liqo-network-manager-deployment.yaml

@@ -58,6 +58,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+            - name: IPTABLES_MODE
+              value: {{ .Values.networking.iptables.mode }}
           resources: {{- toYaml .Values.networkManager.pod.resources | nindent 12 }}
       {{- if ((.Values.common).nodeSelector) }}
       nodeSelector:

deployments/liqo/templates/liqo-route-daemonset.yaml

@@ -43,7 +43,7 @@ spec:
           command: ["/usr/bin/liqonet"]
           args:
           - --run-as=liqo-route
-          - --route.vxlan-mtu={{ .Values.networkConfig.mtu }}
+          - --route.vxlan-mtu={{ .Values.networking.mtu }}
           {{- if .Values.route.pod.extraArgs }}
           {{- toYaml .Values.route.pod.extraArgs | nindent 10 }}
           {{- end }}
@@ -67,6 +67,8 @@ spec:
               valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
+            - name: IPTABLES_MODE
+              value: {{ .Values.networking.iptables.mode }}
           volumeMounts:
             - mountPath: /run/xtables.lock
               name: xtables-lock

deployments/liqo/values.yaml

@@ -6,6 +6,15 @@
 tag: ""
 # -- The pullPolicy for liqo pods.
 pullPolicy: "IfNotPresent"
+
+common:
+  # -- NodeSelector for all liqo services, excluding virtual kubelet deployment.
+  nodeSelector: {}
+  # -- Tolerations for all liqo services, excluding virtual kubelet deployment.
+  tolerations: []
+  # -- Affinity for all liqo services, excluding virtual kubelet deployment.
+  affinity: {}
+
 apiServer:
   # -- The address that must be used to contact your API server, it needs to be reachable from the clusters that you will peer with (defaults to your master IP).
   address: ""
@@ -17,6 +26,15 @@ networking:
   internal: true
   # -- Reflect pod IPs and EnpointSlices to the remote clusters.
   reflectIPs: true
+  # -- Iptables configuration tuning.
+  iptables:
+    # -- Select the iptables mode to use. Possible values are "legacy" and "nf_tables".
+    mode: "nf_tables"
+  # -- Set the MTU for the interfaces managed by liqo: vxlan, tunnel and veth interfaces.
+  # The value is used by the gateway and route operators.
+  # The default value is configured to ensure correct behavior regardless of the combination of the underlying environments
+  # (e.g., cloud providers). This guarantees improved compatibility at the cost of possible limited performance drops.
+  mtu: 1340
 
 reflection:
   skip:
@@ -465,18 +483,4 @@ openshiftConfig:
   virtualKubeletSCCs:
   - anyuid
 
-# Configuration for liqo networking.
-networkConfig:
-  # -- Set the MTU for the interfaces managed by liqo: vxlan, tunnel and veth interfaces.
-  # The value is used by the gateway and route operators.
-  # The default value is configured to ensure correct behavior regardless of the combination of the underlying environments
-  # (e.g., cloud providers). This guarantees improved compatibility at the cost of possible limited performance drops.
-  mtu: 1340
 
-common:
-  # -- NodeSelector for all liqo services, excluding virtual kubelet deployment.
-  nodeSelector: {}
-  # -- Tolerations for all liqo services, excluding virtual kubelet deployment.
-  tolerations: []
-  # -- Affinity for all liqo services, excluding virtual kubelet deployment.
-  affinity: {}

docs/_legacy/pages/configuration/networking.md

@@ -47,7 +47,7 @@ liqoctl install ${YOUR_PROVIDER} --cluster-name ${YOUR_CLUSTER_NAME} --mtu 1400
 The `liqoctl install` command is idempotent and can be executed multiple times to enforce the desired configuration.
 {{% /notice %}}
 
-If you are installing Liqo using the provided helm chart than the MTU size can be configured by setting the `networkConfig.mtu` variable in the [values.yaml file](../../../installation/chart_values/#values).
+If you are installing Liqo using the provided helm chart than the MTU size can be configured by setting the `networking.mtu` variable in the [values.yaml file](../../../installation/chart_values/#values).
 
 
 

go.mod

@@ -264,3 +264,6 @@ require (
 )
 
 replace github.com/grandcat/zeroconf => github.com/liqotech/zeroconf v1.0.1-0.20201020081245-6384f3f21ffb
+
+// Waitin for PR https://github.com/coreos/go-iptables/pull/110 to be merged
+replace github.com/coreos/go-iptables => github.com/cheina97/go-iptables v0.0.0-20230824102241-61fc692e7548

go.sum

@@ -204,6 +204,8 @@ github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chai2010/gettext-go v1.0.2 h1:1Lwwip6Q2QGsAdl/ZKPCwTe9fe0CjlUbqj5bFNSjIRk=
 github.com/chai2010/gettext-go v1.0.2/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA=
+github.com/cheina97/go-iptables v0.0.0-20230824102241-61fc692e7548 h1:tsUrWiCxLp1cI8TB7qDmHNezZavWgxghH+m+pW+04wA=
+github.com/cheina97/go-iptables v0.0.0-20230824102241-61fc692e7548/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
@@ -227,8 +229,6 @@ github.com/containernetworking/plugins v1.3.0 h1:QVNXMT6XloyMUoO2wUOqWTC1hWFV62Q
 github.com/containernetworking/plugins v1.3.0/go.mod h1:Pc2wcedTQQCVuROOOaLBPPxrEXqqXBFt3cZ+/yVg6l0=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
-github.com/coreos/go-iptables v0.7.0 h1:XWM3V+MPRr5/q51NuWSgU0fqMad64Zyxs8ZUoMsamr8=
-github.com/coreos/go-iptables v0.7.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4=

pkg/liqonet/iptables/iptables.go

@@ -17,6 +17,7 @@ package iptables
 import (
 	"encoding/csv"
 	"fmt"
+	"os"
 	"strings"
 
 	"github.com/coreos/go-iptables/iptables"
@@ -95,10 +96,19 @@ type IPTHandler struct {
 
 // NewIPTHandler return the iptables handler used to configure the iptables rules.
 func NewIPTHandler() (IPTHandler, error) {
-	ipt, err := iptables.New()
+	selectedmode := os.Getenv("IPTABLES_MODE")
+	var ipt *iptables.IPTables
+	var err error
+	if iptables.ModeType(selectedmode) == iptables.ModeTypeNFTables || iptables.ModeType(selectedmode) == iptables.ModeTypeLegacy {
+		ipt, err = iptables.New(iptables.Mode(iptables.ModeType(selectedmode)))
+	} else {
+		ipt, err = iptables.New()
+	}
 	if err != nil {
 		return IPTHandler{}, err
 	}
+	v1, v2, v3, mode := ipt.GetIptablesVersion()
+	klog.Infof("Iptables version: %d.%d.%d, mode: %s", v1, v2, v3, mode)
 	return IPTHandler{
 		ipt: *ipt,
 	}, err