Enable twice NAT for external IPs in services

Author: rastislavs

mock/natplugin/natplugin_mock.go

@@ -255,8 +255,8 @@ func (mnt *MockNatPlugin) dnatToStaticMappings(dnat *nat.Nat44DNat_DNatConfig) (
 		sm := &StaticMapping{}
 
 		// fields set to a constant value
-		if staticMapping.ExternalPort != 0 && staticMapping.TwiceNat != nat.TwiceNatMode_SELF {
-			return nil, errors.New("self-twice-NAT not enabled for static mapping")
+		if staticMapping.ExternalPort != 0 && staticMapping.TwiceNat == nat.TwiceNatMode_DISABLED {
+			return nil, errors.New("self-twice-NAT/twice-NAT not enabled for static mapping")
 		}
 		if staticMapping.ExternalInterface != "" {
 			return nil, errors.New("static mapping with external interface is not expected")
@@ -285,6 +285,11 @@ func (mnt *MockNatPlugin) dnatToStaticMappings(dnat *nat.Nat44DNat_DNatConfig) (
 		}
 		sm.ExternalPort = uint16(staticMapping.ExternalPort)
 
+		// twice NAT
+		if staticMapping.TwiceNat == nat.TwiceNatMode_ENABLED {
+			sm.TwiceNAT = true
+		}
+
 		// locals
 		for _, local := range staticMapping.LocalIps {
 			localIP := net.ParseIP(local.LocalIp)

mock/natplugin/static_mappings.go

@@ -34,6 +34,7 @@ type StaticMapping struct {
 	ExternalPort uint16
 	Protocol     renderer.ProtocolType
 	Locals       []*Local
+	TwiceNAT     bool
 }
 
 // Local represents a single backend for VPP NAT mapping.
@@ -125,8 +126,8 @@ func (sm *StaticMapping) String() string {
 			locals += ", "
 		}
 	}
-	return fmt.Sprintf("StaticMapping <ExternalIP:%s ExternalPort:%d Protocol:%s, Locals:[%s]>",
-		sm.ExternalIP.String(), sm.ExternalPort, sm.Protocol.String(), locals)
+	return fmt.Sprintf("StaticMapping <ExternalIP:%s ExternalPort:%d Protocol:%s, Locals:[%s] TwiceNAT:[%t]>",
+		sm.ExternalIP.String(), sm.ExternalPort, sm.Protocol.String(), locals, sm.TwiceNAT)
 }
 
 // String converts local into a human-readable string.
@@ -141,6 +142,7 @@ func (sm *StaticMapping) Copy() *StaticMapping {
 		ExternalIP:   dupIP(sm.ExternalIP),
 		ExternalPort: sm.ExternalPort,
 		Protocol:     sm.Protocol,
+		TwiceNAT:     sm.TwiceNAT,
 	}
 	for _, local := range sm.Locals {
 		smCopy.Locals = append(smCopy.Locals, &Local{
@@ -157,7 +159,8 @@ func (sm *StaticMapping) Copy() *StaticMapping {
 func (sm *StaticMapping) Equals(sm2 *StaticMapping) bool {
 	if !sm.ExternalIP.Equal(sm2.ExternalIP) ||
 		sm.ExternalPort != sm2.ExternalPort ||
-		sm.Protocol != sm2.Protocol {
+		sm.Protocol != sm2.Protocol ||
+		sm.TwiceNAT != sm2.TwiceNAT {
 		return false
 	}
 	if len(sm.Locals) != len(sm2.Locals) {

plugins/service/nat44_test.go

@@ -363,6 +363,7 @@ func TestResyncAndSingleService(t *testing.T) {
 	Expect(natPlugin.HasStaticMapping(staticMapping1)).To(BeTrue())
 	staticMapping2 := staticMapping1.Copy()
 	staticMapping2.ExternalIP = net.ParseIP("20.20.20.20")
+	staticMapping2.TwiceNAT = true
 	Expect(natPlugin.HasStaticMapping(staticMapping2)).To(BeTrue())
 
 	// Change port number for pod2.
@@ -799,8 +800,10 @@ func TestMultipleServicesWithMultiplePortsAndResync(t *testing.T) {
 	Expect(natPlugin.HasStaticMapping(staticMappingHTTPS)).To(BeTrue())
 	staticMappingHTTP2 := staticMappingHTTP.Copy()
 	staticMappingHTTP2.ExternalIP = net.ParseIP("20.20.20.20")
+	staticMappingHTTP2.TwiceNAT = true
 	staticMappingHTTPS2 := staticMappingHTTPS.Copy()
 	staticMappingHTTPS2.ExternalIP = net.ParseIP("20.20.20.20")
+	staticMappingHTTPS2.TwiceNAT = true
 	Expect(natPlugin.HasStaticMapping(staticMappingHTTP2)).To(BeTrue())
 	Expect(natPlugin.HasStaticMapping(staticMappingHTTPS2)).To(BeTrue())
 
@@ -1592,6 +1595,7 @@ func TestServiceUpdates(t *testing.T) {
 	Expect(natPlugin.HasStaticMapping(staticMappingHTTP)).To(BeTrue())
 	staticMappingHTTP2 := staticMappingHTTP.Copy()
 	staticMappingHTTP2.ExternalIP = net.ParseIP("20.20.20.20")
+	staticMappingHTTP2.TwiceNAT = true
 	Expect(natPlugin.HasStaticMapping(staticMappingHTTP2)).To(BeTrue())
 	Expect(natPlugin.NumOfStaticMappings()).To(Equal(2))
 
@@ -1718,6 +1722,7 @@ func TestServiceUpdates(t *testing.T) {
 	Expect(natPlugin.HasStaticMapping(staticMappingHTTP)).To(BeTrue())
 	staticMappingHTTP2 = staticMappingHTTP.Copy()
 	staticMappingHTTP2.ExternalIP = net.ParseIP("20.20.20.20")
+	staticMappingHTTP2.TwiceNAT = true
 	Expect(natPlugin.HasStaticMapping(staticMappingHTTP2)).To(BeTrue())
 	Expect(natPlugin.NumOfStaticMappings()).To(Equal(2))
 	Expect(natPlugin.NumOfIdentityMappings()).To(Equal(3))
@@ -1789,6 +1794,7 @@ func TestServiceUpdates(t *testing.T) {
 	Expect(natPlugin.HasStaticMapping(staticMappingHTTPS)).To(BeTrue())
 	staticMappingHTTPS2 := staticMappingHTTPS.Copy()
 	staticMappingHTTPS2.ExternalIP = net.ParseIP("20.20.20.20")
+	staticMappingHTTPS2.TwiceNAT = true
 	Expect(natPlugin.HasStaticMapping(staticMappingHTTP2)).To(BeTrue())
 	Expect(natPlugin.HasStaticMapping(staticMappingHTTPS2)).To(BeTrue())
 	Expect(natPlugin.NumOfStaticMappings()).To(Equal(4))

plugins/service/processor/service.go

@@ -99,7 +99,7 @@ func (s *Service) Refresh() {
 	if s.meta.ClusterIp != "" && s.meta.ClusterIp != "None" {
 		clusterIP := net.ParseIP(s.meta.ClusterIp)
 		if clusterIP != nil {
-			s.contivSvc.ExternalIPs.Add(clusterIP)
+			s.contivSvc.ClusterIPs.Add(clusterIP)
 		} else {
 			s.sp.Log.WithFields(logging.Fields{
 				"service":   s.contivSvc.ID,

plugins/service/renderer/api.go

@@ -117,10 +117,14 @@ type ContivService struct {
 	// TrafficPolicy decides if traffic is routed cluster-wide or node-local only.
 	TrafficPolicy TrafficPolicyType
 
-	// ExternalIPs is a set of all IP addresses on which the service
-	// should be exposed on this node (aside from node IPs for NodePorts, which
+	// ClusterIPs is a set of all IP addresses on which the service
+	// should be exposed within the cluster (aside from node IPs for NodePorts, which
 	// are provided separately via the ServiceRendererAPI.UpdateNodePortServices()
 	// method).
+	ClusterIPs *IPAddresses
+
+	// ExternalIPs is a set of all IP addresses on which the service
+	// should be exposed outside of the cluster (e.g. external load-balancer IPs).
 	ExternalIPs *IPAddresses
 
 	// Ports is a map of all ports exposed for this service.
@@ -144,6 +148,7 @@ const (
 // NewContivService is a constructor for ContivService.
 func NewContivService() *ContivService {
 	return &ContivService{
+		ClusterIPs:  NewIPAddresses(),
 		ExternalIPs: NewIPAddresses(),
 		Ports:       make(map[string]*ServicePort),
 		Backends:    make(map[string][]*ServiceBackend),
@@ -152,6 +157,13 @@ func NewContivService() *ContivService {
 
 // String converts ContivService into a human-readable string.
 func (cs ContivService) String() string {
+	clusterIPs := ""
+	for idx, ip := range cs.ClusterIPs.list {
+		clusterIPs += ip.String()
+		if idx < len(cs.ClusterIPs.list)-1 {
+			clusterIPs += ", "
+		}
+	}
 	externalIPs := ""
 	for idx, ip := range cs.ExternalIPs.list {
 		externalIPs += ip.String()
@@ -175,8 +187,8 @@ func (cs ContivService) String() string {
 		}
 		idx++
 	}
-	return fmt.Sprintf("ContivService %s <Traffic-Policy:%s ExternalIPs:[%s] Backends:{%s}>",
-		cs.ID.String(), cs.TrafficPolicy.String(), externalIPs, allBackends)
+	return fmt.Sprintf("ContivService %s <Traffic-Policy:%s ClusterIPs:[%s] ExternalIPs:[%s] Backends:{%s}>",
+		cs.ID.String(), cs.TrafficPolicy.String(), clusterIPs, externalIPs, allBackends)
 }
 
 // String converts TrafficPolicyType into a human-readable string.

plugins/service/renderer/nat44/nat44_renderer.go

@@ -53,6 +53,15 @@ const (
 	defaultIdleOtherTimeout = 5 * time.Minute // inactive timeout for other NAT sessions
 )
 
+// serviceIPType represents type of IP address where the service is accessible: node / cluster / external
+type serviceIPType int
+
+const (
+	nodeIP serviceIPType = iota
+	clusterIP
+	externalIP
+)
+
 var (
 	tcpNatSessionCount          uint64
 	otherNatSessionCount        uint64
@@ -490,70 +499,43 @@ func (rndr *Renderer) exportDNATMappings(service *renderer.ContivService) []*nat
 
 	// Export NAT mappings for NodePort services.
 	if service.HasNodePort() {
-		for _, nodeIP := range rndr.nodeIPs.List() {
-			if nodeIP.To4() != nil {
-				nodeIP = nodeIP.To4()
-			}
-			// Add one mapping for each port.
-			for portName, port := range service.Ports {
-				if port.NodePort == 0 {
-					continue
-				}
-				mapping := &nat.Nat44DNat_DNatConfig_StaticMapping{}
-				mapping.TwiceNat = nat.TwiceNatMode_SELF
-				mapping.ExternalIp = nodeIP.String()
-				mapping.ExternalPort = uint32(port.NodePort)
-				switch port.Protocol {
-				case renderer.TCP:
-					mapping.Protocol = nat.Protocol_TCP
-				case renderer.UDP:
-					mapping.Protocol = nat.Protocol_UDP
-				}
-				for _, backend := range service.Backends[portName] {
-					if service.TrafficPolicy != renderer.ClusterWide && !backend.Local {
-						// Do not NAT+LB remote backends.
-						continue
-					}
-					local := &nat.Nat44DNat_DNatConfig_StaticMapping_LocalIP{
-						LocalIp:   backend.IP.String(),
-						LocalPort: uint32(backend.Port),
-					}
-					if backend.Local {
-						local.Probability = uint32(rndr.Contiv.GetServiceLocalEndpointWeight())
-					} else {
-						local.Probability = 1
-					}
-					if rndr.isNodeLocalIP(backend.IP) {
-						local.VrfId = rndr.Contiv.GetMainVrfID()
-					} else {
-						local.VrfId = rndr.Contiv.GetPodVrfID()
-					}
-					mapping.LocalIps = append(mapping.LocalIps, local)
-				}
-				if len(mapping.LocalIps) == 0 {
-					continue
-				}
-				if len(mapping.LocalIps) == 1 {
-					// For single backend we use "0" to represent the probability
-					// (not really configured).
-					mapping.LocalIps[0].Probability = 0
-				}
-				mappings = append(mappings, mapping)
-			}
-		}
+		mappings = rndr.exportServiceIPMappings(service, mappings, rndr.nodeIPs, nodeIP)
 	}
 
-	// Export NAT mappings for external IPs.
-	for _, externalIP := range service.ExternalIPs.List() {
+	// Export NAT mappings for cluster & external IPs.
+	mappings = rndr.exportServiceIPMappings(service, mappings, service.ClusterIPs, clusterIP)
+	mappings = rndr.exportServiceIPMappings(service, mappings, service.ExternalIPs, externalIP)
+
+	return mappings
+}
+
+// exportServiceIPMappings exports the corresponding list of D-NAT mappings from a list of service IPs of the given service.
+func (rndr *Renderer) exportServiceIPMappings(service *renderer.ContivService, mappings []*nat.Nat44DNat_DNatConfig_StaticMapping,
+	serviceIPs *renderer.IPAddresses, ipType serviceIPType) []*nat.Nat44DNat_DNatConfig_StaticMapping {
+
+	for _, ip := range serviceIPs.List() {
+		if ip.To4() != nil {
+			ip = ip.To4()
+		}
 		// Add one mapping for each port.
 		for portName, port := range service.Ports {
-			if port.Port == 0 {
+			if ipType == nodeIP && port.NodePort == 0 {
+				continue
+			} else if ipType != nodeIP && port.Port == 0 {
 				continue
 			}
 			mapping := &nat.Nat44DNat_DNatConfig_StaticMapping{}
-			mapping.TwiceNat = nat.TwiceNatMode_ENABLED
-			mapping.ExternalIp = externalIP.String()
-			mapping.ExternalPort = uint32(port.Port)
+			if ipType == externalIP {
+				mapping.TwiceNat = nat.TwiceNatMode_ENABLED
+			} else {
+				mapping.TwiceNat = nat.TwiceNatMode_SELF
+			}
+			mapping.ExternalIp = ip.String()
+			if ipType == nodeIP {
+				mapping.ExternalPort = uint32(port.NodePort)
+			} else {
+				mapping.ExternalPort = uint32(port.Port)
+			}
 			switch port.Protocol {
 			case renderer.TCP:
 				mapping.Protocol = nat.Protocol_TCP
@@ -592,7 +574,6 @@ func (rndr *Renderer) exportDNATMappings(service *renderer.ContivService) []*nat
 			mappings = append(mappings, mapping)
 		}
 	}
-
 	return mappings
 }