kubeovn / kube-ovn

A Bridge between SDN and Cloud Native (Project under CNCF)
https://kubeovn.github.io/docs/stable/en/
Apache License 2.0

[BUG] SNAT and DNAT can use non exists EIP #4249

Open reski-rukmantiyo opened 3 days ago

reski-rukmantiyo commented 3 days ago

Kube-OVN Version

v1.12.12

Kubernetes Version

Client Version: v1.30.2
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.30.0

Operation-system/Kernel Version

"Ubuntu 22.04.4 LTS" 5.15.0-113-generic

Description

Right now, SNAT and DNAT can use non-existing EIP resources. These are my EIP resources:

ubuntu@devspace-vm:~/dekagpu-installation/$ k get eip
NAME         IP            MAC                 NAT         NATGWDP   READY
eip-random   172.18.0.51   8e:bf:29:5a:ae:f5               gw1       true
eip01        172.18.0.55   86:64:71:5b:f0:04   dnat,snat   gw1       true
eipd01       172.18.0.54   aa:56:26:1f:62:5b               gw1       true
eips01       172.18.0.52   ce:87:b1:38:5c:c6   dnat,snat   gw1       true

I don't have an EIP called eip101.

Steps To Reproduce

  1. Create and apply SNAT

kind: IptablesSnatRule
apiVersion: kubeovn.io/v1
metadata:
  name: snat01
spec:
  eip: eip101
  internalCIDR: 10.0.1.0/24

  2. Check for SNAT

ubuntu@devspace-vm:~/dekagpu-installation/$ k get snat
NAME     EIP      V4IP          V6IP   INTERNALCIDR   NATGWDP   READY
snat01   eip101   172.18.0.55          10.0.1.0/24    gw1       true

Current Behavior

SNAT and DNAT creation succeeds.

Expected Behavior

SNAT and DNAT creation should fail.

But if this is by design, please note it in the docs. Thanks

bobz965 commented 3 days ago

I think it should fail.

reski-rukmantiyo commented 3 days ago

In the above capture, it's okay although it cannot be used

ubuntu@devspace-vm:~/dekagpu-installation/$ k get snat
NAME     EIP      V4IP          V6IP   INTERNALCIDR   NATGWDP   READY
snat01   eip101   172.18.0.55          10.0.1.0/24    gw1       true

and eip

ubuntu@devspace-vm:~/dekagpu-installation/$ k get eip
NAME         IP            MAC                 NAT         NATGWDP   READY
eip-random   172.18.0.51   8e:bf:29:5a:ae:f5               gw1       true
eip01        172.18.0.55   86:64:71:5b:f0:04   dnat,snat   gw1       true
eipd01       172.18.0.54   aa:56:26:1f:62:5b               gw1       true
eips01       172.18.0.52   ce:87:b1:38:5c:c6   dnat,snat   gw1       true

bobz965 commented 2 days ago

I checked out the code,

I think the case cannot be reproduced.

Could you please show the log about the SNAT snat01 using eip101?

reski-rukmantiyo commented 2 days ago

Hi, please check this out...something weird

ubuntu@devspace-vm:~/dekagpu-installation/$ k get eip
NAME    IP            MAC                 NAT         NATGWDP   READY
eip01   172.18.0.52   02:53:ec:52:e1:2b   dnat,snat   gw1       true
ubuntu@devspace-vm:~/dekagpu-installation/$ k apply -f custom-vpc+nat-gateway/08.yaml 
iptablessnatrule.kubeovn.io/snat01 configured
ubuntu@devspace-vm:~/dekagpu-installation/$ k get eip
NAME    IP            MAC                 NAT         NATGWDP   READY
eip01   172.18.0.52   02:53:ec:52:e1:2b   dnat,snat   gw1       true
ubuntu@devspace-vm:~/dekagpu-installation/$ k get snat 
NAME     EIP      V4IP          V6IP   INTERNALCIDR   NATGWDP   READY
snat01   eips01   172.18.0.52          10.0.1.0/24    gw1       true
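
An audit for the condition reported in this thread, added here as an example that is not part of the issue or of kube-ovn's code: it lists NAT rules whose `spec.eip` names no existing EIP and shows which real EIP, if any, owns the address the rule resolved to. The `status.ip` and `status.v4ip` field names are assumptions inferred from the IP and V4IP columns above, and the sample data is constructed from the first capture plus one hypothetical DNAT rule.

```python
# Input shape: the List objects printed by `kubectl get eip -o json` and
# `kubectl get snat -o json`. The "status" field names are assumptions
# inferred from the IP and V4IP columns shown in the thread.

def dangling_eip_refs(eip_list, rule_lists):
    """Return one finding per NAT rule whose spec.eip names no existing EIP."""
    eips = {e["metadata"]["name"]: e for e in eip_list.get("items", [])}
    # Map each address to the EIP that really owns it (assumed: status.ip).
    ip_owner = {e.get("status", {}).get("ip"): name for name, e in eips.items()}
    ip_owner.pop(None, None)
    findings = []
    for rules in rule_lists:
        for rule in rules.get("items", []):
            ref = rule.get("spec", {}).get("eip")
            if ref in eips:
                continue  # reference resolves to a real EIP object
            # Assumed: status.v4ip is the address the rule was bound to.
            v4ip = rule.get("status", {}).get("v4ip")
            findings.append({
                "kind": rule.get("kind", ""),
                "rule": rule["metadata"]["name"],
                "missing_eip": ref,
                "v4ip": v4ip,
                "ip_owned_by": ip_owner.get(v4ip),
            })
    return findings

# Constructed sample mirroring the first capture in the thread.
EIPS = {"items": [
    {"metadata": {"name": n}, "status": {"ip": ip}} for n, ip in [
        ("eip-random", "172.18.0.51"), ("eip01", "172.18.0.55"),
        ("eipd01", "172.18.0.54"), ("eips01", "172.18.0.52")]]}
SNATS = {"items": [{"kind": "IptablesSnatRule", "metadata": {"name": "snat01"},
                    "spec": {"eip": "eip101", "internalCIDR": "10.0.1.0/24"},
                    "status": {"v4ip": "172.18.0.55"}}]}
# Constructed DNAT rule with a valid reference, to show it is not flagged.
DNATS = {"items": [{"kind": "IptablesDnatRule", "metadata": {"name": "dnat01"},
                    "spec": {"eip": "eip01"}, "status": {"v4ip": "172.18.0.55"}}]}

if __name__ == "__main__":
    for finding in dangling_eip_refs(EIPS, [SNATS, DNATS]):
        print(finding)
```

A finding with a non-empty `ip_owned_by` means the rule is translating traffic through an address that belongs to a different EIP object than the one it names.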