siderolabs / talos

Talos Linux is a modern Linux distribution built for Kubernetes.
https://www.talos.dev
Mozilla Public License 2.0

Support for routing rules and tables #7184

Open dedene opened 1 year ago

dedene commented 1 year ago

Feature Request

Support for routing rules and tables in the machine config

Description

For various setups on Bare Metal, more advanced routing configuration possibilities are needed. This would allow for things like

ip route add default via 46.105.135.110 dev eth0 table 100
ip rule add from 46.105.135.96/28 table 100

See this discussion for an example use case.

smira commented 1 year ago

Some notes from an implementation point of view:

ffetech commented 1 year ago

Would be great if also something like this would be possible: iptables -t nat -A POSTROUTING -s '10.0.0.0/16' -o eth0 -j MASQUERADE … to get a talos node to work as NAT gateway.

smira commented 1 year ago

Would be great if also something like this would be possible: iptables -t nat -A POSTROUTING -s '10.0.0.0/16' -o eth0 -j MASQUERADE … to get a talos node to work as NAT gateway.

This makes sense, but it is totally different from this issue. This should go to #4421

rsidhaarth commented 1 year ago

Would be great if also something like this would be possible: iptables -t nat -A POSTROUTING -s '10.0.0.0/16' -o eth0 -j MASQUERADE … to get a talos node to work as NAT gateway.

@smira Please don't treat this as managing a firewall, because the above command helps to route the LAN network to get internet. But his intention is to make Talos support NAT.

Example: I have a 1Gbit Internet and 10Gbit LAN (without Internet). But in Talos, as of now there is no way to use 10Gbit LAN without a workaround. If we use a 10Gbit network for the K8s network then there will be no internet as there is no way to set up NAT in Talos.

So Talos should have the option to set up NAT so we can route the Private network traffic to the different interfaces to get Internet.

So something like

      interfaces:
        - interface: eth0
          addresses:
            - 10.10.0.2/24
          routes:
            - network: 10.10.0.0/24
              gateway: 10.10.0.1
            - network: 0.0.0.0/0
              interface: eth1
              metric: 200
          mtu: 9000
        - interface: eth1
          addresses:
            - x.x.x.x/26
          routes:
            - network: 0.0.0.0/0
              gateway: x.x.x.x
              metric: 100

eth0 - 10Gbit LAN
eth1 - 1Gbit Public Network

camrossi commented 7 months ago

I need to set a "blackhole" route in my cluster; in general ip route supports doing this:

ip route add blackhole 1.1.1.1/32

So as part of this feature request we could also add route-type support. For now I did this workaround in my cluster but would like to understand if this is ok or if I am gonna end up with issues down the road:

    network:
        interfaces:
            - interface: eth0 # The interface name.
              routes:
                - network: 10.56.0.0/16
                  gateway: 0.0.0.0
              dhcp: true

talosctl -n 192.168.11.90  get route | grep 10.56.0.
NODE            NAMESPACE   TYPE          ID                       VERSION       DESTINATION   GATEWAY  LINK
192.168.11.90   network     RouteStatus   inet4//10.56.0.0/16/1024  1            10.56.0.0/16            eth0 

And it seems to have done the trick but I am not really sure if this is something that is actually supported or not.
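The behaviour the requests in this thread describe (a source-based rule selecting a table, per-table longest-prefix match with metrics, and a blackhole route type), modelled as an added Go example that is not Talos code: it resolves a packet the way the kernel does, using the addresses from the comments above. The table numbers, rule order and the eth0/eth1 default routes are assumptions, and the blackhole entry here is the kernel's own route type (`ip route add blackhole`), unlike the `gateway: 0.0.0.0` workaround above, which the RouteStatus output shows as a gateway-less route tied to eth0, i.e. an on-link route rather than a blackhole.

```go
package main

import "net/netip"

// Route is one routing-table entry; a blackhole entry has neither gateway nor link.
type Route struct {
	Dst           netip.Prefix
	Gateway, Link string
	Metric        int
	Blackhole     bool
}

// Rule maps packets whose source lies in From to table Table; keep rules in ascending priority.
type Rule struct {
	From  netip.Prefix
	Table int
}

// Lookup follows the kernel: the first rule matching src selects a table; the longest matching
// prefix in it wins, lowest metric breaks ties, and a table with no match falls through to the next rule.
func Lookup(rules []Rule, tables map[int][]Route, src, dst netip.Addr) (best Route, ok bool) {
	for _, r := range rules {
		if !r.From.Contains(src) {
			continue
		}
		for _, rt := range tables[r.Table] {
			if rt.Dst.Contains(dst) && (!ok || rt.Dst.Bits() > best.Dst.Bits() ||
				(rt.Dst.Bits() == best.Dst.Bits() && rt.Metric < best.Metric)) {
				best, ok = rt, true
			}
		}
		if ok {
			return best, true
		}
	}
	return Route{}, false // no rule led to a matching route: the packet is unroutable
}

// Sample is a constructed policy from the thread (assumed table numbers): table 100 for 46.105.135.96/28,
// a main table (254) with two default routes ranked by metric, and a kernel blackhole for 10.56.0.0/16.
func Sample() ([]Rule, map[int][]Route) {
	p := netip.MustParsePrefix
	rules := []Rule{{From: p("46.105.135.96/28"), Table: 100}, {From: p("0.0.0.0/0"), Table: 254}}
	tables := map[int][]Route{100: {{Dst: p("0.0.0.0/0"), Gateway: "46.105.135.110", Link: "eth0"}}}
	tables[254] = []Route{{Dst: p("0.0.0.0/0"), Link: "eth1", Metric: 100},
		{Dst: p("0.0.0.0/0"), Link: "eth0", Metric: 200}, {Dst: p("10.56.0.0/16"), Blackhole: true}}
	return rules, tables
}
```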

kvaps commented 6 months ago

Hey there, I just want to note that I'm also looking for a way to do this; I can sponsor writing an implementation.

my issue: https://github.com/siderolabs/talos/issues/8738

maxpain commented 1 month ago

It would be useful for Hetzner vSwitch and OVH vRack.