Use symmetric return path for non-VPC traffic - alternate solution (a…

…ws#1475)

* use symmetric return path for non-VPC traffic

* account for custom veth prefix configuration

* update host iptables rules on VPC CIDR change

* update integration tests to recognize new changes

* new integration test: reset aws-node config

* update README

README.md

@@ -376,7 +376,7 @@ Type: String
 
 Default: `eni`
 
-Specifies the veth prefix used to generate the host-side veth device name for the CNI. The prefix can be at most 4 characters long.
+Specifies the veth prefix used to generate the host-side veth device name for the CNI. The prefix can be at most 4 characters long. The prefixes `eth`, `vlan` and `lo` are reserved by the CNI plugin and cannot be specified. We recommend using prefix name not shared by any other network interfaces on the worker node instance.
 
 ---
 

cmd/routed-eni-cni-plugin/driver/driver.go

@@ -217,40 +217,13 @@ func setupNS(hostVethName string, contVethName string, netnsPath string, addr *n
 	if deviceNumber > 0 {
 		// To be backwards compatible, we will have to keep this off-by one setting
 		tableNumber := deviceNumber + 1
-		if useExternalSNAT {
-			// add rule: 1536: from <podIP> use table <table>
-			err = addContainerRule(netLink, false, addr, tableNumber)
-			if err != nil {
-				log.Errorf("Failed to add fromContainer rule for %s err: %v", addr.String(), err)
-				return errors.Wrap(err, "add NS network: failed to add fromContainer rule")
-			}
-			log.Infof("Added rule priority %d from %s table %d", fromContainerRulePriority, addr.String(), tableNumber)
-		} else {
-			// add rule: 1536: list of from <podIP> to <vpcCIDR> use table <table>
-			for _, cidr := range vpcCIDRs {
-				podRule := netLink.NewRule()
-				_, podRule.Dst, _ = net.ParseCIDR(cidr)
-				podRule.Src = addr
-				podRule.Table = tableNumber
-				podRule.Priority = fromContainerRulePriority
-
-				err = netLink.RuleAdd(podRule)
-				if isRuleExistsError(err) {
-					log.Warnf("Rule already exists [%v]", podRule)
-				} else {
-					if err != nil {
-						log.Errorf("Failed to add pod IP rule [%v]: %v", podRule, err)
-						return errors.Wrapf(err, "setupNS: failed to add pod rule [%v]", podRule)
-					}
-				}
-				var toDst string
-
-				if podRule.Dst != nil {
-					toDst = podRule.Dst.String()
-				}
-				log.Infof("Successfully added pod rule[%v] to %s", podRule, toDst)
-			}
+		// add rule: 1536: from <podIP> use table <table>
+		err = addContainerRule(netLink, false, addr, tableNumber)
+		if err != nil {
+			log.Errorf("Failed to add fromContainer rule for %s err: %v", addr.String(), err)
+			return errors.Wrap(err, "add NS network: failed to add fromContainer rule")
 		}
+		log.Infof("Added rule priority %d from %s table %d", fromContainerRulePriority, addr.String(), tableNumber)
 	}
 	return nil
 }

pkg/ipamd/ipamd.go

@@ -405,7 +405,7 @@ func (c *IPAMContext) nodeInit() error {
 		return err
 	}
 
-	if err = c.configureIPRulesForPods(vpcCIDRs); err != nil {
+	if err = c.configureIPRulesForPods(); err != nil {
 		return err
 	}
 	// Spawning updateCIDRsRulesOnChange go-routine
@@ -458,7 +458,7 @@ func (c *IPAMContext) nodeInit() error {
 	return nil
 }
 
-func (c *IPAMContext) configureIPRulesForPods(pbVPCcidrs []string) error {
+func (c *IPAMContext) configureIPRulesForPods() error {
 	rules, err := c.networkClient.GetRuleList()
 	if err != nil {
 		log.Errorf("During ipamd init: failed to retrieve IP rule list %v", err)
@@ -471,7 +471,7 @@ func (c *IPAMContext) configureIPRulesForPods(pbVPCcidrs []string) error {
 		// Update ip rules in case there is a change in VPC CIDRs, AWS_VPC_K8S_CNI_EXTERNALSNAT setting
 		srcIPNet := net.IPNet{IP: net.ParseIP(info.IP), Mask: net.IPv4Mask(255, 255, 255, 255)}
 
-		err = c.networkClient.UpdateRuleListBySrc(rules, srcIPNet, pbVPCcidrs, !c.networkClient.UseExternalSNAT())
+		err = c.networkClient.UpdateRuleListBySrc(rules, srcIPNet)
 		if err != nil {
 			log.Warnf("UpdateRuleListBySrc in nodeInit() failed for IP %s: %v", info.IP, err)
 		}
@@ -489,7 +489,11 @@ func (c *IPAMContext) updateCIDRsRulesOnChange(oldVPCCIDRs []string) []string {
 	old := sets.NewString(oldVPCCIDRs...)
 	new := sets.NewString(newVPCCIDRs...)
 	if !old.Equal(new) {
-		_ = c.configureIPRulesForPods(newVPCCIDRs)
+		primaryIP := c.awsClient.GetLocalIPv4()
+		err = c.networkClient.UpdateHostIptablesRules(newVPCCIDRs, c.awsClient.GetPrimaryENImac(), &primaryIP)
+		if err != nil {
+			log.Warnf("unable to update host iptables rules for VPC CIDRs due to error: %v", err)
+		}
 	}
 	return newVPCCIDRs
 }

pkg/ipamd/ipamd_test.go

@@ -152,8 +152,7 @@ func TestNodeInit(t *testing.T) {
 	var rules []netlink.Rule
 	m.network.EXPECT().GetRuleList().Return(rules, nil)
 
-	m.network.EXPECT().UseExternalSNAT().Return(false)
-	m.network.EXPECT().UpdateRuleListBySrc(gomock.Any(), gomock.Any(), gomock.Any(), true)
+	m.network.EXPECT().UpdateRuleListBySrc(gomock.Any(), gomock.Any())
 
 	fakeNode := v1.Node{
 		TypeMeta:   metav1.TypeMeta{Kind: "Node"},