diff --git a/api/pkg/apis/projectcalico/v3/felixconfig.go b/api/pkg/apis/projectcalico/v3/felixconfig.go index f5fd04a3548..42b8c050a25 100644 --- a/api/pkg/apis/projectcalico/v3/felixconfig.go +++ b/api/pkg/apis/projectcalico/v3/felixconfig.go @@ -436,6 +436,10 @@ type FelixConfigurationSpec struct { // (ie it uses the iptables MASQUERADE target) NATOutgoingAddress string `json:"natOutgoingAddress,omitempty"` + // When set to true and ip pool setting `natOutgoing` is true, packets sent from Calico networked containers in this pool + // to cluster host subnet will not be excluded from being masqueraded. [Default: false] + DisableHostSubnetNATExclusion bool `json:"disableHostSubnetNATExclusion,omitempty"` + // This is the IPv4 source address to use on programmed device routes. By default the source address is left blank, // leaving the kernel to choose the source address used. DeviceRouteSourceAddress string `json:"deviceRouteSourceAddress,omitempty"` diff --git a/api/pkg/openapi/openapi_generated.go b/api/pkg/openapi/openapi_generated.go index 5717c9e3e9a..d8a6d50e9eb 100644 --- a/api/pkg/openapi/openapi_generated.go +++ b/api/pkg/openapi/openapi_generated.go @@ -2765,6 +2765,13 @@ func schema_pkg_apis_projectcalico_v3_FelixConfigurationSpec(ref common.Referenc Format: "", }, }, + "disableHostSubnetNATExclusion": { + SchemaProps: spec.SchemaProps{ + Description: "When set to true and ip pool setting `natOutgoing` is true, packets sent from Calico networked containers in this pool to cluster host subnet will not be excluded from being masqueraded. [Default: false]", + Type: []string{"boolean"}, + Format: "", + }, + }, "deviceRouteSourceAddress": { SchemaProps: spec.SchemaProps{ Description: "This is the IPv4 source address to use on programmed device routes. By default the source address is left blank, leaving the kernel to choose the source address used.", 
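Review bot: The doc comment added for `DisableHostSubnetNATExclusion` reads as if the setting were scoped to a single IP pool ("containers in this pool"), but FelixConfigurationSpec is a Felix-wide setting, and the double negative "will not be excluded from being masqueraded" is hard to parse. A clearer comment would state the effect directly, e.g. `// When set to true, outgoing NAT for IP pools with natOutgoing enabled is also applied to traffic from Calico workloads to the cluster's host subnets, which is normally left un-masqueraded. Hosts (and host-side policy and logs) would then see the node's address rather than the workload's. [Default: false]`. The same sentence is copied into the generated openapi description and the CRD manifests in this commit, so those would need regenerating after the wording change. The FelixConfigurationSpec struct starts and ends outside the hunk.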
diff --git a/felix/config/config_params.go b/felix/config/config_params.go index c5e8b72d73c..d40f678e0f3 100644 --- a/felix/config/config_params.go +++ b/felix/config/config_params.go @@ -359,9 +359,10 @@ type Config struct { FailsafeInboundHostPorts []ProtoPort `config:"port-list;tcp:22,udp:68,tcp:179,tcp:2379,tcp:2380,tcp:5473,tcp:6443,tcp:6666,tcp:6667;die-on-fail"` FailsafeOutboundHostPorts []ProtoPort `config:"port-list;udp:53,udp:67,tcp:179,tcp:2379,tcp:2380,tcp:5473,tcp:6443,tcp:6666,tcp:6667;die-on-fail"` - KubeNodePortRanges []numorstring.Port `config:"portrange-list;30000:32767"` - NATPortRange numorstring.Port `config:"portrange;"` - NATOutgoingAddress net.IP `config:"ipv4;"` + KubeNodePortRanges []numorstring.Port `config:"portrange-list;30000:32767"` + NATPortRange numorstring.Port `config:"portrange;"` + NATOutgoingAddress net.IP `config:"ipv4;"` + DisableHostSubnetNATExclusion bool `config:"bool;false"` UsageReportingEnabled bool `config:"bool;true"` UsageReportingInitialDelaySecs time.Duration `config:"seconds;300"` diff --git a/felix/dataplane/driver.go b/felix/dataplane/driver.go index e7adb604f14..bdd5735ebc2 100644 --- a/felix/dataplane/driver.go +++ b/felix/dataplane/driver.go @@ -277,6 +277,7 @@ func StartDataplaneDriver(configParams *config.Config, NATPortRange: configParams.NATPortRange, IptablesNATOutgoingInterfaceFilter: configParams.IptablesNATOutgoingInterfaceFilter, NATOutgoingAddress: configParams.NATOutgoingAddress, + DisableHostSubnetNATExclusion: configParams.DisableHostSubnetNATExclusion, BPFEnabled: configParams.BPFEnabled, BPFForceTrackPacketsFromIfaces: replaceWildcards(configParams.NFTablesMode == "Enabled", configParams.BPFForceTrackPacketsFromIfaces), ServiceLoopPrevention: configParams.ServiceLoopPrevention, diff --git a/felix/rules/nat.go b/felix/rules/nat.go index 9ca42fe055a..d830a5de1ec 100644 --- a/felix/rules/nat.go +++ b/felix/rules/nat.go 
@@ -52,13 +52,16 @@ func (r *DefaultRuleRenderer) makeNATOutgoingRuleBPF(version uint8, protocol str func (r *DefaultRuleRenderer) makeNATOutgoingRuleIPTables(ipVersion uint8, protocol string, action Action) Rule { ipConf := r.ipSetConfig(ipVersion) allIPsSetName := ipConf.NameForMainIPSet(IPSetIDNATOutgoingAllPools) - allHostsIPsSetName := ipConf.NameForMainIPSet(IPSetIDAllHostNets) masqIPsSetName := ipConf.NameForMainIPSet(IPSetIDNATOutgoingMasqPools) match := r.NewMatch(). SourceIPSet(masqIPsSetName). - NotDestIPSet(allIPsSetName). - NotDestIPSet(allHostsIPsSetName) + NotDestIPSet(allIPsSetName) + + if !r.Config.DisableHostSubnetNATExclusion { + allHostsIPsSetName := ipConf.NameForMainIPSet(IPSetIDAllHostNets) + match = match.NotDestIPSet(allHostsIPsSetName) + } if protocol != "" { match = match.Protocol(protocol) diff --git a/felix/rules/rule_defs.go b/felix/rules/rule_defs.go index 37bcc13a280..d1b8130b78e 100644 --- a/felix/rules/rule_defs.go +++ b/felix/rules/rule_defs.go @@ -355,6 +355,7 @@ type Config struct { IptablesNATOutgoingInterfaceFilter string NATOutgoingAddress net.IP + DisableHostSubnetNATExclusion bool BPFEnabled bool BPFForceTrackPacketsFromIfaces []string ServiceLoopPrevention string diff --git a/libcalico-go/config/crd/crd.projectcalico.org_felixconfigurations.yaml b/libcalico-go/config/crd/crd.projectcalico.org_felixconfigurations.yaml index ecd3f24f546..7d08c946915 100644 --- a/libcalico-go/config/crd/crd.projectcalico.org_felixconfigurations.yaml +++ b/libcalico-go/config/crd/crd.projectcalico.org_felixconfigurations.yaml 
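Review bot: The new flag is only honoured in `makeNATOutgoingRuleIPTables`; the BPF variant `makeNATOutgoingRuleBPF` named in the hunk header is not touched by this commit, so unless the BPF dataplane reads `Config.DisableHostSubnetNATExclusion` somewhere outside this diff, the setting would be silently ignored in BPF mode while the API field documents no such limitation. Either apply the same toggle to the BPF path or state the iptables-only scope in the field's doc comment and CRD description. The new `if` also deserves a why-comment, since the host-network exclusion is what lets hosts see real workload source addresses, e.g. `// Host networks are normally excluded from outgoing NAT so that hosts see the real workload source IP; the operator can opt out of that exclusion.`. The body of makeNATOutgoingRuleIPTables continues past the end of the hunk.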
@@ -350,6 +350,12 @@ spec:
 type: string
 disableConntrackInvalidCheck:
 type: boolean
+ disableHostSubnetNATExclusion:
+ description: 'When set to true and ip pool setting `natOutgoing` is
+ true, packets sent from Calico networked containers in this pool
+ to cluster host subnet will not be excluded from being masqueraded. [Default:
+ false]'
+ type: boolean
 endpointReportingDelay:
 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
 type: string
diff --git a/manifests/calico-bpf.yaml b/manifests/calico-bpf.yaml
index 634d4c7f191..37dee9b4881 100644
--- a/manifests/calico-bpf.yaml
+++ b/manifests/calico-bpf.yaml
@@ -1346,6 +1346,12 @@ spec:
 type: string
 disableConntrackInvalidCheck:
 type: boolean
+ disableHostSubnetNATExclusion:
+ description: 'When set to true and ip pool setting `natOutgoing` is
+ true, packets sent from Calico networked containers in this pool
+ to cluster host subnet will not be excluded from being masqueraded. [Default:
+ false]'
+ type: boolean
 endpointReportingDelay:
 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
 type: string
diff --git a/manifests/calico-policy-only.yaml b/manifests/calico-policy-only.yaml
index 76cc6d09803..6acdf21de45 100644
--- a/manifests/calico-policy-only.yaml
+++ b/manifests/calico-policy-only.yaml
@@ -1356,6 +1356,12 @@ spec:
 type: string
 disableConntrackInvalidCheck:
 type: boolean
+ disableHostSubnetNATExclusion:
+ description: 'When set to true and ip pool setting `natOutgoing` is
+ true, packets sent from Calico networked containers in this pool
+ to cluster host subnet will not be excluded from being masqueraded. [Default:
+ false]'
+ type: boolean
 endpointReportingDelay:
 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
 type: string
diff --git a/manifests/calico-typha.yaml b/manifests/calico-typha.yaml
index 9bb02a041c7..ee803e2b8c2 100644
--- a/manifests/calico-typha.yaml
+++ b/manifests/calico-typha.yaml
@@ -1357,6 +1357,12 @@ spec:
 type: string
 disableConntrackInvalidCheck:
 type: boolean
+ disableHostSubnetNATExclusion:
+ description: 'When set to true and ip pool setting `natOutgoing` is
+ true, packets sent from Calico networked containers in this pool
+ to cluster host subnet will not be excluded from being masqueraded. [Default:
+ false]'
+ type: boolean
 endpointReportingDelay:
 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
 type: string
diff --git a/manifests/calico-vxlan.yaml b/manifests/calico-vxlan.yaml
index b3ab123b651..7c112fd8408 100644
--- a/manifests/calico-vxlan.yaml
+++ b/manifests/calico-vxlan.yaml
@@ -1341,6 +1341,12 @@ spec:
 type: string
 disableConntrackInvalidCheck:
 type: boolean
+ disableHostSubnetNATExclusion:
+ description: 'When set to true and ip pool setting `natOutgoing` is
+ true, packets sent from Calico networked containers in this pool
+ to cluster host subnet will not be excluded from being masqueraded. [Default:
+ false]'
+ type: boolean
 endpointReportingDelay:
 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
 type: string
diff --git a/manifests/calico.yaml b/manifests/calico.yaml
index c0514c98d19..b62ae1db4a4 100644
--- a/manifests/calico.yaml
+++ b/manifests/calico.yaml
@@ -1341,6 +1341,12 @@ spec:
 type: string
 disableConntrackInvalidCheck:
 type: boolean
+ disableHostSubnetNATExclusion:
+ description: 'When set to true and ip pool setting `natOutgoing` is
+ true, packets sent from Calico networked containers in this pool
+ to cluster host subnet will not be excluded from being masqueraded. [Default:
+ false]'
+ type: boolean
 endpointReportingDelay:
 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
 type: string
diff --git a/manifests/canal.yaml b/manifests/canal.yaml
index aecd097c9a4..dd10186c769 100644
--- a/manifests/canal.yaml
+++ b/manifests/canal.yaml
@@ -1358,6 +1358,12 @@ spec:
 type: string
 disableConntrackInvalidCheck:
 type: boolean
+ disableHostSubnetNATExclusion:
+ description: 'When set to true and ip pool setting `natOutgoing` is
+ true, packets sent from Calico networked containers in this pool
+ to cluster host subnet will not be excluded from being masqueraded. [Default:
+ false]'
+ type: boolean
 endpointReportingDelay:
 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
 type: string
diff --git a/manifests/crds.yaml b/manifests/crds.yaml
index 70d9042c8df..a08a7f9aad2 100644
--- a/manifests/crds.yaml
+++ b/manifests/crds.yaml
@@ -1251,6 +1251,12 @@ spec:
 type: string
 disableConntrackInvalidCheck:
 type: boolean
+ disableHostSubnetNATExclusion:
+ description: 'When set to true and ip pool setting `natOutgoing` is
+ true, packets sent from Calico networked containers in this pool
+ to cluster host subnet will not be excluded from being masqueraded. [Default:
+ false]'
+ type: boolean
 endpointReportingDelay:
 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
 type: string
diff --git a/manifests/flannel-migration/calico.yaml b/manifests/flannel-migration/calico.yaml
index 1c783d53af7..0ed6c51cc11 100644
--- a/manifests/flannel-migration/calico.yaml
+++ b/manifests/flannel-migration/calico.yaml
@@ -1341,6 +1341,12 @@ spec:
 type: string
 disableConntrackInvalidCheck:
 type: boolean
+ disableHostSubnetNATExclusion:
+ description: 'When set to true and ip pool setting `natOutgoing` is
+ true, packets sent from Calico networked containers in this pool
+ to cluster host subnet will not be excluded from being masqueraded. [Default:
+ false]'
+ type: boolean
 endpointReportingDelay:
 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
 type: string
diff --git a/manifests/ocp/crd.projectcalico.org_felixconfigurations.yaml b/manifests/ocp/crd.projectcalico.org_felixconfigurations.yaml
index 2990873decd..830c524db04 100644
--- a/manifests/ocp/crd.projectcalico.org_felixconfigurations.yaml
+++ b/manifests/ocp/crd.projectcalico.org_felixconfigurations.yaml
@@ -350,6 +350,12 @@ spec:
 type: string
 disableConntrackInvalidCheck:
 type: boolean
+ disableHostSubnetNATExclusion:
+ description: 'When set to true and ip pool setting `natOutgoing` is
+ true, packets sent from Calico networked containers in this pool
+ to cluster host subnet will not be excluded from being masqueraded. [Default:
+ false]'
+ type: boolean
 endpointReportingDelay:
 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
 type: string
diff --git a/manifests/operator-crds.yaml b/manifests/operator-crds.yaml
index 37e38fedfb8..ce1df50bde4 100644
--- a/manifests/operator-crds.yaml
+++ b/manifests/operator-crds.yaml
@@ -17780,6 +17780,12 @@ spec:
 type: string
 disableConntrackInvalidCheck:
 type: boolean
+ disableHostSubnetNATExclusion:
+ description: 'When set to true and ip pool setting `natOutgoing` is
+ true, packets sent from Calico networked containers in this pool
+ to cluster host subnet will not be excluded from being masqueraded. [Default:
+ false]'
+ type: boolean
 endpointReportingDelay:
 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
 type: string
diff --git a/manifests/tigera-operator.yaml b/manifests/tigera-operator.yaml
index befb0fe9ccf..3d6472f529b 100644
--- a/manifests/tigera-operator.yaml
+++ b/manifests/tigera-operator.yaml
@@ -1263,6 +1263,12 @@ spec:
 type: string
 disableConntrackInvalidCheck:
 type: boolean
+ disableHostSubnetNATExclusion:
+ description: 'When set to true and ip pool setting `natOutgoing` is
+ true, packets sent from Calico networked containers in this pool
+ to cluster host subnet will not be excluded from being masqueraded. [Default:
+ false]'
+ type: boolean
 endpointReportingDelay:
 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
 type: string