mirrors/tailscale
1
0
Fork 0
Code Issues Pull Requests Projects Wiki Activity

cmd/containerboot,util/linuxfw: create a SNAT rule for dst/src only once, clean up if needed (#13658)

Browse Source 
The AddSNATRuleForDst rule was adding a new rule each time it was called including:
- if a rule already existed
- if a rule matching the destination, but with different desired source already existed

This was causing issues especially for the in-progress egress HA proxies work,
where the rules are now refreshed more frequently, so more redundant rules
were being created.

This change:
- only creates the rule if it doesn't already exist
- if a rule for the same dst, but different source is found, delete it
- also ensures that egress proxies refresh firewall rules
if the node's tailnet IP changes

Updates tailscale/tailscale#13406

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
This commit is contained in:
Irbe Krumina
2024-10-03 20:15:00 +01:00
committed by GitHub
parent a3c6a3a34f
commit 9bd158cc09
9 changed files with 272 additions and 73 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
cmd/containerboot/services.go
View File

@ -196,8 +196,7 @@ func (ep *egressProxy) syncEgressConfigs(cfgs *egressservices.Configs, status *e
if !local.IsValid() {
return nil, fmt.Errorf("no valid local IP: %v", local)
}
// TODO(irbekrm): only create the SNAT rule if it does not already exist.
if err := ep.nfr.AddSNATRuleForDst(local, t); err != nil {
if err := ep.nfr.EnsureSNATForDst(local, t); err != nil {
return nil, fmt.Errorf("error setting up SNAT rule: %w", err)
}
}