wireguard: use allowed_ips only for nodes

Signed-off-by: Nathan Skrzypczak <[email protected]>
projectcalico · Nov 2, 2023 · 65effe7 · 65effe7
1 parent af1ec91
commit 65effe7
Show file tree

Hide file tree

Showing 5 changed files with 210 additions and 221 deletions.
diff --git a/calico-vpp-agent/connectivity/ipip.go b/calico-vpp-agent/connectivity/ipip.go
@@ -138,13 +138,14 @@ func (p *IpipProvider) AddConnectivity(cn *common.NodeConnectivity) error {
 			p.errorCleanup(tunnel)
 			return errors.Wrapf(err, "Error setting ipip interface up")
 		}
+		p.log.Infof("connectivity(add) before route IPIP tunnel=%s", tunnel.String())
 
 		p.log.Debugf("Routing pod->node %s traffic into tunnel (swIfIndex %d)", cn.NextHop.String(), swIfIndex)
 		err = p.vpp.RouteAdd(&types.Route{
 			Dst: common.ToMaxLenCIDR(cn.NextHop),
 			Paths: []types.RoutePath{{
 				SwIfIndex: swIfIndex,
-				Gw:        nil,
+				Gw:        cn.NextHop,
 			}},
 			Table: common.PodVRFIndex,
 		})
@@ -166,7 +167,7 @@ func (p *IpipProvider) AddConnectivity(cn *common.NodeConnectivity) error {
 		Dst: &cn.Dst,
 		Paths: []types.RoutePath{{
 			SwIfIndex: tunnel.SwIfIndex,
-			Gw:        nil,
+			Gw:        cn.NextHop,
 		}},
 	}
 	err := p.vpp.RouteAdd(route)
@@ -191,7 +192,7 @@ func (p *IpipProvider) DelConnectivity(cn *common.NodeConnectivity) error {
 		Dst: &cn.Dst,
 		Paths: []types.RoutePath{{
 			SwIfIndex: tunnel.SwIfIndex,
-			Gw:        nil,
+			Gw:        cn.NextHop,
 		}},
 	}
 	err := p.vpp.RouteDel(routeToDelete)
@@ -208,7 +209,7 @@ func (p *IpipProvider) DelConnectivity(cn *common.NodeConnectivity) error {
 			Dst: common.ToMaxLenCIDR(cn.NextHop),
 			Paths: []types.RoutePath{{
 				SwIfIndex: tunnel.SwIfIndex,
-				Gw:        nil,
+				Gw:        cn.NextHop,
 			}},
 			Table: common.PodVRFIndex,
 		})

diff --git a/calico-vpp-agent/connectivity/vxlan.go b/calico-vpp-agent/connectivity/vxlan.go
@@ -195,7 +195,7 @@ func (p *VXLanProvider) AddConnectivity(cn *common.NodeConnectivity) error {
 				Dst: common.ToMaxLenCIDR(cn.NextHop),
 				Paths: []types.RoutePath{{
 					SwIfIndex: swIfIndex,
-					Gw:        nil,
+					Gw:        cn.NextHop,
 				}},
 				Table: common.PodVRFIndex,
 			})
@@ -251,7 +251,7 @@ func (p *VXLanProvider) AddConnectivity(cn *common.NodeConnectivity) error {
 		Dst: &cn.Dst,
 		Paths: []types.RoutePath{{
 			SwIfIndex: tunnel.SwIfIndex,
-			Gw:        nodeIP, // FIXME this is probably wrong. The gateway of route going out to another node should not point to THIS node.
+			Gw:        cn.NextHop,
 		}},
 		Table: table,
 	}
@@ -263,15 +263,11 @@ func (p *VXLanProvider) AddConnectivity(cn *common.NodeConnectivity) error {
 	return p.vpp.RouteAdd(route)
 }
 
-func (p *VXLanProvider) DelConnectivity(cn *common.NodeConnectivity) error {
+func (p *VXLanProvider) DelConnectivity(cn *common.NodeConnectivity) (err error) {
 	tunnel, found := p.vxlanIfs[cn.NextHop.String()+"-"+fmt.Sprint(cn.Vni)]
 	if !found {
 		return errors.Errorf("Deleting unknown vxlan tunnel cn=%s", cn.String())
 	}
-	nodeIP, err := p.getNodeIpForConnectivity(cn)
-	if err != nil {
-		return err
-	}
 
 	var routeToDelete *types.Route
 	if cn.Vni == 0 {
@@ -280,7 +276,7 @@ func (p *VXLanProvider) DelConnectivity(cn *common.NodeConnectivity) error {
 			Dst: &cn.Dst,
 			Paths: []types.RoutePath{{
 				SwIfIndex: tunnel.SwIfIndex,
-				Gw:        nodeIP,
+				Gw:        cn.NextHop,
 			}},
 		}
 	} else {
@@ -290,7 +286,7 @@ func (p *VXLanProvider) DelConnectivity(cn *common.NodeConnectivity) error {
 			Dst: &cn.Dst,
 			Paths: []types.RoutePath{{
 				SwIfIndex: tunnel.SwIfIndex,
-				Gw:        nodeIP,
+				Gw:        cn.NextHop,
 			}},
 			Table: vrfIndex,
 		}