feat(vm-route-forge): add routes for subnets in blackhole (#365)

add routes for subnets in blackhole --------- Signed-off-by: Yaroslav Borbat <86148689+yaroslavborbat@users.noreply.github.com> Co-authored-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
deckhouse · Sep 17, 2024 · 51cd316 · 51cd316
1 parent 24ae25d
commit 51cd316
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 0 deletions.
diff --git a/images/vm-route-forge/internal/controller/route/route_controller.go b/images/vm-route-forge/internal/controller/route/route_controller.go
@@ -223,6 +223,15 @@ func (c *Controller) Run(ctx context.Context, workers int) error {
 		return fmt.Errorf("failed to synchronize routing rules at start: %w", err)
 	}
 
+	go func() {
+		// AddSubnetRoutesToBlackHole will be executed every minute until context canceled.
+		wait.UntilWithContext(newCtx, func(_ context.Context) {
+			if err := c.netlinkMgr.AddSubnetsRoutesToBlackHole(); err != nil {
+				c.log.Error(err, "Failed to add blackhole routes for subnets.")
+			}
+		}, time.Minute)
+	}()
+
 	c.log.Info("Starting workers of route controller")
 	for i := 0; i < workers; i++ {
 		go wait.UntilWithContext(newCtx, c.worker, time.Second)

diff --git a/images/vm-route-forge/internal/netlinkmanager/manager.go b/images/vm-route-forge/internal/netlinkmanager/manager.go
@@ -41,6 +41,8 @@ const (
 	DefaultCiliumRouteTable = 1490
 	LocalRouteTable         = 255
 	netlinkManager          = "netlinkManager"
+	routePriority           = 0
+	blackHoleRoutePriority  = 100
 )
 
 type Manager struct {
@@ -67,6 +69,23 @@ func New(cache vmipcache.Cache,
 	}
 }
 
+func (m *Manager) AddSubnetsRoutesToBlackHole() error {
+	for _, cidr := range m.cidrs {
+		route := &netlink.Route{
+			Scope:    netlink.SCOPE_UNIVERSE,
+			Dst:      cidr,
+			Table:    m.routeTableID,
+			Type:     unix.RTN_BLACKHOLE,
+			Priority: blackHoleRoutePriority,
+		}
+		if err := m.nlWrapper.RouteReplace(route); err != nil {
+			return fmt.Errorf("failed to update route: %w", err)
+		}
+	}
+
+	return nil
+}
+
 // SyncRules adds rules for configured CIDRS into the Cilium table.
 // Also, it removes existing rules for previously configured CIDRs.
 func (m *Manager) SyncRules() error {
@@ -193,6 +212,7 @@ func (m *Manager) UpdateRoute(vm *virtv2.VirtualMachine, ciliumNode *ciliumv2.Ci
 	route.Dst = vmRouteDst
 	route.Table = m.routeTableID
 	route.Type = 1
+	route.Priority = routePriority
 
 	if err = m.nlWrapper.RouteReplace(&route); err != nil {
 		m.log.Error(err, fmt.Sprintf("failed to update route %q to %q for VM %s/%s", fmtRoute(origRoute), fmtRoute(route), vm.GetNamespace(), vm.GetName()))