Alert for blocked ESP protocol as part of diagnose

When there is no NAT between the Gateway nodes and Libreswan cable-driver is used, IPsec protocol uses UDP/4500 port for exchanging the keys and ESP for data transfer. As part of subctl diagnose command, this PR now validates if there is a potential issue with ESP and returns appropriate error message. Signed-off-by: Sridhar Gaddam <[email protected]>
submariner-io · Aug 28, 2023 · 79aa9e4 · 79aa9e4
1 parent 64d82fd
commit 79aa9e4
Showing 1 changed file with 40 additions and 7 deletions.
diff --git a/pkg/diagnose/firewall.go b/pkg/diagnose/firewall.go
@@ -46,6 +46,12 @@ const (
 	NatDiscoveryPort
 )
 
+const (
+	Libreswan = "libreswan"
+	Wireguard = "wireguard"
+	VxLAN     = "vxlan"
+)
+
 const (
 	clientSourcePort = "9898"
 	loadBalancerName = "submariner-gateway"
@@ -245,22 +251,49 @@ func verifyConnectivity(localClusterInfo, remoteClusterInfo *cluster.Info, names
 
 	defer cPod.Delete()
 
-	if err = cPod.AwaitCompletion(); err != nil {
+	err = awaitPodCompletion(cPod, sPod, status)
+	if err != nil {
+		return err
+	}
+
+	if options.VerboseOutput {
+		status.Success("tcpdump output from sniffer pod on Gateway node:\n%s", sPod.PodOutput)
+	}
+
+	var noNatWithIPsec bool
+	if gatewayPodIP == localEndpoint.Spec.PrivateIP && localEndpoint.Spec.Backend == Libreswan {
+		noNatWithIPsec = true
+	}
+
+	return validateOutput(sPod, clientMessage, localEndpoint.Spec.Hostname, destPort, noNatWithIPsec, status)
+}
+
+func awaitPodCompletion(cPod, sPod *pods.Scheduled, status reporter.Interface) error {
+	if err := cPod.AwaitCompletion(); err != nil {
 		return status.Error(err, "Error waiting for the client pod to finish its execution")
 	}
 
-	if err = sPod.AwaitCompletion(); err != nil {
+	if err := sPod.AwaitCompletion(); err != nil {
 		return status.Error(err, "Error waiting for the sniffer pod to finish its execution")
 	}
 
-	if options.VerboseOutput {
-		status.Success("tcpdump output from sniffer pod on Gateway node:\n%s", sPod.PodOutput)
-	}
+	return nil
+}
 
+func validateOutput(sPod *pods.Scheduled, clientMessage, hostname string, destPort int32,
+	noNatWithIPsec bool, status reporter.Interface,
+) error {
 	if !strings.Contains(sPod.PodOutput, clientMessage) {
+		if noNatWithIPsec {
+			return status.Error(fmt.Errorf("the tcpdump output from the sniffer pod does not include the message"+
+				" sent from client pod. Please check that your firewall configuration allows UDP/%d traffic"+
+				" and ESP traffic on the %q nodes. Actual pod output: \n%s", destPort, hostname,
+				truncate(sPod.PodOutput)), "")
+		}
+
 		return status.Error(fmt.Errorf("the tcpdump output from the sniffer pod does not include the message"+
 			" sent from client pod. Please check that your firewall configuration allows UDP/%d traffic"+
-			" on the %q node. Actual pod output: \n%s", destPort, localEndpoint.Spec.Hostname, truncate(sPod.PodOutput)), "")
+			" on the %q node. Actual pod output: \n%s", destPort, hostname, truncate(sPod.PodOutput)), "")
 	}
 
 	return nil
@@ -301,7 +334,7 @@ func getTargetPort(submariner *v1alpha1.Submariner, endpoint *subv1.Endpoint, tg
 	var err error
 
 	switch endpoint.Spec.Backend {
-	case "libreswan", "wireguard", "vxlan":
+	case Libreswan, Wireguard, VxLAN:
 		if tgtport == TunnelPort {
 			targetPort, err = endpoint.Spec.GetBackendPort(subv1.UDPPortConfig, int32(submariner.Spec.CeIPSecNATTPort))
 			if err != nil {