diff --git a/pkg/diagnose/firewall.go b/pkg/diagnose/firewall.go
index d2e21784e..e03542224 100644
--- a/pkg/diagnose/firewall.go
+++ b/pkg/diagnose/firewall.go
@@ -46,6 +46,12 @@ const (
 	NatDiscoveryPort
 )
 
+const (
+	Libreswan = "libreswan"
+	Wireguard = "wireguard"
+	VxLAN = "vxlan"
+)
+
 const (
 	clientSourcePort = "9898"
 	loadBalancerName = "submariner-gateway"
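Review bot: The three exported constants added in this hunk (Libreswan, Wireguard, VxLAN) carry no doc comment, and nothing at the declaration says they are the backend names that `endpoint.Spec.Backend` is compared against further down in this file. A one-line comment on the block, `// Backend names as they appear in Endpoint.Spec.Backend.`, would make the switch in getTargetPort self-explanatory. If other packages also compare the backend name, it may be worth defining these alongside the Endpoint type rather than in pkg/diagnose so the string values have a single owner.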
@@ -245,22 +251,49 @@ func verifyConnectivity(localClusterInfo, remoteClusterInfo *cluster.Info, names
 	defer cPod.Delete()
 
-	if err = cPod.AwaitCompletion(); err != nil {
+	err = awaitPodCompletion(cPod, sPod, status)
+	if err != nil {
+		return err
+	}
+
+	if options.VerboseOutput {
+		status.Success("tcpdump output from sniffer pod on Gateway node:\n%s", sPod.PodOutput)
+	}
+
+	var noNatWithIPsec bool
+	if gatewayPodIP == localEndpoint.Spec.PrivateIP && localEndpoint.Spec.Backend == Libreswan {
+		noNatWithIPsec = true
+	}
+
+	return validateOutput(sPod, clientMessage, localEndpoint.Spec.Hostname, destPort, noNatWithIPsec, status)
+}
+
+func awaitPodCompletion(cPod, sPod *pods.Scheduled, status reporter.Interface) error {
+	if err := cPod.AwaitCompletion(); err != nil {
 		return status.Error(err, "Error waiting for the client pod to finish its execution")
 	}
 
-	if err = sPod.AwaitCompletion(); err != nil {
+	if err := sPod.AwaitCompletion(); err != nil {
 		return status.Error(err, "Error waiting for the sniffer pod to finish its execution")
 	}
 
-	if options.VerboseOutput {
-		status.Success("tcpdump output from sniffer pod on Gateway node:\n%s", sPod.PodOutput)
-	}
+	return nil
+}
 
+func validateOutput(sPod *pods.Scheduled, clientMessage, hostname string, destPort int32,
+	noNatWithIPsec bool, status reporter.Interface,
+) error {
 	if !strings.Contains(sPod.PodOutput, clientMessage) {
+		if noNatWithIPsec {
+			return status.Error(fmt.Errorf("the tcpdump output from the sniffer pod does not include the message"+
+				" sent from client pod. Please check that your firewall configuration allows UDP/%d traffic"+
+				" and ESP traffic on the %q nodes. Actual pod output: \n%s", destPort, hostname,
+				truncate(sPod.PodOutput)), "")
+		}
+
 		return status.Error(fmt.Errorf("the tcpdump output from the sniffer pod does not include the message"+
 			" sent from client pod. Please check that your firewall configuration allows UDP/%d traffic"+
-			" on the %q node. Actual pod output: \n%s", destPort, localEndpoint.Spec.Hostname, truncate(sPod.PodOutput)), "")
+			" on the %q node. Actual pod output: \n%s", destPort, hostname, truncate(sPod.PodOutput)), "")
 	}
 
 	return nil
@@ -301,7 +334,7 @@ func getTargetPort(submariner *v1alpha1.Submariner, endpoint *subv1.Endpoint, tg
 	var err error
 
 	switch endpoint.Spec.Backend {
-	case "libreswan", "wireguard", "vxlan":
+	case Libreswan, Wireguard, VxLAN:
 		if tgtport == TunnelPort {
 			targetPort, err = endpoint.Spec.GetBackendPort(subv1.UDPPortConfig, int32(submariner.Spec.CeIPSecNATTPort))
 			if err != nil {
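Review bot: The two return branches in the new validateOutput repeat the same three-line firewall message and differ only in the node clause (`" on the %q node."` versus `" and ESP traffic on the %q nodes."`), which invites the two wordings to drift apart on the next edit; building that clause once and formatting a single error keeps them in step. Neither new helper has a doc comment, and the meaning of noNatWithIPsec is only recoverable from the caller's condition on gatewayPodIP and the Libreswan backend, so a line such as `// validateOutput checks that the sniffer captured clientMessage; noNatWithIPsec (presumably: a Libreswan gateway whose pod IP is its endpoint private IP) adds the ESP hint to the firewall message.` would help. In verifyConnectivity, `err = awaitPodCompletion(cPod, sPod, status)` followed by `if err != nil` could be the scoped form `if err := awaitPodCompletion(cPod, sPod, status); err != nil {` since err is not reused afterwards in the hunk. verifyConnectivity's body begins before this hunk, so whether err is still needed earlier cannot be confirmed here.

```go
func validateOutput(sPod *pods.Scheduled, clientMessage, hostname string, destPort int32,
	noNatWithIPsec bool, status reporter.Interface,
) error {
	if !strings.Contains(sPod.PodOutput, clientMessage) {
		// Only the node clause differs between the IPsec-without-NAT case and the default.
		nodeHint := fmt.Sprintf(" on the %q node.", hostname)
		if noNatWithIPsec {
			nodeHint = fmt.Sprintf(" and ESP traffic on the %q nodes.", hostname)
		}

		return status.Error(fmt.Errorf("the tcpdump output from the sniffer pod does not include the message"+
			" sent from client pod. Please check that your firewall configuration allows UDP/%d traffic%s"+
			" Actual pod output: \n%s", destPort, nodeHint, truncate(sPod.PodOutput)), "")
	}

	return nil
}
```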