From 1491412a260d29c8f92d3c2b468358d3b1293a98 Mon Sep 17 00:00:00 2001 From: "christopher.dziomba@telekom.de" Date: Mon, 19 Jun 2023 17:09:42 +0200 Subject: [PATCH 1/4] NOTRACK of UDP 4789 packets to VTEP IP closes #7 --- pkg/frr/configure.go | 2 +- pkg/nl/manager.go | 2 +- pkg/notrack/notrack.go | 11 +++++++++++ 3 files changed, 13 insertions(+), 2 deletions(-) diff --git a/pkg/frr/configure.go b/pkg/frr/configure.go index 4530ed36..37cfdbf9 100644 --- a/pkg/frr/configure.go +++ b/pkg/frr/configure.go @@ -53,7 +53,7 @@ func (m *FRRManager) Configure(in FRRConfiguration) (bool, error) { } func (f *FRRManager) renderSubtemplates(in FRRConfiguration) (*FRRTemplateConfig, error) { - vrfRouterId, err := (&nl.NetlinkManager{}).GetRouterIDForVRFs() + vrfRouterId, err := (&nl.NetlinkManager{}).GetUnderlayIP() if err != nil { return nil, err } diff --git a/pkg/nl/manager.go b/pkg/nl/manager.go index 9cc99c60..d2b29296 100644 --- a/pkg/nl/manager.go +++ b/pkg/nl/manager.go @@ -29,7 +29,7 @@ var ( type NetlinkManager struct { } -func (n *NetlinkManager) GetRouterIDForVRFs() (net.IP, error) { +func (n *NetlinkManager) GetUnderlayIP() (net.IP, error) { _, ip, err := getInterfaceAndIP(UNDERLAY_LOOPBACK) return ip, err } diff --git a/pkg/notrack/notrack.go b/pkg/notrack/notrack.go index 47e9b8cc..f7eae711 100644 --- a/pkg/notrack/notrack.go +++ b/pkg/notrack/notrack.go @@ -11,6 +11,8 @@ import ( "github.com/vishvananda/netlink" "k8s.io/utils/strings/slices" ctrl "sigs.k8s.io/controller-runtime" + + "github.com/telekom/das-schiff-network-operator/pkg/nl" ) const ( @@ -85,6 +87,8 @@ func RunIPTablesSync() { os.Exit(1) } + netlinkManager := &nl.NetlinkManager{} + go func() { for { links, err := netlink.LinkList() 
@@ -109,6 +113,13 @@ func RunIPTablesSync() { if err := reconcileIPTables(notrackLinks, ipt6); err != nil { notrackLog.Error(err, "error reconciling notrack in IPv6 iptables") } + + if underlayIP, err := netlinkManager.GetUnderlayIP(); err == nil { + ipt4.AppendUnique(IPTABLES_TABLE, IPTABLES_CHAIN, "-d", underlayIP.String(), "-p", "udp", "--dport", "4789", "-j", "NOTRACK") + } else { + notrackLog.Error(err, "error reconciling VXLAN notrack in IPv4 iptables") + } + time.Sleep(20 * time.Second) } }() From 9e9b2a0ed2a466e671b9dcc04b7fd3fd192fd5c1 Mon Sep 17 00:00:00 2001 From: "christopher.dziomba@telekom.de" Date: Thu, 29 Jun 2023 14:57:34 +0200 Subject: [PATCH 2/4] Catch error for VXLAN notrack --- pkg/notrack/notrack.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkg/notrack/notrack.go b/pkg/notrack/notrack.go index f7eae711..16c92738 100644 --- a/pkg/notrack/notrack.go +++ b/pkg/notrack/notrack.go @@ -115,7 +115,9 @@ func RunIPTablesSync() { } if underlayIP, err := netlinkManager.GetUnderlayIP(); err == nil { - ipt4.AppendUnique(IPTABLES_TABLE, IPTABLES_CHAIN, "-d", underlayIP.String(), "-p", "udp", "--dport", "4789", "-j", "NOTRACK") + if err := ipt4.AppendUnique(IPTABLES_TABLE, IPTABLES_CHAIN, "-d", underlayIP.String(), "-p", "udp", "--dport", "4789", "-j", "NOTRACK"); err != nil { + notrackLog.Error(err, "error reconciling VXLAN notrack in IPv4 iptables") + } } else { notrackLog.Error(err, "error reconciling VXLAN notrack in IPv4 iptables") } From abd171aa44edda5b19493279e6a02abb1dba3897 Mon Sep 17 00:00:00 2001 From: "christopher.dziomba@telekom.de" Date: Thu, 29 Jun 2023 15:28:21 +0200 Subject: [PATCH 3/4] Add rule to OUTPUT table for VXLAN originating from Node --- pkg/notrack/notrack.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkg/notrack/notrack.go b/pkg/notrack/notrack.go index 16c92738..012e482f 100644 --- a/pkg/notrack/notrack.go +++ b/pkg/notrack/notrack.go 
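Review bot: The VXLAN NOTRACK rule appended by the new AppendUnique call at the end of the loop body has no matching removal, whereas the per-link rules are deleted by reconcileIPTables when a link drops out of notrackLinks, so if the underlay loopback address ever changes the entry for the previous address stays in raw PREROUTING and that traffic keeps bypassing conntrack. Remembering the last applied address and deleting its rule before appending the new one covers the in-process case; rules left by an earlier run of the process would still need a List-based cleanup like the link rules get. The underlay IP is applied only to ipt4; if GetUnderlayIP can return an IPv6 address (not visible here), AppendUnique on the IPv4 handle will fail on every 20-second iteration and only a log line results. The same shape persists through patches 2 to 4. RunIPTablesSync starts and ends outside the hunk.

```go
	var lastUnderlayIP net.IP // declared once, before the for loop inside the goroutine (needs the net import if the file lacks it)
	// … unchanged: link listing and reconcileIPTables calls …
	if underlayIP, err := netlinkManager.GetUnderlayIP(); err == nil {
		if lastUnderlayIP != nil && !lastUnderlayIP.Equal(underlayIP) {
			if err := ipt4.Delete(IPTABLES_TABLE, IPTABLES_CHAIN, "-d", lastUnderlayIP.String(), "-p", "udp", "--dport", "4789", "-j", "NOTRACK"); err != nil {
				notrackLog.Error(err, "error removing stale VXLAN notrack rule from IPv4 iptables")
			}
		}
		// … unchanged: AppendUnique of the rule for underlayIP …
		lastUnderlayIP = underlayIP
	// … unchanged: else branch logging the GetUnderlayIP error …
```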
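Review bot: Both branches of the `if underlayIP, err := ...` block now log the identical message "error reconciling VXLAN notrack in IPv4 iptables", so a log reader cannot tell a failed underlay-IP lookup from a failed iptables append; the else branch should say what this layer was doing, e.g. `notrackLog.Error(err, "error getting underlay IP for VXLAN notrack")`. Patch 3 adds a third copy of the same string for the OUTPUT rule and patch 4 keeps all three, so each iptables branch should also name the chain it was appending to. RunIPTablesSync starts and ends outside the hunk.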
@@ -118,6 +118,9 @@ func RunIPTablesSync() { if err := ipt4.AppendUnique(IPTABLES_TABLE, IPTABLES_CHAIN, "-d", underlayIP.String(), "-p", "udp", "--dport", "4789", "-j", "NOTRACK"); err != nil { notrackLog.Error(err, "error reconciling VXLAN notrack in IPv4 iptables") } + if err := ipt4.AppendUnique(IPTABLES_TABLE, "OUTPUT", "-s", underlayIP.String(), "-p", "udp", "--dport", "4789", "-j", "NOTRACK"); err != nil { + notrackLog.Error(err, "error reconciling VXLAN notrack in IPv4 iptables") + } } else { notrackLog.Error(err, "error reconciling VXLAN notrack in IPv4 iptables") } From e03e0303657051c61935cbb683d34f7705c65663 Mon Sep 17 00:00:00 2001 From: "christopher.dziomba@telekom.de" Date: Thu, 29 Jun 2023 15:29:09 +0200 Subject: [PATCH 4/4] Use consts --- pkg/notrack/notrack.go | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/pkg/notrack/notrack.go b/pkg/notrack/notrack.go index 012e482f..75d575fd 100644 --- a/pkg/notrack/notrack.go +++ b/pkg/notrack/notrack.go @@ -16,8 +16,9 @@ import ( ) const ( - IPTABLES_TABLE = "raw" - IPTABLES_CHAIN = "PREROUTING" + IPTABLES_TABLE = "raw" + IPTABLES_PREROUTING = "PREROUTING" + IPTABLES_OUTPUT = "OUTPUT" ) var ( @@ -41,7 +42,7 @@ func buildRule(link string) []string { } func reconcileIPTables(notrackLinks []string, ipt *iptables.IPTables) error { - rules, err := ipt.List(IPTABLES_TABLE, IPTABLES_CHAIN) + rules, err := ipt.List(IPTABLES_TABLE, IPTABLES_PREROUTING) if err != nil { return err } @@ -57,7 +58,7 @@ func reconcileIPTables(notrackLinks []string, ipt *iptables.IPTables) error { } if !slices.Contains(notrackLinks, link) { - if err := ipt.Delete(IPTABLES_TABLE, IPTABLES_CHAIN, buildRule(link)...); err != nil { + if err := ipt.Delete(IPTABLES_TABLE, IPTABLES_PREROUTING, buildRule(link)...); err != nil { return err } } 
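Review bot: The added OUTPUT rule repeats the full `-p udp --dport 4789 -j NOTRACK` argument list of the PREROUTING rule two lines above, differing only in `-s` versus `-d`, so the two specs can silently drift apart on the next edit. A small builder next to the existing buildRule keeps them in sync, e.g. `func buildVXLANRule(flag string, ip net.IP) []string { return []string{flag, ip.String(), "-p", "udp", "--dport", "4789", "-j", "NOTRACK"} }`, called as `ipt4.AppendUnique(IPTABLES_TABLE, "OUTPUT", buildVXLANRule("-s", underlayIP)...)` and likewise with `"-d"` for PREROUTING. The same duplication is carried into patch 4's hunk at @@ -115. RunIPTablesSync starts and ends outside the hunk.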
@@ -68,7 +69,7 @@ func reconcileIPTables(notrackLinks []string, ipt *iptables.IPTables) error { if slices.Contains(existingLinks, notrackLink) { continue } - if err := ipt.Append(IPTABLES_TABLE, IPTABLES_CHAIN, buildRule(notrackLink)...); err != nil { + if err := ipt.Append(IPTABLES_TABLE, IPTABLES_PREROUTING, buildRule(notrackLink)...); err != nil { return err } } @@ -115,10 +116,10 @@ func RunIPTablesSync() { } if underlayIP, err := netlinkManager.GetUnderlayIP(); err == nil { - if err := ipt4.AppendUnique(IPTABLES_TABLE, IPTABLES_CHAIN, "-d", underlayIP.String(), "-p", "udp", "--dport", "4789", "-j", "NOTRACK"); err != nil { + if err := ipt4.AppendUnique(IPTABLES_TABLE, IPTABLES_PREROUTING, "-d", underlayIP.String(), "-p", "udp", "--dport", "4789", "-j", "NOTRACK"); err != nil { notrackLog.Error(err, "error reconciling VXLAN notrack in IPv4 iptables") } - if err := ipt4.AppendUnique(IPTABLES_TABLE, "OUTPUT", "-s", underlayIP.String(), "-p", "udp", "--dport", "4789", "-j", "NOTRACK"); err != nil { + if err := ipt4.AppendUnique(IPTABLES_TABLE, IPTABLES_OUTPUT, "-s", underlayIP.String(), "-p", "udp", "--dport", "4789", "-j", "NOTRACK"); err != nil { notrackLog.Error(err, "error reconciling VXLAN notrack in IPv4 iptables") } } else {
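Review bot: The chain names move into the const block, but the VXLAN port stays as the literal "4789" (along with "udp" and "NOTRACK") in both AppendUnique calls, so the value the two rules hinge on is still duplicated; adding `VXLAN_UDP_PORT = "4789"` next to IPTABLES_OUTPUT and using it in both calls would finish what the subject "Use consts" promises. With the rules now addressed by IPTABLES_PREROUTING and IPTABLES_OUTPUT, the shared message `"error reconciling VXLAN notrack in IPv4 iptables"` could carry the chain constant so a failed append is attributable from the log. RunIPTablesSync starts and ends outside the hunk.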