fix: add proper nil rule src handling

When ip rules are evaluated in the netlink library, default routes for
src and dst are equated to nil. This makes it difficult to evaluate
them and requires additional handling in order for them.

I filed an issue upstream so that this could potentially get fixed:
vishvananda/netlink#1080 however if it doesn't
get resolved, this should allow us to move forward.

Author: aauren

pkg/controllers/proxy/linux_networking.go

@@ -570,14 +570,27 @@ func (ln *linuxNetworking) setupRoutesForExternalIPForDSR(serviceInfoMap service
 		nRule.Src = defaultPrefixCIDR
 		nRule.Table = externalIPRouteTableID
 
+		// It would be better if we could filter by src, but it's not actually set by iproute2 when netlink receives it
+		// back. Instead, a rule.Src that is set to 0.0.0.0/0 or ::/0 will come back as nil. So if we filter by src, we
+		// will not find any rules.
 		rules, err := netlink.RuleListFiltered(nFamily, nRule,
-			netlink.RT_FILTER_TABLE|netlink.RT_FILTER_SRC|netlink.RT_FILTER_PRIORITY)
+			netlink.RT_FILTER_TABLE|netlink.RT_FILTER_PRIORITY)
 		if err != nil {
 			return fmt.Errorf("failed to list rule for external IP's and verify if `ip rule add prio 32765 from all "+
 				"lookup external_ip` exists due to: %v", err)
 		}
 
-		if len(rules) < 1 {
+		klog.V(2).Infof("rules found: %d", len(rules))
+		defaultRuleFound := false
+		for _, rule := range rules {
+			klog.V(2).Infof("rule: %+v", rule)
+			// If the rule.Src is nil, it means that the rule is a default route rule (0.0.0.0/0 or ::/0)
+			if rule.Src == nil {
+				defaultRuleFound = true
+			}
+		}
+
+		if !defaultRuleFound {
 			err = netlink.RuleAdd(nRule)
 			if err != nil {
 				klog.Infof("Failed to add policy rule (equivalent to `ip rule add prio %d from %s lookup "+

pkg/controllers/proxy/network_services_controller.go

@@ -1752,7 +1752,8 @@ func routeVIPTrafficToDirector(fwmark string, family v1.IPFamily) error {
 	nRule.Table = customDSRRouteTableID
 	nRule.Priority = defaultTrafficDirectorRulePriority
 
-	routes, err := netlink.RuleListFiltered(nFamily, nRule, netlink.RT_FILTER_MARK|netlink.RT_FILTER_TABLE)
+	routes, err := netlink.RuleListFiltered(nFamily, nRule,
+		netlink.RT_FILTER_MARK|netlink.RT_FILTER_TABLE|netlink.RT_FILTER_PRIORITY)
 	if err != nil {
 		return fmt.Errorf("failed to verify if `ip rule` exists due to: %v", err)
 	}

pkg/routes/pbr.go

@@ -51,9 +51,34 @@ func ipRuleAbstraction(ipFamily int, ipOp int, cidr string) error {
 	nRule.Src = nSrc
 	nRule.Table = CustomTableID
 
-	rules, err := netlink.RuleListFiltered(ipFamily, nRule, netlink.RT_FILTER_SRC)
+	// If the rule that we are abstracting has either the src or dst set to a default route, then we need to handle it
+	// differently. For more information, see: https://github.com/vishvananda/netlink/issues/1080
+	// TODO: If the above issue is resolved, some of the below logic can be removed
+	rules := make([]netlink.Rule, 0)
+	isDefaultRoute, err := utils.IsDefaultRoute(nSrc)
 	if err != nil {
-		return fmt.Errorf("failed to list rules: %s", err.Error())
+		return fmt.Errorf("failed to check if CIDR is a default route: %v", err)
+	}
+
+	if isDefaultRoute {
+		var tmpRules []netlink.Rule
+		tmpRules, err = netlink.RuleListFiltered(ipFamily, nRule, netlink.RT_FILTER_TABLE)
+		if err != nil {
+			return fmt.Errorf("failed to list rules: %s", err.Error())
+		}
+
+		// Check if one or more of the rules returned are a default route rule
+		for _, rule := range tmpRules {
+			// If the rule has no src, then it is a default route rule which is the match criteria for the rule
+			if rule.Src == nil {
+				rules = append(rules, rule)
+			}
+		}
+	} else {
+		rules, err = netlink.RuleListFiltered(ipFamily, nRule, netlink.RT_FILTER_SRC|netlink.RT_FILTER_TABLE)
+		if err != nil {
+			return fmt.Errorf("failed to list rules: %s", err.Error())
+		}
 	}
 
 	if ipOp == PBRRuleDel && len(rules) > 0 {