feat: change tun ip cidr

Signed-off-by: yuyicai <yuyicai@hotmail.com>

pkg/config/config.go

@@ -35,7 +35,10 @@ const (
 	VolumeEnvoyConfig = "envoy-config"
 	VolumeSyncthing   = "syncthing"
 
-	innerIPv4Pool = "223.254.0.100/16"
+	// innerIPv4Pool is used as tun ip
+	// 198.19.0.0/16 network  is part of the 198.18.0.0/15 (reserved for benchmarking).
+	// https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
+	innerIPv4Pool = "198.19.0.100/16"
 	// 原因：在docker环境中，设置docker的 gateway 和 subnet，不能 inner 的冲突，也不能和 docker的 172.17 冲突
 	// 不然的话，请求会不通的
 	// 解决的问题：在 k8s 中的  名叫 kubernetes 的 service ip 为
@@ -51,10 +54,11 @@ const (
 	//  }
 	//]
 	// 如果不创建 network，那么是无法请求到 这个 kubernetes 的 service 的
-	dockerInnerIPv4Pool = "223.255.0.100/16"
+	dockerInnerIPv4Pool = "198.18.0.100/16"
 
-	//The IPv6 address prefixes FE80::/10 and FF02::/16 are not routable
-	innerIPv6Pool = "efff:ffff:ffff:ffff:ffff:ffff:ffff:9999/64"
+	// 2001:2::/64 network is part of the 2001:2::/48 (reserved for benchmarking)
+	// https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
+	innerIPv6Pool = "2001:2::9999/64"
 
 	DefaultNetDir = "/etc/cni/net.d"
 

pkg/core/gvisortunendpoint.go

@@ -97,7 +97,7 @@ func (h *gvisorTCPHandler) readFromTCPConnWriteToEndpoint(ctx context.Context, c
 		}
 
 		h.addRoute(src, conn)
-		// inner ip like 223.254.0.100/102/103 connect each other
+		// inner ip like 198.19.0.100/102/103 connect each other
 		if config.CIDR.Contains(dst) || config.CIDR6.Contains(dst) {
 			log.Tracef("[TUN-RAW] Forward to TUN device, SRC: %s, DST: %s, Length: %d", src.String(), dst.String(), read)
 			util.SafeWrite(h.packetChan, &datagramPacket{

pkg/core/route.go

@@ -27,9 +27,9 @@ type TCPUDPacket struct {
 }
 
 // Route example:
-// -L "tcp://:10800" -L "tun://:8422?net=223.254.0.100/16"
-// -L "tun:/10.233.24.133:8422?net=223.254.0.102/16&route=223.254.0.0/16"
-// -L "tun:/127.0.0.1:8422?net=223.254.0.102/16&route=223.254.0.0/16,10.233.0.0/16" -F "tcp://127.0.0.1:10800"
+// -L "tcp://:10800" -L "tun://:8422?net=198.19.0.100/16"
+// -L "tun:/10.233.24.133:8422?net=198.19.0.102/16&route=198.19.0.0/16"
+// -L "tun:/127.0.0.1:8422?net=198.19.0.102/16&route=198.19.0.0/16,10.233.0.0/16" -F "tcp://127.0.0.1:10800"
 type Route struct {
 	ServeNodes []string // -L tun
 	ChainNode  string   // -F tcp

pkg/daemon/daemon.go

@@ -99,7 +99,7 @@ func (o *SvrOption) Start(ctx context.Context) error {
 	grpc_health_v1.RegisterHealthServer(svr, health.NewServer())
 	defer cleanup()
 	reflection.Register(svr)
-	// [tun-client] 223.254.0.101 - 127.0.0.1:8422: dial tcp 127.0.0.1:55407: connect: can't assign requested address
+	// [tun-client] 198.19.0.101 - 127.0.0.1:8422: dial tcp 127.0.0.1:55407: connect: can't assign requested address
 	http.DefaultTransport.(*http.Transport).MaxIdleConnsPerHost = 100
 	// startup a http server
 	// With downgrading-capable gRPC server, which can also handle HTTP.

pkg/dev/docker_utils.go

@@ -90,7 +90,7 @@ func RunLogsSinceNow(name string, follow bool) error {
 }
 
 // CreateNetwork
-// docker create kubevpn-traffic-manager --labels owner=config.ConfigMapPodTrafficManager --subnet 223.255.0.0/16 --gateway 223.255.0.100
+// docker create kubevpn-traffic-manager --labels owner=config.ConfigMapPodTrafficManager --subnet 198.18.0.0/16 --gateway 198.18.0.100
 func CreateNetwork(ctx context.Context, name string) (string, error) {
 	args := []string{
 		"network",

pkg/inject/exchange.go

@@ -79,7 +79,7 @@ func AddContainer(spec *corev1.PodSpec, c util.PodRouteConfig) {
 		},
 		Command: []string{"/bin/sh", "-c"},
 		// https://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html#ss6.2
-		// for curl -g -6 [efff:ffff:ffff:ffff:ffff:ffff:ffff:999a]:9080/health or curl 127.0.0.1:9080/health hit local PC
+		// for curl -g -6 [2001:2::999a]:9080/health or curl 127.0.0.1:9080/health hit local PC
 		// output chain
 		// iptables -t nat -A OUTPUT -o lo ! -p icmp -j DNAT --to-destination ${LocalTunIPv4}
 		// ip6tables -t nat -A OUTPUT -o lo ! -p icmp -j DNAT --to-destination ${LocalTunIPv6}

pkg/util/networkpolicy_windows.go

@@ -96,7 +96,7 @@ func decode(in []byte) ([]byte, error) {
 // AddAllowFirewallRule
 // for ping local tun device ip, if not add this firewall, can not ping local tun IP on windows
 func AddAllowFirewallRule(ctx context.Context) {
-	// netsh advfirewall firewall add rule name=kubevpn-traffic-manager dir=in action=allow enable=yes remoteip=223.254.0.100/16,efff:ffff:ffff:ffff:ffff:ffff:ffff:9999/64,LocalSubnet
+	// netsh advfirewall firewall add rule name=kubevpn-traffic-manager dir=in action=allow enable=yes remoteip=198.19.0.100/16,2001:2::9999/64,LocalSubnet
 	cmd := exec.CommandContext(ctx, "netsh", []string{
 		"advfirewall",
 		"firewall",

pkg/util/util_test.go

@@ -65,8 +65,8 @@ func TestName(t *testing.T) {
 
 func TestPing(t *testing.T) {
 	defer util.Run()()
-	SrcIP := net.ParseIP("223.254.0.102").To4()
-	DstIP := net.ParseIP("223.254.0.100").To4()
+	SrcIP := net.ParseIP("198.19.0.102").To4()
+	DstIP := net.ParseIP("198.19.0.100").To4()
 
 	icmpLayer := layers.ICMPv4{
 		TypeCode: layers.CreateICMPv4TypeCode(layers.ICMPv4TypeEchoRequest, 0),

pkg/webhook/pods.go

@@ -72,7 +72,7 @@ func (h *admissionReviewHandler) handleCreate(ar v1.AdmissionReview) *v1.Admissi
 		return &v1.AdmissionResponse{UID: ar.Request.UID, Allowed: true}
 	}
 	// if create pod kubevpn-traffic-manager, just ignore it
-	// because 223.254.0.100 is reserved
+	// because 198.19.0.100 is reserved
 	if x, _, _ := net.ParseCIDR(value); config.RouterIP.Equal(x) {
 		return &v1.AdmissionResponse{UID: ar.Request.UID, Allowed: true}
 	}
@@ -163,7 +163,7 @@ func (h *admissionReviewHandler) handleDelete(ar v1.AdmissionReview) *v1.Admissi
 		return &v1.AdmissionResponse{Allowed: true}
 	}
 	// if delete pod kubevpn-traffic-manager, just ignore it
-	// because 223.254.0.100 is reserved
+	// because 198.19.0.100 is reserved
 	if x, _, _ := net.ParseCIDR(value); config.RouterIP.Equal(x) {
 		return &v1.AdmissionResponse{Allowed: true}
 	}