doc: fix minor errors (#941)

* doc: fix minor errors * update egresspolicy
spidernet-io · Nov 7, 2023 · a386883 · a386883 · weizhoublue · Nov 7, 2023
1 parent fe77273
commit a386883
Show file tree

Hide file tree

Showing 11 changed files with 173 additions and 174 deletions.
diff --git a/docs/concepts/Datapath.en.md b/docs/concepts/Datapath.en.md
@@ -4,146 +4,147 @@ Rules that need to take effect are categorized into three categories: all nodes,
 
 ## All nodes
 
-1. Detailed tunnel requirements between nodes are not  listed.
+1. Detailed tunnel requirements between nodes are not listed.
 2. Traffic matching the policy is retagged. This update occurs when a node becomes a gateway node for the first time or during node join, but it is not updated thereafter.
 
-   ```shell
-   iptables -t mangle -N EGRESSGATEWAY-RESET-MARK
-   iptables -t mangle -I FORWARD 1 -j EGRESSGATEWAY-RESET-MARK -m comment --comment "egress gateway: mark egress packet"
+    ```shell
+    iptables -t mangle -N EGRESSGATEWAY-RESET-MARK
+    iptables -t mangle -I FORWARD 1 -j EGRESSGATEWAY-RESET-MARK -m comment --comment "egress gateway: mark egress packet"
 
-   iptables -t mangle -A EGRESSGATEWAY-RESET-MARK \
-       -m mark --mark $NODE_MARK/0x26000000 \
-       -j MARK --set-mark 0x12000000 \
-       -m comment --comment "egress gateway: change mark"
-   \ -m -comment "egress gateway: change mark
+    iptables -t mangle -A EGRESSGATEWAY-RESET-MARK \
+        -m mark --mark $NODE_MARK/0x26000000 \
+        -j MARK --set-mark 0x12000000 \
+        -m comment --comment "egress gateway: change mark"
+    \ -m -comment "egress gateway: change mark
+    ```
 
 3. Preserve the labels for traffic matching the policy. Create them once without requiring updates.
 
-   ```shell
-   iptables -t filter -I FORWARD 1 -m mark --mark 0x12000000 -j ACCEPT -m comment --comment "egress gateway: keep mark"
+    ```shell
+    iptables -t filter -I FORWARD 1 -m mark --mark 0x12000000 -j ACCEPT -m comment --comment "egress gateway: keep mark"
 
-   iptables -t filter -I OUTPUT 1 -m mark --mark 0x12000000 -j ACCEPT -m comment --comment "egress gateway: keep mark"
+    iptables -t filter -I OUTPUT 1 -m mark --mark 0x12000000 -j ACCEPT -m comment --comment "egress gateway: keep mark"
 
-   iptables -t mangle -I POSTROUTING 1 -m mark --mark 0x12000000 -j ACCEPT -m comment --comment "egress gateway: keep mark"
-   ```
+    iptables -t mangle -I POSTROUTING 1 -m mark --mark 0x12000000 -j ACCEPT -m comment --comment "egress gateway: keep mark"
+    ```
 
 4. Aggregate chains for tagging policy-matched traffic. Create them once without needing updates.
 
-   ```shell
-   iptables -t mangle -N EGRESSGATEWAY-MARK-REQUEST
+    ```shell
+    iptables -t mangle -N EGRESSGATEWAY-MARK-REQUEST
 
-   iptables -t mangle -I PREROUTING 1 -j EGRESSGATEWAY-MARK-REQUEST -m comment --comment "egress gateway: mark egress packet"
-   ```
+    iptables -t mangle -I PREROUTING 1 -j EGRESSGATEWAY-MARK-REQUEST -m comment --comment "egress gateway: mark egress packet"
+    ```
 
 5. Aggregate chains that do not need to do SNAT rules. It is created directly once and does not need to be updated;
 
-   ```shell
-   iptables -t nat -N EGRESSGATEWAY-NO-SNAT
+    ```shell
+    iptables -t nat -N EGRESSGATEWAY-NO-SNAT
 
-   iptables -t nat -I POSTROUTING 1 -j EGRESSGATEWAY-NO-SNAT -m comment --comment "egress gateway: no snat"
+    iptables -t nat -I POSTROUTING 1 -j EGRESSGATEWAY-NO-SNAT -m comment --comment "egress gateway: no snat"
    
-   iptables -t nat -A EGRESSGATEWAY-NO-SNAT -m mark --mark 0x12000000 -j ACCEPT -m comment --comment "egress gateway: no snat"
-   ```
+    iptables -t nat -A EGRESSGATEWAY-NO-SNAT -m mark --mark 0x12000000 -j ACCEPT -m comment --comment "egress gateway: no snat"
+    ```
 
 6. Aggregate chains that need to do SNAT rules. It is created directly once and does not need to be updated.
 
-   ```shell
-   iptables -t nat -N EGRESSGATEWAY-SNAT-EIP
+    ```shell
+    iptables -t nat -N EGRESSGATEWAY-SNAT-EIP
 
-   # Need to insert after rules that don't require SNAT to keep the chain at the top
-   iptables -t nat -I POSTROUTING 1 -j EGRESSGATEWAY-SNAT-EIP -m comment --comment "egress gateway: snat EIP"
-   ```
+    # Need to insert after rules that don't require SNAT to keep the chain at the top
+    iptables -t nat -I POSTROUTING 1 -j EGRESSGATEWAY-SNAT-EIP -m comment --comment "egress gateway: snat EIP"
+    ```
 
 7. egress-ingore-cidr When the `destSubnet` field of the EgressGatewayPolicy is empty, the data plane will automatically match traffic outside the CIDR in the EgressClusterStatus CR and forward it to the Egress gateway.
 
     ```shell
-   IPSET_RULE_DEST_NAME=egress-ingore-cidr
+    IPSET_RULE_DEST_NAME=egress-ingore-cidr
 
-   ipset x $IPSET_RULE_DEST_NAME
+    ipset x $IPSET_RULE_DEST_NAME
 
-   ipset create $IPSET_RULE_DEST_NAME hash:net
+    ipset create $IPSET_RULE_DEST_NAME hash:net
 
-   ipset add $IPSET_RULE_DEST_NAME 10.6.105.150/32
-   ```
+    ipset add $IPSET_RULE_DEST_NAME 10.6.105.150/32
+    ```
 
 ## Non-Egress Gateway node Relative to EIP
 
 1. ipsets for policy-matched source and destination IPs.
 
-   ```shell
-   IPSET_RULE_DEST_NAME=egress-dest-uuid
+    ```shell
+    IPSET_RULE_DEST_NAME=egress-dest-uuid
 
-   ipset x $IPSET_RULE_DEST_NAME
+    ipset x $IPSET_RULE_DEST_NAME
 
-   ipset create $IPSET_RULE_DEST_NAME hash:net
+    ipset create $IPSET_RULE_DEST_NAME hash:net
 
-   ipset add $IPSET_RULE_DEST_NAME 10.6.105.150/32
+    ipset add $IPSET_RULE_DEST_NAME 10.6.105.150/32
 
    
-   IPSET_RULE_SRC_NAME=egress-src-uuid
+    IPSET_RULE_SRC_NAME=egress-src-uuid
 
-   ipset x $IPSET_RULE_SRC_NAME
+    ipset x $IPSET_RULE_SRC_NAME
 
-   ipset create $IPSET_RULE_SRC_NAME hash:net
+    ipset create $IPSET_RULE_SRC_NAME hash:net
 
-   ipset add $IPSET_RULE_SRC_NAME 172.29.234.173/32
-   ```
+    ipset add $IPSET_RULE_SRC_NAME 172.29.234.173/32
+    ```
 
 2. Tag policy-matched traffic to ensure it goes through the tunnel. The NODE_MARK value depends on the node where the corresponding EIP resides.
 
-   ```shell
-   iptables -A EGRESSGATEWAY-MARK-REQUEST -t mangle -m conntrack --ctdir ORIGINAL \
-   -m set --match-set $IPSET_RULE_DEST_NAME dst \
-   -m set --match-set $IPSET_RULE_SRC_NAME src \
-   -j MARK --set-mark $NODE_MARK -m comment --comment "rule uuid: mark request packet"
-   ```
+    ```shell
+    iptables -A EGRESSGATEWAY-MARK-REQUEST -t mangle -m conntrack --ctdir ORIGINAL \
+    -m set --match-set $IPSET_RULE_DEST_NAME dst \
+    -m set --match-set $IPSET_RULE_SRC_NAME src \
+    -j MARK --set-mark $NODE_MARK -m comment --comment "rule uuid: mark request packet"
+    ```
 
 3. Policy routing rules
 
-   ```shell
-   ip rule add fwmark $NODE_MARK table $TABLE_NUM
-   ```
+    ```shell
+    ip rule add fwmark $NODE_MARK table $TABLE_NUM
+    ```
 
 4. Adapt Weave to avoiding SNAT into IPs for Egress tunnels. Make a switch
 
-   ```shell
-   iptables -t nat -A EGRESSGATEWAY-NO-SNAT \ \
-   -m set --match-set $IPSET_RULE_DEST_NAME dst \
-   -m set --match-set $IPSET_RULE_SRC_NAME src \
-   -j ACCEPT -m comment --comment "egress gateway: weave does not do SNAT"
-   ```
+    ```shell
+    iptables -t nat -A EGRESSGATEWAY-NO-SNAT \ \
+    -m set --match-set $IPSET_RULE_DEST_NAME dst \
+    -m set --match-set $IPSET_RULE_SRC_NAME src \
+    -j ACCEPT -m comment --comment "egress gateway: weave does not do SNAT"
+    ```
 
 ## Egress Gateway Node Relative to EIP
 
 1. ipsets for policy-matched source and destination IPs.
 
-   ```shell
-   IPSET_RULE_DEST_NAME=egress-dest-uuid
+    ```shell
+    IPSET_RULE_DEST_NAME=egress-dest-uuid
 
-   ipset x $IPSET_RULE_DEST_NAME
+    ipset x $IPSET_RULE_DEST_NAME
 
-   ipset create $IPSET_RULE_DEST_NAME hash:net
+    ipset create $IPSET_RULE_DEST_NAME hash:net
 
-   ipset add $IPSET_RULE_DEST_NAME 10.6.105.150/32
+    ipset add $IPSET_RULE_DEST_NAME 10.6.105.150/32
    
 
-   IPSET_RULE_SRC_NAME=egress-src-uuid
+    IPSET_RULE_SRC_NAME=egress-src-uuid
 
-   ipset x $IPSET_RULE_SRC_NAME
+    ipset x $IPSET_RULE_SRC_NAME
 
-   ipset create $IPSET_RULE_SRC_NAME hash:net
+    ipset create $IPSET_RULE_SRC_NAME hash:net
 
-   ipset add $IPSET_RULE_SRC_NAME 172.29.234.173/32
-   ```
+    ipset add $IPSET_RULE_SRC_NAME 172.29.234.173/32
+    ```
 
 2. Apply SNAT to policy-matched traffic during egress. Keep this rule updated in real-time.
 
-   ```shell
-   iptables -t nat -A EGRESSGATEWAY-SNAT-EIP \
-       -m set --match-set $IPSET_RULE_SRC_NAME src \
-       -m set --match-set $IPSET_RULE_DST_NAME dst \
-       -j SNAT --to-source $EIP
-   ðŸñ'ðŸñ'ðŸñ'ðŸñ'ðŸñ'ñ
+    ```shell
+    iptables -t nat -A EGRESSGATEWAY-SNAT-EIP \
+        -m set --match-set $IPSET_RULE_SRC_NAME src \
+        -m set --match-set $IPSET_RULE_DST_NAME dst \
+        -j SNAT --to-source $EIP
+    ðŸñ'ðŸñ'ðŸñ'ðŸñ'ðŸñ'ñ
     ```
 
 ## Others
@@ -152,5 +153,5 @@ Rules that need to take effect are categorized into three categories: all nodes,
 
 2. TABLE_NUM:
 
-  * Since each host can have [0, 255] routing tables (where 0, 253, 254, and 255 are already used by the system), exceeding the maximum number of tables will result in the inability to calculate routes for nodes, leading to node disconnection. Additionally, table names must match the table ID, and if there is no match, the kernel will assign a random name. To be on the safe side, the number of controlled tables (represented by variable n with a default value of 100) is limited, which also serves as the upper limit for gateway nodes.
-  * TABLE_NUM algorithm: users can set a starting value (represented by variable s with a default value of 3000), and the range of table names will be [s, (s+n)]. Users need to ensure that the table names within this range are not occupied. Start with a randomly selected value from [s, (s+n)] and increment it circularly until an unused table name for the current node is obtained. If none is found, an error is reported.
+    * Since each host can have [0, 255] routing tables (where 0, 253, 254, and 255 are already used by the system), exceeding the maximum number of tables will result in the inability to calculate routes for nodes, leading to node disconnection. Additionally, table names must match the table ID, and if there is no match, the kernel will assign a random name. To be on the safe side, the number of controlled tables (represented by variable n with a default value of 100) is limited, which also serves as the upper limit for gateway nodes.
+    * TABLE_NUM algorithm: users can set a starting value (represented by variable s with a default value of 3000), and the range of table names will be [s, (s+n)]. Users need to ensure that the table names within this range are not occupied. Start with a randomly selected value from [s, (s+n)] and increment it circularly until an unused table name for the current node is obtained. If none is found, an error is reported.
diff --git a/docs/reference/EgressClusterInfo.en.md b/docs/reference/EgressClusterInfo.en.md
@@ -4,23 +4,23 @@ The EgressClusterInfo CRD introduces the Egress Ignore CIDR feature to simplify
 apiVersion: egressgateway.spidernet.io/v1beta1
 kind: EgressClusterInfo
 metadata:
-  name: default  # 1
+  name: default  # (1)
 spec:
   autoDetect:
-    clusterIP: true # 2
-    nodeIP: true # 3
-    podCidrMode: auto # 4
-  extraCidr: # 5
+    clusterIP: true # (2)
+    nodeIP: true # (3)
+    podCidrMode: auto # (4)
+  extraCidr: # (5)
   - 10.10.10.1
 status:
-  clusterIP: # 6
+  clusterIP: # (6)
     ipv4:
     - 172.41.0.0/16
     ipv6:
     - fd41::/108
-  extraCidr: # 7
+  extraCidr: # (7)
   - 10.10.10.1
-  nodeIP: # 8
+  nodeIP: # (8)
     egressgateway-control-plane:
       ipv4:
       - 172.18.0.3
@@ -36,7 +36,7 @@ status:
       - 172.18.0.4
       ipv6:
       - fc00:f853:ccd:e793::4
-  podCIDR: # 9
+  podCIDR: # (9)
     default-ipv4-ippool:
       ipv4:
       - 172.40.0.0/16
@@ -46,7 +46,7 @@ status:
     test-ippool:
       ipv4:
       - 177.70.0.0/16
-  podCidrMode: calico # 10
+  podCidrMode: calico # (10)
 ```
 
 1. The name is `default`.Only one can be created by the system maintenance;

diff --git a/docs/reference/EgressClusterInfo.zh.md b/docs/reference/EgressClusterInfo.zh.md
@@ -4,23 +4,23 @@ EgressClusterInfo CRD 为了简化 Egress 策略的配置，引入 Egress Ignore
 apiVersion: egressgateway.spidernet.io/v1beta1
 kind: EgressClusterInfo
 metadata:
-  name: default  # 1
+  name: default  # (1)
 spec:
   autoDetect:
-    clusterIP: true # 2
-    nodeIP: true # 3
-    podCidrMode: auto # 4
-  extraCidr: # 5
+    clusterIP: true # (2)
+    nodeIP: true # (3)
+    podCidrMode: auto # (4)
+  extraCidr: # (5)
   - 10.10.10.1
 status:
-  clusterIP: # 6
+  clusterIP: # (6)
     ipv4:
     - 172.41.0.0/16
     ipv6:
     - fd41::/108
-  extraCidr: # 7
+  extraCidr: # (7)
   - 10.10.10.1
-  nodeIP: # 8
+  nodeIP: # (8)
     egressgateway-control-plane:
       ipv4:
       - 172.18.0.3
@@ -36,7 +36,7 @@ status:
       - 172.18.0.4
       ipv6:
       - fc00:f853:ccd:e793::4
-  podCIDR: # 9
+  podCIDR: # (9)
     default-ipv4-ippool:
       ipv4:
       - 172.40.0.0/16
@@ -46,7 +46,7 @@ status:
     test-ippool:
       ipv4:
       - 177.70.0.0/16
-  podCidrMode: calico # 10
+  podCidrMode: calico # (10)
 ```
 
 1. 名称为 `default`，由系统维护只能创建一个;

diff --git a/docs/reference/EgressClusterPolicy.en.md b/docs/reference/EgressClusterPolicy.en.md
@@ -19,7 +19,7 @@ spec:
     podSubnet:
       - "172.29.16.0/24"
       - 'fd00:1/126'
-    namespaceSelector:   # 1
+    namespaceSelector:   # (1)
       matchLabels:
         app: "shopping"
   destSubnet:

diff --git a/docs/reference/EgressClusterPolicy.zh.md b/docs/reference/EgressClusterPolicy.zh.md
@@ -19,7 +19,7 @@ spec:
     podSubnet:
       - "172.29.16.0/24"
       - 'fd00:1/126'
-    namespaceSelector:   # 1
+    namespaceSelector:   # (1)
       matchLabels:
         app: "shopping"
   destSubnet:

diff --git a/docs/reference/EgressGateway.en.md b/docs/reference/EgressGateway.en.md
@@ -6,30 +6,30 @@ kind: EgressGateway
 metadata:
   name: "eg1"
 spec:
-  ippools:                      # 1
-    ipv4:                       # 2
+  ippools:                      # (1)
+    ipv4:                       # (2)
       - "10.6.1.55"
       - "10.6.1.60-10.6.1.65"
       - "10.6.1.70/28"
-    ipv6:                       # 3
+    ipv6:                       # (3)
       - ""
-    ipv4DefaultEIP: ""          # 4
-    ipv6DefaultEIP: ""          # 5
-  nodeSelector:                 # 6
-    selector:                   # 7
+    ipv4DefaultEIP: ""          # (4)
+    ipv6DefaultEIP: ""          # (5)
+  nodeSelector:                 # (6)
+    selector:                   # (7)
       matchLabels:
         egress: "true"
-    policy: "doing"             # 8
+    policy: "doing"             # (8)
 status:                         
-  nodeList:                     # 9
-    - name: "node1"             # 10
-      status: "Ready"           # 11
-      epis:                     # 12
-        - ipv4: "10.6.1.55"     # 13
-          ipv6: "fd00::55"      # 14
-          policies:             # 15
-            - name: "app"         # 16
-              namespace: "default"  # 17
+  nodeList:                     # (9)
+    - name: "node1"             # (10)
+      status: "Ready"           # (11)
+      epis:                     # (12)
+        - ipv4: "10.6.1.55"     # (13)
+          ipv6: "fd00::55"      # (14)
+          policies:             # (15)
+            - name: "app"         # (16)
+              namespace: "default"  # (17)
 ```
 
 1. Set the range of egress IP pool that EgressGateway can use;