fix: fix reverse routing for KubeSpan #10074
Conversation
| // Consider fwmark for rp_filter routing table lookup. | ||
| { | ||
| Key: "proc.sys.net.ipv4.conf.kubespan.src_valid_mark", | ||
| Value: "1", | ||
| }, |
There was a problem hiding this comment.
We might even consider enabling rp_filter on all interfaces by default as Red Hat and SUSE do for increased security against IP spoofing
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
There was a problem hiding this comment.
I guess we can set to 1 as default like RHEL
There was a problem hiding this comment.
Let's discuss that later for 1.10, it's not to be backported like this change is
| }, | ||
| // Consider fwmark for rp_filter routing table lookup. | ||
| { | ||
| Key: "proc.sys.net.ipv4.conf.kubespan.src_valid_mark", |
There was a problem hiding this comment.
shouldn't this be rp_filter instead of src_valid_mark 🤔 ?
There was a problem hiding this comment.
rp_filter will get overriden. This is what I mean:
src_valid_mark - BOOLEAN
0 - The fwmark of the packet is not included in reverse path route lookup. This allows for asymmetric routing configurations utilizing the fwmark in only one direction, e.g., transparent proxying.
1 - The fwmark of the packet is included in reverse path route lookup. This permits rp_filter to function when the fwmark is used for routing traffic in both directions.
This setting also affects the utilization of fmwark when performing source address selection for ICMP replies, or determining addresses stored for the IPOPT_TS_TSANDADDR and IPOPT_RR IP options.
The max value from conf/{all,interface}/src_valid_mark is used.
Default value is 0.
There was a problem hiding this comment.
It's not to disable rp_filter (you cannot override someone enabling rp_filter in mode 2 (loose), like current Kube-Router versions), but to make it honor policy-based routing. To avoid potential side effects we only do this on kubespan interface as it's the interface we do our policy-based routing on.
dsseng
force-pushed
the
kubespan-reverse
branch
2 times, most recently
from
f33df6b to
cbb11f3
Compare
internal/app/machined/pkg/controllers/runtime/kernel_param_defaults.go
Outdated
Show resolved
Hide resolved
dsseng
force-pushed
the
kubespan-reverse
branch
from
cbb11f3 to
457d1d4
Compare
dsseng
force-pushed
the
kubespan-reverse
branch
from
c1ad398 to
5f44463
Compare
dsseng
force-pushed
the
kubespan-reverse
branch
from
5f44463 to
61ff3d1
Compare
| Xor: constants.KubeSpanDefaultForceFirewallMark, | ||
| }, | ||
| Verdict: pointer.To(nethelpers.VerdictAccept), | ||
| }, |
There was a problem hiding this comment.
Full rule list in the modified chain for review:
chain kubespan_prerouting { # handle 50
type filter hook prerouting priority filter; policy accept;
meta mark & 0x00000060 == 0x00000020 accept # handle 51
ip daddr { 172.20.0.3-172.20.0.4 } meta mark set meta mark & 0xffffffdf | 0x00000040 accept # handle 53
ip6 daddr { fdbd:f075:61fa:5502:2c26:e0ff:fe99:e2a4, fdbd:f075:61fa:5502:e88a:18ff:fed2:32f3 } meta mark set meta mark & 0xffffffdf | 0x00000040 accept # handle 55
meta mark & 0x00000040 == 0x00000040 ip saddr != { 172.20.0.3-172.20.0.4 } meta mark set meta mark ^ 0x00000040 accept # handle 57
meta mark & 0x00000040 == 0x00000040 ip6 saddr != { fdbd:f075:61fa:5502:2c26:e0ff:fe99:e2a4, fdbd:f075:61fa:5502:e88a:18ff:fed2:32f3 } meta mark set meta mark ^ 0x00000040 accept # handle 59
iifname "kubespan" meta mark set meta mark & 0xffffffdf | 0x00000040 accept # handle 60
}
chain kubespan_prerouting { # handle 50
type filter hook prerouting priority filter; policy accept;
meta mark & 0x00000060 == 0x00000020 accept # handle 51
ip daddr { 172.20.0.2, 172.20.0.4 } meta mark set meta mark & 0xffffffdf | 0x00000040 accept # handle 53
ip6 daddr { fdbd:f075:61fa:5502:5cd0:eff:fea3:252f, fdbd:f075:61fa:5502:e88a:18ff:fed2:32f3 } meta mark set meta mark & 0xffffffdf | 0x00000040 accept # handle 55
meta mark & 0x00000040 == 0x00000040 ip saddr != { 172.20.0.2, 172.20.0.4 } meta mark set meta mark ^ 0x00000040 accept # handle 57
meta mark & 0x00000040 == 0x00000040 ip6 saddr != { fdbd:f075:61fa:5502:5cd0:eff:fea3:252f, fdbd:f075:61fa:5502:e88a:18ff:fed2:32f3 } meta mark set meta mark ^ 0x00000040 accept # handle 59
iifname "kubespan" meta mark set meta mark & 0xffffffdf | 0x00000040 accept # handle 60
}
There was a problem hiding this comment.
okay, now with kube-router CNI (and coredns) doesn't come up
This allows it to not come down when rp_filter is enabled. Fixes siderolabs#9814 Co-authored-by: Andrey Smirnov <[email protected]> Signed-off-by: Dmitry Sharshakov <[email protected]>
dsseng
force-pushed
the
kubespan-reverse
branch
from
61ff3d1 to
c93d867
Compare
|
This PR is stale because it has been open 45 days with no activity. |
|
Did this get fixed? |
kube-router was updated to be less agressive about rpfilter, so it "just works" now. this PR hasn't been finished. |
|
If it works with kube-router now is this PR still needed? |
yes, otherwise we would have closed it enabling rp_filter by default would be nice as a feature |
|
maybe this could fix #11244 idk |
|
This PR is stale because it has been open 45 days with no activity. |
|
no stale |
|
This PR is stale because it has been open 45 days with no activity. |
|
no stale |
This allows it to not come down when rp_filter is enabled.
Fixes #9814
Signed-off-by: Dmitry Sharshakov [email protected]