fix: fix reverse routing for KubeSpan
This keeps KubeSpan from going down when rp_filter is enabled.
Fixes #9814

Signed-off-by: Dmitry Sharshakov <[email protected]>
dsseng committed Dec 30, 2024
1 parent 650eb3a commit f33df6b
Showing 3 changed files with 35 additions and 2 deletions.
13 changes: 13 additions & 0 deletions internal/app/machined/pkg/controllers/kubespan/manager.go
Expand Up @@ -378,6 +378,7 @@ func (ctrl *ManagerController) Run(ctx context.Context, r controller.Runtime, lo
},
Verdict: pointer.To(nethelpers.VerdictAccept),
},
// Mark packets to be sent over the KubeSpan link.
{
MatchDestinationAddress: &network.NfTablesAddressMatch{
IncludeSubnets: allowedIPsSet.Prefixes(),
Expand All @@ -388,6 +389,18 @@ func (ctrl *ManagerController) Run(ctx context.Context, r controller.Runtime, lo
},
Verdict: pointer.To(nethelpers.VerdictAccept),
},
// Mark incoming packets from the KubeSpan link for rp_filter to find the correct routing table.
{
MatchIIfName: &network.NfTablesIfNameMatch{
InterfaceNames: []string{constants.KubeSpanLinkName},
Operator: nethelpers.OperatorEqual,
},
SetMark: &network.NfTablesMark{
Mask: ^uint32(constants.KubeSpanDefaultFirewallMask),
Xor: constants.KubeSpanDefaultForceFirewallMark,
},
Verdict: pointer.To(nethelpers.VerdictAccept),
},
}

return nil
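Review bot: The new iifname rule appended at the end of the rule list only fires if the chain it belongs to is attached at a hook that sees ingress traffic (prerouting or input); the chain definition is outside this hunk, so if it is hooked at output for the existing egress-marking rules, this rule would never match and the rp_filter fix would silently not apply. That is worth confirming, and worth asserting the hook in the test, since the test checks rules, priority and policy only. The comment could also name the sysctl this rule depends on, e.g. `// Mark incoming packets from the KubeSpan link so that rp_filter (with src_valid_mark=1 on the link) resolves the reverse path via the KubeSpan routing table.` Keeping reverse-path validation enabled and steering it to the right table, rather than relaxing rp_filter, is the right direction. Run's body starts and ends outside the hunk.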
19 changes: 17 additions & 2 deletions internal/app/machined/pkg/controllers/kubespan/manager_test.go
Expand Up @@ -244,9 +244,9 @@ func (suite *ManagerSuite) TestReconcile() {
asrt.Equal(nethelpers.ChainPriorityFilter, spec.Priority)
asrt.Equal(nethelpers.VerdictAccept, spec.Policy)

asrt.Len(spec.Rules, 2)
asrt.Len(spec.Rules, 3)

if len(spec.Rules) != 2 {
if len(spec.Rules) != 3 {
return
}

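Review bot: The guard `if len(spec.Rules) != 3 {` repeats the count that `asrt.Len(spec.Rules, 3)` just checked, so the expected rule count has to be kept in sync in two places (this commit bumped both). If `asrt` is a testify Assertions, `Len` returns a bool and the two lines can collapse to `if !asrt.Len(spec.Rules, 3) { return }`, which keeps a single source of truth for the count. TestReconcile's body continues outside the hunk.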
Expand Down Expand Up @@ -277,6 +277,21 @@ func (suite *ManagerSuite) TestReconcile() {
},
spec.Rules[1],
)

asrt.Equal(
network.NfTablesRule{
MatchIIfName: &network.NfTablesIfNameMatch{
InterfaceNames: []string{constants.KubeSpanLinkName},
Operator: nethelpers.OperatorEqual,
},
SetMark: &network.NfTablesMark{
Mask: ^uint32(constants.KubeSpanDefaultFirewallMask),
Xor: constants.KubeSpanDefaultForceFirewallMark,
},
Verdict: pointer.To(nethelpers.VerdictAccept),
},
spec.Rules[2],
)
},
)

Expand Up @@ -120,6 +120,11 @@ func (ctrl *KernelParamDefaultsController) getKernelParams() []*kernel.Param {
Key: "proc.sys.net.ipv4.tcp_keepalive_intvl",
Value: "60",
},
// Consider fwmark for rp_filter routing table lookup.
{
Key: "proc.sys.net.ipv4.conf.kubespan.src_valid_mark",
Value: "1",
},
{
Key: "proc.sys.kernel.panic",
Value: "10",
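Review bot: The sysctl key hard-codes the interface name in `"proc.sys.net.ipv4.conf.kubespan.src_valid_mark"` while the nftables rule in manager.go matches on `constants.KubeSpanLinkName`; if that constant is in scope here, building the key from it keeps the two from drifting, e.g. `Key: "proc.sys.net.ipv4.conf." + constants.KubeSpanLinkName + ".src_valid_mark",`. Separately, per-interface entries under net.ipv4.conf exist only while the interface does, so if these defaults are applied before the KubeSpan link is created, or the link is later recreated, the write may fail or be lost — I cannot see from this hunk whether the controller retries or reapplies. A comment stating that dependency next to the entry would help, e.g. `// Requires the kubespan link to exist; rp_filter only honours the fwmark set by the KubeSpan nftables rule when src_valid_mark=1.` The enclosing getKernelParams list starts and ends outside the hunk.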
