Conversation
Name it generically and add another bool that allows to control whether the dst port must be in the nodeport range or outside of it. For the current users, it is set so that they match on the configured NodePort range. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2864c48 to
b279163
Compare
Member
Author
|
retest-runtime |
Member
Author
|
retest-4.19 |
Member
Author
|
retest-net-next |
e2e6836 to
d47ab81
Compare
Member
Author
|
test-me-please |
pchaigno
approved these changes
Jul 9, 2020
Member
pchaigno
left a comment
There was a problem hiding this comment.
Mostly refactoring nits on my side. LGTM otherwise, but I'm not very familiar with this code and even less with the Kubernetes implication.
Member
Author
|
(all checks green) |
d47ab81 to
53d15f9
Compare
Prepare the socket LB for a hostport-related wildcard lookup. The NodePort
and HostPort range are exclusive, so the lookup is still fast given we can
bail out early w/o map lookup in sock{4,6}_wildcard_lookup(). Aside from
the range, we must match on HOST_ID dst address for the hostport lookup.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Ensure that we don't process such packets from outside if they ever land on our node. Instead of doing a more expensive memcmp() on the address, just include this into the test for the underlying type. The latter is still present for the case where the agent is restarted & reconfigured and map entries are still stale before k8s resync. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
In IPv6 case we already use net.IPv6zero in LoadBalancerNodeAddresses(). Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
In order to be compatible with portmap's HostPort mode, we need to expose the host port on all addresses for the case where no hostIP was specified. This also includes the loopback address. For the case where hostIP was specified, we only expose the user provided IP address under HostPort. A typical portmap rule looks like (removing CNI-HOSTPORT-SETMARK from here): [...] [6:408] -A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT [...] [0:0] -A CNI-DN-1ba85aa0447ede8ba6dab -d 8.8.8.8/32 -p tcp -m tcp --dport 999 -j DNAT --to-destination 10.0.0.217:80 [0:0] -A CNI-DN-489a67438eed03d272897 -d 127.0.0.1/32 -p tcp -m tcp --dport 298 -j DNAT --to-destination 10.0.0.27:80 [2:120] -A CNI-DN-526ac7f749f8260cb0d9f -p tcp -m tcp --dport 666 -j DNAT --to-destination 10.0.0.188:80 [2:120] -A CNI-DN-81de08afe40acdfde3fac -d 192.168.178.29/32 -p tcp -m tcp --dport 777 -j DNAT --to-destination 10.0.0.138:80 [2:120] -A CNI-HOSTPORT-DNAT -p tcp -m comment --comment "dnat name: \"portmap\" id: \"dd111758b3cc7d46e0c027725f4c1cc3d5ac349c6cb1d6ebb919a5f433f155aa\"" -m multiport --dports 666 -j CNI-DN-526ac7f749f8260cb0d9f [...] In above example, hostPort 666 has no hostIP specified; hostPort 777 had the hostIP of 192.168.178.29 specified. In such case access via 127.0.0.1:777 is not possible. hostPort 298 had 127.0.0.1 as hostIP specified, so it's only available via loopback but not from outside world. And hostPort 999 had 8.8.8.8 as hostIP specified. It's not forbidden but it won't match/xlate if 8.8.8.8 is not a local address on the node. Implement these semantics also for the BPF-based replacement by reworking the k8s watcher's genServiceMappings(). Fixes: #12116 Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Final one to enforce drop of surrogate entries for external traffic. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Extend the batch of hostPort tests to improve coverage. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
53d15f9 to
15476a9
Compare
Member
Author
|
test-me-please |
Member
Author
|
(ignoring checkpatch in this case since line goes over ~85 chars) |
aanm
reviewed
Jul 9, 2020
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See commit msg; targeted for 1.8.2.
Fixes: #12116