Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(NSC): only set rp_filter to 2 if it is 1 #1791

Merged
merged 1 commit into from
Jan 11, 2025
Merged

fix(NSC): only set rp_filter to 2 if it is 1 #1791

merged 1 commit into from
Jan 11, 2025

Conversation

dsseng
Copy link
Contributor

@dsseng dsseng commented Dec 30, 2024
edited
Loading

Setting rp_filter to 2 when it is 0 will override its status to be always enabled (in the loose mode).
This behavior could break some networking solutions as it made packet admission rules more strict.

Reference: #1651 (comment) and subsequent

@dsseng
Copy link
Contributor Author

dsseng commented Dec 30, 2024

Also this doesn't work in all cases as I see, since this won't disable rp_filter on these in case all is set to 1 or 2:

kube-router/pkg/controllers/proxy/linux_networking.go

Lines 769 to 787 in 93498fb

// disable rp_filter on all interface
sysctlErr := utils.SetSysctlSingleTemplate(utils.IPv4ConfRPFilterTemplate, "kube-tunnel-if", 0)
if sysctlErr != nil {
attemptNamespaceResetAfterError(hostNetworkNamespaceHandle)
return fmt.Errorf("failed to disable rp_filter on kube-tunnel-if in the endpoint container: %s",
sysctlErr.Error())
}
sysctlErr = utils.SetSysctlSingleTemplate(utils.IPv4ConfRPFilterTemplate, assumedContainerIfaceName, 0)
if sysctlErr != nil {
attemptNamespaceResetAfterError(hostNetworkNamespaceHandle)
return fmt.Errorf("failed to disable rp_filter on eth0 in the endpoint container: %s", sysctlErr.Error())
}
sysctlErr = utils.SetSysctlSingleTemplate(utils.IPv4ConfRPFilterTemplate, "all", 0)
if sysctlErr != nil {
attemptNamespaceResetAfterError(hostNetworkNamespaceHandle)
return fmt.Errorf("failed to disable rp_filter on `all` in the endpoint container: %s", sysctlErr.Error())
}

aauren
aauren requested changes Jan 3, 2025
View reviewed changes
Copy link
Collaborator

@aauren aauren left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's one linting error that needs correcting, and I left a request to add one more interface that I missed in our previous conversation, and I had one question.

I also deployed it to my test harness and while I haven't tested all of the boundary conditions for rp_filter values, I was able to confirm that it runs similar to how it ran before.

But other than that, this change looks really good! Thanks for putting this together for us!

pkg/controllers/proxy/network_services_controller.go Outdated Show resolved Hide resolved
pkg/controllers/proxy/network_services_controller.go Outdated Show resolved Hide resolved
@aauren
Copy link
Collaborator

aauren commented Jan 3, 2025

Also this doesn't work in all cases as I see, since this won't disable rp_filter on these in case all is set to 1 or 2:

kube-router/pkg/controllers/proxy/linux_networking.go

Lines 769 to 787 in 93498fb

// disable rp_filter on all interface
sysctlErr := utils.SetSysctlSingleTemplate(utils.IPv4ConfRPFilterTemplate, "kube-tunnel-if", 0)
if sysctlErr != nil {
attemptNamespaceResetAfterError(hostNetworkNamespaceHandle)
return fmt.Errorf("failed to disable rp_filter on kube-tunnel-if in the endpoint container: %s",
sysctlErr.Error())
}
sysctlErr = utils.SetSysctlSingleTemplate(utils.IPv4ConfRPFilterTemplate, assumedContainerIfaceName, 0)
if sysctlErr != nil {
attemptNamespaceResetAfterError(hostNetworkNamespaceHandle)
return fmt.Errorf("failed to disable rp_filter on eth0 in the endpoint container: %s", sysctlErr.Error())
}
sysctlErr = utils.SetSysctlSingleTemplate(utils.IPv4ConfRPFilterTemplate, "all", 0)
if sysctlErr != nil {
attemptNamespaceResetAfterError(hostNetworkNamespaceHandle)
return fmt.Errorf("failed to disable rp_filter on `all` in the endpoint container: %s", sysctlErr.Error())
}

I'm not totally sure if I understand this comment correctly, doesn't the last case set rp_filter to 0 on the all interface and 0 is more permissive than 1 or 2?

Also, just to be clear, this logic is setting that value for the interfaces found inside the container's network namespace in case that helps clarify anything for you.

@dsseng
Copy link
Contributor Author

dsseng commented Jan 3, 2025

Also this doesn't work in all cases as I see, since this won't disable rp_filter on these in case all is set to 1 or 2:

kube-router/pkg/controllers/proxy/linux_networking.go

Lines 769 to 787 in 93498fb

// disable rp_filter on all interface
sysctlErr := utils.SetSysctlSingleTemplate(utils.IPv4ConfRPFilterTemplate, "kube-tunnel-if", 0)
if sysctlErr != nil {
attemptNamespaceResetAfterError(hostNetworkNamespaceHandle)
return fmt.Errorf("failed to disable rp_filter on kube-tunnel-if in the endpoint container: %s",
sysctlErr.Error())
}
sysctlErr = utils.SetSysctlSingleTemplate(utils.IPv4ConfRPFilterTemplate, assumedContainerIfaceName, 0)
if sysctlErr != nil {
attemptNamespaceResetAfterError(hostNetworkNamespaceHandle)
return fmt.Errorf("failed to disable rp_filter on eth0 in the endpoint container: %s", sysctlErr.Error())
}
sysctlErr = utils.SetSysctlSingleTemplate(utils.IPv4ConfRPFilterTemplate, "all", 0)
if sysctlErr != nil {
attemptNamespaceResetAfterError(hostNetworkNamespaceHandle)
return fmt.Errorf("failed to disable rp_filter on `all` in the endpoint container: %s", sysctlErr.Error())
}

I'm not totally sure if I understand this comment correctly, doesn't the last case set rp_filter to 0 on the all interface and 0 is more permissive than 1 or 2?

Also, just to be clear, this logic is setting that value for the interfaces found inside the container's network namespace in case that helps clarify anything for you.

Okay, if it's inside the container that's not to be considered. Thanks for clarifying

@dsseng dsseng requested a review from aauren January 3, 2025 19:57
aauren
aauren reviewed Jan 5, 2025
View reviewed changes
Copy link
Collaborator

@aauren aauren left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the update! 2 more comments, but I think we're just about at the end here.

pkg/controllers/proxy/network_services_controller.go Outdated Show resolved Hide resolved
pkg/controllers/proxy/network_services_controller.go Outdated Show resolved Hide resolved
@dsseng
fix(NSC): only set rp_filter to 2 if it is 1
e35961d 
Setting rp_filter to 2 when it is 0 will override its status to be always enabled (in the loose mode).
This behavior could break some networking solutions as it made packet admission rules more strict.
@dsseng dsseng requested a review from aauren January 11, 2025 18:37
aauren
aauren approved these changes Jan 11, 2025
View reviewed changes
Copy link
Collaborator

@aauren aauren left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

Thanks so much for your contribution @dsseng!

@aauren aauren merged commit aa7cffb into cloudnativelabs:master Jan 11, 2025
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aauren aauren aauren approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dsseng @aauren