Commit 8bcd166c authored by Boris Djurdjevic's avatar Boris Djurdjevic Committed by Murali Reddy

Fix connection resets during firewall sync (#807)

For very busy tcp connections there is a small possibility to receive
a TCP RST during the iptables sync.

A default `REJECT` rule is chronologically added before the allow-`RELATED,ESTABLISHED` rule for ingress and
egress connections.
Between the creation of these two rules, a connection reset can happen for already established connections.

This commit swaps the order of rule insertion.
parent 3a0da2bf
Showing with 31 additions and 31 deletions
+31 -31
......@@ -748,6 +748,20 @@ func (npc *NetworkPolicyController) syncPodFirewallChains(version string) (map[s
}
}
// ensure statefull firewall, that permits return traffic for the traffic originated by the pod
comment = "rule for stateful firewall for pod"
args = []string{"-m", "comment", "--comment", comment, "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}
exists, err = iptablesCmdHandler.Exists("filter", podFwChainName, args...)
if err != nil {
return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
}
if !exists {
err := iptablesCmdHandler.Insert("filter", podFwChainName, 1, args...)
if err != nil {
return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
}
}
// ensure there is rule in filter table and FORWARD chain to jump to pod specific firewall chain
// this rule applies to the traffic getting routed (coming for other node pods)
comment = "rule to jump traffic destined to POD name:" + pod.name + " namespace: " + pod.namespace +
......@@ -803,20 +817,6 @@ func (npc *NetworkPolicyController) syncPodFirewallChains(version string) (map[s
if err != nil {
return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
}
// ensure statefull firewall, that permits return traffic for the traffic originated by the pod
comment = "rule for stateful firewall for pod"
args = []string{"-m", "comment", "--comment", comment, "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}
exists, err = iptablesCmdHandler.Exists("filter", podFwChainName, args...)
if err != nil {
return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
}
if !exists {
err := iptablesCmdHandler.Insert("filter", podFwChainName, 1, args...)
if err != nil {
return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
}
}
}
// loop through the pods running on the node which egress network policies to be applied
......@@ -859,12 +859,26 @@ func (npc *NetworkPolicyController) syncPodFirewallChains(version string) (map[s
}
}
// ensure statefull firewall, that permits return traffic for the traffic originated by the pod
comment := "rule for stateful firewall for pod"
args := []string{"-m", "comment", "--comment", comment, "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}
exists, err := iptablesCmdHandler.Exists("filter", podFwChainName, args...)
if err != nil {
return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
}
if !exists {
err := iptablesCmdHandler.Insert("filter", podFwChainName, 1, args...)
if err != nil {
return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
}
}
// ensure there is rule in filter table and FORWARD chain to jump to pod specific firewall chain
// this rule applies to the traffic getting routed (coming for other node pods)
comment := "rule to jump traffic from POD name:" + pod.name + " namespace: " + pod.namespace +
comment = "rule to jump traffic from POD name:" + pod.name + " namespace: " + pod.namespace +
" to chain " + podFwChainName
args := []string{"-m", "comment", "--comment", comment, "-s", pod.ip, "-j", podFwChainName}
exists, err := iptablesCmdHandler.Exists("filter", "FORWARD", args...)
args = []string{"-m", "comment", "--comment", comment, "-s", pod.ip, "-j", podFwChainName}
exists, err = iptablesCmdHandler.Exists("filter", "FORWARD", args...)
if err != nil {
return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
}
......@@ -901,20 +915,6 @@ func (npc *NetworkPolicyController) syncPodFirewallChains(version string) (map[s
if err != nil {
return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
}
// ensure statefull firewall, that permits return traffic for the traffic originated by the pod
comment = "rule for stateful firewall for pod"
args = []string{"-m", "comment", "--comment", comment, "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}
exists, err = iptablesCmdHandler.Exists("filter", podFwChainName, args...)
if err != nil {
return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
}
if !exists {
err := iptablesCmdHandler.Insert("filter", podFwChainName, 1, args...)
if err != nil {
return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
}
}
}
return activePodFwChains, nil
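Review bot: The 13-line stateful-firewall block is now duplicated verbatim in the ingress path (first hunk, after line 748) and the egress path (third hunk, after line 859), and its comment does not record why it has to run before the default REJECT rule is added, so a later reordering could silently reopen the reset window this commit closes. I would extract the block into a private helper carrying the why-comment `// must run before the default REJECT rule is added to podFwChainName; between the two insertions an established connection would otherwise be reset (#807)`, which also removes the `err :=` inside `if !exists` that shadows the outer err. The REJECT insertion itself is outside these hunks, so its position relative to the helper call should be confirmed when placing it. Exists followed by Insert is still two separate iptables invocations, so the change narrows rather than eliminates the race; applying the chain in one iptables-restore transaction would close it fully. syncPodFirewallChains starts and ends outside the hunks.
```go
// ruleHandler is the subset of the iptables handler that ensureStatefulFirewallRule needs.
type ruleHandler interface {
	Exists(table, chain string, rulespec ...string) (bool, error)
	Insert(table, chain string, pos int, rulespec ...string) error
}

// ensureStatefulFirewallRule inserts the RELATED,ESTABLISHED accept rule at the head of
// podFwChainName when it is not already present. It must run before the default REJECT
// rule is added to the chain; otherwise established connections are reset mid-sync (#807).
func ensureStatefulFirewallRule(h ruleHandler, podFwChainName string) error {
	comment := "rule for stateful firewall for pod"
	args := []string{"-m", "comment", "--comment", comment, "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}
	exists, err := h.Exists("filter", podFwChainName, args...)
	if err != nil {
		return fmt.Errorf("Failed to run iptables command: %s", err.Error())
	}
	if exists {
		return nil
	}
	if err := h.Insert("filter", podFwChainName, 1, args...); err != nil {
		return fmt.Errorf("Failed to run iptables command: %s", err.Error())
	}
	return nil
}

// in syncPodFirewallChains, ingress and egress paths alike, replacing the duplicated block:
if err := ensureStatefulFirewallRule(iptablesCmdHandler, podFwChainName); err != nil {
	return nil, err
}
// … unchanged: FORWARD/OUTPUT jump rules …
```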
......