From 3de4bf527b749ddeb5e041d3ad03ddc3ec2f28cf Mon Sep 17 00:00:00 2001
From: leonnicolas
Date: Sun, 10 Oct 2021 10:44:41 +0200
Subject: [PATCH 1/3] pkg/mesh/routes.go: add iptbales forward allow rules for segment.

Before this commit we added the forward ALLOW rule only for the node's pod CIDR and not all pod CIDRs of a location. This commit adds the forward ALLOW rule for packages from (source) and to (destination) all pod CIDRs of the location if the node is a leader node.

Signed-off-by: leonnicolas
---
 pkg/mesh/routes.go | 19 ++++++++++++++++---
 pkg/mesh/topology.go | 3 +++
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/pkg/mesh/routes.go b/pkg/mesh/routes.go
index 8f68b52f..2cabbd58 100644
--- a/pkg/mesh/routes.go
+++ b/pkg/mesh/routes.go
@@ -249,9 +249,22 @@ func (t *Topology) Rules(cni, iptablesForwardRule bool) []iptables.Rule {
 rules = append(rules, iptables.NewIPv6Chain("nat", "KILO-NAT"))
 if cni {
 rules = append(rules, iptables.NewRule(iptables.GetProtocol(len(t.subnet.IP)), "nat", "POSTROUTING", "-s", t.subnet.String(), "-m", "comment", "--comment", "Kilo: jump to KILO-NAT chain", "-j", "KILO-NAT"))
- if iptablesForwardRule {
- rules = append(rules, iptables.NewRule(iptables.GetProtocol(len(t.subnet.IP)), "filter", "FORWARD", "-m", "comment", "--comment", "Kilo: forward packets from the pod subnet", "-s", t.subnet.String(), "-j", "ACCEPT"))
- rules = append(rules, iptables.NewRule(iptables.GetProtocol(len(t.subnet.IP)), "filter", "FORWARD", "-m", "comment", "--comment", "Kilo: forward packets to the pod subnet", "-d", t.subnet.String(), "-j", "ACCEPT"))
+ // Some linux distros or docker will set forward DROP in the filter table.
+ // To still be able to have pod to pod communication we need to ALLOW packages from and to pod CIDRs within a location.
+ // Leader nodes will forward packages from all nodes within a location because they act as a gateway for them.
+ // Non leader nodes only need to allow packages from and to their own pod CIDR.
+ if iptablesForwardRule && t.leader {
+ for _, s := range t.segments {
+ if t.location == s.location {
+ for _, c := range s.cidrs {
+ rules = append(rules, iptables.NewRule(iptables.GetProtocol(len(c.IP)), "filter", "FORWARD", "-m", "comment", "--comment", "Kilo: forward packets from the pod subnet", "-s", c.String(), "-j", "ACCEPT"))
+ rules = append(rules, iptables.NewRule(iptables.GetProtocol(len(c.IP)), "filter", "FORWARD", "-m", "comment", "--comment", "Kilo: forward packets to the pod subnet", "-d", c.String(), "-j", "ACCEPT"))
+ }
+ }
+ }
+ } else if iptablesForwardRule {
+ rules = append(rules, iptables.NewRule(iptables.GetProtocol(len(t.subnet.IP)), "filter", "FORWARD", "-m", "comment", "--comment", "Kilo: forward packets from the node's pod subnet", "-s", t.subnet.String(), "-j", "ACCEPT"))
+ rules = append(rules, iptables.NewRule(iptables.GetProtocol(len(t.subnet.IP)), "filter", "FORWARD", "-m", "comment", "--comment", "Kilo: forward packets to the node's pod subnet", "-d", t.subnet.String(), "-j", "ACCEPT"))
 }
 }
 for _, s := range t.segments {
diff --git a/pkg/mesh/topology.go b/pkg/mesh/topology.go
index 908d0a7e..a0a9015f 100644
--- a/pkg/mesh/topology.go
+++ b/pkg/mesh/topology.go
@@ -172,6 +172,8 @@ func NewTopology(nodes map[string]*Node, peers map[string]*Peer, granularity Gra
 privateIPs: privateIPs,
 allowedLocationIPs: allowedLocationIPs,
 })
+ level.Debug(t.logger).Log("msg", "generated segment", "location", location, "allowedIPs", allowedIPs, "endpoint", topoMap[location][leader].Endpoint, "cidrs", cidrs, "hostnames", hostnames, "leader", leader, "privateIPs", privateIPs, "allowedLocationIPs", allowedLocationIPs)
+
 }
 // Sort the Topology segments so the result is stable.
 sort.Slice(t.segments, func(i, j int) bool {
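Review bot: The new leader branch accepts by address in one direction at a time: the `-s c` rule forwards anything sourced from a location pod CIDR to any destination, and the `-d c` rule forwards anything from any source into it, so on a leader the FORWARD policy widens to the union of every pod CIDR in the location rather than to pod-to-pod pairs. The comment block above the branch should state this, because a reader will otherwise assume the rules are pair-restricted; a suggested line after `// Non leader nodes ...` is `// These rules match on source or destination alone, so they accept any traffic into or out of the listed CIDRs, not only pod-to-pod traffic.` Combining `-s` and `-d` in one rule would be the narrower form, but it presumably also stops the gateway path that the POSTROUTING jump to KILO-NAT above serves, so that is a deliberate design choice worth recording. `Rules` starts before this hunk and continues past it.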
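Review bot: The debug line logs `cidrs`, `privateIPs` and `allowedLocationIPs` as whole slices; if any of them is a slice of pointers such as `[]*net.IPNet`, the logfmt encoder prints pointer addresses rather than CIDRs and the field is useless in practice — confirm the element types, and where they are pointers log a `[]string` built from `String()` instead. The hunk also appears to add an empty line directly before the loop's closing brace, which gofmt keeps but which reads as a stray blank; dropping it keeps the loop body tight. `NewTopology` starts before this hunk and continues past it.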
@@ -218,6 +220,7 @@ func NewTopology(nodes map[string]*Node, peers map[string]*Peer, granularity Gra
 segment.allowedLocationIPs = t.filterAllowedLocationIPs(segment.allowedLocationIPs, segment.location)
 }
+ level.Debug(t.logger).Log("msg", "generated topology", "location", t.location, "hostname", t.hostname, "wireGuardIP", t.wireGuardCIDR, "privateIP", t.privateIP, "subnet", t.subnet, "leader", t.leader)
 return &t, nil
 }

From c59ac10e152ebbaf4f4fd8d8fcdd6ec912091655 Mon Sep 17 00:00:00 2001
From: leonnicolas
Date: Sun, 17 Oct 2021 19:58:17 +0200
Subject: [PATCH 2/3] pkg/mesh/routes.go: forward private IPs and allowed location IPs

If the `iptables-allow-forwad` is true, we should also forward packages to and from private IPs and allowed location IPs of the location.

Signed-off-by: leonnicolas
---
 pkg/mesh/routes.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/pkg/mesh/routes.go b/pkg/mesh/routes.go
index 2cabbd58..421768d2 100644
--- a/pkg/mesh/routes.go
+++ b/pkg/mesh/routes.go
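Review bot: The log key `"wireGuardIP"` is paired with the value `t.wireGuardCIDR`, so the field name misdescribes what is printed and anyone grepping logs for the CIDR will look under the wrong key; use a matching name, `"wireGuardCIDR", t.wireGuardCIDR`. `NewTopology` starts before this hunk.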
@@ -256,10 +256,21 @@ func (t *Topology) Rules(cni, iptablesForwardRule bool) []iptables.Rule {
 if iptablesForwardRule && t.leader {
 for _, s := range t.segments {
 if t.location == s.location {
+ // Make sure packets to and from pod cidrs are not dropped in the forward chain.
 for _, c := range s.cidrs {
 rules = append(rules, iptables.NewRule(iptables.GetProtocol(len(c.IP)), "filter", "FORWARD", "-m", "comment", "--comment", "Kilo: forward packets from the pod subnet", "-s", c.String(), "-j", "ACCEPT"))
 rules = append(rules, iptables.NewRule(iptables.GetProtocol(len(c.IP)), "filter", "FORWARD", "-m", "comment", "--comment", "Kilo: forward packets to the pod subnet", "-d", c.String(), "-j", "ACCEPT"))
 }
+ // Make sure packets to and from allowed location IPs are not dropped in the forward chain.
+ for _, c := range s.allowedLocationIPs {
+ rules = append(rules, iptables.NewRule(iptables.GetProtocol(len(c.IP)), "filter", "FORWARD", "-m", "comment", "--comment", "Kilo: forward packets from allowed location IPs", "-s", c.String(), "-j", "ACCEPT"))
+ rules = append(rules, iptables.NewRule(iptables.GetProtocol(len(c.IP)), "filter", "FORWARD", "-m", "comment", "--comment", "Kilo: forward packets to allowed location IPs", "-d", c.String(), "-j", "ACCEPT"))
+ }
+ // Make sure packets to and from private IPs are not dropped in the forward chain.
+ for _, c := range s.privateIPs {
+ rules = append(rules, iptables.NewRule(iptables.GetProtocol(len(c)), "filter", "FORWARD", "-m", "comment", "--comment", "Kilo: forward packets from private IPs", "-s", oneAddressCIDR(c).String(), "-j", "ACCEPT"))
+ rules = append(rules, iptables.NewRule(iptables.GetProtocol(len(c)), "filter", "FORWARD", "-m", "comment", "--comment", "Kilo: forward packets to private IPs", "-d", oneAddressCIDR(c).String(), "-j", "ACCEPT"))
+ }
 }
 }
 } else if iptablesForwardRule {

From ac65330c714dad62fdd922fb749ca0a4e4f99431 Mon Sep 17 00:00:00 2001
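Review bot: The privateIPs loop derives the protocol from `len(c)` on a bare IP, unlike the other two loops that use `len(c.IP)` on an IPNet; if the private IPs are held in 16-byte form (what `net.ParseIP` returns for IPv4 addresses) `len(c)` is 16 for an IPv4 address and the ACCEPT rule would be emitted for the wrong protocol, silently leaving that address unforwarded — confirm how privateIPs are populated, or normalize before the length check with `if v4 := c.To4(); v4 != nil { c = v4 }`. `oneAddressCIDR(c).String()` is also computed twice per address; a local `addr := oneAddressCIDR(c).String()` used in both rules avoids the repetition. Note that the allowedLocationIPs loop extends the accept-by-address FORWARD rules to ranges that appear to be configured per location rather than derived from pod CIDRs, so the leader now forwards any traffic into or out of those ranges; the comment above that loop should say so rather than only "are not dropped". `Rules` starts before this hunk and continues past it.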
From: leonnicolas <60091705+leonnicolas@users.noreply.github.com>
Date: Mon, 1 Nov 2021 19:02:49 +0100
Subject: [PATCH 3/3] Apply suggestions from code review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Lucas Servén Marín
---
 pkg/mesh/routes.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkg/mesh/routes.go b/pkg/mesh/routes.go
index 421768d2..3e394423 100644
--- a/pkg/mesh/routes.go
+++ b/pkg/mesh/routes.go
@@ -250,12 +250,12 @@ func (t *Topology) Rules(cni, iptablesForwardRule bool) []iptables.Rule {
 if cni {
 rules = append(rules, iptables.NewRule(iptables.GetProtocol(len(t.subnet.IP)), "nat", "POSTROUTING", "-s", t.subnet.String(), "-m", "comment", "--comment", "Kilo: jump to KILO-NAT chain", "-j", "KILO-NAT"))
 // Some linux distros or docker will set forward DROP in the filter table.
- // To still be able to have pod to pod communication we need to ALLOW packages from and to pod CIDRs within a location.
- // Leader nodes will forward packages from all nodes within a location because they act as a gateway for them.
+ // To still be able to have pod to pod communication we need to ALLOW packets from and to pod CIDRs within a location.
+ // Leader nodes will forward packets from all nodes within a location because they act as a gateway for them.
 // Non leader nodes only need to allow packages from and to their own pod CIDR.
 if iptablesForwardRule && t.leader {
 for _, s := range t.segments {
- if t.location == s.location {
+ if s.location == t.location {
 // Make sure packets to and from pod cidrs are not dropped in the forward chain.
 for _, c := range s.cidrs {
 rules = append(rules, iptables.NewRule(iptables.GetProtocol(len(c.IP)), "filter", "FORWARD", "-m", "comment", "--comment", "Kilo: forward packets from the pod subnet", "-s", c.String(), "-j", "ACCEPT"))
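Review bot: The wording fix is incomplete: the unchanged context line `// Non leader nodes only need to allow packages from and to their own pod CIDR.` still says `packages` while the two lines directly above it were corrected to `packets`; change it to `// Non leader nodes only need to allow packets from and to their own pod CIDR.` so the comment block is consistent. `Rules` starts before this hunk and continues past it.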