Conversation

@zachomedia

What this PR does / why we need it:

This PR corrects the iptables flag for network policy egress rules when no ports are defined. Without this fix, the rule added to AZURE-NPM-EGRESS-PORT (since it checks the dst ip instead of src ip of the pod) doesn't match and therefore doesn't go to the AZURE-NPM-EGRESS-TO table which would allow the traffic.

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #

Special notes for your reviewer:
None.

Release note:

@sylus

sylus commented Dec 12, 2018

Hey @saiyan86 is it possible to get this in? Network policy just doesn't work as expected without this fix.

Thanks a bunch!

@saiyan86
Contributor

saiyan86 commented Mar 1, 2019

@zachomedia @sylus Thanks a lot for contributing! #307 should address this along with a bunch of other changes.

@saiyan86 saiyan86 closed this Mar 1, 2019
@zachomedia
Author

zachomedia commented Mar 4, 2019

@saiyan86 I took a look at the resulting change and it looks like the bug is likely still there: https://github.com/Azure/azure-container-networking/blob/master/npm/parse.go#L576 still has IptablesDstFlag instead of IptablesSrcFlag.

I'll see if I can try out the newer version on a cluster and confirm it's still there.

@zachomedia
Author

@saiyan86 I just confirmed that this bug is still present in the latest version (v1.0.18).

@saiyan86
Contributor

@zachomedia Can you share a network policy that triggers this bug? All of my current tests passed.

@saiyan86 saiyan86 self-assigned this Mar 16, 2019
@zachomedia
Author

First, apply a deny-all rule:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

Then allow traffic to mirror.csclub.uwaterloo.ca (129.97.134.71):

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-csc-mirror
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 129.97.134.71/32

After applying the second rule, it should allow you to communicate with mirror.csclub.uwaterloo.ca (on port 80, for example). However, it doesn't work.

If you specify specific ports, for example:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-csc-mirror
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - ports:
    - port: 80
      protocol: TCP
    - port: 443
      protocol: TCP
  - to:
    - ipBlock:
        cidr: 129.97.134.71/32

Then everything works as expected.

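To make the failure described in the PR description concrete (the AZURE-NPM-EGRESS-PORT rule keying on the packet's destination instead of the pod's source address, so the jump to AZURE-NPM-EGRESS-TO is never taken for the port-less policy reproduced above), here is an added Python example that is not part of this PR or of azure-npm. It parses constructed iptables-save lines, simulates which rule a pod's egress packet to 129.97.134.71 hits, and audits the chain for the dst-flag signature. The chain names come from the PR; the ipset name, the pod IP and the exact rule shape are assumptions.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed iptables-save lines (not captured from a real cluster); the ipset name
# "azure-npm-pods" is hypothetical. BUGGY_RULE has the shape the PR describes as broken
# (pod set matched against dst); FIXED_RULE is the corrected shape (matched against src).
BUGGY_RULE = "-A AZURE-NPM-EGRESS-PORT -m set --match-set azure-npm-pods dst -j AZURE-NPM-EGRESS-TO"
FIXED_RULE = "-A AZURE-NPM-EGRESS-PORT -m set --match-set azure-npm-pods src -j AZURE-NPM-EGRESS-TO"

# Constructed ipset membership: the pod's IP is in the pod set.
IPSETS: Dict[str, Set[str]] = {"azure-npm-pods": {"10.244.1.5"}}

RULE_RE = re.compile(
    r"^-A (?P<chain>\S+) -m set --match-set (?P<set>\S+) (?P<dir>src|dst) -j (?P<target>\S+)$"
)

def parse_rule(line: str) -> Optional[Dict[str, str]]:
    """Parse one set-match rule into chain/set/dir/target; None for any other rule shape."""
    m = RULE_RE.match(line.strip())
    return m.groupdict() if m else None

def rule_matches(rule: Dict[str, str], packet: Dict[str, str], ipsets: Dict[str, Set[str]]) -> bool:
    """True if the packet address selected by the rule's src/dst flag is in the named ipset."""
    return packet[rule["dir"]] in ipsets.get(rule["set"], set())

def egress_jump_reached(lines: List[str], packet: Dict[str, str], ipsets: Dict[str, Set[str]]) -> bool:
    """Walk AZURE-NPM-EGRESS-PORT in order; report whether the packet jumps to AZURE-NPM-EGRESS-TO."""
    for line in lines:
        rule = parse_rule(line)
        if rule and rule["chain"] == "AZURE-NPM-EGRESS-PORT" and rule_matches(rule, packet, ipsets):
            return rule["target"] == "AZURE-NPM-EGRESS-TO"
    return False  # no rule matched, so the allow chain is never consulted

def audit_egress_port_chain(lines: List[str]) -> List[str]:
    """Flag rules in the egress port chain that jump to AZURE-NPM-EGRESS-TO but key on dst.
    Egress traffic originates from the pod, so the pod-set match must use src."""
    flagged = []
    for line in lines:
        rule = parse_rule(line)
        if (rule and rule["chain"] == "AZURE-NPM-EGRESS-PORT"
                and rule["target"] == "AZURE-NPM-EGRESS-TO" and rule["dir"] == "dst"):
            flagged.append(line)
    return flagged

if __name__ == "__main__":
    pkt = {"src": "10.244.1.5", "dst": "129.97.134.71"}  # pod -> mirror.csclub.uwaterloo.ca
    print("buggy rule reaches EGRESS-TO:", egress_jump_reached([BUGGY_RULE], pkt, IPSETS))  # False
    print("fixed rule reaches EGRESS-TO:", egress_jump_reached([FIXED_RULE], pkt, IPSETS))  # True
    print("flagged rules:", audit_egress_port_chain([BUGGY_RULE, FIXED_RULE]))
```

On a live node the same audit can be run over the output of iptables-save to confirm whether the installed azure-npm version still carries the dst-flag rule.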
@saiyan86 saiyan86 mentioned this pull request Mar 19, 2019
@saiyan86
Contributor

fixed in #315

@saiyan86 saiyan86 closed this Mar 19, 2019