From 138f88d77cf0927e615d22bdc09f7fe0ff9ae429 Mon Sep 17 00:00:00 2001
From: Tamilmani Manoharan
Date: Tue, 26 May 2020 13:15:54 -0700
Subject: [PATCH] Disable RA for interfaces created by CNI

---
 network/bridge_networkclient_linux.go | 6 +++++-
 network/epcommon/endpoint_common.go | 19 +++++++++++++++++++
 network/ovs_networkclient_linux.go | 5 +++++
 network/ovssnat/ovssnat.go | 12 ++++++++++++
 4 files changed, 41 insertions(+), 1 deletion(-)

diff --git a/network/bridge_networkclient_linux.go b/network/bridge_networkclient_linux.go
index 1c72f3b848..1bf8d66d46 100644
--- a/network/bridge_networkclient_linux.go
+++ b/network/bridge_networkclient_linux.go
@@ -39,7 +39,11 @@ func (client *LinuxBridgeClient) CreateBridge() error {
 },
 }
- return netlink.AddLink(&link)
+ if err := netlink.AddLink(&link); err != nil {
+ return err
+ }
+
+ return epcommon.DisableRAForInterface(client.bridgeName)
 }
 func (client *LinuxBridgeClient) DeleteBridge() error {
diff --git a/network/epcommon/endpoint_common.go b/network/epcommon/endpoint_common.go
index 923f918447..cf0106cf1a 100644
--- a/network/epcommon/endpoint_common.go
+++ b/network/epcommon/endpoint_common.go
@@ -31,6 +31,7 @@ const (
 enableIPForwardCmd = "sysctl -w net.ipv4.ip_forward=1"
 toggleIPV6Cmd = "sysctl -w net.ipv6.conf.all.disable_ipv6=%d"
 enableIPV6ForwardCmd = "sysctl -w net.ipv6.conf.all.forwarding=1"
+ disableRACmd = "sysctl -w net.ipv6.conf.%s.accept_ra=0"
 )
 func getPrivateIPSpace() []string {
@@ -71,6 +72,10 @@ func CreateEndpoint(hostVethName string, containerVethName string) error {
 return err
 }
+ if err := DisableRAForInterface(hostVethName); err != nil {
+ return err
+ }
+
 return nil
 }
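Review bot: The new `return epcommon.DisableRAForInterface(client.bridgeName)` makes bridge creation fail on a host whose IPv6 stack is absent (module not loaded, or booted with ipv6.disable=1): as far as I can tell no net.ipv6.conf.<bridge>.accept_ra key exists there, sysctl exits non-zero, and CreateBridge now returns that error after netlink.AddLink has already succeeded, leaving the bridge behind; this is inferred from sysctl's behaviour on a missing key, not from anything visible in the hunk. The same hard failure is introduced by the CreateEndpoint hunk below and by the SetupContainerInterface, OVS CreateBridge and CreateSnatBridge hunks later in the patch, so one host without IPv6 would lose every endpoint rather than just RA suppression. If disabling RA is meant to be best-effort where IPv6 is not configured, the one place to decide that is inside DisableRAForInterface (skip when /proc/sys/net/ipv6 is missing, or log and return nil), which lets every caller keep its `return err` shape. If it must stay fatal here, delete the link again before returning so a retry does not trip over an already-existing bridge; DeleteBridge, whose body starts just below the hunk, presumably has the call to reuse.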
@@ -87,6 +92,10 @@ func SetupContainerInterface(containerVethName string, targetIfName string) erro
 return err
 }
+ if err := DisableRAForInterface(targetIfName); err != nil {
+ return err
+ }
+
 // Bring the interface back up.
 log.Printf("[net] Setting link %v state up.", targetIfName)
 return netlink.SetLinkState(targetIfName, true)
@@ -228,3 +237,13 @@ func AddSnatRule(match string, ip net.IP) error {
 target := fmt.Sprintf("SNAT --to %s", ip.String())
 return iptables.InsertIptableRule(version, iptables.Nat, iptables.Postrouting, match, target)
 }
+
+func DisableRAForInterface(ifName string) error {
+ cmd := fmt.Sprintf(disableRACmd, ifName)
+ out, err := platform.ExecuteCommand(cmd)
+ if err != nil {
+ log.Errorf("[net] Diabling ra failed with err: %v out: %v", err, out)
+ }
+
+ return err
+}
diff --git a/network/ovs_networkclient_linux.go b/network/ovs_networkclient_linux.go
index 127605b6f0..84358a4b26 100644
--- a/network/ovs_networkclient_linux.go
+++ b/network/ovs_networkclient_linux.go
@@ -6,6 +6,7 @@ import (
 "strings"
 "github.com/Azure/azure-container-networking/log"
+ "github.com/Azure/azure-container-networking/network/epcommon"
 "github.com/Azure/azure-container-networking/ovsctl"
 )
@@ -72,6 +73,10 @@ func (client *OVSNetworkClient) CreateBridge() error {
 }
 }()
+ if err := epcommon.DisableRAForInterface(client.bridgeName); err != nil {
+ return err
+ }
+
 return updateOVSConfig(ovsOpt)
 }
diff --git a/network/ovssnat/ovssnat.go b/network/ovssnat/ovssnat.go
index 9891189597..257058ff9a 100644
--- a/network/ovssnat/ovssnat.go
+++ b/network/ovssnat/ovssnat.go
@@ -342,6 +342,10 @@ func CreateSnatBridge(snatBridgeIP string, mainInterface string) error {
 return nil
 }
+ if err := epcommon.DisableRAForInterface(SnatBridgeName); err != nil {
+ return err
+ }
+
 vethLink := netlink.VEthLink{
 LinkInfo: netlink.LinkInfo{
 Type: netlink.LINK_TYPE_VETH,
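Review bot: DisableRAForInterface substitutes ifName into `net.ipv6.conf.%s.accept_ra`, and sysctl treats every '.' in a key as a path separator, so an interface whose name contains a dot (a VLAN-style name such as eth0.100) would be split into the wrong components; whether any CNI-created name here can contain a dot is not visible in the patch, but sysctl accepts '/' as the separator for exactly this case, so passing `strings.Replace(ifName, ".", "/", -1)` to the format, or writing "0" to /proc/sys/net/ipv6/conf/<ifName>/accept_ra directly, would make the helper safe for any name. The direct write would also stop interpolating a caller-supplied name into a command string: the kernel permits interface names containing shell metacharacters, so if platform.ExecuteCommand goes through a shell, such a name would alter the command rather than just the key — harmless for the fixed bridge names but worth closing for the veth names that arrive from callers. The log line also misspells "Disabling" and does not say which interface failed: `log.Errorf("[net] Disabling ra on %v failed with err: %v out: %v", ifName, err, out)`.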
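Review bot: In the OVS CreateBridge hunk, `if err := epcommon.DisableRAForInterface(client.bridgeName); err != nil {` declares a new err scoped to the if, so if the deferred closure that closes just above it (`}()`) reads an outer err to decide whether to tear the bridge down on failure, that cleanup would not observe this error and the bridge would be left half-configured; the start of CreateBridge, including the defer's body, is outside the hunk, so this is inferred from the shape rather than seen. If an outer err (or a named result) exists, assign to it instead: `if err = epcommon.DisableRAForInterface(client.bridgeName); err != nil {`. If the defer does not consult an outer err, the call is fine as written; the bridge_networkclient_linux.go and ovssnat.go hunks use the same `:=` shape but show no deferred cleanup nearby.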
@@ -356,6 +360,14 @@ func CreateSnatBridge(snatBridgeIP string, mainInterface string) error {
 return err
 }
+ if err := epcommon.DisableRAForInterface(azureSnatVeth0); err != nil {
+ return err
+ }
+
+ if err := epcommon.DisableRAForInterface(azureSnatVeth1); err != nil {
+ return err
+ }
+
 log.Printf("Assigning %v on snat bridge", snatBridgeIP)
 ip, addr, _ := net.ParseCIDR(snatBridgeIP)