fqdn: dnsproxy: fix forwarding of the original security identity for TCP
In the case of TCP it is not enough to do net.Dial + setsockopt(SO_MARK), as in this case the TCP SYN will have a wrong identity, e.g.:

Policy verdict log: flow 0x7a95a133 local EP ID 393, remote ID 14616, proto 6, egress, action redirect, match L3-L4, 10.244.1.122:42437 -> 10.244.1.120:53 tcp SYN
Policy verdict log: flow 0x907eaa19 local EP ID 458, remote ID host, proto 6, ingress, action allow, match L3-Only, 172.19.0.2:56276 -> 10.244.1.120:53 tcp SYN

Here the second message has the wrong identity (host). We still allow the traffic, as the origin is the local host and coredns is running on the same host, but this will not work for a remote host if the ingress policy doesn't allow the remote-node identity.

To fix this we need to pass a Control parameter to Dial, so that setsockopt(2) is called before connect(2). With such a change we now see the correct identity in the case of TCP:

Policy verdict log: flow 0xeb7902a9 local EP ID 393, remote ID 14616, proto 6, egress, action redirect, match L3-L4, 10.244.1.122:36661 -> 10.244.1.120:53 tcp SYN
Policy verdict log: flow 0x4efbc5a0 local EP ID 458, remote ID 41903, proto 6, ingress, action allow, match L3-L4, 172.19.0.2:40508 -> 10.244.1.120:53 tcp SYN

Fixes: 44c1def ("fqdn: dnsproxy: forward the original security identity")
Signed-off-by: Anton Protopopov <aspsk@isovalent.com>
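The ordering the commit message describes, as an added Go illustration that is not the Cilium dnsproxy code itself: a net.Dialer whose Control hook calls setsockopt(SO_MARK) on the raw fd after socket(2) but before connect(2), so the TCP SYN already carries the mark. The mark value 0x1234 and the 127.0.0.1 listener are assumptions; Cilium's own identity-to-mark encoding is not shown here, and setting SO_MARK on Linux needs CAP_NET_ADMIN or CAP_NET_RAW.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"syscall"
)

// setMark returns a net.Dialer Control hook. The hook runs on the freshly
// created socket before connect(2), which is exactly the window the plain
// net.Dial + setsockopt sequence misses (there the SYN is already sent).
func setMark(mark uint32) func(network, address string, c syscall.RawConn) error {
	return func(network, address string, c syscall.RawConn) error {
		var sockErr error
		err := c.Control(func(fd uintptr) {
			sockErr = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_MARK, int(mark))
		})
		if err != nil {
			return err
		}
		if sockErr != nil {
			// Surface EPERM etc. so the caller knows no connection was attempted.
			return fmt.Errorf("setsockopt(SO_MARK=%#x): %w", mark, sockErr)
		}
		return nil
	}
}

// dialWithMark dials addr with the mark stamped on the socket before the SYN.
// If the setsockopt fails, the dial is aborted and no packet leaves the host.
func dialWithMark(ctx context.Context, network, addr string, mark uint32) (net.Conn, error) {
	d := net.Dialer{Control: setMark(mark)}
	return d.DialContext(ctx, network, addr)
}

func main() {
	// Constructed local target; a real proxy would dial the upstream resolver.
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	conn, err := dialWithMark(context.Background(), "tcp", ln.Addr().String(), 0x1234)
	if err != nil {
		fmt.Println("dial aborted before connect:", err)
		return
	}
	defer conn.Close()
	fmt.Println("connected with mark set before SYN:", conn.LocalAddr())
}
```

Without the capability the dial fails with EPERM from inside Control, which is the point: the mark is applied (or refused) strictly before connect(2), never after the SYN.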