Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix L7 ingress proxy iptables redirects in direct routing mode #8864

Closed
wants to merge 1 commit into from
Closed

Fix L7 ingress proxy iptables redirects in direct routing mode #8864

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
34 changes: 31 additions & 3 deletions pkg/datapath/iptables/iptables.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -378,6 +378,26 @@ func (m *IptablesManager) ingressProxyRule(cmd, l4Match, markMatch, mark, port,
"--on-port", port)
}

func (m *IptablesManager) inboundProxyRedirectRule(cmd string) []string {
// Mark host proxy transparent connections to be routed to the local stack.
// This comes before the TPROXY rules in the chain, and setting the mark
// without the proxy port number will make the TPROXY rule to not match,
// as we do not want to try to tproxy packets that are going to the stack
// already.
// This rule is needed for couple of reasons:
// 1. route return traffic to the proxy
// 2. route original direction traffic that would otherwise be intercepted
// by ip_early_demux
toProxyMark := fmt.Sprintf("%#08x", linux_defaults.MagicMarkIsToProxy)
return append(m.waitArgs,
"-t", "mangle",
cmd, ciliumPreMangleChain,
"-m", "socket", "--transparent", "--nowildcard",
"-m", "comment", "--comment", "cilium: any->pod redirect proxied traffic to host proxy",
"-j", "MARK",
"--set-mark", toProxyMark)
joestringer marked this conversation as resolved.
Show resolved Hide resolved
}

func (m *IptablesManager) iptIngressProxyRule(cmd string, l4proto string, proxyPort uint16, name string) error {
// Match
port := uint32(byteorder.HostToNetwork(proxyPort).(uint16)) << 16
Expand Down Expand Up @@ -438,7 +458,7 @@ func (m *IptablesManager) iptEgressProxyRule(cmd string, l4proto string, proxyPo
return err
}

func (m *IptablesManager) installProxyNotrackRules() error {
func (m *IptablesManager) installStaticProxyRules() error {
// match traffic to a proxy (upper 16 bits has the proxy port, which is masked out)
matchToProxy := fmt.Sprintf("%#08x/%#08x", linux_defaults.MagicMarkIsToProxy, linux_defaults.MagicMarkHostMask)
// proxy return traffic has 0 ID in the mask
Expand Down Expand Up @@ -468,6 +488,10 @@ func (m *IptablesManager) installProxyNotrackRules() error {
"-m", "comment", "--comment", "cilium: NOTRACK for proxy return traffic",
"-j", "NOTRACK"), false)
}
if err == nil {
// Direct inbound TPROXYed traffic towards the socket
err = runProg("iptables", m.inboundProxyRedirectRule("-A"), false)
}
}
if err == nil && option.Config.EnableIPv6 {
// No conntrack for traffic to ingress proxy
Expand All @@ -492,6 +516,10 @@ func (m *IptablesManager) installProxyNotrackRules() error {
"-m", "comment", "--comment", "cilium: NOTRACK for proxy return traffic",
"-j", "NOTRACK"), false)
}
if err == nil {
// Direct inbound TPROXYed traffic towards the socket
err = runProg("ip6tables", m.inboundProxyRedirectRule("-A"), false)
}
}
return err
}
Expand Down Expand Up @@ -613,8 +641,8 @@ func (m *IptablesManager) InstallRules(ifName string) error {
}
}

if err := m.installProxyNotrackRules(); err != nil {
return fmt.Errorf("cannot add proxy NOTRACK rules: %s", err)
if err := m.installStaticProxyRules(); err != nil {
return fmt.Errorf("cannot add static proxy rules: %s", err)
}

if err := m.addCiliumAcceptXfrmRules(); err != nil {
Expand Down