OCPBUGSM-45393: Bug 2078691: [Downstream Merge] 22-07-2022 #1210
Conversation
remove runtime dependencies for c libraries Signed-off-by: Zenghui Shi <zshi@redhat.com>
Currently the default value for all interfaces is 0 while
rp_filter for "all" is set to 1.
rp_filter - INTEGER
0 - No source validation.
1 - Strict mode as defined in RFC3704 Strict Reverse Path
Each incoming packet is tested against the FIB and if the interface
is not the best reverse path the packet check will fail.
By default failed packets are discarded.
2 - Loose mode as defined in RFC3704 Loose Reverse Path
Each incoming packet's source address is also tested against the FIB
and if the source address is not reachable via any interface
the packet check will fail.
Current recommended practice in RFC3704 is to enable strict mode
to prevent IP spoofing from DDos attacks. If using asymmetric routing
or other complicated routing, then loose mode is recommended.
The max value from conf/{all,interface}/rp_filter is used
when doing source validation on the {interface}.
As per the definitions to avail other FIB table based routing
we should set rp_filter for ovn-k8s-mp0 to 2 to support ITP=local
feature. Security wise we are still ok since we are enabling this only
on ovnk interface mp0 and not on any other interface.
NOTE: Pkt from host goes into ovn via mp0 destined for clusterIP
and it goes in via the new routing table 7 that was added. Return
packet with srcIP=clusterIP comes out via mp0 and default routing
table says all clusterIP traffic should go to br-ex and this is why
reverse path filter check fails since onward packet went in via mp0.
Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
Change rp_filter value for ovn-k8s-mp0
Closes #3078 Signed-off-by: Dumitru Ceara <dceara@redhat.com>
e2e: Fix checking of mac entries embedded in conntrack labels.
Build all ovnk binaries with cgo disabled
We weren't locking individual entries while looping through them, this was causing races when same entry was changed or accessed elsewhere in the code. Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com> Closes: #3080
If EgressIP node create failed while creating default NoRoute policy then an update event happens before objRetry period "30sec" there is no logic to retry recreating this policy. Signed-off-by: Mohamed Mahmoud <mmahmoud@redhat.com>
Signed-off-by: Numan Siddique <numans@ovn.org>
We weren't removing reference of ACL from PG before deleting it. Unfortuntely unit tests don't catch this. Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
iterateRetryResources: Lock the entry in the loop
fedora Dockerfile : Update OVN to 22.06.
syncNetworkPolicies: Remove ACLs from PGs before deleting
EgressIP node handle create errs followed by update in < 30s
|
@tssurya: GitHub didn't allow me to request PR reviews from the following users: has, a, merge, tagging, because, one, numansiddique, in, the, each. Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
tssurya
changed the title
openshift-ci
bot
added
bugzilla/severity-high
|
@tssurya: This pull request references Bugzilla bug 2078691, which is valid. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@tssurya: This pull request references Bugzilla bug 2078691, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
1 similar comment
|
@tssurya: This pull request references Bugzilla bug 2078691, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
tssurya
changed the title
|
/refresh bugzilla |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: trozet, tssurya The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
/retest |
|
/label qe-approved |
|
/abel qe-approved |
|
/label qe-approved |
openshift-ci
bot
added
the
qe-approved
|
Ahh there are couple of more bugs as I noted in description. Sorry for that /label qe-approved cancel |
|
/remove qe-approved |
|
/test e2e-metal-ipi-ovn-dualstack |
|
again the metal dualstack job doesn't look promosing: https://prow.ci.openshift.org/job-history/gs/origin-ci-test/pr-logs/directory/pull-ci-openshift-ovn-kubernetes-master-e2e-metal-ipi-ovn-dualstack |
|
@tssurya: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
@tssurya: All pull requests linked via external trackers have merged: Bugzilla bug 2078691 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/cc @zshi-redhat @dceara @msherif1234 @numansiddique tagging because each one has a commit in the merge
/assign @trozet for approve
/assign @dcbw for approve
Fixes bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=2095852 (@anuragthehatter)
https://bugzilla.redhat.com/show_bug.cgi?id=2078691 (@huiran0826)
https://bugzilla.redhat.com/show_bug.cgi?id=2106444