2924: Preserve the client source IP #3298
Conversation
brb
force-pushed
the
issues/2924-preserve-src-ip-on-local
branch
from
bff0984
to
9792df4
Compare
|
Just trying to understand this, without having been immersed in the details lately, I think the following explanation is useful: Consider a packet arriving on node A from source S destined for pod P. @brb can you confirm? |
| @@ -529,3 +537,27 @@ func ensureRulesAtTop(table, chain string, rulespecs [][]string, ipt *iptables.I | |||
|
|
|||
| return nil | |||
| } | |||
|
|
|||
| func reexpose(config *BridgeConfig, log *logrus.Logger) error { | |||
| // Get existing IP addrs of the weave bridge. | |||
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
net/bridge.go
Outdated
| @@ -463,7 +469,10 @@ func configureIPTables(config *BridgeConfig) error { | |||
|
|
|||
| if !config.NPC { | |||
| // Create a chain for allowing ingress traffic when the bridge is exposed | |||
| _ = ipt.NewChain("filter", "WEAVE-EXPOSE") | |||
| if err := ipt.ClearChain("filter", "WEAVE-EXPOSE"); err != nil { | |||
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
net/bridge.go
Outdated
|
|
||
| return ipt.AppendUnique("nat", "POSTROUTING", "-j", "WEAVE") | ||
| // k8s-only: Create the ipset to store CIDRs allocated by IPAM for local pods. |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
prog/weave-npc/main.go
Outdated
| @@ -56,7 +57,7 @@ func resetIPTables(ipt *iptables.IPTables) error { | |||
| } | |||
|
|
|||
| func resetIPSets(ips ipset.Interface) error { | |||
| // Remove ipsets prefixed `weave-` only | |||
| // Remove ipsets prefixed `weave-` excluding weave-no-masq-local (used by weaver). | |||
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
net/bridge.go
Outdated
| if err := ips.Create(NoMasqLocalIpset, ipset.HashNet); err != nil { | ||
| return err | ||
| } | ||
| if err := ipt.Insert("nat", "WEAVE", 1, "-m", "set", "--match-set", string(NoMasqLocalIpset), "dst", "-j", "RETURN"); err != nil { |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
| @@ -199,6 +199,6 @@ func (alloc *Allocator) HandleHTTP(router *mux.Router, defaultSubnet address.CID | |||
| }) | |||
|
|
|||
| router.Methods("GET").Path("/ipinfo/tracker").HandlerFunc(func(w http.ResponseWriter, r *http.Request) { | |||
| fmt.Fprintf(w, tracker) | |||
| fmt.Fprintf(w, alloc.tracker.String()) | |||
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
| return "no-masq-local" | ||
| } | ||
|
|
||
| func (t *NoMasqLocalTracker) HandleUpdate(prevRanges, currRanges []address.Range, local bool) error { |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
net/bridge.go
Outdated
|
|
||
| func NewNoMasqLocalTracker() *NoMasqLocalTracker { | ||
| return &NoMasqLocalTracker{ | ||
| // TODO(mp) Reuse ipset object as each time calling New creates a test set. |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
| @@ -186,6 +202,7 @@ func main() { | |||
| http.HandleFunc("/read", state.serveRead) | |||
| http.HandleFunc("/write", state.serveWrite) | |||
| http.HandleFunc("/status", state.serveStatus) | |||
| http.HandleFunc("/client_ip", state.serveClientIP) | |||
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
|
|
||
| CLIENT_IP_MASQ="$($SSH $HOST1 curl -sS http://$HOST2:31138/client_ip)" | ||
|
|
||
| WEAVE_ENV_VARS="${WEAVE_ENV_VARS}\\n - name: NO_MASQ_LOCAL\\n value: \"1\"" |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
brb
force-pushed
the
issues/2924-preserve-src-ip-on-local
branch
2 times, most recently
from
20c1526
to
ef42d9b
Compare
This ensures that all exposing-related iptables rules are created. As we do the re-expose, we need to clear the WEAVE-EXPOSE chain if such exists. Thus, we use ClearChain instead of NewChain to create the chain.
It's going to be used by net/bridge.go.
The ipset is used to track locally allocated CIDRs. If requested, external traffic sent to pods within these CIDR ranges will avoid SNAT'ing (NYI).
Cleaner approach than passing a tracker name to ipam/http.
It's going to be used by NoMasqLocalTracker.
The tracker updates the "no-masq-local" ipset with CIDR ranges allocated by IPAM.
One can enable the feature by setting NO_MASQ_LOCAL=1 among env vars of the weave-kube DaemonSet.
The endpoint is going to be used by --no-masq-local integration tests.
Also, increase timeout for smoke tests to 360 sec.
ACK. Additional useful info: as mentioned in the code, this works only on k8s, as in the vanilla Docker case, the Docker bridge acts as a default gw for a container, while in the k8s case - the weave bridge. So in the Docker case, if S sends a packet to P, a reply to it might be sent via different interface which can result in dropped reply due to |
|
It might be worth commenting that "Kubernetes only" is a shorthand for "containers where the Weave Net interface is the default gateway", since the latter can be achieved using vanilla Docker and |
|
Is this PR ready for final review now? |
- Track only local changes. - Add comment to the iptables rule which prevents SNAT'ing. - Rename the ipset to weaver-no-masq-local to prevent NPC from destroying it. - Fix comment about create/flush WEAVE-EXPOSE. - Add comment about reexpose being no-op if bridge hasn't been exposed. - Add comment that the feature is not only for Kubernetes. - Reuse the ipset instance.
brb
force-pushed
the
issues/2924-preserve-src-ip-on-local
branch
from
ef42d9b
to
4c13639
Compare
brb
force-pushed
the
issues/2924-preserve-src-ip-on-local
branch
from
4c13639
to
3daa028
Compare
|
Thanks for the review. Yep, it's ready for final review. Two last commits are relevant ones. |
As ipset.New(...) can be called by two processes (weaver and weave-npc) at the same time, there is a possibility for a race when they both check the comment support. To prevent the race, we append a random nonce to the test ipset name.
brb
force-pushed
the
issues/2924-preserve-src-ip-on-local
branch
from
3daa028
to
2f8aa7a
Compare
|
Some discussion on Twitter about whether we should default this on. Thoughts? |
See #3389 |
Could you link to the discussion? We can make it default only for cases where the |
This PR implements a mechanism for preserving the client source IP addr when accessing a Service annotated with
service.spec.externalTrafficPolicy=Local.The idea for preserving the source IP addr has been presented by #2924 (comment).
If the
--no-masq-localflag is passed to weaver, it will dynamically maintain theweave-no-masq-localipset containing CIDRs allocated by IPAM for the particular weaver. The ipset is used by the iptables rule:iptables -t nat -I WEAVE 1 -m set --match-set weave-no-masq-local dst -j RETURN. The rule prevents external traffic to be MASQUERADEd before being sent to a Pod.I suggest to read each commit separately when reviewing this PR.
Fixes #2924.