From c539a8bf1cbe814d65f4ac88c54880d9cb541901 Mon Sep 17 00:00:00 2001
From: Alex Stockinger
Date: Tue, 28 Jun 2022 16:12:30 +0000
Subject: [PATCH 1/3] Make dropping of other IPIP traffic optional
---
 cmd/kg/main.go | 4 +++-
 pkg/encapsulation/ipip.go | 17 ++++++++++-------
 2 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/cmd/kg/main.go b/cmd/kg/main.go
index 1834653..b2db9ea 100644
--- a/cmd/kg/main.go
+++ b/cmd/kg/main.go
@@ -115,6 +115,7 @@ var (
 resyncPeriod time.Duration
 iptablesForwardRule bool
 prioritisePrivateAddr bool
+ dropOtherIpIpTraffic bool
 
 printVersion bool
 logLevel string
@@ -145,6 +146,7 @@ func init() {
 cmd.Flags().DurationVar(&resyncPeriod, "resync-period", 30*time.Second, "How often should the Kilo controllers reconcile?")
 cmd.Flags().BoolVar(&iptablesForwardRule, "iptables-forward-rules", false, "Add default accept rules to the FORWARD chain in iptables. Warning: this may break firewalls with a deny all policy and is potentially insecure!")
 cmd.Flags().BoolVar(&prioritisePrivateAddr, "prioritise-private-addresses", false, "Prefer to assign a private IP address to the node's endpoint.")
+ cmd.Flags().BoolVar(&dropOtherIpIpTraffic, "drop-other-ipip-traffic", true, "Drop other IP-over-IP traffic (not available in compatibility mode).")
 
 cmd.PersistentFlags().BoolVar(&printVersion, "version", false, "Print version and exit")
 cmd.PersistentFlags().StringVar(&logLevel, "log-level", logLevelInfo, fmt.Sprintf("Log level to use. Possible values: %s", availableLogLevels))
@@ -216,7 +218,7 @@ func runRoot(_ *cobra.Command, _ []string) error {
 case "cilium":
 enc = encapsulation.NewCilium(e)
 default:
- enc = encapsulation.NewIPIP(e)
+ enc = encapsulation.NewIPIP(e, dropOtherIpIpTraffic)
 }
 
 gr := mesh.Granularity(granularity)
diff --git a/pkg/encapsulation/ipip.go b/pkg/encapsulation/ipip.go
index d92b39f..0915258 100644
--- a/pkg/encapsulation/ipip.go
+++ b/pkg/encapsulation/ipip.go
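Review bot: The new identifier `dropOtherIpIpTraffic` in the var block breaks the initialism convention this code already follows (`NewIPIP`, the `KILO-IPIP` chain); Go style keeps an initialism in one case, so `dropOtherIPIPTraffic` is the consistent spelling. The same spelling is used in the flag registration and runRoot hunks below, in the `ipip` struct field and `NewIPIP` parameter in pkg/encapsulation/ipip.go, and again in the patch 3 hunk of this file, so the rename is mechanical across all of them. The flag name `drop-other-ipip-traffic` itself is fine as is.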
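Review bot: The help string on the added `cmd.Flags().BoolVar` line says what the flag does but not what disabling it costs, and together with docs/kg.md it is the only operator-facing documentation of the flag. The default of `true` keeps current behaviour, which is the right choice; with `false` the two INPUT DROP rules in `ipip.Rules` are no longer installed (see the pkg/encapsulation/ipip.go hunk), so IP-over-IP packets from non-peer sources are then subject only to the host's own firewall policy. I would state that in the help string, in the same register as the warning on the `iptables-forward-rules` flag two lines above, e.g. `"Drop other IP-over-IP traffic (not available in compatibility mode). Warning: disabling this leaves IPIP packets from non-peer sources subject only to the host's existing firewall rules."`; patch 3 rewords this string as a question, and the same addition applies there.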
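Review bot: The flag is consumed only in the `default` branch of the encapsulator switch, so under `case "cilium"` (visible here) and presumably the compatibility cases earlier in the switch, an explicit `--drop-other-ipip-traffic=false` is accepted and silently ignored; the help text's "(not available in compatibility mode)" is the only hint. A check after flag parsing that logs a warning when `!dropOtherIpIpTraffic` and a non-IPIP encapsulator was selected, or a one-line warning in those branches, would make the effective rule policy visible in the logs. The switch starts before this hunk, so its earlier cases are not visible here.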
@@ -23,13 +23,14 @@ import (
 )
 
 type ipip struct {
- iface int
- strategy Strategy
+ iface int
+ strategy Strategy
+ dropOtherIpIpTraffic bool
 }
 
 // NewIPIP returns an encapsulator that uses IPIP.
-func NewIPIP(strategy Strategy) Encapsulator {
- return &ipip{strategy: strategy}
+func NewIPIP(strategy Strategy, dropOtherIpIpTraffic bool) Encapsulator {
+ return &ipip{strategy: strategy, dropOtherIpIpTraffic: dropOtherIpIpTraffic}
 }
 
 // CleanUp will remove any created IPIP devices.
@@ -76,9 +77,11 @@ func (i *ipip) Rules(nodes []*net.IPNet) []iptables.Rule {
 // Accept encapsulated traffic from peers.
 rules = append(rules, iptables.NewRule(iptables.GetProtocol(n.IP), "filter", "KILO-IPIP", "-s", n.String(), "-m", "comment", "--comment", "Kilo: allow IPIP traffic", "-j", "ACCEPT"))
 }
- // Drop all other IPIP traffic.
- rules = append(rules, iptables.NewIPv4Rule("filter", "INPUT", "-p", proto, "-m", "comment", "--comment", "Kilo: reject other IPIP traffic", "-j", "DROP"))
- rules = append(rules, iptables.NewIPv6Rule("filter", "INPUT", "-p", proto, "-m", "comment", "--comment", "Kilo: reject other IPIP traffic", "-j", "DROP"))
+ if i.dropOtherIpIpTraffic {
+ // Drop all other IPIP traffic.
+ rules = append(rules, iptables.NewIPv4Rule("filter", "INPUT", "-p", proto, "-m", "comment", "--comment", "Kilo: reject other IPIP traffic", "-j", "DROP"))
+ rules = append(rules, iptables.NewIPv6Rule("filter", "INPUT", "-p", proto, "-m", "comment", "--comment", "Kilo: reject other IPIP traffic", "-j", "DROP"))
+ }
 return rules
 }
 
From e958075525db052de0238de0742b069f40d1286b Mon Sep 17 00:00:00 2001
From: Alex Stockinger
Date: Tue, 28 Jun 2022 18:11:48 +0000
Subject: [PATCH 2/3] Fix test
---
 pkg/mesh/routes_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/mesh/routes_test.go b/pkg/mesh/routes_test.go
index 648ce0e..cd4ce65 100644
--- a/pkg/mesh/routes_test.go
+++ b/pkg/mesh/routes_test.go
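Review bot: The `// NewIPIP returns an encapsulator that uses IPIP.` doc comment was not updated for the new `dropOtherIpIpTraffic` parameter, and the new struct field carries no comment, although it decides whether a default-deny rule is installed at all. From the `Rules` hunk below, when the field is false the two INPUT DROP rules are omitted while the per-peer ACCEPT rules in `KILO-IPIP` are still added. I would extend the doc comment to `// NewIPIP returns an encapsulator that uses IPIP. When dropOtherIpIpTraffic is` / `// false, Rules does not install the INPUT DROP rules for IPIP packets from` / `// non-peer sources, leaving that traffic to the host's existing firewall policy.` and put `// dropOtherIpIpTraffic controls whether Rules adds a catch-all DROP for IPIP packets not from a peer.` on the field.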
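Review bot: Once the DROP rules are conditional, nothing in `Rules` records that the per-peer ACCEPT rules added in the loop above only form a meaningful allow-list together with them; a reader of the false path sees accept rules with no deny and has to go to the caller to learn that the host's own INPUT policy is now the only filter. A short comment before the new `if`, e.g. `// Without the catch-all DROP below, IPIP packets from non-peer sources are left to the host's own INPUT policy.`, would keep that visible where the rules are built. The function header and the definition of `proto` are outside this hunk.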
@@ -1086,7 +1086,7 @@ func TestRoutes(t *testing.T) {
 },
 },
 } {
- routes, rules := tc.topology.Routes(DefaultKiloInterface, kiloIface, privIface, tunlIface, tc.local, encapsulation.NewIPIP(tc.strategy))
+ routes, rules := tc.topology.Routes(DefaultKiloInterface, kiloIface, privIface, tunlIface, tc.local, encapsulation.NewIPIP(tc.strategy, true))
 if diff := pretty.Compare(routes, tc.routes); diff != "" {
 t.Errorf("test case %q: got diff: %v", tc.name, diff)
 }
From 6b99f628773b79854d385bfd8c16ea2efc3c8257 Mon Sep 17 00:00:00 2001
From: Alex Stockinger
Date: Tue, 28 Jun 2022 18:13:48 +0000
Subject: [PATCH 3/3] Add docs
---
 cmd/kg/main.go | 2 +-
 docs/kg.md | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/cmd/kg/main.go b/cmd/kg/main.go
index b2db9ea..d90f55a 100644
--- a/cmd/kg/main.go
+++ b/cmd/kg/main.go
@@ -146,7 +146,7 @@ func init() {
 cmd.Flags().DurationVar(&resyncPeriod, "resync-period", 30*time.Second, "How often should the Kilo controllers reconcile?")
 cmd.Flags().BoolVar(&iptablesForwardRule, "iptables-forward-rules", false, "Add default accept rules to the FORWARD chain in iptables. Warning: this may break firewalls with a deny all policy and is potentially insecure!")
 cmd.Flags().BoolVar(&prioritisePrivateAddr, "prioritise-private-addresses", false, "Prefer to assign a private IP address to the node's endpoint.")
- cmd.Flags().BoolVar(&dropOtherIpIpTraffic, "drop-other-ipip-traffic", true, "Drop other IP-over-IP traffic (not available in compatibility mode).")
+ cmd.Flags().BoolVar(&dropOtherIpIpTraffic, "drop-other-ipip-traffic", true, "Should Kilo drop other IP-over-IP traffic (not available in compatibility mode)?")
 
 cmd.PersistentFlags().BoolVar(&printVersion, "version", false, "Print version and exit")
 cmd.PersistentFlags().StringVar(&logLevel, "log-level", logLevelInfo, fmt.Sprintf("Log level to use. Possible values: %s", availableLogLevels))
diff --git a/docs/kg.md b/docs/kg.md
index 9d6f071..695ee4e 100644
--- a/docs/kg.md
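Review bot: The test only follows the signature change by passing `true`, so the new `false` path of `ipip.Rules`, the one that omits the INPUT DROP rules, has no coverage anywhere in this series. A table case, or a small direct test of the rules returned by `encapsulation.NewIPIP(strategy, false)` (assuming `Rules` is reachable through the `Encapsulator` interface), asserting that the peer ACCEPT rules are present and no rule with the comment `"Kilo: reject other IPIP traffic"` is, would pin the intended behaviour of the flag. The test loop and the `tc` table start well before this hunk.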
+++ b/docs/kg.md
@@ -38,6 +38,7 @@ Flags:
 --cni-path string Path to CNI config. (default "/etc/cni/net.d/10-kilo.conflist")
 --compatibility string Should Kilo run in compatibility mode? Possible values: flannel
 --create-interface Should kilo create an interface on startup? (default true)
+ --drop-other-ipip-traffic Should Kilo drop other IP-over-IP traffic (not available in compatibility mode)? (default true)
 --encapsulate string When should Kilo encapsulate packets within a location? Possible values: never, crosssubnet, always (default "always")
 -h, --help help for kg
 --hostname string Hostname of the node on which this process is running.