From 448f618c6069cc80823f757b6b07721324b095a4 Mon Sep 17 00:00:00 2001
From: leonnicolas
Date: Fri, 29 Jan 2021 19:56:15 +0100
Subject: [PATCH] BUG: iptables rules
Add default iptables to allow forward traffic from and to pod cidr. Previously Kilo expected the default behaviour of the forward chain to accept packets, which can not be guaranteed.
---
 pkg/mesh/mesh.go | 5 +----
 pkg/mesh/routes.go | 4 +++-
 2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/pkg/mesh/mesh.go b/pkg/mesh/mesh.go
index 674f780..3e537dd 100644
--- a/pkg/mesh/mesh.go
+++ b/pkg/mesh/mesh.go
@@ -484,10 +484,7 @@ func (m *Mesh) applyTopology() {
 m.errorCounter.WithLabelValues("apply").Inc()
 return
 }
- var ipRules []iptables.Rule
- if m.cni {
- ipRules = append(ipRules, t.Rules(m.cni)...)
- }
+ ipRules := t.Rules(m.cni)
 // If we are handling local routes, ensure the local
 // tunnel has an IP address and IPIP traffic is allowed.
 if m.enc.Strategy() != encapsulation.Never && m.local {
diff --git a/pkg/mesh/routes.go b/pkg/mesh/routes.go
index f9960fc..37565b5 100644
--- a/pkg/mesh/routes.go
+++ b/pkg/mesh/routes.go
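Review bot: Dropping the `if m.cni` guard around `t.Rules(m.cni)` means everything Rules emits outside its own `cni` check is now applied on nodes where Kilo is not the CNI, which the old code never did; from the routes.go hunk in this same patch that visibly includes creating the KILO-NAT chains in the nat table and the per-segment RETURN rules inside them, and anything else Rules produces beyond that hunk would be applied too. That is probably harmless since the POSTROUTING jump into KILO-NAT stays behind `if cni`, leaving the chain unreachable, but it is a change in the host's nat-table footprint that the commit message does not mention. I would either keep the unconditional part of Rules behind a guard or state the intent here, e.g. `// Rules only emits the pod-subnet jump and FORWARD accepts when cni is true; the KILO-NAT chain and its RETURN rules are always managed.` applyTopology continues outside the hunk.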
@@ -225,7 +225,9 @@ func (t *Topology) Rules(cni bool) []iptables.Rule {
 rules = append(rules, iptables.NewIPv4Chain("nat", "KILO-NAT"))
 rules = append(rules, iptables.NewIPv6Chain("nat", "KILO-NAT"))
 if cni {
- rules = append(rules, iptables.NewRule(iptables.GetProtocol(len(t.subnet.IP)), "nat", "POSTROUTING", "-m", "comment", "--comment", "Kilo: jump to NAT chain", "-s", t.subnet.String(), "-j", "KILO-NAT"))
+ rules = append(rules, iptables.NewRule(iptables.GetProtocol(len(t.subnet.IP)), "nat", "POSTROUTING", "-m", "comment", "--comment", "Kilo: jump to KILO-NAT chain", "-s", t.subnet.String(), "-j", "KILO-NAT"))
+ rules = append(rules, iptables.NewRule(iptables.GetProtocol(len(t.subnet.IP)), "filter", "FORWARD", "-m", "comment", "--comment", "Kilo: forward packets from the pod subnet", "-s", t.subnet.String(), "-j", "ACCEPT"))
+ rules = append(rules, iptables.NewRule(iptables.GetProtocol(len(t.subnet.IP)), "filter", "FORWARD", "-m", "comment", "--comment", "Kilo: forward packets to the pod subnet", "-d", t.subnet.String(), "-j", "ACCEPT"))
 }
 for _, s := range t.segments {
 rules = append(rules, iptables.NewRule(iptables.GetProtocol(len(s.wireGuardIP)), "nat", "KILO-NAT", "-m", "comment", "--comment", "Kilo: do not NAT packets destined for WireGuared IPs", "-d", s.wireGuardIP.String(), "-j", "RETURN"))
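Review bot: The two new FORWARD rules accept every forwarded packet whose source or destination lies in t.subnet, on any interface and in either direction, so their security effect depends entirely on where Kilo's iptables controller places them relative to other FORWARD rules (kube-proxy's forward chain, a network-policy enforcer, or a host firewall), and that placement is not visible in this hunk. If the rules end up inserted at the head of FORWARD they pre-empt any policy chain behind them; if they are appended they only decide packets nothing earlier matched, which is what the commit message describes. I would pin the intended placement in a comment above the first ACCEPT, e.g. `// Deliberately broad (any interface, either direction): these must be appended, not inserted, so policy chains already in FORWARD are evaluated first.` Rules continues past the end of the hunk.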