Non-existing VIP in a Flow might cause traffic issues
Let's say we have these resources configured in Meridio: `vip-v4-a` is configured in the attractor (not shown here), and `flow-a` has a single VIP in its list (`vip1`) which does not exist:
```yaml
apiVersion: meridio.nordix.org/v1alpha1
kind: Vip
metadata:
  name: vip-v4-a
  namespace: red
  labels:
    trench: trench-a
spec:
  address: "20.0.0.1/32"
---
apiVersion: meridio.nordix.org/v1alpha1
kind: Stream
metadata:
  name: stream-a
  namespace: red
  labels:
    trench: trench-a
spec:
  conduit: lb-fe
---
apiVersion: meridio.nordix.org/v1alpha1
kind: Flow
metadata:
  name: flow-a
  namespace: red
  labels:
    trench: trench-a
spec:
  stream: stream-a
  priority: 1
  vips:
  - vip1
  source-subnets:
  - 0.0.0.0/0
  source-ports:
  - any
  destination-ports:
  - "5000"
  protocols:
  - tcp
```
The NSP will receive the configuration in the configmap and will build all resources. It will see that `vip1`, referenced by `flow-a`, does not exist, so it will ignore it and leave the VIP list of `flow-a` empty. The LBs will receive `flow-a` from the NSP and will configure the nfqlb flows (with `flow-a` and its empty VIP list). Traffic for `vip-v4-a` (20.0.0.1/32) will work and go through `stream-a`, since nfqlb treats an empty VIP list as matching any VIP address. This might affect other streams (especially if `flow-a` has a high priority), since `flow-a` will match any VIP address.
Two solutions to fix this problem:
- We should ignore a resource if one of its properties is invalid/non-existing. In that case, the LBs would not receive `flow-a` since it has a non-existing VIP.
- nfqlb should reject the traffic if the list is empty (list of VIPs, ports, source IPs...?).