calico icon indicating copy to clipboard operation
calico copied to clipboard

Published 20 hours ago verified publisher icon projectcalico

DROP vs REJECT for rules

Open zetsub0u opened this issue 4 years ago • 12 comments

Hi,

Quick question, I don't see a way to set the policy for the rules from DROP to REJECT (silently drop vs quick RST), is this accurate? If so, any reason why this isn't configurable and would it be acceptable PR?

Thanks.

zetsub0u avatar Mar 31 '21 13:03 zetsub0u

Its always been DROP, mostly because in the firewall world, its a bad idea to let people know that the IP address has a host behind it, and to slow down their reconnaissance of your hosts.

What's your use case for REJECT?

lwr20 avatar Apr 06 '21 16:04 lwr20

I know and i agree completely, but we've had our firewalls do REJECT for years, on our custom implementation in docker and after that with kube-router (they do REJECT too) and when we switched to DROP with calico a lot of users started complaining because they used the behavior of the quick connection refused to debug network policy issues for example. We are trying to convince them it's better to go DROP but we might lose the battle, so i was wondering if having the option somewhere would be an acceptable change.

zetsub0u avatar Apr 06 '21 20:04 zetsub0u

This almost got added previously: https://github.com/projectcalico/felix/pull/2161/files

lwr20 avatar Apr 07 '21 13:04 lwr20

Any update to this one? Our use case is that we want to go zero trust kind of architecture where we block all connections between namespaces are blocked by default and REJECT is just more clear for those who are trying to debug why some of needed connections fails.

Example I'm new with Kubernetes and just wasted couple of hours because I though that there was some routing, etc issue on my Kubernetes/infra setup before remembered that there is also that default network policy which blocks everything...

olljanat avatar Oct 20 '21 15:10 olljanat

Just like to add that we'd also like to create REJECT policies - the network policies we enact are intended to ease the UX of our developers and operators by making the security boundaries clear. DROP rules just cause a higher debugging and support load because of the number of situations that can result in a connection stalling forever.

i.e. a pod in our cluster is assumed to have a high degree of knowledge about available services and endpoints, we want a quick and relatively clear feedback cycle on the attempted use of something which has not been allowed in the current scope; so that the appropriate configuration change or access request can be made.

rowanj avatar Oct 26 '21 00:10 rowanj

I'm afraid this hasn't made it to the top of the core team's list yet.

Does anyone here fancy taking over https://github.com/projectcalico/felix/pull/2161 ?

lwr20 avatar Oct 26 '21 09:10 lwr20

Btw. I looks to be that https://github.com/projectcalico/felix/pull/2532 already added support for REJECT at least on some parts of code https://github.com/projectcalico/felix/blob/87c68a8b66f6a57170a3ab5084c8c7b66baacdd4/iptables/actions.go#L89-L99 but not sure (at least yet) that what is actually still missing.

olljanat avatar Nov 08 '21 07:11 olljanat

@lwr20 any possibility to get this to core team list or at least get some guidance that what would be right way and place to implement this one?

olljanat avatar Mar 04 '22 07:03 olljanat

@caseydavenport is the core team lead - perhaps he can comment?

But my understanding is that https://github.com/projectcalico/felix/pull/2161 was pretty close, just the the author moved to a new employer who didn't permit OSS contributions without permission.

lwr20 avatar Mar 04 '22 10:03 lwr20

Yep. I think we're still looking for someone from the community to pick this thread up. I agree the last PR was close - probably needed some work on the tests mostly.

caseydavenport avatar Mar 09 '22 22:03 caseydavenport

Ok. Created PR #5735 based on code from https://github.com/projectcalico/felix/pull/2161 and added initial set of tests for now and will try to working with it when I have spare time.

olljanat avatar Mar 10 '22 23:03 olljanat

Status update. #5735 have been there for a while and should contain most of the needed logic.

However it looks that I will need help from someone who know this codebase better to understand that why make test in felix folder fails? For me it looks that felix does not actually read DropActionOverride setting value even when it is configured.

EDIT: Finally found where I have made mistake in tests (DropActionOverride value must be in capital letters REJECT instead of Reject on tests).

olljanat avatar Jul 20 '22 06:07 olljanat

Status update. #5735 have been ready for code review about one month now. I only have rebased it time to time when other merged PRs has required it.

olljanat avatar Dec 08 '22 07:12 olljanat

While #5735 is merged, it's not quite what I wanted/expected with this issue. I was hoping that action in a Rule would gain a Reject value which could be used instead of Deny. image

james-callahan avatar Oct 27 '23 11:10 james-callahan

Updated the title to represent the remaining request scope

caseydavenport avatar Nov 30 '23 23:11 caseydavenport