
fix: fix reverse routing for KubeSpan

Open dsseng opened this issue 11 months ago • 12 comments

This allows it to not come down when rp_filter is enabled. Fixes #9814

Signed-off-by: Dmitry Sharshakov [email protected]

        chain kubespan_prerouting { # handle 50
                type filter hook prerouting priority filter; policy accept;
                meta mark & 0x00000060 == 0x00000020 accept # handle 51
                ip daddr { 172.20.0.3-172.20.0.4 } meta mark set meta mark & 0xffffffdf | 0x00000040 accept # handle 53
                ip6 daddr { fdbd:f075:61fa:5502:2c26:e0ff:fe99:e2a4, fdbd:f075:61fa:5502:e88a:18ff:fed2:32f3 } meta mark set meta mark & 0xffffffdf | 0x00000040 accept # handle 55
                meta mark & 0x00000040 == 0x00000040 ip saddr != { 172.20.0.3-172.20.0.4 } meta mark set meta mark ^ 0x00000040 accept # handle 57
                meta mark & 0x00000040 == 0x00000040 ip6 saddr != { fdbd:f075:61fa:5502:2c26:e0ff:fe99:e2a4, fdbd:f075:61fa:5502:e88a:18ff:fed2:32f3 } meta mark set meta mark ^ 0x00000040 accept # handle 59
                iifname "kubespan" meta mark set meta mark & 0xffffffdf | 0x00000040 accept # handle 60
        }
        chain kubespan_prerouting { # handle 50
                type filter hook prerouting priority filter; policy accept;
                meta mark & 0x00000060 == 0x00000020 accept # handle 51
                ip daddr { 172.20.0.2, 172.20.0.4 } meta mark set meta mark & 0xffffffdf | 0x00000040 accept # handle 53
                ip6 daddr { fdbd:f075:61fa:5502:5cd0:eff:fea3:252f, fdbd:f075:61fa:5502:e88a:18ff:fed2:32f3 } meta mark set meta mark & 0xffffffdf | 0x00000040 accept # handle 55
                meta mark & 0x00000040 == 0x00000040 ip saddr != { 172.20.0.2, 172.20.0.4 } meta mark set meta mark ^ 0x00000040 accept # handle 57
                meta mark & 0x00000040 == 0x00000040 ip6 saddr != { fdbd:f075:61fa:5502:5cd0:eff:fea3:252f, fdbd:f075:61fa:5502:e88a:18ff:fed2:32f3 } meta mark set meta mark ^ 0x00000040 accept # handle 59
                iifname "kubespan" meta mark set meta mark & 0xffffffdf | 0x00000040 accept # handle 60
        }

dsseng avatar Dec 30 '24 10:12 dsseng
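As an added illustration (not code from this PR or from Talos), the first `kubespan_prerouting` chain above modelled in Python so the effect of each rule on the packet mark can be checked on constructed packets. The peer addresses are the ones in that dump; the model assumes nftables first-match semantics, where a rule ending in `accept` stops evaluation, and the chain's `policy accept` leaves an unmatched packet's mark untouched.

```python
import ipaddress

# Mark bits used by the rules in the dump: 0x20 and 0x40.
SKIP_BIT = 0x20      # checked by "meta mark & 0x60 == 0x20"
KUBESPAN_BIT = 0x40  # set by "meta mark & 0xffffffdf | 0x40"

# Peer addresses copied from the first chain dump (v4 range 172.20.0.3-172.20.0.4).
PEERS = {
    ipaddress.ip_address(a)
    for a in (
        "172.20.0.3", "172.20.0.4",
        "fdbd:f075:61fa:5502:2c26:e0ff:fe99:e2a4",
        "fdbd:f075:61fa:5502:e88a:18ff:fed2:32f3",
    )
}


def kubespan_prerouting_mark(saddr, daddr, iifname, mark):
    """Return the packet mark after the chain has run (first match wins)."""
    src, dst = ipaddress.ip_address(saddr), ipaddress.ip_address(daddr)
    # handle 51: skip bit set and kubespan bit clear -> accept unchanged.
    if mark & (SKIP_BIT | KUBESPAN_BIT) == SKIP_BIT:
        return mark
    # handles 53/55: destination is a KubeSpan peer -> clear 0x20, set 0x40.
    # (53 is the IPv4 set, 55 the IPv6 set; one membership test covers both.)
    if dst in PEERS:
        return (mark & 0xFFFFFFDF) | KUBESPAN_BIT
    # handles 57/59: kubespan bit already set but the source is not a peer
    # -> the XOR clears 0x40 (the rule only fires when the bit is set).
    if mark & KUBESPAN_BIT and src not in PEERS:
        return mark ^ KUBESPAN_BIT
    # handle 60: anything arriving on the kubespan interface gets 0x40,
    # the same mark as traffic being sent into the tunnel.
    if iifname == "kubespan":
        return (mark & 0xFFFFFFDF) | KUBESPAN_BIT
    return mark  # policy accept: no rule matched


if __name__ == "__main__":
    # Constructed packets: (saddr, daddr, iifname, mark in)
    for pkt in [("10.244.1.5", "172.20.0.4", "eth0", 0x0),
                ("10.0.0.5", "10.244.2.9", "eth0", 0x40),
                ("10.244.3.7", "10.244.2.9", "kubespan", 0x0)]:
        print(pkt, "->", hex(kubespan_prerouting_mark(*pkt)))
```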

This PR is stale because it has been open 45 days with no activity.

github-actions[bot] avatar Mar 21 '25 02:03 github-actions[bot]

Did this get fixed?

rothgar avatar Jun 26 '25 00:06 rothgar

Did this get fixed?

kube-router was updated to be less aggressive about rpfilter, so it "just works" now. this PR hasn't been finished.

smira avatar Jun 26 '25 17:06 smira

If it works with kube-router now is this PR still needed?

rothgar avatar Jun 26 '25 20:06 rothgar

If it works with kube-router now is this PR still needed?

yes, otherwise we would have closed it

enabling rp_filter by default would be nice as a feature

smira avatar Jun 27 '25 09:06 smira

maybe this could fix #11244 idk

stevefan1999-personal avatar Jul 01 '25 03:07 stevefan1999-personal

This PR is stale because it has been open 45 days with no activity.

github-actions[bot] avatar Aug 16 '25 02:08 github-actions[bot]

no stale

stevefan1999-personal avatar Aug 16 '25 16:08 stevefan1999-personal

This PR is stale because it has been open 45 days with no activity.

github-actions[bot] avatar Oct 02 '25 02:10 github-actions[bot]

no stale

stevefan1999-personal avatar Oct 02 '25 03:10 stevefan1999-personal

This PR is stale because it has been open 45 days with no activity.

github-actions[bot] avatar Nov 17 '25 02:11 github-actions[bot]

no stale

stevefan1999-personal avatar Nov 17 '25 05:11 stevefan1999-personal