Enable global IPv6 forwarding #4376

Open · wants to merge 1 commit into ovn-org:master from kyrtapz:ipv6_forwarding

Conversation

@kyrtapz (Contributor) commented May 21, 2024

Global forwarding works differently for IPv6:

    conf/all/forwarding - BOOLEAN
        Enable global IPv6 forwarding between all interfaces.
        IPv4 and IPv6 work differently here; e.g. netfilter must be used
        to control which interfaces may forward packets and which not.

https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt

It is not possible to configure the IPv6 forwarding per interface by setting the net.ipv6.conf.IFNAME.forwarding sysctl (it just configures the interface-specific Host/Router behaviour). Instead, the opposite approach is required where the global forwarding is enabled and traffic is restricted through iptables.

To ensure consistent behavior between IPv4/IPv6 and to limit the forwarding scope for IPv4 networks this PR configures the default DROP policy for both IP families.


Issue reproducer:

  1. Set up an IPv6 lgw cluster:
     ./kind.sh -ic -ds -gm local -i6 -n4 -df
  2. Disable IPv6 global forwarding (by default it gets enabled by docker and by kind) on the worker nodes and restart ovnkube-node:
     docker exec -it ovn-worker2 sysctl -w net.ipv6.conf.all.forwarding=0
     docker exec -it ovn-worker sysctl -w net.ipv6.conf.all.forwarding=0
     kubectl -n ovn-kubernetes delete pod -lapp=ovnkube-node
  3. Create a test pod:
     kubectl run test_pod --image=quay.io/openshift/origin-network-tools -- sleep 9999
  4. Test cluster-networked pod connectivity to the API server:
     ctrl_ip=$(kubectl get node ovn-control-plane -o jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}')
     kubectl exec -it test_pod -- curl "https://[${ctrl_ip}]:6443"

The request times out.
tcpdump on the node shows that the traffic is not being forwarded between ovn-k8s-mp0 and breth0

sudo nsenter -t $(docker inspect -f '{{ .State.Pid }}' ovn-worker2) -n tcpdump -i any port 6443 and host fc00:f853:ccd:e793::3  -nne
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
12:42:55.643841 f54f5a905b74252 P   ifindex 7 0a:58:09:f2:f4:29 ethertype IPv6 (0x86dd), length 100: fd00:10:244:3::3.35852 > fc00:f853:ccd:e793::3.6443: Flags [S], seq 1156978119, win 32160, options [mss 1340,sackOK,TS val 1820216298 ecr 0,nop,wscale 7], length 0
12:42:55.644362 ovn-k8s-mp0 In  ifindex 4 0a:58:71:75:e6:87 ethertype IPv6 (0x86dd), length 100: fd00:10:244:3::3.35852 > fc00:f853:ccd:e793::3.6443: Flags [S], seq 1156978119, win 32160, options [mss 1340,sackOK,TS val 1820216298 ecr 0,nop,wscale 7], length 0
12:42:56.707374 f54f5a905b74252 P   ifindex 7 0a:58:09:f2:f4:29 ethertype IPv6 (0x86dd), length 100: fd00:10:244:3::3.35852 > fc00:f853:ccd:e793::3.6443: Flags [S], seq 1156978119, win 32160, options [mss 1340,sackOK,TS val 1820217362 ecr 0,nop,wscale 7], length 0
12:42:56.707391 ovn-k8s-mp0 In  ifindex 4 0a:58:71:75:e6:87 ethertype IPv6 (0x86dd), length 100: fd00:10:244:3::3.35852 > fc00:f853:ccd:e793::3.6443: Flags [S], seq 1156978119, win 32160, options [mss 1340,sackOK,TS val 1820217362 ecr 0,nop,wscale 7], length 0
12:42:57.731385 f54f5a905b74252 P   ifindex 7 0a:58:09:f2:f4:29 ethertype IPv6 (0x86dd), length 100: fd00:10:244:3::3.35852 > fc00:f853:ccd:e793::3.6443: Flags [S], seq 1156978119, win 32160, options [mss 1340,sackOK,TS val 1820218386 ecr 0,nop,wscale 7], length 0
12:42:57.731402 ovn-k8s-mp0 In  ifindex 4 0a:58:71:75:e6:87 ethertype IPv6 (0x86dd), length 100: fd00:10:244:3::3.35852 > fc00:f853:ccd:e793::3.6443: Flags [S], seq 1156978119, win 32160, options [mss 1340,sackOK,TS val 1820218386 ecr 0,nop,wscale 7], length 0
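
The capture above is read by eye: the SYN shows up "In" on ovn-k8s-mp0 and never "Out" on breth0. The following is an added example, not part of the PR or of ovn-kubernetes, that turns a `tcpdump -i any -nne` capture in the LINUX_SLL2 format shown above into a per-flow summary of which interfaces saw the flow, so the forwarding gap can be detected mechanically. The interface names ovn-k8s-mp0 and breth0 are taken from the PR description; the sample lines are copied from the capture above, plus one constructed "breth0 Out" line (its ifindex and MAC are made up) to show what the healthy case looks like.

```shell
#!/usr/bin/env sh
# Added example, not ovn-kubernetes code. Parses tcpdump's LINUX_SLL2 text
# output ("<ts> <iface> <In|Out|P> ifindex <n> <mac> ... <src> > <dst>: ...")
# and counts, per flow, how often it was seen entering via the management
# port and leaving via the external bridge.

# Three lines copied from the PR's capture: the SYN on the pod-side port
# (direction P) and the same SYN arriving twice on the management port (In).
SAMPLE_STALLED='12:42:55.643841 f54f5a905b74252 P   ifindex 7 0a:58:09:f2:f4:29 ethertype IPv6 (0x86dd), length 100: fd00:10:244:3::3.35852 > fc00:f853:ccd:e793::3.6443: Flags [S], seq 1156978119, win 32160, options [mss 1340,sackOK,TS val 1820216298 ecr 0,nop,wscale 7], length 0
12:42:55.644362 ovn-k8s-mp0 In  ifindex 4 0a:58:71:75:e6:87 ethertype IPv6 (0x86dd), length 100: fd00:10:244:3::3.35852 > fc00:f853:ccd:e793::3.6443: Flags [S], seq 1156978119, win 32160, options [mss 1340,sackOK,TS val 1820216298 ecr 0,nop,wscale 7], length 0
12:42:56.707391 ovn-k8s-mp0 In  ifindex 4 0a:58:71:75:e6:87 ethertype IPv6 (0x86dd), length 100: fd00:10:244:3::3.35852 > fc00:f853:ccd:e793::3.6443: Flags [S], seq 1156978119, win 32160, options [mss 1340,sackOK,TS val 1820217362 ecr 0,nop,wscale 7], length 0'

# Constructed healthy counterpart (the breth0 line is made up): the SYN
# arrives on ovn-k8s-mp0 and is then forwarded out of breth0.
SAMPLE_FORWARDED='12:42:55.644362 ovn-k8s-mp0 In  ifindex 4 0a:58:71:75:e6:87 ethertype IPv6 (0x86dd), length 100: fd00:10:244:3::3.35852 > fc00:f853:ccd:e793::3.6443: Flags [S], seq 1156978119, win 32160, options [mss 1340,sackOK,TS val 1820216298 ecr 0,nop,wscale 7], length 0
12:42:55.644401 breth0 Out ifindex 2 02:42:ac:12:00:04 ethertype IPv6 (0x86dd), length 100: fd00:10:244:3::3.35852 > fc00:f853:ccd:e793::3.6443: Flags [S], seq 1156978119, win 32160, options [mss 1340,sackOK,TS val 1820216298 ecr 0,nop,wscale 7], length 0'

# flow_interfaces MGMT_IFACE EXT_IFACE < capture
# Prints one line per flow: "<src>.<sport> > <dst>.<dport> mgmt_in=N ext_out=M"
flow_interfaces() {
  awk -v mgmt="$1" -v ext="$2" '
    # Accept only packet lines: timestamp, interface, then a direction column.
    $1 ~ /^[0-9]+:[0-9]+:[0-9]+\.[0-9]+$/ && $3 ~ /^(In|Out|P)$/ {
      iface = $2; dir = $3
      # The flow is the token before ">" and the token after it.
      for (i = 4; i <= NF; i++) if ($i == ">") { src = $(i-1); dst = $(i+1); break }
      sub(/:$/, "", dst)
      key = src " > " dst
      if (iface == mgmt && dir == "In")  mgmt_in[key]++
      if (iface == ext  && dir == "Out") ext_out[key]++
      seen[key] = 1
    }
    END {
      for (k in seen)
        printf "%s mgmt_in=%d ext_out=%d\n", k, mgmt_in[k] + 0, ext_out[k] + 0
    }'
}

# forwarding_gap_flows MGMT_IFACE EXT_IFACE < capture
# Keeps only flows that entered via the management port but never left via
# the external bridge: exactly the symptom described in the PR.
forwarding_gap_flows() {
  flow_interfaces "$1" "$2" | awk '/mgmt_in=[1-9][0-9]* ext_out=0$/ { print }'
}
```

To use it on a node, save the text capture first (`tcpdump -i any -nne port 6443 > cap.txt`, stopped after a few seconds) and run `forwarding_gap_flows ovn-k8s-mp0 breth0 < cap.txt`; on the `any` device "In" and "Out" are relative to the host. If the node rewrites the source address on the way out (SNAT), the outbound packet keys as a different flow; in that case match on the destination token only.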

@kyrtapz kyrtapz requested a review from a team as a code owner May 21, 2024 10:49
@kyrtapz kyrtapz force-pushed the ipv6_forwarding branch 4 times, most recently from 3411734 to e5ef6a0 Compare May 21, 2024 16:30
@tssurya tssurya added kind/bug All issues that are bugs and PRs opened to fix bugs core-networking Issues related to traffic flows, OVN/OVS bugs, network disruption labels May 21, 2024
@coveralls commented May 22, 2024

Coverage Status: coverage 52.709% (-0.007%) from 52.716% when pulling 06caadf on kyrtapz:ipv6_forwarding into 701b8e0 on ovn-org:master.

@flavio-fernandes (Contributor) left a review comment:

short of silly nits, this LGTM

(4 inline review comments on go-controller/pkg/node/default_node_network_controller.go, all outdated and resolved)
@github-actions github-actions bot added the area/unit-testing Issues related to adding/updating unit tests label Jun 14, 2024
@kyrtapz kyrtapz changed the title Enable global IPv6 forwarding [wip] Enable global IPv6 forwarding Jun 14, 2024
@kyrtapz (Contributor, Author) commented Jun 14, 2024

> short of silly nits, this LGTM

Thanks for the review! :)

@karampok commented Jun 17, 2024

I see that there is a default DROP rule at the end of the FORWARD chain, which in essence is replacing the default policy of the chain. I would just like to propose that, instead of a rule, we change the policy: iptables -P FORWARD DROP?

The reason is that it would make it easier for third-party components to add their specific iptables rules (just append, instead of taking care to insert before the DROP rule).

This is only implementation detail, the behavior (either DROP policy or last DROP rule) is of course the same.

@kyrtapz kyrtapz force-pushed the ipv6_forwarding branch 2 times, most recently from 06caadf to 05856f3 Compare June 17, 2024 15:01
@github-actions github-actions bot added the kind/documentation All issues related to documentation label Jun 17, 2024
@kyrtapz kyrtapz force-pushed the ipv6_forwarding branch 2 times, most recently from 575c6dd to 7c92fb3 Compare June 17, 2024 15:17
@kyrtapz (Contributor, Author) commented Jun 17, 2024

> I see that there is a default DROP rule at the end of the FORWARD chain, which in essence is replacing the default policy of the chain. I would just like to propose that, instead of a rule, we change the policy: iptables -P FORWARD DROP?
>
> The reason is that it would make it easier for third-party components to add their specific iptables rules (just append, instead of taking care to insert before the DROP rule).
>
> This is only implementation detail, the behavior (either DROP policy or last DROP rule) is of course the same.

Thanks for the suggestion, I think it makes sense to go with the DROP policy and I have updated the PR.
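
The mechanism the PR settles on, as an added example that is not ovn-kubernetes code: enable the global IPv6 forwarding sysctl (the per-interface knob does not restrict forwarding), then limit what may actually be forwarded with a netfilter FORWARD chain whose policy is DROP, and check a dump for that policy rather than for a trailing DROP rule, which is the distinction raised in the comment above. The interface names ovn-k8s-mp0 and breth0 come from the PR description; the specific ACCEPT rules, the conntrack rule and the sysctl list are this example's assumptions, not the rules the PR itself adds.

```shell
#!/usr/bin/env sh
# Added example, not ovn-kubernetes code. Builds an iptables-restore /
# ip6tables-restore fragment that enables forwarding only between named
# interfaces on top of a DROP policy, and checks a saved ruleset for that
# policy. Rules and sysctls below are assumptions for illustration.

# Sysctls the example assumes a node needs before the rules matter. For IPv6
# only the global knob enables forwarding; net.ipv6.conf.<ifname>.forwarding
# toggles per-interface host/router behaviour, not forwarding itself.
forwarding_sysctls() {
  printf '%s\n' \
    'net.ipv4.ip_forward=1' \
    'net.ipv6.conf.all.forwarding=1'
}

# gen_forward_rules FAMILY MGMT_IFACE EXT_IFACE
# Emits a filter-table fragment. The FORWARD chain gets a DROP *policy*
# (":FORWARD DROP"), not a catch-all "-A FORWARD -j DROP" rule, so other
# components can append their own ACCEPT rules without ordering them before
# a final drop. The same text works for iptables-restore and ip6tables-restore.
gen_forward_rules() {
  family=$1; mgmt=$2; ext=$3
  case "$family" in
    ipv4|ipv6) ;;
    *) echo "gen_forward_rules: unknown family '$family'" >&2; return 1 ;;
  esac
  cat <<EOF
*filter
:FORWARD DROP [0:0]
# ${family}: replies for flows that were already accepted
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# ${family}: pod traffic between the management port and the external bridge
-A FORWARD -i ${mgmt} -o ${ext} -j ACCEPT
-A FORWARD -i ${ext} -o ${mgmt} -j ACCEPT
COMMIT
EOF
}

# forward_policy_is_drop < dump
# True only if an iptables-save style dump sets the FORWARD policy to DROP.
forward_policy_is_drop() {
  grep -Eq '^:FORWARD[[:space:]]+DROP[[:space:]]'
}

# forward_has_catchall_drop_rule < dump
# True if the dump relies on a trailing "-A FORWARD -j DROP" rule instead,
# the shape that forces later additions to be inserted rather than appended.
forward_has_catchall_drop_rule() {
  grep -Eq '^-A FORWARD -j DROP$'
}

# Constructed sample of the shape the reviewer asked to avoid: ACCEPT policy
# plus a catch-all DROP rule at the end of the chain.
SAMPLE_TRAILING_DROP_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i ovn-k8s-mp0 -o breth0 -j ACCEPT
-A FORWARD -j DROP
COMMIT'
```

To apply on a node: `forwarding_sysctls | xargs -n1 sysctl -w`, then `gen_forward_rules ipv6 ovn-k8s-mp0 breth0 | ip6tables-restore --noflush` (and the same with `ipv4` and `iptables-restore`); without `--noflush` the whole filter table is replaced. Afterwards `ip6tables-save | forward_policy_is_drop` confirms the policy took effect.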

@kyrtapz kyrtapz force-pushed the ipv6_forwarding branch 2 times, most recently from ee3c6da to e8d3cc4 Compare June 17, 2024 15:53
@kyrtapz kyrtapz force-pushed the ipv6_forwarding branch 2 times, most recently from 8b919a3 to 3a70308 Compare June 18, 2024 07:20
@kyrtapz kyrtapz changed the title [wip] Enable global IPv6 forwarding Enable global IPv6 forwarding Jun 18, 2024
@karampok commented

Thanks @kyrtapz for the PR.
AFAICT this change is good enough to block all unwanted traffic and makes openshift/cluster-network-operator#2409 not required.

Commit message:

Global forwarding works differently for IPv6:
    conf/all/forwarding - BOOLEAN
        Enable global IPv6 forwarding between all interfaces.
        IPv4 and IPv6 work differently here; e.g. netfilter must be used
        to control which interfaces may forward packets and which not.
https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt

It is not possible to configure the IPv6 forwarding per interface by
setting the net.ipv6.conf.<ifname>.forwarding sysctl. Instead,
the opposite approach is required where the global forwarding
is enabled and an iptables policy is added to restrict it by default.

To ensure consistent behavior between IPv4/IPv6 and limit the
forwarding scope for IPv4 networks this commit configures the default
DROP policy for all configured IP families.

Signed-off-by: Patryk Diak <[email protected]>
Labels: area/unit-testing, core-networking, kind/bug, kind/documentation
Projects: Status: Todo

5 participants