Enable global IPv6 forwarding #4376
short of silly nits, this LGTM
Thanks for the review! :)
I see that there is a default DROP rule at the end of the FORWARD chain, which in essence is replacing the default policy of the chain. I would like just to propose that instead of a rule we change the policy. The reason is that it would make it easier for third components to add their specific iptables rules (just append, instead of taking care to be before the DROP rule). This is only an implementation detail; the behavior (either DROP policy or last DROP rule) is of course the same.
Thanks for the suggestion, I think it makes sense to go with the DROP policy and I have updated the PR.
Thanks @kyrtapz for the PR.
Global forwarding works differently for IPv6:

    conf/all/forwarding - BOOLEAN
        Enable global IPv6 forwarding between all interfaces.
        IPv4 and IPv6 work differently here; e.g. netfilter must be used to control which interfaces may forward packets and which not.
    https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt

It is not possible to configure the IPv6 forwarding per interface by setting the net.ipv6.conf.<ifname>.forwarding sysctl. Instead, the opposite approach is required where the global forwarding is enabled and an iptables policy is added to restrict it by default.

To ensure consistent behavior between IPv4/IPv6 and limit the forwarding scope for IPv4 networks this commit configures the default DROP policy for all configured IP families.

Signed-off-by: Patryk Diak <[email protected]>
Global forwarding works differently for IPv6:
https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
It is not possible to configure the IPv6 forwarding per interface by setting the net.ipv6.conf.IFNAME.forwarding sysctl (it just configures the interface-specific Host/Router behaviour). Instead, the opposite approach is required where the global forwarding is enabled and traffic is restricted through iptables.
To ensure consistent behavior between IPv4/IPv6 and to limit the forwarding scope for IPv4 networks this PR configures the default DROP policy for both IP families.
Issue reproducer:
./kind.sh -ic -ds -gm local -i6 -n4 -df
kubectl run test_pod --image=quay.io/openshift/origin-network-tools -- sleep 9999
The request times out.
tcpdump on the node shows that the traffic is not being forwarded between ovn-k8s-mp0 and breth0.
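An audit check that follows from the description above, added here as an example and not part of the PR or the ovn-kubernetes code: given the text printed by `sysctl net.ipv6.conf.all.forwarding` and `ip6tables -S FORWARD`, it reports whether global IPv6 forwarding is enabled while the FORWARD chain still defaults to ACCEPT (every interface forwards), which is the state the DROP policy in this PR prevents. The sysctl and rule samples are constructed; the interface names are reused from the reproducer.

```shell
#!/bin/sh
# Added audit helper (not from the ovn-kubernetes PR). Inputs are the text
# produced by `sysctl net.ipv6.conf.all.forwarding` and `ip6tables -S FORWARD`;
# the samples at the bottom are constructed so the script runs offline.

# "net.ipv6.conf.all.forwarding = 1" -> "1"
forwarding_value() {
    printf '%s\n' "$1" | sed -n 's/^net\.ipv6\.conf\.all\.forwarding *= *\([01]\)$/\1/p'
}

# "-P FORWARD DROP" -> "DROP"
forward_policy() {
    printf '%s\n' "$1" | sed -n 's/^-P FORWARD \([A-Z]*\)$/\1/p'
}

# Explicit ACCEPT rules with -i/-o: under a DROP policy these are the only paths that forward
allowed_forward_pairs() {
    printf '%s\n' "$1" | sed -n 's/^-A FORWARD -i \([^ ]*\) -o \([^ ]*\) .*-j ACCEPT$/\1 -> \2/p'
}

# Exit status: 0 = forwarding on and restricted by policy DROP (the PR's target state),
# 1 = forwarding on but the chain defaults to ACCEPT (all interfaces forward),
# 2 = global forwarding off (nothing is forwarded).
audit_ipv6_forwarding() {
    fwd=$(forwarding_value "$1")
    pol=$(forward_policy "$2")
    if [ "$fwd" != "1" ]; then
        echo "net.ipv6.conf.all.forwarding is not 1: no IPv6 forwarding at all"
        return 2
    fi
    if [ "$pol" = "DROP" ]; then
        echo "ok: global IPv6 forwarding on, FORWARD policy DROP; allowed paths:"
        allowed_forward_pairs "$2"
        return 0
    fi
    echo "WARNING: global IPv6 forwarding on with FORWARD policy ${pol:-unset}: all interfaces forward"
    return 1
}

# Constructed samples (interface names taken from the reproducer above)
SYSCTL_SAMPLE='net.ipv6.conf.all.forwarding = 1'
RULES_SAMPLE='-P FORWARD DROP
-A FORWARD -i ovn-k8s-mp0 -o breth0 -j ACCEPT
-A FORWARD -i breth0 -o ovn-k8s-mp0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

audit_ipv6_forwarding "$SYSCTL_SAMPLE" "$RULES_SAMPLE"
```

On a real node, replace the samples with `audit_ipv6_forwarding "$(sysctl net.ipv6.conf.all.forwarding)" "$(ip6tables -S FORWARD)"`.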