Revision abc9d1dda0b116ce23dc009a3974d570d4226924 authored by Anton Protopopov on 28 November 2022, 15:14:40 UTC, committed by Joe Stringer on 02 December 2022, 00:33:34 UTC
[ upstream commit cf3cc16289b7621c7b3aff93d7d6eab94b309921 ]
In case of TCP this is not enough to do net.Dial + setsockopt(SO_MARK), as in
this case TCP SYN will have a wrong identity, e.g.:
Policy verdict log: flow 0x7a95a133 local EP ID 393, remote ID 14616, proto 6, egress, action redirect, match L3-L4, 10.244.1.122:42437 -> 10.244.1.120:53 tcp SYN
Policy verdict log: flow 0x907eaa19 local EP ID 458, remote ID host, proto 6, ingress, action allow, match L3-Only, 172.19.0.2:56276 -> 10.244.1.120:53 tcp SYN
Here the second message has wrong identity (host). We still allow the traffic,
as the origin is local host and the coredns is running on the same host, but
this will not work for a remote host if ingress policy doesn't allow
remote-node identity.) To fix this we need to pass a Control parameter to Dial,
so that setsockopt(2) is called before the connect(2). With such a change we
now see the correct identity in case of TCP:
Policy verdict log: flow 0xeb7902a9 local EP ID 393, remote ID 14616, proto 6, egress, action redirect, match L3-L4, 10.244.1.122:36661 -> 10.244.1.120:53 tcp SYN
Policy verdict log: flow 0x4efbc5a0 local EP ID 458, remote ID 41903, proto 6, ingress, action allow, match L3-L4, 172.19.0.2:40508 -> 10.244.1.120:53 tcp SYN
Fixes: 44c1def67854 ("fqdn: dnsproxy: forward the original security identity")
Signed-off-by: Anton Protopopov <aspsk@isovalent.com>
Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com>
1 parent d35f4e6
Computing file changes ...
