Revision abc9d1dda0b116ce23dc009a3974d570d4226924 authored by Anton Protopopov on 28 November 2022, 15:14:40 UTC, committed by Joe Stringer on 02 December 2022, 00:33:34 UTC
[ upstream commit cf3cc16289b7621c7b3aff93d7d6eab94b309921 ]

In the case of TCP it is not enough to do net.Dial + setsockopt(SO_MARK), as in
this case the TCP SYN will have a wrong identity, e.g.:

    Policy verdict log: flow 0x7a95a133 local EP ID 393, remote ID 14616, proto 6, egress, action redirect, match L3-L4, 10.244.1.122:42437 -> 10.244.1.120:53 tcp SYN
    Policy verdict log: flow 0x907eaa19 local EP ID 458, remote ID host, proto 6, ingress, action allow, match L3-Only, 172.19.0.2:56276 -> 10.244.1.120:53 tcp SYN

Here the second message has the wrong identity (host). We still allow the traffic,
as the origin is the local host and coredns is running on the same host, but
this will not work for a remote host if the ingress policy doesn't allow the
remote-node identity. To fix this we need to pass a Control parameter to Dial,
so that setsockopt(2) is called before the connect(2). With such a change we
now see the correct identity in case of TCP:

    Policy verdict log: flow 0xeb7902a9 local EP ID 393, remote ID 14616, proto 6, egress, action redirect, match L3-L4, 10.244.1.122:36661 -> 10.244.1.120:53 tcp SYN
    Policy verdict log: flow 0x4efbc5a0 local EP ID 458, remote ID 41903, proto 6, ingress, action allow, match L3-L4, 172.19.0.2:40508 -> 10.244.1.120:53 tcp SYN

Fixes: 44c1def67854 ("fqdn: dnsproxy: forward the original security identity")

Signed-off-by: Anton Protopopov <aspsk@isovalent.com>
Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com>
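The socket(2) / setsockopt(2) / connect(2) ordering the message relies on, shown as an added Go example that is not code from this Cilium commit or from the project. The names SetMark, NewMarkedDialer and DialMarked, the injectable setter parameter (there so the ordering can be exercised without CAP_NET_ADMIN) and the mark value 0xa00 are all assumptions of this example, not Cilium's.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"syscall"
)

// soMark is SO_MARK from <asm-generic/socket.h>, as a literal so the file also compiles outside Linux.
const soMark = 36

// SetMark marks a socket that exists but is not yet connected (needs CAP_NET_ADMIN on Linux).
func SetMark(fd uintptr, mark int) error {
	return syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, soMark, mark)
}

// NewMarkedDialer returns a net.Dialer whose Control hook runs between socket(2) and
// connect(2), so the SYN itself carries the mark. The setter argument is a hypothetical
// injection point for testing without privileges; real callers pass SetMark.
func NewMarkedDialer(mark int, setter func(fd uintptr, mark int) error) *net.Dialer {
	return &net.Dialer{
		Control: func(network, address string, c syscall.RawConn) error {
			var serr error
			if err := c.Control(func(fd uintptr) { serr = setter(fd, mark) }); err != nil {
				return err
			}
			if serr != nil {
				// Abort the dial rather than send an unmarked SYN with the wrong identity.
				return fmt.Errorf("setsockopt(SO_MARK=%#x) for %s %s: %w", mark, network, address, serr)
			}
			return nil
		},
	}
}

// DialMarked replaces "net.Dial, then setsockopt", which marks the socket only after the SYN has left.
func DialMarked(ctx context.Context, network, addr string, mark int) (net.Conn, error) {
	return NewMarkedDialer(mark, SetMark).DialContext(ctx, network, addr)
}

func main() {
	c, err := DialMarked(context.Background(), "tcp", "127.0.0.1:53", 0xa00) // constructed mark value
	if err != nil {
		fmt.Println("dial:", err)
		return
	}
	c.Close()
	fmt.Println("connected with SO_MARK already set on the SYN")
}
```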
1 parent d35f4e6