
Commit 8bcd166

djboris9murali-reddy
authored andcommitted
Fix connection resets during firewall sync (cloudnativelabs#807)
For very busy tcp connections there is a small possibility to receive a TCP RST during the iptables sync. A default `REJECT` rule is chronologically added before the allow-`RELATED,ESTABLISHED` rule for ingress and egress connections. In between the creation of these two rules a connection reset can happen for already established connections. This commit swaps the order of rule insertion.
1 parent 3a0da2b commit 8bcd166


1 file changed

+31
-31
lines changed


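--- a/pkg/controllers/netpol/network_policy_controller.go
+++ b/pkg/controllers/netpol/network_policy_controller.go
@@ -748,6 +748,20 @@ func (npc *NetworkPolicyController) syncPodFirewallChains(version string) (map[s
 }
 }
 
+// ensure statefull firewall, that permits return traffic for the traffic originated by the pod
+comment = "rule for stateful firewall for pod"
+args = []string{"-m", "comment", "--comment", comment, "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}
+exists, err = iptablesCmdHandler.Exists("filter", podFwChainName, args...)
+if err != nil {
+return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
+}
+if !exists {
+err := iptablesCmdHandler.Insert("filter", podFwChainName, 1, args...)
+if err != nil {
+return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
+}
+}
+
 // ensure there is rule in filter table and FORWARD chain to jump to pod specific firewall chain
 // this rule applies to the traffic getting routed (coming for other node pods)
 comment = "rule to jump traffic destined to POD name:" + pod.name + " namespace: " + pod.namespace +
@@ -803,20 +817,6 @@ func (npc *NetworkPolicyController) syncPodFirewallChains(version string) (map[s
 if err != nil {
 return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
 }
-
-// ensure statefull firewall, that permits return traffic for the traffic originated by the pod
-comment = "rule for stateful firewall for pod"
-args = []string{"-m", "comment", "--comment", comment, "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}
-exists, err = iptablesCmdHandler.Exists("filter", podFwChainName, args...)
-if err != nil {
-return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
-}
-if !exists {
-err := iptablesCmdHandler.Insert("filter", podFwChainName, 1, args...)
-if err != nil {
-return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
-}
-}
 }
 
 // loop through the pods running on the node which egress network policies to be applied
@@ -859,12 +859,26 @@ func (npc *NetworkPolicyController) syncPodFirewallChains(version string) (map[s
 }
 }
 
+// ensure statefull firewall, that permits return traffic for the traffic originated by the pod
+comment := "rule for stateful firewall for pod"
+args := []string{"-m", "comment", "--comment", comment, "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}
+exists, err := iptablesCmdHandler.Exists("filter", podFwChainName, args...)
+if err != nil {
+return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
+}
+if !exists {
+err := iptablesCmdHandler.Insert("filter", podFwChainName, 1, args...)
+if err != nil {
+return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
+}
+}
+
 // ensure there is rule in filter table and FORWARD chain to jump to pod specific firewall chain
 // this rule applies to the traffic getting routed (coming for other node pods)
-comment := "rule to jump traffic from POD name:" + pod.name + " namespace: " + pod.namespace +
+comment = "rule to jump traffic from POD name:" + pod.name + " namespace: " + pod.namespace +
 " to chain " + podFwChainName
-args := []string{"-m", "comment", "--comment", comment, "-s", pod.ip, "-j", podFwChainName}
-exists, err := iptablesCmdHandler.Exists("filter", "FORWARD", args...)
+args = []string{"-m", "comment", "--comment", comment, "-s", pod.ip, "-j", podFwChainName}
+exists, err = iptablesCmdHandler.Exists("filter", "FORWARD", args...)
 if err != nil {
 return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
 }
@@ -901,20 +915,6 @@ func (npc *NetworkPolicyController) syncPodFirewallChains(version string) (map[s
 if err != nil {
 return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
 }
-
-// ensure statefull firewall, that permits return traffic for the traffic originated by the pod
-comment = "rule for stateful firewall for pod"
-args = []string{"-m", "comment", "--comment", comment, "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}
-exists, err = iptablesCmdHandler.Exists("filter", podFwChainName, args...)
-if err != nil {
-return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
-}
-if !exists {
-err := iptablesCmdHandler.Insert("filter", podFwChainName, 1, args...)
-if err != nil {
-return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
-}
-}
 }
 
 return activePodFwChains, nil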
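Review bot: The fix relies on an ordering invariant that the new code does not state: the RELATED,ESTABLISHED ACCEPT inserted at position 1 in the hunks at 748 and 859 only closes the reset window if the default reject rule added later in the same chain (outside these hunks) is not itself inserted at position 1 afterwards, which would place it above the ACCEPT; a comment on the Insert call such as `// must be in place before the chain's default REJECT is added, otherwise established flows are reset mid-sync` would record why this block now comes first and keep a future reorder from silently reintroducing the bug. The same 14-line block is now duplicated verbatim in the ingress loop and the egress loop, so extracting it into a small helper taking the handler and the chain name would give that invariant a single home and keep the two copies from drifting. Inside each copy `err := iptablesCmdHandler.Insert("filter", podFwChainName, 1, args...)` shadows the outer `err` that was just assigned; since the outer variable already exists, plain `err = iptablesCmdHandler.Insert("filter", podFwChainName, 1, args...)` avoids the shadow that vet-style linters flag. syncPodFirewallChains starts and ends outside these hunks.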
