Merge pull request #5163 from kyrtapz/bgp_isolation_e2e

Block local processes from accessing advertised UDNs

Author: tssurya

go-controller/pkg/node/gateway_shared_intf.go

@@ -69,6 +69,14 @@ const (
 	// nftablesUDNMarkExternalIPsV4Map, nftablesUDNMarkExternalIPsV6Map
 	nftablesUDNServiceMarkChain = "udn-service-mark"
 
+	// nftablesUDNBGPOutputChain is a base chain used for blocking the local processes
+	// from accessing any of the advertised UDN networks
+	nftablesUDNBGPOutputChain = "udn-bgp-drop"
+
+	// nftablesAdvertisedUDNsSetV[4|6] is a set containing advertised UDN subnets
+	nftablesAdvertisedUDNsSetV4 = "advertised-udn-subnets-v4"
+	nftablesAdvertisedUDNsSetV6 = "advertised-udn-subnets-v6"
+
 	// nftablesUDNMarkNodePortsMap is a verdict maps containing
 	// localNodeIP / protocol / port keys indicating traffic that
 	// should be marked with a UDN specific value, which is used to direct the traffic
@@ -2457,6 +2465,11 @@ func newNodePortWatcher(
 				return nil, fmt.Errorf("unable to configure UDN nftables: %w", err)
 			}
 		}
+		if util.IsRouteAdvertisementsEnabled() {
+			if err := configureAdvertisedUDNIsolationNFTables(); err != nil {
+				return nil, fmt.Errorf("unable to configure UDN isolation nftables: %w", err)
+			}
+		}
 	}
 
 	var subnets []*net.IPNet
@@ -2919,3 +2932,74 @@ func getIPv(ipnet *net.IPNet) string {
 	}
 	return prefix
 }
+
+// configureAdvertisedUDNIsolationNFTables configures nftables to drop traffic generated locally towards advertised UDN subnets.
+// It sets up a nftables chain named nftablesUDNBGPOutputChain in the output hook with filter priority which drops
+// traffic originating from the local node destined to nftablesAdvertisedUDNsSet.
+// It creates nftablesAdvertisedUDNsSet[v4|v6] set which stores the subnets.
+// Results in:
+//
+//	set advertised-udn-subnets-v4 {
+//	  type ipv4_addr
+//	  flags interval
+//	  comment "advertised UDN V4 subnets"
+//	}
+//	set advertised-udn-subnets-v6 {
+//	  type ipv6_addr
+//	  flags interval
+//	  comment "advertised UDN V6 subnets"
+//	}
+//	chain udn-bgp-drop {
+//	  comment "Drop traffic generated locally towards advertised UDN subnets"
+//	   type filter hook output priority filter; policy accept;
+//	   ip daddr @advertised-udn-subnets-v4 counter packets 0 bytes 0 drop
+//	   ip6 daddr @advertised-udn-subnets-v6 counter packets 0 bytes 0 drop
+//	 }
+func configureAdvertisedUDNIsolationNFTables() error {
+	counterIfDebug := ""
+	if config.Logging.Level > 4 {
+		counterIfDebug = "counter"
+	}
+
+	nft, err := nodenft.GetNFTablesHelper()
+	if err != nil {
+		return err
+	}
+	tx := nft.NewTransaction()
+	tx.Add(&knftables.Chain{
+		Name:    nftablesUDNBGPOutputChain,
+		Comment: knftables.PtrTo("Drop traffic generated locally towards advertised UDN subnets"),
+
+		Type:     knftables.PtrTo(knftables.FilterType),
+		Hook:     knftables.PtrTo(knftables.OutputHook),
+		Priority: knftables.PtrTo(knftables.FilterPriority),
+	})
+	tx.Flush(&knftables.Chain{Name: nftablesUDNBGPOutputChain})
+
+	// TODO: clean up any stale entries in advertised-udn-subnets-v[4|6]
+	set := &knftables.Set{
+		Name:    nftablesAdvertisedUDNsSetV4,
+		Comment: knftables.PtrTo("advertised UDN V4 subnets"),
+		Type:    "ipv4_addr",
+		Flags:   []knftables.SetFlag{knftables.IntervalFlag},
+	}
+	tx.Add(set)
+
+	set = &knftables.Set{
+		Name:    nftablesAdvertisedUDNsSetV6,
+		Comment: knftables.PtrTo("advertised UDN V6 subnets"),
+		Type:    "ipv6_addr",
+		Flags:   []knftables.SetFlag{knftables.IntervalFlag},
+	}
+	tx.Add(set)
+
+	tx.Add(&knftables.Rule{
+		Chain: nftablesUDNBGPOutputChain,
+		Rule:  knftables.Concat(fmt.Sprintf("ip daddr @%s", nftablesAdvertisedUDNsSetV4), counterIfDebug, "drop"),
+	})
+	tx.Add(&knftables.Rule{
+		Chain: nftablesUDNBGPOutputChain,
+		Rule:  knftables.Concat(fmt.Sprintf("ip6 daddr @%s", nftablesAdvertisedUDNsSetV6), counterIfDebug, "drop"),
+	})
+	return nft.Run(context.TODO(), tx)
+}

go-controller/pkg/node/gateway_udn.go

@@ -437,6 +437,14 @@ func (udng *UserDefinedNetworkGateway) DelNetwork() error {
 			return fmt.Errorf("failed to reconcile default gateway for network %s, err: %v", udng.GetNetworkName(), err)
 		}
 	}
+
+	if util.IsPodNetworkAdvertisedAtNode(udng.NetInfo, udng.node.Name) {
+		err := udng.updateAdvertisedUDNIsolationRules(false)
+		if err != nil {
+			return fmt.Errorf("failed to remove advertised UDN isolation rules for network %s: %w", udng.GetNetworkName(), err)
+		}
+	}
+
 	if err := udng.delMarkChain(); err != nil {
 		return err
 	}
@@ -918,6 +926,9 @@ func (udng *UserDefinedNetworkGateway) doReconcile() error {
 		return fmt.Errorf("error while updating logical flow for UDN %s: %s", udng.GetNetworkName(), err)
 	}
 
+	if err := udng.updateAdvertisedUDNIsolationRules(isNetworkAdvertised); err != nil {
+		return fmt.Errorf("error while updating advertised UDN isolation rules for network %s: %w", udng.GetNetworkName(), err)
+	}
 	return nil
 }
 
@@ -975,3 +986,74 @@ func (udng *UserDefinedNetworkGateway) removeDefaultRouteFromVRF() error {
 	}
 	return nil
 }
+
+// updateAdvertisedUDNIsolationRules adds the full UDN subnets to nftablesAdvertisedUDNsSetV[4|6] nft set that is used
+// in the following chain/rules to drop locally generated traffic towards a UDN network:
+//
+//	chain udn-bgp-drop {
+//	  comment "Drop traffic generated locally towards advertised UDN subnets"
+//	  type filter hook output priority filter; policy accept;
+//	  ip daddr @advertised-udn-subnets-v4 counter packets 0 bytes 0 drop
+//	  ip6 daddr @advertised-udn-subnets-v6 counter packets 0 bytes 0 drop
+//	}
+//
+// It blocks access to the full UDN subnet to handle a case in L3 when a node tries to access
+// a host subnet available on a different node. Example set entries:
+//
+//	 set advertised-udn-subnets-v4 {
+//	   type ipv4_addr
+//	   flags interval
+//	   comment "advertised UDNs V4 subnets"
+//	   elements = { 10.10.0.0/16 comment "cluster_udn_l3network" }
+//	}
+func (udng *UserDefinedNetworkGateway) updateAdvertisedUDNIsolationRules(isNetworkAdvertised bool) error {
+	nft, err := nodenft.GetNFTablesHelper()
+	if err != nil {
+		return fmt.Errorf("failed to get nftables helper: %v", err)
+	}
+	tx := nft.NewTransaction()
+
+	if !isNetworkAdvertised {
+		existingV4, err := nft.ListElements(context.TODO(), "set", nftablesAdvertisedUDNsSetV4)
+		if err != nil {
+			if !knftables.IsNotFound(err) {
+				return fmt.Errorf("could not list existing items in %s set: %w", nftablesAdvertisedUDNsSetV4, err)
+			}
+		}
+		existingV6, err := nft.ListElements(context.TODO(), "set", nftablesAdvertisedUDNsSetV6)
+		if err != nil {
+			if !knftables.IsNotFound(err) {
+				return fmt.Errorf("could not list existing items in %s set: %w", nftablesAdvertisedUDNsSetV6, err)
+			}
+		}
+
+		for _, elem := range append(existingV4, existingV6...) {
+			if elem.Comment != nil && *elem.Comment == udng.GetNetworkName() {
+				tx.Delete(elem)
+			}
+		}
+
+		if tx.NumOperations() == 0 {
+			return nil
+		}
+		return nft.Run(context.TODO(), tx)
+	}
+
+	for _, udnNet := range udng.Subnets() {
+		set := nftablesAdvertisedUDNsSetV4
+		if utilnet.IsIPv6CIDR(udnNet.CIDR) {
+			set = nftablesAdvertisedUDNsSetV6
+		}
+		tx.Add(&knftables.Element{
+			Set:     set,
+			Key:     []string{udnNet.CIDR.String()},
+			Comment: knftables.PtrTo(udng.GetNetworkName()),
+		})
+
+	}
+
+	if tx.NumOperations() == 0 {
+		return nil
+	}
+	return nft.Run(context.TODO(), tx)
+}

go-controller/pkg/node/gateway_udn_test.go

@@ -1,6 +1,7 @@
 package node
 
 import (
+	"context"
 	"fmt"
 	"net"
 	"sort"
@@ -11,6 +12,7 @@ import (
 
 	"github.com/containernetworking/plugins/pkg/ns"
 	"github.com/containernetworking/plugins/pkg/testutils"
+	nadapi "github.com/k8snetworkplumbingwg/network-attachment-definition-client/pkg/apis/k8s.cni.cncf.io/v1"
 	nadfake "github.com/k8snetworkplumbingwg/network-attachment-definition-client/pkg/client/clientset/versioned/fake"
 	"github.com/stretchr/testify/mock"
 	"github.com/vishvananda/netlink"
@@ -21,6 +23,7 @@ import (
 	"k8s.io/client-go/kubernetes/fake"
 	utilnet "k8s.io/utils/net"
 	"k8s.io/utils/ptr"
+	"sigs.k8s.io/knftables"
 
 	"github.com/ovn-org/ovn-kubernetes/go-controller/pkg/config"
 	udnfakeclient "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/crd/userdefinednetwork/v1/apis/clientset/versioned/fake"
@@ -1652,3 +1655,137 @@ func TestConstructUDNVRFIPRulesPodNetworkAdvertised(t *testing.T) {
 		})
 	}
 }
+
+func TestUserDefinedNetworkGateway_updateAdvertisedUDNIsolationRules(t *testing.T) {
+	tests := []struct {
+		name                string
+		nad                 *nadapi.NetworkAttachmentDefinition
+		isNetworkAdvertised bool
+		initialElements     []*knftables.Element
+		expectedV4Elements  []*knftables.Element
+		expectedV6Elements  []*knftables.Element
+	}{
+		{
+			name: "Should add V4 and V6 entries to the set for advertised L3 network",
+			nad: ovntest.GenerateNAD("test", "rednad", "greenamespace",
+				types.Layer3Topology, "100.128.0.0/16/24,ae70::/60/64", types.NetworkRolePrimary),
+			isNetworkAdvertised: true,
+			expectedV4Elements: []*knftables.Element{{
+				Set:     nftablesAdvertisedUDNsSetV4,
+				Key:     []string{"100.128.0.0/16"},
+				Comment: knftables.PtrTo[string]("test"),
+			}},
+			expectedV6Elements: []*knftables.Element{{
+				Set:     nftablesAdvertisedUDNsSetV6,
+				Key:     []string{"ae70::/60"},
+				Comment: knftables.PtrTo[string]("test"),
+			}},
+		},
+		{
+			name: "Should add V4 and V6 entries to the set for advertised L2 network",
+			nad: ovntest.GenerateNAD("test", "rednad", "greenamespace",
+				types.Layer2Topology, "100.128.0.0/16,ae70::/60", types.NetworkRolePrimary),
+			isNetworkAdvertised: true,
+			expectedV4Elements: []*knftables.Element{{
+				Set:     nftablesAdvertisedUDNsSetV4,
+				Key:     []string{"100.128.0.0/16"},
+				Comment: knftables.PtrTo[string]("test"),
+			}},
+			expectedV6Elements: []*knftables.Element{{
+				Set:     nftablesAdvertisedUDNsSetV6,
+				Key:     []string{"ae70::/60"},
+				Comment: knftables.PtrTo[string]("test"),
+			}},
+		},
+		{
+			name: "Should not add duplicate V4 and V6 entries to the for advertised network",
+			nad: ovntest.GenerateNAD("test", "rednad", "greenamespace",
+				types.Layer3Topology, "100.128.0.0/16/24,ae70::/60/64", types.NetworkRolePrimary),
+			isNetworkAdvertised: true,
+			initialElements: []*knftables.Element{
+				{
+					Set:     nftablesAdvertisedUDNsSetV4,
+					Key:     []string{"100.128.0.0/16"},
+					Comment: knftables.PtrTo[string]("test"),
+				}, {
+					Set:     nftablesAdvertisedUDNsSetV6,
+					Key:     []string{"ae70::/60"},
+					Comment: knftables.PtrTo[string]("test"),
+				},
+			},
+			expectedV4Elements: []*knftables.Element{{
+				Set:     nftablesAdvertisedUDNsSetV4,
+				Key:     []string{"100.128.0.0/16"},
+				Comment: knftables.PtrTo[string]("test"),
+			}},
+			expectedV6Elements: []*knftables.Element{{
+				Set:     nftablesAdvertisedUDNsSetV6,
+				Key:     []string{"ae70::/60"},
+				Comment: knftables.PtrTo[string]("test"),
+			}},
+		},
+		{
+			name: "Should remove V4 and V6 entries from the set when network for not advertised network",
+			nad: ovntest.GenerateNAD("test", "rednad", "greenamespace",
+				types.Layer3Topology, "100.128.0.0/16/24,ae70::/60/64", types.NetworkRolePrimary),
+			isNetworkAdvertised: false,
+			initialElements: []*knftables.Element{
+				{
+					Set:     nftablesAdvertisedUDNsSetV4,
+					Key:     []string{"100.128.0.0/16"},
+					Comment: knftables.PtrTo[string]("test"),
+				}, {
+					Set:     nftablesAdvertisedUDNsSetV6,
+					Key:     []string{"ae70::/60"},
+					Comment: knftables.PtrTo[string]("test"),
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+			nft := nodenft.SetFakeNFTablesHelper()
+			config.IPv4Mode = true
+			config.IPv6Mode = true
+
+			netInfo, err := util.ParseNADInfo(tt.nad)
+			g.Expect(err).NotTo(HaveOccurred())
+
+			err = configureAdvertisedUDNIsolationNFTables()
+			g.Expect(err).ToNot(HaveOccurred())
+			tx := nft.NewTransaction()
+			for _, element := range tt.initialElements {
+				tx.Add(element)
+			}
+			if tx.NumOperations() > 0 {
+				err = nft.Run(context.TODO(), tx)
+				g.Expect(err).NotTo(HaveOccurred())
+			}
+			udng := &UserDefinedNetworkGateway{
+				NetInfo: netInfo,
+			}
+			err = udng.updateAdvertisedUDNIsolationRules(tt.isNetworkAdvertised)
+			g.Expect(err).NotTo(HaveOccurred())
+
+			v4Elems, err := nft.ListElements(context.TODO(), "set", nftablesAdvertisedUDNsSetV4)
+			g.Expect(err).NotTo(HaveOccurred())
+			g.Expect(v4Elems).To(HaveLen(len(tt.expectedV4Elements)))
+
+			v6Elems, err := nft.ListElements(context.TODO(), "set", nftablesAdvertisedUDNsSetV6)
+			g.Expect(err).NotTo(HaveOccurred())
+			g.Expect(v6Elems).To(HaveLen(len(tt.expectedV6Elements)))
+
+			for i, element := range tt.expectedV4Elements {
+				g.Expect(element.Key).To(HaveLen(len(v4Elems[i].Key)))
+				g.Expect(element.Key[0]).To(BeEquivalentTo(v4Elems[i].Key[0]))
+				g.Expect(element.Comment).To(BeEquivalentTo(v4Elems[i].Comment))
+			}
+			for i, element := range tt.expectedV6Elements {
+				g.Expect(element.Key).To(HaveLen(len(v6Elems[i].Key)))
+				g.Expect(element.Key[0]).To(BeEquivalentTo(v6Elems[i].Key[0]))
+				g.Expect(element.Comment).To(BeEquivalentTo(v6Elems[i].Comment))
+			}
+		})
+	}
+}