Block local processes from accessing the UDNs subnets

kyrtapz · kyrtapz · commit ea10061df7fc · 2025-04-22T19:34:08.000+02:00
An important caveat is that this rule will also block the VRF
from accessing the UDN subnets.
Additionally modify the isolation E2Es to use Consitently
instead of Eventually for cases where no connectivity is expected.

Signed-off-by: Patryk Diak &lt;pdiak@redhat.com&gt;
diff --git a/go-controller/pkg/node/gateway_shared_intf.go b/go-controller/pkg/node/gateway_shared_intf.go
@@ -69,6 +69,14 @@ const (
 	// nftablesUDNMarkExternalIPsV4Map, nftablesUDNMarkExternalIPsV6Map
 	nftablesUDNServiceMarkChain = "udn-service-mark"
 
+	// nftablesUDNBGPOutputChain is a base chain used for blocking the local processes
+	// from accessing any of the advertised UDN networks
+	nftablesUDNBGPOutputChain = "udn-bgp-drop"
+
+	// nftablesAdvertisedUDNsSetV[4|6] is a set containing advertised UDN subnets
+	nftablesAdvertisedUDNsSetV4 = "advertised-udn-subnets-v4"
+	nftablesAdvertisedUDNsSetV6 = "advertised-udn-subnets-v6"
+
 	// nftablesUDNMarkNodePortsMap is a verdict maps containing
 	// localNodeIP / protocol / port keys indicating traffic that
 	// should be marked with a UDN specific value, which is used to direct the traffic
@@ -2457,6 +2465,11 @@ func newNodePortWatcher(
 				return nil, fmt.Errorf("unable to configure UDN nftables: %w", err)
 			}
 		}
+		if util.IsRouteAdvertisementsEnabled() {
+			if err := configureAdvertisedUDNIsolationNFTables(); err != nil {
+				return nil, fmt.Errorf("unable to configure UDN isolation nftables: %w", err)
+			}
+		}
 	}
 
 	var subnets []*net.IPNet
@@ -2919,3 +2932,74 @@ func getIPv(ipnet *net.IPNet) string {
 	}
 	return prefix
 }
+
+// configureAdvertisedUDNIsolationNFTables configures nftables to drop traffic generated locally towards advertised UDN subnets.
+// It sets up a nftables chain named nftablesUDNBGPOutputChain in the output hook with filter priority which drops
+// traffic originating from the local node destined to nftablesAdvertisedUDNsSet.
+// It creates nftablesAdvertisedUDNsSet[v4|v6] set which stores the subnets.
+// Results in:
+//
+//	set advertised-udn-subnets-v4 {
+//	  type ipv4_addr
+//	  flags interval
+//	  comment "advertised UDN V4 subnets"
+//	}
+//	set advertised-udn-subnets-v6 {
+//	  type ipv6_addr
+//	  flags interval
+//	  comment "advertised UDN V6 subnets"
+//	}
+//	chain udn-bgp-drop {
+//	  comment "Drop traffic generated locally towards advertised UDN subnets"
+//	   type filter hook output priority filter; policy accept;
+//	   ip daddr @advertised-udn-subnets-v4 counter packets 0 bytes 0 drop
+//	   ip6 daddr @advertised-udn-subnets-v6 counter packets 0 bytes 0 drop
+//	 }
+func configureAdvertisedUDNIsolationNFTables() error {
+	counterIfDebug := ""
+	if config.Logging.Level > 4 {
+		counterIfDebug = "counter"
+	}
+
+	nft, err := nodenft.GetNFTablesHelper()
+	if err != nil {
+		return err
+	}
+	tx := nft.NewTransaction()
+	tx.Add(&knftables.Chain{
+		Name:    nftablesUDNBGPOutputChain,
+		Comment: knftables.PtrTo("Drop traffic generated locally towards advertised UDN subnets"),
+
+		Type:     knftables.PtrTo(knftables.FilterType),
+		Hook:     knftables.PtrTo(knftables.OutputHook),
+		Priority: knftables.PtrTo(knftables.FilterPriority),
+	})
+	tx.Flush(&knftables.Chain{Name: nftablesUDNBGPOutputChain})
+
+	// TODO: clean up any stale entries in advertised-udn-subnets-v[4|6]
+	set := &knftables.Set{
+		Name:    nftablesAdvertisedUDNsSetV4,
+		Comment: knftables.PtrTo("advertised UDN V4 subnets"),
+		Type:    "ipv4_addr",
+		Flags:   []knftables.SetFlag{knftables.IntervalFlag},
+	}
+	tx.Add(set)
+
+	set = &knftables.Set{
+		Name:    nftablesAdvertisedUDNsSetV6,
+		Comment: knftables.PtrTo("advertised UDN V6 subnets"),
+		Type:    "ipv6_addr",
+		Flags:   []knftables.SetFlag{knftables.IntervalFlag},
+	}
+	tx.Add(set)
+
+	tx.Add(&knftables.Rule{
+		Chain: nftablesUDNBGPOutputChain,
+		Rule:  knftables.Concat(fmt.Sprintf("ip daddr @%s", nftablesAdvertisedUDNsSetV4), counterIfDebug, "drop"),
+	})
+	tx.Add(&knftables.Rule{
+		Chain: nftablesUDNBGPOutputChain,
+		Rule:  knftables.Concat(fmt.Sprintf("ip6 daddr @%s", nftablesAdvertisedUDNsSetV6), counterIfDebug, "drop"),
+	})
+	return nft.Run(context.TODO(), tx)
+}
diff --git a/go-controller/pkg/node/gateway_udn.go b/go-controller/pkg/node/gateway_udn.go
@@ -437,6 +437,14 @@ func (udng *UserDefinedNetworkGateway) DelNetwork() error {
 			return fmt.Errorf("failed to reconcile default gateway for network %s, err: %v", udng.GetNetworkName(), err)
 		}
 	}
+
+	if util.IsPodNetworkAdvertisedAtNode(udng.NetInfo, udng.node.Name) {
+		err := udng.updateAdvertisedUDNIsolationRules(false)
+		if err != nil {
+			return fmt.Errorf("failed to remove advertised UDN isolation rules for network %s: %w", udng.GetNetworkName(), err)
+		}
+	}
+
 	if err := udng.delMarkChain(); err != nil {
 		return err
 	}
@@ -918,6 +926,9 @@ func (udng *UserDefinedNetworkGateway) doReconcile() error {
 		return fmt.Errorf("error while updating logical flow for UDN %s: %s", udng.GetNetworkName(), err)
 	}
 
+	if err := udng.updateAdvertisedUDNIsolationRules(isNetworkAdvertised); err != nil {
+		return fmt.Errorf("error while updating advertised UDN isolation rules for network %s: %w", udng.GetNetworkName(), err)
+	}
 	return nil
 }
 
@@ -975,3 +986,74 @@ func (udng *UserDefinedNetworkGateway) removeDefaultRouteFromVRF() error {
 	}
 	return nil
 }
+
+// updateAdvertisedUDNIsolationRules adds the full UDN subnets to nftablesAdvertisedUDNsSetV[4|6] nft set that is used
+// in the following chain/rules to drop locally generated traffic towards a UDN network:
+//
+//	chain udn-bgp-drop {
+//	  comment "Drop traffic generated locally towards advertised UDN subnets"
+//	  type filter hook output priority filter; policy accept;
+//	  ip daddr @advertised-udn-subnets-v4 counter packets 0 bytes 0 drop
+//	  ip6 daddr @advertised-udn-subnets-v6 counter packets 0 bytes 0 drop
+//	}
+//
+// It blocks access to the full UDN subnet to handle a case in L3 when a node tries to access
+// a host subnet available on a different node. Example set entries:
+//
+//	 set advertised-udn-subnets-v4 {
+//	   type ipv4_addr
+//	   flags interval
+//	   comment "advertised UDNs V4 subnets"
+//	   elements = { 10.10.0.0/16 comment "cluster_udn_l3network" }
+//	}
+func (udng *UserDefinedNetworkGateway) updateAdvertisedUDNIsolationRules(isNetworkAdvertised bool) error {
+	nft, err := nodenft.GetNFTablesHelper()
+	if err != nil {
+		return fmt.Errorf("failed to get nftables helper: %v", err)
+	}
+	tx := nft.NewTransaction()
+
+	if !isNetworkAdvertised {
+		existingV4, err := nft.ListElements(context.TODO(), "set", nftablesAdvertisedUDNsSetV4)
+		if err != nil {
+			if !knftables.IsNotFound(err) {
+				return fmt.Errorf("could not list existing items in %s set: %w", nftablesAdvertisedUDNsSetV4, err)
+			}
+		}
+		existingV6, err := nft.ListElements(context.TODO(), "set", nftablesAdvertisedUDNsSetV6)
+		if err != nil {
+			if !knftables.IsNotFound(err) {
+				return fmt.Errorf("could not list existing items in %s set: %w", nftablesAdvertisedUDNsSetV6, err)
+			}
+		}
+
+		for _, elem := range append(existingV4, existingV6...) {
+			if elem.Comment != nil && *elem.Comment == udng.GetNetworkName() {
+				tx.Delete(elem)
+			}
+		}
+
+		if tx.NumOperations() == 0 {
+			return nil
+		}
+		return nft.Run(context.TODO(), tx)
+	}
+
+	for _, udnNet := range udng.Subnets() {
+		set := nftablesAdvertisedUDNsSetV4
+		if utilnet.IsIPv6CIDR(udnNet.CIDR) {
+			set = nftablesAdvertisedUDNsSetV6
+		}
+		tx.Add(&knftables.Element{
+			Set:     set,
+			Key:     []string{udnNet.CIDR.String()},
+			Comment: knftables.PtrTo(udng.GetNetworkName()),
+		})
+
+	}
+
+	if tx.NumOperations() == 0 {
+		return nil
+	}
+	return nft.Run(context.TODO(), tx)
+}
diff --git a/go-controller/pkg/node/gateway_udn_test.go b/go-controller/pkg/node/gateway_udn_test.go
@@ -1,6 +1,7 @@
 package node
 
 import (
+	"context"
 	"fmt"
 	"net"
 	"sort"
@@ -11,6 +12,7 @@ import (
 
 	"github.com/containernetworking/plugins/pkg/ns"
 	"github.com/containernetworking/plugins/pkg/testutils"
+	nadapi "github.com/k8snetworkplumbingwg/network-attachment-definition-client/pkg/apis/k8s.cni.cncf.io/v1"
 	nadfake "github.com/k8snetworkplumbingwg/network-attachment-definition-client/pkg/client/clientset/versioned/fake"
 	"github.com/stretchr/testify/mock"
 	"github.com/vishvananda/netlink"
@@ -21,6 +23,7 @@ import (
 	"k8s.io/client-go/kubernetes/fake"
 	utilnet "k8s.io/utils/net"
 	"k8s.io/utils/ptr"
+	"sigs.k8s.io/knftables"
 
 	"github.com/ovn-org/ovn-kubernetes/go-controller/pkg/config"
 	udnfakeclient "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/crd/userdefinednetwork/v1/apis/clientset/versioned/fake"
@@ -1652,3 +1655,137 @@ func TestConstructUDNVRFIPRulesPodNetworkAdvertised(t *testing.T) {
 		})
 	}
 }
+
+func TestUserDefinedNetworkGateway_updateAdvertisedUDNIsolationRules(t *testing.T) {
+	tests := []struct {
+		name                string
+		nad                 *nadapi.NetworkAttachmentDefinition
+		isNetworkAdvertised bool
+		initialElements     []*knftables.Element
+		expectedV4Elements  []*knftables.Element
+		expectedV6Elements  []*knftables.Element
+	}{
+		{
+			name: "Should add V4 and V6 entries to the set for advertised L3 network",
+			nad: ovntest.GenerateNAD("test", "rednad", "greenamespace",
+				types.Layer3Topology, "100.128.0.0/16/24,ae70::/60/64", types.NetworkRolePrimary),
+			isNetworkAdvertised: true,
+			expectedV4Elements: []*knftables.Element{{
+				Set:     nftablesAdvertisedUDNsSetV4,
+				Key:     []string{"100.128.0.0/16"},
+				Comment: knftables.PtrTo[string]("test"),
+			}},
+			expectedV6Elements: []*knftables.Element{{
+				Set:     nftablesAdvertisedUDNsSetV6,
+				Key:     []string{"ae70::/60"},
+				Comment: knftables.PtrTo[string]("test"),
+			}},
+		},
+		{
+			name: "Should add V4 and V6 entries to the set for advertised L2 network",
+			nad: ovntest.GenerateNAD("test", "rednad", "greenamespace",
+				types.Layer2Topology, "100.128.0.0/16,ae70::/60", types.NetworkRolePrimary),
+			isNetworkAdvertised: true,
+			expectedV4Elements: []*knftables.Element{{
+				Set:     nftablesAdvertisedUDNsSetV4,
+				Key:     []string{"100.128.0.0/16"},
+				Comment: knftables.PtrTo[string]("test"),
+			}},
+			expectedV6Elements: []*knftables.Element{{
+				Set:     nftablesAdvertisedUDNsSetV6,
+				Key:     []string{"ae70::/60"},
+				Comment: knftables.PtrTo[string]("test"),
+			}},
+		},
+		{
+			name: "Should not add duplicate V4 and V6 entries to the for advertised network",
+			nad: ovntest.GenerateNAD("test", "rednad", "greenamespace",
+				types.Layer3Topology, "100.128.0.0/16/24,ae70::/60/64", types.NetworkRolePrimary),
+			isNetworkAdvertised: true,
+			initialElements: []*knftables.Element{
+				{
+					Set:     nftablesAdvertisedUDNsSetV4,
+					Key:     []string{"100.128.0.0/16"},
+					Comment: knftables.PtrTo[string]("test"),
+				}, {
+					Set:     nftablesAdvertisedUDNsSetV6,
+					Key:     []string{"ae70::/60"},
+					Comment: knftables.PtrTo[string]("test"),
+				},
+			},
+			expectedV4Elements: []*knftables.Element{{
+				Set:     nftablesAdvertisedUDNsSetV4,
+				Key:     []string{"100.128.0.0/16"},
+				Comment: knftables.PtrTo[string]("test"),
+			}},
+			expectedV6Elements: []*knftables.Element{{
+				Set:     nftablesAdvertisedUDNsSetV6,
+				Key:     []string{"ae70::/60"},
+				Comment: knftables.PtrTo[string]("test"),
+			}},
+		},
+		{
+			name: "Should remove V4 and V6 entries from the set when network for not advertised network",
+			nad: ovntest.GenerateNAD("test", "rednad", "greenamespace",
+				types.Layer3Topology, "100.128.0.0/16/24,ae70::/60/64", types.NetworkRolePrimary),
+			isNetworkAdvertised: false,
+			initialElements: []*knftables.Element{
+				{
+					Set:     nftablesAdvertisedUDNsSetV4,
+					Key:     []string{"100.128.0.0/16"},
+					Comment: knftables.PtrTo[string]("test"),
+				}, {
+					Set:     nftablesAdvertisedUDNsSetV6,
+					Key:     []string{"ae70::/60"},
+					Comment: knftables.PtrTo[string]("test"),
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+			nft := nodenft.SetFakeNFTablesHelper()
+			config.IPv4Mode = true
+			config.IPv6Mode = true
+
+			netInfo, err := util.ParseNADInfo(tt.nad)
+			g.Expect(err).NotTo(HaveOccurred())
+
+			err = configureAdvertisedUDNIsolationNFTables()
+			g.Expect(err).ToNot(HaveOccurred())
+			tx := nft.NewTransaction()
+			for _, element := range tt.initialElements {
+				tx.Add(element)
+			}
+			if tx.NumOperations() > 0 {
+				err = nft.Run(context.TODO(), tx)
+				g.Expect(err).NotTo(HaveOccurred())
+			}
+			udng := &UserDefinedNetworkGateway{
+				NetInfo: netInfo,
+			}
+			err = udng.updateAdvertisedUDNIsolationRules(tt.isNetworkAdvertised)
+			g.Expect(err).NotTo(HaveOccurred())
+
+			v4Elems, err := nft.ListElements(context.TODO(), "set", nftablesAdvertisedUDNsSetV4)
+			g.Expect(err).NotTo(HaveOccurred())
+			g.Expect(v4Elems).To(HaveLen(len(tt.expectedV4Elements)))
+
+			v6Elems, err := nft.ListElements(context.TODO(), "set", nftablesAdvertisedUDNsSetV6)
+			g.Expect(err).NotTo(HaveOccurred())
+			g.Expect(v6Elems).To(HaveLen(len(tt.expectedV6Elements)))
+
+			for i, element := range tt.expectedV4Elements {
+				g.Expect(element.Key).To(HaveLen(len(v4Elems[i].Key)))
+				g.Expect(element.Key[0]).To(BeEquivalentTo(v4Elems[i].Key[0]))
+				g.Expect(element.Comment).To(BeEquivalentTo(v4Elems[i].Comment))
+			}
+			for i, element := range tt.expectedV6Elements {
+				g.Expect(element.Key).To(HaveLen(len(v6Elems[i].Key)))
+				g.Expect(element.Key[0]).To(BeEquivalentTo(v6Elems[i].Key[0]))
+				g.Expect(element.Comment).To(BeEquivalentTo(v6Elems[i].Comment))
+			}
+		})
+	}
+}
diff --git a/test/e2e/route_advertisements.go b/test/e2e/route_advertisements.go
