Calling AddPort before AddProtocol returns an error, which means ConntrackDeleteFilter has been called without port filter.
Signed-off-by: Sang Heon Lee <developistBV@gmail.com>
This commit adds a new parameter `ingressPolicy` (`string`) to the `firewall` plugin.
The supported values are `open` and `same-bridge`.
- `open` is the default and does NOP.
- `same-bridge` creates "CNI-ISOLATION-STAGE-1" and "CNI-ISOLATION-STAGE-2"
that are similar to Docker libnetwork's "DOCKER-ISOLATION-STAGE-1" and
"DOCKER-ISOLATION-STAGE-2" rules.
e.g., when `ns1` and `ns2` are connected to bridge `cni1`, and `ns3` is
connected to bridge `cni2`, the `same-bridge` ingress policy disallows
communications between `ns1` and `ns3`, while allowing communications
between `ns1` and `ns2`.
Please refer to the comment lines in `ingresspolicy.go` for the actual iptables rules.
The `same-bridge` ingress policy is expected to be used in conjunction
with `bridge` plugin. May not work as expected with other "main" plugins.
It should be also noted that the `same-bridge` ingress policy executes
raw `iptables` commands directly, even when the `backend` is set to `firewalld`.
We could potentially use the "direct" API of firewalld [1] to execute
iptables via firewalld, but it doesn't seem to have a clear benefit over just directly
executing raw iptables commands.
(Anyway, we have been already executing raw iptables commands in the `portmap` plugin)
[1] https://firewalld.org/documentation/direct/options.html
This commit replaces the `isolation` plugin proposal (issue 573, PR 574).
The design of `ingressPolicy` was discussed in the comments of the withdrawn PR 574 ,
but `same-network` was renamed to `same-bridge` then.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
If an interface is not configured with IPAM (because it functions at
layer 2), it will not be brought up otherwise.
Signed-off-by: David Ward <david.ward@ll.mit.edu>
Use the constants already defined in the golang.org/x/sys/unix package
instead of open-coding them.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
First byte of client ID is type, instead of value. See this from
RFC2132:
Code Len Type Client-Identifier
+-----+-----+-----+-----+-----+---
| 61 | n | t1 | i1 | i2 | ...
+-----+-----+-----+-----+-----+---
Signed-off-by: SilverBut <SilverBut@users.noreply.github.com>
Almost every first retry of DHCP will fail due to interface is not up. Add a
fast retry to reduce unnecessary latency.
Signed-off-by: SilverBut <SilverBut@users.noreply.github.com>
The current code accidentally ignores partial reads, since it doesn't
check the return value of (io.Reader).Read.
What we actually want is io.ReadFull(rand.Reader, buf), which is
conveniently provided by rand.Read(buf).
Signed-off-by: edef <edef@edef.eu>
The new macspoofchk field is added to the bridge plugin to support
anti-mac-spoofing.
When the parameter is enabled, traffic is limited to the mac addresses
of the container interface (the veth peer that is placed in the
container ns).
Any traffic that exits the pod is checked against the source mac address
that is expected. If the mac address is different, the frames are
dropped.
The implementation is using nftables and should only be used on nodes
that support it.
Signed-off-by: Edward Haas <edwardh@redhat.com>
