Bug: Controller does not filter IP address family #25

sstrk · 2021-04-22T07:04:27Z

The controller does not distinguish between IPv4 and IPv6 addresses. This breaks the appliance of nftables rules if the host nodes have an IPv4 and an IPv6 address (DualStack).

The controller tries to use IPv6 addresses in an IPv4 nftables rule. This leads to the failure of nftables when trying to apply the generated config:

Error: Could not resolve hostname: Address family for hostname not supported

The text was updated successfully, but these errors were encountered:

horazont · 2021-04-22T07:33:44Z

@ComradeOgilvy Could you please add the diff which is logged by the operator so that it’s clear where the error comes from?

sstrk · 2021-04-22T10:03:55Z

Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]: I0422 06:37:55.990373    1757 agent.go:201] configuration diff for /var/lib/ch-k8s-lbaas-agent/nftables/lbaas.conf:
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]: --- /var/lib/ch-k8s-lbaas-agent/nftables/.bak-765999954        2021-04-22 06:37:55.984736510 +0000
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]: +++ /var/lib/ch-k8s-lbaas-agent/nftables/.tmp-675798527        2021-04-22 06:37:55.984736510 +0000
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]: @@ -9,6 +9,10 @@
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]:  table ip nat {
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]:          chain prerouting {
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]:  
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]: +
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]: +        ip daddr 172.30.154.11 tcp dport 80 mark set 0x1 and 0x1 ct mark set meta mark dnat to numgen inc mod 10 map {0 : 172.30.154.10, 1 : 172.30.154.15, 2 : 172.30.154.22, 3 : 172.30.154.28, 4 : 172.30.154.5, 5 : 172.30.154.7, 6 : fd00::11, 7 : fd00::14, 8 : fd00::15, 9 : fd00::6, } : 30681;
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]: +
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]:          }
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]:  
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]:          chain postrouting {
Apr 22 06:37:55 managed-k8s-gw-az1 sudo[22853]: ch-k8s-lbaas-agent : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/systemctl reload nftables
Apr 22 06:37:56 managed-k8s-gw-az1 sudo[22853]: pam_unix(sudo:session): session opened for user root by (uid=0)
Apr 22 06:37:56 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]: Job for nftables.service failed.

On a DualStack-cluster, the nodes can have IPv4 and IPv6 addresses. The controller does not distinguish the addresses, which leads to the fact that all addresses will be used as Destination Addresses independent of the preferred IPFamily of the Service. This commit adjusts getDestinationAddress to return a map in which the IP addresses are distinguished based on their Address Family. Furthermore, if a Service has a preferred Address Family, only these addresses will be used as destination addresses. Issue: cloudandheat#25

The host nodes of a cluster can have IPv4 and/or IPv6 addresses. The controller does not distinguish the address families, which leads to the fact that all addresses will be used as Destination Addresses independent of the preferred IPFamily of the Service. This commit adjusts getDestinationAddress to return two lists, one for each supported address family. Furthermore, if a Service has a preferred Address Family, only these addresses will be used as destination addresses. Issue: cloudandheat#25

The host nodes of a cluster can have IPv4 and/or IPv6 addresses. The controller does not distinguish the address families, which leads to the fact that all addresses will be used as Destination Addresses independent of the preferred IPFamily of the Service or the Ingress IP. This commit adjusts getDestinationAddress to return two lists, one for each supported address family. To do so, functions to check the correctness of a textual representation of an IP and to check the address family got implemented. golang does not natively support the determination of the address family, which is why the presence of ":" and "." is checked. The GenerateModel function has been adjusted to use only IP addresses of the same address family as the IngressIP as destination addresses. Issue: cloudandheat#25

The host nodes of a cluster can have IPv4 and/or IPv6 addresses. The controller does not distinguish the address families, which leads to the fact that all addresses will be used as Destination Addresses independent of the preferred IPFamily of the Service or the Ingress IP. This commit adjusts getDestinationAddress to return two lists, one for each supported address family. To do so, functions to check the correctness of a textual representation of an IP and to check the address family got implemented. golang does not natively support the determination of the address family, which is why the presence of ":" and "." is checked. The GenerateModel function has been adjusted to use only IP addresses of the same address family as the IngressIP as destination addresses. Fixes: cloudandheat#25

The host nodes of a cluster can have IPv4 and/or IPv6 addresses. The controller does not distinguish the address families, which leads to the fact that all addresses will be used as Destination Addresses independent of the preferred IPFamily of the Service or the Ingress IP. This commit adjusts getDestinationAddress to return two lists, one for each supported address family. To do so, functions to check the correctness of a textual representation of an IP and to check the address family got implemented. golang does not natively support the determination of the address family, which is why the presence of ":" and "." is checked. The GenerateModel function has been adjusted to use only IP addresses of the same address family as the IngressIP as destination addresses. Fixes cloudandheat#25

horazont added the bug Something isn't working label Apr 22, 2021

sstrk mentioned this issue Apr 23, 2021

Filter dest addresses based on IngressIP #26

Merged

horazont closed this as completed in #26 Apr 27, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bug: Controller does not filter IP address family #25

Bug: Controller does not filter IP address family #25

sstrk commented Apr 22, 2021

horazont commented Apr 22, 2021

sstrk commented Apr 22, 2021

Bug: Controller does not filter IP address family #25

Bug: Controller does not filter IP address family #25

Comments

sstrk commented Apr 22, 2021

horazont commented Apr 22, 2021

sstrk commented Apr 22, 2021