firewall: support ingressPolicy=(open|same-bridge) for isolating bridges as in Docker #584
Conversation
Force-pushed from aaf3e31 to c3429a1
Thank you for this PR. Reading through the code it looks very competently done, although I have not taken the time to test it in different scenarios. As we are in the process of releasing version 1.0 of CNI, we felt it best to hold off merging until that is out of the way. Should be a few weeks.
firewalld v0.9.0+ supports policy objects which allow forward/output filtering. There are two ways you can achieve what you want.
Ref:
@bboreham @erig0 Thanks a lot for reviewing this.
SGTM
firewalld >= 0.9.0 (Sep 2, 2020) seems available only in very new distros.
Thanks for the information. The first way sounds good.
Yes. You would need raw iptables support anyways for the distros that don't use firewalld.
I don't know. I'm not involved with CNI. I'm the firewalld maintainer. :)
Is there an ETA?
Really trying to get it out by KubeCon.
Are there any updates post-KubeCon EU? 🙂
Force-pushed from c3429a1 to 84e9132
Rebased with the current master for CNI v1.0.0
Force-pushed from 4ad63c8 to 6a7c478
@bboreham Could you take a look?
Sorry I am no longer a CNI maintainer.
Force-pushed from 6a7c478 to 05ecd24
Maybe we should consider reopening #574 (separate
plugins/meta/firewall/firewall.go (outdated)

```go
// This is similar to how Docker libnetwork works.
// IngressPolicySameNetwork executes `iptables` regardless to the value of `Backend`.
// IngressPolicySameNetwork may not work as expected for non-bridge networks.
IngressPolicySameNetwork IngressPolicy = "same-network"
```
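Review bot: the doc comment on `IngressPolicySameNetwork` should read "regardless of the value of `Backend`" rather than "regardless to the value of `Backend`"; since that sentence and the "may not work as expected for non-bridge networks" caveat are the two facts an operator most needs before enabling this value, both should also appear in the plugin's user-facing documentation, not only in this code comment.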
Someday in the future, it might be nice to have L3 isolation, rather than relying on the bridge interface (e.g. for p2p "networks").
What if we call this "same-bridge" for now? That will make it explicit that this is dependent on bridges.
Thanks for reviewing, renamed `same-network` to `same-bridge`. PTAL.
@AkihiroSuda Really sorry for the delayed review here. No excuse, just really busy. I have one naming comment, because someday it might be nice for this to also work with p2p interfaces. Otherwise we can merge this as-is.
…ges as in Docker

This commit adds a new parameter `ingressPolicy` (`string`) to the `firewall` plugin. The supported values are `open` and `same-bridge`.

- `open` is the default and does NOP.
- `same-bridge` creates "CNI-ISOLATION-STAGE-1" and "CNI-ISOLATION-STAGE-2" that are similar to Docker libnetwork's "DOCKER-ISOLATION-STAGE-1" and "DOCKER-ISOLATION-STAGE-2" rules.

e.g., when `ns1` and `ns2` are connected to bridge `cni1`, and `ns3` is connected to bridge `cni2`, the `same-bridge` ingress policy disallows communications between `ns1` and `ns3`, while allowing communications between `ns1` and `ns2`.

Please refer to the comment lines in `ingresspolicy.go` for the actual iptables rules.

The `same-bridge` ingress policy is expected to be used in conjunction with `bridge` plugin. May not work as expected with other "main" plugins.

It should be also noted that the `same-bridge` ingress policy executes raw `iptables` commands directly, even when the `backend` is set to `firewalld`. We could potentially use the "direct" API of firewalld [1] to execute iptables via firewalld, but it doesn't seem to have a clear benefit over just directly executing raw iptables commands. (Anyway, we have been already executing raw iptables commands in the `portmap` plugin)

[1] https://firewalld.org/documentation/direct/options.html

This commit replaces the `isolation` plugin proposal (issue 573, PR 574). The design of `ingressPolicy` was discussed in the comments of the withdrawn PR 574, but `same-network` was renamed to `same-bridge` then.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Force-pushed from 05ecd24 to 22dd6c5
Thank you @squeed !
/lgtm, though now that it's a year later we really should get a firewalld native version of this patch done too.
Thank you for merging, opened doc PR: