Disable IPv6 RA and ICMP redirects on host-side veth

aws · Apr 4, 2020 · 80bcddd · 80bcddd
1 parent 9afe2fe
commit 80bcddd
Show file tree

Hide file tree

Showing 2 changed files with 140 additions and 26 deletions.
diff --git a/cmd/routed-eni-cni-plugin/driver/driver.go b/cmd/routed-eni-cni-plugin/driver/driver.go
@@ -14,7 +14,9 @@
 package driver
 
 import (
+	"fmt"
 	"net"
+	"os"
 	"syscall"
 
 	"github.com/pkg/errors"
@@ -27,6 +29,7 @@ import (
 	"github.com/aws/amazon-vpc-cni-k8s/pkg/netlinkwrapper"
 	"github.com/aws/amazon-vpc-cni-k8s/pkg/networkutils"
 	"github.com/aws/amazon-vpc-cni-k8s/pkg/nswrapper"
+	"github.com/aws/amazon-vpc-cni-k8s/pkg/procsyswrapper"
 	"github.com/aws/amazon-vpc-cni-k8s/pkg/utils/logger"
 )
 
@@ -48,13 +51,15 @@ type NetworkAPIs interface {
 type linuxNetwork struct {
 	netLink netlinkwrapper.NetLink
 	ns      nswrapper.NS
+	procSys procsyswrapper.ProcSys
 }
 
 // New creates linuxNetwork object
 func New() NetworkAPIs {
 	return &linuxNetwork{
 		netLink: netlinkwrapper.NewNetLink(),
 		ns:      nswrapper.NewNS(),
+		procSys: procsyswrapper.NewProcSys(),
 	}
 }
 
@@ -165,11 +170,11 @@ func (createVethContext *createVethPairContext) run(hostNS ns.NetNS) error {
 // SetupNS wires up linux networking for a pod's network
 func (os *linuxNetwork) SetupNS(hostVethName string, contVethName string, netnsPath string, addr *net.IPNet, table int, vpcCIDRs []string, useExternalSNAT bool, mtu int, log logger.Logger) error {
 	log.Debugf("SetupNS: hostVethName=%s, contVethName=%s, netnsPath=%s, table=%d, mtu=%d", hostVethName, contVethName, netnsPath, table, mtu)
-	return setupNS(hostVethName, contVethName, netnsPath, addr, table, vpcCIDRs, useExternalSNAT, os.netLink, os.ns, mtu, log)
+	return setupNS(hostVethName, contVethName, netnsPath, addr, table, vpcCIDRs, useExternalSNAT, os.netLink, os.ns, mtu, log, os.procSys)
 }
 
 func setupNS(hostVethName string, contVethName string, netnsPath string, addr *net.IPNet, table int, vpcCIDRs []string, useExternalSNAT bool,
-	netLink netlinkwrapper.NetLink, ns nswrapper.NS, mtu int, log logger.Logger) error {
+	netLink netlinkwrapper.NetLink, ns nswrapper.NS, mtu int, log logger.Logger, procSys procsyswrapper.ProcSys) error {
 	// Clean up if hostVeth exists.
 	if oldHostVeth, err := netLink.LinkByName(hostVethName); err == nil {
 		if err = netLink.LinkDel(oldHostVeth); err != nil {
@@ -189,6 +194,22 @@ func setupNS(hostVethName string, contVethName string, netnsPath string, addr *n
 		return errors.Wrapf(err, "setupNS network: failed to find link %q", hostVethName)
 	}
 
+	// NB: Must be set after move to host namespace, or kernel will reset to defaults.
+	if err := procSys.Set(fmt.Sprintf("net/ipv6/conf/%s/accept_ra", hostVethName), "0"); err != nil {
+		if !os.IsNotExist(err) {
+			return errors.Wrapf(err, "setup NS network: failed to disable IPv6 router advertisements")
+		}
+		log.Debugf("SetupNS: Ignoring '%s' writing to accept_ra: Assuming kernel lacks IPv6 support", err)
+	}
+
+	if err := procSys.Set(fmt.Sprintf("net/ipv6/conf/%s/accept_redirects", hostVethName), "0"); err != nil {
+		if !os.IsNotExist(err) {
+			return errors.Wrapf(err, "setup NS network: failed to disable IPv6 ICMP redirects")
+		}
+		log.Debugf("SetupNS: Ignoring '%s' writing to accept_redirects: Assuming kernel lacks IPv6 support", err)
+	}
+	log.Debugf("SetupNS: disabled IPv6 RA and ICMP redirects on %s", hostVethName)
+
 	// Explicitly set the veth to UP state, because netlink doesn't always do that on all the platforms with net.FlagUp.
 	// veth won't get a link local address unless it's set to UP state.
 	if err = netLink.LinkSetUp(hostVeth); err != nil {