From 76c147f1214514c7a70460a4f46ca4650c932997 Mon Sep 17 00:00:00 2001
From: TaylorB
Date: Tue, 27 Nov 2018 16:20:27 +1100
Subject: [PATCH 01/15] Added logic to randomise the SNAT rule using --random

---
 README.md | 6 ++++++
 pkg/networkutils/network.go | 20 ++++++++++++++++----
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 970b60daab..c973d7ef6d 100644
--- a/README.md
+++ b/README.md
@@ -99,6 +99,12 @@ Default: `false`
 Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses\. If set to `true`, the SNAT `iptables` rule and off\-VPC IP rule are not applied, and these rules are removed if they have already been applied\.
 Disable SNAT if you need to allow inbound communication to your pods from external VPNs, direct connections, and external VPCs, and your pods do not need to access the Internet directly via an Internet Gateway\. However, your nodes must be running in a private subnet and connected to the internet through an AWS NAT Gateway or another external NAT device\.
 
+`AWS_VPC_K8S_CNI_RANDOMISESNAT`
+Type: Boolean
+Default: `true`
+Specifies weather the SNAT `iptables` rule should randomise the outgoing ports for connections. When enabled the `--random` flag will be added to the SNAT `iptables` rule.
+Disable this functionality if you rely on sequential port allocation for outgoing connections.
+
 `WARM_ENI_TARGET`
 Type: Integer
 Default: `1`
diff --git a/pkg/networkutils/network.go b/pkg/networkutils/network.go
index 7843b0f6e8..5b971e9779 100644
--- a/pkg/networkutils/network.go
+++ b/pkg/networkutils/network.go
@@ -55,6 +55,11 @@ const (
 // be installed and will be removed if they are already installed. Defaults to false.
 envExternalSNAT = "AWS_VPC_K8S_CNI_EXTERNALSNAT"
 
+ // This environment is used to specify weather an the SNAT rule added to iptables should randomise port
+ // allocation for outgoing connections. If set to "true" the SNAT iptables rule will have the "--random" flag
+ // added to it. Defaults to true.
+ envRandomiseSNAT = "AWS_VPC_K8S_CNI_RANDOMISESNAT"
+
 // envNodePortSupport is the name of environment variable that configures whether we implement support for
 // NodePorts on the primary ENI. This requires that we add additional iptables rules and loosen the kernel's
 // RPF check as described below. Defaults to true.
@@ -97,6 +102,7 @@ type NetworkAPIs interface {
 
 type linuxNetwork struct {
 useExternalSNAT bool
+ randomiseSNAT bool
 nodePortSupportEnabled bool
 connmark uint32
 
@@ -118,6 +124,7 @@ type iptablesIface interface {
 func New() NetworkAPIs {
 return &linuxNetwork{
 useExternalSNAT: useExternalSNAT(),
+ randomiseSNAT: randomiseSNAT(),
 nodePortSupportEnabled: nodePortSupportEnabled(),
 mainENIMark: getConnmark(),
 
@@ -295,15 +302,16 @@ func (n *linuxNetwork) SetupHostNetwork(vpcCIDR *net.IPNet, vpcCIDRs []*string,
 }
 
 curChain := fmt.Sprintf("AWS-SNAT-CHAIN-%d", len(vpcCIDRs))
+ snatRule := []string{"-m", "comment", "--comment", "AWS, SNAT",
+ "-m", "addrtype", "!", "--dst-type", "LOCAL",
+ "-j", "SNAT", "--to-source", primaryAddr.String()}
+ if n.randomiseSNAT { snatRule.append("--random") }
 iptableRules = append(iptableRules, iptablesRule{
 name: "last SNAT rule for non-VPC outbound traffic",
 shouldExist: !n.useExternalSNAT,
 table: "nat",
 chain: curChain,
- rule: []string{
- "-m", "comment", "--comment", "AWS, SNAT",
- "-m", "addrtype", "!", "--dst-type", "LOCAL",
- "-j", "SNAT", "--to-source", primaryAddr.String()},
+ rule: snatRule,
 })
 
 log.Debugf("iptableRules: %v", iptableRules)
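Review bot: `snatRule.append("--random")` in the `if n.randomiseSNAT` line is not valid Go — slices have no methods — so this commit does not compile, and the working form `snatRule = append(snatRule, "--random")` only arrives in PATCH 03. The same pattern recurs through the series: PATCH 07 references an undeclared `strValue`, PATCH 10 tests the method value `ipt.HasRandomFully` without calling it, PATCH 12 names the mock method `HasFullyRandom`, each repaired by the following patch. Squash the series so every commit builds; as posted, `git bisect` across this range lands on broken trees. SetupHostNetwork starts and ends outside the hunk.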
@@ -427,6 +435,10 @@ func useExternalSNAT() bool {
 return getBoolEnvVar(envExternalSNAT, false)
 }
 
+func randomiseSNAT() bool {
+ return getBoolEnvVar(envRandomiseSNAT, true)
+}
+
 func nodePortSupportEnabled() bool {
 return getBoolEnvVar(envNodePortSupport, true)
 }
From 6d8f6764561a16584f957342e720ea193100502a Mon Sep 17 00:00:00 2001
From: TaylorB
Date: Tue, 27 Nov 2018 16:52:11 +1100
Subject: [PATCH 02/15] randomize not randomise

---
 README.md | 4 ++--
 pkg/networkutils/network.go | 14 +++++++-------
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index c973d7ef6d..a822538d15 100644
--- a/README.md
+++ b/README.md
@@ -99,10 +99,10 @@ Default: `false`
 Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses\. If set to `true`, the SNAT `iptables` rule and off\-VPC IP rule are not applied, and these rules are removed if they have already been applied\.
 Disable SNAT if you need to allow inbound communication to your pods from external VPNs, direct connections, and external VPCs, and your pods do not need to access the Internet directly via an Internet Gateway\. However, your nodes must be running in a private subnet and connected to the internet through an AWS NAT Gateway or another external NAT device\.
 
-`AWS_VPC_K8S_CNI_RANDOMISESNAT`
+`AWS_VPC_K8S_CNI_RANDOMIZESNAT`
 Type: Boolean
 Default: `true`
-Specifies weather the SNAT `iptables` rule should randomise the outgoing ports for connections. When enabled the `--random` flag will be added to the SNAT `iptables` rule.
+Specifies weather the SNAT `iptables` rule should randomize the outgoing ports for connections. When enabled the `--random` flag will be added to the SNAT `iptables` rule.
 Disable this functionality if you rely on sequential port allocation for outgoing connections.
 
 `WARM_ENI_TARGET`
diff --git a/pkg/networkutils/network.go b/pkg/networkutils/network.go
index 5b971e9779..ebc9553a94 100644
--- a/pkg/networkutils/network.go
+++ b/pkg/networkutils/network.go
@@ -55,10 +55,10 @@ const (
 // be installed and will be removed if they are already installed. Defaults to false.
 envExternalSNAT = "AWS_VPC_K8S_CNI_EXTERNALSNAT"
 
- // This environment is used to specify weather an the SNAT rule added to iptables should randomise port
+ // This environment is used to specify weather an the SNAT rule added to iptables should randomize port
 // allocation for outgoing connections. If set to "true" the SNAT iptables rule will have the "--random" flag
 // added to it. Defaults to true.
- envRandomiseSNAT = "AWS_VPC_K8S_CNI_RANDOMISESNAT"
+ envRandomizeSNAT = "AWS_VPC_K8S_CNI_RANDOMIZESNAT"
 
 // envNodePortSupport is the name of environment variable that configures whether we implement support for
 // NodePorts on the primary ENI. This requires that we add additional iptables rules and loosen the kernel's
@@ -102,7 +102,7 @@ type NetworkAPIs interface {
 
 type linuxNetwork struct {
 useExternalSNAT bool
- randomiseSNAT bool
+ randomizeSNAT bool
 nodePortSupportEnabled bool
 connmark uint32
 
@@ -124,7 +124,7 @@ type iptablesIface interface {
 func New() NetworkAPIs {
 return &linuxNetwork{
 useExternalSNAT: useExternalSNAT(),
- randomiseSNAT: randomiseSNAT(),
+ randomizeSNAT: randomizeSNAT(),
 nodePortSupportEnabled: nodePortSupportEnabled(),
 mainENIMark: getConnmark(),
 
@@ -305,7 +305,7 @@ func (n *linuxNetwork) SetupHostNetwork(vpcCIDR *net.IPNet, vpcCIDRs []*string,
 snatRule := []string{"-m", "comment", "--comment", "AWS, SNAT",
 "-m", "addrtype", "!", "--dst-type", "LOCAL",
 "-j", "SNAT", "--to-source", primaryAddr.String()}
- if n.randomiseSNAT { snatRule.append("--random") }
+ if n.randomizeSNAT { snatRule.append("--random") }
 iptableRules = append(iptableRules, iptablesRule{
 name: "last SNAT rule for non-VPC outbound traffic",
 shouldExist: !n.useExternalSNAT,
@@ -435,8 +435,8 @@ func useExternalSNAT() bool {
 return getBoolEnvVar(envExternalSNAT, false)
 }
 
-func randomiseSNAT() bool {
- return getBoolEnvVar(envRandomiseSNAT, true)
+func randomizeSNAT() bool {
+ return getBoolEnvVar(envRandomizeSNAT, true)
 }
 
 func nodePortSupportEnabled() bool {
From 872428ec3dcba6975a18bd819eef39a2b78914dd Mon Sep 17 00:00:00 2001
From: TaylorB
Date: Tue, 27 Nov 2018 17:48:31 +1100
Subject: [PATCH 03/15] added PRNG/--random-fully functionality as well as fixed .append usage

---
 README.md | 2 +-
 pkg/networkutils/network.go | 38 ++++++++++++++++++++++++++++++-----
 2 files changed, 34 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index a822538d15..8287119bf1 100644
--- a/README.md
+++ b/README.md
@@ -102,7 +102,7 @@ Disable SNAT if you need to allow inbound communication to your pods from extern
 `AWS_VPC_K8S_CNI_RANDOMIZESNAT`
 Type: Boolean
 Default: `true`
-Specifies weather the SNAT `iptables` rule should randomize the outgoing ports for connections. When enabled the `--random` flag will be added to the SNAT `iptables` rule.
+Specifies weather the SNAT `iptables` rule should randomize the outgoing ports for connections. When enabled the `--random` flag will be added to the SNAT `iptables` rule. To use pseudo random number generation rather than hash based (i.e. `--random-fully`) use "prng" for the environment variable.
 Disable this functionality if you rely on sequential port allocation for outgoing connections.
 
 `WARM_ENI_TARGET`
diff --git a/pkg/networkutils/network.go b/pkg/networkutils/network.go
index ebc9553a94..a0846edfd5 100644
--- a/pkg/networkutils/network.go
+++ b/pkg/networkutils/network.go
@@ -57,7 +57,8 @@ const (
 
 // This environment is used to specify weather an the SNAT rule added to iptables should randomize port
 // allocation for outgoing connections. If set to "true" the SNAT iptables rule will have the "--random" flag
- // added to it. Defaults to true.
+ // added to it. Set it to "prng" if you want to use a pseudo random numbers, i.e. "--random-fully".
+ // Defaults to true.
 envRandomizeSNAT = "AWS_VPC_K8S_CNI_RANDOMIZESNAT"
 
 // envNodePortSupport is the name of environment variable that configures whether we implement support for
@@ -102,7 +103,7 @@ type NetworkAPIs interface {
 
 type linuxNetwork struct {
 useExternalSNAT bool
- randomizeSNAT bool
+ randomizeSNAT snatType
 nodePortSupportEnabled bool
 connmark uint32
 
@@ -120,6 +121,14 @@ type iptablesIface interface {
 NewChain(table, chain string) error
 }
 
+type snatType uint32
+
+const (
+ sequentialSNAT snatType = 0
+ randomHashSNAT snatType = 1
+ randomPRNGSNAT snatType = 2
+)
+
 // New creates a linuxNetwork object
 func New() NetworkAPIs {
 return &linuxNetwork{
@@ -305,7 +314,8 @@ func (n *linuxNetwork) SetupHostNetwork(vpcCIDR *net.IPNet, vpcCIDRs []*string,
 snatRule := []string{"-m", "comment", "--comment", "AWS, SNAT",
 "-m", "addrtype", "!", "--dst-type", "LOCAL",
 "-j", "SNAT", "--to-source", primaryAddr.String()}
- if n.randomizeSNAT { snatRule.append("--random") }
+ if n.randomizeSNAT == randomHashSNAT { snatRule = append(snatRule, "--random") }
+ if n.randomizeSNAT == randomPRNGSNAT { snatRule = append(snatRule, "--random-fully") }
 iptableRules = append(iptableRules, iptablesRule{
 name: "last SNAT rule for non-VPC outbound traffic",
 shouldExist: !n.useExternalSNAT,
@@ -435,8 +445,26 @@ func useExternalSNAT() bool {
 return getBoolEnvVar(envExternalSNAT, false)
 }
 
-func randomizeSNAT() bool {
- return getBoolEnvVar(envRandomizeSNAT, true)
+func randomizeSNAT() snatType {
+ defaultValue := randomHashSNAT
+ defaultString := "hash based random"
+ if strValue := os.Getenv(envRandomizeSNAT); strValue != "" {
+ parsedValue, err := strconv.ParseBool(strValue)
+ if err != nil {
+ if strings.Compare( "prng", strValue) == 0 {
+ return randomPRNGSNAT
+ }
+ log.Error("Failed to parse "+envRandomizeSNAT+"; using default: "+defaultString, err.Error())
+ return defaultValue
+ }
+ // true is equal to hash based random
+ if parsedValue {
+ return randomHashSNAT
+ }
+ // false is equal to sequential
+ return sequentialSNAT
+ }
+ return defaultValue
 }
 
 func nodePortSupportEnabled() bool {
From 6cce8f22a01b60cd221ec4e1ee772a18348a6a85 Mon Sep 17 00:00:00 2001
From: TaylorB
Date: Tue, 27 Nov 2018 17:58:10 +1100
Subject: [PATCH 04/15] clarified usage in documentation

---
 README.md | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 8287119bf1..9a9fa37b55 100644
--- a/README.md
+++ b/README.md
@@ -100,10 +100,11 @@ Specifies whether an external NAT gateway should be used to provide SNAT of seco
 Disable SNAT if you need to allow inbound communication to your pods from external VPNs, direct connections, and external VPCs, and your pods do not need to access the Internet directly via an Internet Gateway\. However, your nodes must be running in a private subnet and connected to the internet through an AWS NAT Gateway or another external NAT device\.
 
 `AWS_VPC_K8S_CNI_RANDOMIZESNAT`
-Type: Boolean
-Default: `true`
-Specifies weather the SNAT `iptables` rule should randomize the outgoing ports for connections. When enabled the `--random` flag will be added to the SNAT `iptables` rule. To use pseudo random number generation rather than hash based (i.e. `--random-fully`) use "prng" for the environment variable.
-Disable this functionality if you rely on sequential port allocation for outgoing connections.
+Type: String
+Default: `true`
+Valid Values: `true`, `prng`, `false`
+Specifies weather the SNAT `iptables` rule should randomize the outgoing ports for connections. When enabled (`true`) the `--random` flag will be added to the SNAT `iptables` rule. To use pseudo random number generation rather than hash based (i.e. `--random-fully`) use "prng" for the environment variable.
+Disable (`false`) this functionality if you rely on sequential port allocation for outgoing connections.
 
 `WARM_ENI_TARGET`
 Type: Integer
From dae39db6cd874143e7335ec91fe7dec0e886fa89 Mon Sep 17 00:00:00 2001
From: TaylorB
Date: Thu, 3 Jan 2019 09:56:36 +1100
Subject: [PATCH 05/15] Changed from true/false/prng to hashrandom/prng/none for clarity.

---
 README.md | 8 +++----
 pkg/networkutils/network.go | 47 +++++++++++++++++++++----------------
 2 files changed, 31 insertions(+), 24 deletions(-)

diff --git a/README.md b/README.md
index 9a9fa37b55..b6e1d089aa 100644
--- a/README.md
+++ b/README.md
@@ -101,10 +101,10 @@ Disable SNAT if you need to allow inbound communication to your pods from extern
 
 `AWS_VPC_K8S_CNI_RANDOMIZESNAT`
 Type: String
-Default: `true`
-Valid Values: `true`, `prng`, `false`
-Specifies weather the SNAT `iptables` rule should randomize the outgoing ports for connections. When enabled (`true`) the `--random` flag will be added to the SNAT `iptables` rule. To use pseudo random number generation rather than hash based (i.e. `--random-fully`) use "prng" for the environment variable.
-Disable (`false`) this functionality if you rely on sequential port allocation for outgoing connections.
+Default: `hashrandom`
+Valid Values: `hashrandom`, `prng`, `none`
+Specifies weather the SNAT `iptables` rule should randomize the outgoing ports for connections. When enabled (`hashrandom`) the `--random` flag will be added to the SNAT `iptables` rule. To use pseudo random number generation rather than hash based (i.e. `--random-fully`) use `prng` for the environment variable.
+Disable (`none`) this functionality if you rely on sequential port allocation for outgoing connections.
 
 `WARM_ENI_TARGET`
 Type: Integer
diff --git a/pkg/networkutils/network.go b/pkg/networkutils/network.go
index a0846edfd5..0dd357be23 100644
--- a/pkg/networkutils/network.go
+++ b/pkg/networkutils/network.go
@@ -55,10 +55,10 @@ const (
 // be installed and will be removed if they are already installed. Defaults to false.
 envExternalSNAT = "AWS_VPC_K8S_CNI_EXTERNALSNAT"
 
- // This environment is used to specify weather an the SNAT rule added to iptables should randomize port
- // allocation for outgoing connections. If set to "true" the SNAT iptables rule will have the "--random" flag
+ // This environment is used to specify weather the SNAT rule added to iptables should randomize port
+ // allocation for outgoing connections. If set to "hashrandom" the SNAT iptables rule will have the "--random" flag
 // added to it. Set it to "prng" if you want to use a pseudo random numbers, i.e. "--random-fully".
- // Defaults to true.
+ // Defaults to hashrandom.
 envRandomizeSNAT = "AWS_VPC_K8S_CNI_RANDOMIZESNAT"
 
 // envNodePortSupport is the name of environment variable that configures whether we implement support for
@@ -314,14 +314,18 @@ func (n *linuxNetwork) SetupHostNetwork(vpcCIDR *net.IPNet, vpcCIDRs []*string,
 snatRule := []string{"-m", "comment", "--comment", "AWS, SNAT",
 "-m", "addrtype", "!", "--dst-type", "LOCAL",
 "-j", "SNAT", "--to-source", primaryAddr.String()}
- if n.randomizeSNAT == randomHashSNAT { snatRule = append(snatRule, "--random") }
- if n.randomizeSNAT == randomPRNGSNAT { snatRule = append(snatRule, "--random-fully") }
+ if n.randomizeSNAT == randomHashSNAT {
+ snatRule = append(snatRule, "--random")
+ }
+ if n.randomizeSNAT == randomPRNGSNAT {
+ snatRule = append(snatRule, "--random-fully")
+ }
 iptableRules = append(iptableRules, iptablesRule{
 name: "last SNAT rule for non-VPC outbound traffic",
 shouldExist: !n.useExternalSNAT,
 table: "nat",
 chain: curChain,
- rule: snatRule,
+ rule: snatRule,
 })
 
 log.Debugf("iptableRules: %v", iptableRules)
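Review bot: The rewritten comment on `envRandomizeSNAT` still reads "specify weather" — it should be "whether" (the README paragraph carries the same typo through PATCH 15). More importantly, the comment lists the three values without saying what they mean for the security of outbound traffic: with `none` no randomization flag is passed, so the kernel's source-port mapping is the non-randomized one the README itself calls "sequential", and predictable outbound ports are what off-path spoofing attacks (DNS cache poisoning, blind TCP injection) depend on. I would add `// "none" leaves source-port selection non-randomized; keep "hashrandom" or "prng" unless a workload genuinely depends on sequential ports, since predictable ports make off-path spoofing easier.` so the caveat lives next to the knob rather than only in the README.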
@@ -448,22 +452,25 @@ func useExternalSNAT() bool {
 func randomizeSNAT() snatType {
 defaultValue := randomHashSNAT
 defaultString := "hash based random"
- if strValue := os.Getenv(envRandomizeSNAT); strValue != "" {
- parsedValue, err := strconv.ParseBool(strValue)
- if err != nil {
- if strings.Compare( "prng", strValue) == 0 {
- return randomPRNGSNAT
- }
- log.Error("Failed to parse "+envRandomizeSNAT+"; using default: "+defaultString, err.Error())
- return defaultValue
- }
- // true is equal to hash based random
- if parsedValue {
- return randomHashSNAT
- }
- // false is equal to sequential
+ strValue := os.Getenv(envRandomizeSNAT)
+ if strValue == "" {
+ // empty means default
+ return defaultValue
+ }
+ if strValue == "prng" {
+ // prng means to use --random-fully
+ return randomPRNGSNAT
+ }
+ if strValue == "none" {
+ // none means to disable randomisation (no flag)
 return sequentialSNAT
 }
+ if strValue == "hashrandom" {
+ // hashrandom means to use --random
+ return randomHashSNAT
+ }
+ // if we get to this point, the environment variable has an invalid value
+ log.Error("Failed to parse " + envRandomizeSNAT + "; using default: " + defaultString + ". Provided string was " + strValue)
 return defaultValue
 }
 
From c56d82e8525cdfba01ac6f6a9e9592cfa0d7f6ed Mon Sep 17 00:00:00 2001
From: TaylorB
Date: Sat, 5 Jan 2019 17:21:23 +1100
Subject: [PATCH 06/15] Switched to using iota instead of explicit enums.

---
 pkg/networkutils/network.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkg/networkutils/network.go b/pkg/networkutils/network.go
index 04b4345762..6fdb5e133c 100644
--- a/pkg/networkutils/network.go
+++ b/pkg/networkutils/network.go
@@ -125,9 +125,9 @@ type iptablesIface interface {
 type snatType uint32
 
 const (
- sequentialSNAT snatType = 0
- randomHashSNAT snatType = 1
- randomPRNGSNAT snatType = 2
+ sequentialSNAT snatType = iota
+ randomHashSNAT
+ randomPRNGSNAT
 )
 
 // New creates a linuxNetwork object
From 77f8938128ef2d667e67c8df172f8441c92eed38 Mon Sep 17 00:00:00 2001
From: TaylorB
Date: Tue, 8 Jan 2019 21:18:25 +1100
Subject: [PATCH 07/15] Switched to case and implemented iptables version aware code.

---
 README.md | 2 +-
 pkg/networkutils/network.go | 45 +++++++++++++++++++++----------------
 2 files changed, 27 insertions(+), 20 deletions(-)

diff --git a/README.md b/README.md
index b6e1d089aa..06f2089b6e 100644
--- a/README.md
+++ b/README.md
@@ -104,7 +104,7 @@ Type: String
 Default: `hashrandom`
 Valid Values: `hashrandom`, `prng`, `none`
 Specifies weather the SNAT `iptables` rule should randomize the outgoing ports for connections. When enabled (`hashrandom`) the `--random` flag will be added to the SNAT `iptables` rule. To use pseudo random number generation rather than hash based (i.e. `--random-fully`) use `prng` for the environment variable.
-Disable (`none`) this functionality if you rely on sequential port allocation for outgoing connections.
+Disable (`none`) this functionality if you rely on sequential port allocation for outgoing connections. For old versions if iptables that do not support `--random-fully` this option will fall back to `--random`.
 
 `WARM_ENI_TARGET`
 Type: Integer
diff --git a/pkg/networkutils/network.go b/pkg/networkutils/network.go
index 6fdb5e133c..dada163142 100644
--- a/pkg/networkutils/network.go
+++ b/pkg/networkutils/network.go
@@ -104,7 +104,7 @@ type NetworkAPIs interface {
 
 type linuxNetwork struct {
 useExternalSNAT bool
- randomizeSNAT snatType
+ typeOfSNAT snatType
 nodePortSupportEnabled bool
 connmark uint32
 
@@ -134,7 +134,7 @@ const (
 func New() NetworkAPIs {
 return &linuxNetwork{
 useExternalSNAT: useExternalSNAT(),
- randomizeSNAT: randomizeSNAT(),
+ typeOfSNAT: typeOfSNAT(),
 nodePortSupportEnabled: nodePortSupportEnabled(),
 mainENIMark: getConnmark(),
 
@@ -310,15 +310,22 @@ func (n *linuxNetwork) SetupHostNetwork(vpcCIDR *net.IPNet, vpcCIDRs []*string,
 }})
 }
 
+ // Prepare the Desired Rule for SNAT Rule
 curChain := fmt.Sprintf("AWS-SNAT-CHAIN-%d", len(vpcCIDRs))
 snatRule := []string{"-m", "comment", "--comment", "AWS, SNAT",
 "-m", "addrtype", "!", "--dst-type", "LOCAL",
 "-j", "SNAT", "--to-source", primaryAddr.String()}
- if n.randomizeSNAT == randomHashSNAT {
+ if n.typeOfSNAT == randomHashSNAT {
 snatRule = append(snatRule, "--random")
 }
- if n.randomizeSNAT == randomPRNGSNAT {
- snatRule = append(snatRule, "--random-fully")
+ if n.typeOfSNAT == randomPRNGSNAT {
+ if ipt.HasRandomFully() {
+ snatRule = append(snatRule, "--random-fully")
+ } else {
+ log.Warning("prng (--random-fully) requested, but iptables version does not support it." +
+ "Falling back to hashrandom (--random)")
+ snatRule = append(snatRule, "--random")
+ }
 }
 iptableRules = append(iptableRules, iptablesRule{
 name: "last SNAT rule for non-VPC outbound traffic",
@@ -331,7 +338,6 @@ func (n *linuxNetwork) SetupHostNetwork(vpcCIDR *net.IPNet, vpcCIDRs []*string,
 log.Debugf("iptableRules: %v", iptableRules)
 
 iptableRules = append(iptableRules, iptablesRule{
-
 name: "connmark for primary ENI",
 shouldExist: n.nodePortSupportEnabled,
 table: "mangle",
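Review bot: The `else` branch under `if n.typeOfSNAT == randomPRNGSNAT` downgrades an explicitly requested `--random-fully` to `--random` with nothing but a `log.Warning`, so an operator who set `prng` specifically for full port randomization can end up with the weaker hash-based mapping and not notice unless they read node logs. Consider refusing to proceed when the requested mode is unsupported, or at least surface the effective mode somewhere observable; at minimum the message should say what was lost, e.g. `"Falling back to hashrandom (--random); outbound source ports will be less unpredictable than requested"` (note the missing space before "Falling" in the concatenation, fixed in PATCH 08). Also, `ipt.HasRandomFully()` presumably answers for the iptables userspace binary only — the iptables manual ties `--random-fully` to a minimum kernel as well, and on an older kernel the rule would fail at insert time rather than here, which deserves a comment on the `if`. SetupHostNetwork starts and ends outside the hunk.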
@@ -449,29 +455,30 @@ func useExternalSNAT() bool {
 return getBoolEnvVar(envExternalSNAT, false)
 }
 
-func randomizeSNAT() snatType {
+func typeOfSNAT() snatType {
 defaultValue := randomHashSNAT
- defaultString := "hash based random"
- strValue := os.Getenv(envRandomizeSNAT)
- if strValue == "" {
+ defaultString := "hashrandom"
+ switch os.Getenv(envRandomizeSNAT) {
+ case "":
 // empty means default
 return defaultValue
- }
- if strValue == "prng" {
+ case "prng":
 // prng means to use --random-fully
+ // note: for old versions of iptables, this will fall back to --random
 return randomPRNGSNAT
- }
- if strValue == "none" {
+ case "none":
 // none means to disable randomisation (no flag)
 return sequentialSNAT
- }
- if strValue == "hashrandom" {
+
+ case defaultString:
 // hashrandom means to use --random
 return randomHashSNAT
+ default:
+ // if we get to this point, the environment variable has an invalid value
+ log.Error("Failed to parse " + envRandomizeSNAT + "; using default: " + defaultString + ". Provided string was " +
+ strValue)
+ return defaultValue
 }
- // if we get to this point, the environment variable has an invalid value
- log.Error("Failed to parse " + envRandomizeSNAT + "; using default: " + defaultString + ". Provided string was " + strValue)
- return defaultValue
 }
 
 func nodePortSupportEnabled() bool {
From f04d1ca8a812e4dcca8a91efdb255958683fa74d Mon Sep 17 00:00:00 2001
From: TaylorB
Date: Tue, 8 Jan 2019 21:29:43 +1100
Subject: [PATCH 08/15] Fixed error with unreference strValue and Error/Warnings

---
 pkg/networkutils/network.go | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/pkg/networkutils/network.go b/pkg/networkutils/network.go
index dada163142..a5cd7da971 100644
--- a/pkg/networkutils/network.go
+++ b/pkg/networkutils/network.go
@@ -322,7 +322,7 @@ func (n *linuxNetwork) SetupHostNetwork(vpcCIDR *net.IPNet, vpcCIDRs []*string,
 if ipt.HasRandomFully() {
 snatRule = append(snatRule, "--random-fully")
 } else {
- log.Warning("prng (--random-fully) requested, but iptables version does not support it." +
+ log.Warn("prng (--random-fully) requested, but iptables version does not support it. " +
 "Falling back to hashrandom (--random)")
 snatRule = append(snatRule, "--random")
 }
@@ -458,13 +458,14 @@ func useExternalSNAT() bool {
 func typeOfSNAT() snatType {
 defaultValue := randomHashSNAT
 defaultString := "hashrandom"
- switch os.Getenv(envRandomizeSNAT) {
+ strValue := os.Getenv(envRandomizeSNAT)
+ switch strValue {
 case "":
 // empty means default
 return defaultValue
 case "prng":
 // prng means to use --random-fully
- // note: for old versions of iptables, this will fall back to --random
+ // note: for old versions of iptables/, this will fall back to --random
 return randomPRNGSNAT
 case "none":
 // none means to disable randomisation (no flag)
@@ -475,7 +476,7 @@ func typeOfSNAT() snatType {
 return randomHashSNAT
 default:
 // if we get to this point, the environment variable has an invalid value
- log.Error("Failed to parse " + envRandomizeSNAT + "; using default: " + defaultString + ". Provided string was " +
+ log.Errorf("Failed to parse %s; using default: %s. Provided string was \"%s\"", envRandomizeSNAT, defaultString,
 strValue)
 return defaultValue
 }
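Review bot: `switch strValue` matches the accepted values case-sensitively and the `default` arm turns anything else — `PRNG`, a value with trailing whitespace, a typo — into `hashrandom` after an error log, so a misconfigured node quietly runs a different SNAT mode than the operator intended; for a knob that decides how unpredictable outbound ports are, that silent substitution is easy to miss. Either normalize the input before the switch, `switch strings.ToLower(strings.TrimSpace(strValue)) {`, or treat an unrecognized value as a startup failure rather than a fallback, and say so in the comment on `envRandomizeSNAT`. The `case defaultString:` arm (just above this hunk) also hides the literal `"hashrandom"` behind a variable, so a reader scanning the switch for accepted values does not see it; `case "hashrandom":` reads better. The start of typeOfSNAT and its closing lines fall outside the hunks shown here.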
@@ -465,7 +465,7 @@ func typeOfSNAT() snatType {
 return defaultValue
 case "prng":
 // prng means to use --random-fully
- // note: for old versions of iptables/, this will fall back to --random
+ // note: for old versions of iptables, this will fall back to --random
 return randomPRNGSNAT
 case "none":
 // none means to disable randomisation (no flag)
From cabd8f008256a0b362b5c0a219ba2452d8a45230 Mon Sep 17 00:00:00 2001
From: TaylorB
Date: Tue, 8 Jan 2019 21:47:14 +1100
Subject: [PATCH 10/15] Completed go-iptables interface

---
 pkg/networkutils/network.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/pkg/networkutils/network.go b/pkg/networkutils/network.go
index 6b64bc5262..1ea00b0129 100644
--- a/pkg/networkutils/network.go
+++ b/pkg/networkutils/network.go
@@ -117,9 +117,15 @@ type linuxNetwork struct {
 
 type iptablesIface interface {
 Exists(table, chain string, rulespec ...string) (bool, error)
+ Insert(table, chain string, pos int, rulespec ...string) error
 Append(table, chain string, rulespec ...string) error
 Delete(table, chain string, rulespec ...string) error
+ List(table, chain string) ([]string, error)
 NewChain(table, chain string) error
+ ClearChain(table, chain string) error
+ DeleteChain(table, chain string) error
+ ListChains(table string) ([]string, error)
+ HasRandomFully() bool
 }
 
 type snatType uint32
@@ -319,7 +325,7 @@ func (n *linuxNetwork) SetupHostNetwork(vpcCIDR *net.IPNet, vpcCIDRs []*string,
 snatRule = append(snatRule, "--random")
 }
 if n.typeOfSNAT == randomPRNGSNAT {
- if ipt.HasRandomFully() {
+ if ipt.HasRandomFully {
 snatRule = append(snatRule, "--random-fully")
 } else {
 log.Warn("prng (--random-fully) requested, but iptables version does not support it. " +
From 76ba5c026b56855ba7a315799fff9700547d056b Mon Sep 17 00:00:00 2001
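Review bot: The five new methods on `iptablesIface` — `Insert`, `List`, `ClearChain`, `DeleteChain`, `ListChains` — are not called by any change in this series; the only method the `--random-fully` check needs is `HasRandomFully()`. This is a consumer-side interface, so it should stay as small as what this package actually uses; widening it to mirror the library forces every fake to grow (PATCH 12 adds six no-op stubs) without adding any coverage. I would add just `HasRandomFully() bool` here and leave the rest until something calls them. The `@@ -319` hunk in the same commit also drops the `()` from `ipt.HasRandomFully`, which leaves a method value where a boolean condition is required and does not compile until PATCH 11 restores it.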
From: TaylorB
Date: Tue, 8 Jan 2019 21:50:29 +1100
Subject: [PATCH 11/15] Accidently removed () from function, restoring

---
 Gopkg.toml | 4 ++++
 pkg/networkutils/network.go | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/Gopkg.toml b/Gopkg.toml
index 4195cd2923..3c78c62e01 100644
--- a/Gopkg.toml
+++ b/Gopkg.toml
@@ -92,3 +92,7 @@ name = "k8s.io/client-go"
 # revision for tag "kubernetes-1.10.1"
 revision = "989be4278f353e42f26c416c53757d16fcff77db"
 
+
+[[constraint]]
+ name = "firepear.net/qsplit"
+ version = "2.2.2"
diff --git a/pkg/networkutils/network.go b/pkg/networkutils/network.go
index 1ea00b0129..ad0382a2ea 100644
--- a/pkg/networkutils/network.go
+++ b/pkg/networkutils/network.go
@@ -325,7 +325,7 @@ func (n *linuxNetwork) SetupHostNetwork(vpcCIDR *net.IPNet, vpcCIDRs []*string,
 snatRule = append(snatRule, "--random")
 }
 if n.typeOfSNAT == randomPRNGSNAT {
- if ipt.HasRandomFully {
+ if ipt.HasRandomFully() {
 snatRule = append(snatRule, "--random-fully")
 } else {
 log.Warn("prng (--random-fully) requested, but iptables version does not support it. " +
From 3c1a613a78db7731a90fae280a111af1a49f7e40 Mon Sep 17 00:00:00 2001
From: TaylorB
Date: Tue, 8 Jan 2019 22:13:31 +1100
Subject: [PATCH 12/15] Created dummy mock functions to complete interface

---
 pkg/networkutils/network_test.go | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/pkg/networkutils/network_test.go b/pkg/networkutils/network_test.go
index d8d14136fe..efc58b18c6 100644
--- a/pkg/networkutils/network_test.go
+++ b/pkg/networkutils/network_test.go
@@ -313,6 +313,10 @@ func (ipt *mockIptables) Exists(table, chainName string, rulespec ...string) (bo
 return false, nil
 }
 
+func (ipt *mockIptables) Insert(table, chain string, pos int, rulespec ...string) error {
+ return nil
+}
+
 func (ipt *mockIptables) Append(table, chain string, rulespec ...string) error {
 if ipt.dataplaneState[table] == nil {
 ipt.dataplaneState[table] = map[string][][]string{}
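Review bot: The Gopkg.toml hunk adds a `[[constraint]]` on `firepear.net/qsplit` that no code in this series imports and that the commit message ("restoring ()") does not mention; a third-party dependency constraint surfacing in an unrelated commit is exactly the kind of change a supply-chain review should stop on and ask about. It is reverted in PATCH 14, so the series' net effect on dependencies is nil, but squashing would keep the stray constraint (and its version pin) out of history entirely. If a later change genuinely needs the package, add it in its own commit with the reason and the resolved revision stated.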
@@ -339,10 +343,32 @@ func (ipt *mockIptables) Delete(table, chainName string, rulespec ...string) err
 return nil
 }
 
+func (ipt *mockIptables) List(table, chain string) ([]string, error) {
+ return nil, nil
+
+}
+
 func (ipt *mockIptables) NewChain(table, chain string) error {
 return nil
 }
 
+func (ipt *mockIptables) ClearChain(table, chain string) error {
+ return nil
+}
+
+func (ipt *mockIptables) DeleteChain(table, chain string) error {
+ return nil
+}
+
+func (ipt *mockIptables) ListChains(table string) ([]string, error) {
+ return nil, nil
+}
+
+func (ipt *mockIptables) HasFullyRandom() bool {
+ // TODO: Work out how to write a test case for this
+ return true
+}
+
 type mockFile struct {
 closed bool
 data string
From c776b6bafc9c317a4d26b187fbd19af725dc111a Mon Sep 17 00:00:00 2001
From: TaylorB
Date: Tue, 8 Jan 2019 22:21:00 +1100
Subject: [PATCH 13/15] HasRandomFully() not HasFullyRandom()

---
 pkg/networkutils/network_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/networkutils/network_test.go b/pkg/networkutils/network_test.go
index efc58b18c6..4b68d68fdd 100644
--- a/pkg/networkutils/network_test.go
+++ b/pkg/networkutils/network_test.go
@@ -364,7 +364,7 @@ func (ipt *mockIptables) ListChains(table string) ([]string, error) {
 return nil, nil
 }
 
-func (ipt *mockIptables) HasFullyRandom() bool {
+func (ipt *mockIptables) HasRandomFully() bool {
 // TODO: Work out how to write a test case for this
 return true
 }
From a5db8d7cd5cf75dced1d09dc7f3aef61b2eb994b Mon Sep 17 00:00:00 2001
From: TaylorB
Date: Tue, 8 Jan 2019 22:30:54 +1100
Subject: [PATCH 14/15] Removed package as it's not required for this PR.

---
 Gopkg.toml | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/Gopkg.toml b/Gopkg.toml
index 3c78c62e01..4195cd2923 100644
--- a/Gopkg.toml
+++ b/Gopkg.toml
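Review bot: `HasFullyRandom()` on the mock hard-codes `true`, so the fallback branch in SetupHostNetwork that emits `--random` when `--random-fully` is unsupported is never exercised by the tests (and the name does not match the `HasRandomFully()` the interface declares, corrected only in PATCH 13). Make the answer configurable instead of leaving the TODO: add a `hasRandomFully bool` field to `mockIptables` (its definition is outside this hunk) and return it, `func (ipt *mockIptables) HasRandomFully() bool { return ipt.hasRandomFully }`, then add a case that builds the network with `typeOfSNAT: randomPRNGSNAT`, leaves the field false, and asserts the rule the `Append` mock appears to record in `dataplaneState` ends with `--random` rather than `--random-fully`. The other stubs returning `nil, nil` are acceptable placeholders, though `List` has a stray blank line before its closing brace.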
@@ -92,7 +92,3 @@ name = "k8s.io/client-go"
 # revision for tag "kubernetes-1.10.1"
 revision = "989be4278f353e42f26c416c53757d16fcff77db"
 
-
-[[constraint]]
- name = "firepear.net/qsplit"
- version = "2.2.2"
From e59edf200179e82d6cd141d8e394f4d4b7978bb4 Mon Sep 17 00:00:00 2001
From: TaylorB
Date: Wed, 9 Jan 2019 10:50:35 +1100
Subject: [PATCH 15/15] Cleaned up documentation order and typo.

---
 README.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 06f2089b6e..a5d8a1acc6 100644
--- a/README.md
+++ b/README.md
@@ -103,8 +103,9 @@ Disable SNAT if you need to allow inbound communication to your pods from extern
 Type: String
 Default: `hashrandom`
 Valid Values: `hashrandom`, `prng`, `none`
-Specifies weather the SNAT `iptables` rule should randomize the outgoing ports for connections. When enabled (`hashrandom`) the `--random` flag will be added to the SNAT `iptables` rule. To use pseudo random number generation rather than hash based (i.e. `--random-fully`) use `prng` for the environment variable.
-Disable (`none`) this functionality if you rely on sequential port allocation for outgoing connections. For old versions if iptables that do not support `--random-fully` this option will fall back to `--random`.
+Specifies weather the SNAT `iptables` rule should randomize the outgoing ports for connections. When enabled (`hashrandom`) the `--random` flag will be added to the SNAT `iptables` rule.
+To use pseudo random number generation rather than hash based (i.e. `--random-fully`) use `prng` for the environment variable. For old versions of `iptables` that do not support `--random-fully` this option will fall back to `--random`.
+Disable (`none`) this functionality if you rely on sequential port allocation for outgoing connections.
 
 `WARM_ENI_TARGET`
 Type: Integer