### Issue

We have noticed a strange case when we have Dynamic ASGs enabled. If there are two ASGs that define the same rules, and both are assigned to the same Space, then with Static ASGs, when an application is deployed, there will be only one rule in iptables for this ASG, whereas with Dynamic ASGs there will be two rules.
### Steps to Reproduce

1. Enable Dynamic ASGs.
2. Create multiple security groups with the same rule.
3. Bind them to a space and push an application.
4. SSH to the diego-cell that hosts one of the app's instances.
5. Use `iptables -L` to list all the rules.
### Current result

We can see multiple identical rules:
```
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.210-10.0.25.210 tcp dpt:https
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.210-10.0.25.210 tcp dpt:http
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.209-10.0.25.209 tcp dpt:https
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.209-10.0.25.209 tcp dpt:http
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.208-10.0.25.208 tcp dpt:https
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.208-10.0.25.208 tcp dpt:http
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.207-10.0.25.207 tcp dpt:https
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.207-10.0.25.207 tcp dpt:http
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.206-10.0.25.206 tcp dpt:https
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.206-10.0.25.206 tcp dpt:http
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.213-10.0.25.213 tcp dpt:https
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.213-10.0.25.213 tcp dpt:http
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.212-10.0.25.212 tcp dpt:https
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.212-10.0.25.212 tcp dpt:http
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.211-10.0.25.211 tcp dpt:https
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.211-10.0.25.211 tcp dpt:http
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.210-10.0.25.210 tcp dpt:https
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.210-10.0.25.210 tcp dpt:http
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.209-10.0.25.209 tcp dpt:https
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.209-10.0.25.209 tcp dpt:http
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.208-10.0.25.208 tcp dpt:https
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.208-10.0.25.208 tcp dpt:http
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.207-10.0.25.207 tcp dpt:https
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.207-10.0.25.207 tcp dpt:http
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.206-10.0.25.206 tcp dpt:https
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.206-10.0.25.206 tcp dpt:http
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.213-10.0.25.213 tcp dpt:https
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.213-10.0.25.213 tcp dpt:http
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.212-10.0.25.212 tcp dpt:https
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.212-10.0.25.212 tcp dpt:http
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.211-10.0.25.211 tcp dpt:https
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.211-10.0.25.211 tcp dpt:http
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.210-10.0.25.210 tcp dpt:https
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.210-10.0.25.210 tcp dpt:http
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.209-10.0.25.209 tcp dpt:https
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.209-10.0.25.209 tcp dpt:http
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.208-10.0.25.208 tcp dpt:https
netout--09cc0b12-2608-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.208-10.0.25.208 tcp dpt:http
```
### Expected result

Even though there are multiple ASGs defining our rule, there should be only one iptables entry for that rule.

Dump with the dedupe function added:
```
netout--57942260-0d24-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.213-10.0.25.213 tcp dpt:https
netout--57942260-0d24-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.213-10.0.25.213 tcp dpt:http
netout--57942260-0d24-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.212-10.0.25.212 tcp dpt:https
netout--57942260-0d24-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.212-10.0.25.212 tcp dpt:http
netout--57942260-0d24-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.211-10.0.25.211 tcp dpt:https
netout--57942260-0d24-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.211-10.0.25.211 tcp dpt:http
netout--57942260-0d24-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.210-10.0.25.210 tcp dpt:https
netout--57942260-0d24-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.210-10.0.25.210 tcp dpt:http
netout--57942260-0d24-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.209-10.0.25.209 tcp dpt:https
netout--57942260-0d24-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.209-10.0.25.209 tcp dpt:http
netout--57942260-0d24-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.208-10.0.25.208 tcp dpt:https
netout--57942260-0d24-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.208-10.0.25.208 tcp dpt:http
netout--57942260-0d24-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.207-10.0.25.207 tcp dpt:https
netout--57942260-0d24-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.207-10.0.25.207 tcp dpt:http
netout--57942260-0d24-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.206-10.0.25.206 tcp dpt:https
netout--57942260-0d24-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.25.206-10.0.25.206 tcp dpt:http
netout--57942260-0d24-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.2.32-10.0.2.63 tcp dpt:2222
netout--57942260-0d24-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.2.32-10.0.2.63 tcp dpt:https
netout--57942260-0d24-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.2.32-10.0.2.63 tcp dpt:http
netout--57942260-0d24-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.1.32-10.0.1.63 tcp dpt:2222
netout--57942260-0d24-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.1.32-10.0.1.63 tcp dpt:https
netout--57942260-0d24-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.1.32-10.0.1.63 tcp dpt:http
netout--57942260-0d24-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.0.32-10.0.0.63 tcp dpt:2222
netout--57942260-0d24-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.0.32-10.0.0.63 tcp dpt:https
netout--57942260-0d24-4--log tcp -- anywhere anywhere [goto] destination IP range 10.0.0.32-10.0.0.63 tcp dpt:http
```
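The dedupe behaviour the expected result describes, as an added example written for this issue (it is not cf-networking's code and does not reproduce the fix referenced here). It works on `iptables -S <chain>` style lines, keeps the first occurrence of each rule so chain order is preserved, and also reports which rules are repeated, which is the quick check to run on a cell before and after a fix. The chain name, addresses and rule lines in `sampleRules` are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of what a per-container netout chain looks like when two
// dynamic ASGs carry the same rule, in `iptables -S <chain>` form. The chain
// name and addresses are made up for this example, not taken from a real cell.
const sampleRules = `-A netout--09cc0b12-2608-4 -d 10.0.25.210/32 -p tcp -m tcp --dport 443 -g netout--09cc0b12-2608-4--log
-A netout--09cc0b12-2608-4 -d 10.0.25.210/32 -p tcp -m tcp --dport 80 -g netout--09cc0b12-2608-4--log
-A netout--09cc0b12-2608-4 -d 10.0.25.210/32 -p tcp -m tcp --dport 443 -g netout--09cc0b12-2608-4--log
-A netout--09cc0b12-2608-4 -d 10.0.25.210/32 -p tcp -m tcp --dport 80 -g netout--09cc0b12-2608-4--log
-A netout--09cc0b12-2608-4 -d 10.0.25.209/32 -p tcp -m tcp --dport 443 -g netout--09cc0b12-2608-4--log
`

// normalizeRule collapses runs of whitespace so two rules that differ only in
// spacing compare as equal.
func normalizeRule(line string) string {
	return strings.Join(strings.Fields(line), " ")
}

// DedupeRules drops exact duplicates while keeping the first occurrence, so the
// relative order of the remaining rules (and therefore match priority) is unchanged.
func DedupeRules(rules []string) []string {
	seen := make(map[string]struct{}, len(rules))
	out := make([]string, 0, len(rules))
	for _, r := range rules {
		key := normalizeRule(r)
		if key == "" {
			continue // skip blank lines
		}
		if _, dup := seen[key]; dup {
			continue
		}
		seen[key] = struct{}{}
		out = append(out, key)
	}
	return out
}

// DuplicateCounts returns every rule that appears more than once together with
// its occurrence count; an empty map means the chain is already converged.
func DuplicateCounts(rules []string) map[string]int {
	counts := make(map[string]int)
	for _, r := range rules {
		if key := normalizeRule(r); key != "" {
			counts[key]++
		}
	}
	dups := make(map[string]int)
	for k, n := range counts {
		if n > 1 {
			dups[k] = n
		}
	}
	return dups
}

// splitLines turns captured iptables output into one entry per rule.
func splitLines(s string) []string {
	return strings.Split(strings.TrimSpace(s), "\n")
}

func main() {
	rules := splitLines(sampleRules)
	fmt.Printf("%d rules, %d distinct\n", len(rules), len(DedupeRules(rules)))
	for rule, n := range DuplicateCounts(rules) {
		fmt.Printf("x%d %s\n", n, rule)
	}
}
```

On a real cell the same functions can be fed the output of `iptables -S` for the container's netout chain; a non-empty result from `DuplicateCounts` is the condition this issue describes.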
### Additional Context

We introduced a temporary fix by using a patched-up version of the iptables-restore binary that removes duplicate rules when called. This solution has been running live for a few months and we have seen great results.
### Possible Fix

#101