Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: enables bridge-nf-call-iptables by default #539

Merged
merged 1 commit into from
Aug 23, 2023

Conversation

sam-berning
Copy link
Contributor

Issue #, if available: #538

Description of changes:

Enables net.bridge.bridge-nf-call-iptables by default in sysctl. This will send packets in a bridge network to iptables for processing.

This will also fix the warning on finch info:

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

Testing done:

  1. finch info
  2. Inspected /etc/sysctl.d/99-lima.conf to ensure all of the expected fields are there
  3. Reproduced Finch does not apply iptables rules to containers running in a bridge network #538 against my local Finch, and it succeeded.

To discuss: is it worth creating a new sysctl config file instead of appending to /etc/sysctl.d/99-lima.conf?

  • I've reviewed the guidance in CONTRIBUTING.md

License Acceptance

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

pendo324
pendo324 previously approved these changes Aug 18, 2023
Copy link
Member

@pendo324 pendo324 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, I do wonder if this type of thing should be added directly to Lima though. We don't really need a detection that br_netfilter is loaded (with modprobe), but Lima would.

finch.yaml Outdated Show resolved Hide resolved
@weikequ
Copy link
Contributor

weikequ commented Aug 18, 2023

Looks good, I do wonder if this type of thing should be added directly to Lima though. We don't really need a detection that br_netfilter is loaded (with modprobe), but Lima would.

Any reason why it's disabled by default? There's no issues on lima nor is there any references to this in the codebase except for a k8s example that is almost the same as what we've written here. Good job on figuring this out!

weikequ
weikequ previously approved these changes Aug 18, 2023
@sam-berning
Copy link
Contributor Author

Looks good, I do wonder if this type of thing should be added directly to Lima though. We don't really need a detection that br_netfilter is loaded (with modprobe), but Lima would.

Yeah, I think that's a good call. Will open a PR to Lima too

@pendo324
Copy link
Member

Looks good, I do wonder if this type of thing should be added directly to Lima though. We don't really need a detection that br_netfilter is loaded (with modprobe), but Lima would.

Yeah, I think that's a good call. Will open a PR to Lima too

This is probably where I'd put it in Lima
https://github.com/lima-vm/lima/blob/master/pkg/cidata/cidata.TEMPLATE.d/boot/00-modprobe.sh

@sam-berning
Copy link
Contributor Author

Any reason why it's disabled by default? There's no issues on lima nor is there any references to this

According to this page: it's disabled in Fedora by default because it can cause traffic to virtual machines to be blocked if the host's iptables rules do not account for the guest. It also notes that it's enabled in the Linux kernel settings by default, and only some distributions have it disabled -- I think this is likely why Lima doesn't have any logic to enable it.

@pendo324
Copy link
Member

Looks good, I do wonder if this type of thing should be added directly to Lima though. We don't really need a detection that br_netfilter is loaded (with modprobe), but Lima would.

Yeah, I think that's a good call. Will open a PR to Lima too

You might want to ask on an issue or on Slack why its not in the list already though. It seems like a weird thing to not include, unless they left it out on purpose.

@sam-berning sam-berning dismissed stale reviews from weikequ and pendo324 via 3828f54 August 18, 2023 18:49
@sam-berning sam-berning force-pushed the enable-bridge-iptables branch from 4a88538 to 3828f54 Compare August 18, 2023 18:49
mharwani
mharwani previously approved these changes Aug 19, 2023
pendo324
pendo324 previously approved these changes Aug 21, 2023
@sam-berning sam-berning dismissed stale reviews from pendo324 and mharwani via daa8ac9 August 21, 2023 17:45
@sam-berning sam-berning force-pushed the enable-bridge-iptables branch from 3828f54 to daa8ac9 Compare August 21, 2023 17:45
@sam-berning
Copy link
Contributor Author

@mharwani I realized that though the br_netfilter kernel module enables these configs by default, it's probably safer long term to explicitly configure them vs. relying on the defaults, so I added /etc/sysctl.d/99-finch.conf. I think it probably won't matter but this approach is ever so slightly safer

mharwani
mharwani previously approved these changes Aug 22, 2023
Copy link
Contributor

@monirul monirul left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@sam-berning sam-berning merged commit 6ea1499 into runfinch:main Aug 23, 2023
KevinLiAWS pushed a commit that referenced this pull request Sep 26, 2023
🤖 I have created a release *beep* *boop*
---


## [0.9.0](v0.8.0...v0.9.0)
(2023-09-25)


### Features

* support push with SOCI
([#578](#578))
([69721b7](69721b7))
* supports adding files inside the VM to support bundles
([#549](#549))
([3b1df46](3b1df46))


### Bug Fixes

* enables bridge-nf-call-iptables by default
([#539](#539))
([6ea1499](6ea1499))
* **Makefile:** use POSIX tar syntax for stdin
([#529](#529))
([e222131](e222131))


### Build System or External Dependencies

* **deps:** Bump github.com/docker/cli from 24.0.5+incompatible to
24.0.6+incompatible
([#560](#560))
([21bb893](21bb893))
* **deps:** Bump github.com/docker/docker from 24.0.5+incompatible to
24.0.6+incompatible
([#561](#561))
([e0160be](e0160be))
* **deps:** Bump github.com/onsi/ginkgo/v2 from 2.11.0 to 2.12.0
([#542](#542))
([8536481](8536481))
* **deps:** Bump github.com/runfinch/common-tests from 0.7.2 to 0.7.3
([#548](#548))
([a054ef3](a054ef3))
* **deps:** Bump github.com/shirou/gopsutil/v3 from 3.23.7 to 3.23.8
([#552](#552))
([cf9399a](cf9399a))
* **deps:** Bump golang.org/x/crypto from 0.12.0 to 0.13.0
([#558](#558))
([f24264d](f24264d))
* **deps:** Bump golang.org/x/tools from 0.12.0 to 0.13.0
([#559](#559))
([0f56d23](0f56d23))
* **deps:** Bump k8s.io/apimachinery from 0.28.0 to 0.28.1
([#543](#543))
([675f76f](675f76f))
* **deps:** Bump k8s.io/apimachinery from 0.28.1 to 0.28.2
([#568](#568))
([915d658](915d658))
* **deps:** Bump submodules and dependencies
([#544](#544))
([94b7497](94b7497))
* **deps:** Bump submodules and dependencies
([#551](#551))
([baf645f](baf645f))
* **deps:** Bump submodules and dependencies
([#565](#565))
([c02413f](c02413f))
* **deps:** Bump submodules and dependencies
([#567](#567))
([f70314e](f70314e))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
ginglis13 pushed a commit to ginglis13/finch that referenced this pull request Sep 27, 2023
🤖 I have created a release *beep* *boop*
---


## [0.9.0](runfinch/finch@v0.8.0...v0.9.0)
(2023-09-25)


### Features

* support push with SOCI
([runfinch#578](runfinch#578))
([69721b7](runfinch@69721b7))
* supports adding files inside the VM to support bundles
([runfinch#549](runfinch#549))
([3b1df46](runfinch@3b1df46))


### Bug Fixes

* enables bridge-nf-call-iptables by default
([runfinch#539](runfinch#539))
([6ea1499](runfinch@6ea1499))
* **Makefile:** use POSIX tar syntax for stdin
([runfinch#529](runfinch#529))
([e222131](runfinch@e222131))


### Build System or External Dependencies

* **deps:** Bump github.com/docker/cli from 24.0.5+incompatible to
24.0.6+incompatible
([runfinch#560](runfinch#560))
([21bb893](runfinch@21bb893))
* **deps:** Bump github.com/docker/docker from 24.0.5+incompatible to
24.0.6+incompatible
([runfinch#561](runfinch#561))
([e0160be](runfinch@e0160be))
* **deps:** Bump github.com/onsi/ginkgo/v2 from 2.11.0 to 2.12.0
([runfinch#542](runfinch#542))
([8536481](runfinch@8536481))
* **deps:** Bump github.com/runfinch/common-tests from 0.7.2 to 0.7.3
([runfinch#548](runfinch#548))
([a054ef3](runfinch@a054ef3))
* **deps:** Bump github.com/shirou/gopsutil/v3 from 3.23.7 to 3.23.8
([runfinch#552](runfinch#552))
([cf9399a](runfinch@cf9399a))
* **deps:** Bump golang.org/x/crypto from 0.12.0 to 0.13.0
([runfinch#558](runfinch#558))
([f24264d](runfinch@f24264d))
* **deps:** Bump golang.org/x/tools from 0.12.0 to 0.13.0
([runfinch#559](runfinch#559))
([0f56d23](runfinch@0f56d23))
* **deps:** Bump k8s.io/apimachinery from 0.28.0 to 0.28.1
([runfinch#543](runfinch#543))
([675f76f](runfinch@675f76f))
* **deps:** Bump k8s.io/apimachinery from 0.28.1 to 0.28.2
([runfinch#568](runfinch#568))
([915d658](runfinch@915d658))
* **deps:** Bump submodules and dependencies
([runfinch#544](runfinch#544))
([94b7497](runfinch@94b7497))
* **deps:** Bump submodules and dependencies
([runfinch#551](runfinch#551))
([baf645f](runfinch@baf645f))
* **deps:** Bump submodules and dependencies
([runfinch#565](runfinch#565))
([c02413f](runfinch@c02413f))
* **deps:** Bump submodules and dependencies
([runfinch#567](runfinch#567))
([f70314e](runfinch@f70314e))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants