Install iptables rules to allow wireguard packets #7030
Conversation
|
/test-all |
|
/test-windows-all |
2 similar comments
|
/test-windows-all |
|
/test-windows-all |
There was a problem hiding this comment.
cc @Dhruv-J who is working on something similar for NodeLatencyMonitor (ICMP filter rules)
wenyingd
changed the title
|
/test-all |
| }, | ||
| }, | ||
| { | ||
| name: "encap,wireguard,egress=true,multicastEnabled=true,proxyAll=true,nodeNetworkPolicy=true,nodeSNATRandomFully=true", |
There was a problem hiding this comment.
would it make the tests a bit less verbose if we removed multicast and proxyAll?
There was a problem hiding this comment.
sure, I will update.
There was a problem hiding this comment.
I saw the change for the second test case but not this one, was it intentional?
There was a problem hiding this comment.
Yes, this case is for the case to test all features enabled. hmm, maybe I should remove the previous one ""encap,egress=true,multicastEnabled=true,proxyAll=true,nodeNetworkPolicy=true,nodeSNATRandomFully=true"?
pkg/agent/route/route_linux.go
Outdated
| // wireguardIPTablesIPv4 caches all existing IPv4 iptables chains and rules for Wireguard. | ||
| wireguardIPTablesIPv4 sync.Map | ||
| // wireguardIPTablesIPv6 caches all existing IPv6 iptables chains and rules for Wireguard. | ||
| wireguardIPTablesIPv6 sync.Map |
There was a problem hiding this comment.
s/Wireguard/WireGuard
please check other occurrences.
There was a problem hiding this comment.
Should we add a comment in this doc https://github.com/antrea-io/antrea/blob/main/docs/network-requirements.md to remind users about this change?
@antoninbas any suggestion?
There was a problem hiding this comment.
yes, good idea, let's mention it in that doc
we should also mention in the table that most of these ports are configurable (right now we only mention it for the BGP server port)
| @@ -244,7 +244,9 @@ func run(o *Options) error { | |||
| multicastEnabled, | |||
| o.config.SNATFullyRandomPorts, | |||
| *o.config.Egress.SNATFullyRandomPorts, | |||
| serviceCIDRProvider) | |||
| serviceCIDRProvider, | |||
| wireguardConfig.Port, | |||
There was a problem hiding this comment.
Another concern is about the WireGuard port check, looks like we didn't check the range before:
if o.config.WireGuard.Port == 0 {
o.config.WireGuard.Port = apis.WireGuardListenPort
}
I suppose we should go through and update the validation to make sure it's a valid port? @antoninbas
There was a problem hiding this comment.
That sounds good to me but we should do it in a separate PR, we have other ports that we could validate as well, e.g. the tunnelPort. Can you open an issue to track this?
There was a problem hiding this comment.
Issue created: #7035, I will take a look at it later today.
wenyingd
force-pushed
the
issue_7009
branch
2 times, most recently
from
71afced to
a209673
Compare
|
/test-all |
|
/test-windows-all |
| | Antrea with feature BGPPolicy enabled | Selected by user-provided BGPPolicies | TCP 179<sup>[1]</sup> | | | ||
| | All | Kube-apiserver host | TCP 443 or 6443<sup>[2]</sup> | | | ||
| | All | All | TCP 10349, 10350, 10351, UDP 10351 | | | ||
| | Configuration | Host(s) | Protocols/Ports | Configurable | Other | |
There was a problem hiding this comment.
The table is not displayed properly: https://github.com/antrea-io/antrea/blob/a209673dfb1f8e155f1f644d5295f56351986c48/docs/network-requirements.md
pkg/agent/route/route_linux.go
Outdated
| addFilterRulesToChain(iptablesFilterRulesByChainV4, &c.nodeNetworkPolicyIPTablesIPv4) | ||
| addFilterRulesToChain(iptablesFilterRulesByChainV4, &c.wireguardIPTablesIPv4) |
There was a problem hiding this comment.
should static rule (wireguard) be installed before the dynamic rules (NodeNetworkPolicy)? this should be slightly more efficient as wireguard traffic will be the majority of node traffic.
There was a problem hiding this comment.
updated accordingly.
wenyingd
force-pushed
the
issue_7009
branch
2 times, most recently
from
2e80f16 to
fa0e05a
Compare
|
/test-all |
|
/test-windows-conformance |
1 similar comment
|
/test-windows-conformance |
test/integration/agent/route_test.go
Outdated
| @@ -100,7 +100,7 @@ type routeClientOptions struct { | |||
| } | |||
|
|
|||
| func newTestRouteClient(networkConfig *config.NetworkConfig, options routeClientOptions) (*route.Client, error) { | |||
| return route.NewClient(networkConfig, options.noSNAT, false, false, false, false, options.nodeSNATRandomFully, false, nil) | |||
| return route.NewClient(networkConfig, options.noSNAT, false, false, false, false, options.nodeSNATRandomFully, false, nil, 51820) | |||
There was a problem hiding this comment.
maybe use the WireGuardListenPort constant from pkg/apis to make the code more readable
| }, | ||
| }, | ||
| { | ||
| name: "encap,wireguard,egress=true,multicastEnabled=true,proxyAll=true,nodeNetworkPolicy=true,nodeSNATRandomFully=true", |
There was a problem hiding this comment.
I saw the change for the second test case but not this one, was it intentional?
| } | ||
|
|
||
| iptablesFilterRulesByChainV4 := make(map[string][]string) | ||
| addFilterRulesToChain(iptablesFilterRulesByChainV4, &c.wireguardIPTablesIPv4) |
There was a problem hiding this comment.
I think we should add a comment explaining that we are intentionally adding static iptables rules (WireGuard for now) first for performance reasons.
docs/network-requirements.md
Outdated
|
|
||
| [1] _The default value is 179, but a user created BGPPolicy can assign a different | ||
| port number._ | ||
|
|
||
| [2] _The value is passed to kube-apiserver `--secure-port` flag. You can find the port | ||
| number from the output of `kubectl get svc kubernetes -o yaml`._ | ||
|
|
||
| [3] _Antrea now automatically adds the firewall rules to allow the WireGuard packets, |
There was a problem hiding this comment.
better to specify the version (starting with v2.4) instead of writing "now" IMO
wenyingd
force-pushed
the
issue_7009
branch
2 times, most recently
from
36eea72 to
321373e
Compare
|
/test-all |
docs/network-requirements.md
Outdated
| | Antrea Multi-cluster with WireGuard encryption | Multi-cluster Gateway Node | UDP 51821 | Yes | | | ||
| | Antrea with feature BGPPolicy enabled | Selected by user-provided BGPPolicies | TCP 179<sup>[1]</sup> | Yes | | | ||
| | All | Kube-apiserver host | TCP 443 or 6443<sup>[2]</sup> | No | | | ||
| | All | All | TCP 10349, 10350, 10351, UDP 10351 | No | | |
There was a problem hiding this comment.
10349, 10350, and 10351 are all configurable.
Actually even kube-apiserver port is configurable via kube-apiserver itself.
This change is to actively configure the iptables rules wireguard.port when wireguard is used as the encryption mode. This can fix traffic issues if the Node is configured with iptables default DROP policy. Signed-off-by: Wenying Dong <[email protected]>
|
/test-all |
There was a problem hiding this comment.
we should probably try to improve this file in the future, as the configurable column is a bit generic and maybe should indicate how the port can be configured. we could also extract the kube-apiserver requirement from the table and mention it separately, as the requirement doesn't come from Antrea.
This change is to actively configure the iptables rules wireguard.port when wireguard is used as the encryption mode. This can fix traffic issues if the Node is configured with iptables default DROP policy.
Fix: #7009