Bug
Resolution: Done-Errata
Major
4.13.0
Description of problem:
Ingress node firewall rule doesn't seem to be working with bond interfaces on dual stack clusters
Version-Release number of selected component (if applicable):
4.13
How reproducible:
Always
Steps to Reproduce:
1. Create a nodeport svc and pod

    $ ogpow -n e2e-test-networking-infw-9zm4z
    NAME         READY   STATUS    RESTARTS   AGE   IP            NODE                                                 NOMINATED NODE   READINESS GATES
    hello-pod1   1/1     Running   0          91m   10.131.0.29   worker-00.qe-anurag87b.qe.devcluster.openshift.com   <none>           <none>

    [fedora@fedora root]$ ogs -n e2e-test-networking-infw-9zm4z
    NAME           TYPE       CLUSTER-IP       EXTERNAL-IP   PORT(S)           AGE
    test-service   NodePort   172.30.195.222   <none>        27017:32665/TCP   91

2. Create INW config and INFW

    apiVersion: ingressnodefirewall.openshift.io/v1alpha1
    kind: IngressNodeFirewallConfig
    metadata:
      name: ingressnodefirewallconfig
      namespace: openshift-ingress-node-firewall
    spec:
      nodeSelector:
        node-role.kubernetes.io/worker: ""
      tolerations:
      - key: "Example"
        operator: "Exists"
        effect: "NoExecute"

   Rule:

    spec:
      ingress:
      - rules:
        - action: Deny
          order: 1
          protocolConfig:
            protocol: TCP
            tcp:
              ports: 32665-32670
        - action: Allow
          order: 2
          protocolConfig:
            protocol: TCP
            tcp:
              ports: 32665-32670
        sourceCIDRs:
        - 2604:1380:4642:7e00::f/128
        - 147.28.149.167/32
      interfaces:
      - bond0
      nodeSelector:
        matchLabels:
          node-role.kubernetes.io/worker: ""
    status:
      syncStatus: Synchronized

3. The pod is on worker0; let's say we curl to worker0IP:nodePort from worker1

    sh-4.4# curl [2604:1380:4642:7e00::17]:32665;curl 139.178.82.147:32665
    Hello OpenShift!
    Hello OpenShift!
Actual results:
Step 3 passing
Expected results:
Step 3 should fail as per Deny rule
Additional info:
tcpdump -i bond0 port 32665 shows traffic passing through

    sh-4.4# tcpdump -i bond0 port 32665
    dropped privs to tcpdump
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on bond0, link-type EN10MB (Ethernet), capture size 262144 bytes
    16:12:32.946045 IP6 worker-01.qe-anurag87b.qe.devcluster.openshift.com.50206 > worker-00.qe-anurag87b.qe.devcluster.openshift.com.32665: Flags [S], seq 1516204202, win 64800, options [mss 1440,sackOK,TS val 2151453611 ecr 0,nop,wscale 7], length 0
    16:12:32.946278 IP6 worker-00.qe-anurag87b.qe.devcluster.openshift.com.32665 > worker-01.qe-anurag87b.qe.devcluster.openshift.com.50206: Flags [S.], seq 2486771182, ack 1516204203, win 65072, options [mss 1340,sackOK,TS val 3146185205 ecr 2151453611,nop,wscale 7], length 0
    16:12:32.946504 IP6 worker-01.qe-anurag87b.qe.devcluster.openshift.com.50206 > worker-00.qe-anurag87b.qe.devcluster.openshift.com.32665: Flags [.], ack 1, win 507, options [nop,nop,TS val 2151453612 ecr 3146185205], length 0
    16:12:32.946557 IP6 worker-01.qe-anurag87b.qe.devcluster.openshift.com.50206 > worker-00.qe-anurag87b.qe.devcluster.openshift.com.32665: Flags [P.], seq 1:96, ack 1, win 507, options [nop,nop,TS val 2151453612 ecr 3146185205], length 95
    16:12:32.946596 IP6 worker-00.qe-anurag87b.qe.devcluster.openshift.com.32665 > worker-01.qe-anurag87b.qe.devcluster.openshift.com.50206: Flags [.], ack 96, win 508, options [nop,nop,TS val 3146185206 ecr 2151453612], length 0
    16:12:32.946725 IP6 worker-00.qe-anurag87b.qe.devcluster.openshift.com.32665 > worker-01.qe-anurag87b.qe.devcluster.openshift.com.50206: Flags [P.], seq 1:157, ack 96, win 508, options [nop,nop,TS val 3146185206 ecr 2151453612], length 156
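An added model of how the rule set from step 2 is evaluated (my own illustration, not code from the ingress-node-firewall operator): a packet only counts if it arrives on a listed interface and its source falls in one of the entry's sourceCIDRs; then that entry's rules are walked by order and the first match decides, with anything unmatched allowed. The client addresses are constructed, since worker1's own address is not in the report: one source inside the listed CIDRs and one outside, which is the first thing to confirm before concluding the Deny rule is broken.

```python
import ipaddress

# Constructed from the IngressNodeFirewall rule in the report: one ingress entry
# scoped to two source CIDRs, two ordered TCP rules on 32665-32670, attached to bond0.
RULE_SET = {
    "interfaces": ["bond0"],
    "ingress": [{
        "sourceCIDRs": ["2604:1380:4642:7e00::f/128", "147.28.149.167/32"],
        "rules": [
            {"order": 1, "action": "Deny",  "protocol": "TCP", "ports": "32665-32670"},
            {"order": 2, "action": "Allow", "protocol": "TCP", "ports": "32665-32670"},
        ],
    }],
}

def port_in_range(port, spec):
    """ports may be a single port ("32665") or a range ("32665-32670")."""
    lo, _, hi = str(spec).partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rule_set, iface, src_ip, proto, dst_port):
    """Verdict for one ingress packet under the model described in the lead-in."""
    if iface not in rule_set["interfaces"]:
        return "Allow (not attached)"      # program never sees this interface
    src = ipaddress.ip_address(src_ip)
    for entry in rule_set["ingress"]:
        nets = [ipaddress.ip_network(c) for c in entry["sourceCIDRs"]]
        # sourceCIDRs gate the whole entry; v4 sources never match v6 CIDRs
        if not any(src.version == n.version and src in n for n in nets):
            continue
        for rule in sorted(entry["rules"], key=lambda r: r["order"]):
            if rule["protocol"] == proto and port_in_range(dst_port, rule["ports"]):
                return rule["action"]      # first match wins
    return "Allow"                         # default verdict when nothing matched

def check_report():
    """The two curls from step 3, from an assumed listed source, plus two controls."""
    return {
        "v6_listed_src": evaluate(RULE_SET, "bond0", "2604:1380:4642:7e00::f", "TCP", 32665),
        "v4_listed_src": evaluate(RULE_SET, "bond0", "147.28.149.167", "TCP", 32665),
        "v4_other_src":  evaluate(RULE_SET, "bond0", "10.0.0.5", "TCP", 32665),
        "other_iface":   evaluate(RULE_SET, "eth0", "147.28.149.167", "TCP", 32665),
    }
```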
Links to: RHSA-2023:5006 OpenShift Container Platform 4.14.z security update