-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cilium-cni: Reserve ports that can conflict with transparent DNS proxy #32128
cilium-cni: Reserve ports that can conflict with transparent DNS proxy #32128
Conversation
7a814da
to
c7afe2f
Compare
I did some manual testing by forcing WireGuard conflicts (port 51871) by reducing the ephemeral port range via |
/test |
c7afe2f
to
d819ae1
Compare
Thanks for the feedback! I've replied inline, hope that answers some of the questions. |
/test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
API changes look good, thank you!
This is a follow-up suggested by Julian in a previous PR: cilium#32128 (comment) Fixes: 11fe7cc ("cilium-cni: Reserve ports that can conflict with transparent DNS proxy") Note: This fix has already been applied to the backported version of the above commit. Suggested-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
This is a follow-up suggested by Julian in a previous PR: #32128 (comment) Fixes: 11fe7cc ("cilium-cni: Reserve ports that can conflict with transparent DNS proxy") Note: This fix has already been applied to the backported version of the above commit. Suggested-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
This is a follow-up suggested by Julian in a previous PR: cilium#32128 (comment) Fixes: 11fe7cc ("cilium-cni: Reserve ports that can conflict with transparent DNS proxy") Note: This fix has already been applied to the backported version of the above commit. Suggested-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
@@ -604,13 +628,12 @@ func (cmd *Cmd) Add(args *skel.CmdArgs) (err error) { | |||
|
|||
if err = ns.Do(func() error { | |||
if ipv6IsEnabled(ipam) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like local IP ports are reserved only if IPv6 is enabled?
This commit adds the ability for the cilium-cni plugin to reserve IP ports (via the
ip_local_reserved_ports
sysctl knob) during CNI ADD. Reserving these ports will prevent the container network namespace to use these ports as an ephemeral source port, while still allowing the port to be explicitly allocated (see [1]).This functionality is added as a workaround for #31535 where transparent DNS proxy mode causes conflicts when an ephemeral source port is being chosen that is already being used in the host network namespace. By reserving ports used by Cilium itself (such as WireGuard and VXLAN), we hopefully reduce the number of such conflicts.
The set of reserved ports can be configured via a newly introduced agent flag. By default, it will reserve an auto-generated set of ports. The list of ports is configurable such that users running custom UDP services on ports in the ephemeral port range can provide their own set of ports. The flag may be set to an empty string to disable reservations altogether.
[1] https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt