maiqueb
commented
1 year ago IIUC, this would work in the pod's netns whenever the interface is a bridge port (since it is set in the bridge family).
For it to take effect when the interface is not a bridge port, we would need to write the mac spoof prevention into the IP family post-routing chain (from the netfilter hooks diagram).
So far so good. Now my question is how will you know if a pod interface (which is created via CNI) is a port of a bridge that will be created out of band (after CNI).
@EdDev
EdDev
github-actions[bot]
The spoofcheck nftables rules have been applied on the node root network namespace for ingress traffic that arrives from the pod netns.
When there are a large amount of rules visible, the user-space processing of adding and removing rules becomes slow. Field results showed the
nftcommands taking minutes to complete.In addition, the removal of the rules is dependent on the execution of the DEL command, which is not always assured to occur. Therefore, the current solution where the rules are set on the node root network namespace may cause nftables configuration leaks.
This change suggests to place the rules in the pod network namespace, solving both issues.
It adds rules at two places: IP and Bridge stacks, on the postrouting hook.