k8snetworkplumbingwg / multi-networkpolicy-iptables

MultiNetworkPolicy iptable based implementation
Apache License 2.0

Ingress only rule should allow outgoing TCP connection #18

Closed zeeke closed 1 year ago

zeeke commented 2 years ago

I discovered a behavior that differs from regular NetworkPolicies about ingress rules and outgoing traffic. Let me know if it is the intended behavior:

The scenario can be reproduced in a Kind (with Calico as default CNI network plugin) using this fork (branch multinetpolicy-bugs):

$ cd e2e
$ ./get_tools.sh
$ ./setup_cluster.sh
$ kubectl apply -f stacked.yml
$ ./oneway-test.sh

The scenario creates

oneway-test.sh reproduces the behavior:

$ kubectl apply -f oneway.yml
networkattachmentdefinition.k8s.cni.cncf.io/macvlan1-oneway created
namespace/test-oneway-multi created
pod/pod-a created
pod/pod-b created
pod/pod-c created
multinetworkpolicy.k8s.cni.cncf.io/test-multinetwork-policy-oneway-1 created
namespace/test-oneway-regular created
pod/pod-a created
pod/pod-b created
pod/pod-c created
networkpolicy.networking.k8s.io/test-network-policy-oneway-1 created

$ ./oneway-test.sh
pod/pod-a condition met
(1 = NO connection, 0 = can connect)
MULTI: pod-a <-- pod-b 0
MULTI: pod-a <-- pod-c 1
MULTI: pod-a --> pod-b 0
MULTI: pod-a --> pod-c 1
REGULAR: pod-a <-- pod-b 0
REGULAR: pod-a <-- pod-c 1
REGULAR: pod-a --> pod-b 0
REGULAR: pod-a --> pod-c 0

test-oneway-multi/pod-a iptables

Chain INPUT (policy ACCEPT 9 packets, 486 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   13   726 MULTI-INGRESS  all  --  net1   *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 10 packets, 546 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   10   546 MULTI-EGRESS  all  --  *      net1    0.0.0.0/0            0.0.0.0/0           

Chain MULTI-0-INGRESS (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   13   726 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK and 0xfffcffff
   13   726 MULTI-0-INGRESS-0-PORTS  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   13   726 MULTI-0-INGRESS-0-FROM  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    9   486 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x30000/0x30000
    4   240 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain MULTI-0-INGRESS-0-FROM (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    9   486 MARK       all  --  net1   *       2.2.6.10             0.0.0.0/0            MARK or 0x20000

Chain MULTI-0-INGRESS-0-PORTS (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   13   726 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* no ingress ports, skipped */ MARK or 0x10000

Chain MULTI-EGRESS (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain MULTI-INGRESS (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   13   726 MULTI-0-INGRESS  all  --  net1   *       0.0.0.0/0            0.0.0.0/0            /* policy:test-multinetwork-policy-oneway-1 net-attach-def:default/macvlan1-oneway */

With regular NetworkPolicies, pod-a is able to create connections to pod-c, while it is not possible with MultiNetworkPolicies.

MULTI: pod-a --> pod-c 1
REGULAR: pod-a --> pod-c 0

Let me know if I can work on a fix for this.
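The iptables dump quoted in the report has no rule in MULTI-0-INGRESS that matches connection state before the final DROP, so a reply packet arriving on net1 from any source other than 2.2.6.10 is dropped even when pod-a opened the connection itself. The script below is an added example for this thread, not code from the multi-networkpolicy-iptables project: it parses the `iptables -L -v -n` format shown above and flags any chain that reaches an unconditional DROP without an earlier ACCEPT/RETURN on RELATED or ESTABLISHED state. REPORTED_DUMP is the chain as quoted in the report; HARDENED_DUMP is a constructed variant with a conntrack-state RETURN rule added in front, used only to show the check passing, and it does not describe what any particular pull request changed.

```python
"""Audit an `iptables -L -v -n` dump for chains that drop packets before
any rule has matched RELATED/ESTABLISHED connection state.

Added example for this issue thread; not code from the
multi-networkpolicy-iptables project. HARDENED_DUMP is constructed.
"""
import re
from dataclasses import dataclass, field

CHAIN_RE = re.compile(r"^Chain (\S+) \(.*\)$")
STATE_RE = re.compile(r"\b(?:ctstate|state)\s+([A-Z,]+)")
ANY_ADDR = "0.0.0.0/0"


@dataclass
class Rule:
    target: str
    source: str
    extra: str  # match options printed after the destination column


@dataclass
class Chain:
    name: str
    rules: list = field(default_factory=list)


def parse_iptables(dump: str) -> dict:
    """Parse `iptables -L -v -n` output into {chain name: Chain}."""
    chains, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        header = CHAIN_RE.match(line)
        if header:
            current = Chain(header.group(1))
            chains[current.name] = current
            continue
        if current is None or not line or line.startswith("pkts"):
            continue
        # Columns: pkts bytes target prot opt in out source destination [extra]
        cols = line.split(None, 9)
        if len(cols) < 9:
            continue
        extra = cols[9].strip() if len(cols) > 9 else ""
        current.rules.append(Rule(target=cols[2], source=cols[7], extra=extra))
    return chains


def chains_dropping_replies(chains: dict) -> list:
    """Names of chains that hit an unconditional DROP with no earlier
    ACCEPT/RETURN on RELATED or ESTABLISHED state. Such a chain drops the
    reply packets of connections the pod itself opened."""
    flagged = []
    for chain in chains.values():
        reply_traffic_allowed = False
        for rule in chain.rules:
            state = STATE_RE.search(rule.extra)
            if (state and rule.target in ("ACCEPT", "RETURN")
                    and {"RELATED", "ESTABLISHED"} & set(state.group(1).split(","))):
                reply_traffic_allowed = True
            if rule.target == "DROP" and rule.source == ANY_ADDR and not rule.extra:
                if not reply_traffic_allowed:
                    flagged.append(chain.name)
                break  # nothing after an unconditional DROP is reachable
    return flagged


def audit(dump: str) -> list:
    return chains_dropping_replies(parse_iptables(dump))


# Chain as quoted in the report (pod-a in namespace test-oneway-multi).
REPORTED_DUMP = """\
Chain MULTI-0-INGRESS (1 references)
 pkts bytes target     prot opt in     out     source               destination
   13   726 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK and 0xfffcffff
   13   726 MULTI-0-INGRESS-0-PORTS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   13   726 MULTI-0-INGRESS-0-FROM  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    9   486 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x30000/0x30000
    4   240 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Constructed variant: a conntrack RETURN ahead of the policy logic lets
# replies to the pod's own outgoing connections through.
HARDENED_DUMP = """\
Chain MULTI-0-INGRESS (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   13   726 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK and 0xfffcffff
    9   486 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x30000/0x30000
    4   240 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

if __name__ == "__main__":
    print("reported:", audit(REPORTED_DUMP))  # ['MULTI-0-INGRESS']
    print("hardened:", audit(HARDENED_DUMP))  # []
```

To run it against a live pod, feed it the output of `iptables -L -v -n` taken inside the pod's network namespace; any chain it lists will reject reply traffic for connections initiated from that pod on the affected interface.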

s1061123 commented 2 years ago

Thanks for the issue. Will take a look into it when I'm back from off.

s1061123 commented 2 years ago

Hi @zeeke, thank you for filing the issue. I repro it and I could understand that. Yeah, could you please work on that?

zeeke commented 2 years ago

Yes, I can tackle it

zeeke commented 1 year ago

@s1061123 I tried it after #28 and it seems to be fixed. Closing this.