pkg/mesh/routes.go: add flag for generic ACCEPT in FORWARD chain #244

Merged
leonnicolas merged 3 commits into main from forward_allow_option on Sep 30, 2021
@leonnicolas
Collaborator

Some Linux distros or Docker will set the default policy in the FORWARD
chain in the filter table to DROP. With the new ip-tables-forward-rules
flag a generic ACCEPT for all packages going from and to the pod subnet
is added to the FORWARD chain.

Fixes #241

Some Linux distros or Docker will set the default policy in the FORWARD
chain in the filter table to DROP. With the new ip-tables-forward-rules
flag a generic ACCEPT for all packages going from and to the pod subnet
is added to the FORWARD chain.

Signed-off-by: leonnicolas <leonloechner@gmx.de>
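
As an added illustration (not code from this pull request or from Kilo), the Go sketch below audits `iptables -S FORWARD` output for the situation the description covers: a DROP default policy, and whether an unrestricted ACCEPT exists from and to the pod subnet. The rule shape, the 10.4.0.0/16 subnet and the sample output are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample of `iptables -S FORWARD` output; not taken from a real host.
const sampleRules = `-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -s 10.4.0.0/16 -m comment --comment "constructed: from pod subnet" -j ACCEPT
-A FORWARD -d 10.4.0.0/16 -p tcp -m tcp --dport 443 -j ACCEPT`

// Comment matches do not restrict traffic, so they are removed before parsing.
var commentRe = regexp.MustCompile(`-m comment --comment ("[^"]*"|\S+)`)

// Audit summarizes the filter table's FORWARD chain for one pod subnet.
type Audit struct {
	Policy     string // default policy, e.g. "DROP"
	FromSubnet bool   // unrestricted ACCEPT for -s <subnet>
	ToSubnet   bool   // unrestricted ACCEPT for -d <subnet>
}

// auditForward reports the chain policy and whether a generic ACCEPT exists in
// each direction. A rule that also matches on protocol, port, interface or
// state is not generic and is ignored.
func auditForward(rules, subnet string) Audit {
	var a Audit
	for _, line := range strings.Split(rules, "\n") {
		f := strings.Fields(commentRe.ReplaceAllString(line, ""))
		switch {
		case len(f) == 3 && f[0] == "-P" && f[1] == "FORWARD":
			a.Policy = f[2]
		case len(f) == 6 && f[0] == "-A" && f[1] == "FORWARD" &&
			f[3] == subnet && f[4] == "-j" && f[5] == "ACCEPT":
			a.FromSubnet = a.FromSubnet || f[2] == "-s"
			a.ToSubnet = a.ToSubnet || f[2] == "-d"
		}
	}
	return a
}

func main() {
	a := auditForward(sampleRules, "10.4.0.0/16")
	fmt.Printf("policy=%s from=%t to=%t\n", a.Policy, a.FromSubnet, a.ToSubnet)
	if a.Policy == "DROP" && !(a.FromSubnet && a.ToSubnet) {
		fmt.Println("pod traffic in a direction without an ACCEPT depends on other rules")
	}
}
```

The check does not evaluate rule order, so a DROP or REJECT placed earlier in the chain can still take precedence over an ACCEPT it reports.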
@squat
Owner

squat commented Sep 30, 2021

xref: #112, #106,

Comment thread cmd/kg/main.go Outdated
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
squat previously approved these changes Sep 30, 2021
Owner

@squat squat left a comment

Looks good to me. This implements exactly the same semantics as the identically named flag in Flannel (https://github.com/flannel-io/flannel/blob/master/main.go#L144).

Do you think we want a warning in the flag description?

@leonnicolas
Collaborator Author

> Looks good to me. This implements exactly the same semantics as the identically named flag in Flannel (https://github.com/flannel-io/flannel/blob/master/main.go#L144).

That was my plan, but I imagined an extra dash ^^

> Do you think we want a warning in the flag description?

Something like: warning this may break firewalls with a deny all policy?

@squat
Owner

squat commented Sep 30, 2021

> Something like: warning this may break firewalls with a deny all policy?

Yes something like that would be great. Warning: this may break firewalls with a deny all policy and is potentially insecure

Comment thread cmd/kg/main.go Outdated
@leonnicolas leonnicolas requested a review from squat September 30, 2021 12:19
Owner

@squat squat left a comment

Nice work

Successfully merging this pull request may close these issues.

Iptables FORWARD CHAIN POLICY
