containernetworking / plugins / build 19081210460
Coverage: 52% (master: 55%)
LAST BUILD BRANCH: feature/go_version_bump
DEFAULT BRANCH: master
Ran 04 Nov 2025 08:08PM UTC
Jobs: 1
Files: 69
Run time: 1min
04 Nov 2025 07:56PM UTC coverage: 51.661%. First build
Build 19081210460
Pull #1210 (github, champtar)
portmap: ensure nftables backend only intercept local traffic

The portmap iptables backend uses `-m addrtype --dst-type LOCAL`
and a common chain (CNI-HOSTPORT-DNAT) for both hostPort and hostIP/hostPort.

Before this commit, the nftables backend was using 2 separate chains,
`hostip_hostports` and `hostports`. The goal was to avoid using
`fib daddr type local` before we jump to `hostip_hostports`,
but this is a behavior change compared to the iptables backend,
and a security issue (hostIP: 1.1.1.1 / hostPort: 53).
Also, while switching from the input to the prerouting hook, we forgot to
add the fib lookup for `hostports`, rendering the nftables backend half broken.

To allow transparent upgrades and avoid running the fib lookup twice,
if the chain `hostip_hostports` exists and is not empty, we use an extra chain:
```
add chain ip cni_hostport hostip_hostports
add chain ip cni_hostport hostports
add chain ip cni_hostport hostports_all
add rule ip cni_hostport hostports_all jump hostip_hostports
add rule ip cni_hostport hostports_all jump hostports
add rule ip cni_hostport output a b fib daddr type local jump hostports_all
add rule ip cni_hostport prerouting a b fib daddr type local jump hostports_all
```

If `hostip_hostports` doesn't exist or is empty, we only use the `hostports` chain:
```
add chain ip cni_hostport hostports
add rule ip cni_hostport output a b fib daddr type local jump hostports
add rule ip cni_hostport prerouting a b fib daddr type local jump hostports
```

In both cases we add the new rules to the `hostports` chain only,
and delete from both `hostports` and `hostip_hostports`.

After running the nft transaction, we check the state of
`hostip_hostports` again; if it changed, we run again.

We can't use implicit chains (`jump { jump hostip_hostports; jump hostports }`)
as it's not supported by knftables.Fake.

Fixes 9296c5f80
Fixes 01a94e17c

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
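As an added illustration of the invariant this commit restores (example code, not code from the PR or the plugins project): a small Python audit that reads an nft command listing and flags any base-chain rule that jumps into a portmap chain without a preceding `fib daddr type local` match. The two rulesets are constructed from the layouts described above, not captured from a host, and the chain names are taken from the commit message.

```python
import re

# Chains the portmap nftables backend uses for DNAT (names from the commit message).
PORTMAP_CHAINS = {"hostports", "hostip_hostports", "hostports_all"}
# Base chains that see every packet; a jump from here must be gated on locality.
BASE_CHAINS = {"output", "prerouting"}
LOCAL_GUARD = "fib daddr type local"

# Matches the `nft -f` command style used in the commit message.
RULE_RE = re.compile(r"^add rule (?P<family>\S+) (?P<table>\S+) (?P<chain>\S+) (?P<expr>.*)$")


def find_unguarded_jumps(ruleset: str) -> list[str]:
    """Return rules that jump from a base chain into a portmap chain without
    matching `fib daddr type local` before the jump. An empty list means the
    ruleset only intercepts traffic addressed to a local IP."""
    unguarded = []
    for raw in ruleset.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if not m or m.group("chain") not in BASE_CHAINS:
            continue
        expr = m.group("expr")
        jm = re.search(r"(?:^|\s)jump\s+(\S+)", expr)
        if not jm or jm.group(1) not in PORTMAP_CHAINS:
            continue
        if LOCAL_GUARD not in expr[: jm.start()]:  # everything before the jump
            unguarded.append(line)
    return unguarded


# Constructed sample: the pre-fix layout, where the base chain jumps straight
# into both portmap chains and no fib lookup is made.
BEFORE_FIX = """
add table ip cni_hostport
add chain ip cni_hostport hostip_hostports
add chain ip cni_hostport hostports
add chain ip cni_hostport prerouting { type nat hook prerouting priority -100 ; }
add rule ip cni_hostport prerouting jump hostip_hostports
add rule ip cni_hostport prerouting jump hostports
"""

# Constructed sample: the post-fix layout with the extra hostports_all chain.
AFTER_FIX = """
add chain ip cni_hostport hostports_all
add rule ip cni_hostport hostports_all jump hostip_hostports
add rule ip cni_hostport hostports_all jump hostports
add rule ip cni_hostport output fib daddr type local jump hostports_all
add rule ip cni_hostport prerouting fib daddr type local jump hostports_all
"""

if __name__ == "__main__":
    for name, rs in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(name, find_unguarded_jumps(rs) or "ok")
```

Run it against the output of `nft list ruleset` converted to command form (or against the transaction a test fake records) to confirm no DNAT jump is reachable for traffic to non-local addresses.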
Pull Request #1210: portmap: ensure nftables backend only intercept local traffic

41 of 49 new or added lines in 1 file covered. (83.67%)

4883 of 9452 relevant lines covered (51.66%)

26.51 hits per line

New Missed Lines in Diff: 8 lines missed, 72.14% coverage, plugins/meta/portmap/portmap_nftables.go
Jobs: ID 1, Job ID 19081210460.1, ran 04 Nov 2025 08:08PM UTC, 69 files, 51.66% coverage (GitHub Action Run)