Merge pull request #962 from Luap99/strict-rpf

openshift-merge-bot[bot] · web-flow · commit 44e25b1e23ad · 2024-04-16T12:58:01.000Z
fix port forward with strict RPF and multi networks
diff --git a/src/network/bridge.rs b/src/network/bridge.rs
@@ -570,6 +570,17 @@ fn create_interfaces(
                     CoreUtils::apply_sysctl_value(br_accept_ra, "0")?;
                 }
 
+                // Disable strict reverse path search validation. On RHEL it is set to strict mode
+                // which breaks port forwarding when multiple networks are attached as the package
+                // may be routed over a different interface on the reverse path.
+                // As documented for the sysctl for complicated or asymmetric routing loose mode (2)
+                // is recommended.
+                let br_rp_filter = format!(
+                    "/proc/sys/net/ipv4/conf/{}/rp_filter",
+                    &data.bridge_interface_name
+                );
+                CoreUtils::apply_sysctl_value(br_rp_filter, "2")?;
+
                 let link = host
                     .get_link(netlink::LinkID::Name(
                         data.bridge_interface_name.to_string(),
@@ -690,6 +701,13 @@ fn create_veth_pair<'fd>(
             &data.container_interface_name
         );
         core_utils::CoreUtils::apply_sysctl_value(enable_arp_notify, "1")?;
+
+        // disable strict reverse path search validation
+        let rp_filter = format!(
+            "/proc/sys/net/ipv4/conf/{}/rp_filter",
+            &data.container_interface_name
+        );
+        CoreUtils::apply_sysctl_value(rp_filter, "2")?;
         Ok::<(), NetavarkError>(())
     });
     // check the result and return error
diff --git a/test/100-bridge-iptables.bats b/test/100-bridge-iptables.bats
@@ -554,6 +554,35 @@ fw_driver=iptables
     test_port_fw ip=6 proto=udp hostip="fd65:8371:648b:0c06::1"
 }
 
+# Test that port forwarding works with strict Reverse Path Forwarding enabled on the host
+@test "$fw_driver - port forwarding with two networks and RPF - tcp" {
+    # First, enable strict RPF on host/container ns.
+    run_in_host_netns sysctl -w net.ipv4.conf.all.rp_filter=1
+    run_in_host_netns sysctl -w net.ipv4.conf.default.rp_filter=1
+    run_in_container_netns sysctl -w net.ipv4.conf.all.rp_filter=1
+    run_in_container_netns sysctl -w net.ipv4.conf.default.rp_filter=1
+
+    # We need a dummy interface with a host ip,
+    # if we connect directly to the bridge ip it doesn't reproduce.
+    add_dummy_interface_on_host dummy0 "10.0.0.1/24"
+
+    run_netavark --file ${TESTSDIR}/testfiles/two-networks.json setup $(get_container_netns_path)
+    result="$output"
+
+    run_in_host_netns cat /proc/sys/net/ipv4/conf/podman2/rp_filter
+    assert "2" "rp_filter podman2 bridge"
+    run_in_host_netns cat /proc/sys/net/ipv4/conf/podman3/rp_filter
+    assert "2" "rp_filter podman3 bridge"
+
+    run_in_container_netns cat /proc/sys/net/ipv4/conf/eth0/rp_filter
+    assert "2" "rp_filter eth0 interface"
+    run_in_container_netns cat /proc/sys/net/ipv4/conf/eth1/rp_filter
+    assert "2" "rp_filter eth1 interface"
+
+    # Important: Use the "host" ip here and not localhost or bridge ip.
+    run_nc_test "0" "tcp" 8080 "10.0.0.1" 8080
+}
+
 @test "bridge ipam none" {
            read -r -d '\0' config <<EOF
 {
@@ -789,6 +818,8 @@ EOF
     # when the sysctl value is already set correctly we should not error
     run_in_host_netns sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
     run_in_container_netns sh -c "echo 1 > /proc/sys/net/ipv4/conf/default/arp_notify"
+    run_in_host_netns sh -c "echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter"
+    run_in_container_netns sh -c "echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter"
     run_in_host_netns mount -t proc -o ro,nosuid,nodev,noexec proc /proc
 
     run_netavark --file ${TESTSDIR}/testfiles/simplebridge.json setup $(get_container_netns_path)
diff --git a/test/250-bridge-nftables.bats b/test/250-bridge-nftables.bats
@@ -696,6 +696,8 @@ EOF
     # when the sysctl value is already set correctly we should not error
     run_in_host_netns sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
     run_in_container_netns sh -c "echo 1 > /proc/sys/net/ipv4/conf/default/arp_notify"
+    run_in_host_netns sh -c "echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter"
+    run_in_container_netns sh -c "echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter"
     run_in_host_netns mount -t proc -o ro,nosuid,nodev,noexec proc /proc
 
     run_netavark --file ${TESTSDIR}/testfiles/simplebridge.json setup $(get_container_netns_path)
diff --git a/test/testfiles/two-networks.json b/test/testfiles/two-networks.json
@@ -3,7 +3,7 @@
     "container_name": "heuristic_archimedes",
     "port_mappings": [
         {
-          "host_ip": "127.0.0.1",
+          "host_ip": "",
           "container_port": 8080,
           "host_port": 8080,
           "range": 1,

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@`
`3`	`3`	`"container_name": "heuristic_archimedes",`
`4`	`4`	`"port_mappings": [`
`5`	`5`	`{`
`6`		`- "host_ip": "127.0.0.1",`
	`6`	`+ "host_ip": "",`
`7`	`7`	`"container_port": 8080,`
`8`	`8`	`"host_port": 8080,`
`9`	`9`	`"range": 1,`