fix port forward with strict RPF and multi networks

Luap99 · Luap99 · commit 9a73a52c5fd1 · 2024-04-16T13:17:07.000+02:00
As it turns out our routing setup doesn't play nice with strict Reverse Path Forwarding. The issue is that the incoming packages are routed in via one bridge but may be routed out from the container via another bridge and thus get dropped by strict filtering. The fix is simple, set the filter to loose mode. From the sysctl doc: If using asymmetric routing or other complicated routing, then loose mode is recommended. This applies to us so it seems like the proper fix. Added tests to ensure it works. Fixes https://issues.redhat.com/browse/RHEL-32500 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
diff --git a/src/network/bridge.rs b/src/network/bridge.rs
@@ -570,6 +570,17 @@ fn create_interfaces(
                     CoreUtils::apply_sysctl_value(br_accept_ra, "0")?;
                 }
 
+                // Disable strict reverse path search validation. On RHEL it is set to strict mode
+                // which breaks port forwarding when multiple networks are attached as the package
+                // may be routed over a different interface on the reverse path.
+                // As documented for the sysctl for complicated or asymmetric routing loose mode (2)
+                // is recommended.
+                let br_rp_filter = format!(
+                    "/proc/sys/net/ipv4/conf/{}/rp_filter",
+                    &data.bridge_interface_name
+                );
+                CoreUtils::apply_sysctl_value(br_rp_filter, "2")?;
+
                 let link = host
                     .get_link(netlink::LinkID::Name(
                         data.bridge_interface_name.to_string(),
@@ -690,6 +701,13 @@ fn create_veth_pair<'fd>(
             &data.container_interface_name
         );
         core_utils::CoreUtils::apply_sysctl_value(enable_arp_notify, "1")?;
+
+        // disable strict reverse path search validation
+        let rp_filter = format!(
+            "/proc/sys/net/ipv4/conf/{}/rp_filter",
+            &data.container_interface_name
+        );
+        CoreUtils::apply_sysctl_value(rp_filter, "2")?;
         Ok::<(), NetavarkError>(())
     });
     // check the result and return error
diff --git a/test/100-bridge-iptables.bats b/test/100-bridge-iptables.bats
@@ -554,6 +554,35 @@ fw_driver=iptables
     test_port_fw ip=6 proto=udp hostip="fd65:8371:648b:0c06::1"
 }
 
+# Test that port forwarding works with strict Reverse Path Forwarding enabled on the host
+@test "$fw_driver - port forwarding with two networks and RPF - tcp" {
+    # First, enable strict RPF on host/container ns.
+    run_in_host_netns sysctl -w net.ipv4.conf.all.rp_filter=1
+    run_in_host_netns sysctl -w net.ipv4.conf.default.rp_filter=1
+    run_in_container_netns sysctl -w net.ipv4.conf.all.rp_filter=1
+    run_in_container_netns sysctl -w net.ipv4.conf.default.rp_filter=1
+
+    # We need a dummy interface with a host ip,
+    # if we connect directly to the bridge ip it doesn't reproduce.
+    add_dummy_interface_on_host dummy0 "10.0.0.1/24"
+
+    run_netavark --file ${TESTSDIR}/testfiles/two-networks.json setup $(get_container_netns_path)
+    result="$output"
+
+    run_in_host_netns cat /proc/sys/net/ipv4/conf/podman2/rp_filter
+    assert "2" "rp_filter podman2 bridge"
+    run_in_host_netns cat /proc/sys/net/ipv4/conf/podman3/rp_filter
+    assert "2" "rp_filter podman3 bridge"
+
+    run_in_container_netns cat /proc/sys/net/ipv4/conf/eth0/rp_filter
+    assert "2" "rp_filter eth0 interface"
+    run_in_container_netns cat /proc/sys/net/ipv4/conf/eth1/rp_filter
+    assert "2" "rp_filter eth1 interface"
+
+    # Important: Use the "host" ip here and not localhost or bridge ip.
+    run_nc_test "0" "tcp" 8080 "10.0.0.1" 8080
+}
+
 @test "bridge ipam none" {
            read -r -d '\0' config <<EOF
 {
@@ -789,6 +818,8 @@ EOF
     # when the sysctl value is already set correctly we should not error
     run_in_host_netns sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
     run_in_container_netns sh -c "echo 1 > /proc/sys/net/ipv4/conf/default/arp_notify"
+    run_in_host_netns sh -c "echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter"
+    run_in_container_netns sh -c "echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter"
     run_in_host_netns mount -t proc -o ro,nosuid,nodev,noexec proc /proc
 
     run_netavark --file ${TESTSDIR}/testfiles/simplebridge.json setup $(get_container_netns_path)
diff --git a/test/250-bridge-nftables.bats b/test/250-bridge-nftables.bats
@@ -696,6 +696,8 @@ EOF
     # when the sysctl value is already set correctly we should not error
     run_in_host_netns sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
     run_in_container_netns sh -c "echo 1 > /proc/sys/net/ipv4/conf/default/arp_notify"
+    run_in_host_netns sh -c "echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter"
+    run_in_container_netns sh -c "echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter"
     run_in_host_netns mount -t proc -o ro,nosuid,nodev,noexec proc /proc
 
     run_netavark --file ${TESTSDIR}/testfiles/simplebridge.json setup $(get_container_netns_path)
diff --git a/test/testfiles/two-networks.json b/test/testfiles/two-networks.json
@@ -3,7 +3,7 @@
     "container_name": "heuristic_archimedes",
     "port_mappings": [
         {
-          "host_ip": "127.0.0.1",
+          "host_ip": "",
           "container_port": 8080,
           "host_port": 8080,
           "range": 1,

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@`
`3`	`3`	`"container_name": "heuristic_archimedes",`
`4`	`4`	`"port_mappings": [`
`5`	`5`	`{`
`6`		`- "host_ip": "127.0.0.1",`
	`6`	`+ "host_ip": "",`
`7`	`7`	`"container_port": 8080,`
`8`	`8`	`"host_port": 8080,`
`9`	`9`	`"range": 1,`