Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Drop invalid conntrack packets #816

Closed
mccv1r0 opened this issue Jan 20, 2023 · 0 comments · May be fixed by containernetworking/cni#957
Closed

Drop invalid conntrack packets #816

mccv1r0 opened this issue Jan 20, 2023 · 0 comments · May be fixed by containernetworking/cni#957
Labels
Stale

Comments

@mccv1r0
Copy link
Member

mccv1r0 commented Jan 20, 2023

After RST is seen in either direction, conntrack fails to masquerade any packets in flight in the other direction. This leaks the internal IP address used. Users are not happy about it.

  462   5.788126 server_ip → client_ip TLSv1.2 90 Application Data
  463   5.788207 server_ip → client_ip TCP 66 443 → 45020 [FIN, ACK] Seq=3664 Ack=763 Win=31104 Len=0 TSval=675936350 TSecr=3317842872
  464   5.788447 client_ip → server_ip TLSv1.2 90 Application Data
  465   5.788479 client_ip → server_ip TCP 66 45020 → 443 [RST, ACK] Seq=787 Ack=3665 Win=39040 Len=0 TSval=3317842889 TSecr=675936350  <----- RST
  466   5.788581    10.88.0.8 → client_ip TCP 54 8443 → 45020 [RST] Seq=1 Win=0 Len=0   <------ leak
@mccv1r0 mccv1r0 mentioned this issue Jan 23, 2023
Closed
mccv1r0 added a commit to mccv1r0/plugins that referenced this issue Jan 24, 2023
@mccv1r0
When masquerade is set on bridge, add an iptables rule to drop any pa…
e9a92f4 
…ckets which conntrack consideres invalid.

When portmap is used in chain, do likewise.

Use container specific IP addresses in rules so that only this rule is removed in cniDel

Allow for portmap and ipMasq to co-exist or used independently

Fixes containernetworking#816

Signed-off-by: Michael Cambria <[email protected]>
mccv1r0 added a commit to mccv1r0/plugins that referenced this issue Jan 26, 2023
@mccv1r0
When masquerade is set on bridge, add an iptables rule to drop any pa…
a29221e 
…ckets which conntrack consideres invalid.

When portmap is used in chain, do likewise.

Use container specific IP addresses in rules so that only this rule is removed in cniDel

Allow for portmap and ipMasq to co-exist or used independently

Fixes containernetworking#816

Signed-off-by: Michael Cambria <[email protected]>
@mccv1r0 mccv1r0 mentioned this issue Jan 30, 2023
Open
@github-actions github-actions bot added the Stale label Mar 22, 2023
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Mar 29, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Stale
Projects
None yet
Milestone
No milestone
1 participant
@mccv1r0