diff --git a/cmd/coordinator/cmd/command_add.go b/cmd/coordinator/cmd/command_add.go
index 227116db42..2c0dd34a19 100644
--- a/cmd/coordinator/cmd/command_add.go
+++ b/cmd/coordinator/cmd/command_add.go
@@ -281,14 +281,14 @@ func CmdAdd(args *skel.CmdArgs) (err error) {
 if ipFamily != netlink.FAMILY_V4 {
 // ensure ipv6 is enable
- if err := sysctl.EnableIpv6Sysctl(c.netns); err != nil {
+ if err := sysctl.EnableIpv6Sysctl(c.netns, 0); err != nil {
 logger.Error(err.Error())
 return err
 }
 }
 if conf.RPFilter != -1 {
- if err = sysctl.SysctlRPFilter(c.netns, conf.RPFilter); err != nil {
+ if err = sysctl.SetSysctlRPFilter(c.netns, conf.RPFilter); err != nil {
 logger.Error(err.Error())
 return err
 }
diff --git a/docs/reference/spiderpool-agent.md b/docs/reference/spiderpool-agent.md
index 99347670fa..1aebc5dd89 100644
--- a/docs/reference/spiderpool-agent.md
+++ b/docs/reference/spiderpool-agent.md
@@ -38,6 +38,7 @@ To optimize the kernel network configuration of a node, spiderpool-agent will by
 | net.ipv4.conf.all.arp_notify | 1 | Generate gratuitous arp requests when device is brought up or hardware address changes.|
 | net.ipv4.conf.all.forwarding | 1 | enable ipv4 forwarding |
 | net.ipv6.conf.all.forwarding | 1 | enable ipv6 forwarding |
+| net.ipv4.conf.all.rp_filter | 0 | no source validation for the each incoming packet |
 Note: Some kernel parameters can only be set in certain kernel versions, so we will ignore the "kernel parameter does not exist" error when configure the kernel parameters. Example: `net.ipv6.neigh.default.gc_thresh3`.
diff --git a/pkg/multuscniconfig/utils.go b/pkg/multuscniconfig/utils.go
index 8e1264068e..674f7bd48a 100644
--- a/pkg/multuscniconfig/utils.go
+++ b/pkg/multuscniconfig/utils.go
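Review bot: The literal `0` in `sysctl.EnableIpv6Sysctl(c.netns, 0)` is the value written to `net.ipv6.conf.all.disable_ipv6`, so the call only enables IPv6 because that sysctl's meaning is inverted, and `EnableIpv6Sysctl(c.netns, 1)` would do the opposite of the function's name without any compile-time hint. A named value at the call site, e.g. `const ipv6Enabled int32 = 0 // value for net.ipv6.conf.all.disable_ipv6`, or dropping the parameter and keeping "0" inside the helper, would make the intent reviewable. The new `SetSysctlRPFilter` call no longer sets rp_filter in the host netns as the old `SysctlRPFilter` did, so if this path relied on that it now depends on the agent's `DefaultSysctlConfig` having been applied on the node. CmdAdd starts and ends outside the hunk.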
@@ -211,7 +211,7 @@ func ParsePodNetworkObjectName(podnetwork string) (string, string, string, error
 for i := range allItems {
 matched := compile.MatchString(allItems[i])
 if !matched && len([]rune(allItems[i])) > 0 {
- return "", "", "", fmt.Errorf(fmt.Sprintf("parsePodNetworkObjectName: Failed to parse: one or more items did not match comma-delimited format (must consist of lower case alphanumeric characters). Must start and end with an alphanumeric character), mismatch @ '%v'", allItems[i]))
+ return "", "", "", fmt.Errorf("parsePodNetworkObjectName: Failed to parse: one or more items did not match comma-delimited format (must consist of lower case alphanumeric characters). Must start and end with an alphanumeric character), mismatch @ '%v'", allItems[i])
 }
 }
diff --git a/pkg/networking/sysctl/sysctl.go b/pkg/networking/sysctl/sysctl.go
index 88f6ebe0a0..509da487cc 100644
--- a/pkg/networking/sysctl/sysctl.go
+++ b/pkg/networking/sysctl/sysctl.go
@@ -13,6 +13,11 @@ import (
 "github.com/containernetworking/plugins/pkg/utils/sysctl"
 )
+var (
+ SysctlRPFilter = "net.ipv4.conf.all.rp_filter"
+ SysctlEnableIPv6 = "net.ipv6.conf.all.disable_ipv6"
+)
+
 // DefaultSysctlConfig is the default sysctl config for the node
 var DefaultSysctlConfig = []struct {
 Name string
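Review bot: The rewritten `fmt.Errorf` on the `+` line still embeds the rejected item with `'%v'`; the item is presumably caller-supplied (the function parses a pod network name), so `%q` would quote it and escape embedded quotes and control characters, keeping the error text unambiguous about where the value starts and ends: `... mismatch @ %q", allItems[i])`. The guard on the context line, `len([]rune(allItems[i])) > 0`, allocates a rune slice just to test for non-emptiness; `allItems[i] != ""` is equivalent. ParsePodNetworkObjectName continues outside the hunk.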
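Review bot: `SysctlRPFilter` and `SysctlEnableIPv6` hold fixed sysctl keys but are declared in a `var` block, which makes them exported mutable package state that any importer can reassign at runtime and that the compiler cannot fold; declare them as `const (` `SysctlRPFilter = "net.ipv4.conf.all.rp_filter"` / `SysctlEnableIPv6 = "net.ipv6.conf.all.disable_ipv6"` `)`. The name `SysctlEnableIPv6` is also the inverse of the key it holds (`disable_ipv6`), which invites writing the wrong value; `SysctlDisableIPv6` would match the kernel name. Both are exported and need doc comments, e.g. `// SysctlRPFilter is the key of the IPv4 reverse-path-filter sysctl written by SetSysctlRPFilter.`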
@@ -52,74 +57,27 @@ var DefaultSysctlConfig = []struct {
 Value: "1",
 IsIPv6: true,
 },
+ {
+ Name: "net.ipv4.conf.all.rp_filter",
+ Value: "0",
+ IsIPv4: true,
+ IsIPv6: true,
+ },
 }
 // SysctlRPFilter set rp_filter value for host netns and specify netns
-func SysctlRPFilter(netns ns.NetNS, value int32) error {
- var err error
- if err = setRPFilter(value); err != nil {
- return fmt.Errorf("failed to set host rp_filter : %v", err)
- }
+func SetSysctlRPFilter(netns ns.NetNS, value int32) error {
 // set pod rp_filter
- err = netns.Do(func(_ ns.NetNS) error {
- if err := setRPFilter(value); err != nil {
- return fmt.Errorf("failed to set rp_filter in pod : %v", err)
- }
- return nil
+ return netns.Do(func(_ ns.NetNS) error {
+ return SetSysctl(SysctlRPFilter, fmt.Sprintf("%v", value))
 })
- if err != nil {
- return err
- }
- return nil
-}
-
-// setRPFilter set rp_filter
-func setRPFilter(v int32) error {
- dirs, err := os.ReadDir("/proc/sys/net/ipv4/conf")
- if err != nil {
- return err
- }
- for _, dir := range dirs {
- name := fmt.Sprintf("/net/ipv4/conf/%s/rp_filter", dir.Name())
- value, err := sysctl.Sysctl(name)
- if err != nil {
- continue
- }
- if value == fmt.Sprintf("%d", v) {
- continue
- }
- if _, e := sysctl.Sysctl(name, fmt.Sprintf("%d", v)); e != nil {
- return e
- }
- }
- return nil
-}
 // EnableIpv6Sysctl enable ipv6 for specify netns
-func EnableIpv6Sysctl(netns ns.NetNS) error {
- err := netns.Do(func(_ ns.NetNS) error {
- dirs, err := os.ReadDir("/proc/sys/net/ipv6/conf")
- if err != nil {
- return err
- }
-
- for _, dir := range dirs {
- // Read current sysctl value
- name := fmt.Sprintf("/net/ipv6/conf/%s/disable_ipv6", dir.Name())
- value, err := sysctl.Sysctl(name)
- if err != nil {
- return fmt.Errorf("failed to read current sysctl %+v value: %v", name, err)
- }
- // make sure value=0
- if value != "0" {
- if _, err = sysctl.Sysctl(name, "0"); err != nil {
- return fmt.Errorf("failed to read current sysctl %+v value: %v ", name, err)
- }
- }
- }
- return nil
+func EnableIpv6Sysctl(netns ns.NetNS, value int32) error {
+ return netns.Do(func(_ ns.NetNS) error {
+ return SetSysctl(SysctlEnableIPv6, fmt.Sprintf("%v", value))
 })
- return err
 }
 func SetSysctl(sysConfig string, value string) error {
diff --git a/test/e2e/reclaim/reclaim_test.go b/test/e2e/reclaim/reclaim_test.go
index d190ac829c..ecad0b7f9e 100644
--- a/test/e2e/reclaim/reclaim_test.go
+++ b/test/e2e/reclaim/reclaim_test.go
@@ -602,7 +602,7 @@ var _ = Describe("test ip with reclaim ip case", Label("reclaim"), func() {
 Expect(frame.DeletePod(podName, namespace)).To(Succeed(), "Failed to delete pod %v/%v\n", namespace, podName)
 GinkgoWriter.Printf("succeed to delete pod %v/%v\n", namespace, podName)
 },
- Entry("a dirty IP record (pod name is wrong or containerID is wrong) in the IPPool should be auto clean by Spiderpool", Serial, Label("G00005", "G00007")),
+ PEntry("a dirty IP record (pod name is wrong or containerID is wrong) in the IPPool should be auto clean by Spiderpool", Serial, Label("G00005", "G00007")),
 )
 })
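Review bot: `SetSysctlRPFilter` now writes only `net.ipv4.conf.all.rp_filter` inside the netns, whereas the removed `setRPFilter` loop wrote `rp_filter` for every entry under `/proc/sys/net/ipv4/conf`; the kernel documents the effective setting for an interface as the maximum of `conf/all` and `conf/<iface>`, so writing `all=0` leaves validation on for any interface whose own value is non-zero, and the same caveat applies to the new `DefaultSysctlConfig` entry on the host, where `conf/default` and per-interface values are often already 1 or 2. If the intent is to really turn rp_filter off, keep the per-interface loop (or at least also write `conf/default`); if the intent is `all` only, the doc table's "no source validation" wording overstates the effect, and since this unconditionally relaxes the node's source-address spoofing check the entry deserves a comment stating why pod traffic needs it. The context doc comment above the renamed function still reads `// SysctlRPFilter set rp_filter value for host netns and specify netns`, which is now wrong on the name and on the host claim; suggest `// SetSysctlRPFilter sets net.ipv4.conf.all.rp_filter to value inside netns only; host defaults are applied via DefaultSysctlConfig.` Likewise `EnableIpv6Sysctl` now takes a value that is written verbatim to `disable_ipv6`, so its comment should say that `value` is the disable_ipv6 setting and that 0 enables IPv6; `strconv.Itoa(int(value))` would also replace the reflective `fmt.Sprintf("%v", value)` in both closures.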
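Review bot: Changing `Entry` to `PEntry` marks the dirty-IP-record case (labels G00005 and G00007) pending, so the suite now skips it with no reason recorded in the code. A trailing comment on the `PEntry` line naming the cause and the tracking item, e.g. `// pending: <reason / tracking-issue placeholder>`, keeps the disabled coverage visible to the next reader. The enclosing DescribeTable starts outside the hunk.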