From a4939a293df1114b05a76ced66a67d811fb29485 Mon Sep 17 00:00:00 2001
From: Michal Opala
Date: Tue, 29 Oct 2024 15:15:45 +0100
Subject: [PATCH] M #-: Change tproxy strategy for handling ARP requests (#3279)
- Prevent ARP requests from reaching other HVs
- Rename incorrectly named "comm" to "cmdline"
(cherry picked from commit 0bd451171fb6551f8dc8f7d5b38ab6ec9f6a9cef)
---
 src/vnm_mad/remotes/lib/tproxy | 10 +++++-----
 src/vnm_mad/remotes/lib/tproxy.rb | 23 +++++++++--------------
 2 files changed, 14 insertions(+), 19 deletions(-)
diff --git a/src/vnm_mad/remotes/lib/tproxy b/src/vnm_mad/remotes/lib/tproxy
index 20b302a1bb..1fe0202ef8 100755
--- a/src/vnm_mad/remotes/lib/tproxy
+++ b/src/vnm_mad/remotes/lib/tproxy
@@ -326,8 +326,8 @@ module VNMMAD
 class Daemon
- def initialize(comm)
- @comm = comm
+ def initialize(cmdline)
+ @cmdline = cmdline
 end
 def run(argv = ARGV.dup, &block)
@@ -346,13 +346,13 @@ module VNMMAD
 end
 if pid.nil? && ['start', 'restart'].include?(argv[0])
 fork do
- $0 = @comm
+ $0 = @cmdline
 Process.setsid
 $stdin.reopen '/dev/null'
- $stdout.reopen "#{LOG_LOCATION}/#{@comm}.log", 'a'
+ $stdout.reopen "#{LOG_LOCATION}/#{@cmdline}.log", 'a'
 $stdout.sync = true
 $stderr.reopen $stdout
@@ -369,7 +369,7 @@ module VNMMAD
 o, _, s = Open3.capture3 'ps', '--no-headers', '-wwo', 'pid,cmd', '-C', 'ruby'
 o.lines
 .map {|line| line.strip.split(' ', 2) }
- .find {|_, cmd| cmd == @comm } if s.success?
+ .find {|_, cmd| cmd == @cmdline } if s.success?
 end
 end
diff --git a/src/vnm_mad/remotes/lib/tproxy.rb b/src/vnm_mad/remotes/lib/tproxy.rb
index a733f69bfb..24f22d55d9 100644
--- a/src/vnm_mad/remotes/lib/tproxy.rb
+++ b/src/vnm_mad/remotes/lib/tproxy.rb
@@ -90,28 +90,23 @@ module VNMMAD
 ip_netns_exec(brdev, "ip route replace default dev #{brdev}a")
- veth_mac = ip_netns_exec(brdev,
- "ip -j link show dev #{brdev}a",
- :expect_json => true).dig(0, 0, 'address')
-
- # This is required to avoid 169.254.16.9 address conflicts in case of VNETs
- # used on multiple different HV hosts are attached to multiple guest VMs.
- # Basically, we short-circuit any 169.254.16.9 communication and
- # forcefully redirect every packet destined to 169.254.16.9 to be handled
- # locally (regardless of the actual ARP resolution in guest VMs).
+ # Prevent ARP requests from being propagated to other HV machines.
+ # It reduces network traffic and ensures that the closest HV handles
+ # proxied packets.
 nft(ERB.new(<<~NFT).result(binding))
 table bridge one_tproxy {
 chain ch_<%= brdev %> {
- type filter hook prerouting priority dstnat; policy accept;
+ type filter hook forward priority filter; policy accept;
 };
 };
 flush chain bridge one_tproxy ch_<%= brdev %>;
 table bridge one_tproxy {
 chain ch_<%= brdev %> {
 meta ibrname "<%= brdev %>" \
- ip daddr 169.254.16.9 \
- meta pkttype set host ether daddr set <%= veth_mac %> \
- accept;
+ oifname != "<%= brdev %>b" \
+ arp operation request \
+ arp daddr ip 169.254.16.9 \
+ drop;
 };
 };
 NFT
@@ -149,7 +144,7 @@ module VNMMAD
 nft(ERB.new(<<~NFT).result(binding))
 table bridge one_tproxy {
 chain ch_<%= brdev %> {
- type filter hook prerouting priority dstnat; policy accept;
+ type filter hook forward priority filter; policy accept;
 };
 };
 delete chain bridge one_tproxy ch_<%= brdev %>;
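Review bot: The new rule in the first hunk drops only `arp operation request` frames leaving the bridge on ports other than `<%= brdev %>b`, so the property the removed comment documented — 169.254.16.9 traffic is handled locally "regardless of the actual ARP resolution in guest VMs" — no longer holds: an ARP reply or unsolicited announcement for 169.254.16.9 arriving from another bridge port is still forwarded and would steer guest traffic away from the local proxy, which also weakens the address-conflict protection the old comment described. The replacement comment should record this dependency, e.g. `# NOTE: correctness now relies on guests resolving 169.254.16.9 to the local <brdev>b veth; only ARP requests are filtered, replies are not.`, or the chain could additionally drop replies not originating from the veth, e.g. `iifname != "<%= brdev %>b" arp operation reply arp saddr ip 169.254.16.9 drop`. The hook change (`prerouting priority dstnat` to `forward priority filter`) is repeated in the cleanup chain declaration at @@ -149; on a host upgraded in place, a `ch_<%= brdev %>` chain left behind with the old hook may conflict with the re-declaration in the first `table` statement before the `flush chain` runs — worth confirming how `nft` handles that. The enclosing methods start and end outside both hunks.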