
Firewall rules prevent IPIP/IP6IP6 encapsulated traffic from reaching realservers
Closed, Resolved (Public)

Description

As can be seen in /var/log/ulogd/syslog.log:

ncredir4001 ulogd[967151]: [fw-in-drop] IN=ens13 OUT= MAC=aa:00:00:39:c6:fc:84:16:0c:df:11:70:86:dd SRC=100::fd1f:0 DST=2620:0:863:101:10:128:0:32 LEN=108 TC=0 HOPLIMIT=54 FLOWLBL=0 PROTO=41 MARK=0x0 
ncredir4001 ulogd[967151]: [fw-in-drop] IN=ens13 OUT= MAC=aa:00:00:39:c6:fc:84:16:0c:df:11:70:08:00 SRC=172.16.224.11 DST=10.128.0.32 LEN=60 TOS=00 PREC=0x00 TTL=56 ID=0 DF PROTO=4 MARK=0x0

The host firewall was stopping ncredir from being able to serve traffic inbound via IPIP/IP6IP6 tunnels.

Due to ipip-multiqueue-optimizer, the source address is going to be 172.16/10 on IPv4 and 0100::/64 on IPv6:

// RFC1918: we are going to use 172.16/10 as our src (4268 is 172.16 in BE)
// for ipip header
#define IPIP_V4_PREFIX 4268
// RFC 6666: we are going to use 0100::/64 discard prefix as our src
// for ip(6)ip6 header
#define IPIP_V6_PREFIX1 1
#define IPIP_V6_PREFIX2 0
#define IPIP_V6_PREFIX3 0

On IPIP (IPv4) packets, proto is set to 4 (ipencap), and on IP6IP6 packets it is set to 41 (IPv6). Unless we inspect the inner headers, source and destination port are 0.

Event Timeline

Vgutierrez moved this task from Backlog to Traffic team actively servicing on the Traffic board.

Using the syntax of good old iptables, this should work:

iptables -A INPUT -s 172.16.0.0/10 -p ipencap -j ACCEPT
ip6tables -A INPUT -s 0100::/64 -p ipv6 -j ACCEPT

resulting in:

$ ip6tables -L INPUT -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     41   --  100::/64             ::/0                
$ iptables -L INPUT -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     4    --  172.0.0.0/10         0.0.0.0/0 
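The classification laid out in the task description (proto 4 from 172.16/10, proto 41 from 0100::/64, ports 0 until the inner header is inspected) and the ACCEPT rules proposed in the comment above, run over sample ulogd lines as an added example; this is not code from the task, from ipip-multiqueue-optimizer or from the Puppet change. It parses the NFLOG KEY=VALUE format, decides per dropped packet whether the proposed rules would have matched it, and uses Python's ipaddress module to show why the listing prints 172.0.0.0/10 for a rule written as 172.16.0.0/10 (ipaddress with strict=False and iptables both clear the host bits beyond the mask). The sample log is constructed from the two lines quoted in the task plus two made-up lines for the non-matching cases; the class labels and all function names are this example's own.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# IP protocol numbers as they show up in the ulogd PROTO= field
PROTO_IPENCAP = 4   # IPv4-in-IPv4, "ipencap" in iptables -p
PROTO_IPV6 = 41     # IPv6 encapsulation, "ipv6" in ip6tables -p

# Outer source prefixes the encapsulator is described as using.
# strict=False masks off host bits, which is what iptables does too.
IPIP_V4_SRC = ip_network("172.16.0.0/10", strict=False)
IPIP_V6_SRC = ip_network("0100::/64", strict=False)

# Constructed sample log: the two lines quoted in the task, plus two
# made-up lines (TEST-NET addresses) for the cases the rules should not match.
SAMPLE_LOG = """\
ncredir4001 ulogd[967151]: [fw-in-drop] IN=ens13 OUT= MAC=aa:00:00:39:c6:fc:84:16:0c:df:11:70:86:dd SRC=100::fd1f:0 DST=2620:0:863:101:10:128:0:32 LEN=108 TC=0 HOPLIMIT=54 FLOWLBL=0 PROTO=41 MARK=0x0
ncredir4001 ulogd[967151]: [fw-in-drop] IN=ens13 OUT= MAC=aa:00:00:39:c6:fc:84:16:0c:df:11:70:08:00 SRC=172.16.224.11 DST=10.128.0.32 LEN=60 TOS=00 PREC=0x00 TTL=56 ID=0 DF PROTO=4 MARK=0x0
ncredir4001 ulogd[967151]: [fw-in-drop] IN=ens13 OUT= MAC=aa:00:00:39:c6:fc:84:16:0c:df:11:70:08:00 SRC=198.51.100.7 DST=10.128.0.32 LEN=60 TOS=00 PREC=0x00 TTL=56 ID=0 DF PROTO=4 MARK=0x0
ncredir4001 ulogd[967151]: [fw-in-drop] IN=ens13 OUT= MAC=aa:00:00:39:c6:fc:84:16:0c:df:11:70:08:00 SRC=203.0.113.9 DST=10.128.0.32 LEN=60 TOS=00 PREC=0x00 TTL=56 ID=0 DF PROTO=6 SPT=44321 DPT=22 MARK=0x0
"""

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_ulogd(line):
    """Return the KEY=VALUE fields of one ulogd NFLOG line as a dict."""
    return dict(KV_RE.findall(line))


def classify(fields):
    """Classify a dropped packet by outer protocol and outer source prefix.

    'ipip' / 'ip6ip6': encapsulated traffic the proposed ACCEPT rules match.
    'encap-unexpected-src': encapsulated, but from outside the expected
    prefix, so the proposed rules would still (correctly) let it be dropped.
    'other': anything else, e.g. ordinary TCP.
    """
    proto = int(fields.get("PROTO", 0))
    src = ip_address(fields["SRC"])
    if proto == PROTO_IPENCAP and src.version == 4:
        return "ipip" if src in IPIP_V4_SRC else "encap-unexpected-src"
    if proto == PROTO_IPV6 and src.version == 6:
        return "ip6ip6" if src in IPIP_V6_SRC else "encap-unexpected-src"
    return "other"


def summarize_drops(log_text):
    """Count [fw-in-drop] lines per class; returns a plain dict."""
    counts = Counter()
    for line in log_text.splitlines():
        if "[fw-in-drop]" not in line:
            continue
        counts[classify(parse_ulogd(line))] += 1
    return dict(counts)


def normalized_network(cidr):
    """The network as iptables lists it: host bits beyond the mask cleared."""
    return str(ip_network(cidr, strict=False))


if __name__ == "__main__":
    print(summarize_drops(SAMPLE_LOG))
    for cidr in ("172.16.0.0/10", "0100::/64"):
        print(f"{cidr} -> {normalized_network(cidr)}")
```

Running it prints the per-class split and the normalized prefixes. One thing the normalization makes visible: 172.16.0.0/10 becomes 172.0.0.0/10, which spans 172.0.0.0 through 172.63.255.255, whereas the RFC 1918 private block is 172.16.0.0/12. The firewall rule faithfully matches whatever outer source prefix the encapsulator stamps, so whether the wider /10 is intended is a property of the encapsulator's prefix choice rather than of the rule itself.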

Change 977997 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] ncredir: Allow IPIP/IP6IP6 inbound traffic

https://gerrit.wikimedia.org/r/977997

Change 977997 merged by Vgutierrez:

[operations/puppet@production] ncredir: Allow IPIP/IP6IP6 inbound traffic

https://gerrit.wikimedia.org/r/977997