
Commit e3bfb23

committed
fix: make ingress firewall filter traffic to nodeports
This fixes #10347. The core issue was that the Talos nftables chain had priority 0 (`filter`), while kube-proxy does DNAT for node ports at priority -110 (before Talos can see the source traffic), so the Talos rule doesn't match. Move the Talos priority to -140, so it runs before kube-proxy. Signed-off-by: Andrey Smirnov <[email protected]> (cherry picked from commit 9463ac2)
1 parent 6d0db51 commit e3bfb23


3 files changed

+9
-3
lines changed


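--- a/hack/release.toml
+++ b/hack/release.toml
@@ -22,6 +22,12 @@ preface = """
 * Flannel: 0.26.4
 
 Talos is built with Go 1.23.6.
+"""
+
+[notes.ingress-firewall]
+title = "Ingress Firewall"
+description = """\
+Talos Ingress Firewall now filters access to Kubernetes NodePort services correctly.
 """
 
 [make_deps]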

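--- a/internal/app/machined/pkg/controllers/network/nftables_chain_config.go
+++ b/internal/app/machined/pkg/controllers/network/nftables_chain_config.go
@@ -83,7 +83,7 @@ func (ctrl *NfTablesChainConfigController) Run(ctx context.Context, r controller
 
 spec.Type = nethelpers.ChainTypeFilter
 spec.Hook = nethelpers.ChainHookInput
-spec.Priority = nethelpers.ChainPriorityFilter
+spec.Priority = nethelpers.ChainPriorityMangle + 10
 spec.Policy = nethelpers.VerdictAccept
 
 // preamble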
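Review bot: `spec.Priority = nethelpers.ChainPriorityMangle + 10` encodes an ordering dependency on kube-proxy that only the commit message explains, so the `+ 10` reads as a magic number in the code. Add a comment on that line such as `// -140: run ahead of kube-proxy's NodePort DNAT (priority -110, see #10347) so the rule still matches the original destination port`. nftables priorities only order chains registered on the same hook, and this chain is on `ChainHookInput`; the comment should therefore also name the kube-proxy chain and hook it is meant to precede, and if that DNAT happens on a different hook the priority alone may not be what makes the match work, which is worth confirming with a regression test for #10347. Because the test file repeats the same `ChainPriorityMangle+10` arithmetic, a named constant in nethelpers (e.g. `ChainPriorityIngressFirewall`, placeholder name) would give the value one home. The enclosing Run method starts and ends outside the hunk.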

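--- a/internal/app/machined/pkg/controllers/network/nftables_chain_config_test.go
+++ b/internal/app/machined/pkg/controllers/network/nftables_chain_config_test.go
@@ -87,7 +87,7 @@ func (suite *NfTablesChainConfigTestSuite) TestDefaultAccept() {
 spec := chain.TypedSpec()
 
 asrt.Equal(nethelpers.ChainTypeFilter, spec.Type)
-asrt.Equal(nethelpers.ChainPriorityFilter, spec.Priority)
+asrt.Equal(nethelpers.ChainPriorityMangle+10, spec.Priority)
 asrt.Equal(nethelpers.ChainHookInput, spec.Hook)
 asrt.Equal(nethelpers.VerdictAccept, spec.Policy)
 
@@ -165,7 +165,7 @@ func (suite *NfTablesChainConfigTestSuite) TestDefaultBlock() {
 spec := chain.TypedSpec()
 
 asrt.Equal(nethelpers.ChainTypeFilter, spec.Type)
-asrt.Equal(nethelpers.ChainPriorityFilter, spec.Priority)
+asrt.Equal(nethelpers.ChainPriorityMangle+10, spec.Priority)
 asrt.Equal(nethelpers.ChainHookInput, spec.Hook)
 asrt.Equal(nethelpers.VerdictDrop, spec.Policy)
 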
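Review bot: Both updated assertions (`asrt.Equal(nethelpers.ChainPriorityMangle+10, spec.Priority)` in TestDefaultAccept and the identical line in TestDefaultBlock) restate the implementation's arithmetic rather than the value the fix depends on, so a later change to `ChainPriorityMangle` or to the offset would still pass even if the chain no longer runs ahead of kube-proxy. Pin the absolute priority the commit message relies on instead, e.g. `asrt.EqualValues(-140, spec.Priority)` if `asrt` is a testify asserter, with a short comment pointing at #10347. Both test functions begin and end outside the hunks.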
