Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement traffic redirection exclusion based on proxy config and user-provided values #10134

Merged
merged 6 commits into from
Apr 29, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions .changelog/10134.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
```release-note:feature
cli: Add additional flags to the `consul connect redirect-traffic` command to allow excluding inbound and outbound ports,
outbound CIDRs, and additional user IDs from traffic redirection.
```
```release-note:feature
cli: Automatically exclude ports from `envoy_prometheus_bind_addr`, `envoy_stats_bind_addr`, and `ListenerPort` from `Expose` config
from inbound traffic redirection rules if `proxy-id` flag is provided to the `consul connect redirect-traffic` command.
```
```release-note:feature
sdk: Allow excluding inbound and outbound ports, outbound CIDRs, and additional user IDs from traffic redirection in the `iptables` package.
```
88 changes: 77 additions & 11 deletions command/connect/redirecttraffic/redirect_traffic.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@ package redirecttraffic
import (
"flag"
"fmt"
"net"
"strconv"

"github.com/hashicorp/consul/api"
"github.com/hashicorp/consul/command/flags"
Expand Down Expand Up @@ -34,10 +36,14 @@ type cmd struct {
client *api.Client

// Flags.
proxyUID string
proxyID string
proxyInboundPort int
proxyOutboundPort int
proxyUID string
proxyID string
proxyInboundPort int
proxyOutboundPort int
excludeInboundPorts []string
excludeOutboundPorts []string
excludeOutboundCIDRs []string
excludeUIDs []string
}

func (c *cmd) init() {
Expand All @@ -48,6 +54,14 @@ func (c *cmd) init() {
c.flags.IntVar(&c.proxyInboundPort, "proxy-inbound-port", 0, "The inbound port that the proxy is listening on.")
c.flags.IntVar(&c.proxyOutboundPort, "proxy-outbound-port", iptables.DefaultTProxyOutboundPort,
"The outbound port that the proxy is listening on. When not provided, 15001 is used by default.")
c.flags.Var((*flags.AppendSliceValue)(&c.excludeInboundPorts), "exclude-inbound-port",
"Inbound port to exclude from traffic redirection. May be provided multiple times.")
c.flags.Var((*flags.AppendSliceValue)(&c.excludeOutboundPorts), "exclude-outbound-port",
"Outbound port to exclude from traffic redirection. May be provided multiple times.")
c.flags.Var((*flags.AppendSliceValue)(&c.excludeOutboundCIDRs), "exclude-outbound-cidr",
"Outbound CIDR to exclude from traffic redirection. May be provided multiple times.")
c.flags.Var((*flags.AppendSliceValue)(&c.excludeUIDs), "exclude-uid",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it be valuable to also be able to exclude GIDs?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it could be. The main reason we're adding this is to better support the VM use case when you might want to exclude other processes/uids/gids from traffic redirection. I'm inclined to wait for users' feedback on this one because I'm not sure what would be valuable there.

"Additional user ID to exclude from traffic redirection. May be provided multiple times.")

c.http = &flags.HTTPFlags{}
flags.Merge(c.flags, c.http.ClientFlags())
Expand Down Expand Up @@ -105,12 +119,18 @@ func (c *cmd) Help() string {
// with only the configuration values that we need to parse from Proxy.Config
// to apply traffic redirection rules.
type trafficRedirectProxyConfig struct {
BindPort int `mapstructure:"bind_port"`
BindPort int `mapstructure:"bind_port"`
PrometheusBindAddr string `mapstructure:"envoy_prometheus_bind_addr"`
StatsBindAddr string `mapstructure:"envoy_stats_bind_addr"`
}

// generateConfigFromFlags generates iptables.Config based on command flags.
func (c *cmd) generateConfigFromFlags() (iptables.Config, error) {
cfg := iptables.Config{ProxyUserID: c.proxyUID}
cfg := iptables.Config{
ProxyUserID: c.proxyUID,
ProxyInboundPort: c.proxyInboundPort,
ProxyOutboundPort: c.proxyOutboundPort,
}

// When proxyID is provided, we set up cfg with values
// from proxy's service registration in Consul.
Expand All @@ -132,21 +152,67 @@ func (c *cmd) generateConfigFromFlags() (iptables.Config, error) {
return iptables.Config{}, fmt.Errorf("service %s is not a proxy service", c.proxyID)
}

cfg.ProxyInboundPort = svc.Port
// Decode proxy's opaque config so that we can use it later to configure
// traffic redirection with iptables.
var trCfg trafficRedirectProxyConfig
if err := mapstructure.WeakDecode(svc.Proxy.Config, &trCfg); err != nil {
return iptables.Config{}, fmt.Errorf("failed parsing Proxy.Config: %s", err)
}

// Set the proxy's inbound port.
cfg.ProxyInboundPort = svc.Port
if trCfg.BindPort != 0 {
cfg.ProxyInboundPort = trCfg.BindPort
}

// todo: Change once it's configurable
// Set the proxy's outbound port.
cfg.ProxyOutboundPort = iptables.DefaultTProxyOutboundPort
} else {
cfg.ProxyInboundPort = c.proxyInboundPort
cfg.ProxyOutboundPort = c.proxyOutboundPort
if svc.Proxy.TransparentProxy != nil && svc.Proxy.TransparentProxy.OutboundListenerPort != 0 {
cfg.ProxyOutboundPort = svc.Proxy.TransparentProxy.OutboundListenerPort
}

// Exclude envoy_prometheus_bind_addr port from inbound redirection rules.
if trCfg.PrometheusBindAddr != "" {
_, port, err := net.SplitHostPort(trCfg.PrometheusBindAddr)
if err != nil {
return iptables.Config{}, fmt.Errorf("failed parsing host and port from envoy_prometheus_bind_addr: %s", err)
}

cfg.ExcludeInboundPorts = append(cfg.ExcludeInboundPorts, port)
}

// Exclude envoy_stats_bind_addr port from inbound redirection rules.
if trCfg.StatsBindAddr != "" {
_, port, err := net.SplitHostPort(trCfg.StatsBindAddr)
if err != nil {
return iptables.Config{}, fmt.Errorf("failed parsing host and port from envoy_stats_bind_addr: %s", err)
}

cfg.ExcludeInboundPorts = append(cfg.ExcludeInboundPorts, port)
}

// Exclude the ListenerPort from Expose configs from inbound traffic redirection.
for _, exposePath := range svc.Proxy.Expose.Paths {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One thing I'm realizing is missing is this bit of magic:
https://www.consul.io/docs/connect/registration/service-registration#checks

If someone enables this, Consul will dynamically expose checks on a listener for each check:

func (a *Agent) listenerPortLocked(svcID structs.ServiceID, checkID structs.CheckID) (int, error) {

We don't expose what port is allocated in any of our APIs, similarly to how we don't expose check definitions via any of our APIs, only check statuses. See this comment for more information on why: #7330 (comment)

There are a few potential solutions to discover those ports off the top of my head:

  1. Expand the structs.HealthCheck type to include the exposed path.
  2. Add a Meta map to checks, like we have for services, and include the exposed path there.
  3. Include all check definition details in structs.HealthCheck. That comes with the security risk mentioned above.

Copy link
Contributor

@freddygv freddygv Apr 28, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So based on the discussion today we should go with #1.

The exposed ports are generated in a few places.

One is where we add checks:

port, err := a.listenerPortLocked(sid, cid)

port, err := a.listenerPortLocked(sid, cid)

In addCheck it's easy to expand the HealthCheck type, since we already have the check pointer to it.

And the other is where we add services with checks:

func (a *Agent) rerouteExposedChecks(serviceID structs.ServiceID, proxyAddr string) error {

func (a *Agent) resetExposedChecks(serviceID structs.ServiceID) {

In these two other methods we'll need to query a.State.Check, I think, and modify that. (Assuming the state lock is held)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a great find! Let me address this in a separate PR so that this one can be included in beta2.

if exposePath.ListenerPort != 0 {
cfg.ExcludeInboundPorts = append(cfg.ExcludeInboundPorts, strconv.Itoa(exposePath.ListenerPort))
}
}
}

for _, port := range c.excludeInboundPorts {
cfg.ExcludeInboundPorts = append(cfg.ExcludeInboundPorts, port)
}

for _, port := range c.excludeOutboundPorts {
cfg.ExcludeOutboundPorts = append(cfg.ExcludeOutboundPorts, port)
}

for _, cidr := range c.excludeOutboundCIDRs {
cfg.ExcludeOutboundCIDRs = append(cfg.ExcludeOutboundCIDRs, cidr)
}

for _, uid := range c.excludeUIDs {
cfg.ExcludeUIDs = append(cfg.ExcludeUIDs, uid)
}

return cfg, nil
Expand Down
Loading