Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable UDP protocol in iptable scanning #7762

Open
Nino-K opened this issue Nov 13, 2024 · 3 comments
Open

Enable UDP protocol in iptable scanning #7762

Nino-K opened this issue Nov 13, 2024 · 3 comments
Assignees
@Nino-K
Labels
area/networking area/wsl WSL integration

Comments

@Nino-K
Copy link
Member

Nino-K commented Nov 13, 2024

As of this PR we have enabled iptables scanning for some of the entries in CNI-DN. However, using the lima's iptable's scanning code it can only return a boolean for TCP as discussed here.. As part of this issue, we should investigate how the entries in CNI-DN are created and how to enable UDP since the current condition only checks for TCP.
@Nino-K Nino-K added area/networking area/wsl WSL integration labels Nov 13, 2024
@Nino-K Nino-K self-assigned this Nov 13, 2024
@mikeseese
Copy link
Contributor

I have not found a specific clarification of if there are options other than TCP but after looking at the CNI port map plugin, a -p option is always provided. The regex pattern used to ultimately create the TCP bool condition looks for the inclusion of -p tcp to set that bool. So if -p tcp is not found, then -p <something else> must be specified (the regex wouldn't match otherwise and the CNI portmap plugin code linked also specifies that it always provides the -p option).

While yes, there are many other protocols at the transport layer, I feel like assuming !TCP == UDP would be a value add and not detrimental of the assumption was wrong; because otherwise the protocol wouldn't succeed because it's not TCP or UDP (in which case, would still not work since it's not TCP).

I'd love to have this feature in as it's blocking a customer from remotely accessing UDP game servers running in the K3S cluster via RD.

There is a simple fix to lima to add another boolean for UDP if you're not keen on making the above assumption.

@mikeseese
Copy link
Contributor

I got this assumption working and made an installer to unblock my customer.

I tested this with this TCP/UDP echo server:

apiVersion: v1
kind: Pod
metadata:
  name: echo-server
  namespace: realm-default
spec:
  containers:
    - name: echo-server
      image: vhiribarren/echo-server
      imagePullPolicy: IfNotPresent
      ports:
        - containerPort: 4001
          hostPort: 12345
          protocol: UDP
        - containerPort: 5001
          hostPort: 12346
          protocol: TCP
      resources:
        limits:
          cpu: 50m
          memory: 128Mi
        requests:
          cpu: 50m
          memory: 128Mi

and used this JS port of nc to test it. I also saw the UDP port mapped properly using TCP Viewer.

@Nino-K
Copy link
Member Author

Nino-K commented Feb 19, 2025

I have not found a specific clarification of if there are options other than TCP but after looking at the CNI port map plugin, a -p option is always provided. The regex pattern used to ultimately create the TCP bool condition looks for the inclusion of -p tcp to set that bool. So if -p tcp is not found, then -p <something else> must be specified (the regex wouldn't match otherwise and the CNI portmap plugin code linked also specifies that it always provides the -p option).

@mikeseese that's a good point, let me investigate a bit further, we could potentially take the approach you suggested here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Nino-K Nino-K

Labels
area/networking area/wsl WSL integration
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mikeseese @Nino-K