diff --git a/internal/app/machined/pkg/controllers/kubespan/manager.go b/internal/app/machined/pkg/controllers/kubespan/manager.go
index 1ca0e473d3..33670c8ef4 100644
--- a/internal/app/machined/pkg/controllers/kubespan/manager.go
+++ b/internal/app/machined/pkg/controllers/kubespan/manager.go
@@ -378,6 +378,7 @@ func (ctrl *ManagerController) Run(ctx context.Context, r controller.Runtime, lo
 },
 Verdict: pointer.To(nethelpers.VerdictAccept),
 },
+ // Mark packets to be sent over the KubeSpan link.
 {
 MatchDestinationAddress: &network.NfTablesAddressMatch{
 IncludeSubnets: allowedIPsSet.Prefixes(),
@@ -388,6 +389,18 @@ func (ctrl *ManagerController) Run(ctx context.Context, r controller.Runtime, lo
 },
 Verdict: pointer.To(nethelpers.VerdictAccept),
 },
+ // Mark incoming packets from the KubeSpan link for rp_filter to find the correct routing table.
+ {
+ MatchIIfName: &network.NfTablesIfNameMatch{
+ InterfaceNames: []string{constants.KubeSpanLinkName},
+ Operator: nethelpers.OperatorEqual,
+ },
+ SetMark: &network.NfTablesMark{
+ Mask: ^uint32(constants.KubeSpanDefaultFirewallMask),
+ Xor: constants.KubeSpanDefaultForceFirewallMark,
+ },
+ Verdict: pointer.To(nethelpers.VerdictAccept),
+ },
 }
 
 return nil
diff --git a/internal/app/machined/pkg/controllers/runtime/kernel_param_defaults.go b/internal/app/machined/pkg/controllers/runtime/kernel_param_defaults.go
index 467e5276d4..41eb8e235c 100644
--- a/internal/app/machined/pkg/controllers/runtime/kernel_param_defaults.go
+++ b/internal/app/machined/pkg/controllers/runtime/kernel_param_defaults.go
@@ -120,6 +120,11 @@ func (ctrl *KernelParamDefaultsController) getKernelParams() []*kernel.Param {
 Key: "proc.sys.net.ipv4.tcp_keepalive_intvl",
 Value: "60",
 },
+ // Consider fwmark for rp_filter routing table lookup.
+ {
+ Key: "proc.sys.net.ipv4.conf.kubespan.src_valid_mark",
+ Value: "1",
+ },
 {
 Key: "proc.sys.kernel.panic",
 Value: "10",
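Review bot: The new ingress rule in the second hunk only works together with the `src_valid_mark` sysctl added in kernel_param_defaults.go, and nothing in the comment records that coupling, so a later reader can drop either half without noticing the other breaks. I would extend the comment to `// Mark incoming packets from the KubeSpan link so that rp_filter, with net.ipv4.conf.<link>.src_valid_mark=1, resolves the reverse path through the KubeSpan routing table instead of the main table (see KernelParamDefaultsController).` and also state that the Mask/Xor pair deliberately clears only the firewall-mask bits, leaving any other mark bits on the packet untouched. Whether this chain is attached to a hook that actually sees inbound packets cannot be confirmed from the hunk; the Run method, including the chain definition, starts and ends outside it.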
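Review bot: The sysctl key hard-codes the interface name as `kubespan` while the nftables rule in manager.go selects the link via `constants.KubeSpanLinkName`; if the two ever diverge, the setting silently lands on a non-existent interface and rp_filter starts dropping tunnel traffic again. Building the key as `Key: "proc.sys.net.ipv4.conf." + constants.KubeSpanLinkName + ".src_valid_mark",` keeps them in lockstep, assuming the constants package is importable from this controller. A per-interface path under `net.ipv4.conf.<if>` also exists only once the link exists, so if this controller applies defaults before the KubeSpan link is created the write may fail or be skipped; I cannot see the apply logic from the hunk, so please confirm how a missing path is handled, and prefer keeping the setting per-interface rather than widening it to `conf.all` to limit the scope of mark-based reverse-path decisions. The enclosing getKernelParams starts and ends outside the hunk.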