From de101ea4d9b476c1587329d337b5a11af379ac51 Mon Sep 17 00:00:00 2001
From: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Date: Mon, 30 Dec 2024 11:21:51 +0100
Subject: [PATCH] fix: fix reverse routing for KubeSpan

This allows it to not come down when rp_filter is enabled.
Fixes #9814

Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
---
 .../machined/pkg/controllers/kubespan/manager.go    | 13 +++++++++++++
 .../controllers/runtime/kernel_param_defaults.go    |  5 +++++
 2 files changed, 18 insertions(+)

diff --git a/internal/app/machined/pkg/controllers/kubespan/manager.go b/internal/app/machined/pkg/controllers/kubespan/manager.go
index 1ca0e473d3..33670c8ef4 100644
--- a/internal/app/machined/pkg/controllers/kubespan/manager.go
+++ b/internal/app/machined/pkg/controllers/kubespan/manager.go
@@ -378,6 +378,7 @@ func (ctrl *ManagerController) Run(ctx context.Context, r controller.Runtime, lo
 						},
 						Verdict: pointer.To(nethelpers.VerdictAccept),
 					},
+					// Mark packets to be sent over the KubeSpan link.
 					{
 						MatchDestinationAddress: &network.NfTablesAddressMatch{
 							IncludeSubnets: allowedIPsSet.Prefixes(),
@@ -388,6 +389,18 @@ func (ctrl *ManagerController) Run(ctx context.Context, r controller.Runtime, lo
 						},
 						Verdict: pointer.To(nethelpers.VerdictAccept),
 					},
+					// Mark incoming packets from the KubeSpan link for rp_filter to find the correct routing table.
+					{
+						MatchIIfName: &network.NfTablesIfNameMatch{
+							InterfaceNames: []string{constants.KubeSpanLinkName},
+							Operator:       nethelpers.OperatorEqual,
+						},
+						SetMark: &network.NfTablesMark{
+							Mask: ^uint32(constants.KubeSpanDefaultFirewallMask),
+							Xor:  constants.KubeSpanDefaultForceFirewallMark,
+						},
+						Verdict: pointer.To(nethelpers.VerdictAccept),
+					},
 				}
 
 				return nil
diff --git a/internal/app/machined/pkg/controllers/runtime/kernel_param_defaults.go b/internal/app/machined/pkg/controllers/runtime/kernel_param_defaults.go
index 467e5276d4..41eb8e235c 100644
--- a/internal/app/machined/pkg/controllers/runtime/kernel_param_defaults.go
+++ b/internal/app/machined/pkg/controllers/runtime/kernel_param_defaults.go
@@ -120,6 +120,11 @@ func (ctrl *KernelParamDefaultsController) getKernelParams() []*kernel.Param {
 			Key:   "proc.sys.net.ipv4.tcp_keepalive_intvl",
 			Value: "60",
 		},
+		// Consider fwmark for rp_filter routing table lookup.
+		{
+			Key:   "proc.sys.net.ipv4.conf.kubespan.src_valid_mark",
+			Value: "1",
+		},
 		{
 			Key:   "proc.sys.kernel.panic",
 			Value: "10",