github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-23 11:50:44 +00:00
Code Issues Projects Releases Wiki Activity

Do not set sysctlRouteLocalnet (CVE-2020-8558)

Browse Source 
Signed-off-by: Laurent Bernaille <laurent.bernaille@datadoghq.com>
This commit is contained in:
Laurent Bernaille 2020-07-09 19:08:17 +02:00
parent c66576b212
commit 15439148da
No known key found for this signature in database
GPG Key ID: 382970648224EF01
1 changed files with 0 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
pkg/proxy/ipvs/proxier.go
View File

@ -190,7 +190,6 @@ var ipsetWithIptablesChain = []struct {
} }
// In IPVS proxy mode, the following flags need to be set // In IPVS proxy mode, the following flags need to be set
const sysctlRouteLocalnet = "net/ipv4/conf/all/route_localnet"
const sysctlBridgeCallIPTables = "net/bridge/bridge-nf-call-iptables" const sysctlBridgeCallIPTables = "net/bridge/bridge-nf-call-iptables"
const sysctlVSConnTrack = "net/ipv4/vs/conntrack" const sysctlVSConnTrack = "net/ipv4/vs/conntrack"
const sysctlConnReuse = "net/ipv4/vs/conn_reuse_mode" const sysctlConnReuse = "net/ipv4/vs/conn_reuse_mode"
@ -361,11 +360,6 @@ func NewProxier(ipt utiliptables.Interface,
nodePortAddresses []string, nodePortAddresses []string,
kernelHandler KernelHandler, kernelHandler KernelHandler,
) (*Proxier, error) { ) (*Proxier, error) {
// Set the route_localnet sysctl we need for
if err := utilproxy.EnsureSysctl(sysctl, sysctlRouteLocalnet, 1); err != nil {
return nil, err
}
// Proxy needs br_netfilter and bridge-nf-call-iptables=1 when containers // Proxy needs br_netfilter and bridge-nf-call-iptables=1 when containers
// are connected to a Linux bridge (but not SDN bridges). Until most // are connected to a Linux bridge (but not SDN bridges). Until most
// plugins handle this, log when config is missing // plugins handle this, log when config is missing