github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-28 14:07:14 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #92938 from DataDog/lbernail/CVE-2020-8558

Browse Source 
Do not set sysctlRouteLocalnet (CVE-2020-8558)
This commit is contained in:
Kubernetes Prow Robot 2021-01-11 17:38:24 -08:00 committed by GitHub
commit 5e22f7fead
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 0 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
pkg/proxy/ipvs/proxier.go
View File

@ -190,7 +190,6 @@ var ipsetWithIptablesChain = []struct {
} }
// In IPVS proxy mode, the following flags need to be set // In IPVS proxy mode, the following flags need to be set
const sysctlRouteLocalnet = "net/ipv4/conf/all/route_localnet"
const sysctlBridgeCallIPTables = "net/bridge/bridge-nf-call-iptables" const sysctlBridgeCallIPTables = "net/bridge/bridge-nf-call-iptables"
const sysctlVSConnTrack = "net/ipv4/vs/conntrack" const sysctlVSConnTrack = "net/ipv4/vs/conntrack"
const sysctlConnReuse = "net/ipv4/vs/conn_reuse_mode" const sysctlConnReuse = "net/ipv4/vs/conn_reuse_mode"
@ -361,11 +360,6 @@ func NewProxier(ipt utiliptables.Interface,
nodePortAddresses []string, nodePortAddresses []string,
kernelHandler KernelHandler, kernelHandler KernelHandler,
) (*Proxier, error) { ) (*Proxier, error) {
// Set the route_localnet sysctl we need for
if err := utilproxy.EnsureSysctl(sysctl, sysctlRouteLocalnet, 1); err != nil {
return nil, err
}
// Proxy needs br_netfilter and bridge-nf-call-iptables=1 when containers // Proxy needs br_netfilter and bridge-nf-call-iptables=1 when containers
// are connected to a Linux bridge (but not SDN bridges). Until most // are connected to a Linux bridge (but not SDN bridges). Until most
// plugins handle this, log when config is missing // plugins handle this, log when config is missing