For very busy TCP connections there is a small possibility of receiving
a TCP RST during the iptables sync.
A default `REJECT` rule is chronologically added before the allow-`RELATED,ESTABLISHED` rule for ingress and
egress connections.
In between the creation of these two rules a connection reset can happen for already established connections.
This commit swaps the order of rule insertion.
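The window described in this commit, as an added illustration that is not kube-router's own code: a toy model of a first-match iptables chain, replaying each `-I`/`-A` step of a sync and checking what verdict an already established flow gets after every step. The rule set and the two insertion orders are constructed for the example; only the relative position of the REJECT and RELATED,ESTABLISHED rules is taken from the commit text.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass
class Packet:
    ctstate: str   # conntrack state as seen by -m conntrack --ctstate
    dport: int

@dataclass
class Rule:
    name: str
    matches: Callable[[Packet], bool]
    target: str

# One sync step: the iptables verb ("-I" inserts at the head, "-A" appends at the tail) and the rule.
Step = Tuple[str, Rule]

def verdict(chain: List[Rule], pkt: Packet, default: str = "RETURN") -> str:
    """First matching rule decides; unmatched traffic falls through to the chain default."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return default

def intermediate_chains(steps: List[Step]):
    """Yield the chain after every command, i.e. each state a live packet can hit mid-sync."""
    chain: List[Rule] = []
    for verb, rule in steps:
        chain.insert(0, rule) if verb == "-I" else chain.append(rule)
        yield list(chain)

def steps_that_reject(steps: List[Step], pkt: Packet) -> List[int]:
    """1-based step numbers after which pkt would be REJECTed (i.e. reset)."""
    return [i for i, c in enumerate(intermediate_chains(steps), 1) if verdict(c, pkt) == "REJECT"]

def final_chain(steps: List[Step]) -> List[Rule]:
    return list(intermediate_chains(steps))[-1]

# Constructed rules: a policy allow, the established-flow allow, and the default reject.
ALLOW_ESTABLISHED = Rule("-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
                         lambda p: p.ctstate in ("RELATED", "ESTABLISHED"), "ACCEPT")
ALLOW_HTTP = Rule("policy: -p tcp --dport 80 -j ACCEPT", lambda p: p.dport == 80, "ACCEPT")
DEFAULT_REJECT = Rule("default -j REJECT", lambda p: True, "REJECT")

# Pre-fix order (constructed): REJECT is in place before the RELATED,ESTABLISHED accept exists.
RACY_ORDER = [("-A", ALLOW_HTTP), ("-A", DEFAULT_REJECT), ("-I", ALLOW_ESTABLISHED)]
# Swapped order: the established-flow accept goes in first, REJECT last; the final chain is identical.
FIXED_ORDER = [("-I", ALLOW_ESTABLISHED), ("-A", ALLOW_HTTP), ("-A", DEFAULT_REJECT)]

if __name__ == "__main__":
    flow = Packet("ESTABLISHED", 5432)
    print("racy order resets the flow after step(s):", steps_that_reject(RACY_ORDER, flow))   # [2]
    print("fixed order resets the flow after step(s):", steps_that_reject(FIXED_ORDER, flow))  # []
```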
In reference to issue #725, we modified kube-router to send
heartbeats before starting policy sync to prevent missing
heartbeats while running iptables commands.
Signed-off-by: Jérôme Poulin <jeromepoulin@gmail.com>
This fixes #642, which causes kube-router to crash on valid network
policies, and also implements support for ingress and egress rules
without a port specified.
* update metrics docs & dashboard
* renamed `namespace` label to `svc_namespace` for service metrics as it would be overwritten by most Prometheus setups
* Made histograms for all the controller sync times for better visualization
* added `controller_routes_sync_time`, `controller_bgp_advertisements_sent` & `controller_policy_chains_sync_time` metrics
* using ipset to manage multiple src CIDRs
* using ipset to manage multiple dst CIDRs
* soft-code the prefix of iptables chain name and ipset name
* gofmt
* Moved code for evaluation of policy peers into separate func to avoid code duplication
* Ensured fallback to policy namespace, if namespaceSelector is not set
* use strconv for converting int64 to string
* change order of pod-fw sync, chain items have to be added before jumping to the chain starts
* added logging of syncversion, decreased logging verbosity+severity for planned chain cleanups
* Instead of clearing the iptables firewall chains for each resync, new chains are now generated side-by-side with the existing ones.
* Chain naming now has an additional component, version, which ensures chain name uniqueness.
* Existing cleanup procedure for stale iptables rules will handle garbage collection of unused chains.