Andrey Smirnov a3f88d2ef5

fix: block NodePort services with ingress firewall ...

The previous fix #10354 was not full/complete.

The problem lies in the fact that `kube-proxy` creates a rule like:

```
chain nat-prerouting {
	type nat hook prerouting priority dstnat; policy accept;
	jump services
}
```

This chain has a prerouting hook, which gets executed before Talos's
input hook, and rewrites (does DNAT) for NodePort services before Talos
has a chance to block the packet, but rewritten packet hits the input
chain with DNAT address, or might be forwarded to another host and never
hit the firewall again.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

2025-02-28 19:56:52 +04:00

..

testdata

fix: block NodePort services with ingress firewall

2025-02-28 19:56:52 +04:00

api.go

feat: add e2e-aws for nvidia extensions

2023-08-24 17:43:36 +05:30

apid.go

chore: bump golangci-lint to 1.57.0

2024-03-21 01:06:53 +03:00

apply-config.go

test: cleanup failed Kubernetes pods

2024-12-16 16:48:30 +04:00

cgroups.go

feat: remove cgroupsv1 in non-container mode

2024-12-18 18:48:11 +04:00

common.go

test: cleanup failed Kubernetes pods

2024-12-16 16:48:30 +04:00

containers.go

fix: update the CRI sandbox image reference

2024-10-28 14:52:19 +04:00

discovery.go

feat: update dependencies

2024-10-17 22:12:50 +04:00

diskusage.go

chore: bump dependencies

2024-08-29 20:44:37 +04:00

dmesg.go

chore: remove <-errCh where possible in grpc methods

2023-08-07 22:28:58 +03:00

etcd-recover.go

test: improve the reset integration tests

2024-04-24 18:35:39 +04:00

etcd.go

test: cleanup failed Kubernetes pods

2024-12-16 16:48:30 +04:00

ethernet.go

feat: implement the last ethtool feature - channels

2025-02-11 15:34:57 +04:00

events.go

refactor: rewrite code to include preliminary support for multi-doc

2023-05-31 18:38:05 +04:00

extensions_nvidia.go

chore: add tests for util-linux extensions

2023-09-05 19:29:50 +05:30

extensions_qemu.go

chore(ci): rework iscsi-tools extensions test

2025-01-20 23:27:10 +05:30

firewall.go

fix: block NodePort services with ingress firewall

2025-02-28 19:56:52 +04:00

generate-config.go

feat: rewrite install disk selector to use CEL expressions

2024-11-11 17:23:15 +04:00

hardware.go

test: fix hardware test not to require PCI devices

2024-06-03 17:20:42 +04:00

logs.go

feat: add auditd service

2024-11-02 22:25:04 +05:30

machine-status.go

chore: re-enable nolintlint and typecheck linters

2023-08-25 01:05:41 +04:00

monitoring.go

feat: display current CPU frequency on dashboard

2024-11-08 12:05:48 +04:00

node-annotations.go

test: use node informer instead of raw watch

2024-12-25 18:52:07 +04:00

node-labels.go

test: use node informer instead of raw watch

2024-12-25 18:52:07 +04:00

node-taints.go

test: use node informer instead of raw watch

2024-12-25 18:52:07 +04:00

pci_driver_rebind.go

feat: pcirebind controller

2024-12-20 17:35:37 +05:30

process.go

feat: remove cgroupsv1 in non-container mode

2024-12-18 18:48:11 +04:00

reboot.go

test: cleanup failed Kubernetes pods

2024-12-16 16:48:30 +04:00

reset.go

chore: code cleanup

2024-11-14 12:25:56 +03:00

resources.go

feat: update dependencies

2024-10-17 22:12:50 +04:00

rotate.go

test: bump timeout on rotate CA test

2025-01-28 18:42:06 +04:00

selinux.go

feat: update Linux to 6.12.1

2024-11-27 23:08:14 +04:00

serviceaccount.go

chore: simplify code

2024-07-08 18:14:00 +03:00

trusted-roots.go

feat: provide machine config document to update trusted CA roots

2024-07-12 19:28:31 +04:00

trustedboot.go

feat: add e2e-aws for nvidia extensions

2023-08-24 17:43:36 +05:30

update-hostname.go

test: cleanup failed Kubernetes pods

2024-12-16 16:48:30 +04:00

version.go

chore: rename talos-systems/talos to siderolabs/talos

2022-11-03 16:50:32 +04:00

volumes.go

feat: provide stable symlinks in disk resources

2025-01-24 18:46:56 +04:00

watchdog.go

chore: better lvm2 tests

2024-10-01 16:08:44 +04:00

wipe.go

chore(ci): add test for OpenEBS MayaStor

2025-01-16 09:47:17 +05:30