From: "Serguei Bezverkhi (sbezverk)" <sbezverk@cisco.com>
To: "netfilter-devel@vger.kernel.org" <netfilter-devel@vger.kernel.org>
Subject: masquerade
Date: Wed, 5 Feb 2020 15:20:54 +0000	[thread overview]
Message-ID: <E019C7FD-C763-465B-A32B-BE35A27C0B7A@cisco.com> (raw)

Hello,

I was addressing the kubernetes hairpin case, when a container connects to itself via an exposed service.

Example: a pod with IP 1.1.1.1 listening on TCP port 8080 and exposed via service 2.2.2.2:8080. If curl is run from inside the pod, like curl http://2.2.2.2:8080, then the packet would first be DNATed to 1.1.1.1:8080 and then its source needs to be masqueraded. In the iptables implementation it seems it is automatically masqueraded to the host's IP, whereas in nftables (all rules are equivalent) the source gets masqueraded into the POD's interface.

I would appreciate it if somebody could confirm this behavior and the difference in masquerading between iptables and nftables for containers.

Thank you
Serguei
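An added example ruleset (not from the mail or the thread) for the scenario described above: the service address 2.2.2.2:8080 is DNATed to the pod 1.1.1.1:8080, and the hairpin case (pod talking to itself through the service) is source-NATed in postrouting. The table and chain names are assumed, and NODE_IP is a placeholder.

```nft
# Added example ruleset for the hairpin case described in the mail.
# Addresses 1.1.1.1 (pod) and 2.2.2.2 (service) come from the mail;
# table and chain names are assumed. Load with: nft -f hairpin.nft
table ip nat {
	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;
		# traffic from other pods or hosts to the service address
		ip daddr 2.2.2.2 tcp dport 8080 dnat to 1.1.1.1:8080
	}
	chain output {
		type nat hook output priority dstnat; policy accept;
		# locally generated traffic on the node to the service address
		ip daddr 2.2.2.2 tcp dport 8080 dnat to 1.1.1.1:8080
	}
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		# hairpin: after DNAT the pod is sending to its own address.
		# Without source NAT the pod answers itself inside its own netns,
		# the reply never passes back through conntrack, and the reverse
		# DNAT to 2.2.2.2 never happens, so the client socket sees a
		# reply from the wrong address and resets.
		# masquerade picks an address of the interface the packet is
		# routed out through, which is the behaviour the mail asks about.
		ip saddr 1.1.1.1 ip daddr 1.1.1.1 masquerade
		# deterministic alternative: pin the source address explicitly
		# (NODE_IP is a placeholder for the address the pod should see)
		# ip saddr 1.1.1.1 ip daddr 1.1.1.1 snat to NODE_IP
	}
}
```

The bridge port of the pod also needs hairpin mode enabled for the packet to come back in on the same port; that is a bridge setting, not part of the nftables ruleset.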


Thread overview: 2+ messages
2020-02-05 15:20 Serguei Bezverkhi (sbezverk) [this message]
2020-02-05 15:41 ` masquerade Florian Westphal