* masquerade
@ 2020-02-05 15:20 Serguei Bezverkhi (sbezverk)
2020-02-05 15:41 ` masquerade Florian Westphal
0 siblings, 1 reply; 2+ messages in thread
From: Serguei Bezverkhi (sbezverk) @ 2020-02-05 15:20 UTC (permalink / raw)
To: netfilter-devel
Hello,
I was addressing kubernetes hairpin case when a container connects to itself via exposed service.
Example pod with ip 1.1.1.1 listening on port tcp 8080 and exposed via service 2.2.2.2:8080, if curl is run from inside the pod, like curl http://2.2.2.2:8080 then the packet would be first dnat to 1.1.1.1:8080 and then its source needs to be masqueraded. In iptables implementation it seems it is automatically masqueraded to host's IP whereas in nftables (all rules are equivalent) source gets masqueraded into POD's interface.
I would appreciate if somebody could confirm this behavior and different in masquerading between iptables and nftables for containers.
Thank you
Serguei
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: masquerade
2020-02-05 15:20 masquerade Serguei Bezverkhi (sbezverk)
@ 2020-02-05 15:41 ` Florian Westphal
0 siblings, 0 replies; 2+ messages in thread
From: Florian Westphal @ 2020-02-05 15:41 UTC (permalink / raw)
To: Serguei Bezverkhi (sbezverk); +Cc: netfilter-devel
Serguei Bezverkhi (sbezverk) <sbezverk@cisco.com> wrote:
> Hello,
>
> I was addressing kubernetes hairpin case when a container connects to itself via exposed service.
>
> Example pod with ip 1.1.1.1 listening on port tcp 8080 and exposed via service 2.2.2.2:8080, if curl is run from inside the pod, like curl http://2.2.2.2:8080 then the packet would be first dnat to 1.1.1.1:8080 and then its source needs to be masqueraded. In iptables implementation it seems it is automatically masqueraded to host's IP whereas in nftables (all rules are equivalent) source gets masqueraded into POD's interface.
>
> I would appreciate if somebody could confirm this behavior and different in masquerading between iptables and nftables for containers.
They have same behaviour. MASQUERADE target (xtables) and nft
masquerade are frontends for the same code.
The address masqueraded to is the primary address of the outgoing interface.
nftables masquerade code:
static void nft_masq_ipv4_eval(const struct nft_expr *expr,
struct nft_regs *regs,
const struct nft_pktinfo *pkt)
{
struct nft_masq *priv = nft_expr_priv(expr);
struct nf_nat_range2 range;
memset(&range, 0, sizeof(range));
range.flags = priv->flags;
if (priv->sreg_proto_min) {
range.min_proto.all = (__force __be16)nft_reg_load16(
®s->data[priv->sreg_proto_min]);
range.max_proto.all = (__force __be16)nft_reg_load16(
®s->data[priv->sreg_proto_max]);
}
regs->verdict.code = nf_nat_masquerade_ipv4(pkt->skb, nft_hook(pkt),
&range, nft_out(pkt));
}
... and xtables one:
static unsigned int
masquerade_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
struct nf_nat_range2 range;
const struct nf_nat_ipv4_multi_range_compat *mr;
mr = par->targinfo;
range.flags = mr->range[0].flags;
range.min_proto = mr->range[0].min;
range.max_proto = mr->range[0].max;
return nf_nat_masquerade_ipv4(skb, xt_hooknum(par), &range,
xt_out(par));
}
As you can see, both use same function, except nft feeds the arguments
from nftables registers and x_tables uses the targets arguments from
iptables command line.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-02-05 15:42 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-02-05 15:20 masquerade Serguei Bezverkhi (sbezverk)
2020-02-05 15:41 ` masquerade Florian Westphal
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).