From: Florian Westphal <fw@strlen.de>
To: "Serguei Bezverkhi (sbezverk)" <sbezverk@cisco.com>
Cc: "netfilter-devel@vger.kernel.org" <netfilter-devel@vger.kernel.org>
Subject: Re: masquerade
Date: Wed, 5 Feb 2020 16:41:58 +0100	[thread overview]
Message-ID: <20200205154158.GJ26952@breakpoint.cc> (raw)
In-Reply-To: <E019C7FD-C763-465B-A32B-BE35A27C0B7A@cisco.com>

Serguei Bezverkhi (sbezverk) <sbezverk@cisco.com> wrote:
> Hello,
> 
> I was addressing kubernetes hairpin case when a container connects to itself via exposed service.
> 
> Example: a pod with IP 1.1.1.1 listening on TCP port 8080 and exposed via service 2.2.2.2:8080. If curl is run from inside the pod, like curl http://2.2.2.2:8080, then the packet would first be DNATed to 1.1.1.1:8080 and then its source needs to be masqueraded. In the iptables implementation it seems it is automatically masqueraded to the host's IP, whereas in nftables (all rules are equivalent) the source gets masqueraded into the pod's interface.
> 
> I would appreciate it if somebody could confirm this behaviour and the difference in masquerading between iptables and nftables for containers.

They have the same behaviour.  The MASQUERADE target (xtables) and nft
masquerade are frontends for the same code.
The address masqueraded to is the primary address of the outgoing interface.

nftables masquerade code:

static void nft_masq_ipv4_eval(const struct nft_expr *expr,
                               struct nft_regs *regs,
                               const struct nft_pktinfo *pkt)
{
        struct nft_masq *priv = nft_expr_priv(expr);
        struct nf_nat_range2 range;

        memset(&range, 0, sizeof(range));
        range.flags = priv->flags;
        if (priv->sreg_proto_min) {
                range.min_proto.all = (__force __be16)nft_reg_load16(
                        &regs->data[priv->sreg_proto_min]);
                range.max_proto.all = (__force __be16)nft_reg_load16(
                        &regs->data[priv->sreg_proto_max]);
        }
        regs->verdict.code = nf_nat_masquerade_ipv4(pkt->skb, nft_hook(pkt),
                                                    &range, nft_out(pkt));
}

... and the xtables one:
static unsigned int
masquerade_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
        struct nf_nat_range2 range;
        const struct nf_nat_ipv4_multi_range_compat *mr;

        mr = par->targinfo;
        range.flags = mr->range[0].flags;
        range.min_proto = mr->range[0].min;
        range.max_proto = mr->range[0].max;

        return nf_nat_masquerade_ipv4(skb, xt_hooknum(par), &range,
                                      xt_out(par));
}

As you can see, both use the same function, except that nft feeds the
arguments from nftables registers and x_tables uses the target's arguments
from the iptables command line.
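Both frontends end in nf_nat_masquerade_ipv4(), which picks the outgoing interface's primary address. As an added illustration (not part of this thread and not kernel code), the helper below reproduces that choice from `ip -4 -o addr show dev IFACE` output so it can be checked on a host or container: it skips "secondary" and non-global-scope addresses and, when a next hop is given, prefers the primary address whose subnet contains it, which is how the kernel's inet_select_addr() decides between several primaries. The `ip addr` sample and the function name are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `ip -4 -o addr show dev eth0` output (not a real host):
# one primary address per subnet, one "secondary" address and one link-scope
# address, so every branch of the selection below is exercised.
IP_ADDR_OUTPUT='2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.11/24 brd 192.0.2.255 scope global secondary eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 198.51.100.7/24 brd 198.51.100.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 169.254.9.9/16 scope link eth0\       valid_lft forever preferred_lft forever'

# masq_src_addr [NEXTHOP]: read `ip -4 -o addr show dev IFACE` output on
# stdin and print the address masquerade would rewrite the source to,
# following inet_select_addr(): ignore "secondary" and non-global-scope
# addresses, prefer a primary address whose subnet contains NEXTHOP
# (the gateway shown by `ip route get DST`), otherwise take the first primary.
masq_src_addr() {
  awk -v nh="$1" '
    function ip2int(s,  o) { split(s, o, "."); return ((o[1]*256+o[2])*256+o[3])*256+o[4] }
    function same_subnet(a, b, plen,  d) { d = 2^(32-plen); return int(ip2int(a)/d) == int(ip2int(b)/d) }
    $3 == "inet" && /scope global/ && !/secondary/ {
      split($4, cidr, "/")                        # cidr[1]=address, cidr[2]=prefix length
      if (nh != "" && same_subnet(cidr[1], nh, cidr[2])) { print cidr[1]; found = 1; exit }
      if (first == "") first = cidr[1]            # remember the first primary as the fallback
    }
    END { if (!found && first != "") print first }'
}

# Demo: next hop 198.51.100.1 selects the on-link primary, not the first one.
printf '%s\n' "$IP_ADDR_OUTPUT" | masq_src_addr 198.51.100.1
```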
