From: Florian Westphal <fw@strlen.de>
To: Yafang Shao <laoar.shao@gmail.com>
Cc: pablo@netfilter.org, kadlec@netfilter.org,
	David Miller <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Simon Horman <horms@kernel.org>,
	netfilter-devel@vger.kernel.org, coreteam@netfilter.org
Subject: Re: [BUG REPORT] netfilter: DNS/SNAT Issue in Kubernetes Environment
Date: Wed, 28 May 2025 15:20:14 +0200	[thread overview]
Message-ID: <aDcNjpqOKNonzrT-@strlen.de> (raw)
In-Reply-To: <CALOAHbCYhYCLt7zJfdmSUWk_jpWXudLokXvQTGSJt_g4WALGsw@mail.gmail.com>

Yafang Shao <laoar.shao@gmail.com> wrote:
> After applying commit d8f84a9bc7c4, only one entry remains:
> $ cat /proc/net/nf_conntrack| grep 10.242.249.78
> ipv4     2 udp      17 106 src=10.242.249.78 dst=169.254.1.2
> sport=34616 dport=53 src=127.0.0.1 dst=10.242.249.78 sport=53
> dport=34616 [ASSURED] mark=0 zone=0 use=2

Makes sense to me, that's what would be expected, at least from ct state, no?
(I understand that things are not working as expected from DNS pov).

> After the additional custom hack, the entries now show two records:
> $ cat /proc/net/nf_conntrack| grep 10.242.249.78
> ipv4     2 udp      17 27 src=169.254.1.2 dst=10.242.249.78 sport=53
> dport=46858 [UNREPLIED] src=10.242.249.78 dst=169.254.1.2 sport=46858
> dport=53 mark=0 zone=0 use=2
> ipv4     2 udp      17 27 src=10.242.249.78 dst=169.254.1.2
> sport=46858 dport=53 src=127.0.0.1 dst=10.242.249.78 sport=53
> dport=46858 mark=0 zone=0 use=2

That makes no sense to me whatsoever.

The second entry looks correct/as expected:
10.242.249.78 -> 169.254.1.2  46858 -> 53    DNATed to 127.0.0.1:53  10.242.249.78:46858

... so we would expect replies coming from 127.0.0.1:53.

But the other entry makes no sense to me.

src=169.254.1.2   dst=10.242.249.78  sport=53 dport=46858 [UNREPLIED] src=10.242.249.78 dst=169.254.1.2 sport=46858 dport=53 mark=0 zone=0 use=2

This means conntrack saw a packet, not matching any existing entry for this:
169.254.1.2:53 -> 10.242.249.78:46858

... and that makes no sense to me.
The reply should be coming from 127.0.0.1:53.

I suspect stack refuses to send a packet from 127.0.0.1 to foreign/nonlocal address?

As far as conntrack is concerned, the origin 169.254.1.2:53 is a new flow.

We do expect this:
127.0.0.1:53 -> 10.242.249.78:46858, which would be classified as matching response to the
existing entry.

Do you have any load balancing, bridging etc. going on that would result in cloned
packets leaving the system, where one is going out unmodified?

Is route_localnet sysctl enabled? I have never tried such lo stunts myself.
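The conntrack lookup reasoned through above, as an added example that is not code from the thread: it parses the two quoted /proc/net/nf_conntrack entries (re-joined onto one line each, as the kernel prints them) and classifies an observed packet the way conntrack does, which shows why 169.254.1.2:53 -> 10.242.249.78:46858 matches neither tuple of the DNATed entry and so gets a fresh [UNREPLIED] entry.

```python
import re

# Sample /proc/net/nf_conntrack lines, re-joined from the two entries quoted
# in the thread above (the kernel prints each entry on a single line).
SAMPLE_ENTRIES = [
    "ipv4     2 udp      17 27 src=169.254.1.2 dst=10.242.249.78 sport=53 "
    "dport=46858 [UNREPLIED] src=10.242.249.78 dst=169.254.1.2 sport=46858 "
    "dport=53 mark=0 zone=0 use=2",
    "ipv4     2 udp      17 27 src=10.242.249.78 dst=169.254.1.2 "
    "sport=46858 dport=53 src=127.0.0.1 dst=10.242.249.78 sport=53 "
    "dport=46858 mark=0 zone=0 use=2",
]

_KV = re.compile(r"(src|dst|sport|dport)=(\S+)")

def parse_entry(line):
    """Split one nf_conntrack line into its original-direction and
    reply-direction tuples, each as (src, sport, dst, dport).
    The first src/dst/sport/dport group is the original direction; the
    second is the reply direction after any NAT mapping was applied."""
    tuples, cur = [], {}
    for key, val in _KV.findall(line):
        if key in cur:          # a repeated key means the reply tuple begins
            tuples.append(cur)
            cur = {}
        cur[key] = val
    tuples.append(cur)
    if len(tuples) != 2:
        raise ValueError("malformed conntrack line: %r" % line)
    orig, rep = tuples
    as_tuple = lambda t: (t["src"], int(t["sport"]), t["dst"], int(t["dport"]))
    return as_tuple(orig), as_tuple(rep), "[UNREPLIED]" in line

def classify(packet, entries):
    """Classify a wire packet (src, sport, dst, dport) the way conntrack's
    lookup does: it belongs to an entry if it equals that entry's original
    tuple or its reply tuple; otherwise it is a new flow and conntrack
    would create a fresh [UNREPLIED] entry for it."""
    for line in entries:
        orig, rep, _ = parse_entry(line)
        if packet == orig:
            return "original"
        if packet == rep:
            return "reply"
    return "new"

def expected_new_entry(packet):
    """The entry conntrack creates for a packet that matched nothing
    (absent any NAT rule): original = packet, reply = inverted packet."""
    src, sport, dst, dport = packet
    return packet, (dst, dport, src, sport)
```

Running `classify(("169.254.1.2", 53, "10.242.249.78", 46858), [SAMPLE_ENTRIES[1]])` yields "new", and `expected_new_entry` of that packet reproduces exactly the first quoted entry.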

Thread overview: 16+ messages
2025-05-28  9:03 [BUG REPORT] netfilter: DNS/SNAT Issue in Kubernetes Environment Yafang Shao
2025-05-28 11:22 ` Florian Westphal
2025-05-28 11:41   ` Yafang Shao
2025-05-28 12:14     ` Florian Westphal
2025-05-28 12:31       ` Yafang Shao
2025-05-28 12:43         ` Yafang Shao
2025-05-28 13:10           ` Florian Westphal
2025-05-28 13:20         ` Florian Westphal [this message]
2025-05-28 14:07           ` Yafang Shao
2025-05-28 21:48             ` Florian Westphal
2025-05-29  2:20               ` Yafang Shao
2025-05-28 23:43 ` Shaun Brady
2025-05-29  3:46   ` Yafang Shao
2025-05-30  0:45   ` Florian Westphal
2025-05-30  2:44     ` Yafang Shao
2025-05-30  3:37       ` Shaun Brady
