From: Florian Westphal <fw@strlen.de>
To: Yafang Shao <laoar.shao@gmail.com>
Cc: pablo@netfilter.org, kadlec@netfilter.org,
David Miller <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>,
netfilter-devel@vger.kernel.org, coreteam@netfilter.org
Subject: Re: [BUG REPORT] netfilter: DNS/SNAT Issue in Kubernetes Environment
Date: Wed, 28 May 2025 23:48:44 +0200 [thread overview]
Message-ID: <aDeEvHI-qJNkrruz@strlen.de> (raw)
In-Reply-To: <CALOAHbA2fT+zcnjivX8-D00FrNyGnj3tvvEX1PghAEwk+uyRSg@mail.gmail.com>
Yafang Shao <laoar.shao@gmail.com> wrote:
> On Wed, May 28, 2025 at 9:20 PM Florian Westphal <fw@strlen.de> wrote:
> > ... and that makes no sense to me.
> > The reply should be coming from 127.0.0.1:53.
> >
> > I suspect stack refuses to send a packet from 127.0.0.1 to foreign/nonlocal address?
> >
> > As far as conntrack is concerned, the origin 169.254.1.2:53 is a new flow.
> >
> > We do expect this:
> > 127.0.0.1:53 -> 10.242.249.78:46858, which would be classified as matching response to the
> > existing entry.
>
> Could this issue be caused by misconfigured SNAT/DNAT rules? However,
> I haven't been able to identify any problematic rules in my
> investigation.
No, because even if there was an SNAT rule it would not be used
for a reply packet.
Can you check the dns proxy and confirm that it is using the "wrong",
i.e. the public address as source for the udp packets?
Alternatively you could also try adding a NOTRACK rule in -t raw OUTPUT, for
udp packets coming from sport 53. It should prevent this problem and
make your setup work.
Assuming the dns proxy already uses the public address, no dnat reversal
is needed.
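To make the conntrack reasoning above concrete, here is a small added model (example code, not kernel or netfilter code) of how conntrack classifies a packet by comparing it against the original and expected-reply tuples of an existing entry. It assumes the pod 10.242.249.78:46858 queried 169.254.1.2:53 and that a DNAT rule rewrote the destination to 127.0.0.1:53; the NOTRACK exemption for udp sport 53 is modelled as a check that runs before any lookup, as the raw table does.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tuple5:
    """Five-tuple as conntrack sees it (protocol, addresses, ports)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"

    def reverse(self) -> "Tuple5":
        return Tuple5(self.dst, self.dport, self.src, self.sport, self.proto)


def dnat_entry(orig: Tuple5, new_dst: str, new_dport: int):
    """Build a conntrack entry for a flow whose destination was DNATed.
    The expected reply must come FROM the translated destination."""
    reply = Tuple5(new_dst, new_dport, orig.src, orig.sport, orig.proto)
    return (orig, reply)


def classify(pkt: Tuple5, entries, notrack_sports=frozenset()) -> str:
    """Return how conntrack would treat pkt: 'untracked', 'original',
    'reply' or 'new'. Mirrors the raw-table NOTRACK check happening
    before the conntrack lookup."""
    if (pkt.proto, pkt.sport) in notrack_sports:
        return "untracked"
    for orig, reply in entries:
        if pkt == orig:
            return "original"
        if pkt == reply:
            return "reply"
    return "new"


# Constructed scenario: pod -> 169.254.1.2:53, DNATed to 127.0.0.1:53
POD = ("10.242.249.78", 46858)
QUERY = Tuple5(POD[0], POD[1], "169.254.1.2", 53)
TABLE = [dnat_entry(QUERY, "127.0.0.1", 53)]

GOOD_REPLY = Tuple5("127.0.0.1", 53, POD[0], POD[1])   # matches entry
BAD_REPLY = Tuple5("169.254.1.2", 53, POD[0], POD[1])  # proxy used public addr
NOTRACK_SPORT_53 = frozenset({("udp", 53)})           # -t raw OUTPUT NOTRACK
```

Running `classify(BAD_REPLY, TABLE)` yields "new", which is exactly why no DNAT reversal happens for it, while the same packet with `NOTRACK_SPORT_53` is left untracked.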