From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: Antonio Ojea <antonio.ojea.garcia@gmail.com>, netfilter@vger.kernel.org
Subject: Re: Query on nftables DNAT for localhost-to-localhost traffic in IPv6 or without route_localnet
Date: Mon, 11 Aug 2025 22:08:22 +0200
Message-ID: <aJpNme8xRUbhNs4P@calendula>
In-Reply-To: <aJBugbUKvPaiZ_PD@strlen.de>
Hi Florian,
On Mon, Aug 04, 2025 at 10:25:37AM +0200, Florian Westphal wrote:
> Antonio Ojea <antonio.ojea.garcia@gmail.com> wrote:
> > We (kubernetes) are currently exploring options for port forwarding
> > traffic that originates from localhost and is also destined for
> > localhost, to redirect it to a different destination IP address and
> > port [1].
>
> Don't think it's a good idea, has much higher risk of exposing
> credentials. Maybe fixable by placing macsec or ipsec tunnel.
>
> > We can use the route_localnet sysctl parameter, however, that does not
> > work for IPv6.
>
> Seems no kernel changes are needed, but it's ugly because daddr ::1 has
> to be concealed in prerouting to prevent RT6_LOOKUP_F_IFACE flag:
>
>         if (rt6_need_strict(&fl6->daddr) && dev->type != ARPHRD_PIMREG)
>                 flags |= RT6_LOOKUP_F_IFACE;
>
> ... in ip6_route_input_lookup().
> This seems to do the trick:
To simplify this example below, would it be possible to extend nft_fib
to attach DST_METADATA in prerouting to modify the ip6_route_input_lookup()
behaviour? This is similar to the conntrack template, but for routing.
> define fakein6 = dead::1ce
> table inet test {
>     chain nat_pr {
>         type nat hook postrouting priority srcnat ; policy accept;
>         ct status dnat ct original ip6 saddr ::1 masquerade
>     }
>
>     chain nat_out {
>         type nat hook output priority dstnat ; policy accept;
>         ip6 daddr ::1 tcp dport 12345 dnat to [dead:beef:0:227:300::3]:22
>     }
>
>     chain pre {
>         type filter hook prerouting priority 0 ; policy accept;
>         ct status dnat,snat ct original ip6 saddr ::1 ct original ip6 daddr ::1 ip6 daddr set $fakein6 comment "daddr is ::1 but that forces strict route lookup"
>     }
>
>     chain in {
>         type filter hook input priority 0 ; policy accept;
>         ct status dnat,snat ct original ip6 saddr ::1 ct original ip6 daddr ::1 ip6 daddr set ::1 comment "get rid of fakein6"
>     }
> }
>
> $ ip -6 addr show dev lo
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>     inet6 dead::1ce/128 scope global
>        valid_lft forever preferred_lft forever
>     inet6 ::1/128 scope host noprefixroute
>        valid_lft forever preferred_lft forever
>
> $ uname -sr ; ssh -p 12345 ::1 uname -sr
> Linux 6.15.8-200.fc42.x86_64
> Linux 6.1.0-37-amd64
>
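The workaround quoted above, packaged as a script with the checks one would run before loading it on a real host. This is an added example, not code from the thread, from the kernel or from the nftables project: the table name lo_dnat6, the FAKE_IN6/LISTEN_PORT/TARGET variables, the apply/check/remove verbs and the is_global_unicast helper are assumptions of this example, and nft(8) and ip(8) are assumed to be installed. The ruleset it renders is the one posted in the thread with the fake address, port and DNAT target turned into parameters.

```shell
#!/bin/sh
# Added example (not from the thread): the ::1 -> ::1 IPv6 DNAT workaround
# as a checkable script. Assumed names: lo_dnat6, FAKE_IN6, LISTEN_PORT,
# TARGET, is_global_unicast. Run "check" unprivileged, "apply"/"remove" as root.
set -eu

FAKE_IN6=${FAKE_IN6:-dead::1ce}                   # global-scope dummy on lo
LISTEN_PORT=${LISTEN_PORT:-12345}                 # ::1 port being forwarded
TARGET=${TARGET:-[dead:beef:0:227:300::3]:22}     # where it is sent instead

# Emit the ruleset for (fake address, port, target). Printing it lets us run
# it through "nft -c" before anything is loaded.
render_ruleset() {
    cat <<EOF
define fakein6 = $1
table inet lo_dnat6 {
    chain nat_pr {
        type nat hook postrouting priority srcnat; policy accept;
        ct status dnat ct original ip6 saddr ::1 masquerade
    }
    chain nat_out {
        type nat hook output priority dstnat; policy accept;
        ip6 daddr ::1 tcp dport $2 dnat to $3
    }
    chain pre {
        # priority 0 runs after nat prerouting (dstnat, -100), where the
        # reply's daddr has already been un-masqueraded back to ::1
        type filter hook prerouting priority 0; policy accept;
        ct status dnat,snat ct original ip6 saddr ::1 ct original ip6 daddr ::1 ip6 daddr set \$fakein6 comment "hide ::1 from the strict route lookup"
    }
    chain in {
        # restore ::1 before nat input (100) and socket delivery
        type filter hook input priority 0; policy accept;
        ct status dnat,snat ct original ip6 saddr ::1 ct original ip6 daddr ::1 ip6 daddr set ::1 comment "undo fakein6"
    }
}
EOF
}

# Coarse check that the dummy address is not one rt6_need_strict() treats
# specially: loopback, link-local (fe80::/10) or multicast (ff00::/8). Any
# of those would bring the interface-bound lookup right back.
is_global_unicast() {
    a=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$a" in
        ::1|::|fe8?:*|fe9?:*|fea?:*|feb?:*|ff??:*) return 1 ;;
        *:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Parse-only check of the rendered ruleset; needs nft but not root.
check_ruleset() {
    render_ruleset "$FAKE_IN6" "$LISTEN_PORT" "$TARGET" | nft -c -f -
}

apply() {
    [ "$(id -u)" -eq 0 ] || { echo "apply: must run as root" >&2; return 1; }
    is_global_unicast "$FAKE_IN6" || { echo "$FAKE_IN6 is not global unicast" >&2; return 1; }
    # the dummy address must be configured on lo so the now non-strict
    # input lookup resolves it as local (the thread shows it on lo as /128)
    ip -6 addr show dev lo | grep -qF "inet6 $FAKE_IN6/128" \
        || ip -6 addr add "$FAKE_IN6/128" dev lo
    render_ruleset "$FAKE_IN6" "$LISTEN_PORT" "$TARGET" | nft -f -
}

remove() {
    nft delete table inet lo_dnat6 2>/dev/null || true
    ip -6 addr del "$FAKE_IN6/128" dev lo 2>/dev/null || true
}

case "${1:-}" in
    apply)  apply ;;
    check)  check_ruleset ;;
    remove) remove ;;
    *) : ;;   # no verb: only define the functions (sourcing, testing)
esac
```

The ordering comments in the rendered ruleset are the part worth keeping in mind when adapting this: the rewrite to the fake address only works because a filter chain at priority 0 sits after the nat prerouting hook (priority dstnat, -100), which is where conntrack has already turned the reply's masqueraded destination back into ::1, and the input chain at priority 0 puts ::1 back before the nat input hook (priority srcnat, 100) and before the packet reaches the listening socket. The global-unicast check is deliberately coarse; it is there to stop someone picking a link-local or loopback value for the fake address, which would re-trigger the rt6_need_strict() path quoted above.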
Thread overview: 6+ messages
2025-07-31 22:59 Query on nftables DNAT for localhost-to-localhost traffic in IPv6 or without route_localnet Antonio Ojea
2025-08-04  8:25 ` Florian Westphal
2025-08-11 20:08   ` Pablo Neira Ayuso [this message]
2025-08-12 11:17     ` Florian Westphal
2025-08-12 12:18       ` Pablo Neira Ayuso
2025-08-18 16:11         ` Antonio Ojea