[PATCH net] netfilter: socket: Lookup orig tuple for IPv6 SNAT

[PATCH net] netfilter: socket: Lookup orig tuple for IPv6 SNAT

[Maxim Mikityanskiy]

nf_sk_lookup_slow_v4 does the conntrack lookup for IPv4 packets to
restore the original 5-tuple in case of SNAT, to be able to find the
right socket (if any). Then socket_match() can correctly check whether
the socket was transparent.

However, the IPv6 counterpart (nf_sk_lookup_slow_v6) lacks this
conntrack lookup, making xt_socket fail to match on the socket when the
packet was SNATed. Add the same logic to nf_sk_lookup_slow_v6.

IPv6 SNAT is used in Kubernetes clusters for pod-to-world packets, as
pods' addresses are in the fd00::/8 ULA subnet and need to be replaced
with the node's external address. Cilium leverages Envoy to enforce L7
policies, and Envoy uses transparent sockets. Cilium inserts an iptables
prerouting rule that matches on `-m socket --transparent` and redirects
the packets to localhost, but it fails to match SNATed IPv6 packets due
to that missing conntrack lookup.

Closes: https://github.com/cilium/cilium/issues/37932
Fixes: b64c9256a9b7 ("tproxy: added IPv6 support to the socket match")
Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com>
---
 net/ipv6/netfilter/nf_socket_ipv6.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/net/ipv6/netfilter/nf_socket_ipv6.c b/net/ipv6/netfilter/nf_socket_ipv6.c
index a7690ec62325..9ea5ef56cb27 100644
--- a/net/ipv6/netfilter/nf_socket_ipv6.c
+++ b/net/ipv6/netfilter/nf_socket_ipv6.c
@@ -103,6 +103,10 @@ struct sock *nf_sk_lookup_slow_v6(struct net *net, const struct sk_buff *skb,
 	struct sk_buff *data_skb = NULL;
 	int doff = 0;
 	int thoff = 0, tproto;
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+	enum ip_conntrack_info ctinfo;
+	struct nf_conn const *ct;
+#endif
 
 	tproto = ipv6_find_hdr(skb, &thoff, -1, NULL, NULL);
 	if (tproto < 0) {
@@ -136,6 +140,25 @@ struct sock *nf_sk_lookup_slow_v6(struct net *net, const struct sk_buff *skb,
 		return NULL;
 	}
 
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+	/* Do the lookup with the original socket address in
+	 * case this is a reply packet of an established
+	 * SNAT-ted connection.
+	 */
+	ct = nf_ct_get(skb, &ctinfo);
+	if (ct &&
+	    ((tproto != IPPROTO_ICMPV6 &&
+	      ctinfo == IP_CT_ESTABLISHED_REPLY) ||
+	     (tproto == IPPROTO_ICMPV6 &&
+	      ctinfo == IP_CT_RELATED_REPLY)) &&
+	    (ct->status & IPS_SRC_NAT_DONE)) {
+		daddr = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.in6;
+		dport = (tproto == IPPROTO_TCP) ?
+			ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.tcp.port :
+			ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.udp.port;
+	}
+#endif
+
 	return nf_socket_get_sock_v6(net, data_skb, doff, tproto, saddr, daddr,
 				     sport, dport, indev);
 }
-- 
2.48.1

Re: [PATCH net] netfilter: socket: Lookup orig tuple for IPv6 SNAT

[Florian Westphal]

Maxim Mikityanskiy <maxtram95@gmail.com> wrote:
> nf_sk_lookup_slow_v4 does the conntrack lookup for IPv4 packets to
> restore the original 5-tuple in case of SNAT, to be able to find the
> right socket (if any). Then socket_match() can correctly check whether
> the socket was transparent.
> 
> However, the IPv6 counterpart (nf_sk_lookup_slow_v6) lacks this
> conntrack lookup, making xt_socket fail to match on the socket when the
> packet was SNATed. Add the same logic to nf_sk_lookup_slow_v6.
> 
> IPv6 SNAT is used in Kubernetes clusters for pod-to-world packets, as
> pods' addresses are in the fd00::/8 ULA subnet and need to be replaced
> with the node's external address. Cilium leverages Envoy to enforce L7
> policies, and Envoy uses transparent sockets. Cilium inserts an iptables
> prerouting rule that matches on `-m socket --transparent` and redirects
> the packets to localhost, but it fails to match SNATed IPv6 packets due
> to that missing conntrack lookup.
> 
> Closes: https://github.com/cilium/cilium/issues/37932
> Fixes: b64c9256a9b7 ("tproxy: added IPv6 support to the socket match")

Note that this commit predates IPv6 NAT support in netfilter.
No need to send a v2, just saying.

Reviewed-by: Florian Westphal <fw@strlen.de>

Re: [PATCH net] netfilter: socket: Lookup orig tuple for IPv6 SNAT

[Pablo Neira Ayuso]

On Tue, Mar 18, 2025 at 09:13:23PM +0100, Florian Westphal wrote:
> Maxim Mikityanskiy <maxtram95@gmail.com> wrote:
> > nf_sk_lookup_slow_v4 does the conntrack lookup for IPv4 packets to
> > restore the original 5-tuple in case of SNAT, to be able to find the
> > right socket (if any). Then socket_match() can correctly check whether
> > the socket was transparent.
> > 
> > However, the IPv6 counterpart (nf_sk_lookup_slow_v6) lacks this
> > conntrack lookup, making xt_socket fail to match on the socket when the
> > packet was SNATed. Add the same logic to nf_sk_lookup_slow_v6.
> > 
> > IPv6 SNAT is used in Kubernetes clusters for pod-to-world packets, as
> > pods' addresses are in the fd00::/8 ULA subnet and need to be replaced
> > with the node's external address. Cilium leverages Envoy to enforce L7
> > policies, and Envoy uses transparent sockets. Cilium inserts an iptables
> > prerouting rule that matches on `-m socket --transparent` and redirects
> > the packets to localhost, but it fails to match SNATed IPv6 packets due
> > to that missing conntrack lookup.
> > 
> > Closes: https://github.com/cilium/cilium/issues/37932
> > Fixes: b64c9256a9b7 ("tproxy: added IPv6 support to the socket match")
> 
> Note that this commit predates IPv6 NAT support in netfilter.

Right. I am inclined to put this into nf-next.

> No need to send a v2, just saying.
> 
> Reviewed-by: Florian Westphal <fw@strlen.de>

Thanks.