From: Florian Westphal <fw@strlen.de>
To: "Serguei Bezverkhi (sbezverk)" <sbezverk@cisco.com>
Cc: "netfilter-devel@vger.kernel.org" <netfilter-devel@vger.kernel.org>
Subject: Re: masquerade
Date: Wed, 5 Feb 2020 16:41:58 +0100 [thread overview]
Message-ID: <20200205154158.GJ26952@breakpoint.cc> (raw)
In-Reply-To: <E019C7FD-C763-465B-A32B-BE35A27C0B7A@cisco.com>
Serguei Bezverkhi (sbezverk) <sbezverk@cisco.com> wrote:
> Hello,
>
> I was addressing kubernetes hairpin case when a container connects to itself via exposed service.
>
> Example pod with ip 1.1.1.1 listening on port tcp 8080 and exposed via service 2.2.2.2:8080, if curl is run from inside the pod, like curl http://2.2.2.2:8080 then the packet would be first dnat to 1.1.1.1:8080 and then its source needs to be masqueraded. In iptables implementation it seems it is automatically masqueraded to host's IP whereas in nftables (all rules are equivalent) source gets masqueraded into POD's interface.
>
> I would appreciate if somebody could confirm this behavior and different in masquerading between iptables and nftables for containers.
They have same behaviour. MASQUERADE target (xtables) and nft
masquerade are frontends for the same code.
The address masqueraded to is the primary address of the outgoing interface.
nftables masquerade code:
static void nft_masq_ipv4_eval(const struct nft_expr *expr,
struct nft_regs *regs,
const struct nft_pktinfo *pkt)
{
struct nft_masq *priv = nft_expr_priv(expr);
struct nf_nat_range2 range;
memset(&range, 0, sizeof(range));
range.flags = priv->flags;
if (priv->sreg_proto_min) {
range.min_proto.all = (__force __be16)nft_reg_load16(
®s->data[priv->sreg_proto_min]);
range.max_proto.all = (__force __be16)nft_reg_load16(
®s->data[priv->sreg_proto_max]);
}
regs->verdict.code = nf_nat_masquerade_ipv4(pkt->skb, nft_hook(pkt),
&range, nft_out(pkt));
}
... and xtables one:
static unsigned int
masquerade_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
struct nf_nat_range2 range;
const struct nf_nat_ipv4_multi_range_compat *mr;
mr = par->targinfo;
range.flags = mr->range[0].flags;
range.min_proto = mr->range[0].min;
range.max_proto = mr->range[0].max;
return nf_nat_masquerade_ipv4(skb, xt_hooknum(par), &range,
xt_out(par));
}
As you can see, both use same function, except nft feeds the arguments
from nftables registers and x_tables uses the targets arguments from
iptables command line.
prev parent reply other threads:[~2020-02-05 15:42 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-05 15:20 masquerade Serguei Bezverkhi (sbezverk)
2020-02-05 15:41 ` Florian Westphal [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200205154158.GJ26952@breakpoint.cc \
--to=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=sbezverk@cisco.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).