Linux Netfilter discussions
From: Chris Burroughs <christopher@addthis.com>
To: netfilter@vger.kernel.org
Subject: spooky RST with DNAT rules;  macvlan + namespace
Date: Fri, 10 Apr 2015 15:56:02 -0400
Message-ID: <55282AD2.9040009@addthis.com>

I have an existing application that relies on some custom iptables logic 
to function inside our network.  It uses several simple rules along the 
lines of:

  iptables -t nat -A OUTPUT -j DNAT -p tcp --dst x.x.x.x --dport 7000 -o eth0 --to-destination y.y.y.y

There are several nodes and there is a DNAT rule for each node.  I've 
successfully been using rules like this on physical nodes for a few 
years without difficulty.

I'm trying to replace these nodes with 'containers' on centos6. 
Specifically by 'containers' I mean lxc with:
  * privileged containers
  * macvlan in bridge mode
  * network namespace

And running into trouble with the same iptables rules.  Specifically 
what happens between container A (initiates connection) on host X and 
container B (listening daemon) on host Y.

  * A: syn
  * B: syn+ack
  * A: rst

I've detected the RST with tcpdump from both within the container and on 
the host.  Visually in wireshark it looks like: 
http://i.imgur.com/lo1PF6k.png  Basic DROP rules like 'block inbound on 
this port' appear to work fine.

To add to the confusion, if A & B are co-located on the same physical 
host it appears to work okay.

I'm at a loss to explain where the RST is coming from or how to make 
the DNAT rule work correctly.
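The following is an added walk-through, not code from the post or from the netfilter project. It models one mechanism that yields exactly the SYN / SYN-ACK / RST trace described above: a DNAT rule in the nat OUTPUT chain rewrites the destination of A's SYN from x.x.x.x to y.y.y.y, and it relies on conntrack to rewrite the source of the returning SYN-ACK from y.y.y.y back to x.x.x.x before the packet reaches the socket layer. If that reverse translation does not happen (no conntrack entry in the namespace that owns the socket), the SYN-ACK arrives from y.y.y.y, no socket matches that 4-tuple, and the client's own TCP stack answers with a RST. Whether this is what happens in the poster's setup is not established by the post; the addresses, port, and the /proc/net/nf_conntrack line below are constructed for illustration.

```python
"""Model of DNAT-in-OUTPUT reply handling and the RST it produces when the
reply is not reverse-translated. Added example; all values are constructed."""
import re

# Constructed addresses (assumptions, not the poster's real ones).
CLIENT = "10.0.0.2"    # container A, initiates the connection
VIP = "10.0.0.10"      # x.x.x.x: the address A's application connects to
REAL = "10.0.0.20"     # y.y.y.y: the --to-destination of the DNAT rule
PORT = 7000
SPORT = 41234          # A's ephemeral source port

# One constructed line in /proc/net/nf_conntrack format, as the client's
# namespace would show it right after the SYN was DNATed. The first
# src/dst/sport/dport group is the original direction, the second the
# reply direction (already rewritten to the real server address).
CONNTRACK_OK = [
    "ipv4     2 tcp      6 118 SYN_SENT src=10.0.0.2 dst=10.0.0.10 sport=41234 "
    "dport=7000 [UNREPLIED] src=10.0.0.20 dst=10.0.0.2 sport=7000 dport=41234 "
    "mark=0 zone=0 use=2",
]

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_conntrack(lines):
    """Return [(orig, reply)] tuples of (src, dst, sport, dport) for TCP entries."""
    entries = []
    for line in lines:
        if " tcp " not in line:
            continue
        found = TUPLE_RE.findall(line)
        if len(found) != 2:          # need both directions to translate
            continue
        orig = (found[0][0], found[0][1], int(found[0][2]), int(found[0][3]))
        reply = (found[1][0], found[1][1], int(found[1][2]), int(found[1][3]))
        entries.append((orig, reply))
    return entries


def reverse_translate(pkt, entries):
    """What the socket layer sees for an inbound packet (src, dst, sport, dport).

    If a conntrack entry's reply-direction tuple matches, netfilter rewrites
    the packet back to the original direction, so the source becomes x.x.x.x
    again. With no matching entry the packet is delivered unchanged.
    """
    for orig, reply in entries:
        if pkt == reply:
            o_src, o_dst, o_sport, o_dport = orig
            return (o_dst, o_src, o_dport, o_sport)
    return pkt


def stack_response(sockets, syn_ack, entries):
    """Return "ACK" if the (possibly un-NATed) SYN-ACK matches a SYN_SENT
    socket, else "RST": a SYN-ACK for which no connection exists is reset."""
    src, dst, sport, dport = reverse_translate(syn_ack, entries)
    # Sockets are keyed on (local addr, remote addr, local port, remote port).
    key = (dst, src, dport, sport)
    return "ACK" if key in sockets else "RST"


def demo():
    """Same SYN-ACK on the wire, with and without the conntrack entry.
    Returns the client stack's reply in each case."""
    sockets = {(CLIENT, VIP, SPORT, PORT)}       # A's connect() to x.x.x.x:7000
    syn_ack_on_wire = (REAL, CLIENT, PORT, SPORT)  # arrives from y.y.y.y
    with_ct = stack_response(sockets, syn_ack_on_wire, parse_conntrack(CONNTRACK_OK))
    without_ct = stack_response(sockets, syn_ack_on_wire, parse_conntrack([]))
    return with_ct, without_ct


if __name__ == "__main__":
    print("with conntrack entry: %s, without: %s" % demo())
```

Two practical consequences follow from the model. First, tcpdump on the interface sees post-NAT addresses in both directions (the nat OUTPUT hook runs before the packet reaches the interface, and inbound packets are captured before netfilter un-NATs them), so a capture showing the SYN and RST addressed to y.y.y.y looks the same whether or not conntrack is doing its job; the capture alone cannot distinguish the two cases. Second, the thing to inspect is the conntrack table in the network namespace that owns A's socket while the connect is in flight (cat /proc/net/nf_conntrack or conntrack -L in that namespace): an entry like CONNTRACK_OK must exist there, with the DNATed reply tuple, for the SYN-ACK to reach the socket.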

Thread overview: [no followups]
