Comments (3)
Sure. If the packet doesn't match the first three rules (locally-destined packets), it then hits the catch-all -j MASQUERADE rule and returns from the chain at that point, right?
Here's an output with the amount of packets that have hit the rules:
$ sudo iptables -t nat -nvL KILO-NAT
Chain KILO-NAT (2 references)
 pkts bytes target     prot opt in     out     source               destination
 1743  105K RETURN     all  --  *      *       0.0.0.0/0            172.30.16.0/22       /* Kilo: do not NAT packets destined for the local Pod subnet */
    0     0 RETURN     all  --  *      *       0.0.0.0/0            172.28.128.0/24      /* Kilo: do not NAT packets destined for the Kilo subnet */
    0     0 RETURN     all  --  *      *       172.30.16.0/22       172.28.129.1         /* Kilo: do not NAT packets from local pod subnet to peers */
    0     0 RETURN     all  --  *      *       172.30.16.0/22       192.168.1.0/24       /* Kilo: do not NAT packets from local pod subnet to peers */
 2823  232K MASQUERADE all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Kilo: NAT remaining packets */
    0     0 RETURN     all  --  *      *       172.30.16.0/22       172.30.4.0/22        /* Kilo: do not NAT packets from local pod subnet to remote pod subnets */
    0     0 RETURN     all  --  *      *       172.30.16.0/22       172.30.0.0/22        /* Kilo: do not NAT packets from local pod subnet to remote pod subnets */
    0     0 RETURN     all  --  *      *       172.30.16.0/22       172.30.12.0/22       /* Kilo: do not NAT packets from local pod subnet to remote pod subnets */
    0     0 RETURN     all  --  *      *       172.30.16.0/22       172.30.8.0/22        /* Kilo: do not NAT packets from local pod subnet to remote pod subnets */
    0     0 RETURN     all  --  *      *       0.0.0.0/0            10.255.255.253       /* Kilo: do not NAT packets destined for the local private IP */
Here's an http call from a source host:
root@test-pod:/# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.30.16.3 netmask 255.255.252.0 broadcast 0.0.0.0
ether 5e:59:42:62:aa:f5 txqueuelen 0 (Ethernet)
RX packets 14861990 bytes 27847081553 (27.8 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 23475078 bytes 48491026535 (48.4 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
root@test-pod:/# curl 172.30.8.4
curl: (7) Failed to connect to 172.30.8.4 port 80: Connection refused
Here's a tcpdump from the destination host:
$ sudo tcpdump -vvvni kilo0 "host 172.30.8.4"
dropped privs to tcpdump
tcpdump: listening on kilo0, link-type RAW (Raw IP), capture size 262144 bytes
17:20:39.879485 IP (tos 0x0, ttl 63, id 56731, offset 0, flags [DF], proto TCP (6), length 60)
172.28.128.1.43858 > 172.30.8.4.80: Flags [S], cksum 0xd30b (correct), seq 719155311, win 29200, options [mss 1460,sackOK,TS val 362595862 ecr 0,nop,wscale 9], length 0
17:20:39.879567 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 40)
172.30.8.4.80 > 172.28.128.1.43858: Flags [R.], cksum 0x88a0 (correct), seq 0, ack 719155312, win 0, length 0
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel
The packet has been masqueraded and looks like it is coming from the host when really it should be coming from the pod IP (since it is heading to another pod IP).
From looking at:
Lines 275 to 298 in c93fa1e
It looks like you put the rules in the right order in code but you probably don't insert the rules correctly if some of them already exist in iptables.
Hey, thanks for taking a look. Can you elaborate? It looks to me like they do get hit and provide functionality. In fact, turning them off breaks networking.
@SerialVelocity thanks once again for the super detailed write-up as well as for digging through the code base. I think your analysis is exactly right: order matters and the code doesn't check to make sure that order is preserved when the rules change.
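One way to detect and repair exactly this failure, as an added example written for this page in Go (the language Kilo is written in) and not code from the Kilo repository: it parses the KILO-NAT listing pasted above (rule comments dropped, embedded as constructed input), reports every rule that sits behind the catch-all MASQUERADE and can therefore never match, and emits the iptables commands that restore the intended order. It assumes the desired order is the same rules with the catch-all last, and relies only on `iptables -t nat -F chain` and `iptables -t nat -I chain rulenum`; the rule struct, function names and the `desiredOrder` helper are this example's own.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// rule is one nat-chain entry reduced to the fields the ordering check needs;
// the packet counter is kept so a report can show shadowed rules never matched.
type rule struct{ pkts, target, source, dest string }

func (r rule) key() string   { return r.target + " " + r.source + " " + r.dest }
func (r rule) flags() string { return fmt.Sprintf("-s %s -d %s -j %s", r.source, r.dest, r.target) }

// isCatchAll: the rule matches every packet, so nothing after it is evaluated.
func (r rule) isCatchAll() bool {
	return r.target == "MASQUERADE" && r.source == "0.0.0.0/0" && r.dest == "0.0.0.0/0"
}

// parseChain parses `iptables -t nat -nvL <chain>` output; with -nv the columns
// are: pkts bytes target prot opt in out source destination [/* comment */].
func parseChain(listing string) []rule {
	var rules []rule
	for _, line := range strings.Split(listing, "\n") {
		f := strings.Fields(line)
		if len(f) < 9 || f[0] == "pkts" { // banner, column header or blank line
			continue
		}
		rules = append(rules, rule{pkts: f[0], target: f[2], source: f[7], dest: f[8]})
	}
	return rules
}

// shadowed returns the rules placed after the first catch-all: they are dead,
// which is what the RETURNs with zero hits behind the MASQUERADE show.
func shadowed(rules []rule) []rule {
	for i, r := range rules {
		if r.isCatchAll() {
			return rules[i+1:]
		}
	}
	return nil
}

// reconcile returns the iptables invocations that bring the live chain to the
// desired order. An "append if missing" loop (-A) is exactly what leaves a new
// RETURN behind an existing catch-all, so missing rules are inserted at their
// desired rule number (-I chain rulenum) instead, and a chain that is already
// out of order, or holds rules this controller does not own, is flushed first.
func reconcile(chain string, desired, live []rule) []string {
	pos := map[string]int{} // desired index of every rule this controller owns
	for i, r := range desired {
		pos[r.key()] = i
	}
	present, last, rebuild := map[string]bool{}, -1, false
	for _, r := range live {
		p, ok := pos[r.key()]
		rebuild = rebuild || !ok || p < last // foreign rule, or desired order violated
		present[r.key()], last = true, p
	}
	var cmds []string
	if rebuild {
		cmds = append(cmds, "iptables -t nat -F "+chain)
		present = map[string]bool{}
	}
	for i, r := range desired { // top-down, so every rule before i is already in place
		if !present[r.key()] {
			cmds = append(cmds, fmt.Sprintf("iptables -t nat -I %s %d %s", chain, i+1, r.flags()))
		}
	}
	return cmds
}

// issueListing is the KILO-NAT chain as pasted in the issue, rule comments
// dropped (constructed input for this example, not read from a live host).
const issueListing = `Chain KILO-NAT (2 references)
pkts bytes target prot opt in out source destination
1743 105K RETURN all -- * * 0.0.0.0/0 172.30.16.0/22
0 0 RETURN all -- * * 0.0.0.0/0 172.28.128.0/24
0 0 RETURN all -- * * 172.30.16.0/22 172.28.129.1
0 0 RETURN all -- * * 172.30.16.0/22 192.168.1.0/24
2823 232K MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 172.30.16.0/22 172.30.4.0/22
0 0 RETURN all -- * * 172.30.16.0/22 172.30.0.0/22
0 0 RETURN all -- * * 172.30.16.0/22 172.30.12.0/22
0 0 RETURN all -- * * 172.30.16.0/22 172.30.8.0/22
0 0 RETURN all -- * * 0.0.0.0/0 10.255.255.253`

// desiredOrder is the same rule set with the catch-all moved to the end.
func desiredOrder(live []rule) []rule {
	d := append([]rule(nil), live...)
	sort.SliceStable(d, func(i, j int) bool { return !d[i].isCatchAll() && d[j].isCatchAll() })
	return d
}

func main() {
	live := parseChain(issueListing)
	for _, r := range shadowed(live) {
		fmt.Printf("dead rule (%s pkts): %s\n", r.pkts, r.flags())
	}
	for _, c := range reconcile("KILO-NAT", desiredOrder(live), live) {
		fmt.Println(c)
	}
}
```

Run against the pasted chain it lists the five RETURN rules behind the MASQUERADE as dead and emits a flush followed by ten `-I` commands; run against a chain that merely lacks one RETURN it emits a single `-I` at that rule's slot rather than appending it after the catch-all. Flushing the chain does leave a short window in which nothing is masqueraded, so a controller would prefer the insert-at-index path whenever the existing order is still sound.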