greenpau / cni-plugins

CNI Plugins compatible with nftables
Apache License 2.0

nft rules redirects outgoing packets #10

Closed barzog closed 3 years ago

barzog commented 3 years ago

I have the following setup:

    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 3c:7c:3f:14:49:65 brd ff:ff:ff:ff:ff:ff
    3: macvlan0@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
        link/ether 76:ba:1c:ce:93:6f brd ff:ff:ff:ff:ff:ff
        inet 192.168.2.10/24 brd 192.168.2.255 scope global noprefixroute macvlan0
           valid_lft forever preferred_lft forever
    4: cni0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
        link/ether 46:d5:4b:4b:16:23 brd ff:ff:ff:ff:ff:ff
        inet 10.88.0.1/16 brd 10.88.255.255 scope global cni0
           valid_lft forever preferred_lft forever

eth0 is the master of the macvlan0@eth0 interface; cni0 is the podman CNI bridge interface.

I have a simple container with two port mappings:

    382b2967e22c  linuxserver/oscam  6 minutes ago  Up 6 minutes ago  0.0.0.0:8888-8889->8888-8889/tcp  oscam

The problem is that when I do something like telnet google.com 8888 from the host OS, it gets NATed to the container. So if I publish port 443, this nft rule DNATs all HTTPS to the container.

table ip nat {
    chain postrouting {
            type nat hook postrouting priority srcnat; policy accept;
            jump cni-npo-e473f99609250c52ac6769b
            jump cni-npo-5e8c57a9412955846493f75
    }

    chain cni-npo-5e8c57a9412955846493f75 {
            iifname "cni0" ip saddr 10.88.0.9 ip daddr 224.0.0.0/24 counter packets 0 bytes 0 return
            iifname "cni0" ip saddr 10.88.0.9 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
            iifname "cni0" ip saddr 10.88.0.9 counter packets 0 bytes 0 masquerade
    }

    chain prerouting {
            type nat hook prerouting priority dstnat; policy accept;
            jump cni-npr-e473f99609250c52ac6769b
    }

    chain output {
            type nat hook output priority -100; policy accept;
            jump cni-npr-e473f99609250c52ac6769b
    }

    chain input {
            type nat hook input priority 100; policy accept;
    }

    chain cni-npr-e473f99609250c52ac6769b {
            iifname != "cni0" tcp dport 8888 dnat to 10.88.0.10:8888
            iifname != "cni0" tcp dport 8889 dnat to 10.88.0.10:8889
    }

    chain cni-npo-e473f99609250c52ac6769b {
            iifname "cni0" ip saddr 10.88.0.10 ip daddr 224.0.0.0/24 counter packets 0 bytes 0 return
            iifname "cni0" ip saddr 10.88.0.10 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
            iifname "cni0" ip saddr 10.88.0.10 counter packets 0 bytes 0 masquerade
    }

}

I suspect that this is caused by cni-npr-e473f99609250c52ac6769b, which should not catch outgoing host packets.
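A host-side check for the behaviour reported above, added here as an example and not code from the cni-plugins project: it scans an nft list ruleset dump for DNAT rules reachable from the nat output hook that are not limited to packets addressed to the host itself. The chain name and container address in the embedded samples are constructed, and the "no ip daddr / no fib daddr type local" test is a heuristic, not an nftables rule of its own.

```shell
#!/bin/sh
# Added example, not code from greenpau/cni-plugins. Scans an `nft list ruleset`
# dump for DNAT rules reachable from a "type nat hook output" chain that carry
# neither "fib daddr type local" nor an explicit "ip daddr" match. Locally generated
# packets have no input interface, so 'iifname != "cni0"' excludes nothing there and
# the rule rewrites host-originated traffic too. Reads stdin; prints offenders; exit 1 if any.
audit_output_dnat() {
  awk '
    function visit(c,   i, k, parts, line) {
      if (seen[c]++) return                       # each chain once, no loops
      for (i = 1; i <= n[c]; i++) {
        line = rule[c, i]
        if (line !~ /fib daddr type local/ && line !~ /ip daddr/) {
          sub(/^[[:space:]]+/, "", line); print "chain " c ": " line; bad = 1
        }
      }
      k = split(jumps[c], parts, " ")             # follow jump/goto targets
      for (i = 1; i <= k; i++) visit(parts[i])
    }
    /^[[:space:]]*chain [^ ]+ [{]/ { chain = $2; next }
    /^[[:space:]]*[}]/             { chain = ""; next }
    chain == ""                    { next }
    /type nat hook output/         { hook[chain] = 1; next }
    $1 == "jump" || $1 == "goto"   { jumps[chain] = jumps[chain] " " $2; next }
    /dnat to/                      { n[chain]++; rule[chain, n[chain]] = $0 }
    END { for (c in hook) visit(c); exit bad + 0 }
  '
}
# Constructed sample modelled on this issue; chain name and container address are illustrative.
vulnerable_ruleset() {
  cat <<'EOF'
table ip nat {
    chain output {
        type nat hook output priority -100; policy accept;
        jump cni-npr-example
    }
    chain cni-npr-example {
        iifname != "cni0" tcp dport 8888 dnat to 10.88.0.10:8888
        iifname != "cni0" tcp dport 8889 dnat to 10.88.0.10:8889
    }
}
EOF
}
# Same rules limited to packets addressed to the host itself, the nftables
# counterpart of the iptables "addrtype --dst-type LOCAL" match.
fixed_ruleset() {
  vulnerable_ruleset | sed 's/iifname != "cni0"/fib daddr type local/'
}
```

On a live host, run `nft list ruleset | audit_output_dnat` (needs root to read the ruleset); any printed line is a port mapping that also captures host-originated connections.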

ghost commented 3 years ago

Yup. My bad. Working on fix already.

barzog commented 3 years ago

Also I must mention that on container stop, the rules in the nat table's output chain are NOT deleted.

    table ip nat { # handle 19
        chain output { # handle 3
            type nat hook output priority -100; policy accept;
            jump cni-npr-d5e70868487c6db0d91d248 # handle 7
        }
        chain cni-npr-d5e70868487c6db0d91d248 { # handle 5
            iifname != "cni0" tcp dport 8888 dnat to 10.88.0.7:8888 # handle 8
            iifname != "cni0" tcp dport 8889 dnat to 10.88.0.7:8889 # handle 9
        }
    }

So this one remains. The rules from filter-forward and nat-postrouting are deleted.