IP-MASQ-AGENT rule location in POSTROUTING chain is wrong - openshift

kubernetes-sigs / ip-masq-agent

Manage IP masquerade on nodes

Apache License 2.0

217 stars 70 forks source link

IP-MASQ-AGENT rule location in POSTROUTING chain is wrong - openshift #26

Closed zvikaga closed 5 years ago

zvikaga commented 5 years ago

The agent puts the IP-MASQ-AGENT rule at the end of the POSTROUTING chain. In Openshift it does not take any effect as there is already the OPENSHIFT-MASQUERADE at the beginning and being matched.

The following is how this chain looks like in Openshift:

Chain POSTROUTING (policy ACCEPT 42 packets, 4260 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
   34337  3071902 OPENSHIFT-MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* rules for masquerading OpenShift traffic */
   32964  2975002 KUBE-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes postrouting rules */
       0        0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0           
       0        0 MASQUERADE  all  --  *      tun0    127.0.0.0/8          0.0.0.0/0            /* SNAT for localhost access to hostports */
    9545   931580 IP-MASQ-AGENT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* ip-masq-agent: ensure nat POSTROUTING directs all non-LOCAL destination traffic to our custom IP-MASQ-

MrHohn commented 5 years ago

@zvikaga It seems to me it won't matter whether we put IP-MASQ-AGENT at the end or beginning --- traffic will be captured and masqueraded by OPENSHIFT-MASQUERADE rule anyway as it will be eventually traversed?

fejta-bot commented 5 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle stale

fejta-bot commented 5 years ago

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle rotten

fejta-bot commented 5 years ago

Rotten issues close after 30d of inactivity. Reopen the issue with /reopen. Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /close

k8s-ci-robot commented 5 years ago

@fejta-bot: Closing this issue.

In response to [this](https://github.com/kubernetes-incubator/ip-masq-agent/issues/26#issuecomment-505722079): >Rotten issues close after 30d of inactivity. >Reopen the issue with `/reopen`. >Mark the issue as fresh with `/remove-lifecycle rotten`. > >Send feedback to sig-testing, kubernetes/test-infra and/or [fejta](https://github.com/fejta). >/close Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.