nirmata / kube-static-egress-ip

Kubernetes CRD to manage static egress IP addresses for workloads
Apache License 2.0

SNAT doesn't take effect #46

Open JSilent opened 4 years ago

JSilent commented 4 years ago

Hi, the messages to the specified destination can be routed to the gateway. However, the SNAT doesn't take effect, since Calico ensures it is always the first rule in POSTROUTING, even though I manually moved STATIC-EGRESS-NAT-CHAIN before MASQUERADE.

$ sudo iptables -L STATIC-EGRESS-NAT-CHAIN -t nat
Chain STATIC-EGRESS-NAT-CHAIN (1 references)
target     prot opt source               destination
SNAT       all  --  anywhere             10.124.200.68        match-set EGRESS-IP-A6RUBTJVWO4N6RIK src to:10.41.82.253
$ sudo iptables -L POSTROUTING -t nat --line-number
Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    cali-POSTROUTING  all  --  anywhere             anywhere             /* cali:O3lYWMrLQYEMJtB5 */
2    STATIC-EGRESS-BYPASS-CNI  all  --  anywhere             anywhere
3    STATIC-EGRESS-NAT-CHAIN  all  --  anywhere             anywhere
4    KUBE-POSTROUTING  all  --  anywhere             anywhere             /* kubernetes postrouting rules */
5    MASQUERADE  all  --  bovis-z1020-172-17-0-0.extern.sw.ericsson.se/16  anywhere
$  sudo iptables -L cali-POSTROUTING -t nat --line-number
Chain cali-POSTROUTING (1 references)
num  target     prot opt source               destination
1    cali-fip-snat  all  --  anywhere             anywhere             /* cali:Z-c7XtVd2Bq7s_hA */
2    cali-nat-outgoing  all  --  anywhere             anywhere             /* cali:nYKhEzDlr11Jccal */
3    MASQUERADE  all  --  anywhere             anywhere             /* cali:JHlpT-eSqR1TvyYm */ ADDRTYPE match src-type !LOCAL limit-out ADDRTYPE match src-type LOCAL
$  sudo iptables -L cali-fip-snat -t nat --line-number
Chain cali-fip-snat (1 references)
num  target     prot opt source               destination
$  sudo iptables -L cali-nat-outgoing -t nat --line-number
Chain cali-nat-outgoing (1 references)
num  target     prot opt source               destination
1    MASQUERADE  all  --  anywhere             anywhere             /* cali:Dw4T8UWPnCLxRJiI */ match-set cali40masq-ipam-pools src ! match-set cali40all-ipam-pools dst

By the way, ipipEnabled is true in Calico's configuration.

lyyao09 commented 4 years ago

Indeed, my solution is to turn off calico's natoutgoing :smile:

kifeo commented 4 years ago

So it is not possible to have a mixed setup?

lyyao09 commented 4 years ago

@kifeo Maybe you can modify the following parameters for a mixed setup.

Configuration parameter: ChainInsertMode
Environment variable: FELIX_CHAININSERTMODE
Description: Controls whether Felix hooks the kernel's top-level iptables chains by inserting a rule at the top of the chain or by appending a rule at the bottom. Insert is the safe default since it prevents Calico's rules from being bypassed. If you switch to Append mode, be sure that the other rules in the chains signal acceptance by falling through to the Calico rules, otherwise the Calico policy will be bypassed. [Default: Insert]
Schema: Insert, Append
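The ordering problem in this thread (a Calico chain that masquerades is jumped to from POSTROUTING before STATIC-EGRESS-NAT-CHAIN, so the egress SNAT rule never sees the pod source) can be checked from `iptables -t nat -S POSTROUTING` output. The script below is an added example, not code from the issue or from the kube-static-egress-ip project; the rule listing it runs on is constructed to mirror the chain order shown above, and the chain names it checks are the ones visible in that listing.

```sh
#!/bin/sh
# Added example: report whether a masquerading chain is reached before
# STATIC-EGRESS-NAT-CHAIN in nat POSTROUTING. In the issue, cali-POSTROUTING
# (which masquerades via cali-nat-outgoing when natOutgoing is on) is at
# position 1, so the pod source is rewritten before the egress SNAT can match.

# Constructed sample in `iptables -S` form, modelled on the issue's listing.
SAMPLE_POSTROUTING='-P POSTROUTING ACCEPT
-A POSTROUTING -m comment --comment "cali:O3lYWMrLQYEMJtB5" -j cali-POSTROUTING
-A POSTROUTING -j STATIC-EGRESS-BYPASS-CNI
-A POSTROUTING -j STATIC-EGRESS-NAT-CHAIN
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A POSTROUTING -s 172.17.0.0/16 -j MASQUERADE'

# Usage: egress_snat_order "$rules" chain...
# Prints "ok" (status 0) when STATIC-EGRESS-NAT-CHAIN precedes every listed
# chain, "shadowed by <chain>" (status 1) for the first chain that comes
# earlier, or "missing STATIC-EGRESS-NAT-CHAIN" (status 2). Line numbers from
# grep -n are offset by the -P line, but only relative order matters here.
egress_snat_order() {
  rules=$1; shift
  egress_pos=$(printf '%s\n' "$rules" | grep -n -- '-j STATIC-EGRESS-NAT-CHAIN$' | cut -d: -f1 | head -n1)
  [ -n "$egress_pos" ] || { echo "missing STATIC-EGRESS-NAT-CHAIN"; return 2; }
  for chain in "$@"; do
    pos=$(printf '%s\n' "$rules" | grep -n -- "-j $chain\$" | cut -d: -f1 | head -n1)
    [ -n "$pos" ] || continue          # chain not jumped to from POSTROUTING
    if [ "$pos" -lt "$egress_pos" ]; then
      echo "shadowed by $chain"
      return 1
    fi
  done
  echo "ok"
  return 0
}

# Constructed sample: expect "shadowed by cali-POSTROUTING".
if ! egress_snat_order "$SAMPLE_POSTROUTING" cali-POSTROUTING MASQUERADE; then
  echo "egress SNAT will not match; see the FELIX_CHAININSERTMODE note above"
fi
# On a live node: egress_snat_order "$(iptables -t nat -S POSTROUTING)" cali-POSTROUTING MASQUERADE
```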