Fix issue caused by different iptables versions

[geektoor]

A backport of "nft: Optimize class-based IP prefix matches" from newer iptables versions broke the hairpin mode detection of ipv6nat. This is caused by newer versions on the host create optimized ipt rules, which will be interpreted different by older versions of iptables. This can be spotted when you dump the rules on the host and compare it to the rules dumped inside the ipv6nat container. The outside rule contains the correct subnet for the detection, 127.0.0.0/8 while inside it is displayed as 127.0.0.0/32 which causes the detection (code in manager.go) to fail. As this is only a display issue (the rule is correct), accepting both versions should be fine to get around this issue.

Big thanks to Phil Sutter who provided me the code to implement my idea to cover old and new versions to be matched, as it is very hard to ensure the same iptables version to be used inside and outside the container. A test build is available on docker hub at geektoor/ipv6nat-devel.

Closes: #67 Cc: Phil Sutter phil@nwl.cc Signed-off-by: Sven Michels michels@redhat.com

[dragoangel]

Tested with https://hub.docker.com/r/geektoor/ipv6nat-devel in https://github.com/mailcow/mailcow-dockerized/issues/3940 - this PR resolve issue for me.

OS: CentOS-8 uname -a output: Linux 4.18.0-240.22.1.el8_3.x86_64 #1 SMP Thu Apr 8 19:01:30 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Installed Packages Name : iptables Version : 1.8.4 Release : 17.el8 Architecture : x86_64 Size : 1.9 M Source : iptables-1.8.4-17.el8.src.rpm Repository : @System From repo : baseos

[robbertkl]

Thanks @geektoor, great to have this fixed! 🎉 I'll take a good look + test soon and get this merged + push out a new release.

On non-RH/CentOS systems, where the issue is not present, this fix should not break anything, right?

@dragoangel Thanks for confirming the fix works CentOS 8!

[geektoor]

@robbertkl it should not. Its mainly just accepting both possible outputs, the /8 and the /32 netmask. This might happen on other systems as well as soon as the iptables version between host and container are not having the same patch implemented. The backport on CentOS/RHEL made it just visible on CentOS/RHEL, but other combos might also cause this. I tried to summarize it in the changelog a bit more, but let me know if you want even more technical details :)

[dragoangel]

Thanks :)

[dragoangel]

@robbertkl can you please tell when your docker image will contain this PR? Thank you in advance. 👍

[robbertkl]

Yep, I'm building a new release and was gonna comment here, but you're too quick 😄 Still doing some checks and maybe update some deps, will update when the new release & docker images are up!

[dragoangel]

Thanks, great

[robbertkl]

Just pushed out v0.4.4! Docker images for all architectures are on Docker Hub as :0.4.4 and :latest. Thanks again @geektoor!