bugzilla-daemon at netfilter.org
2019-Mar-01 04:14 UTC
[Bug 1324] New: with kernel 4.20.11 ip6table REDIRECT, process listening on redirected port does not get a packet
https://bugzilla.netfilter.org/show_bug.cgi?id=1324

            Bug ID: 1324
           Summary: with kernel 4.20.11 ip6table REDIRECT, process listening on redirected port does not get a packet
           Product: iptables
           Version: 1.6.x
          Hardware: All
                OS: RedHat Linux
            Status: NEW
          Severity: critical
          Priority: P5
         Component: ip6tables
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: sbezverk at cisco.com

I encountered a bug in the 4.20.11 kernel, specifically in ip6tables redirects. It is a Kubernetes environment where two containers run in the same pod and share the same network stack. One container sends TCP traffic (curl) to port 443, and an OUTPUT chain rule redirects it to ::1:15001. In the second container there is a process listening on :::15001. In the kernel 4.20.11 environment this process does not see the redirected traffic, but in CentOS 7.6 with kernel 3.10.0-957.5.1.el7 it works as expected. The issue is 100% reproducible.

Below are the ip6tables rules. Exactly the same rules work as expected with the 3.10.0-957.5.1 kernel.

# Generated by ip6tables-save v1.4.21 on Fri Mar 1 01:41:47 2019
*mangle
:PREROUTING ACCEPT [6761:1065175]
:INPUT ACCEPT [6730:1062747]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6661:651696]
:POSTROUTING ACCEPT [6661:651696]
COMMIT
# Completed on Fri Mar 1 01:41:47 2019
# Generated by ip6tables-save v1.4.21 on Fri Mar 1 01:41:47 2019
*filter
:INPUT ACCEPT [6732:1063164]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6663:651930]
COMMIT
# Completed on Fri Mar 1 01:41:47 2019
# Generated by ip6tables-save v1.4.21 on Fri Mar 1 01:41:47 2019
*nat
:PREROUTING ACCEPT [596:47680]
:INPUT ACCEPT [596:47680]
:OUTPUT ACCEPT [441:52134]
:POSTROUTING ACCEPT [442:52214]
:ISTIO_INBOUND - [0:0]
:ISTIO_IN_REDIRECT - [0:0]
:ISTIO_OUTPUT - [0:0]
:ISTIO_REDIRECT - [0:0]
-A PREROUTING -p tcp -j ISTIO_INBOUND
-A OUTPUT -p tcp -j ISTIO_OUTPUT
-A ISTIO_INBOUND -p tcp -m tcp --dport 50705 -j ISTIO_IN_REDIRECT
-A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15001
-A ISTIO_OUTPUT ! -d ::1/128 -o lo -j ISTIO_REDIRECT
-A ISTIO_OUTPUT -m owner --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -d ::1/128 -j RETURN
-A ISTIO_OUTPUT -j ISTIO_REDIRECT
-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
COMMIT
# Completed on Fri Mar 1 01:41:47 2019

Please let me know if I should file a bug or you need any further details.

-- 
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2019-Mar-01 14:15 UTC
[Bug 1324] with kernel 4.20.11 ip6table REDIRECT, process listening on redirected port does not get a packet
https://bugzilla.netfilter.org/show_bug.cgi?id=1324

Florian Westphal <fw at strlen.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fw at strlen.de

--- Comment #1 from Florian Westphal <fw at strlen.de> ---
This is most likely fixed by commit 15df03c661cb362366ecfc3a21820cb934f3e4ca
netfilter: ipv6: Don't preserve original oif for loopback address
which was added to 4.20.13.

If that doesn't help, please provide a reproducer. This works for me:

nc -6 -l -p 12344
ip6tables -t nat -A OUTPUT -p tcp --dport 12345 -j REDIRECT --to-ports 12344
nc -6 ::1 12345 # connects
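The two actionable items in comment #1 are a version threshold (4.20.13 is the first 4.20.y release said to carry the fix) and a three-command reproducer. The script below, an added example that is not part of the bug thread or of the netfilter project, wraps both: a POSIX sh version comparison that tells an operator whether the running 4.20.y kernel predates the fix, and a function that runs the comment's reproducer with cleanup. The function names, the /tmp capture file and the sample release strings are this example's own; it only compares against 4.20.13 as stated in the comment and does not know about backports of the same commit into other stable series.

```shell
#!/bin/sh
# Added example, not from the bug report or the netfilter project.

# Return 0 when a kernel release string is >= 4.20.13 (the first 4.20.y
# release that comment #1 says contains commit 15df03c661cb), 1 when it is
# older, 2 when the string cannot be parsed. Distro suffixes such as
# "-1.el7.elrepo.x86_64" and local "+" markers are stripped first.
kernel_at_least_4_20_13() {
    v=${1%%-*}
    v=${v%%+*}
    case "$v" in
        *.*) ;;
        *)   return 2 ;;          # no dotted version at all
    esac
    maj=$(printf '%s' "$v" | cut -d. -f1)
    min=$(printf '%s' "$v" | cut -d. -f2)
    pat=$(printf '%s' "$v" | cut -d. -f3)
    pat=${pat:-0}
    case "$maj$min$pat" in
        *[!0-9]*) return 2 ;;     # non-numeric component
    esac
    [ "$maj" -gt 4 ] && return 0
    [ "$maj" -lt 4 ] && return 1
    [ "$min" -gt 20 ] && return 0
    [ "$min" -lt 20 ] && return 1
    [ "$pat" -ge 13 ]
}

# Report on the kernel this host is running.
check_running_kernel() {
    rel=$(uname -r)
    if kernel_at_least_4_20_13 "$rel"; then
        echo "kernel $rel: at or past 4.20.13"
    else
        echo "kernel $rel: older than 4.20.13 (or not a parseable 4.x release)"
    fi
}

# Mirror the reproducer from comment #1: a listener on 12344, an OUTPUT-chain
# REDIRECT from 12345 to 12344, then a connection to ::1:12345. Prints "ok"
# when the listener received the payload. Needs root, ip6tables and nc; the
# nc invocation follows the comment and assumes a flavour that accepts
# "-6 -l -p" (assumption, not verified for every netcat variant).
reproduce_redirect() {
    [ "$(id -u)" -eq 0 ] || { echo "reproduce_redirect: run as root" >&2; return 1; }
    cap=/tmp/redirect-capture.$$
    ip6tables -t nat -A OUTPUT -p tcp --dport 12345 -j REDIRECT --to-ports 12344
    nc -6 -l -p 12344 > "$cap" &
    lpid=$!
    sleep 1
    printf 'hello\n' | nc -6 ::1 12345 &
    cpid=$!
    sleep 2
    kill "$cpid" "$lpid" 2>/dev/null
    # Always remove the rule we added, even if the check below fails.
    ip6tables -t nat -D OUTPUT -p tcp --dport 12345 -j REDIRECT --to-ports 12344
    if grep -q hello "$cap"; then
        echo "ok: REDIRECT delivered the connection to the listener"
        rm -f "$cap"; return 0
    fi
    echo "FAIL: listener on 12344 saw nothing (bug 1324 symptom)"
    rm -f "$cap"; return 1
}

check_running_kernel
```

Run the script as-is to see where the host's kernel stands relative to 4.20.13; call reproduce_redirect separately, as root on a test machine, to confirm whether the symptom is present before and after upgrading.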
bugzilla-daemon at netfilter.org
2019-Mar-01 14:57 UTC
[Bug 1324] with kernel 4.20.11 ip6table REDIRECT, process listening on redirected port does not get a packet
https://bugzilla.netfilter.org/show_bug.cgi?id=1324

--- Comment #2 from Serguei Bezverkhi <sbezverk at cisco.com> ---
Thank you for letting me know. I will test 4.20.13 once it is available at elrepo; for now please do not close this bug.