portmap: fix nftables backend

We can't use dnat from the input hook: depending on the nftables (and kernel?) version we get
"Error: Could not process rule: Operation not supported".
The iptables backend also uses prerouting.

Also 'ip6 protocol tcp' is invalid, so rework / simplify the rules

Fixes 01a94e17c7

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
This commit is contained in:
Etienne Champetier
2024-11-05 13:35:44 -05:00
committed by Casey Callendrello
parent fec2d62676
commit 9296c5f80a
2 changed files with 28 additions and 29 deletions


@ -18,6 +18,7 @@ import (
"context"
"fmt"
"net"
"strconv"
"sigs.k8s.io/knftables"
)
@ -110,23 +111,23 @@ func (pmNFT *portMapperNFTables) forwardPorts(config *PortMapConf, containerNet
})
tx.Add(&knftables.Chain{
Name: "input",
Name: "prerouting",
Type: knftables.PtrTo(knftables.NATType),
Hook: knftables.PtrTo(knftables.InputHook),
Hook: knftables.PtrTo(knftables.PreroutingHook),
Priority: knftables.PtrTo(knftables.DNATPriority),
})
tx.Flush(&knftables.Chain{
Name: "input",
Name: "prerouting",
})
tx.Add(&knftables.Rule{
Chain: "input",
Chain: "prerouting",
Rule: knftables.Concat(
conditions,
"jump", hostIPHostPortsChain,
),
})
tx.Add(&knftables.Rule{
Chain: "input",
Chain: "prerouting",
Rule: knftables.Concat(
conditions,
"jump", hostPortsChain,
@ -187,9 +188,8 @@ func (pmNFT *portMapperNFTables) forwardPorts(config *PortMapConf, containerNet
Chain: hostIPHostPortsChain,
Rule: knftables.Concat(
ipX, "daddr", e.HostIP,
ipX, "protocol", e.Protocol,
"th dport", e.HostPort,
"dnat", ipX, "addr . port", "to", containerNet.IP, ".", e.ContainerPort,
e.Protocol, "dport", e.HostPort,
"dnat to", net.JoinHostPort(containerNet.IP.String(), strconv.Itoa(e.ContainerPort)),
),
Comment: &config.ContainerID,
})
@ -197,9 +197,8 @@ func (pmNFT *portMapperNFTables) forwardPorts(config *PortMapConf, containerNet
tx.Add(&knftables.Rule{
Chain: hostPortsChain,
Rule: knftables.Concat(
ipX, "protocol", e.Protocol,
"th dport", e.HostPort,
"dnat", ipX, "addr . port", "to", containerNet.IP, ".", e.ContainerPort,
e.Protocol, "dport", e.HostPort,
"dnat to", net.JoinHostPort(containerNet.IP.String(), strconv.Itoa(e.ContainerPort)),
),
Comment: &config.ContainerID,
})
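Review bot: After the input-to-prerouting change at the top of the second hunk, the only NAT chain visible is hooked at prerouting, which only sees packets arriving on an interface; connections the host itself opens to HostIP:HostPort (including via loopback) traverse the output hook instead, which is why, as far as I recall, the iptables backend pairs its PREROUTING jump with an OUTPUT one. If forwardPorts registers an output-hook NAT chain outside this hunk, a one-line comment on the prerouting chain such as `// host-originated traffic is handled by the output chain below` would save the next reader the search; if it does not, host-local port mappings are silently not redirected by this backend, which deserves either a fix or an explicit note. Separately, the `net.JoinHostPort(containerNet.IP.String(), strconv.Itoa(e.ContainerPort))` expression is rebuilt for each of the two rules per entry (third and fourth hunks); hoisting it once before the two tx.Add calls, `dnatTo := net.JoinHostPort(containerNet.IP.String(), strconv.Itoa(e.ContainerPort))`, keeps the hostIP and hostPort rules guaranteed to target the same address. forwardPorts begins and ends outside these hunks, so the rest of the chain setup (and how conditions is built) is not visible here.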