I want to find the real source IP address in docker when the client is not on the flannel net (for auditing), but flannel adds a rule to iptables:
-A POSTROUTING ! -s 10.244.0.0/16 -d 10.244.0.0/16 -j MASQUERADE
After SNAT, the source IP is changed to the .0 of flannel.1, so I cannot get the real IP.
I found issue #318, which added the rule to flannel. However, I don't quite understand it. In my opinion, if the docker has a default route which points to the cni0 gateway, is there any need to do SNAT?
Please let me know if I am wrong 😄
Expected Behavior
a change: do not SNAT packages if it is not from flannel net.
Current Behavior
a change: flannel now will SNAT packages if it is not from the flannel net.
Possible Solution
delete the iptables rule above.
Steps to Reproduce (for bugs)
start a nginx pod on flannel.
curl to the pod from another node.
use netstat to check the Foreign Address of this socket in nginx pod.
Context
I want to get the real source IP address, but the SNAT will change the source IP. I am using flannel 0.7 (this version of flannel won't check iptables rules every 5 seconds) and I deleted the iptables rule above on all nodes, and for now everything works fine.
Your Environment
Flannel version: v0.7
Backend used (e.g. vxlan or udp): vxlan
Etcd version: 2.2.5
Kubernetes version (if used): 1.5.4
Operating System and version: centos 7.2
Link to your project (optional):
@tomdee
I still get rules like -A POSTROUTING ! -s 10.244.0.0/16 -d 10.244.0.0/16 -j MASQUERADE on my kube-node. I don't know whether this rule is added by docker or flanneld. I have added -ip-masq=false to both flannel and docker.
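An added example, not part of the issue thread and not flannel's code: a small check that reads `iptables-save -t nat` output from a node and reports whether a given client-to-pod flow would have its source rewritten, which is what decides whether audit logs in the pod show the real client address. The function names, the sample addresses and the first rule in the sample are assumptions; only `-s`/`-d` matches are evaluated and jumps into user-defined chains are not followed.

```python
import ipaddress

# Constructed sample of `iptables-save -t nat` output; only the last rule is from the issue.
SAMPLE_NAT = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.244.0.0/16 -d 10.244.0.0/16 -j RETURN
-A POSTROUTING ! -s 10.244.0.0/16 -d 10.244.0.0/16 -j MASQUERADE
COMMIT
"""
TERMINAL = {"ACCEPT", "RETURN", "MASQUERADE", "SNAT"}
REWRITES_SOURCE = {"MASQUERADE", "SNAT"}

def parse_rule(line):
    """Split one '-A' line into its -s/-d matches and its -j target."""
    toks, matches, target, negate = line.split(), [], None, False
    i = 2  # skip '-A <chain>'
    while i < len(toks):
        if toks[i] == "!":
            negate = True
        elif toks[i] in ("-s", "-d"):
            net = ipaddress.ip_network(toks[i + 1], strict=False)
            matches.append((toks[i], negate, net))
            negate, i = False, i + 1
        elif toks[i] == "-j":
            target, i = toks[i + 1], i + 1
        else:
            negate = False  # -o, -m, ... are not evaluated (assumption)
        i += 1
    return matches, target

def postrouting_verdict(rules_text, src, dst):
    """Return (target, rule) of the first POSTROUTING rule matching src -> dst."""
    addr = {"-s": ipaddress.ip_address(src), "-d": ipaddress.ip_address(dst)}
    for line in rules_text.splitlines():
        if not line.startswith("-A POSTROUTING "):
            continue
        matches, target = parse_rule(line)
        # A match holds when membership in the CIDR differs from the '!' flag.
        if target in TERMINAL and all((addr[f] in net) != neg for f, neg, net in matches):
            return target, line
    return "ACCEPT", None  # nothing matched: packet keeps its original source

def source_hidden(rules_text, src, dst):
    """True when the pod would see a node address instead of the client's."""
    return postrouting_verdict(rules_text, src, dst)[0] in REWRITES_SOURCE

if __name__ == "__main__":
    for src in ("192.168.1.50", "10.244.2.7"):  # constructed client addresses
        print(src, "-> 10.244.1.5", postrouting_verdict(SAMPLE_NAT, src, "10.244.1.5"))
```

Because the result names the matching rule line, running it against each node's saved rules shows which nodes still carry the masquerade rule after a change to the flannel or docker options.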