
Should flannel masquerade the source ip addr when packages are from outer net to flannel net? #864

Closed
silenceshell opened this issue Nov 1, 2017 · 3 comments

@silenceshell

I want to find the real source IP addr in docker when the client is not on the flannel net (for auditing), but flannel adds a rule to iptables:

-A POSTROUTING ! -s 10.244.0.0/16 -d 10.244.0.0/16 -j MASQUERADE

After SNAT, the source IP is changed to the .0 address of flannel.1, so I cannot get the real IP.

I found issue #318, which added the rule to flannel. However, I don't quite understand it. In my opinion, if docker has a default route which points to the cni0 gateway, is there any need to do SNAT?

Please let me know if I am wrong 😄

Expected Behavior

Do not SNAT packets if they are not from the flannel net.

Current Behavior

Flannel currently SNATs packets if they are not from the flannel net.

Possible Solution

Delete the iptables rule above.

Steps to Reproduce (for bugs)

  1. Start an nginx pod on flannel.
  2. curl to the pod from another node.
  3. Use netstat to check the Foreign Address of this socket in the nginx pod.

Context

I want to get the real source IP address, but the SNAT will change the source IP. I am using flannel 0.7 (this version of flannel won't check iptables rules every 5 seconds) and I deleted the iptables rule above on all nodes, and for now everything works fine.

Your Environment

  • Flannel version: v0.7
  • Backend used (e.g. vxlan or udp): vxlan
  • Etcd version: 2.2.5
  • Kubernetes version (if used): 1.5.4
  • Operating System and version: centos 7.2
  • Link to your project (optional):
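As an added illustration (not code from this issue or from flannel), a small Python audit helper that parses `iptables-save -t nat` output and reports which POSTROUTING rule would rewrite the source address of a given flow, so an auditor can tell whether the peer address a pod sees is genuine. The rule text and addresses are constructed samples, and only `-s`/`-d` matches are evaluated.

```python
import ipaddress
import re

# Constructed sample of `iptables-save -t nat` output for a flannel node
# (not copied from the issue); the last rule is the one the issue asks about.
SAMPLE_RULES = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.244.0.0/16 -d 10.244.0.0/16 -j RETURN
-A POSTROUTING -s 10.244.0.0/16 ! -d 10.244.0.0/16 -j MASQUERADE
-A POSTROUTING ! -s 10.244.0.0/16 -d 10.244.0.0/16 -j MASQUERADE
COMMIT
"""
# The same node after the rule discussed in the issue has been removed.
FIXED_RULES = SAMPLE_RULES.replace(
    "-A POSTROUTING ! -s 10.244.0.0/16 -d 10.244.0.0/16 -j MASQUERADE\n", "")

RULE_RE = re.compile(r"^-A (?P<chain>\S+)(?P<body>.*) -j (?P<target>\S+)$")


def _addr_match(body, flag):
    """Extract '[!] -s/-d <net>' from a rule body as (network, negated)."""
    m = re.search(r"(?:^|\s)(!\s+)?" + flag + r"\s+(\S+)", body)
    if not m:
        return None, False            # flag absent: matches any address
    return ipaddress.ip_network(m.group(2)), bool(m.group(1))


def parse_nat_rules(text, chain="POSTROUTING"):
    """Yield (src_net, src_neg, dst_net, dst_neg, target) for one chain."""
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group("chain") == chain:
            body = m.group("body")
            yield (*_addr_match(body, "-s"), *_addr_match(body, "-d"), m.group("target"))


def snat_target(text, src, dst):
    """Target of the first POSTROUTING rule matching this flow, or None when
    nothing matches (source kept). Only -s/-d matches are evaluated here."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, src_neg, dst_net, dst_neg, target in parse_nat_rules(text):
        src_ok = src_net is None or (s in src_net) != src_neg
        dst_ok = dst_net is None or (d in dst_net) != dst_neg
        if src_ok and dst_ok:
            return target
    return None


def source_ip_preserved(text, src, dst):
    """True when no POSTROUTING rule will rewrite the source address."""
    return snat_target(text, src, dst) != "MASQUERADE"
```

Run it against the real `iptables-save -t nat` output of a node to see whether an off-overlay client address reaching a pod is masqueraded (as in the issue) or kept.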
@tomdee
Contributor

tomdee commented Nov 3, 2017

This behavior no longer occurs with flannel release 0.8.0 and later - #745

@harryge00

harryge00 commented Mar 1, 2018

@tomdee
I still got rules like -A POSTROUTING ! -s 10.244.0.0/16 -d 10.244.0.0/16 -j MASQUERADE on my kube-node. I don't know whether this rule is added by docker or flanneld. I have added -ip-masq=false to both flannel and docker.

Details can be found in #835

@harryge00

Solved after cleaning old iptables rules.
