-
Notifications
You must be signed in to change notification settings - Fork 182
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nftables / CentOS8 support #306
Comments
Hi @iptizer , |
sure thing! [root@myserver ~]# iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-N KUBE-MARK-DROP
-N KUBE-MARK-MASQ
-N KUBE-POSTROUTING
-N KUBE-KUBELET-CANARY
-N cali-PREROUTING
-N cali-POSTROUTING
-N cali-OUTPUT
-N cali-fip-dnat
-N cali-fip-snat
-N cali-nat-outgoing
-N CNI-HOSTPORT-SETMARK
-N CNI-HOSTPORT-MASQ
-N CNI-HOSTPORT-DNAT
-N CNI-DN-ff88843368fae4d5cdfae
-N CNI-DN-f0f13904d22032106b1e7
-N CNI-DN-442e7af5e08e6bf46621a
-N CNI-DN-e4582bd2b3ff7ed196a28
-N CNI-DN-365d9a185cff3e5ea9379
-N CNI-DN-90b43263af9d462e04f9b
-N CNI-DN-f54bc33afc414d6e64133
-N CNI-DN-fc95996fce81df369bc47
-N CNI-DN-ea59c359e9d718f7116dc
-N CNI-DN-9a7663babfc285ea01c15
-N CNI-DN-fc387103aa44e3b189d09
-N CNI-DN-bcfdb00a9541b4df781a0
-N CNI-DN-2a1d84389734e54983abb
-N CNI-DN-38f4d538cd34246b81019
-A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
-A POSTROUTING -m comment --comment "cali:O3lYWMrLQYEMJtB5" -j cali-POSTROUTING
-A POSTROUTING -m comment --comment "CNI portfwd requiring masquerade" -j CNI-HOSTPORT-MASQ
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
-A OUTPUT -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
-A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE --random-fully
-A cali-PREROUTING -m comment --comment "cali:r6XmIziWUJsdOK6Z" -j cali-fip-dnat
-A cali-POSTROUTING -m comment --comment "cali:Z-c7XtVd2Bq7s_hA" -j cali-fip-snat
-A cali-POSTROUTING -m comment --comment "cali:nYKhEzDlr11Jccal" -j cali-nat-outgoing
-A cali-POSTROUTING -o tunl0 -m comment --comment "cali:SXWvdsbh4Mw7wOln" -m addrtype ! --src-type LOCAL --limit-iface-out -m addrtype --src-type LOCAL -j MASQUERADE --random-fully
-A cali-OUTPUT -m comment --comment "cali:GBTAv2p5CwevEyJm" -j cali-fip-dnat
-A cali-nat-outgoing -m comment --comment "cali:flqWnvo8yq4ULQLa" -m set --match-set cali40masq-ipam-pools src -m set ! --match-set cali40all-ipam-pools dst -j MASQUERADE --random-fully
-A CNI-HOSTPORT-SETMARK -m comment --comment "CNI portfwd masquerade mark" -j MARK --set-xmark 0x2000/0x2000
-A CNI-HOSTPORT-MASQ -m mark --mark 0x2000/0x2000 -j MASQUERADE
-A CNI-HOSTPORT-DNAT -p tcp -m comment --comment "dnat name: \"cni0\" id: \"e05c0b7dc624c20da56c8db60492744381eb27b7449e28e87f8efa6da8210a9e\"" -m multiport --dports 10081,8443 -j CNI-DN-bcfdb00a9541b4df781a0
-A CNI-HOSTPORT-DNAT -p tcp -m comment --comment "dnat name: \"cni0\" id: \"24b63cb1cbda96c6c89e5fb89700141460323010decfb98160b6434700e3a9a4\"" -m multiport --dports 10081,8443 -j CNI-DN-2a1d84389734e54983abb
-A CNI-HOSTPORT-DNAT -p tcp -m comment --comment "dnat name: \"cni0\" id: \"c6578acfe6765587433b73388f55424e1f6e8996f3bb38c1e7ab573995f34245\"" -m multiport --dports 10081,8443 -j CNI-DN-38f4d538cd34246b81019
-A CNI-DN-f0f13904d22032106b1e7 -s 10.233.124.132/32 -p tcp -m tcp --dport 10080 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-f0f13904d22032106b1e7 -s 127.0.0.1/32 -p tcp -m tcp --dport 10080 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-f0f13904d22032106b1e7 -p tcp -m tcp --dport 10080 -j DNAT --to-destination 10.233.124.132:80
-A CNI-DN-442e7af5e08e6bf46621a -s 10.233.124.122/32 -p tcp -m tcp --dport 10080 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-442e7af5e08e6bf46621a -s 127.0.0.1/32 -p tcp -m tcp --dport 10080 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-442e7af5e08e6bf46621a -p tcp -m tcp --dport 10080 -j DNAT --to-destination 10.233.124.122:80
-A CNI-DN-e4582bd2b3ff7ed196a28 -s 10.233.124.141/32 -p tcp -m tcp --dport 10081 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-e4582bd2b3ff7ed196a28 -s 127.0.0.1/32 -p tcp -m tcp --dport 10081 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-365d9a185cff3e5ea9379 -s 127.0.0.1/32 -p tcp -m tcp --dport 10081 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-365d9a185cff3e5ea9379 -p tcp -m tcp --dport 10081 -j DNAT --to-destination 10.233.124.245:80
-A CNI-DN-90b43263af9d462e04f9b -s 10.233.124.192/32 -p tcp -m tcp --dport 10081 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-90b43263af9d462e04f9b -s 127.0.0.1/32 -p tcp -m tcp --dport 10081 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-90b43263af9d462e04f9b -p tcp -m tcp --dport 10081 -j DNAT --to-destination 10.233.124.192:80
-A CNI-DN-90b43263af9d462e04f9b -s 10.233.124.192/32 -p tcp -m tcp --dport 8443 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-90b43263af9d462e04f9b -s 127.0.0.1/32 -p tcp -m tcp --dport 8443 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-90b43263af9d462e04f9b -p tcp -m tcp --dport 8443 -j DNAT --to-destination 10.233.124.192:443
-A CNI-DN-9a7663babfc285ea01c15 -s 10.233.124.151/32 -p tcp -m tcp --dport 10081 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-9a7663babfc285ea01c15 -s 127.0.0.1/32 -p tcp -m tcp --dport 10081 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-9a7663babfc285ea01c15 -p tcp -m tcp --dport 10081 -j DNAT --to-destination 10.233.124.151:80
-A CNI-DN-9a7663babfc285ea01c15 -s 10.233.124.151/32 -p tcp -m tcp --dport 8443 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-9a7663babfc285ea01c15 -s 127.0.0.1/32 -p tcp -m tcp --dport 8443 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-9a7663babfc285ea01c15 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 10.233.124.151:443
-A CNI-DN-fc387103aa44e3b189d09 -s 10.233.124.36/32 -p tcp -m tcp --dport 10081 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-fc387103aa44e3b189d09 -s 127.0.0.1/32 -p tcp -m tcp --dport 10081 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-fc387103aa44e3b189d09 -p tcp -m tcp --dport 10081 -j DNAT --to-destination 10.233.124.36:80
-A CNI-DN-fc387103aa44e3b189d09 -s 10.233.124.36/32 -p tcp -m tcp --dport 8443 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-fc387103aa44e3b189d09 -s 127.0.0.1/32 -p tcp -m tcp --dport 8443 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-fc387103aa44e3b189d09 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 10.233.124.36:443
-A CNI-DN-bcfdb00a9541b4df781a0 -s 10.233.124.50/32 -p tcp -m tcp --dport 10081 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-bcfdb00a9541b4df781a0 -s 127.0.0.1/32 -p tcp -m tcp --dport 10081 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-bcfdb00a9541b4df781a0 -p tcp -m tcp --dport 10081 -j DNAT --to-destination 10.233.124.50:80
-A CNI-DN-bcfdb00a9541b4df781a0 -s 10.233.124.50/32 -p tcp -m tcp --dport 8443 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-bcfdb00a9541b4df781a0 -s 127.0.0.1/32 -p tcp -m tcp --dport 8443 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-bcfdb00a9541b4df781a0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 10.233.124.50:443
-A CNI-DN-2a1d84389734e54983abb -s 10.233.124.73/32 -p tcp -m tcp --dport 10081 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-2a1d84389734e54983abb -s 127.0.0.1/32 -p tcp -m tcp --dport 10081 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-2a1d84389734e54983abb -p tcp -m tcp --dport 10081 -j DNAT --to-destination 10.233.124.73:80
-A CNI-DN-2a1d84389734e54983abb -s 10.233.124.73/32 -p tcp -m tcp --dport 8443 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-2a1d84389734e54983abb -s 127.0.0.1/32 -p tcp -m tcp --dport 8443 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-2a1d84389734e54983abb -p tcp -m tcp --dport 8443 -j DNAT --to-destination 10.233.124.73:443
-A CNI-DN-38f4d538cd34246b81019 -s 10.233.124.236/32 -p tcp -m tcp --dport 10081 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-38f4d538cd34246b81019 -s 127.0.0.1/32 -p tcp -m tcp --dport 10081 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-38f4d538cd34246b81019 -p tcp -m tcp --dport 10081 -j DNAT --to-destination 10.233.124.236:80
-A CNI-DN-38f4d538cd34246b81019 -s 10.233.124.236/32 -p tcp -m tcp --dport 8443 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-38f4d538cd34246b81019 -s 127.0.0.1/32 -p tcp -m tcp --dport 8443 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-38f4d538cd34246b81019 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 10.233.124.236:443
# Warning: iptables-legacy tables present, use iptables-legacy to see them |
My understanding is, even though nftables provides a compatibility layer and the CLI is similar, under the hood it's a different library. Python-iptables interacts with iptables via the C libraries, so it doesn't work with nftables. Recently the official nftables project added python bindings it seems: https://git.netfilter.org/nftables/tree/py so you might want to give that a try. I haven't tested it personally though. |
I am not 100% sure how things are related between iptables and nftables, so I though I'll highlight my problem here, maybe there is a solution.
Setup
I am using Kubernetes with Calico on CentOS8. CentOS8 uses nftables. Felix (the Calico component for setting iptables on a host) is setup with backend=NFT. This works, but some things are not working 100% so I thought let's fix this using python.
My iptables command is linked to xtables:
Problem
Listing chains with
iptables -L -t nat
andiptc.easy.dump_table('nat', ipv6=False)
show different results:[root@ns3032787 moritz]# iptables -L -t nat | grep -i chain Chain PREROUTING (policy ACCEPT) Chain INPUT (policy ACCEPT) Chain POSTROUTING (policy ACCEPT) Chain OUTPUT (policy ACCEPT) Chain KUBE-MARK-DROP (0 references) Chain KUBE-MARK-MASQ (0 references) Chain KUBE-POSTROUTING (1 references) Chain KUBE-KUBELET-CANARY (0 references) Chain cali-PREROUTING (1 references) Chain cali-POSTROUTING (1 references) Chain cali-OUTPUT (1 references) Chain cali-fip-dnat (2 references) Chain cali-fip-snat (1 references) Chain cali-nat-outgoing (1 references) Chain CNI-HOSTPORT-SETMARK (19 references) Chain CNI-HOSTPORT-MASQ (1 references) Chain CNI-HOSTPORT-DNAT (2 references) Chain CNI-DN-ff88843368fae4d5cdfae (0 references) Chain CNI-DN-f0f13904d22032106b1e7 (0 references) Chain CNI-DN-442e7af5e08e6bf46621a (0 references) Chain CNI-DN-e4582bd2b3ff7ed196a28 (0 references) Chain CNI-DN-365d9a185cff3e5ea9379 (0 references) Chain CNI-DN-90b43263af9d462e04f9b (0 references) Chain CNI-DN-f54bc33afc414d6e64133 (1 references) Chain CNI-DN-fc95996fce81df369bc47 (1 references) Chain CNI-DN-ea59c359e9d718f7116dc (0 references) Chain CNI-DN-9a7663babfc285ea01c15 (1 references) Chain CNI-DN-fc387103aa44e3b189d09 (1 references)
So, some chains are showing up, some not.
Question: Is this even supposed to work? Or are the differences between iptables and nftables so large, that using a different python library is recommended?
The text was updated successfully, but these errors were encountered: