[Bug 1324] New: with kernel 4.20.11 ip6table REDIRECT, process listening on redirected port does not get a packet

bugzilla-daemon at netfilter.org
Fri Mar 1 05:14:12 CET 2019


https://bugzilla.netfilter.org/show_bug.cgi?id=1324

            Bug ID: 1324
           Summary: with kernel 4.20.11 ip6table REDIRECT, process
                    listening on redirected port does not get a packet
           Product: iptables
           Version: 1.6.x
          Hardware: All
                OS: RedHat Linux
            Status: NEW
          Severity: critical
          Priority: P5
         Component: ip6tables
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: sbezverk at cisco.com

I encountered a bug in the 4.20.11 kernel, specifically in ip6tables redirects.

It is a Kubernetes environment where two containers are running in the same pod and
sharing the same network stack. One container sends TCP traffic (curl) to port
443, and an output chain rule redirects it to ::1:15001. In the second
container there is a process listening on :::15001. In the kernel 4.20.11
environment, this process does not see the redirected traffic, but in CentOS 7.6
with kernel 3.10.0-957.5.1.el7 it works as expected. The issue is 100%
reproducible. Below are the ip6tables rules. Exactly the same rules work as expected
with the 3.10.0-957.5.1 kernel.

# Generated by ip6tables-save v1.4.21 on Fri Mar  1 01:41:47 2019
*mangle
:PREROUTING ACCEPT [6761:1065175]
:INPUT ACCEPT [6730:1062747]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6661:651696]
:POSTROUTING ACCEPT [6661:651696]
COMMIT
# Completed on Fri Mar  1 01:41:47 2019
# Generated by ip6tables-save v1.4.21 on Fri Mar  1 01:41:47 2019
*filter
:INPUT ACCEPT [6732:1063164]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6663:651930]
COMMIT
# Completed on Fri Mar  1 01:41:47 2019
# Generated by ip6tables-save v1.4.21 on Fri Mar  1 01:41:47 2019
*nat
:PREROUTING ACCEPT [596:47680]
:INPUT ACCEPT [596:47680]
:OUTPUT ACCEPT [441:52134]
:POSTROUTING ACCEPT [442:52214]
:ISTIO_INBOUND - [0:0]
:ISTIO_IN_REDIRECT - [0:0]
:ISTIO_OUTPUT - [0:0]
:ISTIO_REDIRECT - [0:0]
-A PREROUTING -p tcp -j ISTIO_INBOUND
-A OUTPUT -p tcp -j ISTIO_OUTPUT
-A ISTIO_INBOUND -p tcp -m tcp --dport 50705 -j ISTIO_IN_REDIRECT
-A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15001
-A ISTIO_OUTPUT ! -d ::1/128 -o lo -j ISTIO_REDIRECT
-A ISTIO_OUTPUT -m owner --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -d ::1/128 -j RETURN
-A ISTIO_OUTPUT -j ISTIO_REDIRECT
-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
COMMIT
# Completed on Fri Mar  1 01:41:47 2019

Please let me know if I should file a bug or you need any further details.

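The scenario in the report, rebuilt as an added reproduction and triage script (this is not part of the bug report and not Istio's own tooling). It recreates the OUTPUT-side rules of the posted ruleset in a throwaway network namespace, sends one curl request to port 443, and then checks separately whether the listener on :::15001 got the request, whether the REDIRECT rule's packet counter moved, and whether conntrack shows the DNAT to port 15001; those three checks are what separate "rule never matched" from "rule matched but the packet was not delivered to the socket". Assumptions: it runs as root with iproute2, ip6tables, conntrack-tools, socat and curl installed; the namespace name redir-repro and the address fd00::10 are arbitrary choices; the two sample outputs embedded in it are constructed, not captured from the reporter's system.

```shell
#!/usr/bin/env bash
# Added example, not from the bug report or from Istio: rebuild the OUTPUT-side
# REDIRECT rules from the report in a throwaway network namespace, push one
# connection through them, and check three things independently:
#   1. did the listener on :::15001 receive the request,
#   2. did the REDIRECT rule's packet counter move,
#   3. does conntrack show the DNAT (reply-direction source port == 15001).
# Assumptions: run as root with iproute2, ip6tables, conntrack-tools, socat and
# curl installed. The namespace name and the fd00::10 address are arbitrary.
set -eu

NS=redir-repro      # hypothetical namespace name
LOCAL_ADDR=fd00::10 # hypothetical non-loopback address so "-d ::1/128" does not match
APP_PORT=443        # port the application connects to (as in the report)
PROXY_PORT=15001    # port the sidecar listens on (as in the report)
PROXY_UID=1337      # sidecar uid/gid excluded from redirection (as in the report)

# Sum the pkts column of REDIRECT rules in `ip6tables -t nat -L CHAIN -v -n -x` output.
redirect_hits() {
    awk '$3 == "REDIRECT" { n += $1 } END { print n + 0 }'
}

# From `conntrack -L -f ipv6` output, print the reply-direction source port of the
# first TCP flow whose original destination port is $1. After a REDIRECT this is the
# port the kernel actually delivered to; empty output means no such flow exists.
conntrack_reply_port() {
    awk -v port="$1" '
        $1 == "tcp" {
            odport = ""; rsport = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^dport=/ && odport == "") odport = substr($i, 7)
                else if ($i ~ /^sport=/ && odport != "") rsport = substr($i, 7)
            }
            if (odport == port) { print rsport; exit }
        }'
}

# Constructed sample output for exercising the two helpers offline
# (not captured from the reporter's system).
SAMPLE_COUNTERS='Chain ISTIO_REDIRECT (2 references)
    pkts      bytes target     prot opt in     out     source               destination
       3      240 REDIRECT   tcp      *      *       ::/0                 ::/0                 redir ports 15001'
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=fd00::10 dst=fd00::10 sport=40000 dport=443 src=::1 dst=fd00::10 sport=15001 dport=40000 [ASSURED] mark=0 use=1'

repro() {
    local out ipt
    out=$(mktemp)
    ip netns add "$NS"
    trap 'ip netns del "$NS"; rm -f "$out"' EXIT
    ip -n "$NS" link set lo up
    ip -n "$NS" addr add "$LOCAL_ADDR/128" dev lo
    # Only the OUTPUT half of the posted ruleset; PREROUTING is irrelevant to a
    # connection that originates and terminates inside the same namespace.
    ipt="ip netns exec $NS ip6tables -t nat"
    $ipt -N ISTIO_OUTPUT
    $ipt -N ISTIO_REDIRECT
    $ipt -A OUTPUT -p tcp -j ISTIO_OUTPUT
    $ipt -A ISTIO_OUTPUT ! -d ::1/128 -o lo -j ISTIO_REDIRECT
    $ipt -A ISTIO_OUTPUT -m owner --uid-owner "$PROXY_UID" -j RETURN
    $ipt -A ISTIO_OUTPUT -m owner --gid-owner "$PROXY_UID" -j RETURN
    $ipt -A ISTIO_OUTPUT -d ::1/128 -j RETURN
    $ipt -A ISTIO_OUTPUT -j ISTIO_REDIRECT
    $ipt -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports "$PROXY_PORT"

    # "Sidecar": accept one connection on :: and dump whatever arrives into $out.
    ip netns exec "$NS" timeout 10 socat -u TCP6-LISTEN:"$PROXY_PORT",reuseaddr STDOUT >"$out" &
    sleep 1
    # "Application": connect to the local non-loopback address on port 443.
    # curl gets no HTTP reply and times out after 3 s; that is expected here.
    ip netns exec "$NS" curl -6 -s -m 3 "http://[$LOCAL_ADDR]:$APP_PORT/" >/dev/null || true
    wait || true

    if grep -q '^GET / ' "$out"; then
        echo "listener on :::$PROXY_PORT received the redirected request"
    else
        echo "listener on :::$PROXY_PORT saw nothing"
    fi
    echo "REDIRECT rule hits: $($ipt -L ISTIO_REDIRECT -v -n -x | redirect_hits)"
    echo "conntrack reply port for dport $APP_PORT: $(ip netns exec "$NS" conntrack -L -f ipv6 2>/dev/null | conntrack_reply_port "$APP_PORT")"
}

case "${1:-}" in
    run) repro ;;
    *) echo "usage: $0 run   (as root; without it only redirect_hits/conntrack_reply_port are defined)" ;;
esac
```

Run it as `./repro.sh run` on both kernels and compare the three result lines. A non-zero counter with an empty listener capture points at the delivery path after NAT, while a zero counter means the packet never matched ISTIO_REDIRECT in the first place; the posted ip6tables-save dump cannot distinguish these, because it was not saved with -c and so carries no per-rule counters.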