<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - with kernel 4.20.11 ip6table REDIRECT, process listening on redirected port does not get a packet"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1324">1324</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>with kernel 4.20.11 ip6table REDIRECT, process listening on redirected port does not get a packet
</td>
</tr>
<tr>
<th>Product</th>
<td>iptables
</td>
</tr>
<tr>
<th>Version</th>
<td>1.6.x
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>OS</th>
<td>RedHat Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>critical
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>ip6tables
</td>
</tr>
<tr>
<th>Assignee</th>
<td>netfilter-buglog@lists.netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>sbezverk@cisco.com
</td>
</tr></table>
<p>
<div>
<pre>I encountered a bug in the 4.20.11 kernel, specifically in ip6tables redirects.
It is a Kubernetes environment where two containers are running in the same pod and
sharing the same network stack. One container sends TCP traffic (curl) to port
443, and an OUTPUT chain rule redirects it to ::1:15001. In the second
container there is a process listening on :::15001. In the kernel 4.20.11
environment, this process does not see the redirected traffic, but in CentOS 7.6
with kernel 3.10.0-957.5.1.el7 it works as expected. The issue is 100%
reproducible. Below are the ip6tables rules. Exactly the same rules work as expected
with the 3.10.0-957.5.1 kernel.
# Generated by ip6tables-save v1.4.21 on Fri Mar 1 01:41:47 2019
*mangle
:PREROUTING ACCEPT [6761:1065175]
:INPUT ACCEPT [6730:1062747]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6661:651696]
:POSTROUTING ACCEPT [6661:651696]
COMMIT
# Completed on Fri Mar 1 01:41:47 2019
# Generated by ip6tables-save v1.4.21 on Fri Mar 1 01:41:47 2019
*filter
:INPUT ACCEPT [6732:1063164]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6663:651930]
COMMIT
# Completed on Fri Mar 1 01:41:47 2019
# Generated by ip6tables-save v1.4.21 on Fri Mar 1 01:41:47 2019
*nat
:PREROUTING ACCEPT [596:47680]
:INPUT ACCEPT [596:47680]
:OUTPUT ACCEPT [441:52134]
:POSTROUTING ACCEPT [442:52214]
:ISTIO_INBOUND - [0:0]
:ISTIO_IN_REDIRECT - [0:0]
:ISTIO_OUTPUT - [0:0]
:ISTIO_REDIRECT - [0:0]
-A PREROUTING -p tcp -j ISTIO_INBOUND
-A OUTPUT -p tcp -j ISTIO_OUTPUT
-A ISTIO_INBOUND -p tcp -m tcp --dport 50705 -j ISTIO_IN_REDIRECT
-A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15001
-A ISTIO_OUTPUT ! -d ::1/128 -o lo -j ISTIO_REDIRECT
-A ISTIO_OUTPUT -m owner --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -d ::1/128 -j RETURN
-A ISTIO_OUTPUT -j ISTIO_REDIRECT
-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
COMMIT
# Completed on Fri Mar 1 01:41:47 2019
Please let me know if I should file a bug or you need any further details.</pre>
</div>
</p>
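<p>To see which connections the nat rules above actually send to port 15001, it helps to walk the chains the way the kernel does: OUTPUT jumps to ISTIO_OUTPUT for every TCP packet, the owner and ::1 exceptions RETURN to the OUTPUT policy, and everything else reaches ISTIO_REDIRECT. The Python below is an added example, not code from the bug report or from Istio: it parses the posted *nat section (counters zeroed) and evaluates a locally generated packet against it. Only the matches present in the dump (-p, -d, -o, --dport, --uid-owner, --gid-owner) are implemented, and the packets, the address 2001:db8::10 and the uid/gid values other than 1337 are constructed for illustration. It models rule traversal only, not conntrack or the kernel NAT path where the reported failure lives.</p>

```python
"""Added example: walk the nat table posted in the report for one packet.

Not part of the bug report or of Istio. Implements only the matches that
occur in the dump; addresses and uids/gids below (other than 1337) are
constructed sample data.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# The *nat section as posted in the report, with the counters zeroed.
NAT_DUMP = """
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:ISTIO_INBOUND - [0:0]
:ISTIO_IN_REDIRECT - [0:0]
:ISTIO_OUTPUT - [0:0]
:ISTIO_REDIRECT - [0:0]
-A PREROUTING -p tcp -j ISTIO_INBOUND
-A OUTPUT -p tcp -j ISTIO_OUTPUT
-A ISTIO_INBOUND -p tcp -m tcp --dport 50705 -j ISTIO_IN_REDIRECT
-A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15001
-A ISTIO_OUTPUT ! -d ::1/128 -o lo -j ISTIO_REDIRECT
-A ISTIO_OUTPUT -m owner --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -d ::1/128 -j RETURN
-A ISTIO_OUTPUT -j ISTIO_REDIRECT
-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
COMMIT
"""


@dataclass
class Packet:
    proto: str        # "tcp" or "udp"
    dst: str          # destination IPv6 address
    dport: int
    out_iface: str    # "lo" for loopback-routed traffic, else e.g. "eth0"
    uid: int = 0      # owner of the sending socket (owner match, OUTPUT only)
    gid: int = 0


@dataclass
class Rule:
    matches: list     # (option, negated, value) triples in rule order
    target: str
    to_ports: Optional[int] = None


def parse_nat(text):
    """Return (policies, chains). policies maps built-in chains to their
    policy and user chains to None; chains maps name -> [Rule]."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):                      # chain declaration
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
            chains[name] = []
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":
            raise ValueError("only -A lines are supported: " + line)
        rule, negate, i = Rule([], None), False, 2
        while i < len(toks):
            tok = toks[i]
            if tok == "!":                            # inverts the next match
                negate, i = True, i + 1
            elif tok == "-m":                         # extension name; options follow
                i += 2
            elif tok == "-j":
                rule.target, i = toks[i + 1], i + 2
            elif tok == "--to-ports":
                rule.to_ports, i = int(toks[i + 1]), i + 2
            else:                                     # every other option takes one value
                rule.matches.append((tok.lstrip("-"), negate, toks[i + 1]))
                negate, i = False, i + 2
        chains[toks[1]].append(rule)
    return policies, chains


def rule_matches(rule, pkt):
    """True when every match of the rule (honouring '!') applies to pkt."""
    for opt, negated, value in rule.matches:
        if opt == "p":
            hit = pkt.proto == value
        elif opt == "d":
            hit = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(value, strict=False)
        elif opt == "o":
            hit = pkt.out_iface == value
        elif opt == "dport":
            hit = pkt.dport == int(value)
        elif opt == "uid-owner":
            hit = pkt.uid == int(value)
        elif opt == "gid-owner":
            hit = pkt.gid == int(value)
        else:
            raise ValueError("unsupported match: " + opt)
        if hit == negated:
            return False
    return True


def walk(chains, chain, pkt, trace):
    """Evaluate one chain. Returns (target, port) or None when the packet
    RETURNs or falls off the end of the chain."""
    for idx, rule in enumerate(chains[chain], 1):
        if not rule_matches(rule, pkt):
            continue
        trace.append(f"{chain}#{idx} -> {rule.target}")
        if rule.target == "RETURN":
            return None
        if rule.target == "REDIRECT":
            return ("REDIRECT", rule.to_ports)
        if rule.target in chains:                     # jump to a user-defined chain
            verdict = walk(chains, rule.target, pkt, trace)
            if verdict is not None:
                return verdict
            continue                                  # it RETURNed: next rule here
        return (rule.target, None)                    # ACCEPT/DROP etc.
    return None


def nat_verdict(pkt, hook="OUTPUT", dump=NAT_DUMP):
    """(target, to_port, trace) for pkt entering the given built-in nat chain."""
    policies, chains = parse_nat(dump)
    trace = []
    verdict = walk(chains, hook, pkt, trace)
    if verdict is None:                               # chain policy applies
        verdict = (policies[hook], None)
    return verdict[0], verdict[1], trace


if __name__ == "__main__":
    # Constructed packets: the app container's curl and the proxy's own upstream connection.
    app = Packet("tcp", "2001:db8::10", 443, "eth0", uid=1000, gid=1000)
    proxy = Packet("tcp", "2001:db8::10", 443, "eth0", uid=1337, gid=1337)
    for name, pkt in (("app curl :443", app), ("proxy (uid 1337)", proxy)):
        target, port, trace = nat_verdict(pkt)
        print(f"{name}: {target} {port or ''} via {' / '.join(trace) or 'policy'}")
```

<p>Run stand-alone it shows the app's curl ending at REDIRECT 15001 through OUTPUT#1, ISTIO_OUTPUT#5 and ISTIO_REDIRECT#1, while the proxy's own traffic RETURNs at ISTIO_OUTPUT#2 and falls back to the OUTPUT policy. On a live host the same walk can be compared with the per-rule packet counters from <code>ip6tables -t nat -L -n -v</code>: if ISTIO_REDIRECT's REDIRECT counter rises for the curl but the listener on :::15001 still sees nothing, the rules are matching and the problem lies beyond rule traversal.</p>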
</body>
</html>