plugins [feature request] `portmap` support `masquerade-all` option

[feature request] `portmap` support `masquerade-all` option

Open BSWANG opened this issue 2 years ago • 5 comments

When k8s cluster use ipvlan L3/L2, macvlan or other underlay network plugin. The traffic come back from pod to host maybe not go through conntrack in host, and can not un-snat to hostip which client requested.

Masquerad all traffic can make sure the pod reply come back to host and go through conntrack in host.

Sep 16 '22 07:09 BSWANG

I'm having trouble understanding what is going on.

What addresses live where?

Sep 19 '22 15:09 mccv1r0

@BSWANG can you clarify the diagram? What are 1.1.1.1 and 2.2.2.2?

Is the square a node in a cluster? And is 192.168.0.1 and 0.2 NICs on the node?

Is 10.0.0.1 the container?

Sep 19 '22 15:09 dcbw

In your use-case, what is the source-ip and dest-ip of the incoming packet from client -> pod?

When the pod replies, what is the source-ip and dest-ip of hte outgoing packet?

Sep 19 '22 15:09 dcbw

Are you able to give the output of 'ip r' on the host node?

Sep 19 '22 16:09 MikeZappa87

@dcbw @MikeZappa87 Thanks for reply. I have updated the description, for some underlay plugins scenarios.

Oct 25 '22 12:10 BSWANG

plugins plugins copied to clipboard

[feature request] `portmap` support `masquerade-all` option

plugins
plugins copied to clipboard