
SNAT doesn't take effect

Open JSilent opened this issue 4 years ago • 3 comments

Hi, the messages to the specified destination can be routed to the gateway. However, the SNAT doesn't take effect, since Calico ensures it's always the first rule in POSTROUTING, even though I manually move STATIC-EGRESS-NAT-CHAIN before MASQUERADE.

$ sudo iptables -L STATIC-EGRESS-NAT-CHAIN -t nat
Chain STATIC-EGRESS-NAT-CHAIN (1 references)
target     prot opt source               destination
SNAT       all  --  anywhere             10.124.200.68        match-set EGRESS-IP-A6RUBTJVWO4N6RIK src to:10.41.82.253
$ sudo iptables -L POSTROUTING -t nat --line-number
Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    cali-POSTROUTING  all  --  anywhere             anywhere             /* cali:O3lYWMrLQYEMJtB5 */
2    STATIC-EGRESS-BYPASS-CNI  all  --  anywhere             anywhere
3    STATIC-EGRESS-NAT-CHAIN  all  --  anywhere             anywhere
4    KUBE-POSTROUTING  all  --  anywhere             anywhere             /* kubernetes postrouting rules */
5    MASQUERADE  all  --  bovis-z1020-172-17-0-0.extern.sw.ericsson.se/16  anywhere
$  sudo iptables -L cali-POSTROUTING -t nat --line-number
Chain cali-POSTROUTING (1 references)
num  target     prot opt source               destination
1    cali-fip-snat  all  --  anywhere             anywhere             /* cali:Z-c7XtVd2Bq7s_hA */
2    cali-nat-outgoing  all  --  anywhere             anywhere             /* cali:nYKhEzDlr11Jccal */
3    MASQUERADE  all  --  anywhere             anywhere             /* cali:JHlpT-eSqR1TvyYm */ ADDRTYPE match src-type !LOCAL limit-out ADDRTYPE match src-type LOCAL
$  sudo iptables -L cali-fip-snat -t nat --line-number
Chain cali-fip-snat (1 references)
num  target     prot opt source               destination
$  sudo iptables -L cali-nat-outgoing -t nat --line-number
Chain cali-nat-outgoing (1 references)
num  target     prot opt source               destination
1    MASQUERADE  all  --  anywhere             anywhere             /* cali:Dw4T8UWPnCLxRJiI */ match-set cali40masq-ipam-pools src ! match-set cali40all-ipam-pools dst

By the way, the ipipEnabled is true in calico's configuration.

JSilent, Jul 08 '20 07:07

Indeed, my solution is to turn off calico's natoutgoing :smile:

lyyao09, Jul 11 '20 03:07

So is it not possible to have a mixed setup?

kifeo, Jul 20 '20 08:07

@kifeo Maybe you can modify the following parameters for a mixed setup.

| Configuration parameter | Environment variable | Description | Schema |
|---|---|---|---|
| ChainInsertMode | FELIX_CHAININSERTMODE | Controls whether Felix hooks the kernel’s top-level iptables chains by inserting a rule at the top of the chain or by appending a rule at the bottom. Insert is the safe default since it prevents Calico’s rules from being bypassed. If you switch to Append mode, be sure that the other rules in the chains signal acceptance by falling through to the Calico rules, otherwise the Calico policy will be bypassed. [Default: Insert] | Insert, Append |

lyyao09, Jul 24 '20 11:07
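An added check, not part of this thread or of kube-static-egress-ip, that walks an `iptables -S -t nat` dump and reports which POSTROUTING targets jumped to before STATIC-EGRESS-NAT-CHAIN can reach a MASQUERADE (the cali-POSTROUTING path in the listing above). The rule dump is a constructed sample modelled on the issue's chains with the comment matches dropped; on a real node, pass it the output of `iptables -S -t nat` instead, before and after changing natOutgoing or FELIX_CHAININSERTMODE.

```shell
# Constructed sample of `iptables -S -t nat` output, modelled on the chains in the
# issue (comment matches dropped; rule content otherwise follows the listing above).
SAMPLE_RULES='-P POSTROUTING ACCEPT
-N cali-POSTROUTING
-N cali-nat-outgoing
-N STATIC-EGRESS-BYPASS-CNI
-N STATIC-EGRESS-NAT-CHAIN
-A POSTROUTING -j cali-POSTROUTING
-A POSTROUTING -j STATIC-EGRESS-BYPASS-CNI
-A POSTROUTING -j STATIC-EGRESS-NAT-CHAIN
-A POSTROUTING -s 172.17.0.0/16 -j MASQUERADE
-A cali-POSTROUTING -j cali-nat-outgoing
-A cali-nat-outgoing -m set --match-set cali40masq-ipam-pools src -m set ! --match-set cali40all-ipam-pools dst -j MASQUERADE
-A STATIC-EGRESS-NAT-CHAIN -d 10.124.200.68/32 -m set --match-set EGRESS-IP-A6RUBTJVWO4N6RIK src -j SNAT --to-source 10.41.82.253'

# snat_shadowed RULES CHAIN
# Walks the POSTROUTING chain in order, stopping at the jump to CHAIN, and prints
# every earlier target that is MASQUERADE or a chain that reaches MASQUERADE
# through any depth of jumps. Exit status 0 means CHAIN's SNAT is shadowed.
snat_shadowed() {
    printf '%s\n' "$1" | awk -v want="$2" '
        function jump_target(r,   a, m, i) {
            m = split(r, a, " ")
            for (i = 1; i < m; i++) if (a[i] == "-j") return a[i + 1]
            return ""
        }
        function reaches_masq(chain,   i, t) {
            for (i = 1; i <= n[chain]; i++) {
                t = jump_target(rule[chain, i])
                if (t == "MASQUERADE") return 1
                if ((t in n) && reaches_masq(t)) return 1
            }
            return 0
        }
        $1 == "-A" { n[$2]++; rule[$2, n[$2]] = $0 }
        END {
            found = 0
            for (i = 1; i <= n["POSTROUTING"]; i++) {
                t = jump_target(rule["POSTROUTING", i])
                if (t == want) break
                if (t == "MASQUERADE" || ((t in n) && reaches_masq(t))) { print t; found = 1 }
            }
            exit (found ? 0 : 1)
        }'
}

if snat_shadowed "$SAMPLE_RULES" STATIC-EGRESS-NAT-CHAIN; then
    echo "SNAT in STATIC-EGRESS-NAT-CHAIN is shadowed by the chain(s) above"
fi
```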