
Commit 10f9afb

committed
portmap: ensure nftables backend only intercept local traffic
This aligns the behavior with the iptables backend. Fixes 9296c5f Fixes 01a94e1 Signed-off-by: Etienne Champetier <[email protected]>
1 parent 372953d commit 10f9afb


2 files changed

+11
-22
lines changed


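--- a/plugins/meta/portmap/portmap_nftables.go
+++ b/plugins/meta/portmap/portmap_nftables.go
@@ -123,14 +123,11 @@ func (pmNFT *portMapperNFTables) forwardPorts(config *PortMapConf, containerNet
 Chain: "prerouting",
 Rule: knftables.Concat(
 conditions,
-"jump", hostIPHostPortsChain,
-),
-})
-tx.Add(&knftables.Rule{
-Chain: "prerouting",
-Rule: knftables.Concat(
-conditions,
+"fib daddr type local",
+"jump {",
+"jump", hostIPHostPortsChain, ";",
 "jump", hostPortsChain,
+"}",
 ),
 })
 
@@ -143,19 +140,15 @@ func (pmNFT *portMapperNFTables) forwardPorts(config *PortMapConf, containerNet
 tx.Flush(&knftables.Chain{
 Name: "output",
 })
-tx.Add(&knftables.Rule{
-Chain: "output",
-Rule: knftables.Concat(
-conditions,
-"jump", hostIPHostPortsChain,
-),
-})
 tx.Add(&knftables.Rule{
 Chain: "output",
 Rule: knftables.Concat(
 conditions,
 "fib daddr type local",
+"jump {",
+"jump", hostIPHostPortsChain, ";",
 "jump", hostPortsChain,
+"}",
 ),
 })
 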
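--- a/plugins/meta/portmap/portmap_nftables_test.go
+++ b/plugins/meta/portmap/portmap_nftables_test.go
@@ -93,10 +93,8 @@ add rule ip cni_hostport hostports udp dport 8082 dnat to 10.0.0.2:82 comment "i
 add rule ip cni_hostport hostports tcp dport 8084 dnat to 10.0.0.2:84 comment "icee6giejonei6so"
 add rule ip cni_hostport masquerading ip saddr 10.0.0.2 ip daddr 10.0.0.2 masquerade comment "icee6giejonei6so"
 add rule ip cni_hostport masquerading ip saddr 127.0.0.1 ip daddr 10.0.0.2 masquerade comment "icee6giejonei6so"
-add rule ip cni_hostport output a b jump hostip_hostports
-add rule ip cni_hostport output a b fib daddr type local jump hostports
-add rule ip cni_hostport prerouting a b jump hostip_hostports
-add rule ip cni_hostport prerouting a b jump hostports
+add rule ip cni_hostport output a b fib daddr type local jump { jump hostip_hostports ; jump hostports }
+add rule ip cni_hostport prerouting a b fib daddr type local jump { jump hostip_hostports ; jump hostports }
 `)
 actualRules := strings.TrimSpace(ipv4Fake.Dump())
 Expect(actualRules).To(Equal(expectedRules))
@@ -121,10 +119,8 @@ add rule ip6 cni_hostport hostports tcp dport 8081 dnat to [2001:db8::2]:80 comm
 add rule ip6 cni_hostport hostports udp dport 8080 dnat to [2001:db8::2]:81 comment "icee6giejonei6so"
 add rule ip6 cni_hostport hostports udp dport 8082 dnat to [2001:db8::2]:82 comment "icee6giejonei6so"
 add rule ip6 cni_hostport hostports tcp dport 8086 dnat to [2001:db8::2]:86 comment "icee6giejonei6so"
-add rule ip6 cni_hostport output c d jump hostip_hostports
-add rule ip6 cni_hostport output c d fib daddr type local jump hostports
-add rule ip6 cni_hostport prerouting c d jump hostip_hostports
-add rule ip6 cni_hostport prerouting c d jump hostports
+add rule ip6 cni_hostport output c d fib daddr type local jump { jump hostip_hostports ; jump hostports }
+add rule ip6 cni_hostport prerouting c d fib daddr type local jump { jump hostip_hostports ; jump hostports }
 `)
 actualRules = strings.TrimSpace(ipv6Fake.Dump())
 Expect(actualRules).To(Equal(expectedRules))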