On Tue, Mar 18, 2025 at 09:13:23PM +0100, Florian Westphal wrote: > Maxim Mikityanskiy <maxtram95@xxxxxxxxx> wrote: > > nf_sk_lookup_slow_v4 does the conntrack lookup for IPv4 packets to > > restore the original 5-tuple in case of SNAT, to be able to find the > > right socket (if any). Then socket_match() can correctly check whether > > the socket was transparent. > > > > However, the IPv6 counterpart (nf_sk_lookup_slow_v6) lacks this > > conntrack lookup, making xt_socket fail to match on the socket when the > > packet was SNATed. Add the same logic to nf_sk_lookup_slow_v6. > > > > IPv6 SNAT is used in Kubernetes clusters for pod-to-world packets, as > > pods' addresses are in the fd00::/8 ULA subnet and need to be replaced > > with the node's external address. Cilium leverages Envoy to enforce L7 > > policies, and Envoy uses transparent sockets. Cilium inserts an iptables > > prerouting rule that matches on `-m socket --transparent` and redirects > > the packets to localhost, but it fails to match SNATed IPv6 packets due > > to that missing conntrack lookup. > > > > Closes: https://github.com/cilium/cilium/issues/37932 > > Fixes: b64c9256a9b7 ("tproxy: added IPv6 support to the socket match") > > Note that this commit predates IPv6 NAT support in netfilter. Right. I am inclined to put this into nf-next. > No need to send a v2, just saying. > > Reviewed-by: Florian Westphal <fw@xxxxxxxxx> Thanks.
