Maxim Mikityanskiy <maxtram95@xxxxxxxxx> wrote: > nf_sk_lookup_slow_v4 does the conntrack lookup for IPv4 packets to > restore the original 5-tuple in case of SNAT, to be able to find the > right socket (if any). Then socket_match() can correctly check whether > the socket was transparent. > > However, the IPv6 counterpart (nf_sk_lookup_slow_v6) lacks this > conntrack lookup, making xt_socket fail to match on the socket when the > packet was SNATed. Add the same logic to nf_sk_lookup_slow_v6. > > IPv6 SNAT is used in Kubernetes clusters for pod-to-world packets, as > pods' addresses are in the fd00::/8 ULA subnet and need to be replaced > with the node's external address. Cilium leverages Envoy to enforce L7 > policies, and Envoy uses transparent sockets. Cilium inserts an iptables > prerouting rule that matches on `-m socket --transparent` and redirects > the packets to localhost, but it fails to match SNATed IPv6 packets due > to that missing conntrack lookup. > > Closes: https://github.com/cilium/cilium/issues/37932 > Fixes: b64c9256a9b7 ("tproxy: added IPv6 support to the socket match") Note that this commit predates IPv6 NAT support in netfilter. No need to send a v2, just saying. Reviewed-by: Florian Westphal <fw@xxxxxxxxx>
