Antonio Ojea <antonio.ojea.garcia@xxxxxxxxx> wrote:
> We (kubernetes) are currently exploring options for port forwarding
> traffic that originates from localhost and is also destined for
> localhost, to redirect it to a different destination IP address and
> port [1].

Don't think it's a good idea, has much higher risk of exposing credentials.
Maybe fixable by placing a macsec or ipsec tunnel.

> We can use the route_localnet sysctl parameter, however, that does not
> work for IPv6.

Seems no kernel changes are needed, but it's ugly because daddr ::1 has
to be concealed in prerouting to prevent the RT6_LOOKUP_F_IFACE flag:

        if (rt6_need_strict(&fl6->daddr) && dev->type != ARPHRD_PIMREG)
                flags |= RT6_LOOKUP_F_IFACE;
        ...

in ip6_route_input_lookup().

This seems to do the trick:

define fakein6 = dead::1ce

table inet test {
        # replies to the DNATed flow must not leave with ::1 as source
        chain nat_pr {
                type nat hook postrouting priority srcnat ; policy accept;
                ct status dnat ct original ip6 saddr ::1 masquerade
        }

        # locally generated ::1:12345 is redirected to the remote host
        chain nat_out {
                type nat hook output priority dstnat ; policy accept;
                ip6 daddr ::1 tcp dport 12345 dnat to [dead:beef:0:227:300::3]:22
        }

        # reverse-translated replies carry daddr ::1 on a non-loopback
        # interface; hide it behind an address assigned to lo so the
        # route lookup is not strict
        chain pre {
                type filter hook prerouting priority 0 ; policy accept;
                ct status dnat,snat ct original ip6 saddr ::1 ct original ip6 daddr ::1 ip6 daddr set $fakein6 comment "daddr is ::1 but that forces strict route lookup"
        }

        # restore ::1 before socket lookup
        chain in {
                type filter hook input priority 0 ; policy accept;
                ct status dnat,snat ct original ip6 saddr ::1 ct original ip6 daddr ::1 ip6 daddr set ::1 comment "get rid of fakein6"
        }
}

$ ip -6 addr show dev lo
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet6 dead::1ce/128 scope global
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever

$ uname -sr ; ssh -p 12345 ::1 uname -sr
Linux 6.15.8-200.fc42.x86_64
Linux 6.1.0-37-amd64
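The ruleset in the mail above is hard-wired to one port, one destination and one placeholder address. The script below is an added example (not from the mail, not nftables or kernel project code) that generalises the same trick into a parameterised loader: it emits the ruleset for a given local port, destination address/port and fake loopback address, assigns that fake address to lo with global scope (the step that makes the rewritten reply routable as local delivery), and loads it with nft. The function names (gen_ruleset, apply_ruleset, check_ruleset), the table name lo6nat and the sample addresses are assumptions chosen for the example; applying it needs root and a kernel/nft recent enough for inet-family NAT. The mail's own caveat applies unchanged: the masquerade puts traffic the application believed stayed on loopback onto the wire, so plaintext credentials sent to ::1 leave the host.

```shell
#!/bin/sh
# Added example, not part of the original mail.  All names are hypothetical.
set -eu

# Emit an nft ruleset that redirects ::1:$lport to [$daddr]:$dport and, on
# the way back, replaces daddr ::1 with $fake (a global-scope address that
# must exist on lo) to sidestep the strict RT6_LOOKUP_F_IFACE lookup.
gen_ruleset() {
    lport=$1; daddr=$2; dport=$3; fake=$4
    cat <<EOF
define fakein6 = $fake

table inet lo6nat {
        chain nat_pr {
                type nat hook postrouting priority srcnat; policy accept;
                ct status dnat ct original ip6 saddr ::1 masquerade
        }

        chain nat_out {
                type nat hook output priority dstnat; policy accept;
                ip6 daddr ::1 tcp dport $lport dnat to [$daddr]:$dport
        }

        chain pre {
                type filter hook prerouting priority 0; policy accept;
                ct status dnat,snat ct original ip6 saddr ::1 ct original ip6 daddr ::1 ip6 daddr set \$fakein6 comment "daddr ::1 would force a strict route lookup"
        }

        chain in {
                type filter hook input priority 0; policy accept;
                ct status dnat,snat ct original ip6 saddr ::1 ct original ip6 daddr ::1 ip6 daddr set ::1 comment "restore ::1 so the local socket matches"
        }
}
EOF
}

# Install the fake address on lo first, then load the ruleset from stdin.
# Without the address the rewritten reply is not delivered locally.
apply_ruleset() {
    lport=$1; daddr=$2; dport=$3; fake=$4
    ip -6 addr replace "$fake/128" dev lo scope global
    gen_ruleset "$lport" "$daddr" "$dport" "$fake" | nft -f -
}

# Offline sanity check of the generated text (no kernel interaction):
# the DNAT target, the prerouting rewrite and the input restore must be
# present, otherwise the forwarded flow would silently break.
check_ruleset() {
    out=$(gen_ruleset "$@")
    printf '%s\n' "$out" | grep -q "dnat to \[$2\]:$3" || return 1
    printf '%s\n' "$out" | grep -q 'hook prerouting' || return 1
    printf '%s\n' "$out" | grep -q 'ip6 daddr set $fakein6' || return 1
    printf '%s\n' "$out" | grep -q 'ip6 daddr set ::1 ' || return 1
    return 0
}

# Usage (as root):
#   apply_ruleset 12345 dead:beef:0:227:300::3 22 dead::1ce
#   ssh -p 12345 ::1
```

The fake address is deliberately a /128 with scope global: the kernel only applies the strict lookup to addresses rt6_need_strict() flags (loopback, link-local, multicast), so any routable address owned by lo avoids it, and the input-hook rule puts ::1 back before the socket lookup so the listener or the originating socket still sees a loopback peer.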