Re: Query on nftables DNAT for localhost-to-localhost traffic in IPv6 or without route_localnet

Hi Florian,

On Mon, Aug 04, 2025 at 10:25:37AM +0200, Florian Westphal wrote:
> Antonio Ojea <antonio.ojea.garcia@xxxxxxxxx> wrote:
> > We (kubernetes) are currently exploring options for port forwarding
> > traffic that originates from localhost and is also destined for
> > localhost, to redirect it to a different destination IP address and
> > port [1].
> 
> Don't think it's a good idea, has much higher risk of exposing
> credentials.  Maybe fixable by placing macsec or ipsec tunnel.
> 
> > We can use the route_localnet sysctl parameter, however, that does not
> > work for IPv6.
> 
> Seems no kernel changes are needed, but it's ugly because daddr ::1 has
> to be concealed in prerouting to prevent RT6_LOOKUP_F_IFACE flag:
> 
>         if (rt6_need_strict(&fl6->daddr) && dev->type != ARPHRD_PIMREG)
>                 flags |= RT6_LOOKUP_F_IFACE;
>
> ... in ip6_route_input_lookup().

> This seems to do the trick:

To simplify this example below, would it be possible to extend nft_fib
to attach DST_METADATA in prerouting to modify the ip6_route_input_lookup()
behaviour? This is similar to the conntrack template, but for routing.

> define fakein6 = dead::1ce
> table inet test {
>         chain nat_pr {
>                 type nat hook postrouting priority srcnat ; policy accept;
>                 ct status dnat ct original ip6 saddr ::1 masquerade
>         }
> 
>         chain nat_out {
>                 type nat hook output priority dstnat ; policy accept;
>                 ip6 daddr ::1 tcp dport 12345 dnat to [dead:beef:0:227:300::3]:22
>         }
> 
>         chain pre {
>                 type filter hook prerouting priority 0 ; policy accept;
>                 ct status dnat,snat ct original ip6 saddr ::1 ct original ip6 daddr ::1 ip6 daddr set $fakein6 comment "daddr is ::1 but that forces strict route lookup"
>         }
> 
>         chain in {
>                 type filter hook input priority 0 ; policy accept;
>                 ct status dnat,snat ct original ip6 saddr ::1 ct original ip6 daddr ::1 ip6 daddr set ::1 comment "get rid of fakein6"
>         }
> }
> 
> $ ip -6 addr show dev lo
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>     inet6 dead::1ce/128 scope global
>        valid_lft forever preferred_lft forever
>     inet6 ::1/128 scope host noprefixroute
>        valid_lft forever preferred_lft forever
> 
> $ uname -sr ; ssh -p 12345 ::1 uname -sr
> Linux 6.15.8-200.fc42.x86_64
> Linux 6.1.0-37-amd64
> 
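The hook traversal the quoted ruleset depends on, as an added Python model that is not part of the thread: it walks the ssh reply from the DNAT target back through prerouting, the strict route lookup and input, with and without the `pre`/`in` concealment rules. The egress address `MASQ_ADDR`, the `route_input` function and the reduction of conntrack tuples to an address pair (no ports) are simplifications assumed for the model.

```python
from dataclasses import dataclass, replace

LOOPBACK = "::1"
FAKEIN6 = "dead::1ce"              # $fakein6 from the quoted ruleset
TARGET = "dead:beef:0:227:300::3"  # dnat target from the quoted ruleset
MASQ_ADDR = "2001:db8::10"         # assumed: address masquerade picks on the egress device
LOCAL_ADDRS = {LOOPBACK, FAKEIN6, MASQ_ADDR}  # addresses this host owns

# The connection whose replies we follow: ct original tuple is ::1 -> ::1
# (ssh -p 12345 ::1, rewritten in the 'nat_out' chain).
CT_ORIG = (LOOPBACK, LOOPBACK)

@dataclass(frozen=True)
class Pkt:
    saddr: str
    daddr: str
    indev: str

def route_input(pkt: Pkt) -> str:
    """Simplified ip6_route_input_lookup(): ::1 forces a strict (RT6_LOOKUP_F_IFACE)
    lookup that only succeeds when the packet arrived on lo; any other address
    the host owns is delivered locally."""
    if pkt.daddr == LOOPBACK:
        return "local" if pkt.indev == "lo" else "unreachable"
    return "local" if pkt.daddr in LOCAL_ADDRS else "forward"

def reply_path(conceal: bool) -> tuple[str, Pkt]:
    """Walk the ssh reply from TARGET through the hooks in kernel order.
    conceal=True applies the quoted 'pre' and 'in' chains."""
    pkt = Pkt(saddr=TARGET, daddr=MASQ_ADDR, indev="eth0")
    # nat prerouting (priority dstnat): conntrack undoes masquerade, dst -> ::1
    pkt = replace(pkt, daddr=CT_ORIG[0])
    # filter prerouting (priority 0): 'pre' chain hides ::1 behind $fakein6
    if conceal and CT_ORIG == (LOOPBACK, LOOPBACK):
        pkt = replace(pkt, daddr=FAKEIN6)
    verdict = route_input(pkt)
    if verdict != "local":
        return verdict, pkt          # dropped before any input hook runs
    # filter input (priority 0): 'in' chain restores ::1 for the socket lookup
    if conceal and CT_ORIG == (LOOPBACK, LOOPBACK):
        pkt = replace(pkt, daddr=LOOPBACK)
    # conntrack NAT in the input hook undoes the dnat on the reply source, src -> ::1
    pkt = replace(pkt, saddr=CT_ORIG[1])
    return verdict, pkt

if __name__ == "__main__":
    for conceal in (False, True):
        print(f"conceal={conceal}:", reply_path(conceal))
```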