author | Kevin Krakauer <krakauer@google.com> | 2020-06-05 11:22:44 -0700
---|---|---
committer | Kevin Krakauer <krakauer@google.com> | 2020-07-22 16:49:11 -0700
commit | 89bd71c942146f9a77aabab8bc832ec5c3912d6b (patch) |
tree | 2b5d6a1a00706f9f22bcb8994241da43ed7cbf57 /pkg/sentry/syscalls/linux/BUILD |
parent | bd98f820141208d9f19b0e12dee93f6f6de3ac97 (diff) |
iptables: don't NAT existing connections
Fixes a NAT bug that manifested as:
- A SYN was sent from gVisor to another host, unaffected by iptables.
- The corresponding SYN/ACK was NATted by a PREROUTING REDIRECT rule
despite being part of the existing connection.
- The socket that sent the SYN never received the SYN/ACK and thus a
connection could not be established.
We handle this (as Linux does) by tracking all connections, inserting a
no-op conntrack rule for new connections with no rules of their own.
Needed for istio support (#170).
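The failure sequence in the message above, modelled as an added example that is not gVisor's netstack code: a toy conntrack table keyed by original and reply tuples, with a `trackAll` switch that reproduces the pre-fix behaviour (untracked outbound connections, so the returning SYN/ACK is treated as a fresh inbound flow and hits the PREROUTING REDIRECT) beside the fixed one (a no-op entry for every new connection). The addresses, ports and the REDIRECT target 8080 are constructed values.

```go
package main

// Tuple identifies one direction of a TCP flow (constructed model, not netstack's types).
type Tuple struct {
	SrcIP, DstIP     string
	SrcPort, DstPort uint16
}

// Reply is the tuple this host sees for packets flowing the opposite way.
func (t Tuple) Reply() Tuple { return Tuple{t.DstIP, t.SrcIP, t.DstPort, t.SrcPort} }

// entry records the NAT decision for one tracked connection; redirectPort 0 means no-op.
type entry struct {
	orig         Tuple
	redirectPort uint16
}

// Conntrack indexes every tracked connection by both its original and its reply tuple.
type Conntrack struct {
	table        map[Tuple]*entry
	redirectPort uint16 // PREROUTING REDIRECT --to-port (constructed value)
	trackAll     bool   // post-fix behaviour: track connections even when no rule matches
}

func New(redirectPort uint16, trackAll bool) *Conntrack {
	return &Conntrack{table: map[Tuple]*entry{}, redirectPort: redirectPort, trackAll: trackAll}
}

// Handle returns the destination port a packet is delivered to after NAT. inbound selects
// the PREROUTING path, where the REDIRECT rule lives. Source un-NAT of replies is not modelled.
func (c *Conntrack) Handle(t Tuple, inbound bool) uint16 {
	if e, ok := c.table[t]; ok { // existing connection: reuse its decision, skip the rules
		if t == e.orig && e.redirectPort != 0 {
			return e.redirectPort
		}
		return t.DstPort
	}
	e, natted := &entry{orig: t}, t
	if inbound && c.redirectPort != 0 {
		e.redirectPort, natted.DstPort = c.redirectPort, c.redirectPort
	} else if !c.trackAll {
		return t.DstPort // pre-fix: untracked, so its reply is later evaluated as a new flow
	}
	c.table[t], c.table[natted.Reply()] = e, e
	return natted.DstPort
}

// SynAckPort runs the scenario from the commit message and returns where the SYN/ACK lands.
func SynAckPort(trackAll bool) uint16 {
	syn := Tuple{"10.0.0.2", "1.2.3.4", 40000, 80} // SYN from the sandbox to a remote host
	ct := New(8080, trackAll)
	ct.Handle(syn, false)            // OUTPUT path, no rule matches
	return ct.Handle(syn.Reply(), true) // PREROUTING path for the returning SYN/ACK
}
```

With `trackAll=false` the SYN/ACK is delivered to 8080 instead of the socket's port 40000, which is exactly why the connection never completed; with `trackAll=true` the no-op entry short-circuits rule evaluation.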
Diffstat (limited to 'pkg/sentry/syscalls/linux/BUILD')
0 files changed, 0 insertions, 0 deletions