diff options
| author | Kevin Krakauer <krakauer@google.com> | 2020-06-05 11:22:44 -0700 |
|---|---|---|
| committer | Kevin Krakauer <krakauer@google.com> | 2020-07-22 16:49:11 -0700 |
| commit | 89bd71c942146f9a77aabab8bc832ec5c3912d6b (patch) | |
| tree | 2b5d6a1a00706f9f22bcb8994241da43ed7cbf57 /pkg/tcpip/stack/iptables_targets.go | |
| parent | bd98f820141208d9f19b0e12dee93f6f6de3ac97 (diff) | |
iptables: don't NAT existing connections
Fixes a NAT bug that manifested as:
- A SYN was sent from gVisor to another host, unaffected by iptables.
- The corresponding SYN/ACK was NATted by a PREROUTING REDIRECT rule
despite being part of the existing connection.
- The socket that sent the SYN never received the SYN/ACK and thus a
connection could not be established.
We handle this (as Linux does) by tracking all connections, inserting a
no-op conntrack rule for new connections with no rules of their own.
Needed for istio support (#170).
Diffstat (limited to 'pkg/tcpip/stack/iptables_targets.go')
| -rw-r--r-- | pkg/tcpip/stack/iptables_targets.go | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/pkg/tcpip/stack/iptables_targets.go b/pkg/tcpip/stack/iptables_targets.go index d43f60c67..dc88033c7 100644 --- a/pkg/tcpip/stack/iptables_targets.go +++ b/pkg/tcpip/stack/iptables_targets.go @@ -153,7 +153,7 @@ func (rt RedirectTarget) Action(pkt *PacketBuffer, ct *ConnTrack, hook Hook, gso // Set up conection for matching NAT rule. Only the first // packet of the connection comes here. Other packets will be // manipulated in connection tracking. - if conn := ct.createConnFor(pkt, hook, rt); conn != nil { + if conn := ct.insertRedirectConn(pkt, hook, rt); conn != nil { ct.handlePacket(pkt, hook, gso, r) } default: |