Fix issue caused by different iptables versions #72
Conversation
A backport of "nft: Optimize class-based IP prefix matches" from newer iptables versions broke the hairpin mode detection of ipv6nat. This is caused by newer versions on the host creating optimized ipt rules, which are interpreted differently by older versions of iptables. This can be spotted when you dump the rules on the host and compare them to the rules dumped inside the ipv6nat container. The outside rule contains the correct subnet for the detection, 127.0.0.0/8, while inside it is displayed as 127.0.0.0/32, which causes the detection (code in manager.go) to fail. As this is only a display issue (the rule is correct), accepting both versions should be fine to get around this issue.

Big thanks to Phil Sutter, who provided me the code to implement my idea to match both old and new versions, as it is very hard to ensure the same iptables version is used inside and outside the container. A test build is available on Docker Hub at geektoor/ipv6nat-devel.

Closes: robbertkl#67
Cc: Phil Sutter <phil@nwl.cc>
Signed-off-by: Sven Michels <michels@redhat.com>
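The matching idea the description lays out, as an added example in Go (it is not the project's manager.go and not the code Phil Sutter contributed): a strict token-by-token rule comparison fails inside the container because the same rule is rendered with 127.0.0.0/32 there, while a comparison that treats the two renderings of the loopback prefix as equivalent succeeds on both dumps. The two iptables-save excerpts, the exact shape of the OUTPUT rule used as the hairpin probe, and all function names are constructed for the example; only the /8 versus /32 difference comes from the PR description.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of `iptables-save -t nat` output on the host (newer iptables).
// The rule shape is assumed for illustration; the 127.0.0.0/8 prefix is the one
// the PR description says the host shows.
const hostDump = `*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
COMMIT
`

// Constructed sample of the same rule as dumped inside the container (older
// iptables): identical rule, but the prefix is rendered as /32.
const containerDump = `*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT ! -d 127.0.0.0/32 -m addrtype --dst-type LOCAL -j DOCKER
COMMIT
`

// hairpinProbe is the rule spec the detection looks for (assumed shape).
var hairpinProbe = []string{
	"-A", "OUTPUT", "!", "-d", "127.0.0.0/8",
	"-m", "addrtype", "--dst-type", "LOCAL", "-j", "DOCKER",
}

// loopbackForms lists the renderings of the loopback prefix that different
// iptables versions produce for the same underlying nft rule.
var loopbackForms = map[string]bool{
	"127.0.0.0/8":  true,
	"127.0.0.0/32": true,
}

// tokensMatch compares one dumped token with one expected token. Only the
// loopback prefix is matched leniently; everything else must be identical.
func tokensMatch(got, want string) bool {
	if got == want {
		return true
	}
	return loopbackForms[want] && loopbackForms[got]
}

// ruleMatches compares an "-A CHAIN ..." line against the expected spec
// using the comparator passed in.
func ruleMatches(line string, want []string, cmp func(got, want string) bool) bool {
	got := strings.Fields(line)
	if len(got) != len(want) {
		return false
	}
	for i := range got {
		if !cmp(got[i], want[i]) {
			return false
		}
	}
	return true
}

// hasRule scans a dump for the expected rule with the given comparator.
func hasRule(dump string, want []string, cmp func(got, want string) bool) bool {
	for _, line := range strings.Split(dump, "\n") {
		if strings.HasPrefix(line, "-A ") && ruleMatches(line, want, cmp) {
			return true
		}
	}
	return false
}

// strictHasRule is the pre-fix behaviour: exact string equality per token.
func strictHasRule(dump string, want []string) bool {
	return hasRule(dump, want, func(got, want string) bool { return got == want })
}

// lenientHasRule is the fixed behaviour: both loopback renderings are accepted.
func lenientHasRule(dump string, want []string) bool {
	return hasRule(dump, want, tokensMatch)
}

func main() {
	fmt.Println("strict, host:      ", strictHasRule(hostDump, hairpinProbe))
	fmt.Println("strict, container: ", strictHasRule(containerDump, hairpinProbe))
	fmt.Println("lenient, host:     ", lenientHasRule(hostDump, hairpinProbe))
	fmt.Println("lenient, container:", lenientHasRule(containerDump, hairpinProbe))
}
```

The lenient comparator is deliberately narrow: it equates only the two known renderings of 127.0.0.0, so an unrelated prefix such as 10.0.0.0/8 still has to match exactly, and a /32 is not silently treated as a /8 anywhere else in the rule.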
Tested with https://hub.docker.com/r/geektoor/ipv6nat-devel in mailcow/mailcow-dockerized#3940 - this PR resolves the issue for me. OS: CentOS-8. Installed Packages
Thanks @geektoor, great to have this fixed! 🎉 I'll take a good look + test soon and get this merged + push out a new release. On non-RH/CentOS systems, where the issue is not present, this fix should not break anything, right? @dragoangel Thanks for confirming the fix works on CentOS 8!
@robbertkl it should not. It's mainly just accepting both possible outputs, the /8 and the /32 netmask. This might happen on other systems as well, as soon as the iptables versions between host and container do not have the same patch implemented. The backport on CentOS/RHEL just made it visible on CentOS/RHEL, but other combos might also cause this.
Thanks :)
@robbertkl can you please tell when your docker image will contain this PR? Thank you in advance. 👍
Yep, I'm building a new release and was gonna comment here, but you're too quick 😄 Still doing some checks and maybe updating some deps, will update when the new release & docker images are up!
Thanks, great