What is the purpose of adding iptables to a non-gateway node? #2179

zcz-1020 · 2022-12-07T08:55:58Z

zcz-1020
Dec 7, 2022

The SUBMARINER-POSTROUTING chain is added to the NAT table on non-gateway nodes. I do not understand that cross-cluster traffic between nodes in a cluster is established through vx-submariner, and NAT is not performed. What problem is the SUBMARINER-POSTROUTING chain added to the nat table to solve?

Chain POSTROUTING (policy ACCEPT 219 packets, 13342 bytes)
pkts bytes target prot opt in out source destination
1558K 95M cali-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:O3lYWMrLQYEMJtB5 /
1558K 95M SUBMARINER-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
1558K 95M KUBE-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0 / kubernetes postrouting rules */
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0

sridhargaddam · 2022-12-08T18:49:15Z

sridhargaddam
Dec 8, 2022
Maintainer

Normally the SUBMARINER-POSTROUTING chain has two set of rules.
a. For traffic from pod with HostNetworking enabled (or from the host itself) to remote cluster - a rule to perform SNAT with the cniInterfaceIP of the node.
b. For traffic coming from regular pods scheduled on the node - Rules to allow traffic to remote CIDRs.

Sample output:

Chain SUBMARINER-POSTROUTING (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       10   600 SNAT       all  --  *      vx-submariner  240.0.0.0/8          0.0.0.0/0            to:10.131.0.1
2        0     0 ACCEPT     all  --  *      *       10.131.0.0/16        100.66.0.0/16
3        0     0 ACCEPT     all  --  *      *       100.66.0.0/16        10.131.0.0/16
4       12   720 ACCEPT     all  --  *      *       10.131.0.0/16        10.130.0.0/16
5        0     0 ACCEPT     all  --  *      *       10.130.0.0/16        10.131.0.0/16

In the above output entry number 1 supports the first use-case and the remaining entries support the second use-case.

Looking at the output you shared, I see that you are using Calico CNI. In case of Calico, some of the submariner chains may not be hit as we program Calico IPPools.

1 reply

zcz-1020 Dec 13, 2022
Author

Thank you for your answer. If you have time to check this problem,【 #2121 (comment) 】 ,I think the FORWARD chain of the filter table lacks rules.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

What is the purpose of adding iptables to a non-gateway node? #2179

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

What is the purpose of adding iptables to a non-gateway node? #2179

Uh oh!

zcz-1020 Dec 7, 2022

Replies: 1 comment · 1 reply

Uh oh!

sridhargaddam Dec 8, 2022 Maintainer

Uh oh!

zcz-1020 Dec 13, 2022 Author

zcz-1020
Dec 7, 2022

Replies: 1 comment 1 reply

sridhargaddam
Dec 8, 2022
Maintainer

zcz-1020 Dec 13, 2022
Author