[feature request] `portmap` support `masquerade-all` option
When a k8s cluster uses ipvlan L3/L2, macvlan or another underlay network plugin, the traffic coming back from the pod to the host may not go through conntrack on the host, and cannot be un-SNATed to the host IP which the client requested.
Masquerading all traffic can make sure the pod's reply comes back to the host and goes through conntrack on the host.
I'm having trouble understanding what is going on.
What addresses live where?
@BSWANG can you clarify the diagram? What are 1.1.1.1 and 2.2.2.2?
Is the square a node in a cluster? And are 192.168.0.1 and 0.2 NICs on the node?
Is 10.0.0.1 the container?
In your use-case, what is the source-ip and dest-ip of the incoming packet from client -> pod?
When the pod replies, what is the source-ip and dest-ip of the outgoing packet?
Are you able to give the output of 'ip r' on the host node?
@dcbw @MikeZappa87
Thanks for the reply. I have updated the description for some underlay plugin scenarios.