nf_tables preempts iptables

## 2. Core conflict analysis: legacy command vs. NFT kernel

Although your Docker image forces the use of iptables-legacy, how a packet flows through the kernel is decided by which Netfilter hooks are registered in the kernel.

### Why do the legacy commands have no effect?

1. Rules are written successfully, but never invoked: iptables-legacy writes its rules into the kernel's Xtables structures.
2. NFT occupies the hook: in the abnormal environment (jfcs1003), the kernel has loaded nft_compat. This usually means that the host system (or the initialization logic run when the container starts) has already switched the kernel's NAT hook over to the nf_tables engine.
3. Priority difference: when a packet reaches the PREROUTING point, the kernel walks the registered hooks in turn. If the nf_tables hook has the higher priority, or the kernel is configured to support only a single engine, the packet goes straight down the nft path, and the rules you wrote into Xtables through legacy become "dead code".

Normally, when NAT is done with iptables, the loaded modules look like this:


```
▶ lsmod | grep -e ip_tables -e iptable_nat -e iptable_filter
iptable_nat            16384  3
nf_nat                 57344  5 ip6table_nat,xt_nat,openvswitch,iptable_nat,xt_MASQUERADE
iptable_filter         16384  1
ip_tables              36864  4 iptable_filter,iptable_raw,iptable_nat,iptable_mangle
x_tables               61440  20 ip6table_filter,xt_conntrack,iptable_filter,ip6table_nat,xt_tcpudp,xt_addrtype,xt_nat,xt_comment,xt_set,ip6_tables,ipt_REJECT,xt_CT,iptable_raw,ip_tables,iptable_nat,ip6table_mangle,xt_MASQUERADE,ip6t_REJECT,iptable_mangle,xt_mark
```

However, if nft is enabled as well, nft preempts iptables:


```
root@vpc-nat-gw-ns7-bgp-gw-0:/kube-ovn# lsmod | grep -e ip_tables -e iptable_nat -e iptable_filter
iptable_filter         16384  0
iptable_nat            16384  9
nf_nat                 49152  5 xt_nat,openvswitch,nft_chain_nat,iptable_nat,xt_MASQUERADE
ip_tables              32768  3 iptable_filter,iptable_nat,iptable_mangle
x_tables               53248  18 xt_conntrack,iptable_filter,nft_compat,xt_socket,xt_tcpudp,xt_addrtype,xt_nat,xt_comment,xt_set,xt_TPROXY,ipt_REJECT,xt_CT,ip_tables,iptable_nat,xt_MASQUERADE,ip6t_REJECT,iptable_mangle,xt_mark
```

At that point the iptables (legacy) rules have no effect at all:


```
WARN: DEBUG_INFO_BTF_MODULES not enabled, some infomation, such as nf_tables, maybe incorrect
begin trace...
***************** 1edea600,1edea6e0 ***************
[97161.345753] [__tcp_transmit_skb  ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S
[97161.345763] [skb_clone           ] unknow
[97161.345770] [__ip_queue_xmit     ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S
[97161.345772] [__ip_local_out      ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S
[97161.345776] [nf_hook_slow        ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S *ipv4 in chain: OUTPUT*
[97161.345779] [nft_do_chain        ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S *iptables table:raw, chain:OUTPUT*
[97161.345788] [ipt_do_table        ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S *iptables table:mangle, chain:OUTPUT*
[97161.345791] [ipt_do_table        ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S *iptables table:nat, chain:OUTPUT*
[97161.345794] [nft_do_chain        ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S *iptables table:nat, chain:OUTPUT*
[97161.345801] [ipt_do_table        ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S *iptables table:filter, chain:OUTPUT*
[97161.345803] [nft_do_chain        ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S *iptables table:filter, chain:OUTPUT*
[97161.345809] [ip_output           ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S
[97161.345811] [nf_hook_slow        ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S *ipv4 in chain: POST_ROUTING*
[97161.345813] [ipt_do_table        ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S *iptables table:mangle, chain:POST_ROUTING*
[97161.345815] [nft_do_chain        ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S *iptables table:mangle, chain:POSTROU*
[97161.345818] [ipt_do_table        ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S *iptables table:nat, chain:POST_ROUTING*
[97161.345820] [nft_do_chain        ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S *iptables table:nat, chain:POSTROU*
[97161.345829] [ip_finish_output    ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S
[97161.345833] [ip_finish_output2   ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S
[97161.345836] [__dev_queue_xmit    ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S
[97161.345840] [dev_hard_start_xmit ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S *skb is successfully sent to the NIC driver*
[97161.345844] [enqueue_to_backlog  ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S
[97161.345848] [__netif_receive_skb_core] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S
[97161.345852] [tcf_classify        ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S
[97161.345854] [cls_bpf_classify    ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S
[97161.345860] [ip_rcv              ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S
[97161.345862] [ip_rcv_core         ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S
[97161.345866] [nf_hook_slow        ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S *ipv4 in chain: PRE_ROUTING*
[97161.345869] [ip_rcv_finish       ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S
[97161.345872] [ip_route_input_slow ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S
[97161.345877] [fib_validate_source ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S
[97161.345882] [ip_local_deliver    ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S
[97161.345883] [nf_hook_slow        ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S *ipv4 in chain: INPUT*
[97161.345887] [ip_local_deliver_finish] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S
[97161.345890] [tcp_v4_rcv          ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S
[97161.345894] [__inet_lookup_listener] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S
[97161.345899] [tcp_v4_send_reset   ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S
[97161.345938] [kfree_skb           ] TCP: 100.121.68.26:46730 -> 163.142.153.142:8080 seq:3345171504, ack:0, flags:S *reason: NO_SOCKET, tcp_v4_rcv+0x76* *packet is dropped by kernel*
[97161.346030] [__kfree_skb         ] unknow
```
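The two lsmod listings above are the author's way of telling a healthy host from one where nf_tables has taken over the NAT hook. The following added example (not part of the original post) turns that check into a small script that reads lsmod output and reports which NAT engines are registered; the module names come from the listings, and the sample dumps are constructed from them.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: decide from `lsmod` output alone
# which NAT engines are hooked into the kernel, so the same check works on a
# saved dump and on a live host (`lsmod | classify_nat_engines`).
# Module names are the ones visible in the post's own listings:
#   iptable_nat    legacy iptables NAT table is registered
#   nft_chain_nat  an nf_tables NAT chain is registered (shows up as a user of nf_nat)

# Succeed if MODULE is loaded or named in any loaded module's "used by" list.
module_present() {
    # Field 1 is the module name; field 4 is the comma-separated users list.
    awk -v m="$1" '
        $1 == m { found = 1 }
        { n = split($4, u, ","); for (i = 1; i <= n; i++) if (u[i] == m) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Read lsmod output on stdin; print legacy-only, nft-only, both, or none.
# "both" is the conflict case from the post: the two engines share the NAT
# hook, and whichever binds the connection first decides, so legacy rules
# can no longer be assumed to apply.
classify_nat_engines() {
    local dump legacy=0 nft=0
    dump="$(cat)"
    printf '%s\n' "$dump" | module_present iptable_nat   && legacy=1
    printf '%s\n' "$dump" | module_present nft_chain_nat && nft=1
    case "$legacy$nft" in
        10) echo legacy-only ;;
        01) echo nft-only ;;
        11) echo both ;;
        *)  echo none ;;
    esac
}

# Constructed samples, trimmed from the two lsmod listings in the post.
LSMOD_NORMAL='iptable_nat            16384  3
nf_nat                 57344  5 ip6table_nat,xt_nat,openvswitch,iptable_nat,xt_MASQUERADE
ip_tables              36864  4 iptable_filter,iptable_raw,iptable_nat,iptable_mangle'
LSMOD_CONFLICT='iptable_nat            16384  9
nf_nat                 49152  5 xt_nat,openvswitch,nft_chain_nat,iptable_nat,xt_MASQUERADE
x_tables               53248  18 xt_conntrack,iptable_filter,nft_compat,xt_socket,xt_tcpudp'

if [ "${1:-}" = "--demo" ]; then
    printf 'normal host:   %s\n' "$(printf '%s\n' "$LSMOD_NORMAL"   | classify_nat_engines)"
    printf 'conflict host: %s\n' "$(printf '%s\n' "$LSMOD_CONFLICT" | classify_nat_engines)"
fi
```

Run with `--demo` to see the two sample dumps classified, or pipe a live `lsmod` into `classify_nat_engines`; a result of `both` is the state the trace above illustrates.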