kubeovn vpc pod 访问自己的公网 ip 抓包


结论: 在 FIP(独占 EIP,1:1 NAT)场景下,VPC pod 访问自己的公网 IP 时 ICMP 和 TCP 都没有问题;共享 EIP(SNAT 池 + DNAT 端口映射)场景本文未验证。


root@vpc-nat-gw-ns8-bgp-gw-0:/kube-ovn# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.7.1     0.0.0.0         UG    0      0        0 net1
10.96.0.0       10.177.255.254  255.240.0.0     UG    0      0        0 eth0
10.177.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
192.168.6.254   0.0.0.0         255.255.255.255 UH    0      0        0 net1
192.168.7.0     0.0.0.0         255.255.255.0   U     0      0        0 net1
root@vpc-nat-gw-ns8-bgp-gw-0:/kube-ovn# iptables-save
# Generated by iptables-save v1.8.10 (nf_tables) on Tue Feb 24 08:42:22 2026
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [5:348]
:DNAT_FILTER - [0:0]
:EXCLUSIVE_DNAT - [0:0]
:EXCLUSIVE_SNAT - [0:0]
:SHARED_DNAT - [0:0]
:SHARED_SNAT - [0:0]
:SNAT_FILTER - [0:0]
-A PREROUTING -j DNAT_FILTER
-A POSTROUTING -j SNAT_FILTER
-A DNAT_FILTER -j EXCLUSIVE_DNAT
-A DNAT_FILTER -j SHARED_DNAT
-A EXCLUSIVE_DNAT -d 192.168.7.2/32 -j DNAT --to-destination 10.177.0.1
-A EXCLUSIVE_SNAT -s 10.177.0.1/32 -j SNAT --to-source 192.168.7.2
-A SHARED_SNAT -s 10.177.0.0/16 -o net1 -j SNAT --to-source 192.168.7.3 --random-fully
-A SNAT_FILTER -j EXCLUSIVE_SNAT
-A SNAT_FILTER -j SHARED_SNAT
COMMIT
# Completed on Tue Feb 24 08:42:22 2026
root@vpc-nat-gw-ns8-bgp-gw-0:/kube-ovn# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: net1@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 0e:32:45:6b:9a:85 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.7.2/24 scope global net1
       valid_lft forever preferred_lft forever
    inet 192.168.7.3/24 scope global secondary net1
       valid_lft forever preferred_lft forever
    inet6 fe80::c32:45ff:fe6b:9a85/64 scope link
       valid_lft forever preferred_lft forever
37: eth0@if38: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qdisc noqueue state UP group default
    link/ether c2:45:f5:ea:78:4d brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.177.255.253/16 brd 10.177.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::c045:f5ff:feea:784d/64 scope link
       valid_lft forever preferred_lft forever

抓包(在 NAT 网关 pod 内执行 `tcpdump -i any -netvv`,未加 BPF 过滤;生产环境建议加上 `host 192.168.7.2` 之类的过滤条件,避免把网关上其他无关流量和载荷一并抓下来)



root@vpc-nat-gw-ns8-bgp-gw-0:/kube-ovn# tcpdump -i any  -netvv
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes



eth0  In  ifindex 37 5e:b4:00:4f:96:9c ethertype IPv4 (0x0800), length 104: (tos 0x0, ttl 63, id 37782, offset 0, flags [DF], proto ICMP (1), length 84)
    10.177.0.1 > 192.168.7.2: ICMP echo request, id 25, seq 1, length 64
eth0  Out ifindex 37 c2:45:f5:ea:78:4d ethertype IPv4 (0x0800), length 104: (tos 0x0, ttl 62, id 37782, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.7.2 > 10.177.0.1: ICMP echo request, id 25, seq 1, length 64
eth0  In  ifindex 37 5e:b4:00:4f:96:9c ethertype IPv4 (0x0800), length 104: (tos 0x0, ttl 63, id 37783, offset 0, flags [none], proto ICMP (1), length 84)
    10.177.0.1 > 192.168.7.2: ICMP echo reply, id 25, seq 1, length 64
eth0  Out ifindex 37 c2:45:f5:ea:78:4d ethertype IPv4 (0x0800), length 104: (tos 0x0, ttl 62, id 37783, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.7.2 > 10.177.0.1: ICMP echo reply, id 25, seq 1, length 64
eth0  In  ifindex 37 5e:b4:00:4f:96:9c ethertype IPv4 (0x0800), length 80: (tos 0x0, ttl 63, id 7568, offset 0, flags [DF], proto TCP (6), length 60)
    10.177.0.1.41226 > 192.168.7.2.8080: Flags [S], cksum 0xd487 (correct), seq 3094336312, win 65280, options [mss 1360,sackOK,TS val 67392053 ecr 0,nop,wscale 10], length 0
eth0  Out ifindex 37 c2:45:f5:ea:78:4d ethertype IPv4 (0x0800), length 80: (tos 0x0, ttl 62, id 7568, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.7.2.41226 > 10.177.0.1.8080: Flags [S], cksum 0xd487 (correct), seq 3094336312, win 65280, options [mss 1360,sackOK,TS val 67392053 ecr 0,nop,wscale 10], length 0
eth0  In  ifindex 37 5e:b4:00:4f:96:9c ethertype IPv4 (0x0800), length 80: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    10.177.0.1.8080 > 192.168.7.2.41226: Flags [S.], cksum 0xd28a (incorrect -> 0x5da0), seq 917302319, ack 3094336313, win 64704, options [mss 1360,sackOK,TS val 67392054 ecr 67392053,nop,wscale 10], length 0
eth0  Out ifindex 37 c2:45:f5:ea:78:4d ethertype IPv4 (0x0800), length 80: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.7.2.8080 > 10.177.0.1.41226: Flags [S.], cksum 0xd28a (incorrect -> 0x5da0), seq 917302319, ack 3094336313, win 64704, options [mss 1360,sackOK,TS val 67392054 ecr 67392053,nop,wscale 10], length 0
eth0  In  ifindex 37 5e:b4:00:4f:96:9c ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 63, id 7569, offset 0, flags [DF], proto TCP (6), length 52)
    10.177.0.1.41226 > 192.168.7.2.8080: Flags [.], cksum 0xd282 (incorrect -> 0x888b), seq 1, ack 1, win 64, options [nop,nop,TS val 67392054 ecr 67392054], length 0
eth0  Out ifindex 37 c2:45:f5:ea:78:4d ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 62, id 7569, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.7.2.41226 > 10.177.0.1.8080: Flags [.], cksum 0xd282 (incorrect -> 0x888b), seq 1, ack 1, win 64, options [nop,nop,TS val 67392054 ecr 67392054], length 0
eth0  In  ifindex 37 5e:b4:00:4f:96:9c ethertype IPv4 (0x0800), length 151: (tos 0x0, ttl 63, id 7570, offset 0, flags [DF], proto TCP (6), length 131)
    10.177.0.1.41226 > 192.168.7.2.8080: Flags [P.], cksum 0xd2d1 (incorrect -> 0xeea6), seq 1:80, ack 1, win 64, options [nop,nop,TS val 67392054 ecr 67392054], length 79: HTTP, length: 79
	GET / HTTP/1.1
	Host: 192.168.7.2:8080
	User-Agent: curl/8.7.1
	Accept: */*

eth0  Out ifindex 37 c2:45:f5:ea:78:4d ethertype IPv4 (0x0800), length 151: (tos 0x0, ttl 62, id 7570, offset 0, flags [DF], proto TCP (6), length 131)
    192.168.7.2.41226 > 10.177.0.1.8080: Flags [P.], cksum 0xd2d1 (incorrect -> 0xeea6), seq 1:80, ack 1, win 64, options [nop,nop,TS val 67392054 ecr 67392054], length 79: HTTP, length: 79
	GET / HTTP/1.1
	Host: 192.168.7.2:8080
	User-Agent: curl/8.7.1
	Accept: */*

eth0  In  ifindex 37 5e:b4:00:4f:96:9c ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 63, id 27752, offset 0, flags [DF], proto TCP (6), length 52)
    10.177.0.1.8080 > 192.168.7.2.41226: Flags [.], cksum 0xd282 (incorrect -> 0x883c), seq 1, ack 80, win 64, options [nop,nop,TS val 67392054 ecr 67392054], length 0
eth0  Out ifindex 37 c2:45:f5:ea:78:4d ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 62, id 27752, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.7.2.8080 > 10.177.0.1.41226: Flags [.], cksum 0xd282 (incorrect -> 0x883c), seq 1, ack 80, win 64, options [nop,nop,TS val 67392054 ecr 67392054], length 0
eth0  In  ifindex 37 5e:b4:00:4f:96:9c ethertype IPv4 (0x0800), length 227: (tos 0x0, ttl 63, id 27753, offset 0, flags [DF], proto TCP (6), length 207)
    10.177.0.1.8080 > 192.168.7.2.41226: Flags [P.], cksum 0xd31d (incorrect -> 0x982e), seq 1:156, ack 80, win 64, options [nop,nop,TS val 67392054 ecr 67392054], length 155: HTTP, length: 155
	HTTP/1.0 200 OK
	Server: SimpleHTTP/0.6 Python/3.12.3
	Date: Tue, 24 Feb 2026 09:04:07 GMT
	Content-type: text/html; charset=utf-8
	Content-Length: 187

eth0  Out ifindex 37 c2:45:f5:ea:78:4d ethertype IPv4 (0x0800), length 227: (tos 0x0, ttl 62, id 27753, offset 0, flags [DF], proto TCP (6), length 207)
    192.168.7.2.8080 > 10.177.0.1.41226: Flags [P.], cksum 0xd31d (incorrect -> 0x982e), seq 1:156, ack 80, win 64, options [nop,nop,TS val 67392054 ecr 67392054], length 155: HTTP, length: 155
	HTTP/1.0 200 OK
	Server: SimpleHTTP/0.6 Python/3.12.3
	Date: Tue, 24 Feb 2026 09:04:07 GMT
	Content-type: text/html; charset=utf-8
	Content-Length: 187

eth0  In  ifindex 37 5e:b4:00:4f:96:9c ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 63, id 7571, offset 0, flags [DF], proto TCP (6), length 52)
    10.177.0.1.41226 > 192.168.7.2.8080: Flags [.], cksum 0xd282 (incorrect -> 0x87a1), seq 80, ack 156, win 64, options [nop,nop,TS val 67392054 ecr 67392054], length 0
eth0  Out ifindex 37 c2:45:f5:ea:78:4d ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 62, id 7571, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.7.2.41226 > 10.177.0.1.8080: Flags [.], cksum 0xd282 (incorrect -> 0x87a1), seq 80, ack 156, win 64, options [nop,nop,TS val 67392054 ecr 67392054], length 0
eth0  In  ifindex 37 5e:b4:00:4f:96:9c ethertype IPv4 (0x0800), length 259: (tos 0x0, ttl 63, id 27754, offset 0, flags [DF], proto TCP (6), length 239)
    10.177.0.1.8080 > 192.168.7.2.41226: Flags [P.], cksum 0xd33d (incorrect -> 0x7604), seq 156:343, ack 80, win 64, options [nop,nop,TS val 67392054 ecr 67392054], length 187: HTTP
eth0  Out ifindex 37 c2:45:f5:ea:78:4d ethertype IPv4 (0x0800), length 259: (tos 0x0, ttl 62, id 27754, offset 0, flags [DF], proto TCP (6), length 239)
    192.168.7.2.8080 > 10.177.0.1.41226: Flags [P.], cksum 0xd33d (incorrect -> 0x7604), seq 156:343, ack 80, win 64, options [nop,nop,TS val 67392054 ecr 67392054], length 187: HTTP
eth0  In  ifindex 37 5e:b4:00:4f:96:9c ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 63, id 7572, offset 0, flags [DF], proto TCP (6), length 52)
    10.177.0.1.41226 > 192.168.7.2.8080: Flags [.], cksum 0xd282 (incorrect -> 0x86e6), seq 80, ack 343, win 64, options [nop,nop,TS val 67392054 ecr 67392054], length 0
eth0  Out ifindex 37 c2:45:f5:ea:78:4d ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 62, id 7572, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.7.2.41226 > 10.177.0.1.8080: Flags [.], cksum 0xd282 (incorrect -> 0x86e6), seq 80, ack 343, win 64, options [nop,nop,TS val 67392054 ecr 67392054], length 0
eth0  In  ifindex 37 5e:b4:00:4f:96:9c ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 63, id 27755, offset 0, flags [DF], proto TCP (6), length 52)
    10.177.0.1.8080 > 192.168.7.2.41226: Flags [F.], cksum 0xd282 (incorrect -> 0x86e5), seq 343, ack 80, win 64, options [nop,nop,TS val 67392054 ecr 67392054], length 0
eth0  Out ifindex 37 c2:45:f5:ea:78:4d ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 62, id 27755, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.7.2.8080 > 10.177.0.1.41226: Flags [F.], cksum 0xd282 (incorrect -> 0x86e5), seq 343, ack 80, win 64, options [nop,nop,TS val 67392054 ecr 67392054], length 0
eth0  In  ifindex 37 5e:b4:00:4f:96:9c ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 63, id 7573, offset 0, flags [DF], proto TCP (6), length 52)
    10.177.0.1.41226 > 192.168.7.2.8080: Flags [F.], cksum 0xd282 (incorrect -> 0x86e4), seq 80, ack 344, win 64, options [nop,nop,TS val 67392054 ecr 67392054], length 0
eth0  Out ifindex 37 c2:45:f5:ea:78:4d ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 62, id 7573, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.7.2.41226 > 10.177.0.1.8080: Flags [F.], cksum 0xd282 (incorrect -> 0x86e4), seq 80, ack 344, win 64, options [nop,nop,TS val 67392054 ecr 67392054], length 0
eth0  In  ifindex 37 5e:b4:00:4f:96:9c ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 63, id 27756, offset 0, flags [DF], proto TCP (6), length 52)
    10.177.0.1.8080 > 192.168.7.2.41226: Flags [.], cksum 0xd282 (incorrect -> 0x86e4), seq 344, ack 81, win 64, options [nop,nop,TS val 67392054 ecr 67392054], length 0
eth0  Out ifindex 37 c2:45:f5:ea:78:4d ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 62, id 27756, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.7.2.8080 > 10.177.0.1.41226: Flags [.], cksum 0xd282 (incorrect -> 0x86e4), seq 344, ack 81, win 64, options [nop,nop,TS val 67392054 ecr 67392054], length 0


实测数据很清楚:TCP 三次握手、完整的 HTTP 请求/响应(`GET /` → `HTTP/1.0 200 OK`)以及随后的 FIN 挥手都通了。抓包中 tcpdump 标注的 `cksum ... (incorrect -> ...)` 通常是 veth 等虚拟网卡开启校验和卸载后,内核抓包点尚未填入校验和所致,不代表报文损坏。我之前关于 TCP 不通的判断是错误的。

修正分析

TCP 能通的原因是:conntrack 在这个"反弹"路径下工作得很好。看 TCP 三次握手:

SYN: 10.177.0.1:41226 → 192.168.7.2:8080 (进入 NAT GW) DNAT+SNAT 后: 192.168.7.2:41226 → 10.177.0.1:8080 (发回内网)

SYN-ACK: 10.177.0.1:8080 → 192.168.7.2:41226 (回到 NAT GW) conntrack 反转: 192.168.7.2:8080 → 10.177.0.1:41226 (发回内网)

ACK: 10.177.0.1:41226 → 192.168.7.2:8080 (同上)

conntrack 把这当成一个正常的连接在跟踪:DNAT+SNAT 的源/目的互换是确定性的、对称的,回包命中的是同一条 conntrack 记录的 reply 方向并被反向还原,所以 TCP 状态机没有问题;端口号也被原样保留(SNAT 规则没有指定 --to-ports,无冲突时不改端口)。这里有一个关键前提:`EXCLUSIVE_SNAT` 规则(`-s 10.177.0.1/32 -j SNAT --to-source 192.168.7.2`)没有像 `SHARED_SNAT` 那样限制 `-o net1`,所以从 eth0 原路"反弹"回内网的报文同样被改写成源 192.168.7.2(抓包中 eth0 Out 的 `192.168.7.2.41226 > 10.177.0.1.8080` 即是)。若没有这一步,回包就不会再经过网关做反向 NAT,客户端收到的源地址与其期望的 192.168.7.2 不符,连接很可能被 RST。副作用是服务端看到的客户端地址是自己的 EIP 192.168.7.2,而不是真实的 pod IP,基于源地址的访问日志或 ACL 需要留意这一点。

结论

场景(FIP pod 访问自己的 EIP)在当前规则下已经完全工作,ICMP 和 TCP 都通。"反弹"路径每个方向都多经过一次网关转发(抓包中 ttl 63 → 62 可见),一个来回多 2 跳延迟,但功能上没有问题,conntrack 处理得很好。需要说明的是,本次验证只覆盖独占 EIP(FIP,1:1 NAT)的情况:`SHARED_SNAT` 规则带有 `-o net1` 限制,且 `SHARED_DNAT` 链当前为空,所以共享 EIP + DNAT 端口映射的"反弹"路径并未被本次抓包验证,不能直接套用本结论。