kubeovn vpc pod 访问自己的 snat 公网 ip 抓包




root@debian:~
▶ k get fip |grep ns8-bgp-gw
ns8-eip-fip   ns8-bgp-eip   192.168.7.2   10.177.0.1          true    ns8-bgp-gw
(v.v)
root@debian:~
▶ k get snat | grep ns8-bgp-gw
ns8-bgp-eip1   ns8-bgp-eip1   192.168.7.3          10.177.0.0/16   ns8-bgp-gw   true
(v.v)
root@debian:~
▶ kgp | grep netshoot
ns7           ns7-netshoot-http-b7rpj                       1/1     Running   0          47m   10.177.0.1        debian   <none>           <none>
ns7           ns7-netshoot1-http-bn99h                      1/1     Running   0          47m   10.177.0.11       debian   <none>           <none>
ns8           ns8-netshoot-http-88fcd                       1/1     Running   0          47m   10.177.0.1        debian   <none>           <none>
ns8           ns8-netshoot1-http-29kwb                      1/1     Running   0          47m   10.177.0.11       debian   <none>           <none>
(v.v)
root@debian:~
▶ kgp | grep ns8-bgp-gw
kube-system   vpc-nat-gw-ns8-bgp-gw-0                       1/1     Running   0          44m   10.177.255.253    debian   <none>           <none>
(v.v)
root@debian:~
▶ k exec -it -n kube-system   vpc-nat-gw-ns8-bgp-gw-0 -- bash
root@vpc-nat-gw-ns8-bgp-gw-0:/kube-ovn#
root@vpc-nat-gw-ns8-bgp-gw-0:/kube-ovn#
root@vpc-nat-gw-ns8-bgp-gw-0:/kube-ovn# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: net1@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 0e:32:45:6b:9a:85 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.7.2/24 scope global net1
       valid_lft forever preferred_lft forever
    inet 192.168.7.3/24 scope global secondary net1
       valid_lft forever preferred_lft forever
    inet6 fe80::c32:45ff:fe6b:9a85/64 scope link
       valid_lft forever preferred_lft forever
37: eth0@if38: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qdisc noqueue state UP group default
    link/ether c2:45:f5:ea:78:4d brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.177.255.253/16 brd 10.177.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::c045:f5ff:feea:784d/64 scope link
       valid_lft forever preferred_lft forever
root@vpc-nat-gw-ns8-bgp-gw-0:/kube-ovn# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.7.1     0.0.0.0         UG    0      0        0 net1
10.96.0.0       10.177.255.254  255.240.0.0     UG    0      0        0 eth0
10.177.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
192.168.6.254   0.0.0.0         255.255.255.255 UH    0      0        0 net1
192.168.7.0     0.0.0.0         255.255.255.0   U     0      0        0 net1
root@vpc-nat-gw-ns8-bgp-gw-0:/kube-ovn# iptables-save
# Generated by iptables-save v1.8.10 (nf_tables) on Tue Feb 24 09:12:14 2026
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [5:348]
:DNAT_FILTER - [0:0]
:EXCLUSIVE_DNAT - [0:0]
:EXCLUSIVE_SNAT - [0:0]
:SHARED_DNAT - [0:0]
:SHARED_SNAT - [0:0]
:SNAT_FILTER - [0:0]
-A PREROUTING -j DNAT_FILTER
-A POSTROUTING -j SNAT_FILTER
-A DNAT_FILTER -j EXCLUSIVE_DNAT
-A DNAT_FILTER -j SHARED_DNAT
-A EXCLUSIVE_DNAT -d 192.168.7.2/32 -j DNAT --to-destination 10.177.0.1
-A EXCLUSIVE_SNAT -s 10.177.0.1/32 -j SNAT --to-source 192.168.7.2
-A SHARED_SNAT -s 10.177.0.0/16 -o net1 -j SNAT --to-source 192.168.7.3 --random-fully
-A SNAT_FILTER -j EXCLUSIVE_SNAT
-A SNAT_FILTER -j SHARED_SNAT
COMMIT
# Completed on Tue Feb 24 09:12:14 2026

抓包


root@vpc-nat-gw-ns8-bgp-gw-0:/kube-ovn# tcpdump -i any  -netvv
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
eth0  In  ifindex 37 5e:b4:00:4f:96:9c ethertype IPv4 (0x0800), length 104: (tos 0x0, ttl 63, id 1122, offset 0, flags [DF], proto ICMP (1), length 84)
    10.177.0.11 > 192.168.7.3: ICMP echo request, id 27, seq 1, length 64
eth0  Out ifindex 37 c2:45:f5:ea:78:4d ethertype IPv4 (0x0800), length 104: (tos 0x0, ttl 64, id 58841, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.7.3 > 10.177.0.11: ICMP echo reply, id 27, seq 1, length 64



⏺ 分析:10.177.0.11 ping SNAT EIP 192.168.7.3

包1 (eth0 In): 10.177.0.11 → 192.168.7.3 ICMP echo request
包2 (eth0 Out): 192.168.7.3 → 10.177.0.11 ICMP echo reply

这直接通了! 原因是 192.168.7.3 是 NAT GW 自己 net1 接口上的本地 IP 地址。包到达 NAT GW 后:

  • DNAT 链没有匹配(EXCLUSIVE_DNAT 只有针对 192.168.7.2 的规则,没有 -d 192.168.7.3 的规则,PREROUTING 阶段不改写目的地址)
  • 目的地址 192.168.7.3 是 NAT GW 本机地址,内核直接走 INPUT 链本地处理
  • 内核回复 echo reply:192.168.7.3 → 10.177.0.11,从 eth0 直接发回;回包源地址 192.168.7.3 既不匹配 EXCLUSIVE_SNAT(-s 10.177.0.1/32),也不匹配 SHARED_SNAT(-s 10.177.0.0/16 -o net1),因此 POSTROUTING 不会再做 SNAT

注意包2 的 TTL 是 64(本机新生成的包),而不是 62(若是经 NAT GW 转发,会在入站 TTL 63 的基础上再减 1),证实了这是 NAT GW 本地回复的。

已经天然就通了,不需要任何改动。