Tracing Kubernetes networking through the iptables log
If you are debugging iptables, it is handy to be able to trace packets as they traverse the various chains. I was trying to find out why port forwarding from the external NIC to a virtual machine attached to a virtual bridge device was not working.
You need to perform the following preparations:
Load the (IPv4) netfilter log kernel module:
# modprobe nf_log_ipv4
Enable logging for the IPv4 (AF Family 2):
# sysctl net.netfilter.nf_log.2=nf_log_ipv4
Reconfigure rsyslogd to log kernel messages (kern.*) to /var/log/messages:
# cat /etc/rsyslog.conf | grep -e "^kern"
kern.*;*.info;mail.none;authpriv.none;cron.none /var/log/messages
[root@centos7 ~]# cat /etc/rsyslog.conf | grep -e "^kern"
kern.* /var/log/kern.debug.log
[root@centos7 ~]#
Restart rsyslogd:
# systemctl restart rsyslog
Now check the raw tables – you’ll see that there are already entries coming from firewalld:
# iptables -t raw -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
PREROUTING_direct all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- anywhere anywhere
Chain OUTPUT_direct (1 references)
target prot opt source destination
Chain PREROUTING_direct (1 references)
target prot opt source destination
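We’ll want to add our tracing rules before the existing rules. In this example we’ll trace everything related to HTTP (port 80).
Defining the iptables trace rules
The rules go into the PREROUTING and OUTPUT chains of the raw table. The TRACE target records every matching packet in the logging backend. The trailing 1 is the rule number: if a rule numbered 1 already exists, the new rule is inserted in front of it and the numbers of all following rules are increased by one.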
# iptables -t raw -j TRACE -p tcp --dport 80 -I PREROUTING 1
# iptables -t raw -j TRACE -p tcp --dport 80 -I OUTPUT 1
iptables -t raw -A PREROUTING -p icmp -j TRACE
iptables -t raw -A OUTPUT -p icmp -j TRACE
The rules now look as follows:
# iptables -t raw -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
TRACE tcp -- anywhere anywhere tcp dpt:http
PREROUTING_direct all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
TRACE tcp -- anywhere anywhere tcp dpt:http
OUTPUT_direct all -- anywhere anywhere
Chain OUTPUT_direct (1 references)
target prot opt source destination
Chain PREROUTING_direct (1 references)
target prot opt source destination


Ping between pods in two different namespaces


The public network is unreachable as well
root@ubuntu:~/go_learn/example.com/hello# kubectl exec -it calico1-busybox -n ns-calico1 -- ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
command terminated with exit code 1
root@ubuntu:~/tenant# kubectl exec -it calico1-busybox -n ns-calico1 -- ping 10.244.129.131
PING 10.244.129.131 (10.244.129.131): 56 data bytes
^C
--- 10.244.129.131 ping statistics ---
12 packets transmitted, 0 packets received, 100% packet loss
command terminated with exit code 1
root@ubuntu:~/tenant# kubectl exec -it calico1-busybox -n ns-calico1 -- wget http://10.244.129.131:80
Connecting to 10.244.129.131:80 (10.244.129.131:80)
wget: can't connect to remote host (10.244.129.131): Connection timed out
command terminated with exit code 1
root@ubuntu:~/tenant#
[root@centos7 ~]# tail -f /var/log/kern.debug.log
Jul 15 05:33:49 centos7 kernel: TRACE: filter:cali-FORWARD:rule:1 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=38292 DF PROTO=TCP SPT=50172 DPT=80 SEQ=2295767305 ACK=0 WINDOW=28800 RES=0x00 SYN URGP=0 OPT (020405A00402080A4F04861E0000000001030307) MARK=0x40000
Jul 15 05:33:49 centos7 kernel: TRACE: filter:cali-FORWARD:rule:2 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=38292 DF PROTO=TCP SPT=50172 DPT=80 SEQ=2295767305 ACK=0 WINDOW=28800 RES=0x00 SYN URGP=0 OPT (020405A00402080A4F04861E0000000001030307)
Jul 15 05:33:50 centos7 kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=38292 DF PROTO=TCP SPT=50172 DPT=80 SEQ=2295767305 ACK=0 WINDOW=28800 RES=0x00 SYN URGP=0 OPT (020405A00402080A4F04861E0000000001030307)
Jul 15 05:33:50 centos7 kernel: TRACE: filter:cali-FORWARD:rule:3 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=38292 DF PROTO=TCP SPT=50172 DPT=80 SEQ=2295767305 ACK=0 WINDOW=28800 RES=0x00 SYN URGP=0 OPT (020405A00402080A4F04861E0000000001030307)
Jul 15 05:33:50 centos7 kernel: TRACE: filter:cali-from-wl-dispatch:rule:2 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=38292 DF PROTO=TCP SPT=50172 DPT=80 SEQ=2295767305 ACK=0 WINDOW=28800 RES=0x00 SYN URGP=0 OPT (020405A00402080A4F04861E0000000001030307)
Jul 15 05:33:50 centos7 kernel: TRACE: filter:cali-fw-cali2769e3081b5:rule:3 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=38292 DF PROTO=TCP SPT=50172 DPT=80 SEQ=2295767305 ACK=0 WINDOW=28800 RES=0x00 SYN URGP=0 OPT (020405A00402080A4F04861E0000000001030307)
Jul 15 05:33:50 centos7 kernel: TRACE: filter:cali-fw-cali2769e3081b5:rule:6 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=38292 DF PROTO=TCP SPT=50172 DPT=80 SEQ=2295767305 ACK=0 WINDOW=28800 RES=0x00 SYN URGP=0 OPT (020405A00402080A4F04861E0000000001030307)
Jul 15 05:33:50 centos7 kernel: TRACE: filter:cali-fw-cali2769e3081b5:rule:7 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=38292 DF PROTO=TCP SPT=50172 DPT=80 SEQ=2295767305 ACK=0 WINDOW=28800 RES=0x00 SYN URGP=0 OPT (020405A00402080A4F04861E0000000001030307)
Jul 15 05:33:50 centos7 kernel: TRACE: filter:cali-po-_2Wxn51hylsXDhXiIl9a:return:3 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=38292 DF PROTO=TCP SPT=50172 DPT=80 SEQ=2295767305 ACK=0 WINDOW=28800 RES=0x00 SYN URGP=0 OPT (020405A00402080A4F04861E0000000001030307)
Jul 15 05:33:50 centos7 kernel: TRACE: filter:cali-fw-cali2769e3081b5:rule:9 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=38292 DF PROTO=TCP SPT=50172 DPT=80 SEQ=2295767305 ACK=0 WINDOW=28800 RES=0x00 SYN URGP=0 OPT (020405A00402080A4F04861E0000000001030307)
^C
[root@centos7 ~]#
tcpdump

Pod distribution
[root@centos7 ~]# kubectl get pods -n ns-calico1 -o wide
NAME                             READY   STATUS    RESTARTS   AGE   IP               NODE      NOMINATED NODE   READINESS GATES
calico1-busybox                  1/1     Running   27         27h   10.244.129.130   centos7   <none>           <none>
calico1-nginx-688fdbb89b-vctjv   1/1     Running   0          45h   10.244.29.18     bogon     <none>           <none>
[root@centos7 ~]# kubectl get pods -n ns-calico2 -o wide
NAME                             READY   STATUS    RESTARTS   AGE   IP               NODE      NOMINATED NODE   READINESS GATES
calico2-busybox                  1/1     Running   45         45h   10.244.29.12     bogon     <none>           <none>
calico2-nginx-76fd9968f4-svfmt   1/1     Running   0          21h   10.244.129.131   centos7   <none>           <none>
[root@centos7 ~]#
[root@centos7 ~]# tail -f /var/log/kern.debug.log
Jul 15 05:41:43 centos7 kernel: TRACE: filter:cali-FORWARD:rule:1 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=14574 DF PROTO=TCP SPT=51376 DPT=80 SEQ=4026127701 ACK=0 WINDOW=28800 RES=0x00 SYN URGP=0 OPT (020405A00402080A4F0BC0170000000001030307) MARK=0x40000
Jul 15 05:41:43 centos7 kernel: TRACE: filter:cali-FORWARD:rule:2 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=14574 DF PROTO=TCP SPT=51376 DPT=80 SEQ=4026127701 ACK=0 WINDOW=28800 RES=0x00 SYN URGP=0 OPT (020405A00402080A4F0BC0170000000001030307)
Jul 15 05:41:43 centos7 kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=14574 DF PROTO=TCP SPT=51376 DPT=80 SEQ=4026127701 ACK=0 WINDOW=28800 RES=0x00 SYN URGP=0 OPT (020405A00402080A4F0BC0170000000001030307)
Jul 15 05:41:43 centos7 kernel: TRACE: filter:cali-FORWARD:rule:3 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=14574 DF PROTO=TCP SPT=51376 DPT=80 SEQ=4026127701 ACK=0 WINDOW=28800 RES=0x00 SYN URGP=0 OPT (020405A00402080A4F0BC0170000000001030307)
Jul 15 05:41:43 centos7 kernel: TRACE: filter:cali-from-wl-dispatch:rule:2 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=14574 DF PROTO=TCP SPT=51376 DPT=80 SEQ=4026127701 ACK=0 WINDOW=28800 RES=0x00 SYN URGP=0 OPT (020405A00402080A4F0BC0170000000001030307)
Jul 15 05:41:43 centos7 kernel: TRACE: filter:cali-fw-cali2769e3081b5:rule:3 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=14574 DF PROTO=TCP SPT=51376 DPT=80 SEQ=4026127701 ACK=0 WINDOW=28800 RES=0x00 SYN URGP=0 OPT (020405A00402080A4F0BC0170000000001030307)
Jul 15 05:41:43 centos7 kernel: TRACE: filter:cali-fw-cali2769e3081b5:rule:6 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=14574 DF PROTO=TCP SPT=51376 DPT=80 SEQ=4026127701 ACK=0 WINDOW=28800 RES=0x00 SYN URGP=0 OPT (020405A00402080A4F0BC0170000000001030307)
Jul 15 05:41:43 centos7 kernel: TRACE: filter:cali-fw-cali2769e3081b5:rule:7 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=14574 DF PROTO=TCP SPT=51376 DPT=80 SEQ=4026127701 ACK=0 WINDOW=28800 RES=0x00 SYN URGP=0 OPT (020405A00402080A4F0BC0170000000001030307)
Jul 15 05:41:43 centos7 kernel: TRACE: filter:cali-po-_2Wxn51hylsXDhXiIl9a:return:3 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=14574 DF PROTO=TCP SPT=51376 DPT=80 SEQ=4026127701 ACK=0 WINDOW=28800 RES=0x00 SYN URGP=0 OPT (020405A00402080A4F0BC0170000000001030307)
Jul 15 05:41:43 centos7 kernel: TRACE: filter:cali-fw-cali2769e3081b5:rule:9 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=14574 DF PROTO=TCP SPT=51376 DPT=80 SEQ=4026127701 ACK=0 WINDOW=28800 RES=0x00 SYN URGP=0 OPT (020405A00402080A4F0BC0170000000001030307)
^C
[root@centos7 ~]# ip a sh cali347b41e63b1
27: cali347b41e63b1@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP group default
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 2
    inet6 fe80::ecee:eeff:feee:eeee/64 scope link
       valid_lft forever preferred_lft forever
[root@centos7 ~]# ip a sh cali2769e3081b5
26: cali2769e3081b5@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP group default
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::ecee:eeff:feee:eeee/64 scope link
       valid_lft forever preferred_lft forever
Devices: IN=cali2769e3081b5 OUT=cali347b41e63b1
[root@centos7 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.10.16.254    0.0.0.0         UG    0      0        0 enp125s0f0
10.10.16.0      0.0.0.0         255.255.255.0   U     0      0        0 enp125s0f0
10.10.102.0     0.0.0.0         255.255.255.0   U     0      0        0 enp6s0
10.244.2.0      10.10.16.47     255.255.255.0   UG    0      0        0 tunl0
10.244.29.0     10.10.16.81     255.255.255.192 UG    0      0        0 tunl0
10.244.41.0     10.10.16.47     255.255.255.192 UG    0      0        0 tunl0
10.244.129.128  0.0.0.0         255.255.255.192 U     0      0        0 *
10.244.129.129  0.0.0.0         255.255.255.255 UH    0      0        0 cali06a2cdc2c69
10.244.129.130  0.0.0.0         255.255.255.255 UH    0      0        0 cali2769e3081b5
10.244.129.131  0.0.0.0         255.255.255.255 UH    0      0        0 cali347b41e63b1
10.244.243.192  10.10.16.82     255.255.255.192 UG    0      0        0 tunl0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
Chain cali-tw-cali2769e3081b5 (1 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:wgG7MvXWzn9sdmn2 */ ctstate RELATED,ESTABLISHED
2 DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:-tjR5fZvLFrq_iri */ ctstate INVALID
3 MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:3Bon-siFWHMEmpP- */ MARK and 0xfffeffff
4 MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:rXI1s62ODzmceedz */ /* Start of policies */ MARK and 0xfffdffff
5 cali-pi-_ro89733SpIyAzMkuOSY all -- 0.0.0.0/0 0.0.0.0/0 /* cali:_q6zxjzrfnhrhDqB */ mark match 0x0/0x20000
6 RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:XS6RM7LrFeJ9TQXP */ /* Return if policy accepted */ mark match 0x10000/0x10000
7 cali-pi-_2Wxn51hylsXDhXiIl9a all -- 0.0.0.0/0 0.0.0.0/0 /* cali:JHdbuhecs1h2Q06M */ mark match 0x0/0x20000
8 RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:qSQHX9dgNt6V-PQ7 */ /* Return if policy accepted */ mark match 0x10000/0x10000
9 DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:g0CtOwf4HucpVF97 */ /* Drop if no policies passed packet */ mark match 0x0/0x20000
10 cali-pri-kns.ns-calico1 all -- 0.0.0.0/0 0.0.0.0/0 /* cali:BmZ4QzFT6N-drKkS */
11 RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:1rMno4eYVMLOPmTp */ /* Return if profile accepted */ mark match 0x10000/0x10000
12 cali-pri-_8Cq7uSyTGAC1eyOT4n all -- 0.0.0.0/0 0.0.0.0/0 /* cali:noc8BDMl14DoNhmc */
13 RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:cIh-bAHE8Nxnt4OO */ /* Return if profile accepted */ mark match 0x10000/0x10000
14 DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:gTCap-VBTff9Gh95 */ /* Drop if no profiles matched */

[root@centos7 ~]# iptables --list-rules cali-fw-cali2769e3081b5
-N cali-fw-cali2769e3081b5
-A cali-fw-cali2769e3081b5 -m comment --comment "cali:0yLw0AQla-amzC6L" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali2769e3081b5 -m comment --comment "cali:GbLMFm3sFhvtdaYu" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali2769e3081b5 -m comment --comment "cali:MU_GaIe-6dfIb_8z" -j MARK --set-xmark 0x0/0x10000
-A cali-fw-cali2769e3081b5 -p udp -m comment --comment "cali:vEU9xJVviqWG5k8g" -m comment --comment "Drop VXLAN encapped packets originating in workloads" -m multiport --dports 4789 -j DROP
-A cali-fw-cali2769e3081b5 -p ipv4 -m comment --comment "cali:epMeJxcxi2dSofno" -m comment --comment "Drop IPinIP encapped packets originating in workloads" -j DROP
-A cali-fw-cali2769e3081b5 -m comment --comment "cali:jJWF6vZOwm-KuHZK" -m comment --comment "Start of policies" -j MARK --set-xmark 0x0/0x20000
-A cali-fw-cali2769e3081b5 -m comment --comment "cali:zb15r6P5gLLWClZH" -m mark --mark 0x0/0x20000 -j cali-po-_2Wxn51hylsXDhXiIl9a
-A cali-fw-cali2769e3081b5 -m comment --comment "cali:__SxpcaJUmWRCGYA" -m comment --comment "Return if policy accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-fw-cali2769e3081b5 -m comment --comment "cali:Xsu-8UCzhcMc_uYL" -m comment --comment "Drop if no policies passed packet" -m mark --mark 0x0/0x20000 -j DROP
-A cali-fw-cali2769e3081b5 -m comment --comment "cali:odlnhJlb5xUTK-rk" -j cali-pro-kns.ns-calico1
-A cali-fw-cali2769e3081b5 -m comment --comment "cali:UOsG0_K4q2ZOnDPY" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-fw-cali2769e3081b5 -m comment --comment "cali:b6JiRwMqilVCJdw_" -j cali-pro-_8Cq7uSyTGAC1eyOT4n
-A cali-fw-cali2769e3081b5 -m comment --comment "cali:fLa0XTPX7g6CH8BB" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-fw-cali2769e3081b5 -m comment --comment "cali:3ozn9sHW6I7ZL4mP" -m comment --comment "Drop if no profiles matched" -j DROP
[root@centos7 ~]# iptables --list-rules cali-po-_2Wxn51hylsXDhXiIl9a
-N cali-po-_2Wxn51hylsXDhXiIl9a
-A cali-po-_2Wxn51hylsXDhXiIl9a -m comment --comment "cali:ybbuHrSCdNqBk27r" -m set --match-set cali40s:jmjSdQKnfl0G-0h1JJpU-UZ dst -j MARK --set-xmark 0x10000/0x10000
-A cali-po-_2Wxn51hylsXDhXiIl9a -m comment --comment "cali:tv1ZCdSgkIH2KzZR" -m mark --mark 0x10000/0x10000 -j RETURN
Walking through the rule matching
1. "Start of policies" -j MARK --set-xmark 0x0/0x20000
2. -m mark --mark 0x0/0x20000 -j cali-po-_2Wxn51hylsXDhXiIl9a
Jump to cali-po-_2Wxn51hylsXDhXiIl9a
[root@centos7 ~]# iptables --list-rules cali-po-_2Wxn51hylsXDhXiIl9a
-N cali-po-_2Wxn51hylsXDhXiIl9a
-A cali-po-_2Wxn51hylsXDhXiIl9a -m comment --comment "cali:ybbuHrSCdNqBk27r" -m set --match-set cali40s:jmjSdQKnfl0G-0h1JJpU-UZ dst -j MARK --set-xmark 0x10000/0x10000
-A cali-po-_2Wxn51hylsXDhXiIl9a -m comment --comment "cali:tv1ZCdSgkIH2KzZR" -m mark --mark 0x10000/0x10000 -j RETURN
[root@centos7 ~]# ipset list cali40s:jmjSdQKnfl0G-0h1JJpU-UZ
Name: cali40s:jmjSdQKnfl0G-0h1JJpU-UZ
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 1048576
Size in memory: 472
References: 2
Number of entries: 2
Members:
10.244.29.18
10.244.129.130
3. If the destination IP is 10.244.29.18 or 10.244.129.130 the mark is changed; otherwise it is left unchanged and the packet is later dropped by
--mark 0x0/0x20000 -j DROP
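The manual lookup above (take the last TRACE record of the packet, then find that rule number in the chain listing) can be scripted. The following Python is an added example, not part of the original post; the sample trace and rule lines are abridged from the output on this page (MAC, TCP option and cali: comment fields removed) and the function names are hypothetical.

```python
import re
import shlex

# Kernel TRACE prefix: "TRACE: table:chain:type:rulenum", type = rule | return | policy
TRACE_RE = re.compile(
    r"TRACE: (?P<table>[^:\s]+):(?P<chain>[^:\s]+):"
    r"(?P<kind>rule|return|policy):(?P<num>\d+)\s+(?P<rest>.*)"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Sample input, abridged from the first trace on this page.
PKT = ("IN=cali2769e3081b5 OUT=cali347b41e63b1 SRC=10.244.129.130 "
       "DST=10.244.129.131 ID=38292 DF PROTO=TCP SPT=50172 DPT=80")
SAMPLE_TRACE = [
    f"Jul 15 05:33:50 centos7 kernel: TRACE: filter:{hop} {PKT}"
    for hop in (
        "cali-from-wl-dispatch:rule:2",
        "cali-fw-cali2769e3081b5:rule:3",
        "cali-fw-cali2769e3081b5:rule:6",
        "cali-fw-cali2769e3081b5:rule:7",
        "cali-po-_2Wxn51hylsXDhXiIl9a:return:3",
        "cali-fw-cali2769e3081b5:rule:9",
    )
]

# Sample input, abridged from `iptables --list-rules cali-fw-cali2769e3081b5`.
SAMPLE_RULES = """\
-N cali-fw-cali2769e3081b5
-A cali-fw-cali2769e3081b5 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali2769e3081b5 -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali2769e3081b5 -j MARK --set-xmark 0x0/0x10000
-A cali-fw-cali2769e3081b5 -p udp -m comment --comment "Drop VXLAN encapped packets originating in workloads" -m multiport --dports 4789 -j DROP
-A cali-fw-cali2769e3081b5 -p ipv4 -m comment --comment "Drop IPinIP encapped packets originating in workloads" -j DROP
-A cali-fw-cali2769e3081b5 -m comment --comment "Start of policies" -j MARK --set-xmark 0x0/0x20000
-A cali-fw-cali2769e3081b5 -m mark --mark 0x0/0x20000 -j cali-po-_2Wxn51hylsXDhXiIl9a
-A cali-fw-cali2769e3081b5 -m comment --comment "Return if policy accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-fw-cali2769e3081b5 -m comment --comment "Drop if no policies passed packet" -m mark --mark 0x0/0x20000 -j DROP
"""


def parse_trace(lines):
    """Turn kernel log lines into a list of TRACE hops; other lines are skipped."""
    hops = []
    for line in lines:
        m = TRACE_RE.search(line)
        if m is None:
            continue
        fields = {}
        for key, value in FIELD_RE.findall(m.group("rest")):
            # ICMP records carry ID= twice (IP ID, then ICMP ID): keep the first.
            fields.setdefault(key, value)
        hops.append({"table": m.group("table"), "chain": m.group("chain"),
                     "kind": m.group("kind"), "num": int(m.group("num")),
                     "fields": fields})
    return hops


def packet_paths(lines):
    """Group hops per packet, keyed by (SRC, DST, PROTO, IP ID), in log order."""
    paths = {}
    for hop in parse_trace(lines):
        f = hop["fields"]
        key = (f.get("SRC"), f.get("DST"), f.get("PROTO"), f.get("ID"))
        paths.setdefault(key, []).append(hop)
    return paths


def rule_at(listing, chain, num):
    """Return the num-th '-A <chain>' line of an `iptables -S` style listing."""
    rules = [l for l in listing.splitlines() if l.split()[:2] == ["-A", chain]]
    return rules[num - 1] if 1 <= num <= len(rules) else None


def target_of(rule):
    """Extract the -j / -g target of a rule line (quoted comments stay one token)."""
    tokens = shlex.split(rule)
    for flag in ("-j", "-g"):
        if flag in tokens:
            return tokens[tokens.index(flag) + 1]
    return None


def final_verdicts(lines, listing):
    """Map each packet to (its last TRACE hop, the target of that rule if listed)."""
    result = {}
    for key, hops in packet_paths(lines).items():
        last = hops[-1]
        rule = rule_at(listing, last["chain"], last["num"]) if last["kind"] == "rule" else None
        label = f'{last["table"]}:{last["chain"]}:{last["kind"]}:{last["num"]}'
        result[key] = (label, target_of(rule) if rule else None)
    return result


if __name__ == "__main__":
    for pkt, (hop, target) in final_verdicts(SAMPLE_TRACE, SAMPLE_RULES).items():
        print(pkt, "last hop:", hop, "target:", target)
```

TRACE logs only the rules a packet matched, so for a packet that never arrives the last record names the rule that discarded it; here that is rule 9 of cali-fw-cali2769e3081b5, the "Drop if no policies passed packet" rule.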
[root@centos7 ~]# iptables -L cali-tw-cali347b41e63b1 -n -v -t filter
Chain cali-tw-cali347b41e63b1 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:u0hVnh5fm3T2AkOq */ ctstate RELATED,ESTABLISHED
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:VWVsvumIyL4SffgY */ ctstate INVALID
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:21qeoTAirh5QEHbL */ MARK and 0xfffeffff
0 0 cali-pri-kns.ns-calico2 all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:AMHrY8VlSdnFJGdN */
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:O4lkuz7AJx-k17vj */ /* Return if profile accepted */ mark match 0x10000/0x10000
0 0 cali-pri-_LhcX5BaXU_QdrISzV6 all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:jRBilnU5snlP7D-T */
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:0n2eBCTGz5_QEMDg */ /* Return if profile accepted */ mark match 0x10000/0x10000
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:kNTv2E1JYbb2T2PY */ /* Drop if no profiles matched */
[root@centos7 ~]# iptables -S -t filter | grep cali-sm-cali347b41e63b1
-N cali-sm-cali347b41e63b1
-A cali-set-endpoint-mark -i cali347b41e63b1 -m comment --comment "cali:3HLGHQu2hOpSeGrq" -g cali-sm-cali347b41e63b1
-A cali-sm-cali347b41e63b1 -m comment --comment "cali:slhkKojdBlRXinvp" -j MARK --set-xmark 0xaa200000/0xfff00000
[root@centos7 ~]#
[root@centos7 ~]# iptables -L cali-tw-cali347b41e63b1 -n -v -t filter --line-number
Chain cali-tw-cali347b41e63b1 (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:u0hVnh5fm3T2AkOq */ ctstate RELATED,ESTABLISHED
2 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:VWVsvumIyL4SffgY */ ctstate INVALID
3 0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:21qeoTAirh5QEHbL */ MARK and 0xfffeffff
4 0 0 cali-pri-kns.ns-calico2 all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:AMHrY8VlSdnFJGdN */
5 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:O4lkuz7AJx-k17vj */ /* Return if profile accepted */ mark match 0x10000/0x10000
6 0 0 cali-pri-_LhcX5BaXU_QdrISzV6 all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:jRBilnU5snlP7D-T */
7 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:0n2eBCTGz5_QEMDg */ /* Return if profile accepted */ mark match 0x10000/0x10000
8 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:kNTv2E1JYbb2T2PY */ /* Drop if no profiles matched */
[root@centos7 ~]#
ipset match-set
[root@centos7 ~]# iptables -S -t filter | grep match-set
-A cali-INPUT -p ipv4 -m comment --comment "cali:PajejrV4aFdkZojI" -m comment --comment "Allow IPIP packets from Calico hosts" -m set --match-set cali40all-hosts-net src -m addrtype --dst-type LOCAL -j ACCEPT
-A cali-OUTPUT -p ipv4 -m comment --comment "cali:AJBkLho_0Qd8LNr3" -m comment --comment "Allow IPIP packets to other Calico hosts" -m set --match-set cali40all-hosts-net dst -m addrtype --src-type LOCAL -j ACCEPT
-A cali-forward-check -p tcp -m comment --comment "cali:ZD-6UxuUtGW-xtzg" -m comment --comment "To kubernetes NodePort service" -m multiport --dports 30000:32767 -m set --match-set cali40this-host dst -g cali-set-endpoint-mark
-A cali-forward-check -p udp -m comment --comment "cali:CbPfUajQ2bFVnDq4" -m comment --comment "To kubernetes NodePort service" -m multiport --dports 30000:32767 -m set --match-set cali40this-host dst -g cali-set-endpoint-mark
-A cali-forward-check -m comment --comment "cali:jmhU0ODogX-Zfe5g" -m comment --comment "To kubernetes service" -m set ! --match-set cali40this-host dst -j cali-set-endpoint-mark
-A cali-pi-_2Wxn51hylsXDhXiIl9a -m comment --comment "cali:Bmi0mgxWwV1qeW6x" -m set --match-set cali40s:jmjSdQKnfl0G-0h1JJpU-UZ src -j MARK --set-xmark 0x10000/0x10000
-A cali-po-_2Wxn51hylsXDhXiIl9a -m comment --comment "cali:ybbuHrSCdNqBk27r" -m set --match-set cali40s:jmjSdQKnfl0G-0h1JJpU-UZ dst -j MARK --set-xmark 0x10000/0x10000
[root@centos7 ~]# ipset list cali40s:jmjSdQKnfl0G-0h1JJpU-UZ
Name: cali40s:jmjSdQKnfl0G-0h1JJpU-UZ
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 1048576
Size in memory: 472
References: 2
Number of entries: 2
Members:
10.244.29.18
10.244.129.130
[root@centos7 ~]# kubectl get pods -n ns-calico1 -o wide
NAME                             READY   STATUS    RESTARTS   AGE   IP               NODE      NOMINATED NODE   READINESS GATES
calico1-busybox                  1/1     Running   23         23h   10.244.129.130   centos7   <none>           <none>
calico1-nginx-688fdbb89b-vctjv   1/1     Running   0          41h   10.244.29.18     bogon     <none>           <none>
[root@centos7 ~]# kubectl get pods -n ns-calico2 -o wide
NAME                             READY   STATUS    RESTARTS   AGE   IP               NODE      NOMINATED NODE   READINESS GATES
calico2-busybox                  1/1     Running   41         41h   10.244.29.12     bogon     <none>           <none>
calico2-nginx-76fd9968f4-svfmt   1/1     Running   0          17h   10.244.129.131   centos7   <none>           <none>
[root@centos7 ~]# ipset list cali40this-host
Name: cali40this-host
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 1048576
Size in memory: 424
References: 3
Number of entries: 7
Members:
10.244.129.128
127.0.0.0
10.10.102.251
10.10.16.251
172.17.0.1
10.10.16.249
127.0.0.1
[root@centos7 ~]# ipset list cali40all-hosts-net
Name: cali40all-hosts-net
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 1048576
Size in memory: 600
References: 2
Number of entries: 4
Members:
10.10.16.251
10.10.16.82
10.10.16.81
10.10.16.47
[root@centos7 ~]#
[root@centos7 ~]# ipset list | grep cali40s:jmjSdQKnfl0G-0h1JJpU-UZ -A 20
Name: cali40s:jmjSdQKnfl0G-0h1JJpU-UZ
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 1048576
Size in memory: 472
References: 2
Number of entries: 2
Members:
10.244.29.18
10.244.129.130
[root@centos7 ~]#
ipset mark
ipset -N blocked_sites iphash
ipset -A blocked_sites badsite1.com
ipset -A blocked_sites badsite2.com
ipset -A blocked_sites badsite3.com
iptables -I FORWARD -m mark --mark 0x187 -j DROP
iptables -I FORWARD \
-m mark --mark 0x187 \
-m mac --mac-source 11:11:11:11:11:11 \
-j MARK --set-mark 0x0
iptables -I FORWARD \
-m mark --mark 0x187 \
-m mac --mac-source 22:22:22:22:22:22 \
-j MARK --set-mark 0x0
iptables -I FORWARD \
  -m set --match-set blocked_sites dst \
  -j MARK --set-mark 0x187
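As you can see, because ipset is not doing all of the matching work as it did in the previous example, these commands are more involved. Because there are several iptables commands, it is important to recognize that their order matters.
Note that these rules are added with the -I option (insert) rather than -A (append). When a rule is inserted, it is added at the top of the chain, pushing all existing rules down. Because every one of these rules is inserted, the effective order is reversed: each rule, as it is added, lands above the previous one.
The last iptables command above actually becomes the first rule in the FORWARD chain. This rule matches all packets whose destination matches the blocked_sites ipset and marks those packets with 0x187 (an arbitrarily chosen hexadecimal number). The next two rules match only packets that come from the hosts to be excluded and are already marked 0x187. These two rules then set the mark on those packets to 0x0, "clearing" the 0x187 mark.
Finally, the last iptables rule (represented by the first iptables command above) drops all packets carrying the 0x187 mark. This should match every packet with a destination in the blocked_sites set except those from either of the excluded MACs, because the mark on those packets is cleared before the DROP rule is reached.
This is only one way to solve the problem. Besides using a second ipset, another approach is to use user-defined chains.
If you want to use a second ipset instead of the mark technique, you cannot reproduce the exact result above, because ipset has no machash set type. There is a macipmap set type, but it requires matching on both IP and MAC, not on MAC alone as above.
Caveat: in most practical cases this solution does not actually work for websites, because many hosts that would be candidates for the blocked_sites set (such as Facebook, MySpace and so on) may have multiple IP addresses, and those IPs may change frequently. A general limitation of iptables/ipset is that a hostname should only be specified if it resolves to a single IP.
In addition, hostname lookups happen only when the command is run, so if the IP address changes, the firewall rules will not know about the change and will still reference the old IP. A better way to implement this kind of web access policy is therefore an HTTP proxy solution such as Squid. That topic is obviously beyond the scope of this article.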
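The MARK extension target puts a mark on a packet. Because connection tracking (conntrack) has marks too, the convention is to call the packet mark nfmark and the connection mark ctmark so that the two can be told apart. The mark discussed in this section is the nfmark.
The nfmark occupies four bytes (32 bits). It can be treated as a 32-bit unsigned integer and is usually written in hexadecimal.
The target sets the packet mark through one of five options, which are described in turn below.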
--set-xmark value[/mask]
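Both value and mask are 32-bit unsigned integers, usually written in hexadecimal. The kernel sets the packet's nfmark in two steps: (1) First it preprocesses the packet's original nfmark with mask: for every bit N (binary) that is 1 in mask, bit N of the nfmark is set to 0, and the other bits of the nfmark are left unchanged. (2) It then XORs the preprocessed nfmark with value, which gives the packet's final nfmark.
An example: suppose we set --set-xmark 0x4000/0xffffffff. The mask is 0xffffffff, so in binary all 32 bits are 1. The kernel first sets every bit of the packet's original nfmark to 0 (in effect zeroing the nfmark) and then XORs it with value, so the final nfmark is 0x4000. After passing this rule, the packet's nfmark is therefore 0x4000.
The mask is optional; if it is not given, it defaults to 0xffffffff.
--set-xmark value is thus a quick way to set the packet's nfmark to value; you can derive this yourself (0 XOR value = value).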
--set-mark value[/mask]
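This option works like the one above, also in two steps. The preprocessing step is identical; the second step differs: the preprocessed nfmark is ORed with value.
--set-mark value is a quick way to set the packet's nfmark to value; you can derive this yourself (0 OR value = value).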
--and-mark bits
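bits plays the role of value above: it is also 32 bits wide and written in hexadecimal. The option ANDs bits directly with the packet's original nfmark to obtain the new nfmark.
Its effect is the same as --set-xmark 0/invbits, which can be derived as follows.
invbits is bits with every bit inverted: 1 bits become 0 and 0 bits become 1. Suppose bits has n bits set to 1, at positions X1,...,Xn. The effect of --and-mark bits is that bits X1,...,Xn of the nfmark are kept and all other bits become 0. Now look at --set-xmark 0/invbits: bits X1,...,Xn of invbits are 0 and all others are 1, so after preprocessing with invbits, bits X1,...,Xn of the nfmark are kept and all others become 0. The result is then XORed with 0, and since any value XOR 0 is the value itself, the final nfmark is the preprocessed value, which is exactly the effect of --and-mark bits.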
--or-mark bits
This option ORs bits directly with the packet's original nfmark to obtain the new nfmark.
Its effect is the same as --set-xmark bits/bits; you can derive this yourself.
--xor-mark bits
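This option XORs bits directly with the packet's original nfmark to obtain the new nfmark.
Its effect is the same as --set-xmark bits/0; you can derive this yourself.
MARK is a 32-bit integer value. The MARK target can set the mark value in 3 ways:
--set-mark value: set the mark directly to value
--and-mark value: AND the mark with value and store the result as the new mark
--or-mark value: OR the mark with value and store the result as the new mark
How to match a mark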
iptables -t mangle -A INPUT -m mark --mark 1
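-m stands for match. The format of the mark match is --mark value[/mask]. The example above has no mask; an example with a mask is --mark 1/1. If a mask is given, the mark is logically ANDed with the mask before the comparison is made.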
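The five MARK options and the mark match reduce to a few lines of bit arithmetic. The following Python is an added example, not from the original page: it checks the three equivalences the text leaves as an exercise and then replays the cali-fw-cali2769e3081b5 and cali-po-_2Wxn51hylsXDhXiIl9a rules listed earlier for a given destination. Function names are hypothetical; the model assumes a new, non-encapsulated packet (so conntrack rules 1-2 and the VXLAN/IPIP drops in rules 4-5 never match) and takes the mark match to mean (packet mark AND mask) == value.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def set_xmark(nfmark, value, mask=MASK32):
    """--set-xmark value[/mask]: clear the bits in mask, then XOR value in."""
    return ((nfmark & ~mask) ^ value) & MASK32


def set_mark(nfmark, value, mask=MASK32):
    """--set-mark value[/mask]: clear the bits in mask, then OR value in."""
    return ((nfmark & ~mask) | value) & MASK32


def and_mark(nfmark, bits):
    return nfmark & bits & MASK32


def or_mark(nfmark, bits):
    return (nfmark | bits) & MASK32


def xor_mark(nfmark, bits):
    return (nfmark ^ bits) & MASK32


def mark_match(nfmark, value, mask=MASK32):
    """-m mark --mark value[/mask] (assumed semantics: mask the packet mark, then compare)."""
    return (nfmark & mask) == value


def check_equivalences():
    """Verify and/or/xor-mark against their --set-xmark forms on sample values."""
    samples = [0x0, 0x1, 0x187, 0x10000, 0x30000, 0x40000, 0xAA200000, MASK32]
    for m in samples:
        for bits in samples:
            inv = ~bits & MASK32
            if and_mark(m, bits) != set_xmark(m, 0, inv):
                return False
            if or_mark(m, bits) != set_xmark(m, bits, bits):
                return False
            if xor_mark(m, bits) != set_xmark(m, bits, 0):
                return False
    return True


# Members of ipset cali40s:jmjSdQKnfl0G-0h1JJpU-UZ as listed on this page.
POLICY_SET = ["10.244.29.18", "10.244.129.130"]


def in_set(ip, members):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(m) for m in members)


def walk_cali_fw(dst, nfmark=0x0, members=POLICY_SET):
    """Replay cali-fw rules 3 and 6-9 plus the cali-po chain; return (verdict, hops, mark)."""
    hops = []
    nfmark = set_xmark(nfmark, 0x0, 0x10000)          # fw rule 3: clear "accepted" bit
    hops.append("fw:3")
    nfmark = set_xmark(nfmark, 0x0, 0x20000)          # fw rule 6: "Start of policies"
    hops.append("fw:6")
    if mark_match(nfmark, 0x0, 0x20000):              # fw rule 7: jump to cali-po
        hops.append("fw:7")
        if in_set(dst, members):                      # po rule 1: --match-set ... dst
            nfmark = set_xmark(nfmark, 0x10000, 0x10000)
            hops.append("po:1")
        if mark_match(nfmark, 0x10000, 0x10000):      # po rule 2: RETURN if accepted
            hops.append("po:2")
        else:
            hops.append("po:return")                  # implicit return at end of chain
    if mark_match(nfmark, 0x10000, 0x10000):          # fw rule 8: "Return if policy accepted"
        hops.append("fw:8")
        return "RETURN", hops, nfmark
    if mark_match(nfmark, 0x0, 0x20000):              # fw rule 9: "Drop if no policies passed"
        hops.append("fw:9")
        return "DROP", hops, nfmark
    return "PROFILES", hops, nfmark                   # rules 10+ (profiles) are not modelled


if __name__ == "__main__":
    print(check_equivalences())
    print(walk_cali_fw("10.244.129.131"))
    print(walk_cali_fw("10.244.29.18"))
```

For destination 10.244.129.131 the replay visits the same hops as the trace (rules 3, 6, 7, the implicit return of cali-po, then rule 9).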
Terminating Or Non-Terminating
Non-Terminating
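Example 1
Above we have five ways to set a packet's nfmark. For example, add the following rule, which sets the nfmark of packets with source address 1.1.1.1 to 0x1, and then list the rule: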
$ iptables -t mangle -A PREROUTING -s 1.1.1.1 -j MARK --set-mark 0x1
$ iptables -t mangle -nL PREROUTING
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
...
MARK all -- 1.1.1.1 0.0.0.0/0 MARK set 0x1
The effect of --set-mark 0x1 is to set the nfmark to 0x1 regardless of its previous value; that is what MARK set 0x1 in the listing means.
Next, add the following rule and list the chain again:
$ iptables -t mangle -A PREROUTING -s 1.1.1.2 -j MARK --set-xmark 0x1/0x1
$ iptables -t mangle -nL PREROUTING
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
...
MARK all -- 1.1.1.2 0.0.0.0/0 MARK or 0x1
As we know, --set-xmark bits/bits has the same effect as --or-mark bits, so although we set the nfmark with --set-xmark 0x1/0x1, the listing displays it as or 0x1.
Fixing the public-network access problem
kubectl exec -it calico1-busybox -n ns-calico1 -- ping 10.244.129.131
PING 10.244.129.131 (10.244.129.131): 56 data bytes
iptables matching
Jul 22 02:56:21 centos7 kernel: TRACE: raw:PREROUTING:policy:4 IN=cali2769e3081b5 OUT= MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0 MARK=0x40000
Jul 22 02:56:21 centos7 kernel: TRACE: mangle:PREROUTING:rule:1 IN=cali2769e3081b5 OUT= MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0 MARK=0x40000
Jul 22 02:56:21 centos7 kernel: TRACE: mangle:cali-PREROUTING:rule:3 IN=cali2769e3081b5 OUT= MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0 MARK=0x40000
Jul 22 02:56:21 centos7 kernel: TRACE: mangle:cali-from-host-endpoint:return:1 IN=cali2769e3081b5 OUT= MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0 MARK=0x40000
Jul 22 02:56:21 centos7 kernel: TRACE: mangle:cali-PREROUTING:return:5 IN=cali2769e3081b5 OUT= MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0 MARK=0x40000
Jul 22 02:56:21 centos7 kernel: TRACE: mangle:PREROUTING:policy:2 IN=cali2769e3081b5 OUT= MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0 MARK=0x40000
Jul 22 02:56:21 centos7 kernel: TRACE: nat:PREROUTING:rule:1 IN=cali2769e3081b5 OUT= MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0 MARK=0x40000
Jul 22 02:56:21 centos7 kernel: TRACE: nat:cali-PREROUTING:rule:1 IN=cali2769e3081b5 OUT= MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0 MARK=0x40000
Jul 22 02:56:21 centos7 kernel: TRACE: nat:cali-fip-dnat:return:1 IN=cali2769e3081b5 OUT= MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0 MARK=0x40000
Jul 22 02:56:21 centos7 kernel: TRACE: nat:cali-PREROUTING:return:2 IN=cali2769e3081b5 OUT= MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0 MARK=0x40000
Jul 22 02:56:21 centos7 kernel: TRACE: nat:PREROUTING:rule:2 IN=cali2769e3081b5 OUT= MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0 MARK=0x40000
Jul 22 02:56:21 centos7 kernel: TRACE: nat:KUBE-SERVICES:return:12 IN=cali2769e3081b5 OUT= MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0 MARK=0x40000
Jul 22 02:56:21 centos7 kernel: TRACE: nat:PREROUTING:policy:4 IN=cali2769e3081b5 OUT= MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0 MARK=0x40000
Jul 22 02:56:21 centos7 kernel: TRACE: mangle:FORWARD:policy:1 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0 MARK=0x40000
Jul 22 02:56:21 centos7 kernel: TRACE: filter:FORWARD:rule:1 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0 MARK=0x40000
Jul 22 02:56:21 centos7 kernel: TRACE: filter:cali-FORWARD:rule:1 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0 MARK=0x40000
Jul 22 02:56:21 centos7 kernel: TRACE: filter:cali-FORWARD:rule:2 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0
Jul 22 02:56:21 centos7 kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0
Jul 22 02:56:22 centos7 kernel: TRACE: filter:cali-FORWARD:rule:3 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0
Jul 22 02:56:22 centos7 kernel: TRACE: filter:cali-from-wl-dispatch:rule:2 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0
Jul 22 02:56:22 centos7 kernel: TRACE: filter:cali-fw-cali2769e3081b5:rule:3 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0
Jul 22 02:56:22 centos7 kernel: TRACE: filter:cali-fw-cali2769e3081b5:rule:6 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0
Jul 22 02:56:22 centos7 kernel: TRACE: filter:cali-fw-cali2769e3081b5:rule:7 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0
Jul 22 02:56:22 centos7 kernel: TRACE: filter:cali-po-_d4qo2yLPU80D48kRfyX:rule:1 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0
Jul 22 02:56:22 centos7 kernel: TRACE: filter:cali-po-_d4qo2yLPU80D48kRfyX:rule:2 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0 MARK=0x10000
Jul 22 02:56:22 centos7 kernel: TRACE: filter:cali-fw-cali2769e3081b5:rule:8 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0 MARK=0x10000
Jul 22 02:56:22 centos7 kernel: TRACE: filter:cali-FORWARD:rule:4 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0 MARK=0x10000
Jul 22 02:56:22 centos7 kernel: TRACE: filter:cali-to-wl-dispatch:rule:3 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0 MARK=0x10000
Jul 22 02:56:22 centos7 kernel: TRACE: filter:cali-tw-cali347b41e63b1:rule:3 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00
PREC=0x00 TTL=63 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0 MARK=0x10000 Jul 22 02:56:22 centos7 kernel: TRACE: filter:cali-tw-cali347b41e63b1:rule:4 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0 Jul 22 02:56:22 centos7 kernel: TRACE: filter:cali-tw-cali347b41e63b1:rule:5 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0 Jul 22 02:56:22 centos7 kernel: TRACE: filter:cali-pi-_d4qo2yLPU80D48kRfyX:return:3 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0 Jul 22 02:56:22 centos7 kernel: TRACE: filter:cali-tw-cali347b41e63b1:rule:7 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0
[root@centos7 ~]# tail -f /var/log/kern.debug.log
Jul 22 02:30:49 centos7 kernel: TRACE: filter:cali-po-_d4qo2yLPU80D48kRfyX:rule:1 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4732 DF PROTO=ICMP TYPE=8 CODE=0 ID=8 SEQ=219
Jul 22 02:30:49 centos7 kernel: TRACE: filter:cali-po-_d4qo2yLPU80D48kRfyX:rule:2 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4732 DF PROTO=ICMP TYPE=8 CODE=0 ID=8 SEQ=219 MARK=0x10000
Jul 22 02:30:49 centos7 kernel: TRACE: filter:cali-fw-cali2769e3081b5:rule:8 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4732 DF PROTO=ICMP TYPE=8 CODE=0 ID=8 SEQ=219 MARK=0x10000
Jul 22 02:30:49 centos7 kernel: TRACE: filter:cali-FORWARD:rule:4 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4732 DF PROTO=ICMP TYPE=8 CODE=0 ID=8 SEQ=219 MARK=0x10000
Jul 22 02:30:49 centos7 kernel: TRACE: filter:cali-to-wl-dispatch:rule:3 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4732 DF PROTO=ICMP TYPE=8 CODE=0 ID=8 SEQ=219 MARK=0x10000
Jul 22 02:30:49 centos7 kernel: TRACE: filter:cali-tw-cali347b41e63b1:rule:3 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4732 DF PROTO=ICMP TYPE=8 CODE=0 ID=8 SEQ=219 MARK=0x10000
Jul 22 02:30:49 centos7 kernel: TRACE: filter:cali-tw-cali347b41e63b1:rule:4 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4732 DF PROTO=ICMP TYPE=8 CODE=0 ID=8 SEQ=219
Jul 22 02:30:49 centos7 kernel: TRACE: filter:cali-tw-cali347b41e63b1:rule:5 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4732 DF PROTO=ICMP TYPE=8 CODE=0 ID=8 SEQ=219
Jul 22 02:30:49 centos7 kernel: TRACE: filter:cali-pi-_d4qo2yLPU80D48kRfyX:return:3 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4732 DF PROTO=ICMP TYPE=8 CODE=0 ID=8 SEQ=219
Jul 22 02:30:49 centos7 kernel: TRACE: filter:cali-tw-cali347b41e63b1:rule:7 IN=cali2769e3081b5 OUT=cali347b41e63b1 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=10.244.129.131 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4732 DF PROTO=ICMP T
Packets are being dropped
[root@centos7 ~]# iptables -nv -L cali-tw-cali347b41e63b1 -t filter --line-number
Chain cali-tw-cali347b41e63b1 (1 references)
num pkts bytes target prot opt in out source destination
1 5 348 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:u0hVnh5fm3T2AkOq */ ctstate RELATED,ESTABLISHED
2 5 260 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:VWVsvumIyL4SffgY */ ctstate INVALID
3 410 34416 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:21qeoTAirh5QEHbL */ MARK and 0xfffeffff
4 391 32844 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:Jl1l4dSWEO-Ov6H4 */ /* Start of policies */ MARK and 0xfffdffff
5 391 32844 cali-pi-_d4qo2yLPU80D48kRfyX all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:m58pgQIbLfUvgFEG */ mark match 0x0/0x20000
6 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:wkQQ3aJA6nKKrcvS */ /* Return if policy accepted */ mark match 0x10000/0x10000
7 391 32844 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:cS9y1_R1Y7Dy979y */ /* Drop if no policies passed packet */ mark match 0x0/0x20000
8 0 0 cali-pri-kns.ns-calico2 all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:30f9oQmTII-CGab8 */
9 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:cTJVNCjNdLea6o1e */ /* Return if profile accepted */ mark match 0x10000/0x10000
10 0 0 cali-pri-_LhcX5BaXU_QdrISzV6 all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:UTFkGUMB2VyvkY2n */
11 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:SvhW7ID4qE6shLTx */ /* Return if profile accepted */ mark match 0x10000/0x10000
12 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:oflca_XQJmDKJhnL */ /* Drop if no profiles matched */
[root@centos7 ~]# iptables -S -t filter | grep cali-pi-_d4qo2yLPU80D48kRfyX
-N cali-pi-_d4qo2yLPU80D48kRfyX
-A cali-pi-_d4qo2yLPU80D48kRfyX -m comment --comment "cali:g4yVdp-aDhBfIFYj" -m set --match-set cali40s:9Hlc81Gd85Ibld7JGuPSvtB src -m set --match-set cali40s:9Hlc81Gd85Ibld7JGuPSvtB dst -j MARK --set-xmark 0x10000/0x10000
-A cali-pi-_d4qo2yLPU80D48kRfyX -m comment --comment "cali:H0FDsVywIfehzJca" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-tw-cali2769e3081b5 -m comment --comment "cali:wVat3UYwOrEmLYci" -m mark --mark 0x0/0x20000 -j cali-pi-_d4qo2yLPU80D48kRfyX
-A cali-tw-cali347b41e63b1 -m comment --comment "cali:m58pgQIbLfUvgFEG" -m mark --mark 0x0/0x20000 -j cali-pi-_d4qo2yLPU80D48kRfyX
[root@centos7 ~]# ipset list cali40s:9Hlc81Gd85Ibld7JGuPSvtB
Name: cali40s:9Hlc81Gd85Ibld7JGuPSvtB
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 1048576
Size in memory: 472
References: 2
Number of entries: 2
Members:
10.244.29.18
10.244.129.130
[root@centos7 ~]# tcpdump -i cali2769e3081b5 icmp -env
tcpdump: listening on cali2769e3081b5, link-type EN10MB (Ethernet), capture size 262144 bytes
02:44:52.934249 4e:20:58:93:4e:16 > ee:ee:ee:ee:ee:ee, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 38049, offset 0, flags [DF], proto ICMP (1), length 84)
    10.244.129.130 > 10.244.129.131: ICMP echo request, id 15, seq 361, length 64
02:44:54.698225 4e:20:58:93:4e:16 > ee:ee:ee:ee:ee:ee, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 38219, offset 0, flags [DF], proto ICMP (1), length 84)
    10.244.129.130 > 10.244.129.131: ICMP echo request, id 15, seq 362, length 64
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel
[root@centos7 ~]# tcpdump -i cali347b41e63b1 icmp -env    # no packets are captured here
tcpdump: listening on cali347b41e63b1, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
[root@centos7 ~]#
In other words, the packet has already been dropped before it is forwarded to cali347b41e63b1.
cali-to-wl-dispatch
Jul 22 02:30:49 centos7 kernel: TRACE: filter:cali-to-wl-dispatch:rule:3 IN=cali2769e3081b5 OUT=cali347b41e63b1
[root@centos7 ~]# iptables -nv -L cali-to-wl-dispatch -t filter --line-number
Chain cali-to-wl-dispatch (2 references)
num pkts bytes target prot opt in out source destination
1 0 0 cali-tw-cali06a2cdc2c69 all -- * cali06a2cdc2c69 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:k3hns8YCWtcZPJ4Q */
2 1056 94813 cali-tw-cali2769e3081b5 all -- * cali2769e3081b5 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:OtAlv2r8LxCvt3uI */
3 668 55856 cali-tw-cali347b41e63b1 all -- * cali347b41e63b1 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:3mrld5FTvq6e5Vyd */
4 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:vwGkA5EdyYhPIbzG */ /* Unknown interface */
[root@centos7 ~]# iptables -S -t filter | grep cali-to-wl-dispatch
-N cali-to-wl-dispatch
-A cali-FORWARD -o cali+ -m comment --comment "cali:jdEuaPBe14V2hutn" -j cali-to-wl-dispatch
-A cali-forward-endpoint-mark -o cali+ -m comment --comment "cali:aFl0WFKRxDqj8oA6" -j cali-to-wl-dispatch
-A cali-to-wl-dispatch -o cali06a2cdc2c69 -m comment --comment "cali:k3hns8YCWtcZPJ4Q" -g cali-tw-cali06a2cdc2c69
-A cali-to-wl-dispatch -o cali2769e3081b5 -m comment --comment "cali:OtAlv2r8LxCvt3uI" -g cali-tw-cali2769e3081b5
-A cali-to-wl-dispatch -o cali347b41e63b1 -m comment --comment "cali:3mrld5FTvq6e5Vyd" -g cali-tw-cali347b41e63b1
-A cali-to-wl-dispatch -m comment --comment "cali:vwGkA5EdyYhPIbzG" -m comment --comment "Unknown interface" -j DROP
[root@centos7 ~]# iptables -S -t filter | grep cali-tw-cali347b41e63b1
-N cali-tw-cali347b41e63b1
-A cali-to-wl-dispatch -o cali347b41e63b1 -m comment --comment "cali:3mrld5FTvq6e5Vyd" -g cali-tw-cali347b41e63b1
-A cali-tw-cali347b41e63b1 -m comment --comment "cali:u0hVnh5fm3T2AkOq" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali347b41e63b1 -m comment --comment "cali:VWVsvumIyL4SffgY" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali347b41e63b1 -m comment --comment "cali:21qeoTAirh5QEHbL" -j MARK --set-xmark 0x0/0x10000
-A cali-tw-cali347b41e63b1 -m comment --comment "cali:Jl1l4dSWEO-Ov6H4" -m comment --comment "Start of policies" -j MARK --set-xmark 0x0/0x20000
-A cali-tw-cali347b41e63b1 -m comment --comment "cali:m58pgQIbLfUvgFEG" -m mark --mark 0x0/0x20000 -j cali-pi-_d4qo2yLPU80D48kRfyX
-A cali-tw-cali347b41e63b1 -m comment --comment "cali:wkQQ3aJA6nKKrcvS" -m comment --comment "Return if policy accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-tw-cali347b41e63b1 -m comment --comment "cali:cS9y1_R1Y7Dy979y" -m comment --comment "Drop if no policies passed packet" -m mark --mark 0x0/0x20000 -j DROP
-A cali-tw-cali347b41e63b1 -m comment --comment "cali:30f9oQmTII-CGab8" -j cali-pri-kns.ns-calico2
-A cali-tw-cali347b41e63b1 -m comment --comment "cali:cTJVNCjNdLea6o1e" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-tw-cali347b41e63b1 -m comment --comment "cali:UTFkGUMB2VyvkY2n" -j cali-pri-_LhcX5BaXU_QdrISzV6
-A cali-tw-cali347b41e63b1 -m comment --comment "cali:SvhW7ID4qE6shLTx" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-tw-cali347b41e63b1 -m comment --comment "cali:oflca_XQJmDKJhnL" -m comment --comment "Drop if no profiles matched" -j DROP
[root@centos7 ~]# iptables -nv -L cali-from-wl-dispatch -t filter --line-number
Chain cali-from-wl-dispatch (2 references)
num pkts bytes target prot opt in out source destination
1 863K 63M cali-fw-cali06a2cdc2c69 all -- cali06a2cdc2c69 * 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:g5HZtoHpnFC-kfJW */
2 2161 179K cali-fw-cali2769e3081b5 all -- cali2769e3081b5 * 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:0qgbRT_uqniX0s-k */
3 16 5525 cali-fw-cali347b41e63b1 all -- cali347b41e63b1 * 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:nYdkVkI8TwLHEyim */
4 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:Y1OG-V6H5BbjjOs1 */ /* Unknown interface */
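An added example (not part of the original page): a Python script that parses TRACE records, takes the last hop logged for each packet, and looks that rule number up in `iptables -S` output to see whether the packet ended on a DROP. The sample log lines are abridged from the traces on this page (MAC, LEN, TOS, PREC and TTL omitted) and the rules are the first seven of cali-tw-cali347b41e63b1 as listed above; the function names are this example's own.

```python
"""Find the rule where a TRACEd packet stopped and resolve it against `iptables -S`."""
import re
import shlex

# TRACE: <table>:<chain>:<rule|return|policy>:<rulenum> <packet fields>
TRACE_RE = re.compile(
    r"TRACE: (?P<table>[^:\s]+):(?P<chain>\S+?):(?P<kind>rule|return|policy):(?P<num>\d+) (?P<rest>.*)$"
)
TERMINAL = {"DROP", "REJECT"}


def parse_trace(line):
    """Return one TRACE record as a dict, or None if the line is not a TRACE record."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, value in re.findall(r"(\w+)=(\S*)", m.group("rest")):
        fields.setdefault(key, value)  # first ID= is the IP ID, the second is the ICMP ID
    return {"table": m.group("table"), "chain": m.group("chain"),
            "kind": m.group("kind"), "num": int(m.group("num")), "fields": fields}


def packet_paths(log_text):
    """Group records per packet. The key assumes no NAT rewrote SRC/DST along the path."""
    paths = {}
    for line in log_text.splitlines():
        rec = parse_trace(line)
        if rec:
            f = rec["fields"]
            key = (f.get("SRC"), f.get("DST"), f.get("ID"), f.get("SEQ"))
            paths.setdefault(key, []).append(rec)
    return paths


def rule_at(rules_text, chain, num):
    """Return the num-th `-A <chain>` line of `iptables -S` output (1-based), or None."""
    rules = [l for l in rules_text.splitlines() if l.split()[:2] == ["-A", chain]]
    return rules[num - 1] if 0 < num <= len(rules) else None


def describe(rule):
    """Extract the jump/goto target and the comments of one rule line."""
    tokens = shlex.split(rule)
    pairs = list(zip(tokens, tokens[1:]))
    target = next((nxt for tok, nxt in pairs if tok in ("-j", "-g")), None)
    comments = [nxt for tok, nxt in pairs if tok == "--comment"]
    return target, comments


def diagnose(log_text, rules_text):
    """For each traced packet, report the last hop and, if it is a rule, its target."""
    findings = []
    for key, path in packet_paths(log_text).items():
        last = path[-1]
        target, comments = None, []
        if last["kind"] == "rule":
            rule = rule_at(rules_text, last["chain"], last["num"])
            if rule:
                target, comments = describe(rule)
        findings.append({
            "packet": key, "hops": len(path),
            "last_hop": f'{last["table"]}:{last["chain"]}:{last["kind"]}:{last["num"]}',
            "target": target, "comments": comments, "dropped": target in TERMINAL,
        })
    return findings


# Sample input, abridged from the page's kernel log.
POD_TO_POD = ("IN=cali2769e3081b5 OUT=cali347b41e63b1 SRC=10.244.129.130 DST=10.244.129.131 "
              "ID=23797 DF PROTO=ICMP TYPE=8 CODE=0 ID=44 SEQ=0")
POD_TO_EXT = "SRC=10.244.129.130 DST=8.8.8.8 ID=64640 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=1"
SAMPLE_LOG = "\n".join(
    f"Jul 22 {ts} centos7 kernel: TRACE: {hop} {tail}" for ts, hop, tail in [
        ("02:56:22", "filter:cali-to-wl-dispatch:rule:3", POD_TO_POD + " MARK=0x10000"),
        ("02:56:22", "filter:cali-tw-cali347b41e63b1:rule:3", POD_TO_POD + " MARK=0x10000"),
        ("02:56:22", "filter:cali-tw-cali347b41e63b1:rule:4", POD_TO_POD),
        ("02:56:22", "filter:cali-tw-cali347b41e63b1:rule:5", POD_TO_POD),
        ("02:56:22", "filter:cali-pi-_d4qo2yLPU80D48kRfyX:return:3", POD_TO_POD),
        ("02:56:22", "filter:cali-tw-cali347b41e63b1:rule:7", POD_TO_POD),
        ("02:48:29", "filter:cali-fw-cali2769e3081b5:rule:1", "IN=cali2769e3081b5 OUT=enp125s0f0 " + POD_TO_EXT),
        ("02:48:29", "mangle:POSTROUTING:policy:2", "IN= OUT=enp125s0f0 " + POD_TO_EXT),
    ])
SAMPLE_RULES = '''-N cali-tw-cali347b41e63b1
-A cali-to-wl-dispatch -o cali347b41e63b1 -m comment --comment "cali:3mrld5FTvq6e5Vyd" -g cali-tw-cali347b41e63b1
-A cali-tw-cali347b41e63b1 -m comment --comment "cali:u0hVnh5fm3T2AkOq" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali347b41e63b1 -m comment --comment "cali:VWVsvumIyL4SffgY" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali347b41e63b1 -m comment --comment "cali:21qeoTAirh5QEHbL" -j MARK --set-xmark 0x0/0x10000
-A cali-tw-cali347b41e63b1 -m comment --comment "cali:Jl1l4dSWEO-Ov6H4" -m comment --comment "Start of policies" -j MARK --set-xmark 0x0/0x20000
-A cali-tw-cali347b41e63b1 -m comment --comment "cali:m58pgQIbLfUvgFEG" -m mark --mark 0x0/0x20000 -j cali-pi-_d4qo2yLPU80D48kRfyX
-A cali-tw-cali347b41e63b1 -m comment --comment "cali:wkQQ3aJA6nKKrcvS" -m comment --comment "Return if policy accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-tw-cali347b41e63b1 -m comment --comment "cali:cS9y1_R1Y7Dy979y" -m comment --comment "Drop if no policies passed packet" -m mark --mark 0x0/0x20000 -j DROP
'''

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, SAMPLE_RULES):
        print(finding)
```

TRACE rule numbers are positional, so take the `iptables -S` listing at the same time as the trace. A last hop that does not resolve to DROP or REJECT may simply be where the captured log ends.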
kubectl exec -it calico1-busybox -n ns-calico1 -- ping 8.8.8.8
root@ubuntu:~/tenant# kubectl exec -it calico1-busybox -n ns-calico1 -- ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=100 time=1320.419 ms
Jul 22 02:48:27 centos7 kernel: TRACE: raw:PREROUTING:policy:4 IN=cali2769e3081b5 OUT= MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x40000 Jul 22 02:48:27 centos7 kernel: TRACE: mangle:PREROUTING:rule:1 IN=cali2769e3081b5 OUT= MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x40000 Jul 22 02:48:27 centos7 kernel: TRACE: mangle:cali-PREROUTING:rule:3 IN=cali2769e3081b5 OUT= MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x40000 Jul 22 02:48:27 centos7 kernel: TRACE: mangle:cali-from-host-endpoint:return:1 IN=cali2769e3081b5 OUT= MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x40000 Jul 22 02:48:27 centos7 kernel: TRACE: mangle:cali-PREROUTING:return:5 IN=cali2769e3081b5 OUT= MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x40000 Jul 22 02:48:27 centos7 kernel: TRACE: mangle:PREROUTING:policy:2 IN=cali2769e3081b5 OUT= MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x40000 Jul 22 02:48:27 centos7 kernel: TRACE: nat:PREROUTING:rule:1 IN=cali2769e3081b5 OUT= MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x40000 Jul 22 02:48:27 centos7 kernel: TRACE: nat:cali-PREROUTING:rule:1 IN=cali2769e3081b5 OUT= MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 
DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x40000 Jul 22 02:48:27 centos7 kernel: TRACE: nat:cali-fip-dnat:return:1 IN=cali2769e3081b5 OUT= MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x40000 Jul 22 02:48:27 centos7 kernel: TRACE: nat:cali-PREROUTING:return:2 IN=cali2769e3081b5 OUT= MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x40000 Jul 22 02:48:27 centos7 kernel: TRACE: nat:PREROUTING:rule:2 IN=cali2769e3081b5 OUT= MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x40000 Jul 22 02:48:27 centos7 kernel: TRACE: nat:KUBE-SERVICES:return:12 IN=cali2769e3081b5 OUT= MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x40000 Jul 22 02:48:27 centos7 kernel: TRACE: nat:PREROUTING:policy:4 IN=cali2769e3081b5 OUT= MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x40000 Jul 22 02:48:27 centos7 kernel: TRACE: mangle:FORWARD:policy:1 IN=cali2769e3081b5 OUT=enp125s0f0 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x40000 Jul 22 02:48:27 centos7 kernel: TRACE: filter:FORWARD:rule:1 IN=cali2769e3081b5 OUT=enp125s0f0 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x40000 Jul 22 02:48:27 centos7 kernel: TRACE: 
filter:cali-FORWARD:rule:1 IN=cali2769e3081b5 OUT=enp125s0f0 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x40000 Jul 22 02:48:27 centos7 kernel: TRACE: filter:cali-FORWARD:rule:2 IN=cali2769e3081b5 OUT=enp125s0f0 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 Jul 22 02:48:27 centos7 kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=cali2769e3081b5 OUT=enp125s0f0 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 Jul 22 02:48:27 centos7 kernel: TRACE: filter:cali-FORWARD:rule:3 IN=cali2769e3081b5 OUT=enp125s0f0 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 Jul 22 02:48:27 centos7 kernel: TRACE: filter:cali-from-wl-dispatch:rule:2 IN=cali2769e3081b5 OUT=enp125s0f0 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 Jul 22 02:48:27 centos7 kernel: TRACE: filter:cali-fw-cali2769e3081b5:rule:3 IN=cali2769e3081b5 OUT=enp125s0f0 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 Jul 22 02:48:27 centos7 kernel: TRACE: filter:cali-fw-cali2769e3081b5:rule:6 IN=cali2769e3081b5 OUT=enp125s0f0 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 Jul 22 02:48:27 centos7 kernel: TRACE: filter:cali-fw-cali2769e3081b5:rule:7 IN=cali2769e3081b5 OUT=enp125s0f0 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 
SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 Jul 22 02:48:27 centos7 kernel: TRACE: filter:cali-po-_d4qo2yLPU80D48kRfyX:rule:1 IN=cali2769e3081b5 OUT=enp125s0f0 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 Jul 22 02:48:27 centos7 kernel: TRACE: filter:cali-po-_d4qo2yLPU80D48kRfyX:rule:2 IN=cali2769e3081b5 OUT=enp125s0f0 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x10000 Jul 22 02:48:27 centos7 kernel: TRACE: filter:cali-fw-cali2769e3081b5:rule:8 IN=cali2769e3081b5 OUT=enp125s0f0 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x10000 Jul 22 02:48:27 centos7 kernel: TRACE: filter:cali-FORWARD:rule:5 IN=cali2769e3081b5 OUT=enp125s0f0 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x10000 Jul 22 02:48:27 centos7 kernel: TRACE: filter:cali-to-hep-forward:return:1 IN=cali2769e3081b5 OUT=enp125s0f0 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x10000 Jul 22 02:48:27 centos7 kernel: TRACE: filter:cali-FORWARD:rule:6 IN=cali2769e3081b5 OUT=enp125s0f0 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x10000 Jul 22 02:48:27 centos7 kernel: TRACE: filter:cali-cidr-block:return:1 IN=cali2769e3081b5 OUT=enp125s0f0 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 
ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x10000 Jul 22 02:48:27 centos7 kernel: TRACE: filter:cali-FORWARD:return:7 IN=cali2769e3081b5 OUT=enp125s0f0 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x10000 Jul 22 02:48:27 centos7 kernel: TRACE: filter:FORWARD:rule:2 IN=cali2769e3081b5 OUT=enp125s0f0 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x10000 Jul 22 02:48:27 centos7 kernel: TRACE: filter:KUBE-FORWARD:return:5 IN=cali2769e3081b5 OUT=enp125s0f0 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x10000 Jul 22 02:48:27 centos7 kernel: TRACE: filter:FORWARD:rule:3 IN=cali2769e3081b5 OUT=enp125s0f0 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x10000 Jul 22 02:48:27 centos7 kernel: TRACE: filter:KUBE-SERVICES:return:3 IN=cali2769e3081b5 OUT=enp125s0f0 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x10000 Jul 22 02:48:27 centos7 kernel: TRACE: filter:FORWARD:rule:4 IN=cali2769e3081b5 OUT=enp125s0f0 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x10000 Jul 22 02:48:27 centos7 kernel: TRACE: filter:DOCKER-ISOLATION:return:1 IN=cali2769e3081b5 OUT=enp125s0f0 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x10000 Jul 22 02:48:27 centos7 kernel: 
TRACE: filter:FORWARD:rule:9 IN=cali2769e3081b5 OUT=enp125s0f0 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x10000 Jul 22 02:48:27 centos7 kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=enp125s0f0 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x10000 Jul 22 02:48:27 centos7 kernel: TRACE: mangle:cali-POSTROUTING:rule:1 IN= OUT=enp125s0f0 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x10000 Jul 22 02:48:27 centos7 kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=enp125s0f0 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x10000 Jul 22 02:48:27 centos7 kernel: TRACE: nat:POSTROUTING:rule:1 IN= OUT=enp125s0f0 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x10000 Jul 22 02:48:27 centos7 kernel: TRACE: nat:cali-POSTROUTING:rule:1 IN= OUT=enp125s0f0 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x10000 Jul 22 02:48:27 centos7 kernel: TRACE: nat:cali-fip-snat:return:1 IN= OUT=enp125s0f0 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x10000 Jul 22 02:48:27 centos7 kernel: TRACE: nat:cali-POSTROUTING:rule:2 IN= OUT=enp125s0f0 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x10000 Jul 22 02:48:27 centos7 kernel: TRACE: nat:cali-nat-outgoing:rule:1 IN= OUT=enp125s0f0 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64535 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=0 MARK=0x10000 Jul 22 02:48:28 centos7 kernel: TRACE: raw:PREROUTING:policy:4 
IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:f4:1d:6b:87:53:2a:08:00 SRC=8.8.8.8 DST=10.10.16.251 LEN=84 TOS=0x00 PREC=0x00 TTL=101 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=0 Jul 22 02:48:28 centos7 kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:f4:1d:6b:87:53:2a:08:00 SRC=8.8.8.8 DST=10.10.16.251 LEN=84 TOS=0x00 PREC=0x00 TTL=101 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=0 Jul 22 02:48:28 centos7 kernel: TRACE: mangle:cali-PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:f4:1d:6b:87:53:2a:08:00 SRC=8.8.8.8 DST=10.10.16.251 LEN=84 TOS=0x00 PREC=0x00 TTL=101 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=0 Jul 22 02:48:28 centos7 kernel: TRACE: mangle:FORWARD:policy:1 IN=enp125s0f0 OUT=cali2769e3081b5 MAC=b0:08:75:5f:b8:5b:f4:1d:6b:87:53:2a:08:00 SRC=8.8.8.8 DST=10.244.129.130 LEN=84 TOS=0x00 PREC=0x00 TTL=100 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=37 SEQ=0 Jul 22 02:48:28 centos7 kernel: TRACE: filter:FORWARD:rule:1 IN=enp125s0f0 OUT=cali2769e3081b5 MAC=b0:08:75:5f:b8:5b:f4:1d:6b:87:53:2a:08:00 SRC=8.8.8.8 DST=10.244.129.130 LEN=84 TOS=0x00 PREC=0x00 TTL=100 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=37 SEQ=0 Jul 22 02:48:28 centos7 kernel: TRACE: filter:cali-FORWARD:rule:1 IN=enp125s0f0 OUT=cali2769e3081b5 MAC=b0:08:75:5f:b8:5b:f4:1d:6b:87:53:2a:08:00 SRC=8.8.8.8 DST=10.244.129.130 LEN=84 TOS=0x00 PREC=0x00 TTL=100 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=37 SEQ=0 Jul 22 02:48:28 centos7 kernel: TRACE: filter:cali-FORWARD:rule:2 IN=enp125s0f0 OUT=cali2769e3081b5 MAC=b0:08:75:5f:b8:5b:f4:1d:6b:87:53:2a:08:00 SRC=8.8.8.8 DST=10.244.129.130 LEN=84 TOS=0x00 PREC=0x00 TTL=100 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=37 SEQ=0 Jul 22 02:48:28 centos7 kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=enp125s0f0 OUT=cali2769e3081b5 MAC=b0:08:75:5f:b8:5b:f4:1d:6b:87:53:2a:08:00 SRC=8.8.8.8 DST=10.244.129.130 LEN=84 TOS=0x00 PREC=0x00 TTL=100 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=37 SEQ=0 Jul 22 02:48:28 centos7 kernel: TRACE: filter:cali-FORWARD:rule:4 IN=enp125s0f0 
OUT=cali2769e3081b5 MAC=b0:08:75:5f:b8:5b:f4:1d:6b:87:53:2a:08:00 SRC=8.8.8.8 DST=10.244.129.130 LEN=84 TOS=0x00 PREC=0x00 TTL=100 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=37 SEQ=0 Jul 22 02:48:28 centos7 kernel: TRACE: filter:cali-to-wl-dispatch:rule:2 IN=enp125s0f0 OUT=cali2769e3081b5 MAC=b0:08:75:5f:b8:5b:f4:1d:6b:87:53:2a:08:00 SRC=8.8.8.8 DST=10.244.129.130 LEN=84 TOS=0x00 PREC=0x00 TTL=100 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=37 SEQ=0 Jul 22 02:48:28 centos7 kernel: TRACE: filter:cali-tw-cali2769e3081b5:rule:1 IN=enp125s0f0 OUT=cali2769e3081b5 MAC=b0:08:75:5f:b8:5b:f4:1d:6b:87:53:2a:08:00 SRC=8.8.8.8 DST=10.244.129.130 LEN=84 TOS=0x00 PREC=0x00 TTL=100 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=37 SEQ=0 Jul 22 02:48:28 centos7 kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=cali2769e3081b5 SRC=8.8.8.8 DST=10.244.129.130 LEN=84 TOS=0x00 PREC=0x00 TTL=100 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=37 SEQ=0 Jul 22 02:48:28 centos7 kernel: TRACE: mangle:cali-POSTROUTING:rule:3 IN= OUT=cali2769e3081b5 SRC=8.8.8.8 DST=10.244.129.130 LEN=84 TOS=0x00 PREC=0x00 TTL=100 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=37 SEQ=0 Jul 22 02:48:28 centos7 kernel: TRACE: mangle:cali-POSTROUTING:return:6 IN= OUT=cali2769e3081b5 SRC=8.8.8.8 DST=10.244.129.130 LEN=84 TOS=0x00 PREC=0x00 TTL=100 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=37 SEQ=0 Jul 22 02:48:28 centos7 kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=cali2769e3081b5 SRC=8.8.8.8 DST=10.244.129.130 LEN=84 TOS=0x00 PREC=0x00 TTL=100 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=37 SEQ=0 Jul 22 02:48:29 centos7 kernel: TRACE: raw:PREROUTING:policy:4 IN=cali2769e3081b5 OUT= MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=64640 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=1 MARK=0x40000 Jul 22 02:48:29 centos7 kernel: TRACE: mangle:PREROUTING:rule:1 IN=cali2769e3081b5 OUT= MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=64640 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 
SEQ=1 MARK=0x40000 Jul 22 02:48:29 centos7 kernel: TRACE: mangle:cali-PREROUTING:rule:1 IN=cali2769e3081b5 OUT= MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=64640 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=1 MARK=0x40000 Jul 22 02:48:29 centos7 kernel: TRACE: mangle:FORWARD:policy:1 IN=cali2769e3081b5 OUT=enp125s0f0 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64640 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=1 MARK=0x40000 Jul 22 02:48:29 centos7 kernel: TRACE: filter:FORWARD:rule:1 IN=cali2769e3081b5 OUT=enp125s0f0 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64640 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=1 MARK=0x40000 Jul 22 02:48:29 centos7 kernel: TRACE: filter:cali-FORWARD:rule:1 IN=cali2769e3081b5 OUT=enp125s0f0 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64640 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=1 MARK=0x40000 Jul 22 02:48:29 centos7 kernel: TRACE: filter:cali-FORWARD:rule:2 IN=cali2769e3081b5 OUT=enp125s0f0 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64640 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=1 Jul 22 02:48:29 centos7 kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=cali2769e3081b5 OUT=enp125s0f0 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64640 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=1 Jul 22 02:48:29 centos7 kernel: TRACE: filter:cali-FORWARD:rule:3 IN=cali2769e3081b5 OUT=enp125s0f0 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64640 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=1 Jul 22 02:48:29 centos7 kernel: TRACE: filter:cali-from-wl-dispatch:rule:2 IN=cali2769e3081b5 OUT=enp125s0f0 
MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64640 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=1 Jul 22 02:48:29 centos7 kernel: TRACE: filter:cali-fw-cali2769e3081b5:rule:1 IN=cali2769e3081b5 OUT=enp125s0f0 MAC=ee:ee:ee:ee:ee:ee:4e:20:58:93:4e:16:08:00 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64640 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=1 Jul 22 02:48:29 centos7 kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=enp125s0f0 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64640 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=1 Jul 22 02:48:29 centos7 kernel: TRACE: mangle:cali-POSTROUTING:rule:3 IN= OUT=enp125s0f0 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64640 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=1 Jul 22 02:48:29 centos7 kernel: TRACE: mangle:cali-POSTROUTING:return:6 IN= OUT=enp125s0f0 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64640 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=1 Jul 22 02:48:29 centos7 kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=enp125s0f0 SRC=10.244.129.130 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=64640 DF PROTO=ICMP TYPE=8 CODE=0 ID=37 SEQ=1 Jul 22 02:48:29 centos7 kernel: TRACE: raw:PREROUTING:policy:4 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:f4:1d:6b:87:53:2a:08:00 SRC=8.8.8.8 DST=10.10.16.251 LEN=84 TOS=0x00 PREC=0x00 TTL=101 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=1 Jul 22 02:48:29 centos7 kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:f4:1d:6b:87:53:2a:08:00 SRC=8.8.8.8 DST=10.10.16.251 LEN=84 TOS=0x00 PREC=0x00 TTL=101 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=1 Jul 22 02:48:29 centos7 kernel: TRACE: mangle:cali-PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:f4:1d:6b:87:53:2a:08:00 SRC=8.8.8.8 DST=10.10.16.251 LEN=84 TOS=0x00 PREC=0x00 TTL=101 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=1 Jul 22 02:48:29 centos7 kernel: TRACE: mangle:FORWARD:policy:1 
IN=enp125s0f0 OUT=cali2769e3081b5 MAC=b0:08:75:5f:b8:5b:f4:1d:6b:87:53:2a:08:00 SRC=8.8.8.8 DST=10.244.129.130 LEN=84 TOS=0x00 PREC=0x00 TTL=100 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=37 SEQ=1 Jul 22 02:48:29 centos7 kernel: TRACE: filter:FORWARD:rule:1 IN=enp125s0f0 OUT=cali2769e3081b5 MAC=b0:08:75:5f:b8:5b:f4:1d:6b:87:53:2a:08:00 SRC=8.8.8.8 DST=10.244.129.130 LEN=84 TOS=0x00 PREC=0x00 TTL=100 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=37 SEQ=1 Jul 22 02:48:29 centos7 kernel: TRACE: filter:cali-FORWARD:rule:1 IN=enp125s0f0 OUT=cali2769e3081b5 MAC=b0:08:75:5f:b8:5b:f4:1d:6b:87:53:2a:08:00 SRC=8.8.8.8 DST=10.244.129.130 LEN=84 TOS=0x00 PREC=0x00 TTL=100 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=37 SEQ=1 Jul 22 02:48:29 centos7 kernel: TRACE: filter:cali-FORWARD:rule:2 IN=enp125s0f0 OUT=cali2769e3081b5 MAC=b0:08:75:5f:b8:5b:f4:1d:6b:87:53:2a:08:00 SRC=8.8.8.8 DST=10.244.129.130 LEN=84 TOS=0x00 PREC=0x00 TTL=100 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=37 SEQ=1 Jul 22 02:48:29 centos7 kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=enp125s0f0 OUT=cali2769e3081b5 MAC=b0:08:75:5f:b8:5b:f4:1d:6b:87:53:2a:08:00 SRC=8.8.8.8 DST=10.244.129.130 LEN=84 TOS=0x00 PREC=0x00 TTL=100 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=37 SEQ=1 Jul 22 02:48:29 centos7 kernel: TRACE: filter:cali-FORWARD:rule:4 IN=enp125s0f0 OUT=cali2769e3081b5 MAC=b0:08:75:5f:b8:5b:f4:1d:6b:87:53:2a:08:00 SRC=8.8.8.8 DST=10.244.129.130 LEN=84 TOS=0x00 PREC=0x00 TTL=100 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=37 SEQ=1 Jul 22 02:48:29 centos7 kernel: TRACE: filter:cali-to-wl-dispatch:rule:2 IN=enp125s0f0 OUT=cali2769e3081b5 MAC=b0:08:75:5f:b8:5b:f4:1d:6b:87:53:2a:08:00 SRC=8.8.8.8 DST=10.244.129.130 LEN=84 TOS=0x00 PREC=0x00 TTL=100 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=37 SEQ=1 Jul 22 02:48:29 centos7 kernel: TRACE: filter:cali-tw-cali2769e3081b5:rule:1 IN=enp125s0f0 OUT=cali2769e3081b5 MAC=b0:08:75:5f:b8:5b:f4:1d:6b:87:53:2a:08:00 SRC=8.8.8.8 DST=10.244.129.130 LEN=84 TOS=0x00 PREC=0x00 TTL=100 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=37 SEQ=1 Jul 22 02:48:29 
centos7 kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=cali2769e3081b5 SRC=8.8.8.8 DST=10.244.129.130 LEN=84 TOS=0x00 PREC=0x00 TTL=100 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=37 SEQ=1 Jul 22 02:48:29 centos7 kernel: TRACE: mangle:cali-POSTROUTING:rule:3 IN= OUT=cali2769e3081b5 SRC=8.8.8.8 DST=10.244.129.130 LEN=84 TOS=0x00 PREC=0x00 TTL=100 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=37 SEQ=1 Jul 22 02:48:29 centos7 kernel: TRACE: mangle:cali-POSTROUTING:return:6 IN= OUT=cali2769e3081b5 SRC=8.8.8.8 DST=10.244.129.130 LEN=84 TOS=0x00 PREC=0x00 TTL=100 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=37 SEQ=1 Jul 22 02:48:29 centos

NodePort
iptables log tracing
[root@centos7 ~]# iptables -t raw -j TRACE -p tcp --dport 30090 -I PREROUTING 1
[root@centos7 ~]# iptables -t raw -j TRACE -p tcp --dport 30090 -I OUTPUT 1
root@ubuntu:~/tenant# cat web-ngx-svc.yml
apiVersion: v1
kind: Service
metadata:
  name: nodeport-svc
  namespace: ns-calico1
spec:
  type: NodePort
  selector:
    app: calico1-nginx
  ports:
    - protocol: TCP
      port: 3000
      targetPort: 80
      nodePort: 30090
root@ubuntu:~/tenant# kubectl get svc -o wide -n ns-calico1
NAME            TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE   SELECTOR
calico1-nginx   ClusterIP   10.101.254.195   <none>        80/TCP           8d    app=nginx
nodeport-svc    NodePort    10.101.100.192   <none>        3000:30090/TCP   14m   app=calico1-nginx
root@ubuntu:~/tenant# kubectl get pods -o wide -n calico1-nginx
No resources found in calico1-nginx namespace.
root@ubuntu:~/tenant# kubectl get pods -n ns-calico1
NAME                             READY   STATUS    RESTARTS   AGE
calico1-busybox                  1/1     Running   197        8d
calico1-nginx-688fdbb89b-vctjv   1/1     Running   0          9d
root@ubuntu:~/tenant# kubectl get pods -n ns-calico1 -o die
error: unable to match a printer suitable for the output format "die", allowed formats are: custom-columns,custom-columns-file,go-template,go-template-file,json,jsonpath,jsonpath-file,name,template,templatefile,wide,yaml
root@ubuntu:~/tenant# kubectl get pods -n ns-calico1 -o wide
NAME                             READY   STATUS    RESTARTS   AGE   IP               NODE      NOMINATED NODE   READINESS GATES
calico1-busybox                  1/1     Running   197        8d    10.244.129.130   centos7   <none>           <none>
calico1-nginx-688fdbb89b-vctjv   1/1     Running   0          9d    10.244.29.18     bogon     <none>           <none>
The service cannot be reached.

Chain FORWARD (policy DROP)

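Packets that end up carrying the mark 0x10000/0x10000 are dropped. The FORWARD chain does have a rule that accepts this mark (rule 9 in the listing below), but the rule that sets it (rule 10, MARK or 0x10000) comes after it, so a packet marked by rule 10 has nothing left to match and falls through to the chain policy, DROP. The counters in the listing agree: 67 packets hit the MARK rule and 67 packets were dropped by the policy. The accept rule: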
-A FORWARD -m comment --comment "cali:S93hcgKJrXEqnTfs" -m comment --comment "Policy explicitly accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT

[root@centos7 ~]# iptables -nL FORWARD --line-number
Chain FORWARD (policy DROP)
num  target            prot opt source      destination
1    cali-FORWARD      all  --  0.0.0.0/0   0.0.0.0/0    /* cali:wUHhoiAYhphO9Mso */
2    KUBE-FORWARD      all  --  0.0.0.0/0   0.0.0.0/0    /* kubernetes forwarding rules */
3    KUBE-SERVICES     all  --  0.0.0.0/0   0.0.0.0/0    ctstate NEW /* kubernetes service portals */
4    DOCKER-ISOLATION  all  --  0.0.0.0/0   0.0.0.0/0
5    DOCKER            all  --  0.0.0.0/0   0.0.0.0/0
6    ACCEPT            all  --  0.0.0.0/0   0.0.0.0/0    ctstate RELATED,ESTABLISHED
7    ACCEPT            all  --  0.0.0.0/0   0.0.0.0/0
8    ACCEPT            all  --  0.0.0.0/0   0.0.0.0/0
9    ACCEPT            all  --  0.0.0.0/0   0.0.0.0/0    /* cali:S93hcgKJrXEqnTfs */ /* Policy explicitly accepted packet. */ mark match 0x10000/0x10000
10   MARK              all  --  0.0.0.0/0   0.0.0.0/0    /* cali:mp77cMpurHhyjLrM */ MARK or 0x10000
[root@centos7 ~]# iptables -t filter -L FORWARD -n -v
Chain FORWARD (policy DROP 67 packets, 4020 bytes)
 pkts bytes target            prot opt in       out       source      destination
 3353  289K cali-FORWARD      all  --  *        *         0.0.0.0/0   0.0.0.0/0    /* cali:wUHhoiAYhphO9Mso */
  283 21108 KUBE-FORWARD      all  --  *        *         0.0.0.0/0   0.0.0.0/0    /* kubernetes forwarding rules */
  266 20088 KUBE-SERVICES     all  --  *        *         0.0.0.0/0   0.0.0.0/0    ctstate NEW /* kubernetes service portals */
  266 20088 DOCKER-ISOLATION  all  --  *        *         0.0.0.0/0   0.0.0.0/0
    0     0 DOCKER            all  --  *        docker0   0.0.0.0/0   0.0.0.0/0
    0     0 ACCEPT            all  --  *        docker0   0.0.0.0/0   0.0.0.0/0    ctstate RELATED,ESTABLISHED
    0     0 ACCEPT            all  --  docker0  !docker0  0.0.0.0/0   0.0.0.0/0
    0     0 ACCEPT            all  --  docker0  docker0   0.0.0.0/0   0.0.0.0/0
  199 16068 ACCEPT            all  --  *        *         0.0.0.0/0   0.0.0.0/0    /* cali:S93hcgKJrXEqnTfs */ /* Policy explicitly accepted packet. */ mark match 0x10000/0x10000
   67  4020 MARK              all  --  *        *         0.0.0.0/0   0.0.0.0/0    /* cali:mp77cMpurHhyjLrM */ MARK or 0x10000
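A trace like the one the telnet attempt below produces is easier to read once it is grouped per packet and reduced to the last hop, the point where NAT rewrote the destination, and the rule that set each mark. The following is an added example, not code from the original page: the sample entries are constructed (abridged from this page's log format), and the POLICIES table and all function names are assumptions, with the DROP policy taken from the Chain FORWARD (policy DROP) header above.

```python
import re
from collections import OrderedDict

STAMP = r"[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \S+ kernel: TRACE: "
# After the syslog prefix: table:chain:kind:rulenum, then the packet fields up to
# the next entry or the end of input (entries may be run together on one line).
ENTRY_RE = re.compile(
    STAMP + r"(\w+):([^:\s]+):(rule|return|policy):(\d+) (.*?)(?=" + STAMP + r"|\Z)",
    re.S)
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
REQUIRED = ("SRC", "DST", "ID", "PROTO")

# Assumption: built-in chain policies are supplied by the caller, because a TRACE
# entry of kind "policy" only says that the policy was applied, not what it is.
POLICIES = {("filter", "FORWARD"): "DROP"}


def parse_trace(text):
    """Group TRACE entries per packet, keeping the order in which hops were logged."""
    # Assumption: (SRC, PROTO, IP ID) identifies one packet. That holds for the TCP
    # trace here; ICMP replies logged with ID=0 would also need SEQ in the key.
    packets = OrderedDict()
    for table, chain, kind, num, rest in ENTRY_RE.findall(text):
        fields = {}
        for key, value in FIELD_RE.findall(rest):
            fields.setdefault(key, value)  # keep the first ID= (the IP ID)
        if not all(name in fields for name in REQUIRED):
            continue  # entry cut off mid-line, e.g. at the end of a truncated dump
        packet = (fields["SRC"], fields["PROTO"], fields["ID"])
        packets.setdefault(packet, []).append({
            "hop": f"{table}:{chain}:{kind}:{num}", "table": table, "chain": chain,
            "kind": kind, "dest": f'{fields["DST"]}:{fields.get("DPT", "-")}',
            "mark": fields.get("MARK")})
    return packets


def summarise(hops, policies):
    """Return the last hop, its verdict, and where destination or mark changed."""
    dest_changed_after, marks = [], []
    for prev, cur in zip(hops, hops[1:]):
        if prev["dest"] != cur["dest"]:  # NAT rewrote DST/DPT after this hop
            dest_changed_after.append((prev["hop"], prev["dest"], cur["dest"]))
        if prev["mark"] != cur["mark"]:
            # The new MARK= value first shows on the entry after the rule that set it.
            marks.append((prev["hop"], cur["mark"]))
    last = hops[-1]
    if last["kind"] == "policy":
        verdict = policies.get((last["table"], last["chain"]), "UNKNOWN")
    else:
        verdict = "ENDS-ON-RULE"  # the log ends on a rule; look that rule up
    return {"last": last["hop"], "verdict": verdict,
            "dest_changed_after": dest_changed_after, "marks": marks}


def analyse(text, policies=POLICIES):
    """Summarise every packet found in a TRACE log."""
    return {pkt: summarise(hops, policies) for pkt, hops in parse_trace(text).items()}


# Constructed sample: two SYNs modelled on this page's NodePort trace, with most
# hops and several header fields (MAC, TOS, WINDOW, OPT) left out, followed by
# one entry that is cut off mid-line.
SAMPLE = """
Jul 22 23:41:19 centos7 kernel: TRACE: raw:PREROUTING:policy:5 IN=enp125s0f0 OUT= SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TTL=64 ID=9362 DF PROTO=TCP SPT=54910 DPT=30090 SYN
Jul 22 23:41:19 centos7 kernel: TRACE: nat:KUBE-MARK-MASQ:rule:1 IN=enp125s0f0 OUT= SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TTL=64 ID=9362 DF PROTO=TCP SPT=54910 DPT=30090 SYN
Jul 22 23:41:19 centos7 kernel: TRACE: nat:KUBE-SEP-2RKZ3KM6TGCI2FEZ:rule:2 IN=enp125s0f0 OUT= SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TTL=64 ID=9362 DF PROTO=TCP SPT=54910 DPT=30090 SYN MARK=0x4000
Jul 22 23:41:19 centos7 kernel: TRACE: filter:KUBE-FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TTL=63 ID=9362 DF PROTO=TCP SPT=54910 DPT=80 SYN MARK=0x4000
Jul 22 23:41:20 centos7 kernel: TRACE: raw:PREROUTING:policy:5 IN=enp125s0f0 OUT= SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TTL=64 ID=9363 DF PROTO=TCP SPT=54910 DPT=30090 SYN
Jul 22 23:41:20 centos7 kernel: TRACE: mangle:PREROUTING:policy:2 IN=enp125s0f0 OUT= SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TTL=64 ID=9363 DF PROTO=TCP SPT=54910 DPT=30090 SYN
Jul 22 23:41:20 centos7 kernel: TRACE: mangle:FORWARD:policy:1 IN=enp125s0f0 OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TTL=63 ID=9363 DF PROTO=TCP SPT=54910 DPT=80 SYN
Jul 22 23:41:20 centos7 kernel: TRACE: filter:FORWARD:rule:10 IN=enp125s0f0 OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TTL=63 ID=9363 DF PROTO=TCP SPT=54910 DPT=80 SYN
Jul 22 23:41:20 centos7 kernel: TRACE: filter:FORWARD:policy:11 IN=enp125s0f0 OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TTL=63 ID=9363 DF PROTO=TCP SPT=54910 DPT=80 SYN MARK=0x10000
Jul 22 23:41:22 centos7 kernel: TRACE: raw:PREROUTING:policy:5 IN=enp125s0f0 OUT= SRC=10.10.16.82 DST=10.10
"""

if __name__ == "__main__":
    for pkt, info in analyse(SAMPLE).items():
        print(pkt, info)
```

A packet whose last hop is of kind policy in a chain with policy DROP was dropped by that chain; any other last hop means the log ended on a rule, and that rule has to be looked up in the iptables listing.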
root@ubuntu:~/tenant# telnet 10.10.16.251 30090
Trying 10.10.16.251...
^C
Jul 22 23:41:19 centos7 kernel: TRACE: raw:PREROUTING:policy:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9362 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) Jul 22 23:41:19 centos7 kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9362 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) Jul 22 23:41:19 centos7 kernel: TRACE: mangle:cali-PREROUTING:rule:3 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9362 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) Jul 22 23:41:19 centos7 kernel: TRACE: mangle:cali-from-host-endpoint:return:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9362 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) Jul 22 23:41:19 centos7 kernel: TRACE: mangle:cali-PREROUTING:return:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9362 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) Jul 22 23:41:19 centos7 kernel: TRACE: mangle:PREROUTING:policy:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9362 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN 
URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) Jul 22 23:41:19 centos7 kernel: TRACE: nat:PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9362 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) Jul 22 23:41:19 centos7 kernel: TRACE: nat:cali-PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9362 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) Jul 22 23:41:19 centos7 kernel: TRACE: nat:cali-fip-dnat:return:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9362 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) Jul 22 23:41:19 centos7 kernel: TRACE: nat:cali-PREROUTING:return:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9362 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) Jul 22 23:41:19 centos7 kernel: TRACE: nat:PREROUTING:rule:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9362 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) Jul 22 23:41:19 centos7 kernel: TRACE: nat:KUBE-SERVICES:rule:13 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9362 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 
WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) Jul 22 23:41:19 centos7 kernel: TRACE: nat:KUBE-NODEPORTS:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9362 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) Jul 22 23:41:19 centos7 kernel: TRACE: nat:KUBE-MARK-MASQ:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9362 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) Jul 22 23:41:19 centos7 kernel: TRACE: nat:KUBE-MARK-MASQ:return:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9362 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) MARK=0x4000 Jul 22 23:41:19 centos7 kernel: TRACE: nat:KUBE-NODEPORTS:rule:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9362 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) MARK=0x4000 Jul 22 23:41:19 centos7 kernel: TRACE: nat:KUBE-SVC-LR6KBEL46TKXCUNE:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9362 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) MARK=0x4000 Jul 22 23:41:19 centos7 kernel: TRACE: nat:KUBE-SEP-2RKZ3KM6TGCI2FEZ:rule:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 
TOS=0x10 PREC=0x00 TTL=64 ID=9362 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) MARK=0x4000 Jul 22 23:41:19 centos7 kernel: TRACE: mangle:FORWARD:policy:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9362 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) MARK=0x4000 Jul 22 23:41:19 centos7 kernel: TRACE: filter:FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9362 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) MARK=0x4000 Jul 22 23:41:19 centos7 kernel: TRACE: filter:cali-FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9362 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) MARK=0x4000 Jul 22 23:41:19 centos7 kernel: TRACE: filter:cali-FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9362 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) MARK=0x4000 Jul 22 23:41:19 centos7 kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9362 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) MARK=0x4000 Jul 22 23:41:19 centos7 kernel: TRACE: 
filter:cali-FORWARD:rule:5 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9362 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) MARK=0x4000 Jul 22 23:41:19 centos7 kernel: TRACE: filter:cali-to-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9362 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) MARK=0x4000 Jul 22 23:41:19 centos7 kernel: TRACE: filter:cali-FORWARD:rule:6 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9362 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) MARK=0x4000 Jul 22 23:41:19 centos7 kernel: TRACE: filter:cali-cidr-block:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9362 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) MARK=0x4000 Jul 22 23:41:19 centos7 kernel: TRACE: filter:cali-FORWARD:return:7 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9362 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) MARK=0x4000 Jul 22 23:41:19 centos7 kernel: TRACE: filter:FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9362 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 
WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) MARK=0x4000 Jul 22 23:41:19 centos7 kernel: TRACE: filter:KUBE-FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9362 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) MARK=0x4000 Jul 22 23:41:19 centos7 kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9362 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) MARK=0x4000 Jul 22 23:41:19 centos7 kernel: TRACE: mangle:cali-POSTROUTING:rule:3 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9362 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) MARK=0x4000 Jul 22 23:41:19 centos7 kernel: TRACE: mangle:cali-POSTROUTING:rule:4 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9362 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) MARK=0x4000 Jul 22 23:41:19 centos7 kernel: TRACE: mangle:cali-to-host-endpoint:return:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9362 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) MARK=0x4000 Jul 22 23:41:19 centos7 kernel: TRACE: mangle:cali-POSTROUTING:return:6 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9362 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) MARK=0x4000 Jul 22 23:41:19 centos7 kernel: TRACE: 
mangle:POSTROUTING:policy:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9362 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) MARK=0x4000 Jul 22 23:41:20 centos7 kernel: TRACE: nat:POSTROUTING:rule:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9362 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) MARK=0x4000 Jul 22 23:41:20 centos7 kernel: TRACE: nat:cali-POSTROUTING:rule:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9362 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) MARK=0x4000 Jul 22 23:41:20 centos7 kernel: TRACE: nat:cali-fip-snat:return:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9362 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) MARK=0x4000 Jul 22 23:41:20 centos7 kernel: TRACE: nat:cali-POSTROUTING:rule:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9362 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) MARK=0x4000 Jul 22 23:41:20 centos7 kernel: TRACE: nat:cali-nat-outgoing:return:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9362 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) MARK=0x4000 Jul 22 23:41:20 centos7 kernel: TRACE: nat:cali-POSTROUTING:return:4 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9362 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT 
(020405B40402080AFCA7EB810000000001030307) MARK=0x4000 Jul 22 23:41:20 centos7 kernel: TRACE: nat:POSTROUTING:rule:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9362 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) MARK=0x4000 Jul 22 23:41:20 centos7 kernel: TRACE: nat:KUBE-POSTROUTING:rule:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9362 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EB810000000001030307) MARK=0x4000 Jul 22 23:41:20 centos7 kernel: TRACE: raw:PREROUTING:policy:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9363 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EF860000000001030307) Jul 22 23:41:20 centos7 kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9363 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EF860000000001030307) Jul 22 23:41:20 centos7 kernel: TRACE: mangle:cali-PREROUTING:rule:3 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9363 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EF860000000001030307) Jul 22 23:41:20 centos7 kernel: TRACE: mangle:cali-from-host-endpoint:return:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9363 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT 
(020405B40402080AFCA7EF860000000001030307) Jul 22 23:41:20 centos7 kernel: TRACE: mangle:cali-PREROUTING:return:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9363 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EF860000000001030307) Jul 22 23:41:20 centos7 kernel: TRACE: mangle:PREROUTING:policy:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9363 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EF860000000001030307) Jul 22 23:41:20 centos7 kernel: TRACE: mangle:FORWARD:policy:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9363 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EF860000000001030307) Jul 22 23:41:20 centos7 kernel: TRACE: filter:FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9363 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EF860000000001030307) Jul 22 23:41:20 centos7 kernel: TRACE: filter:cali-FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9363 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EF860000000001030307) Jul 22 23:41:20 centos7 kernel: TRACE: filter:cali-FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9363 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 
ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EF860000000001030307) Jul 22 23:41:20 centos7 kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9363 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EF860000000001030307) Jul 22 23:41:20 centos7 kernel: TRACE: filter:cali-FORWARD:rule:5 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9363 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EF860000000001030307) Jul 22 23:41:20 centos7 kernel: TRACE: filter:cali-to-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9363 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EF860000000001030307) Jul 22 23:41:20 centos7 kernel: TRACE: filter:cali-FORWARD:rule:6 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9363 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EF860000000001030307) Jul 22 23:41:20 centos7 kernel: TRACE: filter:cali-cidr-block:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9363 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EF860000000001030307) Jul 22 23:41:20 centos7 kernel: TRACE: filter:cali-FORWARD:return:7 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 
TOS=0x10 PREC=0x00 TTL=63 ID=9363 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EF860000000001030307) Jul 22 23:41:20 centos7 kernel: TRACE: filter:FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9363 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EF860000000001030307) Jul 22 23:41:20 centos7 kernel: TRACE: filter:KUBE-FORWARD:return:5 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9363 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EF860000000001030307) Jul 22 23:41:20 centos7 kernel: TRACE: filter:FORWARD:rule:3 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9363 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EF860000000001030307) Jul 22 23:41:20 centos7 kernel: TRACE: filter:KUBE-SERVICES:return:3 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9363 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EF860000000001030307) Jul 22 23:41:20 centos7 kernel: TRACE: filter:FORWARD:rule:4 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9363 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EF860000000001030307) Jul 22 23:41:20 centos7 kernel: TRACE: filter:DOCKER-ISOLATION:return:1 IN=enp125s0f0 OUT=tunl0 
MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9363 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EF860000000001030307) Jul 22 23:41:20 centos7 kernel: TRACE: filter:FORWARD:rule:10 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9363 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EF860000000001030307) Jul 22 23:41:20 centos7 kernel: TRACE: filter:FORWARD:policy:11 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9363 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7EF860000000001030307) MARK=0x10000 Jul 22 23:41:22 centos7 kernel: TRACE: raw:PREROUTING:policy:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9364 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7F7660000000001030307) Jul 22 23:41:22 centos7 kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9364 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7F7660000000001030307) Jul 22 23:41:22 centos7 kernel: TRACE: mangle:cali-PREROUTING:rule:3 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9364 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7F7660000000001030307) Jul 22 23:41:22 centos7 kernel: TRACE: 
mangle:cali-from-host-endpoint:return:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9364 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7F7660000000001030307) Jul 22 23:41:22 centos7 kernel: TRACE: mangle:cali-PREROUTING:return:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9364 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7F7660000000001030307) Jul 22 23:41:22 centos7 kernel: TRACE: mangle:PREROUTING:policy:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9364 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7F7660000000001030307) Jul 22 23:41:22 centos7 kernel: TRACE: mangle:FORWARD:policy:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9364 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7F7660000000001030307) Jul 22 23:41:22 centos7 kernel: TRACE: filter:FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9364 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7F7660000000001030307) Jul 22 23:41:22 centos7 kernel: TRACE: filter:cali-FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9364 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT 
(020405B40402080AFCA7F7660000000001030307) Jul 22 23:41:22 centos7 kernel: TRACE: filter:cali-FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9364 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7F7660000000001030307) Jul 22 23:41:22 centos7 kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9364 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7F7660000000001030307) Jul 22 23:41:22 centos7 kernel: TRACE: filter:cali-FORWARD:rule:5 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9364 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7F7660000000001030307) Jul 22 23:41:22 centos7 kernel: TRACE: filter:cali-to-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9364 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7F7660000000001030307) Jul 22 23:41:22 centos7 kernel: TRACE: filter:cali-FORWARD:rule:6 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9364 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7F7660000000001030307) Jul 22 23:41:22 centos7 kernel: TRACE: filter:cali-cidr-block:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9364 DF PROTO=TCP 
SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7F7660000000001030307) Jul 22 23:41:22 centos7 kernel: TRACE: filter:cali-FORWARD:return:7 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9364 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7F7660000000001030307) Jul 22 23:41:22 centos7 kernel: TRACE: filter:FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9364 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7F7660000000001030307) Jul 22 23:41:22 centos7 kernel: TRACE: filter:KUBE-FORWARD:return:5 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9364 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7F7660000000001030307) Jul 22 23:41:22 centos7 kernel: TRACE: filter:FORWARD:rule:3 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9364 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7F7660000000001030307) Jul 22 23:41:22 centos7 kernel: TRACE: filter:KUBE-SERVICES:return:3 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9364 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7F7660000000001030307) Jul 22 23:41:22 centos7 kernel: TRACE: filter:FORWARD:rule:4 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 
PREC=0x00 TTL=63 ID=9364 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7F7660000000001030307) Jul 22 23:41:22 centos7 kernel: TRACE: filter:DOCKER-ISOLATION:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9364 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7F7660000000001030307) Jul 22 23:41:22 centos7 kernel: TRACE: filter:FORWARD:rule:10 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9364 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7F7660000000001030307) Jul 22 23:41:22 centos7 kernel: TRACE: filter:FORWARD:policy:11 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9364 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA7F7660000000001030307) MARK=0x10000 Jul 22 23:41:26 centos7 kernel: TRACE: raw:PREROUTING:policy:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9365 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA807E60000000001030307) Jul 22 23:41:26 centos7 kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9365 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA807E60000000001030307) Jul 22 23:41:26 centos7 kernel: TRACE: mangle:cali-PREROUTING:rule:3 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 
SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9365 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA807E60000000001030307) Jul 22 23:41:26 centos7 kernel: TRACE: mangle:cali-from-host-endpoint:return:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9365 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA807E60000000001030307) Jul 22 23:41:26 centos7 kernel: TRACE: mangle:cali-PREROUTING:return:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9365 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA807E60000000001030307) Jul 22 23:41:26 centos7 kernel: TRACE: mangle:PREROUTING:policy:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=9365 DF PROTO=TCP SPT=54910 DPT=30090 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA807E60000000001030307) Jul 22 23:41:26 centos7 kernel: TRACE: mangle:FORWARD:policy:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9365 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA807E60000000001030307) Jul 22 23:41:26 centos7 kernel: TRACE: filter:FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9365 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA807E60000000001030307) Jul 22 23:41:26 centos7 kernel: TRACE: filter:cali-FORWARD:rule:1 IN=enp125s0f0 
OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9365 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA807E60000000001030307) Jul 22 23:41:26 centos7 kernel: TRACE: filter:cali-FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9365 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA807E60000000001030307) Jul 22 23:41:26 centos7 kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9365 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA807E60000000001030307) Jul 22 23:41:26 centos7 kernel: TRACE: filter:cali-FORWARD:rule:5 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9365 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA807E60000000001030307) Jul 22 23:41:26 centos7 kernel: TRACE: filter:cali-to-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9365 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA807E60000000001030307) Jul 22 23:41:26 centos7 kernel: TRACE: filter:cali-FORWARD:rule:6 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9365 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA807E60000000001030307) Jul 22 
23:41:26 centos7 kernel: TRACE: filter:cali-cidr-block:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9365 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA807E60000000001030307) Jul 22 23:41:26 centos7 kernel: TRACE: filter:cali-FORWARD:return:7 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9365 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA807E60000000001030307) Jul 22 23:41:26 centos7 kernel: TRACE: filter:FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9365 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA807E60000000001030307) Jul 22 23:41:26 centos7 kernel: TRACE: filter:KUBE-FORWARD:return:5 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9365 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA807E60000000001030307) Jul 22 23:41:26 centos7 kernel: TRACE: filter:FORWARD:rule:3 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9365 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA807E60000000001030307) Jul 22 23:41:26 centos7 kernel: TRACE: filter:KUBE-SERVICES:return:3 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9365 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT 
(020405B40402080AFCA807E60000000001030307) Jul 22 23:41:26 centos7 kernel: TRACE: filter:FORWARD:rule:4 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9365 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA807E60000000001030307) Jul 22 23:41:26 centos7 kernel: TRACE: filter:DOCKER-ISOLATION:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9365 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA807E60000000001030307) Jul 22 23:41:26 centos7 kernel: TRACE: filter:FORWARD:rule:10 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9365 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA807E60000000001030307) Jul 22 23:41:26 centos7 kernel: TRACE: filter:FORWARD:policy:11 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=9365 DF PROTO=TCP SPT=54910 DPT=80 SEQ=1066243124 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA807E60000000001030307) MARK=0x10000




A new connection starts from nat:
Jul 23 04:47:48 centos7 kernel: TRACE: raw:PREROUTING:policy:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) Jul 23 04:47:48 centos7 kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) Jul 23 04:47:48 centos7 kernel: TRACE: mangle:cali-PREROUTING:rule:3 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) Jul 23 04:47:48 centos7 kernel: TRACE: mangle:cali-from-host-endpoint:return:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) Jul 23 04:47:48 centos7 kernel: TRACE: mangle:cali-PREROUTING:return:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) Jul 23 04:47:48 centos7 kernel: TRACE: mangle:PREROUTING:policy:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN 
URGP=0 OPT (020405B40402080AFDC084D90000000001030307) Jul 23 04:47:48 centos7 kernel: TRACE: nat:PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) Jul 23 04:47:48 centos7 kernel: TRACE: nat:cali-PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) Jul 23 04:47:48 centos7 kernel: TRACE: nat:cali-fip-dnat:return:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) Jul 23 04:47:48 centos7 kernel: TRACE: nat:cali-PREROUTING:return:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) Jul 23 04:47:48 centos7 kernel: TRACE: nat:PREROUTING:rule:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) Jul 23 04:47:48 centos7 kernel: TRACE: nat:KUBE-SERVICES:rule:13 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 
WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) Jul 23 04:47:48 centos7 kernel: TRACE: nat:KUBE-NODEPORTS:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) Jul 23 04:47:48 centos7 kernel: TRACE: nat:KUBE-MARK-MASQ:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) Jul 23 04:47:48 centos7 kernel: TRACE: nat:KUBE-MARK-MASQ:return:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000 Jul 23 04:47:48 centos7 kernel: TRACE: nat:KUBE-NODEPORTS:rule:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000 Jul 23 04:47:48 centos7 kernel: TRACE: nat:KUBE-SVC-LR6KBEL46TKXCUNE:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000 Jul 23 04:47:48 centos7 kernel: TRACE: nat:KUBE-SEP-2RKZ3KM6TGCI2FEZ:rule:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 
TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000 Jul 23 04:47:48 centos7 kernel: TRACE: mangle:FORWARD:policy:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000 Jul 23 04:47:48 centos7 kernel: TRACE: filter:FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000 Jul 23 04:47:48 centos7 kernel: TRACE: filter:cali-FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000 Jul 23 04:47:48 centos7 kernel: TRACE: filter:cali-FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000 Jul 23 04:47:48 centos7 kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000 Jul 23 04:47:49 centos7 kernel: TRACE: 
filter:cali-FORWARD:rule:5 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000 Jul 23 04:47:49 centos7 kernel: TRACE: filter:cali-to-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000 Jul 23 04:47:49 centos7 kernel: TRACE: filter:cali-FORWARD:rule:6 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000 Jul 23 04:47:49 centos7 kernel: TRACE: filter:cali-cidr-block:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000 Jul 23 04:47:49 centos7 kernel: TRACE: filter:cali-FORWARD:return:7 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000 Jul 23 04:47:49 centos7 kernel: TRACE: filter:FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 
WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000 Jul 23 04:47:49 centos7 kernel: TRACE: filter:KUBE-FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000 Jul 23 04:47:49 centos7 kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000 Jul 23 04:47:49 centos7 kernel: TRACE: mangle:cali-POSTROUTING:rule:3 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000 Jul 23 04:47:49 centos7 kernel: TRACE: mangle:cali-POSTROUTING:rule:4 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000 Jul 23 04:47:49 centos7 kernel: TRACE: mangle:cali-to-host-endpoint:return:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000 Jul 23 04:47:49 centos7 kernel: TRACE: mangle:cali-POSTROUTING:return:6 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000 Jul 23 04:47:49 centos7 kernel: TRACE: 
mangle:POSTROUTING:policy:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000 Jul 23 04:47:49 centos7 kernel: TRACE: nat:POSTROUTING:rule:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000 Jul 23 04:47:49 centos7 kernel: TRACE: nat:cali-POSTROUTING:rule:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000 Jul 23 04:47:49 centos7 kernel: TRACE: nat:cali-fip-snat:return:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000 Jul 23 04:47:49 centos7 kernel: TRACE: nat:cali-POSTROUTING:rule:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000 Jul 23 04:47:49 centos7 kernel: TRACE: nat:cali-nat-outgoing:return:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000 Jul 23 04:47:49 centos7 kernel: TRACE: nat:cali-POSTROUTING:return:4 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT 
(020405B40402080AFDC084D90000000001030307) MARK=0x4000 Jul 23 04:47:49 centos7 kernel: TRACE: nat:POSTROUTING:rule:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000 Jul 23 04:47:49 centos7 kernel: TRACE: nat:KUBE-POSTROUTING:rule:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000
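Traces like the ones above are easier to read once the records are regrouped per packet. The following is an added example, not part of the original post: it splits a wrapped, run-together log on the `TRACE:` marker, groups hops by SRC/SPT/ID, and reports the tables visited, the point where DST/DPT were rewritten, the marks seen, and retransmitted segments (same SEQ, new ID). The function names and the abridged `SAMPLE` text are constructed for illustration.

```python
import re
from collections import OrderedDict

# Constructed sample: records modelled on the trace format above, abridged
# (fewer fields and hops) and deliberately run together / wrapped mid-record.
SAMPLE = """\
Jul 23 04:47:48 centos7 kernel: TRACE: raw:PREROUTING:policy:5 IN=enp125s0f0 OUT= SRC=10.10.16.82 DST=10.10.16.251 ID=1420 PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 SYN Jul 23 04:47:48 centos7 kernel: TRACE:
nat:KUBE-NODEPORTS:rule:1 IN=enp125s0f0 OUT= SRC=10.10.16.82 DST=10.10.16.251 ID=1420 PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 SYN Jul 23 04:47:48 centos7 kernel: TRACE: nat:KUBE-MARK-MASQ:return:2 IN=enp125s0f0 OUT= SRC=10.10.16.82
DST=10.10.16.251 ID=1420 PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 SYN MARK=0x4000 Jul 23 04:47:48 centos7 kernel: TRACE: nat:KUBE-SEP-2RKZ3KM6TGCI2FEZ:rule:2 IN=enp125s0f0 OUT= SRC=10.10.16.82 DST=10.10.16.251 ID=1420 PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 SYN MARK=0x4000
Jul 23 04:47:48 centos7 kernel: TRACE: mangle:FORWARD:policy:1 IN=enp125s0f0 OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 ID=1420 PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 SYN MARK=0x4000 Jul 23 04:47:49 centos7 kernel: TRACE: filter:KUBE-FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 ID=1420 PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 SYN MARK=0x4000
Jul 23 04:47:49 centos7 kernel: TRACE: nat:KUBE-POSTROUTING:rule:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 ID=1420 PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 SYN MARK=0x4000 Jul 23 04:47:49 centos7 kernel: TRACE: raw:PREROUTING:policy:5 IN=enp125s0f0 OUT= SRC=10.10.16.82 DST=10.10.16.251 ID=1421 PROTO=TCP SPT=49910
DPT=30090 SEQ=4033598320 SYN Jul 23 04:47:49 centos7 kernel: TRACE: mangle:PREROUTING:policy:2 IN=enp125s0f0 OUT= SRC=10.10.16.82 DST=10.10.16.251 ID=1421 PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 SYN Jul 23 04:47:49 centos7 kernel: TRACE: mangle:FORWARD:policy:1 IN=enp125s0f0 OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 ID=1421 PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 SYN
Jul 23 04:47:49 centos7 kernel: TRACE: filter:cali-FORWARD:rule:5 IN=enp125s0f0 OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 ID=1421 PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 SYN
"""

# "TRACE: table:chain:type:rulenum", where type is rule, return or policy.
HOP_RE = re.compile(r"TRACE:\s*(\w+):([^:\s]+):(rule|return|policy):(\d+)")
# KEY=value pairs; the value may be empty (e.g. "OUT=" before routing).
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_trace(text):
    """Return one dict per TRACE record, in log order, ignoring line wrapping."""
    flat = " ".join(text.split())  # undo arbitrary wrapping between records
    found = list(HOP_RE.finditer(flat))
    hops = []
    for i, m in enumerate(found):
        end = found[i + 1].start() if i + 1 < len(found) else len(flat)
        hop = dict(KV_RE.findall(flat[m.end():end]))
        hop["hop"] = ":".join(m.groups())  # e.g. nat:KUBE-MARK-MASQ:return:2
        hop["table"] = m.group(1)
        hops.append(hop)
    return hops


def group_packets(hops):
    """Group hops per packet; DST/DPT stay out of the key because DNAT rewrites them."""
    packets = OrderedDict()
    for h in hops:
        packets.setdefault((h.get("SRC"), h.get("SPT"), h.get("ID")), []).append(h)
    return packets


def summarize(pkt_hops):
    """Tables visited, first DST:DPT rewrite and the hop it followed, marks, last hop."""
    tables, marks, dnat, dnat_after = [], [], None, None
    first_dst = "%s:%s" % (pkt_hops[0].get("DST"), pkt_hops[0].get("DPT"))
    prev = pkt_hops[0]
    for h in pkt_hops:
        if h["table"] not in tables:
            tables.append(h["table"])
        if "MARK" in h and h["MARK"] not in marks:
            marks.append(h["MARK"])
        dst = "%s:%s" % (h.get("DST"), h.get("DPT"))
        if dnat is None and dst != first_dst:
            # The rewrite became visible right after the previous logged hop.
            dnat, dnat_after = (first_dst, dst), prev["hop"]
        prev = h
    return {"tables": tables, "marks": marks, "dnat": dnat,
            "dnat_after": dnat_after, "last_hop": pkt_hops[-1]["hop"]}


def find_retransmits(packets):
    """Same SRC/SPT/SEQ under a different IP ID: the sender re-sent the segment."""
    seen, pairs = {}, []
    for (src, spt, ip_id), hops in packets.items():
        flow = (src, spt, hops[0].get("SEQ"))
        if flow in seen and seen[flow] != ip_id:
            pairs.append((seen[flow], ip_id))
        seen.setdefault(flow, ip_id)
    return pairs


def report(text):
    """One summary line per packet."""
    out = []
    for (src, spt, ip_id), hops in group_packets(parse_trace(text)).items():
        s = summarize(hops)
        out.append("ID=%s tables=%s dnat=%s (after %s) marks=%s last=%s" % (
            ip_id, ">".join(s["tables"]), s["dnat"], s["dnat_after"],
            ",".join(s["marks"]) or "-", s["last_hop"]))
    return out


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
    print("retransmits:", find_retransmits(group_packets(parse_trace(SAMPLE))))
```

A packet whose summary lacks `nat` in its table list belongs to a connection conntrack already knows; netfilter consults the nat table only for the first packet of a connection and reuses the stored mapping afterwards.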
The ID changes:
Jul 23 04:47:49 centos7 kernel: TRACE: raw:PREROUTING:policy:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1421 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307) Jul 23 04:47:49 centos7 kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1421 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307) Jul 23 04:47:49 centos7 kernel: TRACE: mangle:cali-PREROUTING:rule:3 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1421 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307) Jul 23 04:47:49 centos7 kernel: TRACE: mangle:cali-from-host-endpoint:return:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1421 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307) Jul 23 04:47:49 centos7 kernel: TRACE: mangle:cali-PREROUTING:return:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1421 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307) Jul 23 04:47:49 centos7 kernel: TRACE: mangle:PREROUTING:policy:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1421 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 
SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307) Jul 23 04:47:49 centos7 kernel: TRACE: mangle:FORWARD:policy:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307) Jul 23 04:47:49 centos7 kernel: TRACE: filter:FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307) Jul 23 04:47:49 centos7 kernel: TRACE: filter:cali-FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307) Jul 23 04:47:49 centos7 kernel: TRACE: filter:cali-FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307) Jul 23 04:47:49 centos7 kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307) Jul 23 04:47:49 centos7 kernel: TRACE: filter:cali-FORWARD:rule:5 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 
DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307) Jul 23 04:47:49 centos7 kernel: TRACE: filter:cali-to-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307) Jul 23 04:47:49 centos7 kernel: TRACE: filter:cali-FORWARD:rule:6 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307) Jul 23 04:47:49 centos7 kernel: TRACE: filter:cali-cidr-block:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307) Jul 23 04:47:49 centos7 kernel: TRACE: filter:cali-FORWARD:return:7 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307) Jul 23 04:47:50 centos7 kernel: TRACE: filter:FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307) Jul 23 04:47:50 centos7 kernel: TRACE: filter:KUBE-FORWARD:return:5 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 
LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307) Jul 23 04:47:50 centos7 kernel: TRACE: filter:FORWARD:rule:3 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307) Jul 23 04:47:50 centos7 kernel: TRACE: filter:KUBE-SERVICES:return:3 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307) Jul 23 04:47:50 centos7 kernel: TRACE: filter:FORWARD:rule:4 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307) Jul 23 04:47:50 centos7 kernel: TRACE: filter:DOCKER-ISOLATION:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307) Jul 23 04:47:50 centos7 kernel: TRACE: filter:FORWARD:rule:10 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307) Jul 23 04:47:50 centos7 kernel: TRACE: filter:FORWARD:policy:11 IN=enp125s0f0 OUT=tunl0 
MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307) MARK=0x10000
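An added example (not part of the original page): a small Python parser for TRACE entries like the ones in this log that rebuilds each packet's table:chain path and reports where SRC, DST, SPT, DPT, TTL or MARK change between hops. It keys packets on ID, PROTO and SEQ together, an assumption made here because the 16-bit IP ID alone can match unrelated flows; the sample input is constructed by abridging entries from this page's log.

```python
import re
from collections import OrderedDict

# Constructed sample: entries abridged from this page's log (MAC, LEN, TOS, PREC,
# WINDOW, RES and OPT dropped) and run together on one line, as in a flattened log.
_PRE = ("IN=enp125s0f0 OUT= SRC=10.10.16.82 DST=10.10.16.251 TTL=64 ID=1420 DF "
        "PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 SYN URGP=0")
_FWD = ("IN=enp125s0f0 OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 TTL=63 ID={id} DF "
        "PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 SYN URGP=0")
_P48 = "Jul 23 04:47:48 centos7 kernel: TRACE: "
SAMPLE = " ".join([
    # Unrelated outbound flow that happens to carry the same IP ID.
    "Jul 21 13:09:03 centos7 kernel: TRACE: raw:OUTPUT:rule:3 IN= OUT=enp125s0f0 "
    "SRC=10.10.16.251 DST=103.109.101.20 TTL=64 ID=1420 DF PROTO=TCP SPT=42694 "
    "DPT=80 SEQ=1810758209 ACK=2425589182 ACK URGP=0 UID=0 GID=0",
    _P48 + "nat:KUBE-MARK-MASQ:rule:1 " + _PRE,
    _P48 + "nat:KUBE-MARK-MASQ:return:2 " + _PRE + " MARK=0x4000",
    _P48 + "nat:KUBE-SEP-2RKZ3KM6TGCI2FEZ:rule:2 " + _PRE + " MARK=0x4000",
    _P48 + "mangle:FORWARD:policy:1 " + _FWD.format(id=1420) + " MARK=0x4000",
    # Retransmitted SYN: same SEQ, new ID.
    "Jul 23 04:47:49 centos7 kernel: TRACE: mangle:FORWARD:policy:1 " + _FWD.format(id=1421),
])

# A syslog header followed by "kernel: TRACE: " starts every entry; using it as the
# delimiter lets the parser handle both one-entry-per-line and run-together text.
HEADER = r"[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \S+ kernel: TRACE: "
ENTRY = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ kernel: TRACE: "
    r"(?P<hook>\w+:[\w-]+:(?:rule|return|policy):\d+) "
    r"(?P<body>.*?)(?=" + HEADER + r"|\Z)",
    re.S,
)
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")   # KEY=value pairs; bare flags (SYN, DF) are skipped
WATCHED = ("SRC", "DST", "SPT", "DPT", "TTL", "MARK")


def parse_trace(text):
    """Return one dict per TRACE entry: header fields plus 'ts' and 'hook'."""
    hops = []
    for m in ENTRY.finditer(text):
        hop = dict(FIELD.findall(m.group("body")))
        hop["ts"] = m.group("ts")
        hop["hook"] = m.group("hook")      # table:chain:type:rulenum
        hops.append(hop)
    return hops


def group_packets(hops):
    """Group hops per packet. SEQ survives NAT, so (ID, PROTO, SEQ) keeps one packet
    together across the DNAT rewrite while separating flows that share an ID."""
    packets = OrderedDict()
    for hop in hops:
        key = (hop.get("ID"), hop.get("PROTO"), hop.get("SEQ"))
        packets.setdefault(key, []).append(hop)
    return packets


def rewrites(hops):
    """List (hook_before, hook_after, field, old, new) for every watched field
    whose value differs between two consecutive hops of one packet."""
    changes = []
    for prev, cur in zip(hops, hops[1:]):
        for field in WATCHED:
            if prev.get(field) != cur.get(field):
                changes.append((prev["hook"], cur["hook"], field,
                                prev.get(field), cur.get(field)))
    return changes


if __name__ == "__main__":
    for key, hops in group_packets(parse_trace(SAMPLE)).items():
        print("packet ID=%s PROTO=%s SEQ=%s" % key)
        print("  path: " + " -> ".join(h["hook"] for h in hops))
        for before, after, field, old, new in rewrites(hops):
            print("  %s: %s -> %s (between %s and %s)" % (field, old, new, before, after))
```

To run it against a real log, pass the file contents to `parse_trace()` instead of `SAMPLE`.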
[root@centos7 ~]# cat /var/log/kern.debug.log | grep 'ID=1420'
Jul 21 13:09:03 centos7 kernel: TRACE: raw:OUTPUT:rule:3 IN= OUT=enp125s0f0 SRC=10.10.16.251 DST=103.109.101.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=42694 DPT=80 SEQ=1810758209 ACK=2425589182 WINDOW=398 RES=0x00 ACK URGP=0 OPT (0101080A51EA8ABF022AF1B7) UID=0 GID=0
Jul 21 13:09:03 centos7 kernel: TRACE: raw:OUTPUT:policy:5 IN= OUT=enp125s0f0 SRC=10.10.16.251 DST=103.109.101.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=42694 DPT=80 SEQ=1810758209 ACK=2425589182 WINDOW=398 RES=0x00 ACK URGP=0 OPT (0101080A51EA8ABF022AF1B7) UID=0 GID=0
Jul 21 13:09:03 centos7 kernel: TRACE: mangle:OUTPUT:policy:1 IN= OUT=enp125s0f0 SRC=10.10.16.251 DST=103.109.101.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=42694 DPT=80 SEQ=1810758209 ACK=2425589182 WINDOW=398 RES=0x00 ACK URGP=0 OPT (0101080A51EA8ABF022AF1B7) UID=0 GID=0
Jul 21 13:09:03 centos7 kernel: TRACE: filter:OUTPUT:rule:1 IN= OUT=enp125s0f0 SRC=10.10.16.251 DST=103.109.101.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=42694 DPT=80 SEQ=1810758209 ACK=2425589182 WINDOW=398 RES=0x00 ACK URGP=0 OPT (0101080A51EA8ABF022AF1B7) UID=0 GID=0
Jul 21 13:09:03 centos7 kernel: TRACE: filter:cali-OUTPUT:rule:5 IN= OUT=enp125s0f0 SRC=10.10.16.251 DST=103.109.101.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=42694 DPT=80 SEQ=1810758209 ACK=2425589182 WINDOW=398 RES=0x00 ACK URGP=0 OPT (0101080A51EA8ABF022AF1B7) UID=0 GID=0
Jul 21 13:09:03 centos7 kernel: TRACE: filter:cali-OUTPUT:rule:6 IN= OUT=enp125s0f0 SRC=10.10.16.251 DST=103.109.101.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=42694 DPT=80 SEQ=1810758209 ACK=2425589182 WINDOW=398 RES=0x00 ACK URGP=0 OPT (0101080A51EA8ABF022AF1B7) UID=0 GID=0
Jul 21 13:09:03 centos7 kernel: TRACE: filter:cali-to-host-endpoint:return:1 IN= OUT=enp125s0f0 SRC=10.10.16.251 DST=103.109.101.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=42694 DPT=80 SEQ=1810758209 ACK=2425589182 WINDOW=398 RES=0x00 ACK URGP=0 OPT (0101080A51EA8ABF022AF1B7) UID=0 GID=0
Jul 21 13:09:03 centos7 kernel: TRACE: filter:cali-OUTPUT:return:8 IN= OUT=enp125s0f0 SRC=10.10.16.251 DST=103.109.101.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=42694 DPT=80 SEQ=1810758209 ACK=2425589182 WINDOW=398 RES=0x00 ACK URGP=0 OPT (0101080A51EA8ABF022AF1B7) UID=0 GID=0
Jul 21 13:09:03 centos7 kernel: TRACE: filter:OUTPUT:rule:3 IN= OUT=enp125s0f0 SRC=10.10.16.251 DST=103.109.101.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=42694 DPT=80 SEQ=1810758209 ACK=2425589182 WINDOW=398 RES=0x00 ACK URGP=0 OPT (0101080A51EA8ABF022AF1B7) UID=0 GID=0
Jul 21 13:09:03 centos7 kernel: TRACE: filter:KUBE-FIREWALL:return:2 IN= OUT=enp125s0f0 SRC=10.10.16.251 DST=103.109.101.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=42694 DPT=80 SEQ=1810758209 ACK=2425589182 WINDOW=398 RES=0x00 ACK URGP=0 OPT (0101080A51EA8ABF022AF1B7) UID=0 GID=0
Jul 21 13:09:04 centos7 kernel: TRACE: filter:OUTPUT:policy:4 IN= OUT=enp125s0f0 SRC=10.10.16.251 DST=103.109.101.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=42694 DPT=80 SEQ=1810758209 ACK=2425589182 WINDOW=398 RES=0x00 ACK URGP=0 OPT (0101080A51EA8ABF022AF1B7) UID=0 GID=0
Jul 21 13:09:04 centos7 kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=enp125s0f0 SRC=10.10.16.251 DST=103.109.101.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=42694 DPT=80 SEQ=1810758209 ACK=2425589182 WINDOW=398 RES=0x00 ACK URGP=0 OPT (0101080A51EA8ABF022AF1B7) UID=0 GID=0
Jul 21 13:09:04 centos7 kernel: TRACE: mangle:cali-POSTROUTING:rule:3 IN= OUT=enp125s0f0 SRC=10.10.16.251 DST=103.109.101.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=42694 DPT=80 SEQ=1810758209 ACK=2425589182 WINDOW=398 RES=0x00 ACK URGP=0 OPT (0101080A51EA8ABF022AF1B7) UID=0 GID=0
Jul 21 13:09:04 centos7 kernel: TRACE: mangle:cali-POSTROUTING:return:6 IN= OUT=enp125s0f0 SRC=10.10.16.251 DST=103.109.101.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=42694 DPT=80 SEQ=1810758209 ACK=2425589182 WINDOW=398 RES=0x00 ACK URGP=0 OPT (0101080A51EA8ABF022AF1B7) UID=0 GID=0
Jul 21 13:09:04 centos7 kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=enp125s0f0 SRC=10.10.16.251 DST=103.109.101.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=42694 DPT=80 SEQ=1810758209 ACK=2425589182 WINDOW=398 RES=0x00 ACK URGP=0 OPT (0101080A51EA8ABF022AF1B7) UID=0 GID=0
Jul 23 04:47:48 centos7 kernel: TRACE: raw:PREROUTING:policy:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307)
Jul 23 04:47:48 centos7 kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307)
Jul 23 04:47:48 centos7 kernel: TRACE: mangle:cali-PREROUTING:rule:3 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307)
Jul 23 04:47:48 centos7 kernel: TRACE: mangle:cali-from-host-endpoint:return:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307)
Jul 23 04:47:48 centos7 kernel: TRACE: mangle:cali-PREROUTING:return:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307)
Jul 23 04:47:48 centos7 kernel: TRACE: mangle:PREROUTING:policy:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307)
Jul 23 04:47:48 centos7 kernel: TRACE: nat:PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307)
Jul 23 04:47:48 centos7 kernel: TRACE: nat:cali-PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307)
Jul 23 04:47:48 centos7 kernel: TRACE: nat:cali-fip-dnat:return:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307)
Jul 23 04:47:48 centos7 kernel: TRACE: nat:cali-PREROUTING:return:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307)
Jul 23 04:47:48 centos7 kernel: TRACE: nat:PREROUTING:rule:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307)
Jul 23 04:47:48 centos7 kernel: TRACE: nat:KUBE-SERVICES:rule:13 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307)
Jul 23 04:47:48 centos7 kernel: TRACE: nat:KUBE-NODEPORTS:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307)
Jul 23 04:47:48 centos7 kernel: TRACE: nat:KUBE-MARK-MASQ:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307)
Jul 23 04:47:48 centos7 kernel: TRACE: nat:KUBE-MARK-MASQ:return:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000
Jul 23 04:47:48 centos7 kernel: TRACE: nat:KUBE-NODEPORTS:rule:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000
Jul 23 04:47:48 centos7 kernel: TRACE: nat:KUBE-SVC-LR6KBEL46TKXCUNE:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000
Jul 23 04:47:48 centos7 kernel: TRACE: nat:KUBE-SEP-2RKZ3KM6TGCI2FEZ:rule:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1420 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000
Jul 23 04:47:48 centos7 kernel: TRACE: mangle:FORWARD:policy:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000
Jul 23 04:47:48 centos7 kernel: TRACE: filter:FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000
Jul 23 04:47:48 centos7 kernel: TRACE: filter:cali-FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000
Jul 23 04:47:48 centos7 kernel: TRACE: filter:cali-FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000
Jul 23 04:47:48 centos7 kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000
Jul 23 04:47:49 centos7 kernel: TRACE: filter:cali-FORWARD:rule:5 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000
Jul 23 04:47:49 centos7 kernel: TRACE: filter:cali-to-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000
Jul 23 04:47:49 centos7 kernel: TRACE: filter:cali-FORWARD:rule:6 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000
Jul 23 04:47:49 centos7 kernel: TRACE: filter:cali-cidr-block:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000
Jul 23 04:47:49 centos7 kernel: TRACE: filter:cali-FORWARD:return:7 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000
Jul 23 04:47:49 centos7 kernel: TRACE: filter:FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000
Jul 23 04:47:49 centos7 kernel: TRACE: filter:KUBE-FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000
Jul 23 04:47:49 centos7 kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000
Jul 23 04:47:49 centos7 kernel: TRACE: mangle:cali-POSTROUTING:rule:3 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000
Jul 23 04:47:49 centos7 kernel: TRACE: mangle:cali-POSTROUTING:rule:4 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000
Jul 23 04:47:49 centos7 kernel: TRACE: mangle:cali-to-host-endpoint:return:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000
Jul 23 04:47:49 centos7 kernel: TRACE: mangle:cali-POSTROUTING:return:6 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000
Jul 23 04:47:49 centos7 kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000
Jul 23 04:47:49 centos7 kernel: TRACE: nat:POSTROUTING:rule:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000
Jul 23 04:47:49 centos7 kernel: TRACE: nat:cali-POSTROUTING:rule:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000
Jul 23 04:47:49 centos7 kernel: TRACE: nat:cali-fip-snat:return:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000
Jul 23 04:47:49 centos7 kernel: TRACE: nat:cali-POSTROUTING:rule:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000
Jul 23 04:47:49 centos7 kernel: TRACE: nat:cali-nat-outgoing:return:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000
Jul 23 04:47:49 centos7 kernel: TRACE: nat:cali-POSTROUTING:return:4 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000
Jul 23 04:47:49 centos7 kernel: TRACE: nat:POSTROUTING:rule:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000
Jul 23 04:47:49 centos7 kernel: TRACE: nat:KUBE-POSTROUTING:rule:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1420 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC084D90000000001030307) MARK=0x4000
[root@centos7 ~]# cat /var/log/kern.debug.log | grep 'ID=1421'
Jul 21 13:09:04 centos7 kernel: TRACE: raw:OUTPUT:rule:3 IN= OUT=enp125s0f0 SRC=10.10.16.251 DST=103.109.101.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1421 DF PROTO=TCP SPT=42694 DPT=80 SEQ=1810758209 ACK=2425589182 WINDOW=398 RES=0x00 ACK FIN URGP=0 OPT (0101080A51EA8C67022AF1B7) UID=0 GID=0
Jul 21 13:09:04 centos7 kernel: TRACE: raw:OUTPUT:policy:5 IN= OUT=enp125s0f0 SRC=10.10.16.251 DST=103.109.101.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1421 DF PROTO=TCP SPT=42694 DPT=80 SEQ=1810758209 ACK=2425589182 WINDOW=398 RES=0x00 ACK FIN URGP=0 OPT (0101080A51EA8C67022AF1B7) UID=0 GID=0
Jul 21 13:09:04 centos7 kernel: TRACE: mangle:OUTPUT:policy:1 IN= OUT=enp125s0f0 SRC=10.10.16.251 DST=103.109.101.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1421 DF PROTO=TCP SPT=42694 DPT=80 SEQ=1810758209 ACK=2425589182 WINDOW=398 RES=0x00 ACK FIN URGP=0 OPT (0101080A51EA8C67022AF1B7) UID=0 GID=0
Jul 21 13:09:04 centos7 kernel: TRACE: filter:OUTPUT:rule:1 IN= OUT=enp125s0f0 SRC=10.10.16.251 DST=103.109.101.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1421 DF PROTO=TCP SPT=42694 DPT=80 SEQ=1810758209 ACK=2425589182 WINDOW=398 RES=0x00 ACK FIN URGP=0 OPT (0101080A51EA8C67022AF1B7) UID=0 GID=0
Jul 21 13:09:04 centos7 kernel: TRACE: filter:cali-OUTPUT:rule:5 IN= OUT=enp125s0f0 SRC=10.10.16.251 DST=103.109.101.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1421 DF PROTO=TCP SPT=42694 DPT=80 SEQ=1810758209 ACK=2425589182 WINDOW=398 RES=0x00 ACK FIN URGP=0 OPT (0101080A51EA8C67022AF1B7) UID=0 GID=0
Jul 21 13:09:04 centos7 kernel: TRACE: filter:cali-OUTPUT:rule:6 IN= OUT=enp125s0f0 SRC=10.10.16.251 DST=103.109.101.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1421 DF PROTO=TCP SPT=42694 DPT=80 SEQ=1810758209 ACK=2425589182 WINDOW=398 RES=0x00 ACK FIN URGP=0 OPT (0101080A51EA8C67022AF1B7) UID=0 GID=0
Jul 21 13:09:04 centos7 kernel: TRACE: filter:cali-to-host-endpoint:return:1 IN= OUT=enp125s0f0 SRC=10.10.16.251 DST=103.109.101.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1421 DF PROTO=TCP SPT=42694 DPT=80 SEQ=1810758209 ACK=2425589182 WINDOW=398 RES=0x00 ACK FIN URGP=0 OPT (0101080A51EA8C67022AF1B7) UID=0 GID=0
Jul 21 13:09:04 centos7 kernel: TRACE: filter:cali-OUTPUT:return:8 IN= OUT=enp125s0f0 SRC=10.10.16.251 DST=103.109.101.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1421 DF PROTO=TCP SPT=42694 DPT=80 SEQ=1810758209 ACK=2425589182 WINDOW=398 RES=0x00 ACK FIN URGP=0 OPT (0101080A51EA8C67022AF1B7) UID=0 GID=0
Jul 21 13:09:04 centos7 kernel: TRACE: filter:OUTPUT:rule:3 IN= OUT=enp125s0f0 SRC=10.10.16.251 DST=103.109.101.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1421 DF PROTO=TCP SPT=42694 DPT=80 SEQ=1810758209 ACK=2425589182 WINDOW=398 RES=0x00 ACK FIN URGP=0 OPT (0101080A51EA8C67022AF1B7) UID=0 GID=0
Jul 21 13:09:04 centos7 kernel: TRACE: filter:KUBE-FIREWALL:return:2 IN= OUT=enp125s0f0 SRC=10.10.16.251 DST=103.109.101.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1421 DF PROTO=TCP SPT=42694 DPT=80 SEQ=1810758209 ACK=2425589182 WINDOW=398 RES=0x00 ACK FIN URGP=0 OPT (0101080A51EA8C67022AF1B7) UID=0 GID=0
Jul 21 13:09:04 centos7 kernel: TRACE: filter:OUTPUT:policy:4 IN= OUT=enp125s0f0 SRC=10.10.16.251 DST=103.109.101.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1421 DF PROTO=TCP SPT=42694 DPT=80 SEQ=1810758209 ACK=2425589182 WINDOW=398 RES=0x00 ACK FIN URGP=0 OPT (0101080A51EA8C67022AF1B7) UID=0 GID=0
Jul 21 13:09:04 centos7 kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=enp125s0f0 SRC=10.10.16.251 DST=103.109.101.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1421 DF PROTO=TCP SPT=42694 DPT=80 SEQ=1810758209 ACK=2425589182 WINDOW=398 RES=0x00 ACK FIN URGP=0 OPT (0101080A51EA8C67022AF1B7) UID=0 GID=0
Jul 21 13:09:04 centos7 kernel: TRACE: mangle:cali-POSTROUTING:rule:3 IN= OUT=enp125s0f0 SRC=10.10.16.251 DST=103.109.101.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1421 DF PROTO=TCP SPT=42694 DPT=80 SEQ=1810758209 ACK=2425589182 WINDOW=398 RES=0x00 ACK FIN URGP=0 OPT (0101080A51EA8C67022AF1B7) UID=0 GID=0
Jul 21 13:09:04 centos7 kernel: TRACE: mangle:cali-POSTROUTING:return:6 IN= OUT=enp125s0f0 SRC=10.10.16.251 DST=103.109.101.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1421 DF PROTO=TCP SPT=42694 DPT=80 SEQ=1810758209 ACK=2425589182 WINDOW=398 RES=0x00 ACK FIN URGP=0 OPT (0101080A51EA8C67022AF1B7) UID=0 GID=0
Jul 21 13:09:04 centos7 kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=enp125s0f0 SRC=10.10.16.251 DST=103.109.101.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1421 DF PROTO=TCP SPT=42694 DPT=80 SEQ=1810758209 ACK=2425589182 WINDOW=398 RES=0x00 ACK FIN URGP=0 OPT (0101080A51EA8C67022AF1B7) UID=0 GID=0
Jul 23 04:47:49 centos7 kernel: TRACE: raw:PREROUTING:policy:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1421 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307)
Jul 23 04:47:49 centos7 kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1421 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307)
Jul 23 04:47:49 centos7 kernel: TRACE: mangle:cali-PREROUTING:rule:3 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1421 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307)
Jul 23 04:47:49 centos7 kernel: TRACE: mangle:cali-from-host-endpoint:return:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1421 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307)
Jul 23 04:47:49 centos7 kernel: TRACE: mangle:cali-PREROUTING:return:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1421 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307)
Jul 23 04:47:49 centos7 kernel: TRACE: mangle:PREROUTING:policy:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1421 DF PROTO=TCP SPT=49910 DPT=30090 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307)
Jul 23 04:47:49 centos7 kernel: TRACE: mangle:FORWARD:policy:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307)
Jul 23 04:47:49 centos7 kernel: TRACE: filter:FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307)
Jul 23 04:47:49 centos7 kernel: TRACE: filter:cali-FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307)
Jul 23 04:47:49 centos7 kernel: TRACE: filter:cali-FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307)
Jul 23 04:47:49 centos7 kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307)
Jul 23 04:47:49 centos7 kernel: TRACE: filter:cali-FORWARD:rule:5 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307)
Jul 23 04:47:49 centos7 kernel: TRACE: filter:cali-to-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307)
Jul 23 04:47:49 centos7 kernel: TRACE: filter:cali-FORWARD:rule:6 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307)
Jul 23 04:47:49 centos7 kernel: TRACE: filter:cali-cidr-block:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307)
Jul 23 04:47:49 centos7 kernel: TRACE: filter:cali-FORWARD:return:7 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307)
Jul 23 04:47:50 centos7 kernel: TRACE: filter:FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307)
Jul 23 04:47:50 centos7 kernel: TRACE: filter:KUBE-FORWARD:return:5 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307)
Jul 23 04:47:50 centos7 kernel: TRACE:
filter:FORWARD:rule:3 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307) Jul 23 04:47:50 centos7 kernel: TRACE: filter:KUBE-SERVICES:return:3 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307) Jul 23 04:47:50 centos7 kernel: TRACE: filter:FORWARD:rule:4 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307) Jul 23 04:47:50 centos7 kernel: TRACE: filter:DOCKER-ISOLATION:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307) Jul 23 04:47:50 centos7 kernel: TRACE: filter:FORWARD:rule:10 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307) Jul 23 04:47:50 centos7 kernel: TRACE: filter:FORWARD:policy:11 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1421 DF PROTO=TCP SPT=49910 DPT=80 SEQ=4033598320 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDC088C60000000001030307) 
MARK=0x10000 [root@centos7 ~]#
[root@centos7 ~]# iptables -t filter -L FORWARD -n -v
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3386 292K cali-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:wUHhoiAYhphO9Mso */
316 23572 KUBE-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0 /* kubernetes forwarding rules */
272 20448 KUBE-SERVICES all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW /* kubernetes service portals */
272 20448 DOCKER-ISOLATION all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
199 16068 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:S93hcgKJrXEqnTfs */ /* Policy explicitly accepted packet. */ mark match 0x10000/0x10000
73 4380 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:mp77cMpurHhyjLrM */ MARK or 0x10000
[root@centos7 ~]# iptables -t filter -L FORWARD -n -v | column -t
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3386 292K cali-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:wUHhoiAYhphO9Mso */
316 23572 KUBE-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0 /* kubernetes forwarding rules */
272 20448 KUBE-SERVICES all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW /* kubernetes service portals */
272 20448 DOCKER-ISOLATION all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
199 16068 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:S93hcgKJrXEqnTfs */ /* Policy explicitly accepted packet. */ mark match 0x10000/0x10000
73 4380 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:mp77cMpurHhyjLrM */ MARK or 0x10000
[root@centos7 ~]#
[root@centos7 ~]# iptables -t filter -L FORWARD --line-number | column -t
Chain FORWARD (policy DROP)
num target prot opt source destination
1 cali-FORWARD all -- anywhere anywhere /* cali:wUHhoiAYhphO9Mso */
2 KUBE-FORWARD all -- anywhere anywhere /* kubernetes forwarding rules */
3 KUBE-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes service portals */
4 DOCKER-ISOLATION all -- anywhere anywhere
5 DOCKER all -- anywhere anywhere
6 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
7 ACCEPT all -- anywhere anywhere
8 ACCEPT all -- anywhere anywhere
9 ACCEPT all -- anywhere anywhere /* cali:S93hcgKJrXEqnTfs */ /* Policy explicitly accepted packet. */ mark match 0x10000/0x10000
10 MARK all -- anywhere anywhere /* cali:mp77cMpurHhyjLrM */ MARK or 0x10000
[root@centos7 ~]#
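The TRACE dumps on this page are hard to read by eye, so the following added example (not code from the original page) splits a run-together dump into records, groups them per packet by SRC, SPT and IP ID, and reports the last hop logged in the `filter` table. The sample input is constructed, shortened from the record format shown on this page, and the `POLICIES` map is an assumption taken from the `Chain FORWARD (policy DROP)` header in the listing above.

```python
import re
from collections import OrderedDict

# One syslog record written by the TRACE target:
#   <timestamp> <host> kernel: TRACE: table:chain:type:rulenum KEY=VALUE ...
# type is "rule" (a rule matched), "return" (end of a user-defined chain)
# or "policy" (end of a built-in chain, so the chain policy decides).
START = r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ kernel: TRACE: "
ENTRY = re.compile(
    START + r"(?P<table>[\w-]+):(?P<chain>[\w-]+):"
    r"(?P<kind>rule|return|policy):(?P<num>\d+) (?P<rest>.*?)(?=" + START + r"|\Z)"
)
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

# Assumption: built-in chain policies, read from the "Chain FORWARD (policy DROP)"
# header of the iptables listing on this page.
POLICIES = {("filter", "FORWARD"): "DROP"}

# Constructed sample, shortened from the record format on this page: records run
# together on wrapped lines, and the dump starts in the middle of a record.
_IN = "IN=enp125s0f0 OUT= SRC=10.10.16.82 DST=10.10.16.251 PROTO=TCP SPT=55486 DPT=30090"
_FWD = "IN=enp125s0f0 OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 PROTO=TCP SPT=55486 DPT=80"
_OUT = "IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 PROTO=TCP SPT=55486 DPT=80"
_TS = "Jul 22 23:42:37 centos7 kernel: TRACE:"
SAMPLE = f"""DPT=80 SYN URGP=0 {_TS} raw:PREROUTING:policy:5 {_IN} ID=57908 SYN
{_TS} nat:KUBE-NODEPORTS:rule:1 {_IN} ID=57908 SYN {_TS} nat:KUBE-MARK-MASQ:return:2
{_IN} ID=57908 SYN MARK=0x4000 {_TS} filter:FORWARD:rule:2 {_FWD} ID=57908 SYN
MARK=0x4000 {_TS} filter:KUBE-FORWARD:rule:2 {_FWD} ID=57908 SYN MARK=0x4000
{_TS} mangle:POSTROUTING:policy:2 {_OUT} ID=57908 SYN MARK=0x4000
{_TS} raw:PREROUTING:policy:5 {_IN} ID=57909 SYN {_TS} filter:FORWARD:rule:1
{_FWD} ID=57909 SYN {_TS} filter:FORWARD:rule:10 {_FWD} ID=57909 SYN {_TS}
filter:FORWARD:policy:11 {_FWD} ID=57909 SYN MARK=0x10000"""


def parse_trace(text):
    """Group TRACE records per packet, keyed by (SRC, SPT, IP ID)."""
    flat = " ".join(text.split())  # undo line wrapping inside records
    packets = OrderedDict()
    for m in ENTRY.finditer(flat):  # a leading partial record never matches
        f = dict(FIELD.findall(m["rest"]))
        if "SRC" not in f or "ID" not in f:
            continue  # record cut off before the packet identity
        key = (f["SRC"], f.get("SPT", ""), f["ID"])
        pkt = packets.setdefault(key, {"hops": [], "dsts": [], "marks": []})
        pkt["hops"].append((m["table"], m["chain"], m["kind"], int(m["num"])))
        if "DST" in f and "DPT" in f:
            dst = f"{f['DST']}:{f['DPT']}"
            if dst not in pkt["dsts"]:
                pkt["dsts"].append(dst)  # a second value means the destination was rewritten
        if f.get("MARK") and f["MARK"] not in pkt["marks"]:
            pkt["marks"].append(f["MARK"])
    return packets


def filter_decision(pkt, policies):
    """Return (last filter-table hop, what that hop implies)."""
    hops = [h for h in pkt["hops"] if h[0] == "filter"]
    if not hops:
        return None, "no filter-table hop logged"
    table, chain, kind, num = hops[-1]
    if kind == "policy":
        verdict = policies.get((table, chain), "unknown")
        return hops[-1], f"reached end of built-in chain {chain}: policy {verdict}"
    if kind == "rule":
        # The target of that rule decides; look it up by number with
        # `iptables -t filter -L <chain> --line-number`.
        return hops[-1], f"last rule evaluated was {chain} rule {num}: check its target"
    return hops[-1], "trace ends on a return hop: the dump is probably truncated"


if __name__ == "__main__":
    for key, pkt in parse_trace(SAMPLE).items():
        hop, why = filter_decision(pkt, POLICIES)
        print(key, " -> ".join(pkt["dsts"]), pkt["marks"], why)
```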
Allowing NodePort traffic
root@ubuntu:~/tenant# kubectl delete -f ns-calico1-policy-allow.yaml
globalnetworkpolicy.crd.projectcalico.org "allow-label-ns-calico1-namesapce" deleted
root@ubuntu:~/tenant# telnet 10.10.16.251 30090
Trying 10.10.16.251...
Connected to 10.10.16.251.
Escape character is '^]'.
^CConnection closed by foreign host.
root@ubuntu:~/tenant#
Jul 22 23:42:36 centos7 kernel: TRACE: raw:PREROUTING:policy:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=57908 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) Jul 22 23:42:36 centos7 kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=57908 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) Jul 22 23:42:36 centos7 kernel: TRACE: mangle:cali-PREROUTING:rule:3 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=57908 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) Jul 22 23:42:36 centos7 kernel: TRACE: mangle:cali-from-host-endpoint:return:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=57908 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) Jul 22 23:42:36 centos7 kernel: TRACE: mangle:cali-PREROUTING:return:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=57908 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) Jul 22 23:42:36 centos7 kernel: TRACE: mangle:PREROUTING:policy:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=57908 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 
SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) Jul 22 23:42:36 centos7 kernel: TRACE: nat:PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=57908 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) Jul 22 23:42:36 centos7 kernel: TRACE: nat:cali-PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=57908 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) Jul 22 23:42:36 centos7 kernel: TRACE: nat:cali-fip-dnat:return:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=57908 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) Jul 22 23:42:36 centos7 kernel: TRACE: nat:cali-PREROUTING:return:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=57908 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) Jul 22 23:42:36 centos7 kernel: TRACE: nat:PREROUTING:rule:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=57908 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) Jul 22 23:42:36 centos7 kernel: TRACE: nat:KUBE-SERVICES:rule:13 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=57908 DF PROTO=TCP SPT=55486 DPT=30090 
SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) Jul 22 23:42:36 centos7 kernel: TRACE: nat:KUBE-NODEPORTS:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=57908 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) Jul 22 23:42:36 centos7 kernel: TRACE: nat:KUBE-MARK-MASQ:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=57908 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) Jul 22 23:42:36 centos7 kernel: TRACE: nat:KUBE-MARK-MASQ:return:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=57908 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) MARK=0x4000 Jul 22 23:42:36 centos7 kernel: TRACE: nat:KUBE-NODEPORTS:rule:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=57908 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) MARK=0x4000 Jul 22 23:42:36 centos7 kernel: TRACE: nat:KUBE-SVC-LR6KBEL46TKXCUNE:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=57908 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) MARK=0x4000 Jul 22 23:42:36 centos7 kernel: TRACE: nat:KUBE-SEP-2RKZ3KM6TGCI2FEZ:rule:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 
SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=57908 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) MARK=0x4000 Jul 22 23:42:36 centos7 kernel: TRACE: mangle:FORWARD:policy:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57908 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) MARK=0x4000 Jul 22 23:42:36 centos7 kernel: TRACE: filter:FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57908 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) MARK=0x4000 Jul 22 23:42:36 centos7 kernel: TRACE: filter:cali-FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57908 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) MARK=0x4000 Jul 22 23:42:36 centos7 kernel: TRACE: filter:cali-FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57908 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) MARK=0x4000 Jul 22 23:42:36 centos7 kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57908 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) MARK=0x4000 Jul 
22 23:42:36 centos7 kernel: TRACE: filter:cali-FORWARD:rule:5 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57908 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) MARK=0x4000 Jul 22 23:42:37 centos7 kernel: TRACE: filter:cali-to-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57908 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) MARK=0x4000 Jul 22 23:42:37 centos7 kernel: TRACE: filter:cali-FORWARD:rule:6 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57908 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) MARK=0x4000 Jul 22 23:42:37 centos7 kernel: TRACE: filter:cali-cidr-block:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57908 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) MARK=0x4000 Jul 22 23:42:37 centos7 kernel: TRACE: filter:cali-FORWARD:return:7 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57908 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) MARK=0x4000 Jul 22 23:42:37 centos7 kernel: TRACE: filter:FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57908 DF 
PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) MARK=0x4000 Jul 22 23:42:37 centos7 kernel: TRACE: filter:KUBE-FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57908 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) MARK=0x4000 Jul 22 23:42:37 centos7 kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57908 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) MARK=0x4000 Jul 22 23:42:37 centos7 kernel: TRACE: mangle:cali-POSTROUTING:rule:3 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57908 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) MARK=0x4000 Jul 22 23:42:37 centos7 kernel: TRACE: mangle:cali-POSTROUTING:rule:4 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57908 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) MARK=0x4000 Jul 22 23:42:37 centos7 kernel: TRACE: mangle:cali-to-host-endpoint:return:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57908 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) MARK=0x4000 Jul 22 23:42:37 centos7 kernel: TRACE: mangle:cali-POSTROUTING:return:6 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57908 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) 
MARK=0x4000 Jul 22 23:42:37 centos7 kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57908 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) MARK=0x4000 Jul 22 23:42:37 centos7 kernel: TRACE: nat:POSTROUTING:rule:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57908 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) MARK=0x4000 Jul 22 23:42:37 centos7 kernel: TRACE: nat:cali-POSTROUTING:rule:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57908 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) MARK=0x4000 Jul 22 23:42:37 centos7 kernel: TRACE: nat:cali-fip-snat:return:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57908 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) MARK=0x4000 Jul 22 23:42:37 centos7 kernel: TRACE: nat:cali-POSTROUTING:rule:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57908 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) MARK=0x4000 Jul 22 23:42:37 centos7 kernel: TRACE: nat:cali-nat-outgoing:return:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57908 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) MARK=0x4000 Jul 22 23:42:37 centos7 kernel: TRACE: nat:cali-POSTROUTING:return:4 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57908 DF PROTO=TCP SPT=55486 DPT=80 
SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) MARK=0x4000 Jul 22 23:42:37 centos7 kernel: TRACE: nat:POSTROUTING:rule:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57908 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) MARK=0x4000 Jul 22 23:42:37 centos7 kernel: TRACE: nat:KUBE-POSTROUTING:rule:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57908 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA9197C0000000001030307) MARK=0x4000 Jul 22 23:42:37 centos7 kernel: TRACE: raw:PREROUTING:policy:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=57909 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA91D660000000001030307) Jul 22 23:42:37 centos7 kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=57909 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA91D660000000001030307) Jul 22 23:42:37 centos7 kernel: TRACE: mangle:cali-PREROUTING:rule:3 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=57909 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA91D660000000001030307) Jul 22 23:42:37 centos7 kernel: TRACE: mangle:cali-from-host-endpoint:return:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=57909 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538769 ACK=0 
WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA91D660000000001030307) Jul 22 23:42:37 centos7 kernel: TRACE: mangle:cali-PREROUTING:return:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=57909 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA91D660000000001030307) Jul 22 23:42:37 centos7 kernel: TRACE: mangle:PREROUTING:policy:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=57909 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA91D660000000001030307) Jul 22 23:42:37 centos7 kernel: TRACE: mangle:FORWARD:policy:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57909 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA91D660000000001030307) Jul 22 23:42:37 centos7 kernel: TRACE: filter:FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57909 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA91D660000000001030307) Jul 22 23:42:37 centos7 kernel: TRACE: filter:cali-FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57909 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA91D660000000001030307) Jul 22 23:42:37 centos7 kernel: TRACE: filter:cali-FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57909 DF 
PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA91D660000000001030307) Jul 22 23:42:37 centos7 kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57909 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA91D660000000001030307) Jul 22 23:42:37 centos7 kernel: TRACE: filter:cali-FORWARD:rule:5 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57909 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA91D660000000001030307) Jul 22 23:42:37 centos7 kernel: TRACE: filter:cali-to-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57909 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA91D660000000001030307) Jul 22 23:42:37 centos7 kernel: TRACE: filter:cali-FORWARD:rule:6 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57909 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA91D660000000001030307) Jul 22 23:42:37 centos7 kernel: TRACE: filter:cali-cidr-block:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57909 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA91D660000000001030307) Jul 22 23:42:37 centos7 kernel: TRACE: filter:cali-FORWARD:return:7 IN=enp125s0f0 OUT=tunl0 
MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57909 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA91D660000000001030307) Jul 22 23:42:37 centos7 kernel: TRACE: filter:FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57909 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA91D660000000001030307) Jul 22 23:42:38 centos7 kernel: TRACE: filter:KUBE-FORWARD:return:5 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57909 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA91D660000000001030307) Jul 22 23:42:38 centos7 kernel: TRACE: filter:FORWARD:rule:3 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57909 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA91D660000000001030307) Jul 22 23:42:38 centos7 kernel: TRACE: filter:KUBE-SERVICES:return:3 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57909 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA91D660000000001030307) Jul 22 23:42:38 centos7 kernel: TRACE: filter:FORWARD:rule:4 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57909 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA91D660000000001030307) Jul 22 23:42:38 centos7 kernel: TRACE: 
filter:DOCKER-ISOLATION:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57909 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA91D660000000001030307) Jul 22 23:42:38 centos7 kernel: TRACE: filter:FORWARD:rule:10 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57909 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA91D660000000001030307) Jul 22 23:42:38 centos7 kernel: TRACE: filter:FORWARD:policy:11 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=57909 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538769 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFCA91D660000000001030307) MARK=0x10000 Jul 22 23:42:38 centos7 kernel: TRACE: raw:PREROUTING:policy:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=57910 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA920EDE777DE06) Jul 22 23:42:38 centos7 kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=57910 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA920EDE777DE06) Jul 22 23:42:38 centos7 kernel: TRACE: mangle:cali-PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=57910 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA920EDE777DE06) Jul 22 
23:42:38 centos7 kernel: TRACE: mangle:FORWARD:policy:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57910 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA920EDE777DE06) Jul 22 23:42:38 centos7 kernel: TRACE: filter:FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57910 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA920EDE777DE06) Jul 22 23:42:38 centos7 kernel: TRACE: filter:cali-FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57910 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA920EDE777DE06) Jul 22 23:42:38 centos7 kernel: TRACE: filter:cali-FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57910 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA920EDE777DE06) Jul 22 23:42:38 centos7 kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57910 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA920EDE777DE06) Jul 22 23:42:38 centos7 kernel: TRACE: filter:cali-FORWARD:rule:5 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57910 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA920EDE777DE06) Jul 
22 23:42:38 centos7 kernel: TRACE: filter:cali-to-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57910 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA920EDE777DE06) Jul 22 23:42:38 centos7 kernel: TRACE: filter:cali-FORWARD:rule:6 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57910 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA920EDE777DE06) Jul 22 23:42:38 centos7 kernel: TRACE: filter:cali-cidr-block:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57910 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA920EDE777DE06) Jul 22 23:42:38 centos7 kernel: TRACE: filter:cali-FORWARD:return:7 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57910 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA920EDE777DE06) Jul 22 23:42:38 centos7 kernel: TRACE: filter:FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57910 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA920EDE777DE06) Jul 22 23:42:38 centos7 kernel: TRACE: filter:KUBE-FORWARD:rule:3 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57910 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT 
(0101080AFCA920EDE777DE06) Jul 22 23:42:38 centos7 kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57910 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA920EDE777DE06) Jul 22 23:42:38 centos7 kernel: TRACE: mangle:cali-POSTROUTING:rule:3 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57910 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA920EDE777DE06) Jul 22 23:42:38 centos7 kernel: TRACE: mangle:cali-POSTROUTING:rule:4 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57910 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA920EDE777DE06) Jul 22 23:42:38 centos7 kernel: TRACE: mangle:cali-to-host-endpoint:return:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57910 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA920EDE777DE06) Jul 22 23:42:38 centos7 kernel: TRACE: mangle:cali-POSTROUTING:return:6 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57910 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA920EDE777DE06) Jul 22 23:42:38 centos7 kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57910 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA920EDE777DE06) Jul 22 23:42:38 centos7 kernel: TRACE: raw:PREROUTING:policy:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=57911 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 
ACK URGP=0 OPT (0101080AFCA9231AE777DE06) Jul 22 23:42:38 centos7 kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=57911 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA9231AE777DE06) Jul 22 23:42:38 centos7 kernel: TRACE: mangle:cali-PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=57911 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA9231AE777DE06) Jul 22 23:42:38 centos7 kernel: TRACE: mangle:FORWARD:policy:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57911 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA9231AE777DE06) Jul 22 23:42:38 centos7 kernel: TRACE: filter:FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57911 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA9231AE777DE06) Jul 22 23:42:38 centos7 kernel: TRACE: filter:cali-FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57911 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA9231AE777DE06) Jul 22 23:42:38 centos7 kernel: TRACE: filter:cali-FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57911 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 
OPT (0101080AFCA9231AE777DE06) Jul 22 23:42:38 centos7 kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57911 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA9231AE777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: filter:cali-FORWARD:rule:5 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57911 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA9231AE777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: filter:cali-to-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57911 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA9231AE777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: filter:cali-FORWARD:rule:6 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57911 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA9231AE777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: filter:cali-cidr-block:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57911 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA9231AE777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: filter:cali-FORWARD:return:7 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57911 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 
WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA9231AE777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: filter:FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57911 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA9231AE777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: filter:KUBE-FORWARD:rule:3 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57911 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA9231AE777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57911 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA9231AE777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: mangle:cali-POSTROUTING:rule:3 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57911 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA9231AE777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: mangle:cali-POSTROUTING:rule:4 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57911 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA9231AE777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: mangle:cali-to-host-endpoint:return:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57911 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA9231AE777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: mangle:cali-POSTROUTING:return:6 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 
TTL=63 ID=57911 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA9231AE777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57911 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK URGP=0 OPT (0101080AFCA9231AE777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: raw:PREROUTING:policy:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=57 TOS=0x10 PREC=0x00 TTL=64 ID=57912 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK PSH URGP=0 OPT (0101080AFCA92593E777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=57 TOS=0x10 PREC=0x00 TTL=64 ID=57912 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK PSH URGP=0 OPT (0101080AFCA92593E777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: mangle:cali-PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=57 TOS=0x10 PREC=0x00 TTL=64 ID=57912 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK PSH URGP=0 OPT (0101080AFCA92593E777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: mangle:FORWARD:policy:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=63 ID=57912 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK PSH URGP=0 OPT (0101080AFCA92593E777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: filter:FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=63 ID=57912 DF PROTO=TCP SPT=55486 DPT=80 
SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK PSH URGP=0 OPT (0101080AFCA92593E777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: filter:cali-FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=63 ID=57912 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK PSH URGP=0 OPT (0101080AFCA92593E777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: filter:cali-FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=63 ID=57912 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK PSH URGP=0 OPT (0101080AFCA92593E777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=63 ID=57912 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK PSH URGP=0 OPT (0101080AFCA92593E777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: filter:cali-FORWARD:rule:5 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=63 ID=57912 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK PSH URGP=0 OPT (0101080AFCA92593E777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: filter:cali-to-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=63 ID=57912 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK PSH URGP=0 OPT (0101080AFCA92593E777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: filter:cali-FORWARD:rule:6 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 
TTL=63 ID=57912 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK PSH URGP=0 OPT (0101080AFCA92593E777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: filter:cali-cidr-block:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=63 ID=57912 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK PSH URGP=0 OPT (0101080AFCA92593E777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: filter:cali-FORWARD:return:7 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=63 ID=57912 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK PSH URGP=0 OPT (0101080AFCA92593E777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: filter:FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=63 ID=57912 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK PSH URGP=0 OPT (0101080AFCA92593E777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: filter:KUBE-FORWARD:rule:3 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=63 ID=57912 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK PSH URGP=0 OPT (0101080AFCA92593E777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=63 ID=57912 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK PSH URGP=0 OPT (0101080AFCA92593E777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: mangle:cali-POSTROUTING:rule:3 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=63 ID=57912 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 
WINDOW=502 RES=0x00 ACK PSH URGP=0 OPT (0101080AFCA92593E777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: mangle:cali-POSTROUTING:rule:4 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=63 ID=57912 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK PSH URGP=0 OPT (0101080AFCA92593E777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: mangle:cali-to-host-endpoint:return:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=63 ID=57912 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK PSH URGP=0 OPT (0101080AFCA92593E777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: mangle:cali-POSTROUTING:return:6 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=63 ID=57912 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK PSH URGP=0 OPT (0101080AFCA92593E777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=63 ID=57912 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538770 ACK=3375967996 WINDOW=502 RES=0x00 ACK PSH URGP=0 OPT (0101080AFCA92593E777DE06) Jul 22 23:42:39 centos7 kernel: TRACE: raw:PREROUTING:policy:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=57913 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538775 ACK=3375968305 WINDOW=501 RES=0x00 ACK URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:39 centos7 kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=57913 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538775 ACK=3375968305 WINDOW=501 RES=0x00 ACK URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: mangle:cali-PREROUTING:rule:1 IN=enp125s0f0 OUT= 
MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=57913 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538775 ACK=3375968305 WINDOW=501 RES=0x00 ACK URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: mangle:FORWARD:policy:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57913 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968305 WINDOW=501 RES=0x00 ACK URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: filter:FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57913 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968305 WINDOW=501 RES=0x00 ACK URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: filter:cali-FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57913 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968305 WINDOW=501 RES=0x00 ACK URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: filter:cali-FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57913 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968305 WINDOW=501 RES=0x00 ACK URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57913 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968305 WINDOW=501 RES=0x00 ACK URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: filter:cali-FORWARD:rule:5 IN=enp125s0f0 
OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57913 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968305 WINDOW=501 RES=0x00 ACK URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: filter:cali-to-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57913 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968305 WINDOW=501 RES=0x00 ACK URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: filter:cali-FORWARD:rule:6 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57913 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968305 WINDOW=501 RES=0x00 ACK URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: filter:cali-cidr-block:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57913 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968305 WINDOW=501 RES=0x00 ACK URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: filter:cali-FORWARD:return:7 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57913 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968305 WINDOW=501 RES=0x00 ACK URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: filter:FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57913 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968305 WINDOW=501 RES=0x00 ACK URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: filter:KUBE-FORWARD:rule:3 
IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57913 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968305 WINDOW=501 RES=0x00 ACK URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57913 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968305 WINDOW=501 RES=0x00 ACK URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: mangle:cali-POSTROUTING:rule:3 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57913 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968305 WINDOW=501 RES=0x00 ACK URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: mangle:cali-POSTROUTING:rule:4 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57913 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968305 WINDOW=501 RES=0x00 ACK URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: mangle:cali-to-host-endpoint:return:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57913 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968305 WINDOW=501 RES=0x00 ACK URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: mangle:cali-POSTROUTING:return:6 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57913 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968305 WINDOW=501 RES=0x00 ACK URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57913 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968305 WINDOW=501 RES=0x00 ACK URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: 
raw:PREROUTING:policy:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=57914 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538775 ACK=3375968306 WINDOW=501 RES=0x00 ACK FIN URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=57914 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538775 ACK=3375968306 WINDOW=501 RES=0x00 ACK FIN URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: mangle:cali-PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=57914 DF PROTO=TCP SPT=55486 DPT=30090 SEQ=1638538775 ACK=3375968306 WINDOW=501 RES=0x00 ACK FIN URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: mangle:FORWARD:policy:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57914 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968306 WINDOW=501 RES=0x00 ACK FIN URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: filter:FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57914 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968306 WINDOW=501 RES=0x00 ACK FIN URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: filter:cali-FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57914 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968306 WINDOW=501 RES=0x00 ACK FIN URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: 
TRACE: filter:cali-FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57914 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968306 WINDOW=501 RES=0x00 ACK FIN URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57914 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968306 WINDOW=501 RES=0x00 ACK FIN URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: filter:cali-FORWARD:rule:5 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57914 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968306 WINDOW=501 RES=0x00 ACK FIN URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: filter:cali-to-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57914 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968306 WINDOW=501 RES=0x00 ACK FIN URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: filter:cali-FORWARD:rule:6 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57914 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968306 WINDOW=501 RES=0x00 ACK FIN URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: filter:cali-cidr-block:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57914 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968306 WINDOW=501 RES=0x00 ACK FIN URGP=0 OPT 
(0101080AFCA927C6E777E78E)
Jul 22 23:42:40 centos7 kernel: TRACE: filter:cali-FORWARD:return:7 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57914 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968306 WINDOW=501 RES=0x00 ACK FIN URGP=0 OPT (0101080AFCA927C6E777E78E)
Jul 22 23:42:40 centos7 kernel: TRACE: filter:FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57914 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968306 WINDOW=501 RES=0x00 ACK FIN URGP=0 OPT (0101080AFCA927C6E777E78E)
Note: the destination IP (DST) here is the pod IP.
Jul 22 23:42:40 centos7 kernel: TRACE: filter:KUBE-FORWARD:rule:3 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57914 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968306 WINDOW=501 RES=0x00 ACK FIN URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57914 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968306 WINDOW=501 RES=0x00 ACK FIN URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: mangle:cali-POSTROUTING:rule:3 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57914 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968306 WINDOW=501 RES=0x00 ACK FIN URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: mangle:cali-POSTROUTING:rule:4 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57914 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968306 WINDOW=501 RES=0x00 ACK FIN URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:40 centos7 kernel: TRACE: mangle:cali-to-host-endpoint:return:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57914 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968306 WINDOW=501 RES=0x00 ACK FIN URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:41 centos7 kernel: TRACE: mangle:cali-POSTROUTING:return:6 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57914 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968306 WINDOW=501 RES=0x00 ACK FIN URGP=0 OPT (0101080AFCA927C6E777E78E) Jul 22 23:42:41 centos7 kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=57914 DF PROTO=TCP SPT=55486 DPT=80 SEQ=1638538775 ACK=3375968306 WINDOW=501 
RES=0x00 ACK FIN URGP=0 OPT (0101080AFCA927C6E777E78E)
root@ubuntu:~/tenant# telnet 10.10.16.251 30090
Trying 10.10.16.251...
Connected to 10.10.16.251.
Escape character is '^]'.
^C^CConnection closed by foreign host.

[root@centos7 ~]# cat /var/log/kern.debug.log | grep 'ID=35937'
Jul 23 04:15:39 centos7 kernel: TRACE: raw:PREROUTING:policy:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=35937 DF PROTO=TCP SPT=35630 DPT=30090 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307)
Jul 23 04:15:39 centos7 kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=35937 DF PROTO=TCP SPT=35630 DPT=30090 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307)
Jul 23 04:15:39 centos7 kernel: TRACE: mangle:cali-PREROUTING:rule:3 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=35937 DF PROTO=TCP SPT=35630 DPT=30090 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307)
Jul 23 04:15:39 centos7 kernel: TRACE: mangle:cali-from-host-endpoint:return:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=35937 DF PROTO=TCP SPT=35630 DPT=30090 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307)
Jul 23 04:15:39 centos7 kernel: TRACE: mangle:cali-PREROUTING:return:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=35937 DF PROTO=TCP SPT=35630 DPT=30090 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307)
Jul 23 04:15:39 centos7 kernel: TRACE: mangle:PREROUTING:policy:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=35937 DF PROTO=TCP
SPT=35630 DPT=30090 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) Jul 23 04:15:39 centos7 kernel: TRACE: nat:PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=35937 DF PROTO=TCP SPT=35630 DPT=30090 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) Jul 23 04:15:39 centos7 kernel: TRACE: nat:cali-PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=35937 DF PROTO=TCP SPT=35630 DPT=30090 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) Jul 23 04:15:39 centos7 kernel: TRACE: nat:cali-fip-dnat:return:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=35937 DF PROTO=TCP SPT=35630 DPT=30090 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) Jul 23 04:15:39 centos7 kernel: TRACE: nat:cali-PREROUTING:return:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=35937 DF PROTO=TCP SPT=35630 DPT=30090 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) Jul 23 04:15:39 centos7 kernel: TRACE: nat:PREROUTING:rule:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=35937 DF PROTO=TCP SPT=35630 DPT=30090 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) Jul 23 04:15:39 centos7 kernel: TRACE: nat:KUBE-SERVICES:rule:13 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 
PREC=0x00 TTL=64 ID=35937 DF PROTO=TCP SPT=35630 DPT=30090 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) Jul 23 04:15:40 centos7 kernel: TRACE: nat:KUBE-NODEPORTS:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=35937 DF PROTO=TCP SPT=35630 DPT=30090 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) Jul 23 04:15:40 centos7 kernel: TRACE: nat:KUBE-MARK-MASQ:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=35937 DF PROTO=TCP SPT=35630 DPT=30090 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) Jul 23 04:15:40 centos7 kernel: TRACE: nat:KUBE-MARK-MASQ:return:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=35937 DF PROTO=TCP SPT=35630 DPT=30090 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) MARK=0x4000 Jul 23 04:15:40 centos7 kernel: TRACE: nat:KUBE-NODEPORTS:rule:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=35937 DF PROTO=TCP SPT=35630 DPT=30090 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) MARK=0x4000 Jul 23 04:15:40 centos7 kernel: TRACE: nat:KUBE-SVC-LR6KBEL46TKXCUNE:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=35937 DF PROTO=TCP SPT=35630 DPT=30090 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) MARK=0x4000 Jul 23 04:15:40 centos7 kernel: TRACE: nat:KUBE-SEP-2RKZ3KM6TGCI2FEZ:rule:2 IN=enp125s0f0 OUT= 
MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=35937 DF PROTO=TCP SPT=35630 DPT=30090 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) MARK=0x4000 Jul 23 04:15:40 centos7 kernel: TRACE: mangle:FORWARD:policy:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=35937 DF PROTO=TCP SPT=35630 DPT=80 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) MARK=0x4000 Jul 23 04:15:40 centos7 kernel: TRACE: filter:FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=35937 DF PROTO=TCP SPT=35630 DPT=80 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) MARK=0x4000 Jul 23 04:15:40 centos7 kernel: TRACE: filter:cali-FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=35937 DF PROTO=TCP SPT=35630 DPT=80 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) MARK=0x4000 Jul 23 04:15:40 centos7 kernel: TRACE: filter:cali-FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=35937 DF PROTO=TCP SPT=35630 DPT=80 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) MARK=0x4000 Jul 23 04:15:40 centos7 kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=35937 DF PROTO=TCP SPT=35630 DPT=80 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT 
(020405B40402080AFDA3170B0000000001030307) MARK=0x4000 Jul 23 04:15:40 centos7 kernel: TRACE: filter:cali-FORWARD:rule:5 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=35937 DF PROTO=TCP SPT=35630 DPT=80 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) MARK=0x4000 Jul 23 04:15:40 centos7 kernel: TRACE: filter:cali-to-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=35937 DF PROTO=TCP SPT=35630 DPT=80 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) MARK=0x4000 Jul 23 04:15:40 centos7 kernel: TRACE: filter:cali-FORWARD:rule:6 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=35937 DF PROTO=TCP SPT=35630 DPT=80 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) MARK=0x4000 Jul 23 04:15:40 centos7 kernel: TRACE: filter:cali-cidr-block:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=35937 DF PROTO=TCP SPT=35630 DPT=80 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) MARK=0x4000 Jul 23 04:15:40 centos7 kernel: TRACE: filter:cali-FORWARD:return:7 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=35937 DF PROTO=TCP SPT=35630 DPT=80 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) MARK=0x4000 Jul 23 04:15:40 centos7 kernel: TRACE: filter:FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 
DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=35937 DF PROTO=TCP SPT=35630 DPT=80 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) MARK=0x4000 Jul 23 04:15:40 centos7 kernel: TRACE: filter:KUBE-FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=35937 DF PROTO=TCP SPT=35630 DPT=80 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) MARK=0x4000 Jul 23 04:15:40 centos7 kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=35937 DF PROTO=TCP SPT=35630 DPT=80 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) MARK=0x4000 Jul 23 04:15:40 centos7 kernel: TRACE: mangle:cali-POSTROUTING:rule:3 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=35937 DF PROTO=TCP SPT=35630 DPT=80 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) MARK=0x4000 Jul 23 04:15:40 centos7 kernel: TRACE: mangle:cali-POSTROUTING:rule:4 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=35937 DF PROTO=TCP SPT=35630 DPT=80 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) MARK=0x4000 Jul 23 04:15:40 centos7 kernel: TRACE: mangle:cali-to-host-endpoint:return:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=35937 DF PROTO=TCP SPT=35630 DPT=80 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) MARK=0x4000 Jul 23 04:15:40 centos7 kernel: TRACE: mangle:cali-POSTROUTING:return:6 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=35937 DF PROTO=TCP SPT=35630 DPT=80 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 
SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) MARK=0x4000 Jul 23 04:15:40 centos7 kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=35937 DF PROTO=TCP SPT=35630 DPT=80 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) MARK=0x4000 Jul 23 04:15:40 centos7 kernel: TRACE: nat:POSTROUTING:rule:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=35937 DF PROTO=TCP SPT=35630 DPT=80 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) MARK=0x4000 Jul 23 04:15:40 centos7 kernel: TRACE: nat:cali-POSTROUTING:rule:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=35937 DF PROTO=TCP SPT=35630 DPT=80 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) MARK=0x4000 Jul 23 04:15:40 centos7 kernel: TRACE: nat:cali-fip-snat:return:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=35937 DF PROTO=TCP SPT=35630 DPT=80 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) MARK=0x4000 Jul 23 04:15:40 centos7 kernel: TRACE: nat:cali-POSTROUTING:rule:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=35937 DF PROTO=TCP SPT=35630 DPT=80 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) MARK=0x4000 Jul 23 04:15:40 centos7 kernel: TRACE: nat:cali-nat-outgoing:return:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=35937 DF PROTO=TCP SPT=35630 DPT=80 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) MARK=0x4000 Jul 23 04:15:40 centos7 kernel: TRACE: nat:cali-POSTROUTING:return:4 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 
PREC=0x00 TTL=63 ID=35937 DF PROTO=TCP SPT=35630 DPT=80 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) MARK=0x4000
Jul 23 04:15:40 centos7 kernel: TRACE: nat:POSTROUTING:rule:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=35937 DF PROTO=TCP SPT=35630 DPT=80 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) MARK=0x4000
Jul 23 04:15:40 centos7 kernel: TRACE: nat:KUBE-POSTROUTING:rule:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=35937 DF PROTO=TCP SPT=35630 DPT=80 SEQ=3934517224 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDA3170B0000000001030307) MARK=0x4000
[root@centos7 ~]# iptables -t filter -L KUBE-FORWARD -n --line-number | column -t
Chain KUBE-FORWARD (1 references)
num  target  prot  opt  source     destination
1    DROP    all   --   0.0.0.0/0  0.0.0.0/0    ctstate INVALID
2    ACCEPT  all   --   0.0.0.0/0  0.0.0.0/0    /* kubernetes forwarding rules */ mark match 0x4000/0x4000
3    ACCEPT  all   --   0.0.0.0/0  0.0.0.0/0    /* kubernetes forwarding conntrack pod source rule */ ctstate RELATED,ESTABLISHED
4    ACCEPT  all   --   0.0.0.0/0  0.0.0.0/0    /* kubernetes forwarding conntrack pod destination rule */ ctstate RELATED,ESTABLISHED
[root@centos7 ~]#
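Traces like the one above are easier to compare once each packet is condensed to a single chain path. The following Python sketch is an added example, not part of the original post: it groups TRACE records by IP ID (the key the grep above uses), tolerates wrapped or run-together records, and reports where DST/DPT was rewritten, where MARK first appears, and the last filter-table hop. The sample records are constructed (shortened from the format shown on this page), and all function and key names are hypothetical.

```python
import re

# Constructed sample: records shortened from the TRACE format on this page
# (MAC, LEN, TOS, SEQ and similar fields dropped). The first physical line
# holds two records and the third record is wrapped, as in pasted dumps.
SAMPLE = """\
Jul 23 04:15:39 centos7 kernel: TRACE: raw:PREROUTING:policy:5 IN=enp125s0f0 OUT= SRC=10.10.16.82 DST=10.10.16.251 ID=35937 DF PROTO=TCP SPT=35630 DPT=30090 SYN Jul 23 04:15:40 centos7 kernel: TRACE: nat:KUBE-MARK-MASQ:rule:1 IN=enp125s0f0 OUT= SRC=10.10.16.82 DST=10.10.16.251 ID=35937 DF PROTO=TCP SPT=35630 DPT=30090 SYN
Jul 23 04:15:40 centos7 kernel: TRACE: nat:KUBE-MARK-MASQ:return:2 IN=enp125s0f0 OUT= SRC=10.10.16.82 DST=10.10.16.251 ID=35937 DF PROTO=TCP
SPT=35630 DPT=30090 SYN MARK=0x4000
Jul 23 04:15:40 centos7 kernel: TRACE: nat:KUBE-SEP-2RKZ3KM6TGCI2FEZ:rule:2 IN=enp125s0f0 OUT= SRC=10.10.16.82 DST=10.10.16.251 ID=35937 DF PROTO=TCP SPT=35630 DPT=30090 SYN MARK=0x4000
Jul 23 04:15:40 centos7 kernel: TRACE: filter:FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 ID=35937 DF PROTO=TCP SPT=35630 DPT=80 SYN MARK=0x4000
Jul 23 04:15:40 centos7 kernel: TRACE: filter:KUBE-FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 ID=35937 DF PROTO=TCP SPT=35630 DPT=80 SYN MARK=0x4000
Jul 23 05:10:45 centos7 kernel: TRACE: raw:PREROUTING:policy:5 IN=enp125s0f0 OUT= SRC=10.10.16.82 DST=10.10.16.251 ID=52142 DF PROTO=TCP SPT=60098 DPT=30090 SYN
Jul 23 05:10:46 centos7 kernel: TRACE: filter:FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 ID=52142 DF PROTO=TCP SPT=60098 DPT=80 SYN
Jul 23 05:10:46 centos7 kernel: TRACE: filter:KUBE-FORWARD:return:5 IN=enp125s0f0 OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 ID=52142 DF PROTO=TCP SPT=60098 DPT=80 SYN
"""

# A record starts at a syslog timestamp and runs until the next one.
TS = r"[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d"
HOP_RE = re.compile(
    r"(?P<ts>" + TS + r") \S+ kernel: TRACE: "
    r"(?P<table>\w+):(?P<chain>[\w-]+):(?P<kind>rule|return|policy):(?P<num>\d+) "
    r"(?P<fields>.*?)(?=" + TS + r" \S+ kernel: |\Z)"
)
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value pairs; value may be empty


def parse_trace(text):
    """Return one dict per TRACE record, in log order."""
    flat = " ".join(text.split())  # undo wrapping and run-together lines
    hops = []
    for m in HOP_RE.finditer(flat):
        hop = m.groupdict()
        hop["fields"] = dict(FIELD_RE.findall(hop["fields"]))
        hops.append(hop)
    return hops


def group_by_packet(hops):
    """Group hops by IP ID. IDs are 16 bit and can repeat across flows,
    so feed this a narrow time window."""
    packets = {}
    for hop in hops:
        packets.setdefault(hop["fields"].get("ID"), []).append(hop)
    return packets


def hop_name(hop):
    return "{table}:{chain}:{kind}:{num}".format(**hop)


def dest(hop):
    return "{}:{}".format(hop["fields"].get("DST"), hop["fields"].get("DPT"))


def summarize(hops):
    """Condense one packet's hops into the facts needed to read the trace."""
    rewrite = None
    for prev, cur in zip(hops, hops[1:]):
        if dest(prev) != dest(cur):  # destination NAT became visible here
            rewrite = {"after": hop_name(prev), "from": dest(prev), "to": dest(cur)}
            break
    filt = [h for h in hops if h["table"] == "filter"]
    return {
        "path": [hop_name(h) for h in hops],
        "rewrite": rewrite,
        # packets of a connection conntrack already knows skip the nat chains
        "nat_traversed": any(h["table"] == "nat" for h in hops),
        "mark_first_seen": next(
            (hop_name(h) for h in hops if "MARK" in h["fields"]), None),
        "last_filter_hop": hop_name(filt[-1]) if filt else None,
        # "return" (end of a user chain) or "policy" (end of a built-in
        # chain) as the last filter hop means no rule there matched
        "fell_through": bool(filt) and filt[-1]["kind"] != "rule",
    }


if __name__ == "__main__":
    for ip_id, hops in group_by_packet(parse_trace(SAMPLE)).items():
        s = summarize(hops)
        print(f"ID={ip_id} nat_traversed={s['nat_traversed']} "
              f"mark_first_seen={s['mark_first_seen']}")
        print(f"  rewrite: {s['rewrite']}")
        print(f"  last filter hop: {s['last_filter_hop']} "
              f"fell_through={s['fell_through']}")
        print("  path: " + " > ".join(s["path"]))
```

To run it on a real capture, pass the contents of the kernel log file to `parse_trace()` in place of `SAMPLE`.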

ctstate RELATED,ESTABLISHED
Accepted packet:
Jul 23 05:10:44 centos7 kernel: TRACE: raw:PREROUTING:policy:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52141 DF PROTO=TCP SPT=60098 DPT=30090 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) Jul 23 05:10:44 centos7 kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52141 DF PROTO=TCP SPT=60098 DPT=30090 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) Jul 23 05:10:44 centos7 kernel: TRACE: mangle:cali-PREROUTING:rule:3 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52141 DF PROTO=TCP SPT=60098 DPT=30090 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) Jul 23 05:10:44 centos7 kernel: TRACE: mangle:cali-from-host-endpoint:return:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52141 DF PROTO=TCP SPT=60098 DPT=30090 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) Jul 23 05:10:44 centos7 kernel: TRACE: mangle:cali-PREROUTING:return:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52141 DF PROTO=TCP SPT=60098 DPT=30090 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) Jul 23 05:10:44 centos7 kernel: TRACE: mangle:PREROUTING:policy:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52141 DF PROTO=TCP SPT=60098 DPT=30090 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 
SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) Jul 23 05:10:44 centos7 kernel: TRACE: nat:PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52141 DF PROTO=TCP SPT=60098 DPT=30090 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) Jul 23 05:10:44 centos7 kernel: TRACE: nat:cali-PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52141 DF PROTO=TCP SPT=60098 DPT=30090 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) Jul 23 05:10:44 centos7 kernel: TRACE: nat:cali-fip-dnat:return:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52141 DF PROTO=TCP SPT=60098 DPT=30090 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) Jul 23 05:10:44 centos7 kernel: TRACE: nat:cali-PREROUTING:return:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52141 DF PROTO=TCP SPT=60098 DPT=30090 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) Jul 23 05:10:44 centos7 kernel: TRACE: nat:PREROUTING:rule:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52141 DF PROTO=TCP SPT=60098 DPT=30090 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) Jul 23 05:10:44 centos7 kernel: TRACE: nat:KUBE-SERVICES:rule:13 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52141 DF PROTO=TCP SPT=60098 DPT=30090 
SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) Jul 23 05:10:44 centos7 kernel: TRACE: nat:KUBE-NODEPORTS:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52141 DF PROTO=TCP SPT=60098 DPT=30090 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) Jul 23 05:10:44 centos7 kernel: TRACE: nat:KUBE-MARK-MASQ:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52141 DF PROTO=TCP SPT=60098 DPT=30090 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) Jul 23 05:10:44 centos7 kernel: TRACE: nat:KUBE-MARK-MASQ:return:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52141 DF PROTO=TCP SPT=60098 DPT=30090 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) MARK=0x4000 Jul 23 05:10:44 centos7 kernel: TRACE: nat:KUBE-NODEPORTS:rule:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52141 DF PROTO=TCP SPT=60098 DPT=30090 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) MARK=0x4000 Jul 23 05:10:44 centos7 kernel: TRACE: nat:KUBE-SVC-LR6KBEL46TKXCUNE:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52141 DF PROTO=TCP SPT=60098 DPT=30090 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) MARK=0x4000 Jul 23 05:10:44 centos7 kernel: TRACE: nat:KUBE-SEP-2RKZ3KM6TGCI2FEZ:rule:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 
SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52141 DF PROTO=TCP SPT=60098 DPT=30090 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) MARK=0x4000 Jul 23 05:10:45 centos7 kernel: TRACE: mangle:FORWARD:policy:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52141 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) MARK=0x4000 Jul 23 05:10:45 centos7 kernel: TRACE: filter:FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52141 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) MARK=0x4000 Jul 23 05:10:45 centos7 kernel: TRACE: filter:cali-FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52141 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) MARK=0x4000 Jul 23 05:10:45 centos7 kernel: TRACE: filter:cali-FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52141 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) MARK=0x4000 Jul 23 05:10:45 centos7 kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52141 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) MARK=0x4000 Jul 
23 05:10:45 centos7 kernel: TRACE: filter:cali-FORWARD:rule:5 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52141 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) MARK=0x4000 Jul 23 05:10:45 centos7 kernel: TRACE: filter:cali-to-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52141 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) MARK=0x4000 Jul 23 05:10:45 centos7 kernel: TRACE: filter:cali-FORWARD:rule:6 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52141 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) MARK=0x4000 Jul 23 05:10:45 centos7 kernel: TRACE: filter:cali-cidr-block:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52141 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) MARK=0x4000 Jul 23 05:10:45 centos7 kernel: TRACE: filter:cali-FORWARD:return:7 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52141 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) MARK=0x4000 Jul 23 05:10:45 centos7 kernel: TRACE: filter:FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52141 DF 
PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) MARK=0x4000 Jul 23 05:10:45 centos7 kernel: TRACE: filter:KUBE-FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52141 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) MARK=0x4000 Jul 23 05:10:45 centos7 kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52141 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) MARK=0x4000 Jul 23 05:10:45 centos7 kernel: TRACE: mangle:cali-POSTROUTING:rule:3 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52141 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) MARK=0x4000 Jul 23 05:10:45 centos7 kernel: TRACE: mangle:cali-POSTROUTING:rule:4 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52141 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) MARK=0x4000 Jul 23 05:10:45 centos7 kernel: TRACE: mangle:cali-to-host-endpoint:return:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52141 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) MARK=0x4000 Jul 23 05:10:45 centos7 kernel: TRACE: mangle:cali-POSTROUTING:return:6 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52141 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) 
MARK=0x4000 Jul 23 05:10:45 centos7 kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52141 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) MARK=0x4000 Jul 23 05:10:45 centos7 kernel: TRACE: nat:POSTROUTING:rule:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52141 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) MARK=0x4000 Jul 23 05:10:45 centos7 kernel: TRACE: nat:cali-POSTROUTING:rule:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52141 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) MARK=0x4000 Jul 23 05:10:45 centos7 kernel: TRACE: nat:cali-fip-snat:return:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52141 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) MARK=0x4000 Jul 23 05:10:45 centos7 kernel: TRACE: nat:cali-POSTROUTING:rule:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52141 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) MARK=0x4000 Jul 23 05:10:45 centos7 kernel: TRACE: nat:cali-nat-outgoing:return:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52141 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) MARK=0x4000 Jul 23 05:10:45 centos7 kernel: TRACE: nat:cali-POSTROUTING:return:4 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52141 DF PROTO=TCP SPT=60098 DPT=80 
SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) MARK=0x4000 Jul 23 05:10:45 centos7 kernel: TRACE: nat:POSTROUTING:rule:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52141 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) MARK=0x4000 Jul 23 05:10:45 centos7 kernel: TRACE: nat:KUBE-POSTROUTING:rule:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52141 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD584870000000001030307) MARK=0x4000
Related connection:
Jul 23 05:10:45 centos7 kernel: TRACE: raw:PREROUTING:policy:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52142 DF PROTO=TCP SPT=60098 DPT=30090 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD588860000000001030307)
Jul 23 05:10:45 centos7 kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52142 DF PROTO=TCP SPT=60098 DPT=30090 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD588860000000001030307)
Jul 23 05:10:45 centos7 kernel: TRACE: mangle:cali-PREROUTING:rule:3 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52142 DF PROTO=TCP SPT=60098 DPT=30090 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD588860000000001030307)
Jul 23 05:10:45 centos7 kernel: TRACE: mangle:cali-from-host-endpoint:return:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52142 DF PROTO=TCP SPT=60098 DPT=30090 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD588860000000001030307)
Jul 23 05:10:45 centos7 kernel: TRACE: mangle:cali-PREROUTING:return:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52142 DF PROTO=TCP SPT=60098 DPT=30090 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD588860000000001030307)
Jul 23 05:10:45 centos7 kernel: TRACE: mangle:PREROUTING:policy:2 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52142 DF PROTO=TCP SPT=60098 DPT=30090 SEQ=3929333061 ACK=0 WINDOW=64240
RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD588860000000001030307) Jul 23 05:10:45 centos7 kernel: TRACE: mangle:FORWARD:policy:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52142 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD588860000000001030307) Jul 23 05:10:45 centos7 kernel: TRACE: filter:FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52142 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD588860000000001030307) Jul 23 05:10:45 centos7 kernel: TRACE: filter:cali-FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52142 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD588860000000001030307) Jul 23 05:10:45 centos7 kernel: TRACE: filter:cali-FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52142 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD588860000000001030307) Jul 23 05:10:45 centos7 kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52142 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD588860000000001030307) Jul 23 05:10:46 centos7 kernel: TRACE: filter:cali-FORWARD:rule:5 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52142 DF 
PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD588860000000001030307) Jul 23 05:10:46 centos7 kernel: TRACE: filter:cali-to-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52142 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD588860000000001030307) Jul 23 05:10:46 centos7 kernel: TRACE: filter:cali-FORWARD:rule:6 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52142 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD588860000000001030307) Jul 23 05:10:46 centos7 kernel: TRACE: filter:cali-cidr-block:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52142 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD588860000000001030307) Jul 23 05:10:46 centos7 kernel: TRACE: filter:cali-FORWARD:return:7 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52142 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD588860000000001030307) Jul 23 05:10:46 centos7 kernel: TRACE: filter:FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52142 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD588860000000001030307) Jul 23 05:10:46 centos7 kernel: TRACE: filter:KUBE-FORWARD:return:5 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 
SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52142 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD588860000000001030307) Jul 23 05:10:46 centos7 kernel: TRACE: filter:FORWARD:rule:3 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52142 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD588860000000001030307) Jul 23 05:10:46 centos7 kernel: TRACE: filter:KUBE-SERVICES:return:3 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52142 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD588860000000001030307) Jul 23 05:10:46 centos7 kernel: TRACE: filter:FORWARD:rule:4 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52142 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD588860000000001030307) Jul 23 05:10:46 centos7 kernel: TRACE: filter:DOCKER-ISOLATION:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52142 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD588860000000001030307) Jul 23 05:10:46 centos7 kernel: TRACE: filter:FORWARD:rule:10 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52142 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD588860000000001030307)
Jul 23 05:10:46 centos7 kernel: TRACE: filter:FORWARD:policy:11 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=52142 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080AFDD588860000000001030307) MARK=0x10000
Jul 23 05:10:46 centos7 kernel: TRACE: raw:PREROUTING:policy:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=60098 DPT=30090 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:46 centos7 kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=60098 DPT=30090 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:46 centos7 kernel: TRACE: mangle:cali-PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=60098 DPT=30090 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:46 centos7 kernel: TRACE: mangle:FORWARD:policy:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:46 centos7 kernel: TRACE: filter:FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:46 centos7 kernel: TRACE: filter:cali-FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:46 centos7 kernel: TRACE: filter:cali-FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:46 centos7 kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:46 centos7 kernel: TRACE: filter:cali-FORWARD:rule:5 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:46 centos7 kernel: TRACE: filter:cali-to-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:46 centos7 kernel: TRACE: filter:cali-FORWARD:rule:6 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:46 centos7 kernel: TRACE: filter:cali-cidr-block:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:46 centos7 kernel: TRACE: filter:cali-FORWARD:return:7 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:46 centos7 kernel: TRACE: filter:FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:46 centos7 kernel: TRACE: filter:KUBE-FORWARD:rule:3 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:46 centos7 kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:46 centos7 kernel: TRACE: mangle:cali-POSTROUTING:rule:3 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:46 centos7 kernel: TRACE: mangle:cali-POSTROUTING:rule:4 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:46 centos7 kernel: TRACE: mangle:cali-to-host-endpoint:return:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:46 centos7 kernel: TRACE: mangle:cali-POSTROUTING:return:6 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:46 centos7 kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:46 centos7 kernel: TRACE: raw:PREROUTING:policy:5 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=60098 DPT=30090 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:46 centos7 kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=60098 DPT=30090 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:46 centos7 kernel: TRACE: mangle:cali-PREROUTING:rule:1 IN=enp125s0f0 OUT= MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.10.16.251 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=60098 DPT=30090 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:46 centos7 kernel: TRACE: mangle:FORWARD:policy:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:46 centos7 kernel: TRACE: filter:FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:47 centos7 kernel: TRACE: filter:cali-FORWARD:rule:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:47 centos7 kernel: TRACE: filter:cali-FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:47 centos7 kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:47 centos7 kernel: TRACE: filter:cali-FORWARD:rule:5 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:47 centos7 kernel: TRACE: filter:cali-to-hep-forward:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:47 centos7 kernel: TRACE: filter:cali-FORWARD:rule:6 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:47 centos7 kernel: TRACE: filter:cali-cidr-block:return:1 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:47 centos7 kernel: TRACE: filter:cali-FORWARD:return:7 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:47 centos7 kernel: TRACE: filter:FORWARD:rule:2 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:47 centos7 kernel: TRACE: filter:KUBE-FORWARD:rule:3 IN=enp125s0f0 OUT=tunl0 MAC=b0:08:75:5f:b8:5b:48:57:02:64:e7:ab:08:00 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:47 centos7 kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:47 centos7 kernel: TRACE: mangle:cali-POSTROUTING:rule:3 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:47 centos7 kernel: TRACE: mangle:cali-POSTROUTING:rule:4 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:47 centos7 kernel: TRACE: mangle:cali-to-host-endpoint:return:1 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:47 centos7 kernel: TRACE: mangle:cali-POSTROUTING:return:6 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:10:47 centos7 kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 23 05:11:12 centos7 kernel: SELinux: mount invalid. Same superblock, different security settings for (dev mqueue, type mqueue)
^C
[root@centos7 ~]# iptables -t filter -L KUBE-FORWARD -n --line-number | column -t
Chain KUBE-FORWARD (1 references)
num  target  prot  opt  source     destination
1    DROP    all   --   0.0.0.0/0  0.0.0.0/0    ctstate INVALID
2    ACCEPT  all   --   0.0.0.0/0  0.0.0.0/0    /* kubernetes forwarding rules */ mark match 0x4000/0x4000
3    ACCEPT  all   --   0.0.0.0/0  0.0.0.0/0    /* kubernetes forwarding conntrack pod source rule */ ctstate RELATED,ESTABLISHED
4    ACCEPT  all   --   0.0.0.0/0  0.0.0.0/0    /* kubernetes forwarding conntrack pod destination rule */ ctstate RELATED,ESTABLISHED
[root@centos7 ~]#
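The TRACE output above is easier to read once it is grouped per packet. The following is an added example, not part of the original post: it parses `TRACE: table:chain:type:rulenum` lines, splits them into packets, and reports each packet's chain path, any DNAT rewrite, the last hop logged, and the `iptables -L` command that lists that chain. The sample log is constructed to resemble the page's output, and the function names are this example's own.

```python
import re

# Constructed sample modelled on the kernel TRACE lines on this page (fields
# trimmed). Packet 1 is a SYN; packets 2 and 3 are two RSTs sharing ID and
# SEQ; the last line is unrelated kernel output that must be skipped.
SAMPLE_LOG = """\
Jul 23 05:10:45 centos7 kernel: TRACE: raw:PREROUTING:policy:5 IN=enp125s0f0 OUT= SRC=10.10.16.82 DST=10.10.16.251 ID=52142 DF PROTO=TCP SPT=60098 DPT=30090 SEQ=3929333061 ACK=0 SYN URGP=0
Jul 23 05:10:45 centos7 kernel: TRACE: mangle:FORWARD:policy:1 IN=enp125s0f0 OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 ID=52142 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 SYN URGP=0
Jul 23 05:10:46 centos7 kernel: TRACE: filter:KUBE-FORWARD:return:5 IN=enp125s0f0 OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 ID=52142 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 SYN URGP=0
Jul 23 05:10:46 centos7 kernel: TRACE: filter:FORWARD:policy:11 IN=enp125s0f0 OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 ID=52142 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333061 ACK=0 SYN URGP=0 MARK=0x10000
Jul 23 05:10:46 centos7 kernel: TRACE: raw:PREROUTING:policy:5 IN=enp125s0f0 OUT= SRC=10.10.16.82 DST=10.10.16.251 ID=0 DF PROTO=TCP SPT=60098 DPT=30090 SEQ=3929333062 ACK=0 RST URGP=0
Jul 23 05:10:46 centos7 kernel: TRACE: filter:KUBE-FORWARD:rule:3 IN=enp125s0f0 OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 RST URGP=0
Jul 23 05:10:46 centos7 kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 RST URGP=0
Jul 23 05:10:47 centos7 kernel: TRACE: raw:PREROUTING:policy:5 IN=enp125s0f0 OUT= SRC=10.10.16.82 DST=10.10.16.251 ID=0 DF PROTO=TCP SPT=60098 DPT=30090 SEQ=3929333062 ACK=0 RST URGP=0
Jul 23 05:10:47 centos7 kernel: TRACE: filter:KUBE-FORWARD:rule:3 IN=enp125s0f0 OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 RST URGP=0
Jul 23 05:10:47 centos7 kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=tunl0 SRC=10.10.16.82 DST=10.244.29.18 ID=0 DF PROTO=TCP SPT=60098 DPT=80 SEQ=3929333062 ACK=0 RST URGP=0
Jul 23 05:11:12 centos7 kernel: SELinux: mount invalid.
"""

# "TRACE: tablename:chainname:type:rulenum", type being rule, return or policy.
TRACE_RE = re.compile(
    r"TRACE: (?P<table>[^:\s]+):(?P<chain>[^:\s]+):"
    r"(?P<kind>rule|return|policy):(?P<num>\d+) (?P<rest>.*)$")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")   # KEY=value; value may be empty
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}  # logged as bare words


def parse_line(line):
    """Return one hop as a dict, or None for a line that is not a TRACE line."""
    m = TRACE_RE.search(line)
    if m is None:
        return None
    rest = m.group("rest")
    return {
        "table": m.group("table"), "chain": m.group("chain"),
        "kind": m.group("kind"), "num": int(m.group("num")),
        "fields": dict(FIELD_RE.findall(rest)),
        "flags": sorted(TCP_FLAGS.intersection(rest.split())),
    }


def group_packets(lines):
    """Split hops into packets. DST/DPT change at DNAT, so the key leaves them out."""
    packets, open_by_key = [], {}
    for line in lines:
        hop = parse_line(line)
        if hop is None:
            continue
        f = hop["fields"]
        key = (f.get("SRC"), f.get("SPT"), f.get("ID"), f.get("SEQ"))
        cur = open_by_key.get(key)
        # Heuristic (assumption of this example): raw is traversed first, so a
        # raw hop after a non-raw hop with the same key starts a new packet.
        if cur is None or (hop["table"] == "raw" and cur[-1]["table"] != "raw"):
            cur = []
            packets.append(cur)
            open_by_key[key] = cur
        cur.append(hop)
    return packets


def summarize(hops):
    """Condense one packet's hops into the facts worth reading first."""
    first, last = hops[0], hops[-1]
    before = (first["fields"].get("DST"), first["fields"].get("DPT"))
    after = (last["fields"].get("DST"), last["fields"].get("DPT"))
    return {
        "flags": first["flags"],
        "path": ["{table}:{chain}:{kind}:{num}".format(**h) for h in hops],
        "last_hop": "{table}:{chain}:{kind}:{num}".format(**last),
        "dnat": (before, after) if before != after else None,
        "reached_postrouting": any(h["chain"].endswith("POSTROUTING") for h in hops),
        "inspect": "iptables -t {} -L {} -n --line-numbers".format(
            last["table"], last["chain"]),
    }


if __name__ == "__main__":
    for hops in group_packets(SAMPLE_LOG.splitlines()):
        s = summarize(hops)
        print(s["flags"], "->", s["last_hop"],
              "| POSTROUTING logged:", s["reached_postrouting"])
        print("   dnat:", s["dnat"], "| next:", s["inspect"])
```

On a live node, feed it the lines from the file that rsyslog writes kernel messages to (this page uses /var/log/messages and /var/log/kern.debug.log).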
tcpdump
Node 251
[root@centos7 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.10.16.254    0.0.0.0         UG    0      0        0 enp125s0f0
10.10.16.0      0.0.0.0         255.255.255.0   U     0      0        0 enp125s0f0
10.10.102.0     0.0.0.0         255.255.255.0   U     0      0        0 enp6s0
10.244.2.0      10.10.16.47     255.255.255.0   UG    0      0        0 tunl0
10.244.29.0     10.10.16.81     255.255.255.192 UG    0      0        0 tunl0
10.244.41.0     10.10.16.47     255.255.255.192 UG    0      0        0 tunl0
10.244.129.128  0.0.0.0         255.255.255.192 U     0      0        0 *
10.244.129.129  0.0.0.0         255.255.255.255 UH    0      0        0 cali06a2cdc2c69
10.244.129.130  0.0.0.0         255.255.255.255 UH    0      0        0 cali2769e3081b5
10.244.129.131  0.0.0.0         255.255.255.255 UH    0      0        0 cali347b41e63b1
10.244.243.192  10.10.16.82     255.255.255.192 UG    0      0        0 tunl0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
[root@centos7 ~]# ip a | grep 10.244.129.128
    inet 10.244.129.128/32 scope global tunl0
[root@centos7 ~]# ip a | grep 10.244.129.128 -B 2
18: tunl0@NONE: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
    inet 10.244.129.128/32 scope global tunl0
[root@centos7 ~]#
bogon
[root@bogon ~]# ip a sh tunl0
99: tunl0@NONE: <NOARP,UP,LOWER_UP> mtu 1440 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
    inet 10.244.29.0/32 scope global tunl0
       valid_lft forever preferred_lft forever
[root@bogon ~]#
root@ubuntu:~/tenant# kubectl create -f ns-calico1-policy-allow.yaml
globalnetworkpolicy.crd.projectcalico.org/allow-label-ns-calico1-namesapce created
root@ubuntu:~/tenant# telnet 10.10.16.251 30090
Trying 10.10.16.251...
^C
Packets captured on bogon
[root@bogon ~]# tcpdump -i enahisic2i0 "ip proto 4" -eennvv
tcpdump: listening on enahisic2i0, link-type EN10MB (Ethernet), capture size 262144 bytes
18:05:14.581329 b0:08:75:5f:b8:5b > 48:57:02:64:ea:1b, ethertype IPv4 (0x0800), length 94: (tos 0x0, ttl 63, id 3810, offset 0, flags [DF], proto IPIP (4), length 80)
10.10.16.251 > 10.10.16.81: (tos 0x10, ttl 63, id 48310, offset 0, flags [DF], proto TCP (6), length 60)
10.244.129.128.61547 > 10.244.29.18.80: Flags [S], cksum 0xb617 (correct), seq 1519661982, win 64240, options [mss 1460,sackOK,TS val 4261897607 ecr 0,nop,wscale 7], length 0
^C
1 packet captured
1 packet received by filter
0 packets dropped by kernel
Nothing is captured on this interface
[root@bogon ~]# tcpdump -i calied7f8899df7 tcp and port 80 -eennv
tcpdump: listening on calied7f8899df7, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
[root@bogon ~]#
root@ubuntu:~/tenant# telnet 10.10.16.81 30090
Trying 10.10.16.81...
^C
[root@bogon ~]# tcpdump -i enahisic2i0 tcp and port 30090 -env
tcpdump: listening on enahisic2i0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:52:40.549343 48:57:02:64:e7:ab > 48:57:02:64:ea:1b, ethertype IPv4 (0x0800), length 74: (tos 0x10, ttl 64, id 54016, offset 0, flags [DF], proto TCP (6), length 60)
10.10.16.82.42200 > 10.10.16.81.30090: Flags [S], cksum 0x27cc (correct), seq 902593788, win 64240, options [mss 1460,sackOK,TS val 283185792 ecr 0,nop,wscale 7], length 0
17:52:41.553645 48:57:02:64:e7:ab > 48:57:02:64:ea:1b, ethertype IPv4 (0x0800), length 74: (tos 0x10, ttl 64, id 54017, offset 0, flags [DF], proto TCP (6), length 60)
10.10.16.82.42200 > 10.10.16.81.30090: Flags [S], cksum 0x23df (correct), seq 902593788, win 64240, options [mss 1460,sackOK,TS val 283186797 ecr 0,nop,wscale 7], length 0
root@ubuntu:~/tenant# kubectl delete -f ns-calico1-policy-allow.yaml
root@ubuntu:~/tenant# telnet 10.10.16.251 30090
Trying 10.10.16.251...
Connected to 10.10.16.251.
Escape character is '^]'.
Connection closed by foreign host.
tcpdump: listening on calied7f8899df7, link-type EN10MB (Ethernet), capture size 262144 bytes
18:00:22.992379 ee:ee:ee:ee:ee:ee > 42:40:41:37:d3:8b, ethertype IPv4 (0x0800), length 74: (tos 0x10, ttl 62, id 55208, offset 0, flags [DF], proto TCP (6), length 60)
10.244.129.128.20502 > 10.244.29.18.80: Flags [S], cksum 0x19c2 (correct), seq 2551686607, win 64240, options [mss 1460,sackOK,TS val 4261606018 ecr 0,nop,wscale 7], length 0
18:00:22.992423 42:40:41:37:d3:8b > ee:ee:ee:ee:ee:ee, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
10.244.29.18.80 > 10.244.129.128.20502: Flags [S.], cksum 0xb4a8 (incorrect -> 0xc11b), seq 2867109179, ack 2551686608, win 27760, options [mss 1400,sackOK,TS val 3906057823 ecr 4261606018,nop,wscale 7], length 0
18:00:24.052471 42:40:41:37:d3:8b > ee:ee:ee:ee:ee:ee, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
10.244.29.18.80 > 10.244.129.128.20502: Flags [S.], cksum 0xb4a8 (incorrect -> 0xbcf7), seq 2867109179, ack 2551686608, win 27760, options [mss 1400,sackOK,TS val 3906058883 ecr 4261606018,nop,wscale 7], length 0
18:00:24.235971 ee:ee:ee:ee:ee:ee > 42:40:41:37:d3:8b, ethertype IPv4 (0x0800), length 66: (tos 0x10, ttl 62, id 55210, offset 0, flags [DF], proto TCP (6), length 52)
10.244.129.128.20502 > 10.244.29.18.80: Flags [.], cksum 0x52b5 (correct), ack 1, win 502, options [nop,nop,TS val 4261607923 ecr 3906057823], length 0
18:00:24.793158 ee:ee:ee:ee:ee:ee > 42:40:41:37:d3:8b, ethertype IPv4 (0x0800), length 66: (tos 0x10, ttl 62, id 55211, offset 0, flags [DF], proto TCP (6), length 52)
10.244.129.128.20502 > 10.244.29.18.80: Flags [.], cksum 0x5086 (correct), ack 1, win 502, options [nop,nop,TS val 4261608482 ecr 3906057823], length 0
^C
5 packets captured
5 packets received by filter
0 packets dropped by kernel
You have new mail in /var/spool/mail/root
[root@bogon ~]#
tcpdump: listening on enahisic2i0, link-type EN10MB (Ethernet), capture size 262144 bytes
18:03:50.490734 b0:08:75:5f:b8:5b > 48:57:02:64:ea:1b, ethertype IPv4 (0x0800), length 94: (tos 0x0, ttl 63, id 63893, offset 0, flags [DF], proto IPIP (4), length 80)
10.10.16.251 > 10.10.16.81: (tos 0x10, ttl 63, id 31728, offset 0, flags [DF], proto TCP (6), length 60)
10.244.129.128.60586 > 10.244.29.18.80: Flags [S], cksum 0x669b (correct), seq 3807463161, win 64240, options [mss 1460,sackOK,TS val 4261813517 ecr 0,nop,wscale 7], length 0
18:04:17.802311 b0:08:75:5f:b8:5b > 48:57:02:64:ea:1b, ethertype IPv4 (0x0800), length 94: (tos 0x0, ttl 63, id 65289, offset 0, flags [DF], proto IPIP (4), length 80)
10.10.16.251 > 10.10.16.81: (tos 0x10, ttl 63, id 26410, offset 0, flags [DF], proto TCP (6), length 60)
10.244.129.128.32912 > 10.244.29.18.80: Flags [S], cksum 0x3638 (correct), seq 723071132, win 64240, options [mss 1460,sackOK,TS val 4261840832 ecr 0,nop,wscale 7], length 0
18:04:17.802535 48:57:02:64:ea:1b > b0:08:75:5f:b8:5b, ethertype IPv4 (0x0800), length 94: (tos 0x0, ttl 63, id 12627, offset 0, flags [DF], proto IPIP (4), length 80)
10.10.16.81 > 10.10.16.251: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60)
10.244.29.18.80 > 10.244.129.128.32912: Flags [S.], cksum 0x3297 (correct), seq 1577910226, ack 723071133, win 27760, options [mss 1400,sackOK,TS val 3906292631 ecr 4261840832,nop,wscale 7], length 0
18:04:18.852503 48:57:02:64:ea:1b > b0:08:75:5f:b8:5b, ethertype IPv4 (0x0800), length 94: (tos 0x0, ttl 63, id 12645, offset 0, flags [DF], proto IPIP (4), length 80)
10.10.16.81 > 10.10.16.251: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60)
10.244.29.18.80 > 10.244.129.128.32912: Flags [S.], cksum 0x2e7d (correct), seq 1577910226, ack 723071133, win 27760, options [mss 1400,sackOK,TS val 3906293681 ecr 4261840832,nop,wscale 7], length 0
18:04:19.042137 b0:08:75:5f:b8:5b > 48:57:02:64:ea:1b, ethertype IPv4 (0x0800), length 86: (tos 0x0, ttl 63, id 65393, offset 0, flags [DF], proto IPIP (4), length 72)
10.10.16.251 > 10.10.16.81: (tos 0x10, ttl 63, id 26412, offset 0, flags [DF], proto TCP (6), length 52)
10.244.129.128.32912 > 10.244.29.18.80: Flags [.], cksum 0xc435 (correct), seq 1, ack 1, win 502, options [nop,nop,TS val 4261842732 ecr 3906292631], length 0
18:04:19.596772 b0:08:75:5f:b8:5b > 48:57:02:64:ea:1b, ethertype IPv4 (0x0800), length 86: (tos 0x0, ttl 63, id 65431, offset 0, flags [DF], proto IPIP (4), length 72)
10.10.16.251 > 10.10.16.81: (tos 0x10, ttl 63, id 26413, offset 0, flags [DF], proto TCP (6), length 52)
10.244.129.128.32912 > 10.244.29.18.80: Flags [.], cksum 0xc20a (correct), seq 1, ack 1, win 502, options [nop,nop,TS val 4261843287 ecr 3906292631], length 0
18:04:21.581100 b0:08:75:5f:b8:5b > 48:57:02:64:ea:1b, ethertype IPv4 (0x0800), length 91: (tos 0x0, ttl 63, id 65485, offset 0, flags [DF], proto IPIP (4), length 77)
10.10.16.251 > 10.10.16.81: (tos 0x10, ttl 63, id 26414, offset 0, flags [DF], proto TCP (6), length 57)
10.244.129.128.32912 > 10.244.29.18.80: Flags [P.], cksum 0xb450 (correct), seq 1:6, ack 1, win 502, options [nop,nop,TS val 4261845265 ecr 3906292631], length 5: HTTP
18:04:21.581249 48:57:02:64:ea:1b > b0:08:75:5f:b8:5b, ethertype IPv4 (0x0800), length 86: (tos 0x0, ttl 63, id 12895, offset 0, flags [DF], proto IPIP (4), length 72)
10.10.16.81 > 10.10.16.251: (tos 0x0, ttl 63, id 34137, offset 0, flags [DF], proto TCP (6), length 52)
10.244.29.18.80 > 10.244.129.128.32912: Flags [.], cksum 0xaca5 (correct), seq 1, ack 6, win 217, options [nop,nop,TS val 3906296410 ecr 4261845265], length 0
18:04:21.581423 48:57:02:64:ea:1b > b0:08:75:5f:b8:5b, ethertype IPv4 (0x0800), length 395: (tos 0x0, ttl 63, id 12896, offset 0, flags [DF], proto IPIP (4), length 381)
10.10.16.81 > 10.10.16.251: (tos 0x0, ttl 63, id 34138, offset 0, flags [DF], proto TCP (6), length 361)
10.244.29.18.80 > 10.244.129.128.32912: Flags [P.], cksum 0x1365 (correct), seq 1:310, ack 6, win 217, options [nop,nop,TS val 3906296410 ecr 4261845265], length 309: HTTP, length: 309
Configuring a NetworkPolicy for NodePort
Option 1: add tunl0 to the network policy allowlist
root@ubuntu:~/tenant# cat ns-calico1-allow-nodeport.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ns-calico1-allow-nodeport
  namespace: ns-calico1
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - ipBlock:
            cidr: 10.244.129.128/32
10.244.129.128 is the IP of tunl0 on node 251
[root@centos7 ~]# ip a | grep 10.244.129.128 -B 2
18: tunl0@NONE: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
    inet 10.244.129.128/32 scope global tunl0
[root@centos7 ~]#
root@ubuntu:~/tenant# kubectl create -f ns-calico1-allow-nodeport.yaml
networkpolicy.networking.k8s.io/ns-calico1-allow-nodeport created
root@ubuntu:~/tenant# telnet 10.10.16.251 30090
Trying 10.10.16.251...
Connected to 10.10.16.251.
Escape character is '^]'.
^CConnection closed by foreign host.
root@ubuntu:~/tenant# ^C
root@ubuntu:~/tenant# kubectl delete -f ns-calico1-allow-nodeport.yaml
networkpolicy.networking.k8s.io "ns-calico1-allow-nodeport" deleted
root@ubuntu:~/tenant# telnet 10.10.16.251 30090
Trying 10.10.16.251...
^C
root@ubuntu:~/tenant#
Add the other nodes
[root@bogon ~]# ip a sh tunl0
99: tunl0@NONE: <NOARP,UP,LOWER_UP> mtu 1440 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
    inet 10.244.29.0/32 scope global tunl0
       valid_lft forever preferred_lft forever
root@ubuntu:~/tenant# ip a sh tunl0
9: tunl0@NONE: <NOARP,UP,LOWER_UP> mtu 1440 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
    inet 10.244.243.192/32 scope global tunl0
       valid_lft forever preferred_lft forever
root@ubuntu:~/tenant# cat ns-calico1-allow-nodeport.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ns-calico1-allow-nodeport
  namespace: ns-calico1
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - ipBlock:
            cidr: 10.244.243.192/32
        - ipBlock:
            cidr: 10.244.29.0/32
        - ipBlock:
            cidr: 10.244.129.128/32
root@ubuntu:~/tenant# telnet 10.10.16.81 30090 -- unreachable, because it does not need to go through tun
Trying 10.10.16.81...
^C
root@ubuntu:~/tenant# telnet 10.10.16.82 30090
Trying 10.10.16.82...
Connected to 10.10.16.82.
Escape character is '^]'.
^CConnection closed by foreign host.
root@ubuntu:~/tenant# telnet 10.10.16.251 30090
Trying 10.10.16.251...
Connected to 10.10.16.251.
Escape character is '^]'.
^CConnection closed by foreign host.
root@ubuntu:~/tenant#
root@ubuntu:~/tenant#
[root@bogon ~]# tcpdump -i enahisic2i0 port 30090 -eennvv
tcpdump: listening on enahisic2i0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:36:29.212699 48:57:02:64:e7:ab > 48:57:02:64:ea:1b, ethertype IPv4 (0x0800), length 74: (tos 0x10, ttl 64, id 53117, offset 0, flags [DF], proto TCP (6), length 60)
10.10.16.82.36878 > 10.10.16.81.30090: Flags [S], cksum 0x0359 (correct), seq 4059989590, win 64240, options [mss 1460,sackOK,TS val 534214458 ecr 0,nop,wscale 7], length 0
15:36:30.223510 48:57:02:64:e7:ab > 48:57:02:64:ea:1b, ethertype IPv4 (0x0800), length 74: (tos 0x10, ttl 64, id 53118, offset 0, flags [DF], proto TCP (6), length 60)
10.10.16.82.36878 > 10.10.16.81.30090: Flags [S], cksum 0xff65 (correct), seq 4059989590, win 64240, options [mss 1460,sackOK,TS val 534215469 ecr 0,nop,wscale 7], length 0
[root@bogon ~]# tcpdump -i enahisic2i0 "ip proto 4" -eennvv
tcpdump: listening on enahisic2i0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:33:03.083357 48:57:02:64:e7:ab > 48:57:02:64:ea:1b, ethertype IPv4 (0x0800), length 94: (tos 0x0, ttl 64, id 1130, offset 0, flags [DF], proto IPIP (4), length 80)
10.10.16.82 > 10.10.16.81: (tos 0x10, ttl 64, id 26910, offset 0, flags [DF], proto TCP (6), length 60)
10.244.243.192.60257 > 10.244.29.18.80: Flags [S], cksum 0x70ab (correct), seq 4158330560, win 65495, options [mss 65495,sackOK,TS val 2147171413 ecr 0,nop,wscale 7], length 0
15:33:03.083569 48:57:02:64:ea:1b > 48:57:02:64:e7:ab, ethertype IPv4 (0x0800), length 94: (tos 0x0, ttl 63, id 48841, offset 0, flags [DF], proto IPIP (4), length 80)
10.10.16.81 > 10.10.16.82: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60)
10.244.29.18.80 > 10.244.243.192.60257: Flags [S.], cksum 0xcbb4 (correct), seq 145643262, ack 4158330561, win 27760, options [mss 1400,sackOK,TS val 2605135801 ecr 2147171413,nop,wscale 7], length 0
15:33:03.083659 48:57:02:64:e7:ab > 48:57:02:64:ea:1b, ethertype IPv4 (0x0800), length 86: (tos 0x0, ttl 64, id 1131, offset 0, flags [DF], proto IPIP (4), length 72)
10.10.16.82 > 10.10.16.81: (tos 0x10, ttl 64, id 26911, offset 0, flags [DF], proto TCP (6), length 52)
10.244.243.192.60257 > 10.244.29.18.80: Flags [.], cksum 0x64b4 (correct), seq 1, ack 1, win 512, options [nop,nop,TS val 2147171414 ecr 2605135801], length 0
15:33:04.655192 48:57:02:64:e7:ab > 48:57:02:64:ea:1b, ethertype IPv4 (0x0800), length 88: (tos 0x0, ttl 64, id 1183, offset 0, flags [DF], proto IPIP (4), length 74)
10.10.16.82 > 10.10.16.81: (tos 0x10, ttl 64, id 26912, offset 0, flags [DF], proto TCP (6), length 54)
10.244.243.192.60257 > 10.244.29.18.80: Flags [P.], cksum 0x517d (correct), seq 1:3, ack 1, win 512, options [nop,nop,TS val 2147172985 ecr 2605135801], length 2: HTTP
15:33:04.655350 48:57:02:64:ea:1b > 48:57:02:64:e7:ab, ethertype IPv4 (0x0800), length 86: (tos 0x0, ttl 63, id 48890, offset 0, flags [DF], proto IPIP (4), length 72)
10.10.16.81 > 10.10.16.82: (tos 0x0, ttl 63, id 30144, offset 0, flags [DF], proto TCP (6), length 52)
10.244.29.18.80 > 10.244.243.192.60257: Flags [.], cksum 0x5992 (correct), seq 1, ack 3, win 217, options [nop,nop,TS val 2605137373 ecr 2147172985], length 0
15:33:05.567676 48:57:02:64:e7:ab > 48:57:02:64:ea:1b, ethertype IPv4 (0x0800), length 91: (tos 0x0, ttl 64, id 1243, offset 0, flags [DF], proto IPIP (4), length 77)
10.10.16.82 > 10.10.16.81: (tos 0x10, ttl 64, id 26913, offset 0, flags [DF], proto TCP (6), length 57)
10.244.243.192.60257 > 10.244.29.18.80: Flags [P.], cksum 0x4eda (correct), seq 3:8, ack 1, win 512, options [nop,nop,TS val 2147173898 ecr 2605137373], length 5: HTTP
15:33:05.567868 48:57:02:64:ea:1b > 48:57:02:64:e7:ab, ethertype IPv4 (0x0800), length 86: (tos 0x0, ttl 63, id 48904, offset 0, flags [DF], proto IPIP (4), length 72)
10.10.16.81 > 10.10.16.82: (tos 0x0, ttl 63, id 30145, offset 0, flags [DF], proto TCP (6), length 52)
10.244.29.18.80 > 10.244.243.192.60257: Flags [.], cksum 0x526b (correct), seq 1, ack 8, win 217, options [nop,nop,TS val 2605138286 ecr 2147173898], length 0
15:33:05.567960 48:57:02:64:ea:1b > 48:57:02:64:e7:ab, ethertype IPv4 (0x0800), length 395: (tos 0x0, ttl 63, id 48905, offset 0, flags [DF], proto IPIP (4), length 381)
10.10.16.81 > 10.10.16.82: (tos 0x0, ttl 63, id 30146, offset 0, flags [DF], proto TCP (6), length 361)
10.244.29.18.80 > 10.244.243.192.60257: Flags [P.], cksum 0x9c31 (correct), seq 1:310, ack 8, win 217, options [nop,nop,TS val 2605138286 ecr 2147173898], length 309: HTTP, length: 309
HTTP/1.1 400 Bad Request
Server: nginx/1.21.1
Date: Mon, 26 Jul 2021 07:33:05 GMT
Content-Type: text/html
Content-Length: 157
Connection: close
<html>
<head><title>400 Bad Request</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx/1.21.1</center>
</body>
</html>
15:33:05.568003 48:57:02:64:ea:1b > 48:57:02:64:e7:ab, ethertype IPv4 (0x0800), length 86: (tos 0x0, ttl 63, id 48906, offset 0, flags [DF], proto IPIP (4), length 72)
10.10.16.81 > 10.10.16.82: (tos 0x0, ttl 63, id 30147, offset 0, flags [DF], proto TCP (6), length 52)
10.244.29.18.80 > 10.244.243.192.60257: Flags [F.], cksum 0x5135 (correct), seq 310, ack 8, win 217, options [nop,nop,TS val 2605138286 ecr 2147173898], length 0
15:33:05.568032 48:57:02:64:e7:ab > 48:57:02:64:ea:1b, ethertype IPv4 (0x0800), length 86: (tos 0x0, ttl 64, id 1244, offset 0, flags [DF], proto IPIP (4), length 72)
10.10.16.82 > 10.10.16.81: (tos 0x10, ttl 64, id 26914, offset 0, flags [DF], proto TCP (6), length 52)
10.244.243.192.60257 > 10.244.29.18.80: Flags [.], cksum 0x5011 (correct), seq 8, ack 310, win 510, options [nop,nop,TS val 2147173898 ecr 2605138286], length 0
15:33:05.568101 48:57:02:64:e7:ab > 48:57:02:64:ea:1b, ethertype IPv4 (0x0800), length 86: (tos 0x0, ttl 64, id 1245, offset 0, flags [DF], proto IPIP (4), length 72)
10.10.16.82 > 10.10.16.81: (tos 0x10, ttl 64, id 26915, offset 0, flags [DF], proto TCP (6), length 52)
10.244.243.192.60257 > 10.244.29.18.80: Flags [F.], cksum 0x500d (correct), seq 8, ack 311, win 512, options [nop,nop,TS val 2147173898 ecr 2605138286], length 0
15:33:05.568159 48:57:02:64:ea:1b > 48:57:02:64:e7:ab, ethertype IPv4 (0x0800), length 86: (tos 0x0, ttl 63, id 48907, offset 0, flags [DF], proto IPIP (4), length 72)
10.10.16.81 > 10.10.16.82: (tos 0x0, ttl 63, id 30148, offset 0, flags [DF], proto TCP (6), length 52)
10.244.29.18.80 > 10.244.243.192.60257: Flags [.], cksum 0x5134 (correct), seq 311, ack 9, win 217, options [nop,nop,TS val 2605138286 ecr 2147173898], length 0
15:33:24.287108 b0:08:75:5f:b8:5b > 48:57:02:64:ea:1b, ethertype IPv4 (0x0800), length 94: (tos 0x0, ttl 63, id 18953, offset 0, flags [DF], proto IPIP (4), length 80)
10.10.16.251 > 10.10.16.81: (tos 0x10, ttl 63, id 45463, offset 0, flags [DF], proto TCP (6), length 
60) 10.244.129.128.1309 > 10.244.29.18.80: Flags [S], cksum 0x143d (correct), seq 3633586932, win 64240, options [mss 1460,sackOK,TS val 217020019 ecr 0,nop,wscale 7], length 0 15:33:24.287274 48:57:02:64:ea:1b > b0:08:75:5f:b8:5b, ethertype IPv4 (0x0800), length 94: (tos 0x0, ttl 63, id 23096, offset 0, flags [DF], proto IPIP (4), length 80) 10.10.16.81 > 10.10.16.251: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60) 10.244.29.18.80 > 10.244.129.128.1309: Flags [S.], cksum 0xdcfe (correct), seq 107779322, ack 3633586933, win 27760, options [mss 1400,sackOK,TS val 4156437188 ecr 217020019,nop,wscale 7], length 0 15:33:25.332524 48:57:02:64:ea:1b > b0:08:75:5f:b8:5b, ethertype IPv4 (0x0800), length 94: (tos 0x0, ttl 63, id 23200, offset 0, flags [DF], proto IPIP (4), length 80) 10.10.16.81 > 10.10.16.251: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60) 10.244.29.18.80 > 10.244.129.128.1309: Flags [S.], cksum 0xd8e9 (correct), seq 107779322, ack 3633586933, win 27760, options [mss 1400,sackOK,TS val 4156438233 ecr 217020019,nop,wscale 7], length 0 15:33:25.527473 b0:08:75:5f:b8:5b > 48:57:02:64:ea:1b, ethertype IPv4 (0x0800), length 86: (tos 0x0, ttl 63, id 19055, offset 0, flags [DF], proto IPIP (4), length 72) 10.10.16.251 > 10.10.16.81: (tos 0x10, ttl 63, id 45465, offset 0, flags [DF], proto TCP (6), length 52) 10.244.129.128.1309 > 10.244.29.18.80: Flags [.], cksum 0x6e99 (correct), seq 1, ack 1, win 502, options [nop,nop,TS val 217021923 ecr 4156437188], length 0 15:33:26.081278 b0:08:75:5f:b8:5b > 48:57:02:64:ea:1b, ethertype IPv4 (0x0800), length 86: (tos 0x0, ttl 63, id 19069, offset 0, flags [DF], proto IPIP (4), length 72) 10.10.16.251 > 10.10.16.81: (tos 0x10, ttl 63, id 45466, offset 0, flags [DF], proto TCP (6), length 52) 10.244.129.128.1309 > 10.244.29.18.80: Flags [.], cksum 0x6c6e (correct), seq 1, ack 1, win 502, options [nop,nop,TS val 217022478 ecr 4156437188], length 0 15:33:27.751477 
b0:08:75:5f:b8:5b > 48:57:02:64:ea:1b, ethertype IPv4 (0x0800), length 91: (tos 0x0, ttl 63, id 19103, offset 0, flags [DF], proto IPIP (4), length 77) 10.10.16.251 > 10.10.16.81: (tos 0x10, ttl 63, id 45467, offset 0, flags [DF], proto TCP (6), length 57) 10.244.129.128.1309 > 10.244.29.18.80: Flags [P.], cksum 0x5fef (correct), seq 1:6, ack 1, win 502, options [nop,nop,TS val 217024141 ecr 4156437188], length 5: HTTP 15:33:27.751612 48:57:02:64:ea:1b > b0:08:75:5f:b8:5b, ethertype IPv4 (0x0800), length 86: (tos 0x0, ttl 63, id 23259, offset 0, flags [DF], proto IPIP (4), length 72) 10.10.16.81 > 10.10.16.251: (tos 0x0, ttl 63, id 47352, offset 0, flags [DF], proto TCP (6), length 52) 10.244.29.18.80 > 10.244.129.128.1309: Flags [.], cksum 0x597f (correct), seq 1, ack 6, win 217, options [nop,nop,TS val 4156440652 ecr 217024141], length 0 15:33:27.751671 48:57:02:64:ea:1b > b0:08:75:5f:b8:5b, ethertype IPv4 (0x0800), length 395: (tos 0x0, ttl 63, id 23260, offset 0, flags [DF], proto IPIP (4), length 381) 10.10.16.81 > 10.10.16.251: (tos 0x0, ttl 63, id 47353, offset 0, flags [DF], proto TCP (6), length 361) 10.244.29.18.80 > 10.244.129.128.1309: Flags [P.], cksum 0xa143 (correct), seq 1:310, ack 6, win 217, options [nop,nop,TS val 4156440652 ecr 217024141], length 309: HTTP, length: 309 HTTP/1.1 400 Bad Request Server: nginx/1.21.1 Date: Mon, 26 Jul 2021 07:33:27 GMT Content-Type: text/html Content-Length: 157 Connection: close <html> <head><title>400 Bad Request</title></head> <body> <center><h1>400 Bad Request</h1></center> <hr><center>nginx/1.21.1</center> </body> </html> 15:33:27.751707 48:57:02:64:ea:1b > b0:08:75:5f:b8:5b, ethertype IPv4 (0x0800), length 86: (tos 0x0, ttl 63, id 23261, offset 0, flags [DF], proto IPIP (4), length 72) 10.10.16.81 > 10.10.16.251: (tos 0x0, ttl 63, id 47354, offset 0, flags [DF], proto TCP (6), length 52) 10.244.29.18.80 > 10.244.129.128.1309: Flags [F.], cksum 0x5849 (correct), seq 310, ack 6, win 217, options [nop,nop,TS val 
4156440652 ecr 217024141], length 0 15:33:28.305369 b0:08:75:5f:b8:5b > 48:57:02:64:ea:1b, ethertype IPv4 (0x0800), length 86: (tos 0x0, ttl 63, id 19127, offset 0, flags [DF], proto IPIP (4), length 72) 10.10.16.251 > 10.10.16.81: (tos 0x10, ttl 63, id 45468, offset 0, flags [DF], proto TCP (6), length 52) 10.244.129.128.1309 > 10.244.29.18.80: Flags [.], cksum 0x54fd (correct), seq 6, ack 310, win 501, options [nop,nop,TS val 217024702 ecr 4156440652], length 0 15:33:28.865882 b0:08:75:5f:b8:5b > 48:57:02:64:ea:1b, ethertype IPv4 (0x0800), length 86: (tos 0x0, ttl 63, id 19129, offset 0, flags [DF], proto IPIP (4), length 72) 10.10.16.251 > 10.10.16.81: (tos 0x10, ttl 63, id 45469, offset 0, flags [DF], proto TCP (6), length 52) 10.244.129.128.1309 > 10.244.29.18.80: Flags [F.], cksum 0x54fb (correct), seq 6, ack 311, win 501, options [nop,nop,TS val 217024702 ecr 4156440652], length 0 15:33:28.865969 48:57:02:64:ea:1b > b0:08:75:5f:b8:5b, ethertype IPv4 (0x0800), length 86: (tos 0x0, ttl 63, id 23285, offset 0, flags [DF], proto IPIP (4), length 72) 10.10.16.81 > 10.10.16.251: (tos 0x0, ttl 63, id 47355, offset 0, flags [DF], proto TCP (6), length 52) 10.244.29.18.80 > 10.244.129.128.1309: Flags [.], cksum 0x51bc (correct), seq 311, ack 7, win 217, options [nop,nop,TS val 4156441767 ecr 217024702], length 0
Rule analysis 1
[root@bogon ~]# iptables -t raw -j TRACE -p tcp --dport 30090 -I OUTPUT 1
You have mail in /var/spool/mail/root
[root@bogon ~]# iptables -t raw -j TRACE -p tcp --dport 30090 -I PREROUTING 1
root@ubuntu:~/tenant# telnet 10.10.16.82 30090
Trying 10.10.16.82...
Connected to 10.10.16.82.
Escape character is '^]'.
^CConnection closed by foreign host.
Jul 26 15:51:58 bogon kernel: TRACE: raw:PREROUTING:rule:4 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) Jul 26 15:51:58 bogon kernel: TRACE: raw:neutron-linuxbri-PREROUTING:return:1 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) Jul 26 15:51:58 bogon kernel: TRACE: raw:PREROUTING:policy:5 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) Jul 26 15:51:58 bogon kernel: TRACE: mangle:PREROUTING:rule:1 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) Jul 26 15:51:58 bogon kernel: TRACE: mangle:cali-PREROUTING:rule:3 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) Jul 26 15:51:58 bogon kernel: TRACE: mangle:cali-from-host-endpoint:return:1 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) Jul 26 15:51:58 bogon kernel: TRACE: mangle:cali-PREROUTING:return:5 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 
SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) Jul 26 15:51:58 bogon kernel: TRACE: mangle:PREROUTING:policy:2 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) Jul 26 15:51:58 bogon kernel: TRACE: nat:PREROUTING:rule:1 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) Jul 26 15:51:58 bogon kernel: TRACE: nat:cali-PREROUTING:rule:1 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) Jul 26 15:51:58 bogon kernel: TRACE: nat:cali-fip-dnat:return:1 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) Jul 26 15:51:58 bogon kernel: TRACE: nat:cali-PREROUTING:return:2 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) Jul 26 15:51:58 bogon kernel: TRACE: nat:PREROUTING:rule:2 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) Jul 26 15:51:58 bogon kernel: TRACE: nat:KUBE-SERVICES:return:14 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 
ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) Jul 26 15:51:58 bogon kernel: TRACE: nat:PREROUTING:policy:4 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) Jul 26 15:51:58 bogon kernel: TRACE: mangle:FORWARD:policy:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) Jul 26 15:51:58 bogon kernel: TRACE: filter:FORWARD:rule:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) Jul 26 15:51:58 bogon kernel: TRACE: filter:cali-FORWARD:rule:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) Jul 26 15:51:58 bogon kernel: TRACE: filter:cali-FORWARD:rule:2 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) Jul 26 15:51:58 bogon kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) Jul 26 15:51:58 bogon kernel: TRACE: filter:cali-FORWARD:rule:4 IN=tunl0 OUT=calied7f8899df7 MAC= 
SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) Jul 26 15:51:58 bogon kernel: TRACE: filter:cali-to-wl-dispatch:rule:8 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) Jul 26 15:51:58 bogon kernel: TRACE: filter:cali-tw-calied7f8899df7:rule:3 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) Jul 26 15:51:58 bogon kernel: TRACE: filter:cali-tw-calied7f8899df7:rule:4 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) Jul 26 15:51:58 bogon kernel: TRACE: filter:cali-tw-calied7f8899df7:rule:5 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) Jul 26 15:51:58 bogon kernel: TRACE: filter:cali-pi-_d4qo2yLPU80D48kRfyX:return:3 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) Jul 26 15:51:58 bogon kernel: TRACE: filter:cali-tw-calied7f8899df7:rule:7 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 
DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) Jul 26 15:51:58 bogon kernel: TRACE: filter:cali-pi-_FLz4bxhaRDTH6JoEJYH:rule:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) Jul 26 15:51:58 bogon kernel: TRACE: filter:cali-pi-_FLz4bxhaRDTH6JoEJYH:rule:2 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 bogon kernel: TRACE: filter:cali-tw-calied7f8899df7:rule:8 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 bogon kernel: TRACE: filter:cali-FORWARD:rule:5 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 bogon kernel: TRACE: filter:cali-to-hep-forward:return:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 bogon kernel: TRACE: filter:cali-FORWARD:rule:6 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT 
(0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 bogon kernel: TRACE: filter:cali-cidr-block:return:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 bogon kernel: TRACE: filter:cali-FORWARD:return:7 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 bogon kernel: TRACE: filter:FORWARD:rule:2 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 bogon kernel: TRACE: filter:KUBE-FORWARD:return:5 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 bogon kernel: TRACE: filter:FORWARD:rule:3 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 bogon kernel: TRACE: filter:KUBE-SERVICES:return:3 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 bogon kernel: 
TRACE: filter:FORWARD:rule:4 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 bogon kernel: TRACE: filter:DOCKER-USER:return:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 bogon kernel: TRACE: filter:FORWARD:rule:5 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 bogon kernel: TRACE: filter:DOCKER-ISOLATION-STAGE-1:return:2 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 bogon kernel: TRACE: filter:FORWARD:rule:10 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 bogon kernel: TRACE: filter:neutron-filter-top:rule:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 bogon kernel: TRACE: filter:neutron-linuxbri-local:return:1 IN=tunl0 OUT=calied7f8899df7 MAC= 
SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 bogon kernel: TRACE: filter:neutron-filter-top:return:2 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 bogon kernel: TRACE: filter:FORWARD:rule:11 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 bogon kernel: TRACE: filter:neutron-linuxbri-FORWARD:return:7 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 bogon kernel: TRACE: filter:FORWARD:rule:12 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 bogon kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=calied7f8899df7 SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 bogon kernel: TRACE: mangle:cali-POSTROUTING:rule:1 IN= OUT=calied7f8899df7 SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP 
SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 bogon kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=calied7f8899df7 SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 bogon kernel: TRACE: nat:POSTROUTING:rule:1 IN= OUT=calied7f8899df7 SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 bogon kernel: TRACE: nat:cali-POSTROUTING:rule:1 IN= OUT=calied7f8899df7 SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 bogon kernel: TRACE: nat:cali-fip-snat:return:1 IN= OUT=calied7f8899df7 SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 bogon kernel: TRACE: nat:cali-POSTROUTING:rule:2 IN= OUT=calied7f8899df7 SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 bogon kernel: TRACE: nat:cali-nat-outgoing:return:2 IN= OUT=calied7f8899df7 SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 
bogon kernel: TRACE: nat:cali-POSTROUTING:return:4 IN= OUT=calied7f8899df7 SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 bogon kernel: TRACE: nat:POSTROUTING:rule:2 IN= OUT=calied7f8899df7 SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 bogon kernel: TRACE: nat:KUBE-POSTROUTING:return:2 IN= OUT=calied7f8899df7 SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000 Jul 26 15:51:58 bogon kernel: TRACE: nat:POSTROUTING:policy:6 IN= OUT=calied7f8899df7 SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201486 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A800C91270000000001030307) MARK=0x10000
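One way to reduce a TRACE dump like the one above to something readable, as an added example that is not part of the original post: the Python below groups TRACE lines per packet and reports the hook path, the first hop that shows a MARK, and, for forwarded packets, the hop where the trace stops before POSTROUTING. The sample lines are constructed in the page's log format with shortened fields; packet ID=900 and the `example-deny` chain are hypothetical.

```python
import re
from collections import OrderedDict

# Constructed sample in the page's kernel TRACE format (packet fields shortened).
# ID=221 follows the SYN traced above; ID=900 and the "example-deny" chain are
# hypothetical and show a trace that stops inside filter FORWARD.
SAMPLE_LOG = """\
Jul 26 15:51:58 bogon kernel: TRACE: raw:PREROUTING:rule:4 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 TTL=64 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SYN URGP=0
Jul 26 15:51:58 bogon kernel: TRACE: raw:PREROUTING:policy:5 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 TTL=64 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SYN URGP=0
Jul 26 15:51:58 bogon kernel: TRACE: mangle:PREROUTING:policy:2 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 TTL=64 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SYN URGP=0
Jul 26 15:51:58 bogon kernel: TRACE: nat:PREROUTING:policy:4 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 TTL=64 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SYN URGP=0
Jul 26 15:51:58 bogon kernel: TRACE: mangle:FORWARD:policy:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SYN URGP=0
Jul 26 15:51:58 bogon kernel: TRACE: filter:FORWARD:rule:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SYN URGP=0
Jul 26 15:51:58 bogon kernel: TRACE: filter:cali-pi-_FLz4bxhaRDTH6JoEJYH:rule:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SYN URGP=0
Jul 26 15:51:58 bogon kernel: TRACE: filter:cali-pi-_FLz4bxhaRDTH6JoEJYH:rule:2 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SYN URGP=0 MARK=0x10000
Jul 26 15:51:58 bogon kernel: TRACE: filter:FORWARD:rule:12 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SYN URGP=0 MARK=0x10000
Jul 26 15:51:58 bogon kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=calied7f8899df7 SRC=10.244.243.192 DST=10.244.29.18 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SYN URGP=0 MARK=0x10000
Jul 26 15:51:58 bogon kernel: TRACE: nat:POSTROUTING:policy:6 IN= OUT=calied7f8899df7 SRC=10.244.243.192 DST=10.244.29.18 TTL=63 ID=221 DF PROTO=TCP SPT=21338 DPT=80 SYN URGP=0 MARK=0x10000
Jul 26 15:52:10 bogon kernel: TRACE: raw:PREROUTING:policy:5 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 TTL=64 ID=900 DF PROTO=TCP SPT=40000 DPT=80 SYN URGP=0
Jul 26 15:52:10 bogon kernel: TRACE: mangle:FORWARD:policy:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 TTL=63 ID=900 DF PROTO=TCP SPT=40000 DPT=80 SYN URGP=0
Jul 26 15:52:10 bogon kernel: TRACE: filter:FORWARD:rule:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 TTL=63 ID=900 DF PROTO=TCP SPT=40000 DPT=80 SYN URGP=0
Jul 26 15:52:10 bogon kernel: TRACE: filter:example-deny:rule:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 TTL=63 ID=900 DF PROTO=TCP SPT=40000 DPT=80 SYN URGP=0
"""

# "TRACE: <table>:<chain>:<rule|return|policy>:<rule number> <packet fields>"
TRACE_RE = re.compile(
    r"TRACE: (?P<table>[^:\s]+):(?P<chain>[^:\s]+):"
    r"(?P<kind>rule|return|policy):(?P<num>\d+) (?P<rest>.*)"
)
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")   # KEY=value pairs; the value may be empty (OUT=)
BUILTIN = {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"}


def parse_trace(text):
    """Group TRACE lines by packet (SRC, DST, SPT, DPT, IP ID), keeping log order."""
    packets = OrderedDict()
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue                      # not a TRACE line (other kernel messages)
        fields = dict(FIELD_RE.findall(m.group("rest")))
        key = tuple(fields.get(k) for k in ("SRC", "DST", "SPT", "DPT", "ID"))
        hop = "{table}:{chain}:{kind}:{num}".format(**m.groupdict())
        packets.setdefault(key, []).append(
            {"table": m.group("table"), "chain": m.group("chain"),
             "hop": hop, "fields": fields})
    return packets


def summarize(hops):
    """Reduce one packet's hops to its hook path and the points worth inspecting."""
    stages, mark_first_seen = [], None
    for h in hops:
        if h["chain"] in BUILTIN:         # user-defined chains are folded into their hook
            stage = h["table"] + ":" + h["chain"]
            if not stages or stages[-1] != stage:
                stages.append(stage)
        if mark_first_seen is None and "MARK" in h["fields"]:
            mark_first_seen = h["hop"]    # first log line that carries MARK=
    forwarded = any(s.endswith(":FORWARD") for s in stages)
    reached_post = any(s.endswith(":POSTROUTING") for s in stages)
    # Heuristic (assumption): with the mangle/nat tables loaded, as in the log above,
    # a forwarded packet that is not dropped is logged again in POSTROUTING. A trace
    # that ends earlier points at the rule to inspect with iptables -L --line-numbers.
    stopped_in = hops[-1]["hop"] if forwarded and not reached_post else None
    return {"stages": stages,
            "ttl": (hops[0]["fields"].get("TTL"), hops[-1]["fields"].get("TTL")),
            "mark_first_seen": mark_first_seen,
            "last_hop": hops[-1]["hop"],
            "stopped_in": stopped_in}


if __name__ == "__main__":
    for key, hops in parse_trace(SAMPLE_LOG).items():
        s = summarize(hops)
        print(key, "->", " > ".join(s["stages"]))
        print("   ttl", s["ttl"], "mark first seen:", s["mark_first_seen"],
              "stopped in:", s["stopped_in"])
```

To use it on a real capture, pass the contents of the file rsyslog writes kernel messages to (for example /var/log/messages) to `parse_trace` instead of `SAMPLE_LOG`.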
Jul 26 15:51:58 bogon kernel: TRACE: raw:PREROUTING:rule:4 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=222 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK URGP=0 OPT (0101080A800C91299B588C84) Jul 26 15:51:58 bogon kernel: TRACE: raw:neutron-linuxbri-PREROUTING:return:1 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=222 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK URGP=0 OPT (0101080A800C91299B588C84) Jul 26 15:51:58 bogon kernel: TRACE: raw:PREROUTING:policy:5 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=222 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK URGP=0 OPT (0101080A800C91299B588C84) Jul 26 15:51:58 bogon kernel: TRACE: mangle:PREROUTING:rule:1 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=222 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK URGP=0 OPT (0101080A800C91299B588C84) Jul 26 15:51:58 bogon kernel: TRACE: mangle:cali-PREROUTING:rule:1 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=222 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK URGP=0 OPT (0101080A800C91299B588C84) Jul 26 15:51:58 bogon kernel: TRACE: mangle:FORWARD:policy:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=222 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK URGP=0 OPT (0101080A800C91299B588C84) Jul 26 15:51:58 bogon kernel: TRACE: filter:FORWARD:rule:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=222 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK URGP=0 OPT (0101080A800C91299B588C84) Jul 
26 15:51:58 bogon kernel: TRACE: filter:cali-FORWARD:rule:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=222 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK URGP=0 OPT (0101080A800C91299B588C84) Jul 26 15:51:58 bogon kernel: TRACE: filter:cali-FORWARD:rule:2 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=222 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK URGP=0 OPT (0101080A800C91299B588C84) Jul 26 15:51:58 bogon kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=222 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK URGP=0 OPT (0101080A800C91299B588C84) Jul 26 15:51:58 bogon kernel: TRACE: filter:cali-FORWARD:rule:4 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=222 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK URGP=0 OPT (0101080A800C91299B588C84) Jul 26 15:51:58 bogon kernel: TRACE: filter:cali-to-wl-dispatch:rule:8 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=222 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK URGP=0 OPT (0101080A800C91299B588C84) Jul 26 15:51:58 bogon kernel: TRACE: filter:cali-tw-calied7f8899df7:rule:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=222 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK URGP=0 OPT (0101080A800C91299B588C84) Jul 26 15:51:58 bogon kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=calied7f8899df7 SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=222 DF PROTO=TCP SPT=21338 DPT=80 
SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK URGP=0 OPT (0101080A800C91299B588C84) Jul 26 15:51:58 bogon kernel: TRACE: mangle:cali-POSTROUTING:rule:3 IN= OUT=calied7f8899df7 SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=222 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK URGP=0 OPT (0101080A800C91299B588C84) Jul 26 15:51:58 bogon kernel: TRACE: mangle:cali-POSTROUTING:return:6 IN= OUT=calied7f8899df7 SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=222 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK URGP=0 OPT (0101080A800C91299B588C84) Jul 26 15:51:58 bogon kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=calied7f8899df7 SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=222 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK URGP=0 OPT (0101080A800C91299B588C84) Jul 26 15:52:00 bogon kernel: TRACE: raw:PREROUTING:rule:4 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=64 ID=223 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK PSH URGP=0 OPT (0101080A800C971B9B588C84) Jul 26 15:52:00 bogon kernel: TRACE: raw:neutron-linuxbri-PREROUTING:return:1 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=64 ID=223 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK PSH URGP=0 OPT (0101080A800C971B9B588C84) Jul 26 15:52:00 bogon kernel: TRACE: raw:PREROUTING:policy:5 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=64 ID=223 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK PSH URGP=0 OPT (0101080A800C971B9B588C84) Jul 26 15:52:00 bogon kernel: TRACE: mangle:PREROUTING:rule:1 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=64 ID=223 DF PROTO=TCP 
SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK PSH URGP=0 OPT (0101080A800C971B9B588C84) Jul 26 15:52:00 bogon kernel: TRACE: mangle:cali-PREROUTING:rule:1 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=64 ID=223 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK PSH URGP=0 OPT (0101080A800C971B9B588C84) Jul 26 15:52:00 bogon kernel: TRACE: mangle:FORWARD:policy:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=63 ID=223 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK PSH URGP=0 OPT (0101080A800C971B9B588C84) Jul 26 15:52:00 bogon kernel: TRACE: filter:FORWARD:rule:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=63 ID=223 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK PSH URGP=0 OPT (0101080A800C971B9B588C84) Jul 26 15:52:00 bogon kernel: TRACE: filter:cali-FORWARD:rule:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=63 ID=223 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK PSH URGP=0 OPT (0101080A800C971B9B588C84) Jul 26 15:52:00 bogon kernel: TRACE: filter:cali-FORWARD:rule:2 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=63 ID=223 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK PSH URGP=0 OPT (0101080A800C971B9B588C84) Jul 26 15:52:00 bogon kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=63 ID=223 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK PSH URGP=0 OPT (0101080A800C971B9B588C84) Jul 26 15:52:00 bogon kernel: TRACE: filter:cali-FORWARD:rule:4 IN=tunl0 OUT=calied7f8899df7 
MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=63 ID=223 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK PSH URGP=0 OPT (0101080A800C971B9B588C84) Jul 26 15:52:00 bogon kernel: TRACE: filter:cali-to-wl-dispatch:rule:8 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=63 ID=223 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK PSH URGP=0 OPT (0101080A800C971B9B588C84) Jul 26 15:52:00 bogon kernel: TRACE: filter:cali-tw-calied7f8899df7:rule:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=63 ID=223 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK PSH URGP=0 OPT (0101080A800C971B9B588C84) Jul 26 15:52:00 bogon kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=calied7f8899df7 SRC=10.244.243.192 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=63 ID=223 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK PSH URGP=0 OPT (0101080A800C971B9B588C84) Jul 26 15:52:00 bogon kernel: TRACE: mangle:cali-POSTROUTING:rule:3 IN= OUT=calied7f8899df7 SRC=10.244.243.192 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=63 ID=223 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK PSH URGP=0 OPT (0101080A800C971B9B588C84) Jul 26 15:52:00 bogon kernel: TRACE: mangle:cali-POSTROUTING:return:6 IN= OUT=calied7f8899df7 SRC=10.244.243.192 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=63 ID=223 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK PSH URGP=0 OPT (0101080A800C971B9B588C84) Jul 26 15:52:00 bogon kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=calied7f8899df7 SRC=10.244.243.192 DST=10.244.29.18 LEN=57 TOS=0x10 PREC=0x00 TTL=63 ID=223 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201487 ACK=2315052866 WINDOW=512 RES=0x00 ACK PSH URGP=0 OPT (0101080A800C971B9B588C84) Jul 
26 15:52:00 bogon kernel: TRACE: raw:PREROUTING:rule:4 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=224 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053175 WINDOW=510 RES=0x00 ACK URGP=0 OPT (0101080A800C971C9B589276) Jul 26 15:52:00 bogon kernel: TRACE: raw:neutron-linuxbri-PREROUTING:return:1 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=224 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053175 WINDOW=510 RES=0x00 ACK URGP=0 OPT (0101080A800C971C9B589276) Jul 26 15:52:00 bogon kernel: TRACE: raw:PREROUTING:policy:5 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=224 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053175 WINDOW=510 RES=0x00 ACK URGP=0 OPT (0101080A800C971C9B589276) Jul 26 15:52:00 bogon kernel: TRACE: mangle:PREROUTING:rule:1 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=224 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053175 WINDOW=510 RES=0x00 ACK URGP=0 OPT (0101080A800C971C9B589276) Jul 26 15:52:00 bogon kernel: TRACE: mangle:cali-PREROUTING:rule:1 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=224 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053175 WINDOW=510 RES=0x00 ACK URGP=0 OPT (0101080A800C971C9B589276) Jul 26 15:52:00 bogon kernel: TRACE: mangle:FORWARD:policy:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=224 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053175 WINDOW=510 RES=0x00 ACK URGP=0 OPT (0101080A800C971C9B589276) Jul 26 15:52:00 bogon kernel: TRACE: filter:FORWARD:rule:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=224 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053175 WINDOW=510 RES=0x00 ACK URGP=0 OPT (0101080A800C971C9B589276) Jul 26 
15:52:00 bogon kernel: TRACE: filter:cali-FORWARD:rule:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=224 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053175 WINDOW=510 RES=0x00 ACK URGP=0 OPT (0101080A800C971C9B589276) Jul 26 15:52:00 bogon kernel: TRACE: filter:cali-FORWARD:rule:2 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=224 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053175 WINDOW=510 RES=0x00 ACK URGP=0 OPT (0101080A800C971C9B589276) Jul 26 15:52:00 bogon kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=224 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053175 WINDOW=510 RES=0x00 ACK URGP=0 OPT (0101080A800C971C9B589276) Jul 26 15:52:00 bogon kernel: TRACE: filter:cali-FORWARD:rule:4 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=224 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053175 WINDOW=510 RES=0x00 ACK URGP=0 OPT (0101080A800C971C9B589276) Jul 26 15:52:00 bogon kernel: TRACE: filter:cali-to-wl-dispatch:rule:8 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=224 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053175 WINDOW=510 RES=0x00 ACK URGP=0 OPT (0101080A800C971C9B589276) Jul 26 15:52:00 bogon kernel: TRACE: filter:cali-tw-calied7f8899df7:rule:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=224 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053175 WINDOW=510 RES=0x00 ACK URGP=0 OPT (0101080A800C971C9B589276) Jul 26 15:52:00 bogon kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=calied7f8899df7 SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=224 DF PROTO=TCP SPT=21338 DPT=80 
SEQ=1139201492 ACK=2315053175 WINDOW=510 RES=0x00 ACK URGP=0 OPT (0101080A800C971C9B589276) Jul 26 15:52:00 bogon kernel: TRACE: mangle:cali-POSTROUTING:rule:3 IN= OUT=calied7f8899df7 SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=224 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053175 WINDOW=510 RES=0x00 ACK URGP=0 OPT (0101080A800C971C9B589276) Jul 26 15:52:00 bogon kernel: TRACE: mangle:cali-POSTROUTING:return:6 IN= OUT=calied7f8899df7 SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=224 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053175 WINDOW=510 RES=0x00 ACK URGP=0 OPT (0101080A800C971C9B589276) Jul 26 15:52:00 bogon kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=calied7f8899df7 SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=224 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053175 WINDOW=510 RES=0x00 ACK URGP=0 OPT (0101080A800C971C9B589276) Jul 26 15:52:00 bogon kernel: TRACE: raw:PREROUTING:rule:4 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=225 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053176 WINDOW=512 RES=0x00 ACK FIN URGP=0 OPT (0101080A800C971C9B589277) Jul 26 15:52:00 bogon kernel: TRACE: raw:neutron-linuxbri-PREROUTING:return:1 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=225 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053176 WINDOW=512 RES=0x00 ACK FIN URGP=0 OPT (0101080A800C971C9B589277) Jul 26 15:52:00 bogon kernel: TRACE: raw:PREROUTING:policy:5 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=225 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053176 WINDOW=512 RES=0x00 ACK FIN URGP=0 OPT (0101080A800C971C9B589277) Jul 26 15:52:00 bogon kernel: TRACE: mangle:PREROUTING:rule:1 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=225 DF PROTO=TCP 
SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053176 WINDOW=512 RES=0x00 ACK FIN URGP=0 OPT (0101080A800C971C9B589277) Jul 26 15:52:00 bogon kernel: TRACE: mangle:cali-PREROUTING:rule:1 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=225 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053176 WINDOW=512 RES=0x00 ACK FIN URGP=0 OPT (0101080A800C971C9B589277) Jul 26 15:52:00 bogon kernel: TRACE: mangle:FORWARD:policy:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=225 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053176 WINDOW=512 RES=0x00 ACK FIN URGP=0 OPT (0101080A800C971C9B589277) Jul 26 15:52:00 bogon kernel: TRACE: filter:FORWARD:rule:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=225 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053176 WINDOW=512 RES=0x00 ACK FIN URGP=0 OPT (0101080A800C971C9B589277) Jul 26 15:52:00 bogon kernel: TRACE: filter:cali-FORWARD:rule:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=225 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053176 WINDOW=512 RES=0x00 ACK FIN URGP=0 OPT (0101080A800C971C9B589277) Jul 26 15:52:00 bogon kernel: TRACE: filter:cali-FORWARD:rule:2 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=225 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053176 WINDOW=512 RES=0x00 ACK FIN URGP=0 OPT (0101080A800C971C9B589277) Jul 26 15:52:00 bogon kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=225 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053176 WINDOW=512 RES=0x00 ACK FIN URGP=0 OPT (0101080A800C971C9B589277) Jul 26 15:52:00 bogon kernel: TRACE: filter:cali-FORWARD:rule:4 IN=tunl0 OUT=calied7f8899df7 
MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=225 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053176 WINDOW=512 RES=0x00 ACK FIN URGP=0 OPT (0101080A800C971C9B589277) Jul 26 15:52:00 bogon kernel: TRACE: filter:cali-to-wl-dispatch:rule:8 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=225 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053176 WINDOW=512 RES=0x00 ACK FIN URGP=0 OPT (0101080A800C971C9B589277) Jul 26 15:52:00 bogon kernel: TRACE: filter:cali-tw-calied7f8899df7:rule:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=225 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053176 WINDOW=512 RES=0x00 ACK FIN URGP=0 OPT (0101080A800C971C9B589277) Jul 26 15:52:00 bogon kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=calied7f8899df7 SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=225 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053176 WINDOW=512 RES=0x00 ACK FIN URGP=0 OPT (0101080A800C971C9B589277) Jul 26 15:52:00 bogon kernel: TRACE: mangle:cali-POSTROUTING:rule:3 IN= OUT=calied7f8899df7 SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=225 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053176 WINDOW=512 RES=0x00 ACK FIN URGP=0 OPT (0101080A800C971C9B589277) Jul 26 15:52:00 bogon kernel: TRACE: mangle:cali-POSTROUTING:return:6 IN= OUT=calied7f8899df7 SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=225 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053176 WINDOW=512 RES=0x00 ACK FIN URGP=0 OPT (0101080A800C971C9B589277) Jul 26 15:52:00 bogon kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=calied7f8899df7 SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=225 DF PROTO=TCP SPT=21338 DPT=80 SEQ=1139201492 ACK=2315053176 WINDOW=512 RES=0x00 ACK FIN URGP=0 OPT (0101080A800C971C9B589277)
Jul 26 15:51:58 bogon kernel: TRACE: filter:cali-tw-calied7f8899df7:rule:7 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00


cali-pi-_d4qo2yLPU80D48kRfyX
Does not depend on ipset

[root@bogon ~]# iptables -n -L cali-tw-calied7f8899df7 --line-numbers
Chain cali-tw-calied7f8899df7 (1 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:kn4QebtExp2YeP53 */ ctstate RELATED,ESTABLISHED
2 DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:NJHGlR222V6rIF6g */ ctstate INVALID
3 MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:u_9WY525Ezzlp2Cm */ MARK and 0xfffeffff
4 MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:s-VDlAmooRZkiuQk */ /* Start of policies */ MARK and 0xfffdffff
5 cali-pi-_d4qo2yLPU80D48kRfyX all -- 0.0.0.0/0 0.0.0.0/0 /* cali:ADtCXwO5xstoAg-S */ mark match 0x0/0x20000
6 RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:R-fu5TX8gUDgDTt1 */ /* Return if policy accepted */ mark match 0x10000/0x10000
7 cali-pi-_FLz4bxhaRDTH6JoEJYH all -- 0.0.0.0/0 0.0.0.0/0 /* cali:-UH9xZbvfDBy-bUT */ mark match 0x0/0x20000
8 RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:bk6wC08Yu17R0fC0 */ /* Return if policy accepted */ mark match 0x10000/0x10000
9 DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:lVsPrm8dAPJC3-Pd */ /* Drop if no policies passed packet */ mark match 0x0/0x20000
10 cali-pri-kns.ns-calico1 all -- 0.0.0.0/0 0.0.0.0/0 /* cali:YISILF2dnQ9cs8WZ */
11 RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:Z9FO-kij_2bXKfxB */ /* Return if profile accepted */ mark match 0x10000/0x10000
12 cali-pri-_8Cq7uSyTGAC1eyOT4n all -- 0.0.0.0/0 0.0.0.0/0 /* cali:96nZCQpoi-dyCvwB */
13 RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:GgHheQZ0ZVuRkp1A */ /* Return if profile accepted */ mark match 0x10000/0x10000
14 DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:-cXPM5-tChbw1kFQ */ /* Drop if no profiles matched */
[root@bogon ~]# iptables -S -t filter | grep cali-tw-calied7f8899df7
-N cali-tw-calied7f8899df7
-A cali-to-wl-dispatch -o calied7f8899df7 -m comment --comment "cali:U4esAIF6rGgD_jUI" -g cali-tw-calied7f8899df7
-A cali-tw-calied7f8899df7 -m comment --comment "cali:kn4QebtExp2YeP53" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-calied7f8899df7 -m comment --comment "cali:NJHGlR222V6rIF6g" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-calied7f8899df7 -m comment --comment "cali:u_9WY525Ezzlp2Cm" -j MARK --set-xmark 0x0/0x10000
-A cali-tw-calied7f8899df7 -m comment --comment "cali:s-VDlAmooRZkiuQk" -m comment --comment "Start of policies" -j MARK --set-xmark 0x0/0x20000
-A cali-tw-calied7f8899df7 -m comment --comment "cali:ADtCXwO5xstoAg-S" -m mark --mark 0x0/0x20000 -j cali-pi-_d4qo2yLPU80D48kRfyX
-A cali-tw-calied7f8899df7 -m comment --comment "cali:R-fu5TX8gUDgDTt1" -m comment --comment "Return if policy accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-tw-calied7f8899df7 -m comment --comment "cali:-UH9xZbvfDBy-bUT" -m mark --mark 0x0/0x20000 -j cali-pi-_FLz4bxhaRDTH6JoEJYH
-A cali-tw-calied7f8899df7 -m comment --comment "cali:bk6wC08Yu17R0fC0" -m comment --comment "Return if policy accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-tw-calied7f8899df7 -m comment --comment "cali:lVsPrm8dAPJC3-Pd" -m comment --comment "Drop if no policies passed packet" -m mark --mark 0x0/0x20000 -j DROP
-A cali-tw-calied7f8899df7 -m comment --comment "cali:YISILF2dnQ9cs8WZ" -j cali-pri-kns.ns-calico1
-A cali-tw-calied7f8899df7 -m comment --comment "cali:Z9FO-kij_2bXKfxB" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-tw-calied7f8899df7 -m comment --comment "cali:96nZCQpoi-dyCvwB" -j cali-pri-_8Cq7uSyTGAC1eyOT4n
-A cali-tw-calied7f8899df7 -m comment --comment "cali:GgHheQZ0ZVuRkp1A" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-tw-calied7f8899df7 -m comment --comment "cali:-cXPM5-tChbw1kFQ" -m comment --comment "Drop if no profiles matched" -j DROP
You have mail in /var/spool/mail/root
[root@bogon ~]# iptables -n -L cali-pi-_d4qo2yLPU80D48kRfyX --line-numbers
Chain cali-pi-_d4qo2yLPU80D48kRfyX (2 references)
num target prot opt source destination
1 MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:g4yVdp-aDhBfIFYj */ match-set cali40s:9Hlc81Gd85Ibld7JGuPSvtB src match-set cali40s:9Hlc81Gd85Ibld7JGuPSvtB dst MARK or 0x10000
2 RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:H0FDsVywIfehzJca */ mark match 0x10000/0x10000
[root@bogon ~]# iptables -n -L cali-pi-_FLz4bxhaRDTH6JoEJYH --line-numbers
Chain cali-pi-_FLz4bxhaRDTH6JoEJYH (1 references)
num target prot opt source destination
1 MARK all -- 10.244.243.192 0.0.0.0/0 /* cali:VxdNeYm8-5T5xtvD */ MARK or 0x10000
2 RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:W3iLaeW3pJ0EYgMm */ mark match 0x10000/0x10000
3 MARK all -- 10.244.29.0 0.0.0.0/0 /* cali:EyaU_cpCQhAodqMB */ MARK or 0x10000
4 RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:DEkso6mTq5yOezpx */ mark match 0x10000/0x10000
5 MARK all -- 10.244.129.128 0.0.0.0/0 /* cali:6CNqXnI0R9KsgwFk */ MARK or 0x10000
6 RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:NOO5_7m70AuQx5Gk */ mark match 0x10000/0x10000
[root@bogon ~]#
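The following Python is an added example, not code from the original page: it splits TRACE records like the ones logged above even when several share a line or wrap, groups them by packet (addresses, ports and IP ID), and reports the last table:chain:type:rulenum each packet hit together with the `iptables ... --line-numbers` command that lists that chain. The function names and the shortened SAMPLE records are constructed for illustration, and `reached_postrouting` is a heuristic that only applies to forwarded traffic such as the flow traced here.

```python
import re

# One trace record: "TRACE: <table>:<chain>:<rule|return|policy>:<rulenum> KEY=VALUE ..."
RECORD = re.compile(
    r"TRACE: (?P<table>\w+):(?P<chain>[^:\s]+):(?P<kind>rule|return|policy):(?P<num>\d+)"
    r"(?P<rest>.*?)(?=TRACE: |\Z)",
    re.S,
)
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")               # IN=tunl0, OUT= (empty), ID=224 ...
FLAGS = re.compile(r"RES=\S+ ((?:[A-Z]+ )*)URGP=")    # bare TCP flag words, e.g. "ACK PSH"

# Constructed sample in the format of the logs above: fields shortened, several
# records on one physical line and one record wrapped after "Jul".
ACK_PKT = ("SRC=10.244.243.192 DST=10.244.29.18 LEN=52 TTL=63 ID=224 DF PROTO=TCP "
           "SPT=21338 DPT=80 WINDOW=510 RES=0x00 ACK URGP=0")
SYN_PKT = ("SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TTL=63 ID=48283 DF PROTO=TCP "
           "SPT=12128 DPT=80 WINDOW=65495 RES=0x00 SYN URGP=0")
SAMPLE = (
    f"Jul 26 15:52:00 bogon kernel: TRACE: raw:PREROUTING:rule:4 IN=tunl0 OUT= MAC= {ACK_PKT} "
    f"Jul 26 15:52:00 bogon kernel: TRACE: filter:cali-tw-calied7f8899df7:rule:1 "
    f"IN=tunl0 OUT=calied7f8899df7 MAC= {ACK_PKT} Jul\n"
    f"26 15:52:00 bogon kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=calied7f8899df7 {ACK_PKT}\n"
    f"Jul 26 15:56:46 bogon kernel: TRACE: raw:PREROUTING:rule:4 IN=tunl0 OUT= MAC= {SYN_PKT} "
    f"Jul 26 15:56:46 bogon kernel: TRACE: filter:cali-tw-calied7f8899df7:rule:5 "
    f"IN=tunl0 OUT=calied7f8899df7 MAC= {SYN_PKT} "
    f"Jul 26 15:56:46 bogon kernel: TRACE: filter:cali-pi-_d4qo2yLPU80D48kRfyX:return:3 "
    f"IN=tunl0 OUT=calied7f8899df7 MAC= {SYN_PKT} "
    f"Jul 26 15:56:46 bogon kernel: TRACE: filter:cali-tw-calied7f8899df7:rule:7 "
    f"IN=tunl0 OUT=calied7f8899df7 MAC= {SYN_PKT}\n"
)


def parse_trace(text):
    """Yield one dict per TRACE record, even when records share a line or wrap."""
    text = " ".join(text.split())  # undo line breaks introduced by paging or pasting
    for m in RECORD.finditer(text):
        fields = dict(FIELD.findall(m["rest"]))
        flags = FLAGS.search(m["rest"])
        yield {
            "hop": (m["table"], m["chain"], m["kind"], int(m["num"])),
            "packet": tuple(fields.get(k, "")
                            for k in ("SRC", "DST", "PROTO", "SPT", "DPT", "ID")),
            "flags": flags.group(1).split() if flags else [],
        }


def packet_paths(text):
    """Group hops by packet (addresses, ports, IP ID), keeping log order."""
    paths = {}
    for rec in parse_trace(text):
        entry = paths.setdefault(rec["packet"], {"flags": rec["flags"], "hops": []})
        entry["hops"].append(rec["hop"])
    return paths


def report(text):
    """Summarise each packet: hop count, last hop, and how to list that chain."""
    rows = []
    for packet, entry in packet_paths(text).items():
        table, chain, kind, num = entry["hops"][-1]
        rows.append({
            "id": packet[5],
            "flags": entry["flags"],
            "hops": len(entry["hops"]),
            "last": f"{table}:{chain}:{kind}:{num}",
            # Heuristic: a forwarded packet that was passed on is traced into POSTROUTING.
            "reached_postrouting": any(h[1] == "POSTROUTING" for h in entry["hops"]),
            # The rule number in the trace is the "num" column of this listing.
            "inspect": f"iptables -t {table} -n -L {chain} --line-numbers",
        })
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

A packet whose path stops short of POSTROUTING is the one to chase: run the printed `inspect` command and read the rule at the reported number, then the chain it jumps to.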
Delete the NetworkPolicy
root@ubuntu:~/tenant# telnet 10.10.16.82 30090
Trying 10.10.16.82...
^C
root@ubuntu:~/tenant#
Jul 26 15:56:46 bogon kernel: TRACE: raw:PREROUTING:rule:4 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=48283 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F4A90000000001030307) Jul 26 15:56:46 bogon kernel: TRACE: raw:neutron-linuxbri-PREROUTING:return:1 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=48283 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F4A90000000001030307) Jul 26 15:56:46 bogon kernel: TRACE: raw:PREROUTING:policy:5 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=48283 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F4A90000000001030307) Jul 26 15:56:46 bogon kernel: TRACE: mangle:PREROUTING:rule:1 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=48283 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F4A90000000001030307) Jul 26 15:56:46 bogon kernel: TRACE: mangle:cali-PREROUTING:rule:3 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=48283 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F4A90000000001030307) Jul 26 15:56:46 bogon kernel: TRACE: mangle:cali-from-host-endpoint:return:1 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=48283 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F4A90000000001030307) Jul 26 15:56:46 bogon kernel: TRACE: mangle:cali-PREROUTING:return:5 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=48283 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 
WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F4A90000000001030307) Jul 26 15:56:46 bogon kernel: TRACE: mangle:PREROUTING:policy:2 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=48283 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F4A90000000001030307) Jul 26 15:56:46 bogon kernel: TRACE: nat:PREROUTING:rule:1 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=48283 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F4A90000000001030307) Jul 26 15:56:46 bogon kernel: TRACE: nat:cali-PREROUTING:rule:1 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=48283 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F4A90000000001030307) Jul 26 15:56:46 bogon kernel: TRACE: nat:cali-fip-dnat:return:1 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=48283 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F4A90000000001030307) Jul 26 15:56:46 bogon kernel: TRACE: nat:cali-PREROUTING:return:2 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=48283 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F4A90000000001030307) Jul 26 15:56:46 bogon kernel: TRACE: nat:PREROUTING:rule:2 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=48283 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F4A90000000001030307) Jul 26 15:56:46 bogon kernel: TRACE: nat:KUBE-SERVICES:return:14 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=48283 DF PROTO=TCP 
SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F4A90000000001030307) Jul 26 15:56:46 bogon kernel: TRACE: nat:PREROUTING:policy:4 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=48283 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F4A90000000001030307) Jul 26 15:56:46 bogon kernel: TRACE: mangle:FORWARD:policy:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=48283 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F4A90000000001030307) Jul 26 15:56:46 bogon kernel: TRACE: filter:FORWARD:rule:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=48283 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F4A90000000001030307) Jul 26 15:56:46 bogon kernel: TRACE: filter:cali-FORWARD:rule:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=48283 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F4A90000000001030307) Jul 26 15:56:46 bogon kernel: TRACE: filter:cali-FORWARD:rule:2 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=48283 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F4A90000000001030307) Jul 26 15:56:46 bogon kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=48283 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F4A90000000001030307) Jul 26 15:56:46 bogon kernel: TRACE: 
filter:cali-FORWARD:rule:4 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=48283 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F4A90000000001030307) Jul 26 15:56:46 bogon kernel: TRACE: filter:cali-to-wl-dispatch:rule:8 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=48283 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F4A90000000001030307) Jul 26 15:56:46 bogon kernel: TRACE: filter:cali-tw-calied7f8899df7:rule:3 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=48283 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F4A90000000001030307) Jul 26 15:56:46 bogon kernel: TRACE: filter:cali-tw-calied7f8899df7:rule:4 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=48283 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F4A90000000001030307) Jul 26 15:56:46 bogon kernel: TRACE: filter:cali-tw-calied7f8899df7:rule:5 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=48283 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F4A90000000001030307) Jul 26 15:56:46 bogon kernel: TRACE: filter:cali-pi-_d4qo2yLPU80D48kRfyX:return:3 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=48283 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F4A90000000001030307) Jul 26 15:56:46 bogon kernel: TRACE: filter:cali-tw-calied7f8899df7:rule:7 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 
DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=48283 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F4A90000000001030307)
Jul 26 15:56:47 bogon kernel: TRACE: raw:PREROUTING:rule:4 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=48284 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F89A0000000001030307)
Jul 26 15:56:47 bogon kernel: TRACE: raw:neutron-linuxbri-PREROUTING:return:1 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=48284 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F89A0000000001030307)
Jul 26 15:56:47 bogon kernel: TRACE: raw:PREROUTING:policy:5 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=48284 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F89A0000000001030307)
Jul 26 15:56:47 bogon kernel: TRACE: mangle:PREROUTING:rule:1 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=48284 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F89A0000000001030307)
Jul 26 15:56:47 bogon kernel: TRACE: mangle:cali-PREROUTING:rule:3 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=48284 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F89A0000000001030307)
Jul 26 15:56:47 bogon kernel: TRACE: mangle:cali-from-host-endpoint:return:1 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=48284 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F89A0000000001030307)
Jul 26 15:56:47 bogon kernel: TRACE: mangle:cali-PREROUTING:return:5 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=48284 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F89A0000000001030307)
Jul 26 15:56:47 bogon kernel: TRACE: mangle:PREROUTING:policy:2 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=48284 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F89A0000000001030307)
Jul 26 15:56:47 bogon kernel: TRACE: nat:PREROUTING:rule:1 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=48284 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F89A0000000001030307)
Jul 26 15:56:47 bogon kernel: TRACE: nat:cali-PREROUTING:rule:1 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=48284 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F89A0000000001030307)
Jul 26 15:56:47 bogon kernel: TRACE: nat:cali-fip-dnat:return:1 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=48284 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F89A0000000001030307)
Jul 26 15:56:47 bogon kernel: TRACE: nat:cali-PREROUTING:return:2 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=48284 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F89A0000000001030307)
Jul 26 15:56:47 bogon kernel: TRACE: nat:PREROUTING:rule:2 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=48284 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F89A0000000001030307)
Jul 26 15:56:47 bogon kernel: TRACE: nat:KUBE-SERVICES:return:14 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=48284 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F89A0000000001030307)
Jul 26 15:56:47 bogon kernel: TRACE: nat:PREROUTING:policy:4 IN=tunl0 OUT= MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=48284 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F89A0000000001030307)
Jul 26 15:56:47 bogon kernel: TRACE: mangle:FORWARD:policy:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=48284 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F89A0000000001030307)
Jul 26 15:56:47 bogon kernel: TRACE: filter:FORWARD:rule:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=48284 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F89A0000000001030307)
Jul 26 15:56:47 bogon kernel: TRACE: filter:cali-FORWARD:rule:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=48284 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F89A0000000001030307)
Jul 26 15:56:47 bogon kernel: TRACE: filter:cali-FORWARD:rule:2 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=48284 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F89A0000000001030307)
Jul 26 15:56:47 bogon kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=48284 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F89A0000000001030307)
Jul 26 15:56:47 bogon kernel: TRACE: filter:cali-FORWARD:rule:4 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=48284 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F89A0000000001030307)
Jul 26 15:56:47 bogon kernel: TRACE: filter:cali-to-wl-dispatch:rule:8 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=48284 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F89A0000000001030307)
Jul 26 15:56:47 bogon kernel: TRACE: filter:cali-tw-calied7f8899df7:rule:3 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=48284 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F89A0000000001030307)
Jul 26 15:56:47 bogon kernel: TRACE: filter:cali-tw-calied7f8899df7:rule:4 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=48284 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F89A0000000001030307)
Jul 26 15:56:47 bogon kernel: TRACE: filter:cali-tw-calied7f8899df7:rule:5 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=48284 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F89A0000000001030307)
Jul 26 15:56:47 bogon kernel: TRACE: filter:cali-pi-_d4qo2yLPU80D48kRfyX:return:3 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=48284 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F89A0000000001030307)
Jul 26 15:56:47 bogon kernel: TRACE: filter:cali-tw-calied7f8899df7:rule:7 IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=48284 DF PROTO=TCP SPT=12128 DPT=80 SEQ=2877444456 ACK=0 WINDOW=65495 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A8010F89A0000000001030307)
[root@bogon ~]# iptables -n -L cali-tw-calied7f8899df7 --line-numbers
Chain cali-tw-calied7f8899df7 (1 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:kn4QebtExp2YeP53 */ ctstate RELATED,ESTABLISHED
2 DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:NJHGlR222V6rIF6g */ ctstate INVALID
3 MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:u_9WY525Ezzlp2Cm */ MARK and 0xfffeffff
4 MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:s-VDlAmooRZkiuQk */ /* Start of policies */ MARK and 0xfffdffff
5 cali-pi-_d4qo2yLPU80D48kRfyX all -- 0.0.0.0/0 0.0.0.0/0 /* cali:ADtCXwO5xstoAg-S */ mark match 0x0/0x20000
6 RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:R-fu5TX8gUDgDTt1 */ /* Return if policy accepted */ mark match 0x10000/0x10000
7 DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:gp-IqFYXjcOWYSdX */ /* Drop if no policies passed packet */ mark match 0x0/0x20000
8 cali-pri-kns.ns-calico1 all -- 0.0.0.0/0 0.0.0.0/0 /* cali:p2TsJPZF_F-V_FPt */
9 RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:TZuxPOiE1nMecZ32 */ /* Return if profile accepted */ mark match 0x10000/0x10000
10 cali-pri-_8Cq7uSyTGAC1eyOT4n all -- 0.0.0.0/0 0.0.0.0/0 /* cali:HdXOrHt2bTVgLYrp */
11 RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:6SkHSFXke_wYUg_E */ /* Return if profile accepted */ mark match 0x10000/0x10000
12 DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:vbNFY3yJ1CfPdnNx */ /* Drop if no profiles matched */
[root@bogon ~]# iptables -n -L cali-pi-_d4qo2yLPU80D48kRfyX --line-numbers
Chain cali-pi-_d4qo2yLPU80D48kRfyX (2 references)
num target prot opt source destination
1 MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:g4yVdp-aDhBfIFYj */ match-set cali40s:9Hlc81Gd85Ibld7JGuPSvtB src match-set cali40s:9Hlc81Gd85Ibld7JGuPSvtB dst MARK or 0x10000
2 RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:H0FDsVywIfehzJca */ mark match 0x10000/0x10000
[root@bogon ~]# iptables -S -t filter | grep cali-pi-_d4qo2yLPU80D48kRfyX
-N cali-pi-_d4qo2yLPU80D48kRfyX
-A cali-pi-_d4qo2yLPU80D48kRfyX -m comment --comment "cali:g4yVdp-aDhBfIFYj" -m set --match-set cali40s:9Hlc81Gd85Ibld7JGuPSvtB src -m set --match-set cali40s:9Hlc81Gd85Ibld7JGuPSvtB dst -j MARK --set-xmark 0x10000/0x10000
-A cali-pi-_d4qo2yLPU80D48kRfyX -m comment --comment "cali:H0FDsVywIfehzJca" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-tw-cali1f7fbcf364b -m comment --comment "cali:n71kjclRNGL7Irtz" -m mark --mark 0x0/0x20000 -j cali-pi-_d4qo2yLPU80D48kRfyX
-A cali-tw-calied7f8899df7 -m comment --comment "cali:ADtCXwO5xstoAg-S" -m mark --mark 0x0/0x20000 -j cali-pi-_d4qo2yLPU80D48kRfyX
[root@bogon ~]# ipset cali40s:9Hlc81Gd85Ibld7JGuPSvtB
ipset v7.1: No command specified: unknown argument cali40s:9Hlc81Gd85Ibld7JGuPSvtB
Try `ipset help' for more information.
You have mail in /var/spool/mail/root
[root@bogon ~]# ipset list cali40s:9Hlc81Gd85Ibld7JGuPSvtB
Name: cali40s:9Hlc81Gd85Ibld7JGuPSvtB
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 1048576
Size in memory: 472
References: 2
Number of entries: 2
Members:
10.244.129.130
10.244.29.18
[root@bogon ~]#
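The manual correlation above (find the last TRACE record for a packet, then list that chain with --line-numbers) can be scripted. The Python below is an added example, not part of the original post; parse_trace and explain are hypothetical helper names, and the sample input is constructed from the trace format shown above.

```python
import re

# TRACE record prefix: table:chain:kind:rulenum, then key=value packet fields.
HOP = re.compile(r"TRACE: ([a-z]+):(\S+):(rule|return|policy):(\d+) (.*)")
FIELD = re.compile(r"(\w+)=(\S*)")

# Constructed sample: hop prefixes and field values abridged from the trace above;
# ID=48285 and the non-TRACE line are made up to exercise grouping and filtering.
_FIELDS = ("IN=tunl0 OUT=calied7f8899df7 MAC= SRC=10.244.243.192 DST=10.244.29.18 "
           "LEN=60 TTL=63 ID={pid} DF PROTO=TCP SPT=12128 DPT=80 SYN URGP=0")
_HOPS = [("filter:cali-tw-calied7f8899df7:rule:5", 48284),
         ("filter:cali-pi-_d4qo2yLPU80D48kRfyX:return:3", 48284),
         ("raw:PREROUTING:rule:4", 48285),
         ("filter:cali-tw-calied7f8899df7:rule:7", 48284)]
SAMPLE = "\n".join(
    [f"Jul 26 15:56:47 bogon kernel: TRACE: {hop} " + _FIELDS.format(pid=pid)
     for hop, pid in _HOPS]
    + ["Jul 26 15:56:47 bogon kernel: device tunl0 entered promiscuous mode"])


def parse_trace(text):
    """Return {packet_key: [(table, chain, kind, rulenum), ...]} in log order."""
    packets = {}
    for line in text.splitlines():
        m = HOP.search(line)
        if not m:
            continue  # ordinary kernel message, not a TRACE record
        table, chain, kind, num, rest = m.groups()
        f = dict(FIELD.findall(rest))
        # DST/DPT can be rewritten by DNAT and TTL drops on forwarding, so the
        # key uses only fields that stay stable along the path.
        key = (f.get("ID"), f.get("PROTO"), f.get("SRC"), f.get("SPT"))
        packets.setdefault(key, []).append((table, chain, kind, int(num)))
    return packets


def explain(hop):
    """Say what a hop means and, for a rule hit, how to look the rule up."""
    table, chain, kind, num = hop
    if kind == "policy":
        return f"{table}:{chain}: end of built-in chain, chain policy applied"
    if kind == "return":
        return f"{table}:{chain}: no rule terminated the packet, implicit return"
    return f"iptables -t {table} -n -L {chain} --line-numbers  # see rule {num}"


if __name__ == "__main__":
    for key, hops in parse_trace(SAMPLE).items():
        print(key, "hops:", len(hops), "| last:", explain(hops[-1]))
```

IP IDs are 16 bits and wrap, so on a busy host feed the parser a short time window of the log rather than the whole file.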
Adding log tracing
[root@centos7 ~]# ^C
[root@centos7 ~]# ^C
[root@centos7 ~]# ^C
[root@centos7 ~]# cat /var/log/kern.debug.log | grep 5443 | grep 10.107.2.145
[root@centos7 ~]# iptables -t raw -j TRACE -p tcp --dport 80 host 10.107.2.145 -I PREROUTING 1
Bad argument `host'
Try `iptables -h' or 'iptables --help' for more information.
[root@centos7 ~]# iptables -t raw -j TRACE -p tcp --dport 80 -d host 10.107.2.145 -I PREROUTING 1
Bad argument `10.107.2.145'
Try `iptables -h' or 'iptables --help' for more information.
[root@centos7 ~]# iptables -t raw -j TRACE -p tcp --dport 5443 -d 10.107.2.145 -I PREROUTING 1
[root@centos7 ~]# iptables -t raw -j TRACE -p tcp --dport 5443 -d 10.107.2.145 -I OUTPUT 1
[root@centos7 ~]# cat /var/log/kern.debug.log | grep 5443 | grep 10.107.2.145
[root@centos7 ~]# tail -f /var/log/kern.debug.log | grep 5443 | grep 10.107.2.145
Sep 10 00:03:58 centos7 kernel: TRACE: raw:PREROUTING:rule:2 IN=cni0 OUT= PHYSIN=veth626661db MAC=de:03:c3:e8:e0:ca:6e:8d:69:3a:95:9e:08:00 SRC=10.251.0.47 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57217 DF PROTO=TCP SPT=50120 DPT=5443 SEQ=962131960 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AB3284FE50000000001030307)
Sep 10 00:03:58 centos7 kernel: TRACE: raw:PREROUTING_direct:return:1 IN=cni0 OUT= PHYSIN=veth626661db MAC=de:03:c3:e8:e0:ca:6e:8d:69:3a:95:9e:08:00 SRC=10.251.0.47 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57217 DF PROTO=TCP SPT=50120 DPT=5443 SEQ=962131960 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AB3284FE50000000001030307)
Sep 10 00:03:58 centos7 kernel: TRACE: raw:PREROUTING:rule:3 IN=cni0 OUT= PHYSIN=veth626661db MAC=de:03:c3:e8:e0:ca:6e:8d:69:3a:95:9e:08:00 SRC=10.251.0.47 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57217 DF PROTO=TCP SPT=50120 DPT=5443 SEQ=962131960 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AB3284FE50000000001030307)
Sep 10 00:03:58 centos7 kernel: TRACE: raw:PREROUTING_ZONES_SOURCE:return:1 IN=cni0 OUT= PHYSIN=veth626661db MAC=de:03:c3:e8:e0:ca:6e:8d:69:3a:95:9e:08:00 SRC=10.251.0.47 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57217 DF PROTO=TCP SPT=50120 DPT=5443 SEQ=962131960 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AB3284FE50000000001030307)
Sep 10 00:03:58 centos7 kernel: TRACE: raw:PREROUTING:rule:4 IN=cni0 OUT= PHYSIN=veth626661db MAC=de:03:c3:e8:e0:ca:6e:8d:69:3a:95:9e:08:00 SRC=10.251.0.47 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57217 DF PROTO=TCP SPT=50120 DPT=5443 SEQ=962131960 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AB3284FE50000000001030307)
Sep 10 00:03:58 centos7 kernel: TRACE: raw:PREROUTING_ZONES:rule:2 IN=cni0 OUT= PHYSIN=veth626661db MAC=de:03:c3:e8:e0:ca:6e:8d:69:3a:95:9e:08:00 SRC=10.251.0.47 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57217 DF PROTO=TCP SPT=50120 DPT=5443 SEQ=962131960 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AB3284FE50000000001030307)
Sep 10 00:03:58 centos7 kernel: TRACE: raw:PRE_public:rule:1 IN=cni0 OUT= PHYSIN=veth626661db MAC=de:03:c3:e8:e0:ca:6e:8d:69:3a:95:9e:08:00 SRC=10.251.0.47 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57217 DF PROTO=TCP SPT=50120 DPT=5443 SEQ=962131960 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AB3284FE50000000001030307)
Sep 10 00:03:58 centos7 kernel: TRACE: raw:PRE_public_log:return:1 IN=cni0 OUT= PHYSIN=veth626661db MAC=de:03:c3:e8:e0:ca:6e:8d:69:3a:95:9e:08:00 SRC=10.251.0.47 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57217 DF PROTO=TCP SPT=50120 DPT=5443 SEQ=962131960 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AB3284FE50000000001030307)
Sep 10 00:03:58 centos7 kernel: TRACE: raw:PRE_public:rule:2 IN=cni0 OUT= PHYSIN=veth626661db MAC=de:03:c3:e8:e0:ca:6e:8d:69:3a:95:9e:08:00 SRC=10.251.0.47 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57217 DF PROTO=TCP SPT=50120 DPT=5443 SEQ=962131960 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AB3284FE50000000001030307)
Sep 10 00:03:58 centos7 kernel: TRACE: raw:PRE_public_deny:return:1 IN=cni0 OUT= PHYSIN=veth626661db MAC=de:03:c3:e8:e0:ca:6e:8d:69:3a:95:9e:08:00 SRC=10.251.0.47 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57217 DF PROTO=TCP SPT=50120 DPT=5443 SEQ=962131960 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AB3284FE50000000001030307)
Sep 10 00:03:58 centos7 kernel: TRACE: raw:PRE_public:rule:3 IN=cni0 OUT= PHYSIN=veth626661db MAC=de:03:c3:e8:e0:ca:6e:8d:69:3a:95:9e:08:00 SRC=10.251.0.47 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57217 DF PROTO=TCP SPT=50120 DPT=5443 SEQ=962131960 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AB3284FE50000000001030307)
Sep 10 00:03:58 centos7 kernel: TRACE: raw:PRE_public_allow:return:1 IN=cni0 OUT= PHYSIN=veth626661db MAC=de:03:c3:e8:e0:ca:6e:8d:69:3a:95:9e:08:00 SRC=10.251.0.47 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57217 DF PROTO=TCP SPT=50120 DPT=5443 SEQ=962131960 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AB3284FE50000000001030307)
Sep 10 00:03:58 centos7 kernel: TRACE: raw:PRE_public:return:4 IN=cni0 OUT= PHYSIN=veth626661db MAC=de:03:c3:e8:e0:ca:6e:8d:69:3a:95:9e:08:00 SRC=10.251.0.47 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57217 DF PROTO=TCP SPT=50120 DPT=5443 SEQ=962131960 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AB3284FE50000000001030307)
Sep 10 00:03:58 centos7 kernel: TRACE: raw:PREROUTING:policy:5 IN=cni0 OUT= PHYSIN=veth626661db MAC=de:03:c3:e8:e0:ca:6e:8d:69:3a:95:9e:08:00 SRC=10.251.0.47 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57217 DF PROTO=TCP SPT=50120 DPT=5443 SEQ=962131960 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AB3284FE50000000001030307)
Sep 10 00:03:58 centos7 kernel: TRACE: mangle:PREROUTING:rule:1 IN=cni0 OUT= PHYSIN=veth626661db MAC=de:03:c3:e8:e0:ca:6e:8d:69:3a:95:9e:08:00 SRC=10.251.0.47 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57217 DF PROTO=TCP SPT=50120 DPT=5443 SEQ=962131960 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AB3284FE50000000001030307)
Sep 10 00:03:58 centos7 kernel: TRACE: mangle:PREROUTING_direct:return:1 IN=cni0 OUT= PHYSIN=veth626661db MAC=de:03:c3:e8:e0:ca:6e:8d:69:3a:95:9e:08:00 SRC=10.251.0.47 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57217 DF PROTO=TCP SPT=50120 DPT=5443 SEQ=962131960 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AB3284FE50000000001030307)
Sep 10 00:03:58 centos7 kernel: TRACE: mangle:PREROUTING:rule:2 IN=cni0 OUT= PHYSIN=veth626661db MAC=de:03:c3:e8:e0:ca:6e:8d:69:3a:95:9e:08:00 SRC=10.251.0.47 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57217 DF PROTO=TCP SPT=50120 DPT=5443 SEQ=962131960 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AB3284FE50000000001030307)
Sep 10 00:03:58 centos7 kernel: TRACE: mangle:PREROUTING_ZONES_SOURCE:return:1 IN=cni0 OUT= PHYSIN=veth626661db MAC=de:03:c3:e8:e0:ca:6e:8d:69:3a:95:9e:08:00 SRC=10.251.0.47 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57217 DF PROTO=TCP SPT=50120
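FORWARD
- In the iptables FORWARD chain, packets first jump into the cali-FORWARD chain, which handles the following kinds of traffic:
  - Traffic forwarded from the node: cali-from-hep-forward
  - Traffic sent from a pod: cali-from-wl-dispatch
  - Traffic arriving at a pod: cali-to-wl-dispatch
  - Forwarded traffic arriving at the node: cali-to-hep-forward
  - Pure IP-range-to-IP-range forwarded traffic: cali-cidr-bloc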