0

The rule is

-A KUBE-SEP-G3HEJMIUHDVUA2GR -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination :0 --persistent --to-destination :0 --persistent --to-destination

which is part of a kube service rule:

-N KUBE-SEP-G3HEJMIUHDVUA2GR
-A KUBE-SEP-G3HEJMIUHDVUA2GR -s 10.233.64.2/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-G3HEJMIUHDVUA2GR -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination :0 --persistent --to-destination :0 --persistent --to-destination

As I know normally this rule would have a specific destination like this one:

-A KUBE-SEP-XEZU3EBQ2WW4MLUB -p tcp -m comment --comment "default/nginx:https" -m tcp -j DNAT --to-destination 10.233.116.87:443

while the first one don't have a specific desitination which might because this service has only one endpoint, but I want to know:

  1. What does the destination ":0" mean?
  2. Why "--destination" appears three times?
  3. What is the use of "--persistent" here?
  4. Where can I find more detailed document about DNAT target?
Improve this question
5
  • 1
    check this out frozentux.net/iptables-tutorial/iptables-tutorial.html Commented Jul 11, 2023 at 19:52
  • @Consideratus I have read DNAT target on this site, but didn't find explaination for ":0" , the multiple "--destination" and "--persistent" Commented Jul 12, 2023 at 1:45
  • Apologize for that I really thought I've read the description there. Anyway, according to manual "For those kernels, if you specify more than one destination address, either via an address range or multiple --to-destination options, a simple round-robin (one after another in cycle) load balancing takes place between these addresses" The --persistent option is unknown to me and I cannot find it anywhere. The :0 port I believe means dynamic port allocation. Here is some information lifewire.com/port-0-in-tcp-and-udp-818145 Commented Jul 12, 2023 at 11:42
  • No need to apologize. I found explaination for "--persistent" at netfilter's documents: ipset.netfilter.org/iptables-extensions.man.html, checkout the DNAT part. Commented Jul 13, 2023 at 1:28
  • Nice, so you've found the answers :). Now I see why I wasn't able to find info in manual for the iptables. I didn't know about existence of extensions. Thanks for sharing that. Commented Jul 15, 2023 at 16:27

1 Answer 1

Reset to default
0

This exactly is not an anwser. After digging more, I found the iptables rules in kube-proxy container are different from iptables rule on host machine.

 -N KUBE-SEP-OYL6BTTAC4W4HXLZ
-A KUBE-SEP-OYL6BTTAC4W4HXLZ -s 10.233.64.38/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-OYL6BTTAC4W4HXLZ -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination :0 --persistent --to-destination :0 --persistent --to-destination

(the name and ip changed because I reboot my machine)

Then I checked the versions of both iptables cli and found they are not mached. I upgraded the kernel before, this might cause some problems. But I don't want to dig more, I'm not an expert of kernel.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.