
We are using python-iptables v0.12.0 in production within a dockerized environment orchestrated by Kubernetes. The container application that uses the python-iptables library has the following networking:

Two internal interfaces exist, eth0 and eth1 (used for communication within containers), each with one IPv4 and one IPv6 address, and one external interface, ext0, with two IPv6 addresses used only for external communication.

At startup, our application has the following ip6tables configuration, created entirely by the python-iptables library. Note that the LOGGING target is used only to log and drop packets:

(screenshot of the initial ip6tables rule listing, not preserved)

All incoming IPv6 traffic coming from the outside world through the ext0 interface **should be dropped**.

However, not only is no packet actually dropped, but all packets match the second rule, which corresponds to one of our internal interfaces!

Then we accept all traffic for the ext0 interface:

(screenshot of the rule listing after adding the ext0 ACCEPT rule, not preserved)

Still, all traffic goes through the eth0 interface instead of ext0!

If we delete the second rule, hoping that traffic is going to match our external interface,

(screenshot of the rule listing after deleting the second rule, not preserved)

the same issue persists, but now all traffic matches the eth1 interface!

Now we add exactly the same rule to accept traffic on the eth1 interface, but this time using the Linux iptables package instead of python-iptables:

(screenshot comparing the python-iptables rule with the rule added by the iptables binary, not preserved)

You can see that the Linux iptables package works as expected (it does not match packets destined for the ext0 interface), whereas the rule generated by python-iptables erroneously accepts all traffic!

It seems that there is potentially some difference in how IPv6 rules are generated by python-iptables and by the Linux iptables package.

How should we troubleshoot/approach this issue?

Our configuration setup:

- `cat /etc/os-release`

        NAME="Red Hat Enterprise Linux Server"
        VERSION="7.5 (Maipo)"

- `uname -r`

        4.4.134-1.el7.elrepo.x86_64



    [root@testEnv tmp]# python
    Python 2.7.5 (default, Feb 20 2018, 09:19:12)
    [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import iptc
    >>> chain = iptc.Chain(iptc.Table6(iptc.Table6.FILTER), "INPUT")
    >>> rule = iptc.Rule6()
    >>> rule.in_interface = "eth0"
    >>> target = iptc.Target(rule, "ACCEPT")
    >>> rule.target = target
    >>> chain.insert_rule(rule)
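One way to approach the troubleshooting question above: after python-iptables inserts a rule, read the chain back with the ip6tables binary and diff it against what was intended, so a rule that the kernel holds differently from what the library was asked for (for example a negated or missing interface match) shows up immediately. This is an added example, not code from the question or from the python-iptables project; the `-S` parser, the helper names and the sample output are assumptions of mine, and `insert_and_verify` assumes root plus the `ip6tables` binary on the host.

```python
import shlex
import subprocess


def parse_ip6tables_s(output):
    """Parse `ip6tables -S <chain>` output into (chain, in_iface, target) tuples.
    -P (policy) and -N lines are skipped; a negated match (`! -i ext0`) is kept
    as "!ext0" so it is not confused with a plain match on ext0."""
    rules = []
    for line in output.splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "-A":
            continue
        chain, in_iface, target, negate = tokens[1], None, None, False
        i = 2
        while i < len(tokens):
            if tokens[i] == "!":
                negate = True
            elif tokens[i] == "-i":
                in_iface, negate, i = ("!" if negate else "") + tokens[i + 1], False, i + 1
            elif tokens[i] == "-j":
                target, i = tokens[i + 1], i + 1
            i += 1
        rules.append((chain, in_iface, target))
    return rules

def find_mismatches(expected, kernel_rules):
    """Return the expected (chain, in_iface, target) tuples the kernel does not hold."""
    return [r for r in expected if r not in kernel_rules]

def insert_and_verify(iface, chain_name="INPUT"):
    """The question's python-iptables sequence, then a read-back of what the kernel holds
    via the ip6tables binary (needs root and both tools; not run by the tests)."""
    import iptc  # imported lazily so the parsing helpers run without the library installed
    chain = iptc.Chain(iptc.Table6(iptc.Table6.FILTER), chain_name)
    rule = iptc.Rule6()
    rule.in_interface = iface
    rule.target = iptc.Target(rule, "ACCEPT")
    chain.insert_rule(rule)
    live = parse_ip6tables_s(subprocess.check_output(["ip6tables", "-S", chain_name]).decode())
    return find_mismatches([(chain_name, iface, "ACCEPT")], live)

# Constructed sample of `ip6tables -S INPUT` output, not captured from the asker's host.
SAMPLE_OUTPUT = """-P INPUT DROP
-A INPUT -i eth0 -j ACCEPT
-A INPUT ! -i ext0 -j ACCEPT
-A INPUT -i ext0 -j LOGGING
"""
```

An empty list from `insert_and_verify` means the kernel holds exactly the rule that was requested; anything else is the rule the kernel does not have in that form, which is the point to compare against `ip6tables -S` after adding the same rule with the iptables binary.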
