portmap: ensure nftables backend only intercept local traffic

champtar · champtar · commit 409f4a29e939 · 2025-10-22T23:36:53.000-04:00
This aligns the behavior with the iptables backend. Implicit chain was introduced in - kernel 5.9: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING") - nftables 0.9.7 https://git.netfilter.org/nftables/commit/?id=c330152b7f7779f15dba3e0862bf5616e7cb3eab https://lwn.net/Articles/835364/ Fixes 9296c5f Fixes 01a94e1 Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
diff --git a/plugins/meta/portmap/portmap_nftables.go b/plugins/meta/portmap/portmap_nftables.go
@@ -123,14 +123,11 @@ func (pmNFT *portMapperNFTables) forwardPorts(config *PortMapConf, containerNet
 		Chain: "prerouting",
 		Rule: knftables.Concat(
 			conditions,
-			"jump", hostIPHostPortsChain,
-		),
-	})
-	tx.Add(&knftables.Rule{
-		Chain: "prerouting",
-		Rule: knftables.Concat(
-			conditions,
-			"jump", hostPortsChain,
+			"fib daddr type local",
+			"jump {",
+			"jump", hostIPHostPortsChain, ";",
+			"jump", hostPortsChain, ";",
+			"}",
 		),
 	})
 
@@ -143,19 +140,15 @@ func (pmNFT *portMapperNFTables) forwardPorts(config *PortMapConf, containerNet
 	tx.Flush(&knftables.Chain{
 		Name: "output",
 	})
-	tx.Add(&knftables.Rule{
-		Chain: "output",
-		Rule: knftables.Concat(
-			conditions,
-			"jump", hostIPHostPortsChain,
-		),
-	})
 	tx.Add(&knftables.Rule{
 		Chain: "output",
 		Rule: knftables.Concat(
 			conditions,
 			"fib daddr type local",
-			"jump", hostPortsChain,
+			"jump {",
+			"jump", hostIPHostPortsChain, ";",
+			"jump", hostPortsChain, ";",
+			"}",
 		),
 	})
 
diff --git a/plugins/meta/portmap/portmap_nftables_test.go b/plugins/meta/portmap/portmap_nftables_test.go
@@ -93,10 +93,8 @@ add rule ip cni_hostport hostports udp dport 8082 dnat to 10.0.0.2:82 comment "i
 add rule ip cni_hostport hostports tcp dport 8084 dnat to 10.0.0.2:84 comment "icee6giejonei6so"
 add rule ip cni_hostport masquerading ip saddr 10.0.0.2 ip daddr 10.0.0.2 masquerade comment "icee6giejonei6so"
 add rule ip cni_hostport masquerading ip saddr 127.0.0.1 ip daddr 10.0.0.2 masquerade comment "icee6giejonei6so"
-add rule ip cni_hostport output a b jump hostip_hostports
-add rule ip cni_hostport output a b fib daddr type local jump hostports
-add rule ip cni_hostport prerouting a b jump hostip_hostports
-add rule ip cni_hostport prerouting a b jump hostports
+add rule ip cni_hostport output a b fib daddr type local jump { jump hostip_hostports ; jump hostports ; }
+add rule ip cni_hostport prerouting a b fib daddr type local jump { jump hostip_hostports ; jump hostports ; }
 `)
 				actualRules := strings.TrimSpace(ipv4Fake.Dump())
 				Expect(actualRules).To(Equal(expectedRules))
@@ -121,10 +119,8 @@ add rule ip6 cni_hostport hostports tcp dport 8081 dnat to [2001:db8::2]:80 comm
 add rule ip6 cni_hostport hostports udp dport 8080 dnat to [2001:db8::2]:81 comment "icee6giejonei6so"
 add rule ip6 cni_hostport hostports udp dport 8082 dnat to [2001:db8::2]:82 comment "icee6giejonei6so"
 add rule ip6 cni_hostport hostports tcp dport 8086 dnat to [2001:db8::2]:86 comment "icee6giejonei6so"
-add rule ip6 cni_hostport output c d jump hostip_hostports
-add rule ip6 cni_hostport output c d fib daddr type local jump hostports
-add rule ip6 cni_hostport prerouting c d jump hostip_hostports
-add rule ip6 cni_hostport prerouting c d jump hostports
+add rule ip6 cni_hostport output c d fib daddr type local jump { jump hostip_hostports ; jump hostports ; }
+add rule ip6 cni_hostport prerouting c d fib daddr type local jump { jump hostip_hostports ; jump hostports ; }
 `)
 				actualRules = strings.TrimSpace(ipv6Fake.Dump())
 				Expect(actualRules).To(Equal(expectedRules))
