Bug 2034411 - [Egress Router] No NAT rules for ipv6 source and destination created in ip6tables-save
Summary: [Egress Router] No NAT rules for ipv6 source and destination created in ip6ta...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.11.0
Assignee: Surya Seetharaman
QA Contact: Anurag saxena
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-12-20 20:35 UTC by Weibin Liang
Modified: 2022-08-10 10:41 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-08-10 10:41:05 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift egress-router-cni pull 60 0 None open Bug 2034411: Call ip6tables for v6 mode 2022-02-09 22:49:20 UTC
Red Hat Product Errata RHSA-2022:5069 0 None None None 2022-08-10 10:41:27 UTC

Description Weibin Liang 2021-12-20 20:35:09 UTC
Description of problem:
Testing the egress router feature in a dual-stack cluster: compared with IPv4, there are no NAT rules created in ip6tables-save.

Version-Release number of selected component (if applicable):
4.10.0-0.nightly-2021-12-14-083101

How reproducible:
Always

Steps to Reproduce:
## Test egress router ipv4
[weliang@weliang ~]$ oc new-project test
Now using project "test" on server "https://api.weliang-203.qe.devcluster.openshift.com:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app rails-postgresql-example

to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=k8s.gcr.io/serve_hostname

[weliang@weliang ~]$ oc create -f test.yaml
egressrouter.network.operator.openshift.io/egress-router-test created
[weliang@weliang ~]$ oc get pod -o wide
NAME                                            READY   STATUS    RESTARTS   AGE   IP            NODE                                                NOMINATED NODE   READINESS GATES
egress-router-cni-deployment-6db7d48667-98fqf   1/1     Running   0          9s    10.128.2.34   worker-01.weliang-203.qe.devcluster.openshift.com   <none>           <none>
[weliang@weliang ~]$ oc exec egress-router-cni-deployment-6db7d48667-98fqf -- ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: eth0@if41: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qdisc noqueue state UP group default 
    link/ether 0a:58:0a:80:02:22 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.128.2.34/23 brd 10.128.3.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fd01:0:0:5::22/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::858:aff:fe80:222/64 scope link 
       valid_lft forever preferred_lft forever
4: net1@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 2a:47:3c:d2:55:09 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 147.75.197.175/30 brd 147.75.197.175 scope global net1
       valid_lft forever preferred_lft forever
    inet6 fe80::2847:3cff:fed2:5509/64 scope link 
       valid_lft forever preferred_lft forever
[weliang@weliang ~]$ oc debug node/worker-01.weliang-203.qe.devcluster.openshift.com
W1220 15:18:01.166951   11861 warnings.go:70] would violate "latest" version of "baseline" PodSecurity profile: host namespaces (hostNetwork=true, hostPID=true), hostPath volumes (volume "host"), privileged (container "container-00" must not set securityContext.privileged=true)
Starting pod/worker-01weliang-203qedevclusteropenshiftcom-debug ...
To use host binaries, run `chroot /host`
Pod IP: 147.75.197.174
If you don't see a command prompt, try pressing enter.
sh-4.4# chroot /host
sh-4.4# cat /tmp/egress-router-log 
2021-12-20T18:35:24Z [debug] Called CNI ADD
2021-12-20T18:35:24Z [debug] Gateway: 10.0.192.1
2021-12-20T18:35:24Z [debug] IP Source Addresses: [10.0.212.194/19]
2021-12-20T18:35:24Z [debug] IP Destinations: [80 TCP 142.250.81.206]
2021-12-20T18:35:24Z [debug] Created macvlan interface
2021-12-20T18:35:24Z [debug] Renamed macvlan to "net1"
2021-12-20T18:35:24Z [debug] Adding IPv4 route to gateway 10.0.192.1 on macvlan interface
2021-12-20T18:35:24Z [debug] deleted default route {Ifindex: 3 Dst: <nil> Src: <nil> Gw: 10.128.2.1 Flags: [] Table: 254}
2021-12-20T18:35:24Z [debug] Added new default route with gateway 10.0.192.1
2021-12-20T18:35:24Z [debug] Added iptables rule: iptables -t nat PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 142.250.81.206
2021-12-20T18:35:24Z [debug] Added iptables rule: iptables -t nat -o net1 -j SNAT --to-source 10.0.212.194
2021-12-20T18:39:57Z [debug] Called CNI ADD
2021-12-20T18:39:57Z [debug] Gateway: fe80::5054:ff:fe1f:5fc
2021-12-20T18:39:57Z [debug] IP Source Addresses: [fd2e:6f44:5dd8::64/64]
2021-12-20T18:39:57Z [debug] IP Destinations: [80 TCP 2607:f8b0:4004:808::200e]
2021-12-20T18:39:57Z [debug] Created macvlan interface
2021-12-20T18:39:57Z [debug] Renamed macvlan to "net1"
2021-12-20T18:39:57Z [error] Unable to read sysctl value net.ipv6.conf.lo.disable_ipv6
2021-12-20T18:39:57Z [error] Unable to read sysctl value net.ipv6.conf.net1.disable_ipv6
2021-12-20T18:39:59Z [debug] Adding IPv6 route to gateway fe80::5054:ff:fe1f:5fc on macvlan interface
2021-12-20T18:39:59Z [debug] deleted default route {Ifindex: 3 Dst: <nil> Src: <nil> Gw: fd01:0:0:5::1 Flags: [] Table: 254}
2021-12-20T18:39:59Z [debug] Added new default route with gateway fe80::5054:ff:fe1f:5fc
2021-12-20T18:39:59Z [debug] Added iptables rule: iptables -t nat PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 2607:f8b0:4004:808::200e
2021-12-20T18:39:59Z [debug] Added iptables rule: iptables -t nat -o net1 -j SNAT --to-source fd2e:6f44:5dd8::64
2021-12-20T19:54:02Z [debug] Called CNI ADD
2021-12-20T19:54:02Z [debug] Gateway: 147.75.197.173
2021-12-20T19:54:02Z [debug] IP Source Addresses: [147.75.197.175/30]
2021-12-20T19:54:02Z [debug] IP Destinations: [80 TCP 142.250.81.206]
2021-12-20T19:54:02Z [debug] Created macvlan interface
2021-12-20T19:54:02Z [debug] Renamed macvlan to "net1"
2021-12-20T19:54:02Z [debug] Adding IPv4 route to gateway 147.75.197.173 on macvlan interface
2021-12-20T19:54:02Z [debug] deleted default route {Ifindex: 3 Dst: <nil> Src: <nil> Gw: 10.128.2.1 Flags: [] Table: 254}
2021-12-20T19:54:02Z [debug] Added new default route with gateway 147.75.197.173
2021-12-20T19:54:02Z [debug] Added iptables rule: iptables -t nat PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 142.250.81.206
2021-12-20T19:54:02Z [debug] Added iptables rule: iptables -t nat -o net1 -j SNAT --to-source 147.75.197.175
2021-12-20T19:59:16Z [debug] Called CNI ADD
2021-12-20T19:59:16Z [debug] Gateway: 2604:1380:0:de00::16
2021-12-20T19:59:16Z [debug] IP Source Addresses: [2604:1380:0:de00::14/127]
2021-12-20T19:59:16Z [debug] IP Destinations: [80 TCP 2607:f8b0:4004:808::200e]
2021-12-20T19:59:16Z [debug] Created macvlan interface
2021-12-20T19:59:16Z [debug] Renamed macvlan to "net1"
2021-12-20T19:59:16Z [error] Unable to read sysctl value net.ipv6.conf.lo.disable_ipv6
2021-12-20T19:59:16Z [error] Unable to read sysctl value net.ipv6.conf.net1.disable_ipv6
2021-12-20T19:59:18Z [debug] Adding IPv6 route to gateway 2604:1380:0:de00::16 on macvlan interface
2021-12-20T19:59:18Z [debug] deleted default route {Ifindex: 3 Dst: <nil> Src: <nil> Gw: fd01:0:0:5::1 Flags: [] Table: 254}
2021-12-20T19:59:18Z [debug] Added new default route with gateway 2604:1380:0:de00::16
2021-12-20T19:59:18Z [debug] Added iptables rule: iptables -t nat PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 2607:f8b0:4004:808::200e
2021-12-20T19:59:18Z [debug] Added iptables rule: iptables -t nat -o net1 -j SNAT --to-source 2604:1380:0:de00::14
2021-12-20T20:17:29Z [debug] Called CNI ADD
2021-12-20T20:17:29Z [debug] Gateway: 147.75.197.173
2021-12-20T20:17:29Z [debug] IP Source Addresses: [147.75.197.175/30]
2021-12-20T20:17:29Z [debug] IP Destinations: [80 TCP 142.250.81.206]
2021-12-20T20:17:29Z [debug] Created macvlan interface
2021-12-20T20:17:29Z [debug] Renamed macvlan to "net1"
2021-12-20T20:17:29Z [debug] Adding IPv4 route to gateway 147.75.197.173 on macvlan interface
2021-12-20T20:17:29Z [debug] deleted default route {Ifindex: 3 Dst: <nil> Src: <nil> Gw: 10.128.2.1 Flags: [] Table: 254}
2021-12-20T20:17:29Z [debug] Added new default route with gateway 147.75.197.173
2021-12-20T20:17:29Z [debug] Added iptables rule: iptables -t nat PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 142.250.81.206
2021-12-20T20:17:29Z [debug] Added iptables rule: iptables -t nat -o net1 -j SNAT --to-source 147.75.197.175
sh-4.4# crictl ps | grep egress
8637ae41d2fa3       d38e39880b6835352c7728cf4d3e1dae0b96313d00f3d242e8323b08c6b1d7a6                                                         58 seconds ago      Running             egress-router-cni-pod                0                   d2c55363b5641
sh-4.4# crictl inspect 8637ae41d2fa3 | grep pid
    "pid": 266338,
          "pids": {
            "type": "pid"
sh-4.4# nsenter -n -t 266338
[root@worker-01 /]# iptables-save -t nat
# Generated by iptables-save v1.8.4 on Mon Dec 20 20:19:10 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 142.250.81.206
-A POSTROUTING -o net1 -j SNAT --to-source 147.75.197.175
COMMIT
# Completed on Mon Dec 20 20:19:10 2021
[root@worker-01 /]# exit
logout
sh-4.4# exit
exit
sh-4.4# exit
exit

Removing debug pod ...
[weliang@weliang ~]$ cat test.yaml 
apiVersion: network.operator.openshift.io/v1
kind: EgressRouter
metadata:
  name: egress-router-test
spec:
  addresses: [
    {
      ip: "147.75.197.175/30",
      gateway: "147.75.197.173"
    },
  ]
  mode: Redirect
  redirect: {
    redirectRules: [
      {
        destinationIP: "142.250.81.206",
        port: 80,
        protocol: TCP
      },
    ]
  }

## Test egress router ipv6
[weliang@weliang ~]$ oc delete -f test.yaml 
egressrouter.network.operator.openshift.io "egress-router-test" deleted
[weliang@weliang ~]$ oc delete project test
project.project.openshift.io "test" deleted
[weliang@weliang ~]$ oc new-project test1
Now using project "test1" on server "https://api.weliang-203.qe.devcluster.openshift.com:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app rails-postgresql-example

to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=k8s.gcr.io/serve_hostname

[weliang@weliang ~]$ cat test1.yaml 
apiVersion: network.operator.openshift.io/v1
kind: EgressRouter
metadata:
  name: egress-router-test
spec:
  addresses: [
    {
      ip: "2604:1380:0:de00::14/127",
      gateway: "2604:1380:0:de00::16"
    },
  ]
  mode: Redirect
  redirect: {
    redirectRules: [
      {
        destinationIP: "2607:f8b0:4004:808::200e",
        port: 80,
        protocol: TCP,
      },
    ]
  }
[weliang@weliang ~]$ oc create -f test1.yaml
egressrouter.network.operator.openshift.io/egress-router-test created
[weliang@weliang ~]$ oc get pod -o wide
NAME                                            READY   STATUS    RESTARTS   AGE   IP            NODE                                                NOMINATED NODE   READINESS GATES
egress-router-cni-deployment-6db7d48667-npnzh   1/1     Running   0          6s    10.128.2.35   worker-01.weliang-203.qe.devcluster.openshift.com   <none>           <none>
[weliang@weliang ~]$ oc exec egress-router-cni-deployment-6db7d48667-npnzh -- ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: eth0@if42: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qdisc noqueue state UP group default 
    link/ether 0a:58:0a:80:02:23 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.128.2.35/23 brd 10.128.3.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fd01:0:0:5::23/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::858:aff:fe80:223/64 scope link 
       valid_lft forever preferred_lft forever
4: net1@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 96:b6:2f:31:bd:53 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 2604:1380:0:de00::14/127 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::94b6:2fff:fe31:bd53/64 scope link 
       valid_lft forever preferred_lft forever
[weliang@weliang ~]$ oc debug node/worker-01.weliang-203.qe.devcluster.openshift.com
W1220 15:23:06.320252   12327 warnings.go:70] would violate "latest" version of "baseline" PodSecurity profile: host namespaces (hostNetwork=true, hostPID=true), hostPath volumes (volume "host"), privileged (container "container-00" must not set securityContext.privileged=true)
Starting pod/worker-01weliang-203qedevclusteropenshiftcom-debug ...
To use host binaries, run `chroot /host`
Pod IP: 147.75.197.174
If you don't see a command prompt, try pressing enter.
sh-4.4# chroot /host
sh-4.4# cat /tmp/egress-router-log 
2021-12-20T18:35:24Z [debug] Called CNI ADD
2021-12-20T18:35:24Z [debug] Gateway: 10.0.192.1
2021-12-20T18:35:24Z [debug] IP Source Addresses: [10.0.212.194/19]
2021-12-20T18:35:24Z [debug] IP Destinations: [80 TCP 142.250.81.206]
2021-12-20T18:35:24Z [debug] Created macvlan interface
2021-12-20T18:35:24Z [debug] Renamed macvlan to "net1"
2021-12-20T18:35:24Z [debug] Adding IPv4 route to gateway 10.0.192.1 on macvlan interface
2021-12-20T18:35:24Z [debug] deleted default route {Ifindex: 3 Dst: <nil> Src: <nil> Gw: 10.128.2.1 Flags: [] Table: 254}
2021-12-20T18:35:24Z [debug] Added new default route with gateway 10.0.192.1
2021-12-20T18:35:24Z [debug] Added iptables rule: iptables -t nat PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 142.250.81.206
2021-12-20T18:35:24Z [debug] Added iptables rule: iptables -t nat -o net1 -j SNAT --to-source 10.0.212.194
2021-12-20T18:39:57Z [debug] Called CNI ADD
2021-12-20T18:39:57Z [debug] Gateway: fe80::5054:ff:fe1f:5fc
2021-12-20T18:39:57Z [debug] IP Source Addresses: [fd2e:6f44:5dd8::64/64]
2021-12-20T18:39:57Z [debug] IP Destinations: [80 TCP 2607:f8b0:4004:808::200e]
2021-12-20T18:39:57Z [debug] Created macvlan interface
2021-12-20T18:39:57Z [debug] Renamed macvlan to "net1"
2021-12-20T18:39:57Z [error] Unable to read sysctl value net.ipv6.conf.lo.disable_ipv6
2021-12-20T18:39:57Z [error] Unable to read sysctl value net.ipv6.conf.net1.disable_ipv6
2021-12-20T18:39:59Z [debug] Adding IPv6 route to gateway fe80::5054:ff:fe1f:5fc on macvlan interface
2021-12-20T18:39:59Z [debug] deleted default route {Ifindex: 3 Dst: <nil> Src: <nil> Gw: fd01:0:0:5::1 Flags: [] Table: 254}
2021-12-20T18:39:59Z [debug] Added new default route with gateway fe80::5054:ff:fe1f:5fc
2021-12-20T18:39:59Z [debug] Added iptables rule: iptables -t nat PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 2607:f8b0:4004:808::200e
2021-12-20T18:39:59Z [debug] Added iptables rule: iptables -t nat -o net1 -j SNAT --to-source fd2e:6f44:5dd8::64
2021-12-20T19:54:02Z [debug] Called CNI ADD
2021-12-20T19:54:02Z [debug] Gateway: 147.75.197.173
2021-12-20T19:54:02Z [debug] IP Source Addresses: [147.75.197.175/30]
2021-12-20T19:54:02Z [debug] IP Destinations: [80 TCP 142.250.81.206]
2021-12-20T19:54:02Z [debug] Created macvlan interface
2021-12-20T19:54:02Z [debug] Renamed macvlan to "net1"
2021-12-20T19:54:02Z [debug] Adding IPv4 route to gateway 147.75.197.173 on macvlan interface
2021-12-20T19:54:02Z [debug] deleted default route {Ifindex: 3 Dst: <nil> Src: <nil> Gw: 10.128.2.1 Flags: [] Table: 254}
2021-12-20T19:54:02Z [debug] Added new default route with gateway 147.75.197.173
2021-12-20T19:54:02Z [debug] Added iptables rule: iptables -t nat PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 142.250.81.206
2021-12-20T19:54:02Z [debug] Added iptables rule: iptables -t nat -o net1 -j SNAT --to-source 147.75.197.175
2021-12-20T19:59:16Z [debug] Called CNI ADD
2021-12-20T19:59:16Z [debug] Gateway: 2604:1380:0:de00::16
2021-12-20T19:59:16Z [debug] IP Source Addresses: [2604:1380:0:de00::14/127]
2021-12-20T19:59:16Z [debug] IP Destinations: [80 TCP 2607:f8b0:4004:808::200e]
2021-12-20T19:59:16Z [debug] Created macvlan interface
2021-12-20T19:59:16Z [debug] Renamed macvlan to "net1"
2021-12-20T19:59:16Z [error] Unable to read sysctl value net.ipv6.conf.lo.disable_ipv6
2021-12-20T19:59:16Z [error] Unable to read sysctl value net.ipv6.conf.net1.disable_ipv6
2021-12-20T19:59:18Z [debug] Adding IPv6 route to gateway 2604:1380:0:de00::16 on macvlan interface
2021-12-20T19:59:18Z [debug] deleted default route {Ifindex: 3 Dst: <nil> Src: <nil> Gw: fd01:0:0:5::1 Flags: [] Table: 254}
2021-12-20T19:59:18Z [debug] Added new default route with gateway 2604:1380:0:de00::16
2021-12-20T19:59:18Z [debug] Added iptables rule: iptables -t nat PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 2607:f8b0:4004:808::200e
2021-12-20T19:59:18Z [debug] Added iptables rule: iptables -t nat -o net1 -j SNAT --to-source 2604:1380:0:de00::14
2021-12-20T20:17:29Z [debug] Called CNI ADD
2021-12-20T20:17:29Z [debug] Gateway: 147.75.197.173
2021-12-20T20:17:29Z [debug] IP Source Addresses: [147.75.197.175/30]
2021-12-20T20:17:29Z [debug] IP Destinations: [80 TCP 142.250.81.206]
2021-12-20T20:17:29Z [debug] Created macvlan interface
2021-12-20T20:17:29Z [debug] Renamed macvlan to "net1"
2021-12-20T20:17:29Z [debug] Adding IPv4 route to gateway 147.75.197.173 on macvlan interface
2021-12-20T20:17:29Z [debug] deleted default route {Ifindex: 3 Dst: <nil> Src: <nil> Gw: 10.128.2.1 Flags: [] Table: 254}
2021-12-20T20:17:29Z [debug] Added new default route with gateway 147.75.197.173
2021-12-20T20:17:29Z [debug] Added iptables rule: iptables -t nat PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 142.250.81.206
2021-12-20T20:17:29Z [debug] Added iptables rule: iptables -t nat -o net1 -j SNAT --to-source 147.75.197.175
2021-12-20T20:22:41Z [debug] Called CNI ADD
2021-12-20T20:22:41Z [debug] Gateway: 2604:1380:0:de00::16
2021-12-20T20:22:41Z [debug] IP Source Addresses: [2604:1380:0:de00::14/127]
2021-12-20T20:22:41Z [debug] IP Destinations: [80 TCP 2607:f8b0:4004:808::200e]
2021-12-20T20:22:41Z [debug] Created macvlan interface
2021-12-20T20:22:41Z [debug] Renamed macvlan to "net1"
2021-12-20T20:22:41Z [error] Unable to read sysctl value net.ipv6.conf.lo.disable_ipv6
2021-12-20T20:22:41Z [error] Unable to read sysctl value net.ipv6.conf.net1.disable_ipv6
2021-12-20T20:22:43Z [debug] Adding IPv6 route to gateway 2604:1380:0:de00::16 on macvlan interface
2021-12-20T20:22:43Z [debug] deleted default route {Ifindex: 3 Dst: <nil> Src: <nil> Gw: fd01:0:0:5::1 Flags: [] Table: 254}
2021-12-20T20:22:43Z [debug] Added new default route with gateway 2604:1380:0:de00::16
2021-12-20T20:22:43Z [debug] Added iptables rule: iptables -t nat PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 2607:f8b0:4004:808::200e
2021-12-20T20:22:43Z [debug] Added iptables rule: iptables -t nat -o net1 -j SNAT --to-source 2604:1380:0:de00::14
sh-4.4# crictl ps | grep egress
f4f16a250d7be       d38e39880b6835352c7728cf4d3e1dae0b96313d00f3d242e8323b08c6b1d7a6                                                         48 seconds ago      Running             egress-router-cni-pod                0                   5ac3346793463
sh-4.4# crictl inspect f4f16a250d7be | grep pid
    "pid": 271689,
          "pids": {
            "type": "pid"
sh-4.4# nsenter -n -t 271689
[root@worker-01 /]# ip6tables-save -t nat
# Generated by ip6tables-save v1.8.4 on Mon Dec 20 20:24:18 2021
*nat
COMMIT
# Completed on Mon Dec 20 20:24:18 2021
[root@worker-01 /]# 
[root@worker-01 /]# ip6tables-save
# Generated by ip6tables-save v1.8.4 on Mon Dec 20 20:28:44 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --dport 22623 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with icmp6-port-unreachable
-A FORWARD -p tcp -m tcp --dport 22624 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with icmp6-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 22623 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with icmp6-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 22624 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with icmp6-port-unreachable
COMMIT
# Completed on Mon Dec 20 20:28:44 2021
[root@worker-01 /]# 


Actual results:
[root@worker-01 /]# ip6tables-save -t nat
Empty

Expected results:
As with IPv4, the IPv6 source and destination rules should be shown in ip6tables-save -t nat.

Additional info:
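The log above shows the CNI plugin emitting "iptables -t nat ... --to-destination 2607:f8b0:4004:808::200e" for an IPv6 redirect, which is why the nat table in ip6tables-save stays empty: the rules were handed to the wrong address family's tool. The following is an added Go example, not code from the egress-router-cni project, that shows the two defender-side checks a reviewer of this bug would want: pick the NAT binary from the address family of the egress address, and verify against an `iptables-save`/`ip6tables-save -t nat` dump that the expected DNAT and SNAT rules are actually present. The function names are hypothetical; the rule shape (DNAT on eth0, SNAT on net1, `-p tcp -m tcp --dport`) is taken from the saved tables shown in this report, and the two sample dumps are constructed to mirror the broken and fixed output above.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// natBinaryFor picks the NAT tool for the address family of the egress address
// (hypothetical helper). The defect on this page is that the IPv6 path still
// shelled out to "iptables", so the rules never reached the ip6tables nat table.
func natBinaryFor(addr string) (string, error) {
	ip, _, err := net.ParseCIDR(addr)
	if err != nil {
		ip = net.ParseIP(addr)
		if ip == nil {
			return "", fmt.Errorf("not an IP or CIDR: %q", addr)
		}
	}
	if ip.To4() != nil {
		return "iptables", nil
	}
	return "ip6tables", nil
}

// expectedNATRules renders, in iptables-save form, the two rules an EgressRouter
// in Redirect mode installs for one redirectRule: a DNAT on eth0 and a SNAT on net1.
// Mixing address families is rejected, since such a rule can never be installed.
func expectedNATRules(sourceCIDR, destIP string, port int, proto string) ([]string, error) {
	srcIP, _, err := net.ParseCIDR(sourceCIDR)
	if err != nil {
		return nil, err
	}
	dst := net.ParseIP(destIP)
	if dst == nil {
		return nil, fmt.Errorf("bad destination %q", destIP)
	}
	if (srcIP.To4() == nil) != (dst.To4() == nil) {
		return nil, fmt.Errorf("source %s and destination %s are different address families", srcIP, dst)
	}
	p := strings.ToLower(proto)
	return []string{
		fmt.Sprintf("-A PREROUTING -i eth0 -p %s -m %s --dport %d -j DNAT --to-destination %s", p, p, port, dst),
		fmt.Sprintf("-A POSTROUTING -o net1 -j SNAT --to-source %s", srcIP),
	}, nil
}

// savedNATRules extracts the "-A" rule lines of the *nat table from
// iptables-save / ip6tables-save output, ignoring other tables and chain policies.
func savedNATRules(saved string) []string {
	var rules []string
	inNAT := false
	for _, line := range strings.Split(saved, "\n") {
		line = strings.TrimSpace(line)
		switch {
		case strings.HasPrefix(line, "*"):
			inNAT = line == "*nat"
		case line == "COMMIT":
			inNAT = false
		case inNAT && strings.HasPrefix(line, "-A "):
			rules = append(rules, line)
		}
	}
	return rules
}

// missingNATRules returns the expected rules that do not appear in the saved table.
func missingNATRules(saved string, expected []string) []string {
	present := map[string]bool{}
	for _, r := range savedNATRules(saved) {
		present[r] = true
	}
	var missing []string
	for _, r := range expected {
		if !present[r] {
			missing = append(missing, r)
		}
	}
	return missing
}

// Constructed sample dumps, modelled on the ip6tables-save output in this report
// before the fix (empty nat table) and after it (comment 3).
const brokenSave = `# Generated by ip6tables-save v1.8.4 on Mon Dec 20 20:24:18 2021
*nat
COMMIT
# Completed on Mon Dec 20 20:24:18 2021
`

const fixedSave = `# Generated by ip6tables-save v1.8.4 on Thu Feb 10 19:53:07 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 2607:f8b0:4004:808::200e
-A POSTROUTING -o net1 -j SNAT --to-source fd2e:6f44:5dd8::72
COMMIT
# Completed on Thu Feb 10 19:53:07 2022
`

func main() {
	bin, _ := natBinaryFor("fd2e:6f44:5dd8::72/64")
	expected, _ := expectedNATRules("fd2e:6f44:5dd8::72/64", "2607:f8b0:4004:808::200e", 80, "TCP")
	fmt.Println("verify with:", bin+"-save -t nat")
	fmt.Println("missing before fix:", missingNATRules(brokenSave, expected))
	fmt.Println("missing after fix:", missingNATRules(fixedSave, expected))
}
```

Run inside the egress pod's network namespace (the `nsenter -n -t <pid>` step above) with the real `ip6tables-save -t nat` output in place of the constructed dumps, and a non-empty missing list reproduces the symptom of this bug without having to eyeball the table.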

Comment 3 Weibin Liang 2022-02-10 20:18:25 UTC
Tested and verified in 4.11.0-0.nightly-2022-02-10-031822

sh-4.4# nsenter -n -t 122859
[root@worker-0-1 /]# ip6tables-save -t nat
# Generated by ip6tables-save v1.8.4 on Thu Feb 10 19:53:07 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 2607:f8b0:4004:808::200e
-A POSTROUTING -o net1 -j SNAT --to-source fd2e:6f44:5dd8::72
COMMIT
# Completed on Thu Feb 10 19:53:07 2022
[root@worker-0-1 /]#

Comment 5 errata-xmlrpc 2022-08-10 10:41:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069

