Conntrack not listening on correct port?

I’m having an issue where clients fail to connect to a static port from outside my local networks, and when I dig into the problem it appears that conntrack isn’t understanding what is happening in these cases and is either dropping or resetting the connection, depending on the topology between the client and host, I guess. It is not a sporadic issue; I can reproduce it 100% of the time and have a way to test both cases.

In the following dumps, app-proxy is its Envoy sidecar, and app-host is veth0 as described in my interface config. I measured through the bridge described in my config.

❯ nomad --version 
Nomad v1.3.3 (428b2cd8014c48ee9eae23f02712b7219da16d30)
❯ consul --version
Consul v1.13.1
Revision c6d0f9ec
Build Date 2022-08-11T19:07:00Z
Protocol 2 spoken by default, understands 2 to 3 (agent will automatically use protocol >2 when speaking to compatible agents)
routed.conntrack:
    [NEW] tcp      6 120 SYN_SENT src=client dst=app-host sport=54616 dport=443 [UNREPLIED] src=app-proxy dst=client sport=443 dport=54616
 [UPDATE] tcp      6 60 SYN_RECV src=client dst=app-host sport=54616 dport=443 src=app-proxy dst=client sport=443 dport=54616
 [UPDATE] tcp      6 432000 ESTABLISHED src=client dst=app-host sport=54616 dport=443 src=app-proxy dst=client sport=443 dport=54616 [ASSURED]
 [UPDATE] tcp      6 120 FIN_WAIT src=client dst=app-host sport=54616 dport=443 src=app-proxy dst=client sport=443 dport=54616 [ASSURED]
 [UPDATE] tcp      6 30 LAST_ACK src=client dst=app-host sport=54616 dport=443 src=app-proxy dst=client sport=443 dport=54616 [ASSURED]
 [UPDATE] tcp      6 120 TIME_WAIT src=client dst=app-host sport=54616 dport=443 src=app-proxy dst=client sport=443 dport=54616 [ASSURED]

tls.conntrack:
    [NEW] tcp      6 120 SYN_SENT src=client dst=app-host sport=57600 dport=443 [UNREPLIED] src=app-proxy dst=client sport=443 dport=57600
 [UPDATE] tcp      6 60 SYN_RECV src=client dst=app-host sport=57600 dport=443 src=app-proxy dst=client sport=443 dport=57600
    [NEW] tcp      6 120 SYN_SENT src=client dst=app-host sport=57601 dport=443 [UNREPLIED] src=app-proxy dst=client sport=443 dport=57601
 [UPDATE] tcp      6 60 SYN_RECV src=client dst=app-host sport=57601 dport=443 src=app-proxy dst=client sport=443 dport=57601
 [UPDATE] tcp      6 432000 ESTABLISHED src=client dst=app-host sport=57600 dport=443 src=app-proxy dst=client sport=443 dport=57600 [ASSURED]
    [NEW] tcp      6 300 ESTABLISHED src=app-host dst=client sport=443 dport=57600 [UNREPLIED] src=client dst=app-host sport=57600 dport=220
 [UPDATE] tcp      6 432000 ESTABLISHED src=client dst=app-host sport=57601 dport=443 src=app-proxy dst=client sport=443 dport=57601 [ASSURED]
    [NEW] tcp      6 300 ESTABLISHED src=app-host dst=client sport=443 dport=57601 [UNREPLIED] src=client dst=app-host sport=57601 dport=233

unrouted.conntrack:
    [NEW] tcp      6 120 SYN_SENT src=client dst=app-host sport=54600 dport=443 [UNREPLIED] src=app-proxy dst=client sport=443 dport=54600
 [UPDATE] tcp      6 60 SYN_RECV src=client dst=app-host sport=54600 dport=443 src=app-proxy dst=client sport=443 dport=54600
 [UPDATE] tcp      6 432000 ESTABLISHED src=client dst=app-host sport=54600 dport=443 src=app-proxy dst=client sport=443 dport=54600 [ASSURED]
 [UPDATE] tcp      6 120 FIN_WAIT src=client dst=app-host sport=54600 dport=443 src=app-proxy dst=client sport=443 dport=54600 [ASSURED]
 [UPDATE] tcp      6 30 LAST_ACK src=client dst=app-host sport=54600 dport=443 src=app-proxy dst=client sport=443 dport=54600 [ASSURED]
 [UPDATE] tcp      6 120 TIME_WAIT src=client dst=app-host sport=54600 dport=443 src=app-proxy dst=client sport=443 dport=54600 [ASSURED]

vpn.conntrack:
    [NEW] tcp      6 120 SYN_SENT src=client dst=app-host sport=55264 dport=443 [UNREPLIED] src=app-proxy dst=client sport=443 dport=55264
 [UPDATE] tcp      6 60 SYN_RECV src=client dst=app-host sport=55264 dport=443 src=app-proxy dst=client sport=443 dport=55264
 [UPDATE] tcp      6 432000 ESTABLISHED src=client dst=app-host sport=55264 dport=443 src=app-proxy dst=client sport=443 dport=55264 [ASSURED]
    [NEW] tcp      6 300 ESTABLISHED src=app-host dst=client sport=443 dport=55264 [UNREPLIED] src=client dst=app-host sport=55264 dport=407
[DESTROY] tcp      6 src=app-host dst=client sport=443 dport=55264 [UNREPLIED] src=client dst=app-host sport=55264 dport=407
 [UPDATE] tcp      6 10 CLOSE src=client dst=app-host sport=55264 dport=443 src=app-proxy dst=client sport=443 dport=55264 [ASSURED]

My network setup is kind of exotic, but I turned off my OpenStack setup running with multiple network namespaces, and now I’m down to a bridge with a bunch of physical NICs, one of which is connected to the internet, and a virtual NIC on the bridge that the host uses as the primary interface:

❯ uname -a                                
Linux core 5.10.0-15-sme-amd64 #1 SMP Debian 5.10.120-1 (2022-06-09) x86_64 GNU/Linux
❯ cat /etc/network/interfaces | tail -n 19
######################
# Bridge
######################

auto br-ext
iface br-ext inet static
  bridge_ports enp1s0f0 enp1s0f1 enp33s0f0 enp33s0f1 enp34s0f0 enp34s0f1 enp34s0f2 enp34s0f3 enp97s0f0 enp97s0f1 enp97s0f2 enp97s0f3 enp98s0f0 enp98s0f1 enp98s0f2 enp98s0f3 enp99s0f0 enp99s0f1 veth0-p
  address 192.168.1.250
  netmask 255.255.255.0
  pre-up    ip link add veth0 type veth peer name veth0-p && ip link set veth0 address 01:01:01:01:01:01
  up        brctl stp $IFACE on
  post-down ip link delete veth0

######################
# Primary Interface
######################

auto veth0
iface veth0 inet dhcp

This is connected to a router, which is behind another router that is built into my modem. I have forwarded the appropriate ports, and in dev mode things work fine. I’m trying to configure Nomad, Consul and Vault for a staging environment right now. The big difference since I tried dev mode is that I started using Consul services rather than Nomad’s mesh. I imagine something about CNI, Nomad, Consul or Docker is misconfigured. I’ve turned off Docker’s iptables flag to debug this (and for more information, I don’t believe I ever got it working in dev mode with iptables enabled in Docker).

I am using nomad-pack to deploy, but that shouldn’t be relevant. I rendered the job and ran it without pack with the same results. I have tcpdump and iptables data ready as well.

Here is the most basic job that fails (resources are over-provisioned but the server can definitely handle it):

job "front_end" {
  type = "service"

  region = "global"

  datacenters = ["dc1"]

  group "front_end" {
    network {

      mode = "bridge"

      port "https" {
        static = 443
        to     = 443
      }
    }

    task "react" {
      driver = "docker"

      vault {
        policies = ["kv"]
      }

      config {
        force_pull = true
        image      = "some-image"
      }

      template {
        data          = <<EOF
{{- with secret "kv/data/api_nginx_private_key" -}}
{{ .Data.data.value  }}
{{- end -}}
EOF
        destination   = "secrets/nginx-private-key.pem"
        change_mode   = "signal"
        change_signal = "SIGHUP"
      }

      template {
        data          = <<EOF
{{- with secret "kv/data/api_nginx_certificate" -}}
{{ .Data.data.value  }}
{{- end -}}
EOF
        destination   = "secrets/nginx-certificate.pem"
        change_mode   = "signal"
        change_signal = "SIGHUP"
      }

      resources {
        cpu    = 2000
        memory = 3072
      }
    }
  }
}

/etc/docker/daemon.json

{
  "bip": "10.1.0.1/16",
  "dns": ["8.8.8.8", "8.8.4.4"],
  "iptables": false
}

❯ cat tls.host-external-bridge-view.tcpdump    
21:54:10.205404 IP client.52676 > app-proxy.https: Flags [S], seq 419624508, win 65535, options [mss 1452,nop,wscale 6,nop,nop,TS val 32965802 ecr 0,sackOK,eol], length 0
21:54:10.205533 IP app-host.https > client.52676: Flags [S.], seq 180633708, ack 419624509, win 65160, options [mss 1460,sackOK,TS val 1118519366 ecr 32965802,nop,wscale 7], length 0
21:54:10.267621 IP client.52676 > app-proxy.https: Flags [.], ack 180633709, win 2070, options [nop,nop,TS val 32965870 ecr 1118519366], length 0
21:54:10.293478 IP client.52676 > app-proxy.https: Flags [P.], seq 0:323, ack 1, win 2070, options [nop,nop,TS val 32965879 ecr 1118519366], length 323
21:54:10.293548 IP app-host.https > client.52676: Flags [.], ack 324, win 507, options [nop,nop,TS val 1118519454 ecr 32965879], length 0
21:54:10.293912 IP app-host.https > client.52676: Flags [P.], seq 1:100, ack 324, win 507, options [nop,nop,TS val 1118519455 ecr 32965879], length 99
21:54:10.530491 IP client.52676 > app-proxy.https: Flags [P.], seq 0:323, ack 1, win 2070, options [nop,nop,TS val 32966116 ecr 1118519366], length 323
21:54:10.530543 IP app-host.https > client.52676: Flags [.], ack 324, win 507, options [nop,nop,TS val 1118519691 ecr 32966116,nop,nop,sack 1 {1:324}], length 0
21:54:10.569400 IP app-host.https > client.52676: Flags [P.], seq 1:100, ack 324, win 507, options [nop,nop,TS val 1118519730 ecr 32966116], length 99
21:54:10.857403 IP app-host.https > client.52676: Flags [P.], seq 1:100, ack 324, win 507, options [nop,nop,TS val 1118520018 ecr 32966116], length 99
21:54:10.922469 IP client.52676 > app-proxy.https: Flags [P.], seq 0:323, ack 1, win 2070, options [nop,nop,TS val 32966521 ecr 1118519366], length 323
21:54:10.922529 IP app-host.https > client.52676: Flags [.], ack 324, win 507, options [nop,nop,TS val 1118520083 ecr 32966521,nop,nop,sack 1 {1:324}], length 0
21:54:11.401433 IP app-host.https > client.52676: Flags [P.], seq 1:100, ack 324, win 507, options [nop,nop,TS val 1118520562 ecr 32966521], length 99
21:54:11.534554 IP client.52676 > app-proxy.https: Flags [P.], seq 0:323, ack 1, win 2070, options [nop,nop,TS val 32967130 ecr 1118519366], length 323
21:54:11.534613 IP app-host.https > client.52676: Flags [.], ack 324, win 507, options [nop,nop,TS val 1118520695 ecr 32967130,nop,nop,sack 1 {1:324}], length 0
21:54:11.612472 IP client.52676 > app-proxy.https: Flags [F.], seq 323, ack 1, win 2070, options [nop,nop,TS val 32967210 ecr 1118519366], length 0
21:54:11.612722 IP app-host.https > client.52676: Flags [F.], seq 100, ack 325, win 507, options [nop,nop,TS val 1118520773 ecr 32967210], length 0
21:54:12.489446 IP app-host.https > client.52676: Flags [FP.], seq 1:100, ack 325, win 507, options [nop,nop,TS val 1118521650 ecr 32967210], length 99
21:54:12.553046 IP client.52676 > app-proxy.https: Flags [FP.], seq 0:323, ack 1, win 2070, options [nop,nop,TS val 32968146 ecr 1118519366], length 323
21:54:12.553179 IP app-host.https > client.52676: Flags [.], ack 325, win 507, options [nop,nop,TS val 1118521714 ecr 32968146,nop,nop,sack 1 {1:325}], length 0

❯ cat tls.client-primary-interface-view.tcpdump
21:54:10.059007 IP client.52676 > app-host.https: Flags [S], seq 419624508, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 32965802 ecr 0,sackOK,eol], length 0
21:54:10.127439 IP app-host.https > client.52676: Flags [S.], seq 180633708, ack 419624509, win 65160, options [mss 1452,sackOK,TS val 1118519366 ecr 32965802,nop,wscale 7], length 0
21:54:10.127526 IP client.52676 > app-host.https: Flags [.], ack 1, win 2070, options [nop,nop,TS val 32965870 ecr 1118519366], length 0
21:54:10.135609 IP client.52676 > app-host.https: Flags [P.], seq 1:324, ack 1, win 2070, options [nop,nop,TS val 32965879 ecr 1118519366], length 323
21:54:10.372586 IP client.52676 > app-host.https: Flags [P.], seq 1:324, ack 1, win 2070, options [nop,nop,TS val 32966116 ecr 1118519366], length 323
21:54:10.777831 IP client.52676 > app-host.https: Flags [P.], seq 1:324, ack 1, win 2070, options [nop,nop,TS val 32966521 ecr 1118519366], length 323
21:54:11.387200 IP client.52676 > app-host.https: Flags [P.], seq 1:324, ack 1, win 2070, options [nop,nop,TS val 32967130 ecr 1118519366], length 323
21:54:11.466911 IP client.52676 > app-host.https: Flags [F.], seq 324, ack 1, win 2070, options [nop,nop,TS val 32967210 ecr 1118519366], length 0
21:54:12.402688 IP client.52676 > app-host.https: Flags [FP.], seq 1:324, ack 1, win 2070, options [nop,nop,TS val 32968146 ecr 1118519366], length 323

Help? It seems like the traffic is using the static port correctly and conntrack is expecting to see something on a dynamic port.

I’m also now realizing I may be able to run varying combinations of consul and nomad in dev mode using my current config to try and figure this out, but I don’t know enough about the software yet (I started using these tools just over a week ago) to know what might be going on, and I worry that I’d get incorrect results that would ultimately just slow me down.

I took quite a bit of care collecting this data but it’s possible I made a mistake. If something seems incorrect let me know and I’ll do another dump before debugging.

Thanks in advance!

iptables nat rules:

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination         
1         123     7164 CNI-HOSTPORT-DNAT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination         
1       29308  1759283 CNI-HOSTPORT-DNAT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination         
1       30842  2039961 CNI-HOSTPORT-MASQ  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* CNI portfwd requiring masquerade */
2           0        0 CNI-ee7dd5f82b675f8fbfaeb73e  all  --  *      *       172.26.68.127        0.0.0.0/0            /* name: "nomad" id: "17e351b8-1ca9-401a-aac2-1defe2c3619e" */
3           0        0 CNI-e1abe091ca15cc9dfb1e7773  all  --  *      *       172.26.68.128        0.0.0.0/0            /* name: "nomad" id: "3bb84c2b-1ab9-56f9-85d5-d3a7e9c2b01e" */
4           5      300 CNI-cfea90890ed499047c58f1c2  all  --  *      *       172.26.68.129        0.0.0.0/0            /* name: "nomad" id: "49f77209-1a6d-3ebb-b2ae-e52607819c1d" */
5           0        0 CNI-44ed7e680cdbc19babe48601  all  --  *      *       172.26.68.130        0.0.0.0/0            /* name: "nomad" id: "166e37e2-463c-8f2a-49ab-4acd094450ab" */
6           0        0 CNI-fcd5542090763fb7ddeb072e  all  --  *      *       172.26.68.131        0.0.0.0/0            /* name: "nomad" id: "8e5b590a-4441-69ae-fa82-485eede29f80" */
7           0        0 CNI-53533170a9bc4a35d7476655  all  --  *      *       172.26.68.132        0.0.0.0/0            /* name: "nomad" id: "043c890e-96ff-ee1b-5c02-b9dfde7dc332" */
8           0        0 CNI-50f32ea169077d1f04b3c859  all  --  *      *       172.26.68.133        0.0.0.0/0            /* name: "nomad" id: "e88f7bfd-1ce2-2b84-f47b-3e1e923ea004" */
9           1       60 CNI-e2bf7c31c5078670309ba2dc  all  --  *      *       172.26.68.134        0.0.0.0/0            /* name: "nomad" id: "a1275907-63cf-8203-1f57-20b3bd3f0d2f" */
10          0        0 CNI-c4d17c26c15340f1990273d9  all  --  *      *       172.26.68.135        0.0.0.0/0            /* name: "nomad" id: "bcc966fe-3d21-95e0-1ad0-643a829f6f88" */

Chain CNI-44ed7e680cdbc19babe48601 (1 references)
num      pkts      bytes target     prot opt in     out     source               destination         
1           0        0 ACCEPT     all  --  *      *       0.0.0.0/0            172.26.64.0/20       /* name: "nomad" id: "166e37e2-463c-8f2a-49ab-4acd094450ab" */
2           0        0 MASQUERADE  all  --  *      *       0.0.0.0/0           !224.0.0.0/4          /* name: "nomad" id: "166e37e2-463c-8f2a-49ab-4acd094450ab" */

Chain CNI-50f32ea169077d1f04b3c859 (1 references)
num      pkts      bytes target     prot opt in     out     source               destination         
1           0        0 ACCEPT     all  --  *      *       0.0.0.0/0            172.26.64.0/20       /* name: "nomad" id: "e88f7bfd-1ce2-2b84-f47b-3e1e923ea004" */
2           0        0 MASQUERADE  all  --  *      *       0.0.0.0/0           !224.0.0.0/4          /* name: "nomad" id: "e88f7bfd-1ce2-2b84-f47b-3e1e923ea004" */

Chain CNI-53533170a9bc4a35d7476655 (1 references)
num      pkts      bytes target     prot opt in     out     source               destination         
1           0        0 ACCEPT     all  --  *      *       0.0.0.0/0            172.26.64.0/20       /* name: "nomad" id: "043c890e-96ff-ee1b-5c02-b9dfde7dc332" */
2           0        0 MASQUERADE  all  --  *      *       0.0.0.0/0           !224.0.0.0/4          /* name: "nomad" id: "043c890e-96ff-ee1b-5c02-b9dfde7dc332" */

Chain CNI-DN-44ed7e680cdbc19babe48 (2 references)
num      pkts      bytes target     prot opt in     out     source               destination         
1           0        0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       172.26.64.0/20       0.0.0.0/0            tcp dpt:27070
2           0        0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpt:27070
3         155     9300 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:27070 to:172.26.68.130:27070
4           0        0 CNI-HOSTPORT-SETMARK  udp  --  *      *       172.26.64.0/20       0.0.0.0/0            udp dpt:27070
5           0        0 CNI-HOSTPORT-SETMARK  udp  --  *      *       127.0.0.1            0.0.0.0/0            udp dpt:27070
6           0        0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:27070 to:172.26.68.130:27070

Chain CNI-DN-50f32ea169077d1f04b3c (2 references)
num      pkts      bytes target     prot opt in     out     source               destination         
1           0        0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       172.26.64.0/20       0.0.0.0/0            tcp dpt:30188
2           0        0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpt:30188
3         155     9300 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30188 to:172.26.68.133:30188
4           0        0 CNI-HOSTPORT-SETMARK  udp  --  *      *       172.26.64.0/20       0.0.0.0/0            udp dpt:30188
5           0        0 CNI-HOSTPORT-SETMARK  udp  --  *      *       127.0.0.1            0.0.0.0/0            udp dpt:30188
6           0        0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:30188 to:172.26.68.133:30188

Chain CNI-DN-53533170a9bc4a35d7476 (2 references)
num      pkts      bytes target     prot opt in     out     source               destination         
1           0        0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       172.26.64.0/20       0.0.0.0/0            tcp dpt:27054
2           0        0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpt:27054
3         155     9300 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:27054 to:172.26.68.132:27054
4           0        0 CNI-HOSTPORT-SETMARK  udp  --  *      *       172.26.64.0/20       0.0.0.0/0            udp dpt:27054
5           0        0 CNI-HOSTPORT-SETMARK  udp  --  *      *       127.0.0.1            0.0.0.0/0            udp dpt:27054
6           0        0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:27054 to:172.26.68.132:27054

Chain CNI-DN-c4d17c26c15340f199027 (2 references)
num      pkts      bytes target     prot opt in     out     source               destination         
1           0        0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       172.26.64.0/20       0.0.0.0/0            tcp dpt:26317
2           0        0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpt:26317
3         155     9300 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:26317 to:172.26.68.135:26317
4           0        0 CNI-HOSTPORT-SETMARK  udp  --  *      *       172.26.64.0/20       0.0.0.0/0            udp dpt:26317
5           0        0 CNI-HOSTPORT-SETMARK  udp  --  *      *       127.0.0.1            0.0.0.0/0            udp dpt:26317
6           0        0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:26317 to:172.26.68.135:26317

Chain CNI-DN-cfea90890ed499047c58f (2 references)
num      pkts      bytes target     prot opt in     out     source               destination         
1           0        0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       172.26.64.0/20       0.0.0.0/0            tcp dpt:8443
2           0        0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpt:8443
3          10      600 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443 to:172.26.68.129:443
4           0        0 CNI-HOSTPORT-SETMARK  udp  --  *      *       172.26.64.0/20       0.0.0.0/0            udp dpt:8443
5           0        0 CNI-HOSTPORT-SETMARK  udp  --  *      *       127.0.0.1            0.0.0.0/0            udp dpt:8443
6           0        0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:8443 to:172.26.68.129:443
7           0        0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       172.26.64.0/20       0.0.0.0/0            tcp dpt:22559
8           0        0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpt:22559
9         155     9300 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22559 to:172.26.68.129:22559
10          0        0 CNI-HOSTPORT-SETMARK  udp  --  *      *       172.26.64.0/20       0.0.0.0/0            udp dpt:22559
11          0        0 CNI-HOSTPORT-SETMARK  udp  --  *      *       127.0.0.1            0.0.0.0/0            udp dpt:22559
12          0        0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:22559 to:172.26.68.129:22559

Chain CNI-DN-e1abe091ca15cc9dfb1e7 (2 references)
num      pkts      bytes target     prot opt in     out     source               destination         
1           0        0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       172.26.64.0/20       0.0.0.0/0            tcp dpt:23920
2           0        0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpt:23920
3         156     9360 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23920 to:172.26.68.128:23920
4           0        0 CNI-HOSTPORT-SETMARK  udp  --  *      *       172.26.64.0/20       0.0.0.0/0            udp dpt:23920
5           0        0 CNI-HOSTPORT-SETMARK  udp  --  *      *       127.0.0.1            0.0.0.0/0            udp dpt:23920
6           0        0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:23920 to:172.26.68.128:23920

Chain CNI-DN-e2bf7c31c5078670309ba (2 references)
num      pkts      bytes target     prot opt in     out     source               destination         
1           0        0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       172.26.64.0/20       0.0.0.0/0            tcp dpt:443
2           0        0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpt:443
3           7      448 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.26.68.134:443
4           0        0 CNI-HOSTPORT-SETMARK  udp  --  *      *       172.26.64.0/20       0.0.0.0/0            udp dpt:443
5           0        0 CNI-HOSTPORT-SETMARK  udp  --  *      *       127.0.0.1            0.0.0.0/0            udp dpt:443
6           0        0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:443 to:172.26.68.134:443

Chain CNI-DN-ee7dd5f82b675f8fbfaeb (2 references)
num      pkts      bytes target     prot opt in     out     source               destination         
1           0        0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       172.26.64.0/20       0.0.0.0/0            tcp dpt:28005
2           0        0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpt:28005
3         156     9360 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:28005 to:172.26.68.127:28005
4           0        0 CNI-HOSTPORT-SETMARK  udp  --  *      *       172.26.64.0/20       0.0.0.0/0            udp dpt:28005
5           0        0 CNI-HOSTPORT-SETMARK  udp  --  *      *       127.0.0.1            0.0.0.0/0            udp dpt:28005
6           0        0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:28005 to:172.26.68.127:28005

Chain CNI-DN-fcd5542090763fb7ddeb0 (2 references)
num      pkts      bytes target     prot opt in     out     source               destination         
1           0        0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       172.26.64.0/20       0.0.0.0/0            tcp dpt:21490
2           0        0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpt:21490
3         156     9360 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21490 to:172.26.68.131:21490
4           0        0 CNI-HOSTPORT-SETMARK  udp  --  *      *       172.26.64.0/20       0.0.0.0/0            udp dpt:21490
5           0        0 CNI-HOSTPORT-SETMARK  udp  --  *      *       127.0.0.1            0.0.0.0/0            udp dpt:21490
6           0        0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:21490 to:172.26.68.131:21490

Chain CNI-HOSTPORT-DNAT (2 references)
num      pkts      bytes target     prot opt in     out     source               destination         
1         156     9360 CNI-DN-ee7dd5f82b675f8fbfaeb  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* dnat name: "nomad" id: "17e351b8-1ca9-401a-aac2-1defe2c3619e" */ multiport dports 28005
2           0        0 CNI-DN-ee7dd5f82b675f8fbfaeb  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* dnat name: "nomad" id: "17e351b8-1ca9-401a-aac2-1defe2c3619e" */ multiport dports 28005
3         156     9360 CNI-DN-e1abe091ca15cc9dfb1e7  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* dnat name: "nomad" id: "3bb84c2b-1ab9-56f9-85d5-d3a7e9c2b01e" */ multiport dports 23920
4           0        0 CNI-DN-e1abe091ca15cc9dfb1e7  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* dnat name: "nomad" id: "3bb84c2b-1ab9-56f9-85d5-d3a7e9c2b01e" */ multiport dports 23920
5         165     9900 CNI-DN-cfea90890ed499047c58f  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* dnat name: "nomad" id: "49f77209-1a6d-3ebb-b2ae-e52607819c1d" */ multiport dports 8443,22559
6           0        0 CNI-DN-cfea90890ed499047c58f  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* dnat name: "nomad" id: "49f77209-1a6d-3ebb-b2ae-e52607819c1d" */ multiport dports 8443,22559
7         155     9300 CNI-DN-44ed7e680cdbc19babe48  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* dnat name: "nomad" id: "166e37e2-463c-8f2a-49ab-4acd094450ab" */ multiport dports 27070
8           0        0 CNI-DN-44ed7e680cdbc19babe48  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* dnat name: "nomad" id: "166e37e2-463c-8f2a-49ab-4acd094450ab" */ multiport dports 27070
9         156     9360 CNI-DN-fcd5542090763fb7ddeb0  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* dnat name: "nomad" id: "8e5b590a-4441-69ae-fa82-485eede29f80" */ multiport dports 21490
10          0        0 CNI-DN-fcd5542090763fb7ddeb0  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* dnat name: "nomad" id: "8e5b590a-4441-69ae-fa82-485eede29f80" */ multiport dports 21490
11        155     9300 CNI-DN-53533170a9bc4a35d7476  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* dnat name: "nomad" id: "043c890e-96ff-ee1b-5c02-b9dfde7dc332" */ multiport dports 27054
12          0        0 CNI-DN-53533170a9bc4a35d7476  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* dnat name: "nomad" id: "043c890e-96ff-ee1b-5c02-b9dfde7dc332" */ multiport dports 27054
13        155     9300 CNI-DN-50f32ea169077d1f04b3c  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* dnat name: "nomad" id: "e88f7bfd-1ce2-2b84-f47b-3e1e923ea004" */ multiport dports 30188
14          0        0 CNI-DN-50f32ea169077d1f04b3c  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* dnat name: "nomad" id: "e88f7bfd-1ce2-2b84-f47b-3e1e923ea004" */ multiport dports 30188
15          7      448 CNI-DN-e2bf7c31c5078670309ba  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* dnat name: "nomad" id: "a1275907-63cf-8203-1f57-20b3bd3f0d2f" */ multiport dports 443
16          0        0 CNI-DN-e2bf7c31c5078670309ba  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* dnat name: "nomad" id: "a1275907-63cf-8203-1f57-20b3bd3f0d2f" */ multiport dports 443
17        155     9300 CNI-DN-c4d17c26c15340f199027  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* dnat name: "nomad" id: "bcc966fe-3d21-95e0-1ad0-643a829f6f88" */ multiport dports 26317
18          0        0 CNI-DN-c4d17c26c15340f199027  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* dnat name: "nomad" id: "bcc966fe-3d21-95e0-1ad0-643a829f6f88" */ multiport dports 26317

Chain CNI-HOSTPORT-MASQ (1 references)
num      pkts      bytes target     prot opt in     out     source               destination         
1           0        0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2000/0x2000

Chain CNI-HOSTPORT-SETMARK (40 references)
num      pkts      bytes target     prot opt in     out     source               destination         
1           0        0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* CNI portfwd masquerade mark */ MARK or 0x2000

Chain CNI-c4d17c26c15340f1990273d9 (1 references)
num      pkts      bytes target     prot opt in     out     source               destination         
1           0        0 ACCEPT     all  --  *      *       0.0.0.0/0            172.26.64.0/20       /* name: "nomad" id: "bcc966fe-3d21-95e0-1ad0-643a829f6f88" */
2           0        0 MASQUERADE  all  --  *      *       0.0.0.0/0           !224.0.0.0/4          /* name: "nomad" id: "bcc966fe-3d21-95e0-1ad0-643a829f6f88" */

Chain CNI-cfea90890ed499047c58f1c2 (1 references)
num      pkts      bytes target     prot opt in     out     source               destination         
1           0        0 ACCEPT     all  --  *      *       0.0.0.0/0            172.26.64.0/20       /* name: "nomad" id: "49f77209-1a6d-3ebb-b2ae-e52607819c1d" */
2           5      300 MASQUERADE  all  --  *      *       0.0.0.0/0           !224.0.0.0/4          /* name: "nomad" id: "49f77209-1a6d-3ebb-b2ae-e52607819c1d" */

Chain CNI-e1abe091ca15cc9dfb1e7773 (1 references)
num      pkts      bytes target     prot opt in     out     source               destination         
1           0        0 ACCEPT     all  --  *      *       0.0.0.0/0            172.26.64.0/20       /* name: "nomad" id: "3bb84c2b-1ab9-56f9-85d5-d3a7e9c2b01e" */
2           0        0 MASQUERADE  all  --  *      *       0.0.0.0/0           !224.0.0.0/4          /* name: "nomad" id: "3bb84c2b-1ab9-56f9-85d5-d3a7e9c2b01e" */

Chain CNI-e2bf7c31c5078670309ba2dc (1 references)
num      pkts      bytes target     prot opt in     out     source               destination         
1           0        0 ACCEPT     all  --  *      *       0.0.0.0/0            172.26.64.0/20       /* name: "nomad" id: "a1275907-63cf-8203-1f57-20b3bd3f0d2f" */
2           1       60 MASQUERADE  all  --  *      *       0.0.0.0/0           !224.0.0.0/4          /* name: "nomad" id: "a1275907-63cf-8203-1f57-20b3bd3f0d2f" */

Chain CNI-ee7dd5f82b675f8fbfaeb73e (1 references)
num      pkts      bytes target     prot opt in     out     source               destination         
1           0        0 ACCEPT     all  --  *      *       0.0.0.0/0            172.26.64.0/20       /* name: "nomad" id: "17e351b8-1ca9-401a-aac2-1defe2c3619e" */
2           0        0 MASQUERADE  all  --  *      *       0.0.0.0/0           !224.0.0.0/4          /* name: "nomad" id: "17e351b8-1ca9-401a-aac2-1defe2c3619e" */

Chain CNI-fcd5542090763fb7ddeb072e (1 references)
num      pkts      bytes target     prot opt in     out     source               destination         
1           0        0 ACCEPT     all  --  *      *       0.0.0.0/0            172.26.64.0/20       /* name: "nomad" id: "8e5b590a-4441-69ae-fa82-485eede29f80" */
2           0        0 MASQUERADE  all  --  *      *       0.0.0.0/0           !224.0.0.0/4          /* name: "nomad" id: "8e5b590a-4441-69ae-fa82-485eede29f80" */

I should mention what the file prefixes mean:
unrouted - straight from client to host
routed - to my internal router's gateway via its external IP, and back into my network
tls - remote connection without vpn
vpn - remote connection via vpn

and…

one more (vpn tcpdump):

❯ cat vpn.client-tunnel-view.tcpdump 
15:29:09.961303 IP client.51860 > app-host.https: Flags [S], seq 22576366, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3393977287 ecr 0,sackOK,eol], length 0
15:29:10.026534 IP app-host.https > client.51860: Flags [S.], seq 1953119618, ack 22576367, win 65160, options [mss 1286,sackOK,TS val 1108309700 ecr 3393977287,nop,wscale 7], length 0
15:29:10.027679 IP client.51860 > app-host.https: Flags [.], ack 1, win 2050, options [nop,nop,TS val 3393977352 ecr 1108309700], length 0
15:29:10.033650 IP client.51860 > app-host.https: Flags [P.], seq 1:324, ack 1, win 2050, options [nop,nop,TS val 3393977360 ecr 1108309700], length 323
15:29:10.265160 IP client.51860 > app-host.https: Flags [P.], seq 1:324, ack 1, win 2050, options [nop,nop,TS val 3393977591 ecr 1108309700], length 323
15:29:10.322776 IP app-host.https > client.51860: Flags [R], seq 1953119619, win 0, length 0

❯ cat vpn.host-external-bridge-view.tcpdump 
17:31:32.376093 IP (tos 0x0, ttl 43, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    client.57609 > app-proxy.https: Flags [S], cksum 0xa229 (correct), seq 2700227731, win 65535, options [mss 1286,nop,wscale 6,nop,nop,TS val 1802490175 ecr 0,sackOK,eol], length 0
17:31:32.376208 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    app-host.https > client.57609: Flags [S.], cksum 0xa327 (incorrect -> 0x55cf), seq 2820418961, ack 2700227732, win 65160, options [mss 1460,sackOK,TS val 87130309 ecr 1802490175,nop,wscale 7], length 0
17:31:32.484364 IP (tos 0x0, ttl 43, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    client.57609 > app-proxy.https: Flags [.], cksum 0x7d1c (correct), seq 2700227732, ack 2820418962, win 2050, options [nop,nop,TS val 1802490295 ecr 87130309], length 0
17:31:32.484379 IP (tos 0x0, ttl 43, id 0, offset 0, flags [DF], proto TCP (6), length 375)
    client.57609 > app-proxy.https: Flags [P.], cksum 0x5ca0 (correct), seq 0:323, ack 1, win 2050, options [nop,nop,TS val 1802490306 ecr 87130309], length 323
17:31:32.484473 IP (tos 0x0, ttl 63, id 15836, offset 0, flags [DF], proto TCP (6), length 52)
    app-host.https > client.57609: Flags [.], cksum 0xa31f (incorrect -> 0x7ef7), seq 1, ack 324, win 507, options [nop,nop,TS val 87130417 ecr 1802490306], length 0
17:31:32.484864 IP (tos 0x0, ttl 63, id 15837, offset 0, flags [DF], proto TCP (6), length 151)
    app-host.https > client.57609: Flags [P.], cksum 0xa382 (incorrect -> 0x6c39), seq 1:100, ack 324, win 507, options [nop,nop,TS val 87130417 ecr 1802490306], length 99
17:31:32.511152 IP (tos 0x0, ttl 42, id 47686, offset 0, flags [DF], proto TCP (6), length 40)
    client.57609 > app-host.https: Flags [R], cksum 0x5359 (correct), seq 2700228055, win 0, length 0
17:31:32.816795 IP (tos 0x0, ttl 43, id 0, offset 0, flags [DF], proto TCP (6), length 375)
    client.57609 > app-proxy.https: Flags [P.], cksum 0x5b4b (correct), seq 0:323, ack 1, win 2050, options [nop,nop,TS val 1802490647 ecr 87130309], length 323
17:31:32.816871 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    app-host.https > client.57609: Flags [R], cksum 0x5474 (correct), seq 2820418962, win 0, length 0

I think my problem is in CNI.

This is what fails when I run tests:

• Failure [0.279 seconds]
portmap integration tests
/home/user/src/cni-plugins/plugins/meta/portmap/portmap_integ_test.go:68
  Creating an interface in a namespace with the ptp plugin
  /home/user/src/cni-plugins/plugins/meta/portmap/portmap_integ_test.go:102
    [1.0.0] forwards a TCP port on ipv4 [It]
    /home/user/src/cni-plugins/plugins/meta/portmap/portmap_integ_test.go:104

and this is the failure:

iptables: No chain/target/match by that name.

I’m doing this in my spare time but I’ll post results when I figure this out. I suspect it may be because I initially installed the version of CNI documented in one of the Hashicorp guides when setting up Consul ServiceMesh for Nomad, but realized later that it was incompatible. I upgraded but likely didn’t rm the source dir before I did, and as a result I may have built with mismatched dependencies.

I replaced whatever version I had of the CNI plugins (I guess I could grep for a commit hash?) with the 1.0.0 binaries referenced on the official Hashicorp page. I was incorrect, I must have seen a previous iteration of a guide or something and mistook it for the current. Since I still see no errors in the logs of Nomad or Consul, I ran the new binaries in the old test harness I had in my src dir and the portmap stuff worked. The only test that failed was due to a version mismatch so I doubt it’s actually failing.

I have various ideas of what I should try next, but I keep coming back to conntrack expecting the wrong port. It seems like that is definitely wrong. Maybe, though, it's not able to figure things out because of the bridge that sits between my physical NIC and my virtual adapter (app-host is the virtual one).

It makes sense to me now. Conntrack was merely observing connections from another layer in my networking stack that were literally on the wrong port, due to my bridged setup. I removed the uplink nic from the bridge and reconfigured my machine and everything works now. Unfortunately this means I need to rebuild my internal network, but what can you do.
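As an added example (my own, not part of this thread or of the CNI, Nomad or Consul projects), here is a small Python script that applies the one check a stateful tracker like conntrack applies to a capture such as vpn.host-external-bridge-view.tcpdump above: the bare SYN fixes the original 4-tuple of a flow, and every later packet must carry either that tuple or its mirror image (the reply tuple), otherwise the tracker has no flow to attach it to. In the bridge capture above the SYN is sent to app-proxy.https but the SYN-ACK comes back from app-host.https, which is the kind of mismatch the script reports. The sample lines are abbreviated copies of lines from the captures in this thread with the TCP options stripped; the regex handles both tcpdump's one-line and its -v two-line output. The script deliberately does not model NAT rewriting of the tuples, so run it on a capture taken at a single point in the path (one `tcpdump -ni <iface>` per interface) and compare the mismatches it prints with what `conntrack -E` shows for the same port.

```python
import re
from typing import Dict, List, Optional, Tuple

# One endpoint pair as tcpdump prints it, on both the one-line and the -v
# (two-line) formats: "src.sport > dst.dport: Flags [..]".  Greedy host
# groups so dotted-quad addresses keep their last dot in the host part.
PKT_RE = re.compile(r"(\S+)\.(\S+?) > (\S+)\.(\S+?): Flags \[([^\]]+)\]")

Tuple4 = Tuple[str, str, str, str]  # (src, sport, dst, dport)


def parse_packet(line: str) -> Optional[Tuple[Tuple4, str]]:
    """Return ((src, sport, dst, dport), flags) or None for non-packet lines."""
    m = PKT_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return (src, sport, dst, dport), flags


def find_unmatched(lines: List[str]) -> List[str]:
    """Flag packets that belong to neither direction of the flow their SYN opened.

    A bare SYN fixes the original tuple; every later packet must carry that
    tuple or its mirror image (the reply tuple).  NAT rewriting of tuples is
    not modelled here, so feed this a capture from one point in the path.
    """
    expected_reply: Dict[Tuple4, Tuple4] = {}   # original tuple -> mirrored tuple
    by_reply: Dict[Tuple4, Tuple4] = {}         # mirrored tuple -> original tuple
    problems: List[str] = []
    for line in lines:
        parsed = parse_packet(line)
        if parsed is None:
            continue
        tup, flags = parsed
        src, sport, dst, dport = tup
        if flags == "S":                         # new connection attempt
            mirror = (dst, dport, src, sport)
            expected_reply[tup] = mirror
            by_reply[mirror] = tup
            continue
        if tup in expected_reply or tup in by_reply:
            continue                             # consistent with a tracked flow
        # Not tracked: say which flow it was apparently meant for and what
        # the tracker would have expected on that side.
        for (c_host, c_port, s_host, s_port) in expected_reply:
            if (dst, dport) == (c_host, c_port):
                problems.append(f"reply {src}:{sport} -> {dst}:{dport} [{flags}] "
                                f"expected from {s_host}:{s_port}")
                break
            if (src, sport) == (c_host, c_port):
                problems.append(f"packet {src}:{sport} -> {dst}:{dport} [{flags}] "
                                f"expected towards {s_host}:{s_port}")
                break
        else:
            problems.append(f"packet {src}:{sport} -> {dst}:{dport} [{flags}] "
                            "matches no tracked flow")
    return problems


# Sample input: abbreviated copies of lines from the captures in this thread,
# TCP options removed.  First a symmetric handshake, then the bridge capture
# where the SYN-ACK comes back from a different host than the SYN went to.
SAMPLE_SYMMETRIC = """\
15:29:09.961303 IP client.51860 > app-host.https: Flags [S], seq 22576366, win 65535, length 0
15:29:10.026534 IP app-host.https > client.51860: Flags [S.], seq 1953119618, ack 22576367, win 65160, length 0
15:29:10.027679 IP client.51860 > app-host.https: Flags [.], ack 1, win 2050, length 0
""".splitlines()

SAMPLE_ASYMMETRIC = """\
17:31:32.376093 IP client.57609 > app-proxy.https: Flags [S], seq 2700227731, win 65535, length 0
17:31:32.376208 IP app-host.https > client.57609: Flags [S.], seq 2820418961, ack 2700227732, win 65160, length 0
17:31:32.484364 IP client.57609 > app-proxy.https: Flags [.], ack 1, win 2050, length 0
17:31:32.511152 IP client.57609 > app-host.https: Flags [R], seq 2700228055, win 0, length 0
""".splitlines()

if __name__ == "__main__":
    for name, sample in (("symmetric", SAMPLE_SYMMETRIC), ("asymmetric", SAMPLE_ASYMMETRIC)):
        found = find_unmatched(sample)
        print(f"{name}: {len(found)} unmatched packet(s)")
        for p in found:
            print("   ", p)
```

To use it on a real capture, pipe `tcpdump -nr file.pcap` (or the saved text) into `find_unmatched(sys.stdin.readlines())`; a flow that reports "expected from" on its SYN-ACK is one where the return path is not the mirror of the forward path at that capture point, which is a return-path or bridge-placement problem rather than a listener problem.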