Clarify rules; correct error in SRC_NAT

bboreham · bboreham · commit 8a8815d73452 · 2019-01-09T18:00:21.000Z
diff --git a/probe/endpoint/nat.go b/probe/endpoint/nat.go
@@ -44,40 +44,40 @@ Pod to pod via Kubernetes service
   picked up by ebpf as 10.32.0.16:47600->10.105.173.176:5432 and 10.32.0.6:5432 (??)
   NAT IPS_DST_NAT orig: 10.32.0.16:47600->10.105.173.176:5432, reply: 10.32.0.6:5432->10.32.0.16:47600
   We want: 10.32.0.16:47600->10.32.0.6:5432
-   - replace the destination (== NAT orig dst) with the NAT reply source
+   - replace the destination (== NAT orig dst) with the NAT reply source (A)
 
 Incoming from outside the cluster to a NodePort:
   picked up by ebpf as 10.32.0.1:13488->10.32.0.7:80
   NAT: IPS_SRC_NAT IPS_DST_NAT orig: 37.157.33.76:13488->172.31.2.17:30081, reply: 10.32.0.7:80->10.32.0.1:13488
   We want: 37.157.33.76:13488->10.32.0.7:80
-   - replace the source (== NAT reply dst) with the NAT original source
+   - replace the source (== NAT reply dst) with the NAT original source (B)
   To match another probe with the other side of this connection, also want 37.157.33.76:13488->172.31.2.17:30081
-   - add NAT original dst as a copy of nat reply dst
+   - add NAT original dst as a copy of nat reply source (C)
 
 Outgoing from a pod:
   picked up by ebpf as 10.32.0.7:36078->18.221.99.178:443
   NAT:  IPS_SRC_NAT orig: 10.32.0.7:36078->18.221.99.178:443, reply: 18.221.99.178:443->172.31.2.17:36078
   We want: 10.32.0.7:36078->18.221.99.178:443
-   - leave it alone.
+   - leave it alone. (D)
 
 Docker container exposing port to similar on different host
 host1:
   picked up by ebpf as ip-172-31-5-80;172.17.0.2:43042->172.31.2.17:8080
   NAT: IPS_SRC_NAT orig: 172.17.0.2:43042->172.31.2.17:8080, reply: 172.31.2.17:8080-> 172.31.5.80:43042
   We want: 172.31.5.80:43042->172.31.2.17:8080
-   - can't have a blanket rule to replace NAT original source with NAT reply destination, because that breaks the "Outgoing from a pod" case
-  we could add 172.31.5.80:43042 (nat reply destination) as a copy of ip-172-31-5-80;172.17.0.2:43042 (nat orig source)
+   - can't have a blanket rule to replace NAT original source with NAT reply destination, because that breaks case D.
+  we could add 172.31.5.80:43042 (nat reply destination) as a copy of ip-172-31-5-80;172.17.0.2:43042 (nat orig source) (E)
 host2:
   picked up by ebpf as 172.31.5.80:43042->ip-172-31-2-17;172.17.0.2:80
   NAT: IPS_DST_NAT orig: 172.31.5.80:43042->172.31.2.17:8080, reply: 172.17.0.2:80->172.31.5.80:43042
   Ideally we might want: ip-172-31-5-80;172.17.0.2:43042->ip-172-31-2-17;172.17.0.2:80
-  we could add 172.31.2.17:8080 (nat original destination) as a copy of ip-172-31-2-17;172.17.0.2:80 (nat reply source)
+  we could add 172.31.2.17:8080 (nat original destination) as a copy of ip-172-31-2-17;172.17.0.2:80 (nat reply source) (F)
 
 All of the above can be satisfied by these rules:
-  For SRC_NAT either add NAT orig source as a copy of NAT reply destination
-    or add NAT reply destination as a copy of NAT original source
-  For DST_NAT replace NAT original destination in adjacencies with the NAT reply source
-    or add nat original destination as a copy of nat reply source
+  For SRC_NAT either add NAT original destination as a copy of NAT reply source (C)
+    or add NAT reply destination as a copy of NAT original source  (E)
+  For DST_NAT replace NAT original destination in adjacencies with the NAT reply source (A),(B)
+    or add nat original destination as a copy of nat reply source (F)
 */
 
 // applyNAT modifies Nodes in the endpoint topology of a report, based on
@@ -89,14 +89,15 @@ func (n natMapper) applyNAT(rpt report.Report, scope string) {
 			replyDstID := endpointNodeID(scope, f.Reply.Dst, f.Reply.DstPort)
 			origSrcID := endpointNodeID(scope, f.Orig.Src, f.Orig.SrcPort)
 			if replyDstID != origSrcID {
-				// either add NAT orig source as a copy of NAT reply destination
+				// either add NAT original destination as a copy of NAT reply destination (C)
 				if replyDstNode, ok := rpt.Endpoint.Nodes[replyDstID]; ok {
-					newNode := replyDstNode.WithID(origSrcID).WithLatests(map[string]string{
+					origDstID := endpointNodeID(scope, f.Orig.Dst, f.Orig.DstPort)
+					newNode := replyDstNode.WithID(origDstID).WithLatests(map[string]string{
 						CopyOf: replyDstID,
 					})
 					rpt.Endpoint.AddNode(newNode)
 				} else if origSrcNode, ok := rpt.Endpoint.Nodes[origSrcID]; ok {
-					// or add NAT reply destination as a copy of NAT original source
+					// or add NAT reply destination as a copy of NAT original source (E)
 					newNode := origSrcNode.WithID(replyDstID).WithLatests(map[string]string{
 						CopyOf: origSrcID,
 					})
@@ -116,12 +117,12 @@ func (n natMapper) applyNAT(rpt report.Report, scope string) {
 				}
 
 				if fromNode.Adjacency.Contains(origDstID) {
-					// replace destination with reply source
+					// replace destination with reply source (A),(B)
 					fromNode.Adjacency = fromNode.Adjacency.Minus(origDstID)
 					fromNode = fromNode.WithAdjacent(replySrcID)
 					rpt.Endpoint.Nodes[fromID] = fromNode
 				} else {
-					// add nat original destination as a copy of nat reply source
+					// add nat original destination as a copy of nat reply source (F)
 					replySrcNode, ok := rpt.Endpoint.Nodes[replySrcID]
 					if !ok {
 						replySrcNode = report.MakeNode(replySrcID)
