
iptables missing --gateway flag for -j TEE #53170

Closed
ghost opened this issue Mar 1, 2019 · 3 comments · Fixed by #53465
affects_2.8 This issue/PR affects Ansible v2.8 feature This issue/PR relates to a feature request. has_pr This issue has an associated PR. module This issue/PR relates to a module. P3 Priority 3 - Approved, No Time Limitation support:core This issue/PR relates to code supported by the Ansible Engineering Team. system System category

Comments

ghost commented Mar 1, 2019

SUMMARY

The ip_tables module is missing a flag called gateway that is invoked with the --jump TEE extension.

iptables -t mangle -A PREROUTING -i bond0 -p udp --dport 9521 -m state --state NEW,ESTABLISHED,RELATED -j TEE --gateway 127.0.0.1

Does anyone know how this could be accomplished?

ISSUE TYPE
  • Feature Idea
  • Documentation needed
COMPONENT NAME

iptables

ADDITIONAL INFORMATION

This is needed to forward data to the local machine.
The use case is that there are two rules, one for routing to the local machine, and one for routing to the destination machine.

iptables -t mangle -A PREROUTING -i bond0 -p udp --dport 9521 -m state --state NEW,ESTABLISHED,RELATED -j TEE --gateway 127.0.0.1
iptables -t nat -A PREROUTING -i bond0 -p udp --dport 9521 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to-destination <dest_ip>:9501

- name: IP Tables for sending to local RR
  iptables:
    table: mangle
    chain: PREROUTING
    in_interface: bond0
    protocol: udp
    match: state
    ctstate:
      - "NEW"
      - "ESTABLISHED"
      - "RELATED"
    destination_port: "{{ item.ingester_port }}"
    jump: TEE
    destination: 127.0.0.1
    comment: "Send web traffic to local port {{ item.ingester_port }}"
  with_items:
    - { "ingester_port": 9521 }
  become: yes

- name: IP Tables for sending to remote ingester
  iptables:
    table: nat
    chain: PREROUTING
    in_interface: bond0
    protocol: udp
    match: state
    ctstate:
      - "NEW"
      - "ESTABLISHED"
      - "RELATED"
    destination_port: "{{ item.ingester_port }}"
    # DNAT rewrites the destination with --to-destination; to_ports only applies to REDIRECT/MASQUERADE
    to_destination: "<dest_ip>:{{ item.rr_port }}"
    jump: DNAT
    comment: "Redirect web traffic to port {{ item.rr_port }}"
  with_items:
    - { "ingester_port": 9521, "rr_port": 9501 }
  become: yes

TASK [ingester-classifiers : IP Tables for sending to localhost] *********************************************************************
failed: [desthost] (item={u'ingester_port': 9521}) => {"changed": false, "cmd": "/sbin/iptables -t mangle -A PREROUTING -p udp -d 127.0.0.1 -m state -j TEE -i bond0 --destination-port 9521 -m comment --comment 'Send web traffic to local port 9521' --state NEW,ESTABLISHED,RELATED", "item": {"ingester_port": 9521}, "msg": "iptables v1.4.21: TEE: option \"--gateway\" must be specified\n\nTry `iptables -h' or 'iptables --help' for more information.", "rc": 2, "stderr": "iptables v1.4.21: TEE: option \"--gateway\" must be specified\n\nTry `iptables -h' or 'iptables --help' for more information.\n", "stderr_lines": ["iptables v1.4.21: TEE: option \"--gateway\" must be specified", "", "Try `iptables -h' or 'iptables --help' for more information."], "stdout": "", "stdout_lines": []}
	to retry, use: --limit @/etc/ansible/playbooks/ingesters.retry
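As an added illustration (not the module's code and not the fix in #53465), the model below shows how an iptables rule is assembled from task parameters once a `gateway` option is wired in: `-j TEE` is refused up front with the same message iptables v1.4.21 printed above when `gateway` is missing, so the task no longer has to misuse `destination` for the gateway address. Function names and the dict layout are assumptions; the parameter names are the module's.

```python
# Added example: a model of how the iptables module assembles a rule from
# task parameters, with a 'gateway' option wired in for '-j TEE'. Not the
# Ansible module's code; function names are assumptions.
TEE_ERROR = 'TEE: option "--gateway" must be specified'


def build_rule(params):
    """Return the iptables argument list for one task's parameters."""
    jump = params.get("jump")
    gateway = params.get("gateway")
    # '-j TEE' clones matching packets to a gateway; iptables rejects
    # the rule without --gateway, so refuse it before running anything.
    if jump == "TEE" and not gateway:
        raise ValueError(TEE_ERROR)

    rule = ["iptables", "-t", params.get("table", "filter"),
            "-A", params["chain"]]
    if params.get("in_interface"):
        rule += ["-i", params["in_interface"]]
    if params.get("protocol"):
        rule += ["-p", params["protocol"]]
    if params.get("destination_port"):
        rule += ["--destination-port", str(params["destination_port"])]
    if params.get("ctstate"):
        rule += ["-m", "state", "--state", ",".join(params["ctstate"])]
    rule += ["-j", jump]
    if gateway:
        rule += ["--gateway", gateway]  # the option the report asks for
    if params.get("to_destination"):
        rule += ["--to-destination", params["to_destination"]]  # DNAT
    return rule


# Constructed inputs mirroring the two tasks in the report.
TEE_TASK = {"table": "mangle", "chain": "PREROUTING", "in_interface": "bond0",
            "protocol": "udp", "ctstate": ["NEW", "ESTABLISHED", "RELATED"],
            "destination_port": 9521, "jump": "TEE", "gateway": "127.0.0.1"}
DNAT_TASK = {"table": "nat", "chain": "PREROUTING", "in_interface": "bond0",
             "protocol": "udp", "ctstate": ["NEW", "ESTABLISHED", "RELATED"],
             "destination_port": 9521, "jump": "DNAT",
             "to_destination": "<dest_ip>:9501"}


def tee_without_gateway_is_rejected():
    """True when a TEE task lacking 'gateway' is refused up front."""
    try:
        build_rule({k: v for k, v in TEE_TASK.items() if k != "gateway"})
    except ValueError as err:
        return str(err) == TEE_ERROR
    return False
```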
ansibot commented Mar 1, 2019

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.
@ansibot ansibot added affects_2.8 This issue/PR affects Ansible v2.8 feature This issue/PR relates to a feature request. module This issue/PR relates to a module. needs_triage Needs a first human triage before being processed. support:core This issue/PR relates to code supported by the Ansible Engineering Team. system System category labels Mar 1, 2019
@bcoca bcoca added waiting_on_contributor This would be accepted but there are no plans to actively work on it. P3 Priority 3 - Approved, No Time Limitation and removed needs_triage Needs a first human triage before being processed. labels Mar 5, 2019
@mkrizek mkrizek added the has_pr This issue has an associated PR. label Mar 8, 2019
@Akasurde Akasurde self-assigned this Mar 10, 2019
@Akasurde commented

resolved_by_pr #53465

Akasurde added a commit to Akasurde/ansible that referenced this issue Mar 12, 2019
When user specifies the JUMP value to 'tee', gateway is required.
This fix adds new parameter 'gateway' to support this functionality.

Fixes: ansible#53170

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Akasurde added a commit to Akasurde/ansible that referenced this issue Mar 13, 2019
@ansible ansible locked and limited conversation to collaborators Jul 25, 2019
@sivel sivel removed the waiting_on_contributor This would be accepted but there are no plans to actively work on it. label Dec 3, 2020