Support filtering IPs for outgoing traffic #702
Comments
This would be great to have. We have an external API we use, and we have to allowlist specific IPs. So we've allowlisted our k8s cluster. I want to be able to call that API, but the code will also write to the db, and I want to write to my local db, not the remote one.
My use case is https://www.prisma.io/ which starts an "engine" that listens on a random port (it seems to me). Which makes it impossible to use, as the "in cluster pod" might not be listening on exactly the same port 😦
I have implemented #1154 until we get this done fully. We need to decide whether we leave this config after we add the full filtering functionality or let users use the new one.
Another use case we have is: We are running mirrord in docker container (A). This is currently not possible, as A would route all traffic via K8S, and K8S can't access B, as B is on the developer's laptop, not in the K8S. To allow us to have mixed remote and local resources that we can connect to.
* outgoing filter #702
* Update .lock
* Refactoring connect, move connect to local address into UserSocket impl.
* Revert to free function to avoid dup issue.
* Extracting values from config (unsatisfied).
* Changes I'm not sure about.
* Add outgoing filter parsing.
* Add some invalid cases for testing.
* Outgoing filter initialization.
* No need to re-create filters with TCP UDP distinction for ANY, as they will be checked in connect_outgoing ConnectType anyway.
* Filter is plugged in.
* Appease clippy
* Add default to config.
* Add default for remote/local config. Fix comparing resolved address, now compares user address on port 0 (resolved addresses always have port 0).
* inline comparison.
* Docs in layer.
* unused.
* remove comments.
* Improve bypass for filtered out. Add to analytics.
* Update schema.
* Log more stuff in connect_outgoing.
* Only bypass on selector if it's not unix.
* Add more logs.
* Log on socket close.
* Revert localhost connect refactor.
* Add reference, fix compilation
* Don't bypass on unix stream, or on empty option for selector.
* Better if else.
* Better connect_to_local_address (question mark).
* Small cleanup and docs.
* Add docs for config.
* More docs for parsing.
* Appease clippy
* Modify outgoing test to take filter. Fix filter not properly checking ip port when unspecified.
* Docs detailing precedence.
* changelog
* Removed unused type.
* debug->trace
* Remove some more logs.
* Missed log.
* Fix broken doc link.
* s/input/rest as the return binding in the parser functions.
* Address (hehe) CR. Improve docs. Improve names for bindings. Remove many1 concats where digit1 is used.
* appease clippy
* Docs for outgoing local test.
* Only allow either remote or local to be specified. Remove intersection check (can't specify both anymore).
* deal with strs instead of bytes.
* Improve docs.
Co-authored-by: t4lz <t4lz.git@gmail.com>
* Fix check on connect_remote. Update docs.
* Convert outgoing filter into enum, to typefy that the user can only specify 1 variant.
* Improve config, now it works and no longer allows remote + local together.
* Fix docs (update them to the new config).
* Mark with unstable.
* Update schema.
* Add error on empty values when using from_env outgoing filter.
* Change log level for connect.
* Improve config, take out inner filter struct.
* Remove outdated file.
* Fix config for tests.
* Run test on mac and linux
* Improve config path handling in test.
Co-authored-by: t4lz <t4lz.git@gmail.com>
* Working config.
* Build test for macos.
* Sanity check that missing remote address doesn't trigger daemon messages and hangs.
* Fix docs.
Co-authored-by: t4lz <t4lz.git@gmail.com>
* update schema
* fix docs
* fix missing closing code doc
* update schema
---------
Co-authored-by: t4lz <t4lz.git@gmail.com>
I think part of DNS resolving should be done in the DNS feature itself, we could expand it to also be filter-like, and have Doing so would help in the case where the user has
Makes sense to me. Should we still let the user configure a hostname filter under
I don't think we need an extra list, I think we can use the outgoing filter.
Yup, my mistake, you're right
Putting this in the outgoing filter feels confusing to me, for example:
This is kinda what I expect, when I enable DNS resolving, I want things to be resolved on the agent. So changing the DNS behavior on the filter config like this:
Feels a bit like the outgoing filter is going over its boundaries? Like, the 2 features enter into a bit of a contradiction (subverts expectations)? What do you guys think? In my opinion, we should put DNS handling stuff in the DNS feature, the user would need something like:
Is explicit better than implicit here?
I think we definitely don't want the user to have to specify two lists.
What I'd do is show a warning if the user specified DNS on/off explicitly, and also specified a hostname in the filter.
tal's suggestion link:
Agree with the last line, @aviramha wdyt?
Sounds good
* outgoing filter #702
* Update .lock
* Refactoring connect, move connect to local address into UserSocket impl.
* Revert to free function to avoid dup issue.
* Extracting values from config (unsatisfied).
* Changes I'm not sure about.
* Add outgoing filter parsing.
* Add some invalid cases for testing.
* Outgoing filter initialization.
* No need to re-create filters with TCP UDP distinction for ANY, as they will be checked in connect_outgoing ConnectType anyway.
* Filter is plugged in.
* Appease clippy
* Add default to config.
* Add default for remote/local config. Fix comparing resolved address, now compares user address on port 0 (resolved addresses always have port 0).
* inline comparison.
* Docs in layer.
* unused.
* remove comments.
* Improve bypass for filtered out. Add to analytics.
* Update schema.
* Log more stuff in connect_outgoing.
* Only bypass on selector if it's not unix.
* Add more logs.
* Log on socket close.
* Revert localhost connect refactor.
* Add reference, fix compilation
* Don't bypass on unix stream, or on empty option for selector.
* Better if else.
* Better connect_to_local_address (question mark).
* Small cleanup and docs.
* Add docs for config.
* More docs for parsing.
* Appease clippy
* Modify outgoing test to take filter. Fix filter not properly checking ip port when unspecified.
* Docs detailing precedence.
* changelog
* Removed unused type.
* debug->trace
* Remove some more logs.
* Missed log.
* Adding DNS resolution to outgoing filter (issue #702).
* Notes on what to do in getaddrinfo
* Fix broken doc link.
* s/input/rest as the return binding in the parser functions.
* Change getaddrinfo, now it's possible to resolve dns with it through the remote directly. Resolve DNS for named addresses in the outgoing filter when REMOTE_DNS is enabled.
* Address (hehe) CR. Improve docs. Improve names for bindings. Remove many1 concats where digit1 is used.
* appease clippy
* Docs for outgoing local test.
* Only allow either remote or local to be specified. Remove intersection check (can't specify both anymore).
* deal with strs instead of bytes.
* Improve docs.
Co-authored-by: t4lz <t4lz.git@gmail.com>
* Fix check on connect_remote. Update docs.
* Convert outgoing filter into enum, to typefy that the user can only specify 1 variant.
* Improve config, now it works and no longer allows remote + local together.
* Fix docs (update them to the new config).
* Mark with unstable.
* Update schema.
* Add error on empty values when using from_env outgoing filter.
* Change log level for connect.
* Improve config, take out inner filter struct.
* Remove outdated file.
* Fix config for tests.
* Run test on mac and linux
* Improve config path handling in test.
Co-authored-by: t4lz <t4lz.git@gmail.com>
* Working config.
* Build test for macos.
* Sanity check that missing remote address doesn't trigger daemon messages and hangs.
* Fix docs.
Co-authored-by: t4lz <t4lz.git@gmail.com>
* update schema
* Fix compilation. Added some notes on how to improve DNS resolution.
* Appease clippy
* Fix filtering unresolved hosts (bool flag was wrong). Add a few logs. Outgoing named filter should be working now.
* Add test for DNS resolving filter.
* panic on unexpected message.
* use magic service
* trying to get the flow right
* the test keeps growing (and not working)
* Use e2e outgoing_traffic_udp_with_connect to test outgoing named filter.
* Remove integration changes.
* revert files
* Fix config
* Use dynamic internal service name in config.
* cleanup, fix docs
* changelog
* use service name as the random string for test file
* remove commented code
* Resolve DNS locally when local is used.
* Address review. Better length calculation. Improve name of closure. Don't reuse test. Better order for filtering.
* Warn on potential misuse of remote + dns turned off.
* new warning
Co-authored-by: t4lz <t4lz.git@gmail.com>
* Move warning to cli execution thingy.
* use warning to print warning
* Improving DNS resolving for connect filter. Now local = port 7777 resolves with the correct local address, and swap it on the user's connect call.
* remote filter on port now resolves and connects to address from cluster
* fix local resolve dns for filters not having port
* simplify retrieval of connection address from dns_cache.
* docs
* appease clippy
* docs for DNS_CACHE
* cargo.lock
* improve docs. refactor some names. simplify local resolve check in dns_cache.
* debug -> trace
* cache -> reverse mapping
* docs for local selector
* improve docs
Co-authored-by: t4lz <t4lz.git@gmail.com>
* appease fmt lint
---------
Co-authored-by: t4lz <t4lz.git@gmail.com>
The filter should now be supporting almost everything listed in the issue, except for custom resolvers:
A little bit of stateful DNS was added, to make the filter behave nicely with a mix of DNS and other ip/port configs, not the full thing mentioned in the issue though (there is no socket<->dns state).
Closing this in favor of #1826 |
We should let users enable outgoing traffic, but then specify a list of IPs for which outgoing traffic would remain local.
Motivation
We want to let users mix and match resources to be used, locally and remote.
Implementation
The `outgoing` config should support the fields `remote` and `local`, each overriding the default behavior of the general setting. The value for these fields will be a list of items with the following format:
[PROTOCOL://]IP/[subnet]:PORT
HOST:PORT
:PORT
HOST
For example:
will lead to the following behavior:
Details
This issue should solve the following use cases:
Warnings
This feature has some sharp edges that might hurt; these edges come to mind:
google.com
we would want to pass through connections to it, but we need to maintain some dns <-> sockets state that doesn't exist currently -> can be deferred to another issue
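An added example (not mirrord's own code) of how the selector formats listed under Implementation could be parsed and matched for a single connect call. It assumes IPv4 only and a `local` list: a connect stays local if any selector matches and goes remote otherwise (a `remote` list is the inverse); `Selector`, `parse_selector` and `resolved_from` are names chosen here, and `resolved_from` stands for the dns <-> socket state the Warnings section says is missing.

```rust
use std::net::Ipv4Addr;

/// One entry of the `remote`/`local` list in the issue's formats (IPv4 only here):
/// `[PROTOCOL://]IP/[subnet]:PORT`, `HOST:PORT`, `:PORT` or `HOST`.
pub struct Selector {
    pub protocol: Option<String>,    // "tcp"/"udp"; None matches any protocol
    pub host: Option<String>,        // hostname selector; needs DNS state to match
    pub net: Option<(Ipv4Addr, u8)>, // network address and prefix length
    pub port: Option<u16>,           // None matches any port
}

pub fn parse_selector(s: &str) -> Result<Selector, String> {
    let (protocol, rest) = s.split_once("://").map_or((None, s), |(p, r)| (Some(p.to_ascii_lowercase()), r));
    // A trailing `:PORT` is optional; a bare `:PORT` means any address on that port.
    let (addr, port) = match rest.rsplit_once(':') {
        Some((a, p)) => (a, Some(p.parse::<u16>().map_err(|e| format!("port {p:?}: {e}"))?)),
        None => (rest, None),
    };
    let (ip_str, prefix) = match addr.split_once('/') {
        Some((i, p)) => (i, Some(p.parse::<u8>().map_err(|e| format!("subnet {p:?}: {e}"))?)),
        None => (addr, None),
    };
    let net = match (ip_str.parse::<Ipv4Addr>(), prefix) {
        (Ok(ip), None) => Some((ip, 32)),
        (Ok(ip), Some(len)) if len <= 32 => Some((ip, len)),
        (Ok(_), Some(_)) => return Err(format!("prefix longer than 32 in {s:?}")),
        (Err(_), Some(_)) => return Err(format!("subnet given for a hostname in {s:?}")),
        (Err(_), None) => None, // not an IP: whatever is left is a hostname (may be empty)
    };
    let host = (net.is_none() && !ip_str.is_empty()).then(|| ip_str.to_string());
    if host.is_none() && net.is_none() && port.is_none() {
        return Err(format!("empty selector {s:?}"));
    }
    Ok(Selector { protocol, host, net, port })
}

impl Selector {
    /// `resolved_from` is the hostname the app resolved into `ip`, if the layer tracked that
    /// dns <-> socket state; without it a HOST selector cannot match a plain IP connect.
    pub fn matches(&self, proto: &str, ip: Ipv4Addr, port: u16, resolved_from: Option<&str>) -> bool {
        let in_net = |(n, len): (Ipv4Addr, u8)| {
            let mask = u32::MAX.checked_shl(32 - len as u32).unwrap_or(0); // len 0 matches everything
            (u32::from(ip) & mask) == (u32::from(n) & mask)
        };
        self.protocol.as_deref().map_or(true, |p| p.eq_ignore_ascii_case(proto))
            && self.port.map_or(true, |p| p == port)
            && self.net.map_or(true, in_net)
            && self.host.as_deref().map_or(true, |h| resolved_from.map_or(false, |r| r.eq_ignore_ascii_case(h)))
    }
}
```

With a `local` list, the layer would keep a connect on the developer's machine when `list.iter().any(|s| s.matches(..))` is true and send it through the cluster otherwise.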