Apply the iptables rule to all networks #48
Merged
When using containerd, publishing ports using `127.0.0.1` does not currently work. This issue seems to have existed since 1.7 or prior (I have only tested back to 1.7). The core of the issue is that when a published port is bound to localhost, the following CNI iptables rule is created for the DNAT target for the running container:

While this rule works fine if a user establishes a connection from the localhost network (VM network), if a connection is established from the host network the destination NAT rule above is no longer able to handle the incoming connection from other networks.
Since in the initial rule, the destination address is set to "localhost," the rule is designed to redirect incoming TCP packets from any source IP address to the destination loopback interface of the local machine (127.0.0.1:555). We modify this behavior by adding an additional rule below the existing rule to allow access to the service from external networks (host network) by setting the destination address to "anywhere." This means that the rule applies to packets with any destination IP address.
To summarize:

- The original CNI rule redirects the traffic from any source to the destination `localhost:servicePort` to a final destination of `10.4.0.2:80`.
- The additional rule redirects the traffic from any source to any destination `anywhere:servicePort` to a final destination of `10.4.0.2:80`.

It is important to note that the additional rule does not directly modify or impact the existing behavior but rather enables wider network accessibility.
Related to: #46
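The matching difference between the two rules, as an added model that is not part of this PR or of containerd/CNI: a minimal simulation of a nat-table chain where each DNAT rule matches on protocol, destination address and port, with `None` standing for the "anywhere" destination. The sample packets and the `192.168.65.x` host-network addresses are constructed; the service port 555 and the container address `10.4.0.2:80` are the ones quoted above. It shows what an operator reviewing such a change should verify: with the any-destination rule in place, a port that was published on `127.0.0.1` is also reachable on the node's other addresses.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class DnatRule:
    """Model of one nat-table DNAT rule: match on proto/dst/dport, rewrite the destination."""
    proto: str
    dst: Optional[str]   # None models the "anywhere" destination (0.0.0.0/0)
    dport: int
    to_dest: str         # "ip:port", as in --to-destination

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto and pkt.dport == self.dport
                and (self.dst is None or self.dst == pkt.dst))


def apply_chain(rules: List[DnatRule], pkt: Packet) -> Optional[str]:
    """First matching rule wins, as in an iptables chain; returns the new 'ip:port' or None."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.to_dest
    return None


# Rule sets as described in the PR: the localhost-only DNAT, then with the any-destination rule appended.
LOCALHOST_ONLY = [DnatRule("tcp", "127.0.0.1", 555, "10.4.0.2:80")]
WITH_ANYWHERE = LOCALHOST_ONLY + [DnatRule("tcp", None, 555, "10.4.0.2:80")]

# Constructed sample packets (hypothetical addresses): from the VM's own loopback,
# from the host network to the node's address, and from the host network to an unpublished port.
SAMPLE_PACKETS = {
    "loopback": Packet(src="127.0.0.1", dst="127.0.0.1", dport=555),
    "host_network": Packet(src="192.168.65.1", dst="192.168.65.3", dport=555),
    "host_other_port": Packet(src="192.168.65.1", dst="192.168.65.3", dport=556),
}


def exposure(rules: List[DnatRule]) -> Dict[str, Optional[str]]:
    """Which sample packets get DNATed to the container under the given chain."""
    return {name: apply_chain(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    print(exposure(LOCALHOST_ONLY))  # only 'loopback' reaches 10.4.0.2:80
    print(exposure(WITH_ANYWHERE))   # 'loopback' and 'host_network' both reach 10.4.0.2:80
```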