Apply the iptables rule to all networks #48
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When using containerd publishing ports using 127.0.0.1 does not currently work. This issue seems to have existed since 1.7 or prior (I have only tested back to 1.7). The core of the issue is when a published port is bound to localhost the following CNI iptables rule is created for DNAT target for the running container: DNAT tcp -- anywhere localhost tcp dpt:555 to:10.4.0.2:80 While this rule works fine if a user was about to establish a connection from the localhost network (VM network), however, if a connection is established from the host network the destination NAT rule above is no longer able to handle the incoming connection from other networks. Since in the initial rule, the destination address is set to "localhost," the rule is designed to redirect incoming TCP packets from any source IP address to the destination loopback interface of the local machine (127.0.0.1:555). We modify this behavior by adding an additional rule below the existing rule to allow access to the service from external networks (host network) by setting the destination address to "anywhere." This means that the rule applies to packets with any destination IP address. To summarize: DNAT tcp -- anywhere localhost tcp dpt:555 to:10.4.0.2:80 // original rule DNAT tcp -- anywhere anywhere tcp dpt:555 to:10.4.0.2:80 // additional rule The original CNI rule redirects the traffic from any source to (from) destination localhost:servicePort to a final destination of 10.4.0.2:80. Whereas the additional rule redirects the traffic from any source to (from) any destination anywhere:servicePort to a final destination of 10.4.0.2:80. It is important to note that the additional rule does not directly modify or impact the existing behavior but rather enables wider network accessibility. Signed-off-by: Nino Kodabande <nkodabande@suse.com>
Nino-K
force-pushed
the
apply-iptable-rules-default-network
branch
from
4ea2c20
to
036c067
Compare
mook-as
approved these changes
Jun 16, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When using containerd publishing ports using
127.0.0.1does not currently work. This issue seems to have existed since 1.7 or prior (I have only tested back to 1.7). The core of the issue is when a published port is bound to localhost the following CNI iptables rule is created forDNATtarget for the running container:While this rule works fine if a user was about to establish a connection from the localhost network (VM network), however, if a connection is established from the host network the destination NAT rule above is no longer able to handle the incoming connection from other networks.
Since in the initial rule, the destination address is set to "localhost," the rule is designed to redirect incoming TCP packets from any source IP address to the destination loopback interface of the local machine (127.0.0.1:555). We modify this behavior by adding an additional rule below the existing rule to allow access to the service from external networks (host network) by setting the destination address to "anywhere." This means that the rule applies to packets with any destination IP address.
To summarize:
The original CNI rule redirects the traffic from any source to (from) destination
localhost:servicePortto a final destination of10.4.0.2:80.Whereas the additional rule redirects the traffic from any source to (from) any destination
anywhere:servicePortto a final destination of10.4.0.2:80.It is important to note that the additional rule does not directly modify or impact the existing behavior but rather enables wider network accessibility.
Related to: #46