Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
private-net: should forwarded ports work on localhost? #1256
Currently ports that are forwarded to containers are not accessible on the host via localhost:forwarded-port. It would be possible to do enable that and the technique is generally called NAT loopback.
It's a matter of choice if we want to change this or not so I want to bring it up for discussion.
Personally I'm unsure if we need it, but it could help in situations when service discovery is not there and the host expects a service on localhost while the container is not supposed to share the host netns.
Do you have an example of commands to show what is not available? I tried the following:
It exposes the port 6379:
And then on the host:
I also tried to setup a ssh forwarded port with
Oh sorry, I should not use the defaut network namespace for testing this. So the full command I tried is:
And then I have the behavior you described when trying with
Do you know if kube-proxy uses localhost to connect to a kubernetes endpoint?
changed the title from
should forwarded ports work on localhost?
private-net: should forwarded ports work on localhost?
Aug 7, 2015
I was bitten by this yesterday. I think the principle of least surprise would dictate that the forwarded port is also reachable via localhost. I'd be fine with it being a runtime option (to
referenced this issue
Jan 3, 2016
@iaguis it looks like we're having trouble getting this in at all.
Rewriting localhost:forwarded-port -> container-IP:forwarded-port doesn't work by design with iptables.
As an example, the following rule
Will be matched, but it will leave the package destination unchanged, as can be seen in the TRACE output:
Any suggestions are welcome!
UPDATE: Fortunately I was wrong with my conclusion from last evening. I'll prepare a PR with a proposal.