Skip to content
This repository has been archived by the owner on Feb 24, 2020. It is now read-only.

Fix exposed ports accessible from localhost only, fixes #3886 #3887

Open
wants to merge 1 commit into base: master
4 changes: 2 additions & 2 deletions networking/portfwd.go
Expand Up @@ -179,7 +179,7 @@ func portRules(fp commonnet.ForwardedPort, podIP net.IP, chainDNAT, chainSNAT st
chainSNAT,
[]string{
"-p", fp.PodPort.Protocol,
"-s", "127.0.0.1",
"-s", dstIPHost,
"-d", podIP.String(),
"--dport", dstPortPod,
"-j", "MASQUERADE",
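Review bot: the MASQUERADE rule at `"-s", dstIPHost` replaces the loopback case instead of extending it. Before this change only connections sourced from 127.0.0.1 were masqueraded before reaching the pod; after it, only connections sourced from dstIPHost (the host address the port is exposed on, defined outside this hunk) are. A client on the host that connects via 127.0.0.1 therefore still gets the DNAT but no longer gets the SNAT, so if that path was intentionally covered before, either keep a second rule with `"-s", "127.0.0.1"` alongside this one or say in the PR description why loopback no longer needs it. A guard is also missing for the case where dstIPHost is empty or the unspecified address (a port exposed on all host interfaces): `-s` with an empty argument makes the rule fail to apply, and `-s 0.0.0.0` matches no real packet. For that case a wider source match such as `-m addrtype --src-type LOCAL` (a suggestion, not something the diff uses) would cover every host address at once.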
Expand Down Expand Up @@ -233,7 +233,7 @@ func (e *podEnv) portFwdChain(name string) string {
func (e *podEnv) portFwdChainRuleSpec(chain string, name string) []string {
switch name {
case "SNAT":
return []string{"-s", "127.0.0.1", "!", "-d", "127.0.0.1", "-j", chain}
return []string{"!", "-d", "127.0.0.1", "-j", chain}
Author:

The source was set here as well as in the chain. Different masquerade rules might have different dstIPHost values within the same chain, though, so it seems best just to remove it from this rule.

case "DNAT":
return []string{"-m", "addrtype", "--dst-type", "LOCAL", "-j", chain}
default:
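Review bot: with `"-s", "127.0.0.1"` dropped from the SNAT jump, the rule `"!", "-d", "127.0.0.1", "-j", chain` now sends every packet not destined to 127.0.0.1 through the chain (which, since MASQUERADE is only valid there, is presumably hooked from POSTROUTING), pod-originated and forwarded traffic included, rather than only loopback-originated connections. Correctness then rests on every rule inside the chain being fully qualified; the `-p`/`-s`/`-d`/`--dport` rule in the first hunk is, but that invariant should be written down in a comment next to this case, because any later rule added to the chain with a looser match would masquerade unrelated traffic and hide real client addresses from the pod. If the intent is only to catch host-originated connections to any exposed host address, `-m addrtype --src-type LOCAL` in place of the removed `-s 127.0.0.1` keeps the jump narrow (a suggestion; the diff itself does not use it). The DNAT spec is unchanged and still gates on `--dst-type LOCAL`, which is consistent with that intent.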