Closed dafydd2277 closed 3 years ago
@dafydd2277 , thank you for the issue! Feel free to submit a PR for this one. I might get to it later this summer. Currently, my focus is https://github.com/greenpau/caddy-auth-portal
Heh. I got as far as "Oh, crap! Go is strongly typed!" and gave up for the night. I may need a week or two. :grin:
So I don't lose the thought, the modification would also need this rule for completeness:
ip daddr 127.0.0.1 tcp dport 80 dnat to 10.88.0.11:80
After a week of reinventing the wheel, I finally look at @ististan's PR and realize that modifying
chain output {
type nat hook output priority -100; policy accept;
ip daddr 127.0.0.1 jump cni-npr-78f486a1c7999cfe8e0526d
}
to include all IP addresses attached to the container host is exactly what I need. Except, I don't get his changes. I still get the old-style rule.
# cat /proc/sys/net/ipv4/conf/all/route_localnet
1
# cat /proc/sys/net/ipv4/conf/default/route_localnet
1
# podman network ls
NETWORK ID NAME VERSION PLUGINS
2f259bab93aa podman 0.4.0 bridge,cni-nftables-portmap,cni-nftables-firewall
# podman container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
769eba2bc569 docker.io/docker/getting-started:latest nginx -g daemon o... 30 minutes ago Up 30 minutes ago 0.0.0.0:8080->80/tcp boring_pike
# nft -a list chain nat output
table ip nat {
chain output { # handle 3
type nat hook output priority -100; policy accept;
jump cni-npr-57bf961e3f4fa756c612076 # handle 8
}
}
# nft -a list chain nat cni-npr-57bf961e3f4fa756c612076
table ip nat {
chain cni-npr-57bf961e3f4fa756c612076 { # handle 6
iifname != "cni-podman0" tcp dport 8080 dnat to 10.88.0.3:80 # handle 9
}
}
# nft -a list chain nat cni-npo-57bf961e3f4fa756c612076
table ip nat {
chain cni-npo-57bf961e3f4fa756c612076 { # handle 10
iifname "cni-podman0" ip saddr 10.88.0.3 ip daddr 224.0.0.0/24 counter packets 0 bytes 0 return # handle 12
iifname "cni-podman0" ip saddr 10.88.0.3 ip daddr 255.255.255.255 counter packets 0 bytes 0 return # handle 13
iifname "cni-podman0" ip saddr 10.88.0.3 counter packets 0 bytes 0 masquerade # handle 14
}
}
Neither of the 127.0.0.1 rules he added are showing up. So, I'm troubleshooting that, instead. Then, I'll look at adding something like a net.IP
loop to call CreateJumpRuleWithIPSourceMatch
(I think) once for each IP address a host is listening to.
Okay, troubleshooting done. @greenpau, the go get -u http://... command is still grabbing tag 1.0.6, which predates the merge of #11. So, I'm still seeing the old jump rule.
Also, if you can spare me five minutes, what's a good link for examples on how to build binaries from my (modified) git clone of your project? (Again, not even remotely a Go programmer.) My google-fu isn't giving me good answers.
After some not actually helpful advice, I'm building locally, and it's building to HEAD, not to git tag 1.0.6. So, now I can start working on possible rule changes.
I'm still working on a loop to jump all local IP addresses, not just localhost. Right now, the firewall/forward rules don't clearly define which packets get forwarded to containers versus packets that get forwarded to an external interface.
This is a great plugin, and I'm glad you made it.
What I'm getting is probably issue #10, but I'm not sure. On my NAT system, the nftables rules are being set up to intercept all traffic to (eg.) port 80, including traffic intended to be forwarded from the internal to the external interfaces.
Here is the relevant part of my base ruleset, with a little bit of obfuscation.
Now, run a container.
And the diff in the ruleset.
I think the problem is the rule
This intercepts anything going to port 80, whether it's coming to this host or just passing through. If I'm on an internal system and I try http://www.google.com/ I get redirected to the container before the request ever leaves my NAT firewall. My suggested fix is to change the conditional in the rule to something like this:
The IP addresses could be acquired automatically. Or, for more user control, you could read a list added to the plugin options.
(I realize I probably have that syntax wrong.) This would give users a more finely grained control over how the firewall intercepts container traffic. I'm going to fork this and see how fast I can learn Go and podman container plugins.
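The per-address loop sketched in this thread, written out as an added example that is not part of the issue or of the cni-nftables-portmap plugin: it takes the address list that net.InterfaceAddrs returns, keeps only the IPv4 addresses the NAT host itself answers on (loopback included, for the route_localnet case; the container bridge subnet excluded), and renders one "ip daddr <host ip> tcp dport N dnat to ..." rule per address. A small matcher beside it shows why the unqualified "tcp dport N dnat to ..." rule the plugin installed also grabs traffic that is only transiting the box. PortMapping, DNATRule, HostIPv4Addrs and the sample addresses (192.0.2.10 external, 10.0.0.1 internal, 10.88.0.1 on cni-podman0, 203.0.113.5 as an outside web server) are this example's own constructed assumptions, not names or values from the project.

```go
package main

import (
	"fmt"
	"net"
)

// PortMapping is this example's own view of one CNI portmap entry (assumed
// field names, not the plugin's types): HostPort/Protocol -> ContainerIP:ContainerPort.
type PortMapping struct {
	Protocol      string
	HostPort      int
	ContainerIP   net.IP
	ContainerPort int
}

// DNATRule models one nat-chain rule. A nil Daddr is the unqualified form seen in
// the thread ("tcp dport 8080 dnat to 10.88.0.3:80"), which matches any destination.
type DNATRule struct {
	Daddr  net.IP // nil: no "ip daddr" match
	Proto  string
	Dport  int
	To     net.IP
	ToPort int
}

// String renders the rule in nft syntax.
func (r DNATRule) String() string {
	s := fmt.Sprintf("%s dport %d dnat to %s:%d", r.Proto, r.Dport, r.To, r.ToPort)
	if r.Daddr != nil {
		return "ip daddr " + r.Daddr.String() + " " + s
	}
	return s
}

// HostIPv4Addrs reduces what net.InterfaceAddrs returns to the IPv4 addresses the
// host itself answers on. Loopback stays (with route_localnet=1 the 127.0.0.1 case
// must be matched too); link-local and anything inside the bridge subnet is dropped.
func HostIPv4Addrs(addrs []net.Addr, bridge *net.IPNet) []net.IP {
	var out []net.IP
	for _, a := range addrs {
		ipn, ok := a.(*net.IPNet)
		if !ok || ipn.IP.To4() == nil || ipn.IP.IsLinkLocalUnicast() {
			continue
		}
		if bridge != nil && bridge.Contains(ipn.IP) {
			continue
		}
		out = append(out, ipn.IP.To4())
	}
	return out
}

// UnqualifiedRule is the rule observed in the thread: no destination match at all.
func UnqualifiedRule(m PortMapping) DNATRule {
	return DNATRule{Proto: m.Protocol, Dport: m.HostPort, To: m.ContainerIP, ToPort: m.ContainerPort}
}

// QualifiedRules is the suggested fix: one rule per host address, so traffic to the
// same port that merely transits the NAT box is left to the forward path.
func QualifiedRules(hostIPs []net.IP, m PortMapping) []DNATRule {
	rules := make([]DNATRule, 0, len(hostIPs))
	for _, ip := range hostIPs {
		rules = append(rules, DNATRule{Daddr: ip, Proto: m.Protocol, Dport: m.HostPort,
			To: m.ContainerIP, ToPort: m.ContainerPort})
	}
	return rules
}

// Intercepted reports whether any rule in the set would DNAT a packet to daddr:dport.
func Intercepted(rules []DNATRule, daddr net.IP, proto string, dport int) bool {
	for _, r := range rules {
		if r.Proto == proto && r.Dport == dport && (r.Daddr == nil || r.Daddr.Equal(daddr)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed host addresses; on a real host use addrs, err := net.InterfaceAddrs().
	addrs := []net.Addr{
		&net.IPNet{IP: net.IPv4(192, 0, 2, 10), Mask: net.CIDRMask(24, 32)},
		&net.IPNet{IP: net.IPv4(10, 0, 0, 1), Mask: net.CIDRMask(24, 32)},
		&net.IPNet{IP: net.IPv4(127, 0, 0, 1), Mask: net.CIDRMask(8, 32)},
		&net.IPNet{IP: net.IPv4(10, 88, 0, 1), Mask: net.CIDRMask(16, 32)}, // cni-podman0
	}
	_, bridge, _ := net.ParseCIDR("10.88.0.0/16")
	m := PortMapping{Protocol: "tcp", HostPort: 80, ContainerIP: net.IPv4(10, 88, 0, 3), ContainerPort: 80}
	transit := net.IPv4(203, 0, 113, 5) // an internal client talking to an outside web server
	fmt.Println("unqualified:", UnqualifiedRule(m), "| intercepts transit:",
		Intercepted([]DNATRule{UnqualifiedRule(m)}, transit, "tcp", 80))
	qualified := QualifiedRules(HostIPv4Addrs(addrs, bridge), m)
	for _, r := range qualified {
		fmt.Println("qualified:  ", r)
	}
	fmt.Println("qualified intercepts transit:", Intercepted(qualified, transit, "tcp", 80))
}
```

Feeding the generated rules to nft is left out on purpose; the point is the shape of the match. Note that matching on the host's addresses does not replace the existing iifname check, it narrows it: a packet for 203.0.113.5:80 arriving on the internal interface now falls through to the forward chain instead of being rewritten to the container.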