vagrant-landrush / landrush

A Vagrant plugin that provides a simple DNS server for Vagrant guests

Issue #321 Change from OUTPUT to PREROUTING #322

Closed ianmiell closed 6 years ago

ianmiell commented 6 years ago

I believe PREROUTING was the correct iptables stage to use, and a kernel change causes problems on e.g. 18.04 Ubuntu.

Tested on older kernels, and is back-compatible.

Fix for issue #321

hferentschik commented 6 years ago

@ianmiell sorry for the long turn-around. I was wondering how you tested the change. Changing from OUTPUT to PREROUTING does indeed prevent the occurrence of an error, but does this work? When I test locally with an Ubuntu 18.04 switching to PREROUTING, DNS does not work as expected anymore. For example, I am adding the following to my Vagrantfile:

config.landrush.host 'static1.example.com', '1.2.3.4'
config.landrush.host 'static2.example.com', '2.3.4.5'

Then once the machine is up, I ssh into it and dig static1.example.com. Does that work for you?

hferentschik commented 6 years ago

So here is what I tried. Using the following Vagrantfile:

Vagrant.configure(2) do |config|
  config.vm.box = 'ubuntu/xenial64'
  #config.vm.box = 'ubuntu/bionic64'

  config.landrush.enabled = true
  config.vm.hostname = 'foo.vagrant.test'

  config.landrush.host 'static1.example.com', '1.2.3.4'
  config.landrush.host 'static2.example.com', '2.3.4.5'
end

$ vagrant up
$ vagrant ssh -- dig static1.example.com

The latter should return the IP 1.2.3.4. It works with xenial64. It fails with bionic64 with the error:

../../../../lib/isc/unix/socket.c:2135: internal_send: 127.0.0.53#53: Invalid argument

Using the proposed changes to the iptables rules, the dig command does not work at all anymore. For all I can tell, iptables does not get triggered in this case. One can, for example, look at the package count per rule using something like sudo iptables -L OUTPUT -t nat -v.

IMO the iptables rules are sound as they are. It looks more like an Ubuntu-specific problem related to its current way to handle DNS.
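
The per-rule counter check mentioned in the comment above, as an added example that is not part of the thread or of landrush's code: locally generated packets, such as a dig run inside the guest, pass through the nat OUTPUT chain and not PREROUTING, so a port-53 rule that exists only in PREROUTING keeps a zero packet count. The function names, the sample listings, the addresses and port 10053 are constructed for illustration.

```shell
#!/bin/sh
# Added example: read per-rule packet counters from a saved nat-table listing.
# Live use (needs root): sudo iptables -t nat -L -v -n -x | dns_rule_hits OUTPUT

# Print "<rule count> <packet total>" for port-53 rules in chain $1 (listing on stdin).
dns_rule_hits() {
    awk -v chain="$1" '
        $1 == "Chain" { in_chain = ($2 == chain); next }   # chain header line
        !in_chain || NF == 0 || $1 == "pkts" { next }      # other chain, blank, column header
        /dpt:53( |$)/ { rules++; pkts += $1 }              # rule matching destination port 53
        END { printf "%d %d\n", rules, pkts }
    '
}

# Say which chain, if any, counted DNS packets in the listing passed as $1.
dns_nat_verdict() {
    listing=$1
    set -- $(printf '%s\n' "$listing" | dns_rule_hits OUTPUT)
    out_pkts=$2
    set -- $(printf '%s\n' "$listing" | dns_rule_hits PREROUTING)
    pre_rules=$1 pre_pkts=$2
    if [ "$out_pkts" -gt 0 ]; then
        echo "matched-in-OUTPUT"
    elif [ "$pre_rules" -gt 0 ] && [ "$pre_pkts" -eq 0 ]; then
        echo "bypassed-PREROUTING-only"
    else
        echo "no-dns-traffic-counted"
    fi
}

# Constructed listings (not captured from a real guest); addresses and port are placeholders.
HDR='    pkts      bytes target     prot opt in     out     source      destination'
SAMPLE_OUTPUT_RULE="Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
$HDR

Chain OUTPUT (policy ACCEPT 41 packets, 2870 bytes)
$HDR
       6      402 DNAT  udp  --  *  *  0.0.0.0/0  10.0.2.3  udp dpt:53 to:10.0.2.2:10053
       0        0 DNAT  tcp  --  *  *  0.0.0.0/0  10.0.2.3  tcp dpt:53 to:10.0.2.2:10053"
SAMPLE_PREROUTING_RULE="Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
$HDR
       0        0 DNAT  udp  --  *  *  0.0.0.0/0  10.0.2.3  udp dpt:53 to:10.0.2.2:10053
       0        0 DNAT  tcp  --  *  *  0.0.0.0/0  10.0.2.3  tcp dpt:53 to:10.0.2.2:10053

Chain OUTPUT (policy ACCEPT 41 packets, 2870 bytes)
$HDR"

dns_nat_verdict "$SAMPLE_OUTPUT_RULE"       # rules installed in OUTPUT
dns_nat_verdict "$SAMPLE_PREROUTING_RULE"   # same rules installed in PREROUTING
```

The `-x` flag in the live command makes iptables print exact counters instead of rounded values such as `12K`, which the sum relies on.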

hferentschik commented 6 years ago

Going to close this pull request, since changing from OUTPUT to PREROUTING does not have the intended effect and iptables even gets bypassed in this case.

There seems to be more to this issue. The discussion to discover the root cause continues on the issue itself: https://github.com/vagrant-landrush/landrush/issues/321#issuecomment-418688756