portmap: don't use unspecified address as iptables rule destination #487
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
/assign @dcbw @danwinship @squeed This breaks KIND when using podman provider, because we are using unspecified addresses to do the portmapping only in the corresponding IP family /cc @BenTheElder @amwat |
aojea
changed the title
|
makes sense to me |
bboreham
reviewed
May 27, 2020
It may happen that you want to map a port only in one IP family. It can be achieved using the unspecified IP address of the corresponding IP family as HostIP i.e.: podman run --rm --name some-nginx -d -p 0.0.0.0:8080:80 nginx The problem is that current implementation considers the unspecified address valid and appends it to the iptables rule: -A CNI-DN-60380cb3197c5457ed6ba -s 10.88.0.0/16 -d 0.0.0.0/32 -p tcp -m tcp --dport 8080 -j CNI-HOSTPORT-SETMARK This rule is not forwarding the traffic to the mapped port. We should use the unspecified address only to discriminate the IP family of the port mapping, but not use it to filter the dst. Signed-off-by: Antonio Ojea <antonio.ojea.garcia@gmail.com>
squeed
approved these changes
Jun 3, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
It may happen that you want to map a port only in one IP family.
It can be achieved using the unspecified IP address of the
corresponding IP family as HostIP i.e.:
podman run --rm --name some-nginx -d -p 0.0.0.0:8080:80 nginx
The problem is that current implementation considers the
unspecified address valid and appends it to the iptables rule:
-A CNI-DN-60380cb3197c5457ed6ba -s 10.88.0.0/16
-d 0.0.0.0/32 -p tcp -m tcp --dport 8080 -j CNI-HOSTPORT-SETMARK
This rule is not forwarding the traffic to the corresponding port.
We should use the unspecified address only to discriminate the IP
family of the port mapping, but not use it to filter the dst.