missing -d flag from https://github.com/cloudfoundry-community/port-forwarding-boshrelease/blob/master/jobs/port_forwarding/templates/bin/forward_ports.sh.erb#L28 #13
Conversation
Hey drnic! Thanks for submitting this pull request! I'm here to inform the recipients of the pull request that you and the commit authors have already signed the CLA.
@@ -30,7 +30,7 @@ sysctl net.ipv4.conf.all.route_localnet=0 | |||
<% internal_ip = rule['internal_ip'] || "127.0.0.1" %> | |||
<% internal_port = rule['internal_port'] || raise("Expected non-empty 'internal_port' on '#{rule.inspect}' rule") %> | |||
|
|||
sudo iptables -t nat -A portforwarding-release -p tcp --dport <%= external_port %> -j DNAT --to <%= internal_ip %>:<%= internal_port %> | |||
sudo iptables -t nat -A portforwarding-release -p tcp -d <%= spec.networks.send(spec.networks.methods(false).first).ip %> --dport <%= external_port %> -j DNAT --to <%= internal_ip %>:<%= internal_port %> |
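Review bot: `spec.networks.send(spec.networks.methods(false).first).ip` on the `+` line picks whichever network method happens to be listed first, so on an instance with more than one network the `-d` address is order-dependent and not necessarily the one operators expect; `spec.ip` (preferred over `spec.address` in a later comment on this PR, since `spec.address` may be a DNS name) gives the instance IP directly, and a `rule['external_ip']` override falling back to it keeps the scoping configurable. Adding `-d` itself is the right fix: without it the DNAT matched every destination passing through the chain, not only traffic addressed to this instance.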
or spec.address? https://bosh.io/docs/jobs.html#properties
It might make more sense to add support for rule['external_ip'] though (maybe falling back to spec.address, unless people would genuinely want to listen on all IPs).
@dpb587-pivotal thx, updated
This issue also manifests on the host machine - without this PR I cannot even
I'm going to log this issue within this PR. When I apply this PR to a bosh-lite, the host vm and its containers do not have the same routes available to them:
But
I've added changes to allow loopbacks.
Damnit, whilst
I've rebuilt my bosh-lite using the original https://github.com/cloudfoundry-community/port-forwarding-boshrelease/blob/master/jobs/port_forwarding/templates/bin/forward_ports.sh.erb#L28 but I'm still getting the same behavior - containers within the bosh-lite vm are unable to I swear this used to work. Until the middle of this year I had lots of CI pipelines that deployed things to the same bosh-lite, registered service brokers, etc.
I'm confused; are you saying this change is not needed or working as expected?
This PR does something important; but apparently not everything. Without this PR as it stands, neither containers nor the host machine has a loopback to the port forwarding/nor egress access. The PR currently allows egress internet access and allows host machine to access the port forwarding via loopback.
But I cannot figure out how to allow containers (eg bosh-lite instances) to access the port forwarding rules.
Ideas?
From: Danny Berger <[email protected]>
Sent: Wednesday, November 1, 2017 10:41:58 AM
To: cloudfoundry/networking-release
Cc: Dr Nic Williams; Author
Subject: Re: [cloudfoundry/networking-release] missing -d flag from https://github.com/cloudfoundry-community/port-forwarding-boshrelease/blob/master/jobs/port_forwarding/templates/bin/forward_ports.sh.erb#L28 (#13)
I'm confused; are you saying this change is no needed or working as expected?
@dpb587-pivotal this PR can be merged; the remaining issue of containers having egress access to host loopback can be solved later
I have closure on the unresolved issue above that I claimed used to work. It never worked. I've searched through my CI history and found jobs where I used to have "it working" - but it turns out I was not running bosh errands, rather I was hard coding errand functionality into concourse tasks - so I had ingress traffic from a 3rd party client (concourse) rather than bosh-lite containers (bosh errands) trying for egress traffic to the host machine. This PR is good to merge @dpb587-pivotal @cppforlife - or any final comments.
@cppforlife @dpb587-pivotal can we merge this please and cut a release?
@dpb587-pivotal @cppforlife this is the 1 year birthday of this ticket (I was randomly explaining why this PR exists and noticed its creation date). Could we merge + cut a release?
@@ -22,17 +22,19 @@ fi | |||
|
|||
iptables -F ${CHAIN} || true | |||
|
|||
# Reset in case when there is no localhost routing | |||
sysctl net.ipv4.conf.all.route_localnet=0 | |||
sysctl net.ipv4.conf.all.route_localnet=1 |
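Review bot: the comment `# Reset in case when there is no localhost routing` no longer describes the `+` line, which now forces `net.ipv4.conf.all.route_localnet=1` on every run. That sysctl relaxes the kernel's martian handling of 127.0.0.0/8 on every non-loopback interface, so it should only be turned on when some rule actually DNATs to a loopback `internal_ip`; keep the reset to 0 here as the default, set 1 conditionally where the loopback rules are rendered, and update the comment to match.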
i would prefer if this stays as is, conditional.
sudo iptables -t nat -A portforwarding-release -p tcp -d <%= external_ip %> --dport <%= external_port %> -j DNAT --to <%= internal_ip %>:<%= internal_port %> | ||
|
||
# loopback | ||
sudo iptables -t nat -A portforwarding-release -p tcp -d 127.0.0.1 --dport <%= external_port %> -j DNAT --to <%= internal_ip %>:<%= internal_port %> -o lo |
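Review bot: `-o lo` on the new loopback rule is an out-interface match, which iptables only accepts in chains reached from OUTPUT, FORWARD or POSTROUTING; if `portforwarding-release` is jumped to from PREROUTING, installing this rule fails. Locally generated connections to 127.0.0.1 (the case this rule exists for) only traverse the nat OUTPUT chain anyway, so either drop `-o lo` and rely on `-d 127.0.0.1`, or hook the loopback rule from OUTPUT. The hard-coded `127.0.0.1` should come from the port_forwarding config, as already noted.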
this should really be done thru port_forwarding config, instead of hard coded.
<% internal_ip = rule['internal_ip'] || "127.0.0.1" %> | ||
<% internal_port = rule['internal_port'] || raise("Expected non-empty 'internal_port' on '#{rule.inspect}' rule") %> | ||
<% | ||
external_ip = rule['external_ip'] || spec.address |
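Review bot: `external_ip = rule['external_ip'] || spec.address` passes the operator-supplied value straight into the `-d` argument of the iptables command with no check, whereas the `internal_port` line above at least raises on an empty value; a hostname (which `spec.address` may also be) or a typo would only be resolved or rejected by iptables on the instance rather than at template render. Suggest falling back to `spec.ip` and validating that the value is an IP literal, raising with the same style of message as the `internal_port` line.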
spec.address -> spec.ip. spec.address may be a dns name.
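An added example (not the release's own template) rendering one port_forwarding rule the way the review comments above suggest: `rule['external_ip']` falling back to `spec.ip`, every address checked to be an IP literal so a DNS name is rejected at render time, and a helper that decides whether `route_localnet` is actually needed so the sysctl can stay conditional. `Spec`, `render_rule`, `ip_literal!`, `port!` and `route_localnet_needed?` are constructed names, and `Spec` is a stand-in for BOSH's `spec` object.

```ruby
require 'ipaddr'

# Constructed stand-in for the BOSH `spec` object (spec.ip is the instance IP;
# spec.address may be a DNS name, which is why it is not used for `-d`).
Spec = Struct.new(:ip, :address)

CHAIN    = 'portforwarding-release'
LOOPBACK = IPAddr.new('127.0.0.0/8')

# Accept only IP literals: iptables would otherwise resolve a hostname at
# rule-install time, and a typo would only fail on the instance, not at render.
def ip_literal!(value, what)
  IPAddr.new(value.to_s).to_s
rescue IPAddr::InvalidAddressError
  raise ArgumentError, "Expected an IP literal for '#{what}', got #{value.inspect}"
end

def port!(value, what)
  port = Integer(value.to_s, 10) rescue nil
  unless port && port.between?(1, 65_535)
    raise ArgumentError, "Expected a port (1-65535) for '#{what}', got #{value.inspect}"
  end
  port
end

# Render the iptables command(s) for one rule, scoped with -d to rule['external_ip']
# or, failing that, the instance IP (never all destinations).
# With loopback: true a second rule covers connections to 127.0.0.1 on the host.
def render_rule(rule, spec, loopback: false)
  internal_ip   = ip_literal!(rule['internal_ip'] || '127.0.0.1', 'internal_ip')
  internal_port = port!(rule['internal_port'] || raise(ArgumentError, "Expected non-empty 'internal_port' on '#{rule.inspect}' rule"), 'internal_port')
  external_port = port!(rule['external_port'], 'external_port')
  external_ip   = ip_literal!(rule['external_ip'] || spec.ip, 'external_ip')
  target = "#{internal_ip}:#{internal_port}"
  cmds = ["iptables -t nat -A #{CHAIN} -p tcp -d #{external_ip} --dport #{external_port} -j DNAT --to #{target}"]
  cmds << "iptables -t nat -A #{CHAIN} -p tcp -d 127.0.0.1 --dport #{external_port} -j DNAT --to #{target}" if loopback
  cmds
end

# route_localnet=1 is only required when some rule DNATs to a loopback address;
# leaving it at 0 otherwise keeps the kernel's martian handling for 127/8 intact.
def route_localnet_needed?(rules)
  rules.any? { |r| LOOPBACK.include?(IPAddr.new((r['internal_ip'] || '127.0.0.1').to_s)) }
end
```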
Discussion of issue and missing -d flag on #bosh channel https://cloudfoundry.slack.com/archives/C02HPPYQ2/p1490081101496048