[WIP] Finalize firewalld port forwarding support #885
Conversation
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mheon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Tagging WIP as I'm still working on some bugs, seemingly related to firewalld 2.0 |
mheon
force-pushed
the
firewalld_final
branch
2 times, most recently
from
d137e9b to
0d30930
Compare
|
Hm. Tests aren't even running firewalld, despite fw_driver=firewalld being set. |
mheon
force-pushed
the
firewalld_final
branch
from
0d30930 to
dc3ad39
Compare
mheon
force-pushed
the
firewalld_final
branch
from
dc3ad39 to
d707e32
Compare
|
Localhost port forwarding: still broken, being worked on. |
|
@mheon might I ask whether this is still being worked on? |
|
It is, though there were problems on the firewalld side that needed to be resolved before I went ahead. Those should be fixed, so I'm hoping to get back to this in January. |
mheon
force-pushed
the
firewalld_final
branch
from
d707e32 to
29c8187
Compare
|
@Luap99 After some further work, I have this working, with some serious caveats.
Problem 2 I think we can ship with, I'll just add an error if isolation is requested. Problem 1 prevents a lot of testing we could do in CI. I can sort of work around this until firewalld adds the functionality we need by querying firewalld to make sure the right rules are in place but that doesn't seem like a complete solution. |
mheon
force-pushed
the
firewalld_final
branch
from
29c8187 to
6aa2d19
Compare
There are two major changes here. Firstly, this adds proper support for port forwarding from localhost via a new policy accepting traffic from HOST. This is the last bit we were missing from the original port-forwarding implementation. This requires two new zones: one in which the actual port forward occurs, and one to allow traffic to 127.0.0.1 to be masqeuraded so we can talk to the container from localhost. Secondly, this fixes a bug where we generated incorrect rules when port-forwarding from a single IP. Instead of doing standard port-forwarding rules, those need rich rules. This was reported as containers#881. There are also some small code cleanups in how we handle setting up and tearing down port forwarding. It's still rather ugly, but at least a little better than it was before. Fixes containers#881 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
mheon
force-pushed
the
firewalld_final
branch
from
6aa2d19 to
8ac0ebe
Compare
There are two major changes here.
Firstly, this adds proper support for port forwarding from localhost via a new policy accepting traffic from HOST. This is the last bit we were missing from the original port-forwarding implementation.
Secondly, this fixes a bug where we generated incorrect rules when port-forwarding from a single IP. Instead of doing standard port-forwarding rules, those need rich rules. This was reported as #881.
There are also some small code cleanups in how we handle setting up and tearing down port forwarding. It's still rather ugly, but at least a little better than it was before.
Fixes #881