-
Notifications
You must be signed in to change notification settings - Fork 86
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Wrong firewalld rule generated when publishing ports on specified ip #881
Comments
Thanks for the report, yes this looks like a valid bug. |
@mheon can this be scoped up into your firewalld work ? |
This is definitely part of the remaining work for firewalld |
mheon
added a commit
to mheon/netavark
that referenced
this issue
Jan 15, 2024
There are two major changes here. Firstly, this adds proper support for port forwarding from localhost via a new policy accepting traffic from HOST. This is the last bit we were missing from the original port-forwarding implementation. Secondly, this fixes a bug where we generated incorrect rules when port-forwarding from a single IP. Instead of doing standard port-forwarding rules, those need rich rules. This was reported as containers#881. There are also some small code cleanups in how we handle setting up and tearing down port forwarding. It's still rather ugly, but at least a little better than it was before. Fixes containers#881 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
mheon
added a commit
to mheon/netavark
that referenced
this issue
Jan 15, 2024
There are two major changes here. Firstly, this adds proper support for port forwarding from localhost via a new policy accepting traffic from HOST. This is the last bit we were missing from the original port-forwarding implementation. Secondly, this fixes a bug where we generated incorrect rules when port-forwarding from a single IP. Instead of doing standard port-forwarding rules, those need rich rules. This was reported as containers#881. There are also some small code cleanups in how we handle setting up and tearing down port forwarding. It's still rather ugly, but at least a little better than it was before. Fixes containers#881 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
mheon
added a commit
to mheon/netavark
that referenced
this issue
Jan 15, 2024
There are two major changes here. Firstly, this adds proper support for port forwarding from localhost via a new policy accepting traffic from HOST. This is the last bit we were missing from the original port-forwarding implementation. Secondly, this fixes a bug where we generated incorrect rules when port-forwarding from a single IP. Instead of doing standard port-forwarding rules, those need rich rules. This was reported as containers#881. There are also some small code cleanups in how we handle setting up and tearing down port forwarding. It's still rather ugly, but at least a little better than it was before. Fixes containers#881 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
mheon
added a commit
to mheon/netavark
that referenced
this issue
Jan 15, 2024
There are two major changes here. Firstly, this adds proper support for port forwarding from localhost via a new policy accepting traffic from HOST. This is the last bit we were missing from the original port-forwarding implementation. Secondly, this fixes a bug where we generated incorrect rules when port-forwarding from a single IP. Instead of doing standard port-forwarding rules, those need rich rules. This was reported as containers#881. There are also some small code cleanups in how we handle setting up and tearing down port forwarding. It's still rather ugly, but at least a little better than it was before. Fixes containers#881 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
mheon
added a commit
to mheon/netavark
that referenced
this issue
Feb 15, 2024
There are two major changes here. Firstly, this adds proper support for port forwarding from localhost via a new policy accepting traffic from HOST. This is the last bit we were missing from the original port-forwarding implementation. Secondly, this fixes a bug where we generated incorrect rules when port-forwarding from a single IP. Instead of doing standard port-forwarding rules, those need rich rules. This was reported as containers#881. There are also some small code cleanups in how we handle setting up and tearing down port forwarding. It's still rather ugly, but at least a little better than it was before. Fixes containers#881 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
mheon
added a commit
to mheon/netavark
that referenced
this issue
Jan 17, 2025
There are two major changes here. Firstly, this adds proper support for port forwarding from localhost via a new policy accepting traffic from HOST. This is the last bit we were missing from the original port-forwarding implementation. This requires two new zones: one in which the actual port forward occurs, and one to allow traffic to 127.0.0.1 to be masqeuraded so we can talk to the container from localhost. Secondly, this fixes a bug where we generated incorrect rules when port-forwarding from a single IP. Instead of doing standard port-forwarding rules, those need rich rules. This was reported as containers#881. There are also some small code cleanups in how we handle setting up and tearing down port forwarding. It's still rather ugly, but at least a little better than it was before. Fixes containers#881 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
mheon
added a commit
to mheon/netavark
that referenced
this issue
Jan 17, 2025
There are two major changes here. Firstly, this adds proper support for port forwarding from localhost via a new policy accepting traffic from HOST. This is the last bit we were missing from the original port-forwarding implementation. This requires two new zones: one in which the actual port forward occurs, and one to allow traffic to 127.0.0.1 to be masqeuraded so we can talk to the container from localhost. Secondly, this fixes a bug where we generated incorrect rules when port-forwarding from a single IP. Instead of doing standard port-forwarding rules, those need rich rules. This was reported as containers#881. There are also some small code cleanups in how we handle setting up and tearing down port forwarding. It's still rather ugly, but at least a little better than it was before. Fixes containers#881 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
mheon
added a commit
to mheon/netavark
that referenced
this issue
Jan 17, 2025
There are two major changes here. Firstly, this adds proper support for port forwarding from localhost via a new policy accepting traffic from HOST. This is the last bit we were missing from the original port-forwarding implementation. This requires two new zones: one in which the actual port forward occurs, and one to allow traffic to 127.0.0.1 to be masqeuraded so we can talk to the container from localhost. Secondly, this fixes a bug where we generated incorrect rules when port-forwarding from a single IP. Instead of doing standard port-forwarding rules, those need rich rules. This was reported as containers#881. There are also some small code cleanups in how we handle setting up and tearing down port forwarding. It's still rather ugly, but at least a little better than it was before. Fixes containers#881 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When specifying
-p 10.52.0.2:1111:1111
to podman, my intention was to forward traffic coming from10.52.0.2:1111
tocontainer:1111
. While when using firewalld as backend, the generated rule iswhich will forward any traffic to port 1111 to
10.52.0.2:1111
I think in this case, we should use rich rule in
netavark_portfwd
zone likeinstead of the forward-ports rule.
reproduce
The text was updated successfully, but these errors were encountered: