Localhost server access #68
It's not immediately obvious to me why UDP is failing, but we do some strange things in the UDP handler that could cause the packet to not be properly processed through the DNAT rule in the reverse direction correctly.
The cool thing about this type of 1:1 address mapping is that you don't even really need a NAT table that keeps track of all the connections, you can just rewrite all destination addresses from addrA to addrB and the opposite on the return.
You might need to implement your own target for that though. I think that would work for ICMP, UDP, and ipv6. If the netstack dropping packets with ::1 in them is an issue, you could even move the rewriting to the transport handlers, but would be nice if we could avoid that.
Based on the code for the DNAT target, writing a custom target (possibly two of them, one for each direction) to do this looks pretty involved. Seems like it requires accessing non-exported variables and/or methods to modify those addresses: https://github.com/google/gvisor/blob/71bcc96c6e38b22e1aaf51863cde5b20f59e4617/pkg/tcpip/stack/iptables_targets.go#L324 Might consider looking into it more as a future improvement. IPv4 TCP should cover most use cases in the meantime.
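The stateless 1:1 rewrite suggested in the review comment above, worked through on raw IPv4 bytes as an added example; it is not code from this PR, Wiretap or gVisor, and it does not use gVisor's iptables target API. The names Mapping, fixSum and Rewrite and the address 192.0.2.10 are assumptions made for illustration, and packets are assumed to be unfragmented.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Mapping is a stateless 1:1 IPv4 mapping (addrA and addrB in the comment above).
type Mapping struct{ A, B [4]byte }

// fixSum patches the checksum at pkt[at:] for an address change from -> to,
// using the RFC 1624 incremental update HC' = ~(~HC + ~m + m').
func fixSum(pkt []byte, at int, from, to [4]byte) {
	acc := uint32(^binary.BigEndian.Uint16(pkt[at:]))
	for i := 0; i < 4; i += 2 {
		acc += uint32(^binary.BigEndian.Uint16(from[i:])) + uint32(binary.BigEndian.Uint16(to[i:]))
	}
	acc = acc&0xffff + acc>>16 // first carry fold; the second happens below
	binary.BigEndian.PutUint16(pkt[at:], ^uint16(acc+acc>>16))
}

// Rewrite edits an unfragmented IPv4 packet (first byte 0x45..0x4f) in place:
// inbound rewrites dst A->B, otherwise src B->A. It reports whether it matched.
func (m Mapping) Rewrite(pkt []byte, inbound bool) bool {
	off, from, to := 12, m.B, m.A
	if inbound {
		off, from, to = 16, m.A, m.B
	}
	if len(pkt) < 20 || pkt[0] < 0x45 || pkt[0] > 0x4f || string(pkt[off:off+4]) != string(from[:]) {
		return false
	}
	copy(pkt[off:], to[:])
	fixSum(pkt, 10, from, to) // IPv4 header checksum; ICMP needs nothing more
	ihl := int(pkt[0]&0x0f) * 4
	switch {
	case pkt[9] == 6 && len(pkt) >= ihl+18:
		fixSum(pkt, ihl+16, from, to) // TCP checksum covers the pseudo-header
	case pkt[9] == 17 && len(pkt) >= ihl+8 && pkt[ihl+6]|pkt[ihl+7] != 0:
		fixSum(pkt, ihl+6, from, to) // UDP; a zero field means "no checksum"
		if pkt[ihl+6]|pkt[ihl+7] == 0 {
			pkt[ihl+6], pkt[ihl+7] = 0xff, 0xff // RFC 768: send 0 as all ones
		}
	}
	return true
}

func main() { // constructed header only: 10.0.0.2 -> 192.0.2.10, protocol ICMP
	pkt := []byte{0x45, 0, 0, 20, 0, 1, 0, 0, 64, 1, 0xae, 0xdc, 10, 0, 0, 2, 192, 0, 2, 10}
	m := Mapping{A: [4]byte{192, 0, 2, 10}, B: [4]byte{127, 0, 0, 1}}
	fmt.Println(m.Rewrite(pkt, true), pkt[16:20], pkt[10:12]) // true [127 0 0 1] [241 229]
}
```

Because the decision depends only on the address in the packet, the same Mapping value handles both directions with no per-connection state.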
ICMP would really be nice. Not because "localhost" is being pinged (even if it is), but to easily test reachability from the opposite endpoint. UDP too, of course, could hopefully be fixed/completed soon? :)
Thnx!
You can ping either the Server host's normal assigned IP or the IP of one of the Server's Wiretap interfaces to check if the Server is reachable from the Client. Or use Wiretap's UDP localhost access will probably not be added any time in the near future, I think it's going to take a fair amount of work to figure out why it's not already working and how to fix it. If you run
Add ability to access the 127.0.0.1 IP of a Server.
--localhost-ip argument is available for configure and add server commands to specify an IP that will be DNAT'ed (via userspace iptables) to 127.0.0.1.
::1.
Other changes:
status) now ignore proxy environment variables because trying to use a proxy will always break the request.