
Localhost server access #68

Merged: 11 commits into main, Nov 25, 2024

Conversation

@Aptimex (Collaborator) commented Nov 19, 2024

Add ability to access the 127.0.0.1 IP of a Server. --localhost-ip argument is available for configure and add server commands to specify an IP that will be DNAT'ed (via userspace iptables) to 127.0.0.1.

  • Only works for IPv4 because RFC (and implementations) effectively disallows DNAT to the IPv6 loopback ::1.
  • Doesn't work for UDP packets, not sure why. In testing they were received as expected by the localhost listener, but replies were not received by the Client.
  • Didn't test with ICMP because I can't imagine anyone would ever really need to ping localhost.

Other changes:

  • Updated gvisor (and related dependencies) to a slightly newer version that supports necessary iptables stuff.
  • Updated Golang version requirement to use some new features.
  • API requests (like ones generated by status) now ignore proxy environment variables because trying to use a proxy will always break the request.
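The last bullet describes the client-side fix for the status command: an API request to the Server's local endpoint must never be routed through a proxy taken from the environment. The following is an added Go example, not code from the Wiretap project, showing how a Go HTTP client opts out of HTTP_PROXY/HTTPS_PROXY/ALL_PROXY and how to confirm that without sending traffic. The endpoint path and the proxy URL are constructed values.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
	"time"
)

// NewAPIClient builds the HTTP client used for requests to the local API
// endpoint. Transport.Proxy is nil, so HTTP_PROXY / HTTPS_PROXY / ALL_PROXY
// are never consulted. A zero http.Client (or http.DefaultTransport) instead
// uses http.ProxyFromEnvironment, which would send the request to the proxy.
func NewAPIClient() *http.Client {
	return &http.Client{
		Timeout:   5 * time.Second,
		Transport: &http.Transport{Proxy: nil},
	}
}

// transportOf returns the *http.Transport a client will actually use.
func transportOf(c *http.Client) *http.Transport {
	if t, ok := c.Transport.(*http.Transport); ok {
		return t
	}
	return http.DefaultTransport.(*http.Transport)
}

// WouldUseProxy reports whether c would route a GET to rawURL through a proxy
// under the current environment, without sending anything.
func WouldUseProxy(c *http.Client, rawURL string) bool {
	t := transportOf(c)
	if t.Proxy == nil {
		return false
	}
	req, err := http.NewRequest(http.MethodGet, rawURL, nil)
	if err != nil {
		return false
	}
	u, err := t.Proxy(req)
	return err == nil && u != nil
}

func main() {
	// Constructed values: a fake proxy and a private-range API address.
	os.Setenv("HTTP_PROXY", "http://proxy.example.invalid:3128")
	target := "http://10.0.0.1:8080/api/status"
	fmt.Println("default client uses proxy:", WouldUseProxy(&http.Client{}, target))
	fmt.Println("API client uses proxy:    ", WouldUseProxy(NewAPIClient(), target))
}
```

Note that Go reads the proxy environment variables once, on the first call to http.ProxyFromEnvironment, so a client that wants the environment honoured and one that wants it ignored must be separate http.Client values rather than a toggled setting on one shared transport.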

@Aptimex Aptimex requested a review from luker983 November 19, 2024 22:31
@Aptimex Aptimex linked an issue Nov 19, 2024 that may be closed by this pull request
@luker983 (Collaborator) left a comment

It's not immediately obvious to me why UDP is failing, but we do some strange things in the UDP handler that could cause the packet to not be properly processed through the DNAT rule in the reverse direction correctly.

The cool thing about this type of 1:1 address mapping is that you don't even really need a NAT table that keeps track of all the connections, you can just rewrite all destination addresses from addrA to addrB and the opposite on the return.

You might need to implement your own target for that though. I think that would work for ICMP, UDP, and ipv6. If the netstack dropping packets with ::1 in them is an issue, you could even move the rewriting to the transport handlers, but would be nice if we could avoid that.

Three review threads on src/cmd/serve.go (all resolved)
@Aptimex (Collaborator, Author) commented Nov 21, 2024

The cool thing about this type of 1:1 address mapping is that you don't even really need a NAT table that keeps track of all the connections, you can just rewrite all destination addresses from addrA to addrB and the opposite on the return.
You might need to implement your own target for that though.

Based on the code for the DNAT target, writing a custom target (possibly two of them, one for each direction) to do this looks pretty involved. Seems like it requires accessing non-exported variables and/or methods to modify those addresses: https://github.com/google/gvisor/blob/71bcc96c6e38b22e1aaf51863cde5b20f59e4617/pkg/tcpip/stack/iptables_targets.go#L324

Might consider looking into it more as a future improvement. IPv4 TCP should cover most use cases in the meantime.
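luker983's review describes a stateless 1:1 mapping (rewrite the destination addrA to addrB on the way in, and the source addrB back to addrA on the way out) as an alternative to connection-tracking DNAT, and Aptimex's reply notes that doing it as a custom gvisor iptables target looks involved. The following is an added Go example, not code from the Wiretap project or from gvisor, that shows the mapping itself on raw IPv4 packet bytes so the two directions and the checksum consequences are concrete. It assumes packets are handed to it as a byte slice; Public is the advertised address (172.17.0.1 here, a constructed value matching the environment example later in the thread) and Loopback is 127.0.0.1. Like the merged change it is IPv4 only: IPv6 packets are left untouched, so the ::1 restriction from the PR description still applies.

```go
package main

import (
	"bytes"
	"encoding/binary"
)

const (
	protoTCP = 6
	protoUDP = 17
)

// csOffset: checksum field offset in the transport header for protocols whose
// checksum covers the IP pseudo-header. ICMP is absent on purpose: its checksum
// ignores IP addresses, so an address rewrite leaves it valid as-is.
var csOffset = map[byte]int{protoTCP: 16, protoUDP: 6}

// Mapper is a stateless 1:1 mapping: packets sent to Public are delivered to
// Loopback, replies from Loopback leave as Public. No connection table is
// needed because each rewrite depends only on the address already in the header.
type Mapper struct {
	Public   [4]byte // the advertised address (what --localhost-ip would name)
	Loopback [4]byte // 127.0.0.1
}

// internetChecksum is the one's-complement sum used by IPv4, TCP and UDP;
// initial lets the caller fold in a pseudo-header first.
func internetChecksum(b []byte, initial uint32) uint16 {
	sum := initial
	for i := 0; i+1 < len(b); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(b[i:]))
	}
	if len(b)%2 == 1 {
		sum += uint32(b[len(b)-1]) << 8
	}
	for sum>>16 != 0 {
		sum = (sum & 0xffff) + (sum >> 16)
	}
	return ^uint16(sum)
}

// pseudoHeaderSum folds src, dst, protocol and transport length into a partial
// sum; this is why TCP/UDP checksums must change whenever an address does.
func pseudoHeaderSum(pkt []byte, ihl int) uint32 {
	var sum uint32
	for i := 12; i < 20; i += 2 {
		sum += uint32(binary.BigEndian.Uint16(pkt[i:]))
	}
	return sum + uint32(pkt[9]) + uint32(len(pkt)-ihl)
}

// fixChecksums recomputes the IPv4 header checksum and, for TCP/UDP, the
// transport checksum. Call it after any address in pkt has been changed.
func fixChecksums(pkt []byte) {
	ihl := int(pkt[0]&0x0f) * 4
	binary.BigEndian.PutUint16(pkt[10:], 0)
	binary.BigEndian.PutUint16(pkt[10:], internetChecksum(pkt[:ihl], 0))
	off, ok := csOffset[pkt[9]]
	payload := pkt[ihl:]
	if !ok || len(payload) < off+2 {
		return
	}
	binary.BigEndian.PutUint16(payload[off:], 0)
	cs := internetChecksum(payload, pseudoHeaderSum(pkt, ihl))
	if pkt[9] == protoUDP && cs == 0 {
		cs = 0xffff // zero means "no UDP checksum", so send all-ones instead
	}
	binary.BigEndian.PutUint16(payload[off:], cs)
}

// ChecksumsValid reports whether the IPv4 and (for TCP/UDP) transport checksums
// verify: summing the covered bytes including a correct checksum yields zero.
func ChecksumsValid(pkt []byte) bool {
	ihl := int(pkt[0]&0x0f) * 4
	if internetChecksum(pkt[:ihl], 0) != 0 {
		return false
	}
	_, ok := csOffset[pkt[9]]
	return !ok || internetChecksum(pkt[ihl:], pseudoHeaderSum(pkt, ihl)) == 0
}

// rewrite swaps the 4-byte address at off (12 = source, 16 = destination)
// from `from` to `to` and repairs the checksums; false means "not ours".
func (m Mapper) rewrite(pkt []byte, off int, from, to [4]byte) bool {
	// Only well-formed IPv4 is handled; anything else, IPv6 included, is left alone.
	if len(pkt) < 20 || pkt[0] < 0x45 || pkt[0] > 0x4f || int(pkt[0]&0x0f)*4 > len(pkt) ||
		int(binary.BigEndian.Uint16(pkt[2:])) != len(pkt) || !bytes.Equal(pkt[off:off+4], from[:]) {
		return false
	}
	copy(pkt[off:off+4], to[:])
	fixChecksums(pkt)
	return true
}

// Forward redirects a client packet addressed to Public to Loopback; Reverse
// restores Public as the source of a reply that Loopback sent back.
func (m Mapper) Forward(pkt []byte) bool { return m.rewrite(pkt, 16, m.Public, m.Loopback) }
func (m Mapper) Reverse(pkt []byte) bool { return m.rewrite(pkt, 12, m.Loopback, m.Public) }
```

The point worth checking in any implementation of this idea, whether as an iptables target or in a transport handler, is the pseudo-header: the TCP and UDP checksums cover both IP addresses, so a rewrite that only fixes the IP header checksum produces replies that the receiving stack silently discards. ICMP needs no transport-checksum update, which is one reason the stateless form extends to it naturally.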

@Aptimex Aptimex merged commit 21e6aba into main Nov 25, 2024
3 checks passed
@fragtion commented Jan 5, 2025

  • Didn't test with ICMP because I can't imagine anyone would ever really need to ping localhost.

ICMP would really be nice. Not because "localhost" is being pinged (even if it is), but to easily test reachability from the opposite endpoint. UDP too, of course, could hopefully be fixed/completed soon? :)

  1. Is there a way to change the interface and peer IP for relay network in serve config file (particularly when using --simple mode)? It seems it can only be changed with env (i.e. WIRETAP_RELAY_INTERFACE_IPV4=172.17.0.1 WIRETAP_RELAY_INTERFACE_LOCALHOSTIP=172.17.0.1 WIRETAP_RELAY_PEER_ALLOWED=172.17.0.0/16 wiretap serve --simple).

Thnx!

@Aptimex (Collaborator, Author) commented Jan 6, 2025

You can ping either the Server host's normal assigned IP or the IP of one of the Server's Wiretap interfaces to check if the Server is reachable from the Client. Or use Wiretap's status command.

UDP localhost access will probably not be added any time in the near future, I think it's going to take a fair amount of work to figure out why it's not already working and how to fix it.


If you run configure -H (note the capital letter) it will show you the arguments you can use to change those values, which will be reflected in the generated config files. If you need additional help with this question please open a separate issue about it.

Linked issue (may be closed by this pull request): Localhost access to server