
A configurable filter of iptables rules for port forwarding

Open ornew opened this issue 2 years ago • 1 comments

Description

I would like to extend this filter:

https://github.com/lima-vm/lima/blob/600f3421bc056f2bb3e69981d36412b5d31f8818/pkg/guestagent/iptables/iptables.go#L32

It's probably a process to prevent unintended port forwarding.

Usecase

My usecase is to access the NodePort service on Kubernetes running on lima.

Pod containers using hostPort are set up with a CNI-DN-* chain by the CNI plugin, so automatic port forwarding works without any change.

However, actually using hostPort is painful. It makes replicas of pods not work.

In a basic k8s configuration, using NodePort updates iptables.

For example, when exposing port 80 of nginx container with NodePort: 30010, just a related chain:

-A KUBE-NODEPORTS -p tcp -m comment --comment "default/nginx-nodeport" -m tcp --dport 30010 -j KUBE-EXT-CGFVTWEXQTKV5QXW
-A KUBE-EXT-CGFVTWEXQTKV5QXW -m comment --comment "masquerade traffic for default/nginx-nodeport external destinations" -j KUBE-MARK-MASQ
-A KUBE-EXT-CGFVTWEXQTKV5QXW -j KUBE-SVC-CGFVTWEXQTKV5QXW
-A KUBE-SVC-CGFVTWEXQTKV5QXW ! -s 10.244.0.0/16 -d 10.102.188.3/32 -p tcp -m comment --comment "default/nginx-nodeport cluster IP" -m tcp --dport 8000 -j KUBE-MARK-MASQ
-A KUBE-SVC-CGFVTWEXQTKV5QXW -m comment --comment "default/nginx-nodeport -> 10.244.0.159:80" -j KUBE-SEP-4HC2IE63VSQQECKY
-A KUBE-SEP-4HC2IE63VSQQECKY -s 10.244.0.159/32 -m comment --comment "default/nginx-nodeport" -j KUBE-MARK-MASQ
-A KUBE-SEP-4HC2IE63VSQQECKY -p tcp -m comment --comment "default/nginx-nodeport" -m tcp -j DNAT --to-destination 10.244.0.159:80

In this case, automatic port forwarding does not work because the CNI-DN-* is not published. However, KUBE-NODEPORTS acts as a DNAT to the target port of the container. If this is included for the targets of port forwarding, we can achieve access to containers on kubernetes with port forwarding without interfering with the replication of pods running.

I find this very convenient. Would you please consider adding it to your hard-coded filter or making the rules you want to filter configurable? Thanks!

ornew avatar Jun 11 '22 16:06 ornew
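As an added illustration, not lima's own code, here is how a guest-agent-style scanner could treat the KUBE-NODEPORTS chain like CNI-DN-* by following the -j jumps down to the rule that carries the DNAT; the chain names come from the rules quoted above, while the CNI-DN-PLACEHOLDER rule and its hash are constructed.

```go
package main

import (
	"regexp"
	"strings"
)
var (
	ruleRe  = regexp.MustCompile(`(?m)^-A (\S+) (.*)$`)
	dportRe = regexp.MustCompile(`--dport (\d+)`)
	dnatRe  = regexp.MustCompile(`-j DNAT --to-destination (\S+)`)
	jumpRe  = regexp.MustCompile(`-j (\S+)`)
)
// destOf follows -j jumps from a rule to its DNAT target; a chain absent from the dump (KUBE-MARK-MASQ) yields "", depth caps loops.
func destOf(rules map[string][]string, rule string, depth int) string {
	if m := dnatRe.FindStringSubmatch(rule); m != nil {
		return m[1]
	}
	if m := jumpRe.FindStringSubmatch(rule); m != nil && depth < 8 {
		for _, r := range rules[m[1]] {
			if d := destOf(rules, r, depth+1); d != "" {
				return d
			}
		}
	}
	return ""
}
// PortForwards maps each --dport in a CNI-DN-* or KUBE-NODEPORTS chain of an `iptables -t nat -S` dump to its DNAT target.
func PortForwards(dump string) map[string]string {
	rules, out := map[string][]string{}, map[string]string{}
	for _, m := range ruleRe.FindAllStringSubmatch(dump, -1) {
		rules[m[1]] = append(rules[m[1]], m[2])
	}
	for chain, rs := range rules {
		if chain == "KUBE-NODEPORTS" || strings.HasPrefix(chain, "CNI-DN-") {
			for _, r := range rs {
				if pm, dest := dportRe.FindStringSubmatch(r), destOf(rules, r, 0); pm != nil && dest != "" {
					out[pm[1]] = dest // host port -> container ip:port
				}
			}
		}
	}
	return out
}
// sampleDump: the NodePort chain quoted in the issue plus one constructed CNI-DN-* hostPort rule (placeholder chain hash).
const sampleDump = `-A KUBE-NODEPORTS -p tcp -m comment --comment "default/nginx-nodeport" -m tcp --dport 30010 -j KUBE-EXT-CGFVTWEXQTKV5QXW
-A KUBE-EXT-CGFVTWEXQTKV5QXW -m comment --comment "masquerade traffic for default/nginx-nodeport external destinations" -j KUBE-MARK-MASQ
-A KUBE-EXT-CGFVTWEXQTKV5QXW -j KUBE-SVC-CGFVTWEXQTKV5QXW
-A KUBE-SVC-CGFVTWEXQTKV5QXW -m comment --comment "default/nginx-nodeport -> 10.244.0.159:80" -j KUBE-SEP-4HC2IE63VSQQECKY
-A KUBE-SEP-4HC2IE63VSQQECKY -p tcp -m comment --comment "default/nginx-nodeport" -m tcp -j DNAT --to-destination 10.244.0.159:80
-A CNI-DN-PLACEHOLDER -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.244.0.7:80`
```

Intermediate chains such as KUBE-EXT-* and KUBE-SVC-* are only traversed, never reported, so the resulting map contains just the ports a host would actually expose.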

I've confirmed that the hard-coded filter fixed on https://github.com/ornew/lima/commit/6c8aa18352027bec8af5185b784cb0aa1b343322 works correctly. I can open the PR if it's acceptable to you.

ornew avatar Jun 12 '22 07:06 ornew