Bug: FIREWALL_INPUT_PORTS not respected for IPv6 in dual-stack cluster #2524
Comments
@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Thanks for the detailed report! The ip6tables rules:

should take care of allowing input traffic on the port 8080. It's more of an ip route/rule problem, especially with the error

Asking all this, since, despite the role here, I'm probably not the network wizard ™️ either 😄 !
Thanks for the quick reply! I think many would call what you do wizardry 😉

`kubectl exec podinfo -c gluetun -- ip route show table all`

```
default via 169.254.1.1 dev eth0 table 200
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 169.254.1.1 dev eth0
10.8.0.0/16 dev tun0 proto kernel scope link src 10.8.0.18
128.0.0.0/1 via 10.8.0.1 dev tun0
146.70.193.130 via 169.254.1.1 dev eth0
169.254.1.1 dev eth0 scope link
local 10.8.0.18 dev tun0 table local proto kernel scope host src 10.8.0.18
broadcast 10.8.255.255 dev tun0 table local proto kernel scope link src 10.8.0.18
local 10.42.0.46 dev eth0 table local proto kernel scope host src 10.42.0.46
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
default via fe80::ecee:eeff:feee:eeee dev eth0 table 200 metric 1024 pref medium
2001:cafe:42::2e dev eth0 proto kernel metric 256 pref medium
::/2 dev tun0 metric 1024 pref medium
4000::/2 dev tun0 metric 1024 pref medium
8000::/2 dev tun0 metric 1024 pref medium
fdda:d0d0:cafe:1194::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
c000::/2 dev tun0 metric 1024 pref medium
default via fe80::ecee:eeff:feee:eeee dev eth0 metric 1024 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2001:cafe:42::2e dev eth0 table local proto kernel metric 0 pref medium
local fdda:d0d0:cafe:1194::1010 dev tun0 table local proto kernel metric 0 pref medium
local fe80::3888:f051:77bc:7ee8 dev tun0 table local proto kernel metric 0 pref medium
local fe80::94cd:caff:feed:2fc dev eth0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev tun0 table local proto kernel metric 256 pref medium
```

`kubectl exec podinfo -c gluetun -- ip -6 route show table all`

```
default via fe80::ecee:eeff:feee:eeee dev eth0 table 200 metric 1024 pref medium
2001:cafe:42::2e dev eth0 proto kernel metric 256 pref medium
::/2 dev tun0 metric 1024 pref medium
4000::/2 dev tun0 metric 1024 pref medium
8000::/2 dev tun0 metric 1024 pref medium
fdda:d0d0:cafe:1194::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
c000::/2 dev tun0 metric 1024 pref medium
default via fe80::ecee:eeff:feee:eeee dev eth0 metric 1024 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2001:cafe:42::2e dev eth0 table local proto kernel metric 0 pref medium
local fdda:d0d0:cafe:1194::1010 dev tun0 table local proto kernel metric 0 pref medium
local fe80::3888:f051:77bc:7ee8 dev tun0 table local proto kernel metric 0 pref medium
local fe80::94cd:caff:feed:2fc dev eth0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev tun0 table local proto kernel metric 256 pref medium
```

`kubectl exec podinfo -c gluetun -- ip rule list`

```
0:	from all lookup local
98:	from all to 169.254.1.1 lookup main
100:	from 10.42.0.46 lookup 200
32766:	from all lookup main
32767:	from all lookup default
```

`kubectl exec podinfo -c gluetun -- ip -6 rule list`

```
0:	from all lookup local
98:	from all to 2001:cafe:42::2e lookup main
98:	from all to fe80::/64 lookup main
100:	from 2001:cafe:42::2e lookup 200
32766:	from all lookup main
```

The default route seems to be missing in the IPv6 rules, could that be the issue?
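Policy routing is what decides whether a reply leaving the pod's IPv6 address goes back out eth0 or down the tunnel, and the `ip rule` / `ip route` dumps above carry everything needed to replay that decision offline. The following is an added example, not gluetun code and not from either participant in the thread: it parses `ip rule list` and `ip route show table all` output in the format quoted above and walks the rules the way the kernel does (the first rule whose selectors match picks a table, the longest prefix in that table wins, and a table with no covering route falls through to the next rule). The sample strings are constructed from the addresses in the thread; `egress`, `resolve` and the other names are this example's own, not gluetun APIs.

```python
import ipaddress
import re
from collections import namedtuple

# Added example (not gluetun code): replay `ip rule` + `ip route` lookups offline.
Rule = namedtuple("Rule", "priority src dst table")   # src/dst are the 'from'/'to' selectors
Route = namedtuple("Route", "dst table dev via")      # dst is an ip_network
ROUTE_TYPES = {"unicast", "local", "broadcast", "multicast", "anycast",
               "unreachable", "prohibit", "blackhole", "throw", "nat"}
RULE_RE = re.compile(r"^\s*(\d+):\s+(.*)$")

def _after(tokens, key):
    """Token following `key` in an iproute2 line, or None if absent."""
    for i in range(len(tokens) - 1):
        if tokens[i] == key:
            return tokens[i + 1]
    return None

def parse_rules(text):
    """Parse `ip [-6] rule list`; lowest priority first, as the kernel checks them."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            tok = m.group(2).split()
            rules.append(Rule(int(m.group(1)), _after(tok, "from"),
                              _after(tok, "to"), _after(tok, "lookup") or "main"))
    return sorted(rules, key=lambda r: r.priority)

def parse_routes(text, family):
    """Parse `ip route show table all`. `family` (4 or 6) is required because a
    bare 'default' line does not reveal its family (a via-less default is
    attributed to `family`); lines of the other family are skipped."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] in ROUTE_TYPES:          # e.g. 'local 10.42.0.46 dev eth0 ...'
            tok = tok[1:]
        via = _after(tok, "via")
        if tok[0] == "default":
            if via and ipaddress.ip_address(via).version != family:
                continue
            net = ipaddress.ip_network("0.0.0.0/0" if family == 4 else "::/0")
        else:
            net = ipaddress.ip_network(tok[0], strict=False)
            if net.version != family:
                continue
        routes.append(Route(net, _after(tok, "table") or "main", _after(tok, "dev"), via))
    return routes

def _selects(selector, addr):
    return selector in (None, "all") or addr in ipaddress.ip_network(selector, strict=False)

def resolve(rules, routes, src, dst):
    """Kernel semantics: the first rule whose selectors match names a table; the
    longest prefix covering `dst` in that table wins; a table with no covering
    route falls through to the next rule. (None, None) = 'network unreachable'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if _selects(rule.src, src) and _selects(rule.dst, dst):
            hits = [r for r in routes if r.table == rule.table and dst in r.dst]
            if hits:
                return rule, max(hits, key=lambda r: r.dst.prefixlen)
    return None, None

def egress(rules_text, routes_text, family, src, dst):
    """(table, dev, via) a packet src->dst would take, or None if unroutable."""
    rule, route = resolve(parse_rules(rules_text), parse_routes(routes_text, family), src, dst)
    return (rule.table, route.dev, route.via) if route else None

# Constructed sample: the IPv6 rules and routes quoted in the thread, trimmed
# (pod address 2001:cafe:42::2e, gluetun's table 200, VPN tunnel on tun0).
RULES6 = """\
0:      from all lookup local
98:     from all to 2001:cafe:42::2e lookup main
98:     from all to fe80::/64 lookup main
100:    from 2001:cafe:42::2e lookup 200
32766:  from all lookup main
"""
ROUTES6 = """\
default via fe80::ecee:eeff:feee:eeee dev eth0 table 200 metric 1024 pref medium
2001:cafe:42::2e dev eth0 proto kernel metric 256 pref medium
::/2 dev tun0 metric 1024 pref medium
c000::/2 dev tun0 metric 1024 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::ecee:eeff:feee:eeee dev eth0 metric 1024 pref medium
local 2001:cafe:42::2e dev eth0 table local proto kernel metric 0 pref medium
"""
# Failure mode worth testing for: the bypass table has no default route for this family.
ROUTES6_NO_TABLE200 = "\n".join(line for line in ROUTES6.splitlines() if "table 200" not in line)

if __name__ == "__main__":
    pod, client = "2001:cafe:42::2e", "2001:cafe:42::1"
    print("pod reply goes via:", egress(RULES6, ROUTES6, 6, pod, client))
    print("...with table 200 empty:", egress(RULES6, ROUTES6_NO_TABLE200, 6, pod, client))
```

Feed it real `ip -6 rule list` and `ip -6 route show table all` output from the container to see which table answers for a (pod IPv6, client IPv6) pair. For the dump above the answer is table 200 via eth0, exactly as the IPv4 side; the second call shows what would happen if table 200 had no IPv6 default: the reply would fall through to main and follow `::/2` into tun0. One side note on the rule lists: Linux installs no `32767: from all lookup default` rule for IPv6, so its absence from `ip -6 rule list` is expected and is not by itself a missing route.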
Is this urgent?
No
Host OS
Fedora 40
CPU arch
x86_64
VPN service provider
Mullvad
What are you using to run the container
Kubernetes
What is the version of Gluetun
Running version v3.39.1 built on 2024-09-29T18:16:23.495Z (commit 67ae5f5)
What's the problem 🤔
First off, thank you for all your hard work on this project. I've been using it for a long time in other configurations and it's been incredibly helpful ❤️
Regarding my issue:
I'm trying to run gluetun in a dual-stack k3s cluster.
In this setup pods are assigned two IPs (one IPv4, one IPv6) from the ranges
2001:cafe:42::/64
10.42.0.0/24
Curling the pod via IPv4 delivers a correct response:
Curling via IPv6 yields "no route to host":
After removing the gluetun container I'm able to reach the pod correctly via IPv6, so we can rule out a host networking issue. If I remove `FIREWALL_INPUT_PORTS` the IPv4 curl just hangs, so it's definitely working there.

Some additional information from the pod (I'm not a networking wizard so don't know if this will be helpful to you ^^):
`kubectl exec podinfo -c gluetun -- ip -6 route`

```
2001:cafe:42::2b dev eth0 proto kernel metric 256 pref medium
::/2 dev tun0 metric 1024 pref medium
4000::/2 dev tun0 metric 1024 pref medium
8000::/2 dev tun0 metric 1024 pref medium
fdda:d0d0:cafe:1194::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
c000::/2 dev tun0 metric 1024 pref medium
default via fe80::ecee:eeff:feee:eeee dev eth0 metric 1024 pref medium
```

`kubectl exec podinfo -c gluetun -- ip6tables -S`

```
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 2001:cafe:42::2b/128 -i eth0 -j ACCEPT
-A INPUT -d fe80::/64 -i eth0 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 8080 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d ff02::/104 -o eth0 -j ACCEPT
-A OUTPUT -s 2001:cafe:42::2b/128 -d 2001:cafe:42::2b/128 -o eth0 -j ACCEPT
-A OUTPUT -d ff02::/104 -o eth0 -j ACCEPT
-A OUTPUT -s 2001:cafe:42::2b/128 -d fe80::/64 -o eth0 -j ACCEPT
-A OUTPUT -d ff02::/104 -o eth0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
```
Thank you in advance for your help 🙂
Please let me know if you need any more information.
Best regards
Luis
Share your logs (at least 10 lines)
Share your configuration