[Bug 1917920] Re: magic-proxy broke with iptables 1.8.7-1ubuntu2

Dimitri John Ledkov 1917920 at bugs.launchpad.net
Tue Mar 9 19:53:06 UTC 2021


The nat fiddles are not visible inside the container network namespace.
Thus I am wondering if there is an odd interaction between namespace,
nftables based iptables vs legacy iptables. I.e. whilst the host is
configured using legacy iptables, maybe the lxd guests must be using
legacy iptables too.

I'll experiment to see if simply forcing the use of only iptables-legacy
inside the lxd guest is good enough for now, despite the hosts getting
upgraded to bionic, because it's only groovy that started to use
nftables-based iptables.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to livecd-rootfs in Ubuntu.
https://bugs.launchpad.net/bugs/1917920

Title:
  magic-proxy broke with iptables 1.8.7-1ubuntu2

Status in launchpad-buildd:
  New
Status in iptables package in Ubuntu:
  New
Status in livecd-rootfs package in Ubuntu:
  New
Status in lxd package in Ubuntu:
  New

Bug description:
  when iptables got upgraded from 1.8.5-3ubuntu4 to 1.8.7-1ubuntu2 magic
  proxy stopped working in livecd-rootfs.

  It does a very simple thing:

  iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon -j REDIRECT --to 8080

  inside hirsute lxd container, with quite high privileges, in a bionic
  VM, running 4.15 kernel.

  With 1.8.5 the above worked fine; with 1.8.7 somehow there was no
  outbound connectivity: the very first HTTP networking command after the
  above call would just hang indefinitely.

  However, if one does this instead:

  iptables -vv -t nat -S
  iptables-legacy -vv -t nat -S
  iptables -vv -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon -j REDIRECT --to 8080

  somehow magically everything starts to work fine.

  weird.
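
A check for the legacy/nftables backend mix suspected in the comment above, added here as an example and not taken from the bug report or from livecd-rootfs. The function names, the wording of the verdicts and the sample rule dumps are constructed for illustration; the sample assumes `daemon` resolves to uid 1.

```shell
#!/bin/sh
# Added example: tell which iptables backend is the default and whether
# nat rules ended up in a backend other than the default one.

# backend_of VERSION_STRING -> nft | legacy | unknown
# iptables 1.8.x reports its backend in `iptables -V`,
# e.g. "iptables v1.8.7 (nf_tables)".
backend_of() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# count_rules: reads `-t nat -S` output on stdin and counts appended rules.
# Policy lines (-P) and user chains (-N) are not counted.
count_rules() {
    grep -c '^-A ' || true   # grep exits 1 on zero matches; keep the "0"
}

# diagnose DEFAULT_VERSION LEGACY_DUMP NFT_DUMP -> one-line verdict
diagnose() {
    backend=$(backend_of "$1")
    legacy_n=$(printf '%s\n' "$2" | count_rules)
    nft_n=$(printf '%s\n' "$3" | count_rules)
    if [ "$legacy_n" -gt 0 ] && [ "$nft_n" -gt 0 ]; then
        echo "mixed: rules in both backends (default=$backend)"
    elif [ "$backend" = nft ] && [ "$legacy_n" -gt 0 ]; then
        echo "mismatch: default is nft but rules live in legacy"
    elif [ "$backend" = legacy ] && [ "$nft_n" -gt 0 ]; then
        echo "mismatch: default is legacy but rules live in nft"
    else
        echo "consistent: default=$backend"
    fi
}

# Constructed sample dumps (not captured from the affected builders).
SAMPLE_EMPTY='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT'
SAMPLE_REDIRECT="$SAMPLE_EMPTY
-A OUTPUT -p tcp -m tcp --dport 80 -m owner ! --uid-owner 1 -j REDIRECT --to-ports 8080"

diagnose "iptables v1.8.7 (nf_tables)" "$SAMPLE_REDIRECT" "$SAMPLE_EMPTY"
```

Inside the container, as root, the live equivalent is `diagnose "$(iptables -V)" "$(iptables-legacy -t nat -S)" "$(iptables-nft -t nat -S)"`.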
