Make the ports listening inside the network namespace reachable
phantomcraft opened this issue · 1 comment
When I run a program which listens on an address, its ports are not fully reachable:
user@localhost:/dev/shm/socksns$ /home/user/.cargo/bin/socksns tcppm -l -i0.0.0.0 1053 1.1.1.1 53
220715202341.157 1053 00000 - 0.0.0.0:1053 0.0.0.0:0 0 0 0 Accepting connections [151546/3018610496]
220715202406.294 1053 00013 - 127.0.0.1:34805 1.1.1.1:53 0 0 0 1.1.1.1
220715202406.294 1053 00013 - 127.0.0.1:33807 1.1.1.1:53 0 0 0 1.1.1.1
root@localhost:/home/user# lsns | grep tcppm
4026533245 net 1 151546 user tcppm -l -i0.0.0.0 1053 1.1.1.1 53
4026533301 user 1 151546 user tcppm -l -i0.0.0.0 1053 1.1.1.1 53
root@localhost:/home/user# nsenter -t 151546 -n dig +tcp @127.0.0.1 -p 1053 t.co
;; communications error to 127.0.0.1#1053: end of file
;; communications error to 127.0.0.1#1053: end of file
This would be a nice feature because some programs need communication using listening ports.
I don't know if this is possible to implement, but if yes, it would be a very useful feature.
We'd need to proxy connections like we do now, but in the opposite direction. The user could specify using a CLI option what ports to forward through to the new namespace.
Since we can only enter the namespace when we first create it, we'd need to fork another process inside the namespace so that this process could make the connections to the wrapped program as needed. So the main process outside of the namespace would listen for connections, and when there's a new connection it would tell the forked process inside the namespace to make a new connection. The forked process would send the new socket back to the main process, and the main process would proxy data between the sockets.
I'm not sure when or if I'll have time to work on this, but a workaround is to combine socksns with socat (but this does require root). For example:
$ socksns python3 -m http.server
$ sudo socat tcp-listen:8000,fork,reuseaddr exec:'nsenter --net -t <python PID> socat STDIO "tcp-connect:127.0.0.1:8000"',nofork
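A sketch of the reverse-direction design described in the comment above, as an added example that is not socksns code and not the maintainer's own: the outer process listens on a public port, a forked "inner" process makes the matching connection to the wrapped program on request, hands the resulting socket back over an AF_UNIX control channel with SCM_RIGHTS, and the outer process proxies bytes between the two sockets. The network namespace itself is left out (no unshare, so the forked child simply connects on the host), and the wrapped program is replaced by a constructed single-connection echo server; all function names are hypothetical.

```python
import array
import os
import socket
import threading

# Hypothetical port-forwarding helper sketched from the comment above; not socksns code.
# The forked "inner" process stands in for a process living inside the network namespace.

CMSG_BUF = socket.CMSG_SPACE(array.array("i", [0]).itemsize)


def send_fd(ctrl, fd, msg=b"OK"):
    """Pass a socket descriptor across the AF_UNIX control channel with SCM_RIGHTS."""
    ctrl.sendmsg([msg], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [fd]))])


def recv_fd(ctrl):
    """Return (message, fd) from the control channel; fd is None if none was attached."""
    msg, ancdata, _flags, _addr = ctrl.recvmsg(64, CMSG_BUF)
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds = array.array("i")
            fds.frombytes(data[: len(data) - (len(data) % fds.itemsize)])
            return msg, fds[0]
    return msg, None


def inner_helper(ctrl):
    """Runs in the forked child. Each b"CONNECT host:port" request opens one
    connection to the wrapped program and passes the socket back to the parent."""
    while True:
        req = ctrl.recv(64)
        if not req.startswith(b"CONNECT "):  # b"" on EOF: the outer process went away
            break
        host, port = req[8:].decode().rsplit(":", 1)
        try:
            s = socket.create_connection((host, int(port)))  # no timeout: keep the fd blocking
        except OSError:
            ctrl.sendall(b"ERR")
            continue
        send_fd(ctrl, s.fileno())
        s.close()  # the parent now holds its own reference to the open file


def pump(a, b):
    """Copy bytes in both directions until each side has delivered its EOF."""
    def copy(src, dst):
        try:
            while True:
                data = src.recv(4096)
                if not data:
                    break
                dst.sendall(data)
        except OSError:
            pass
        finally:
            try:
                dst.shutdown(socket.SHUT_WR)  # forward EOF, leave the other direction open
            except OSError:
                pass
    threads = [threading.Thread(target=copy, args=(a, b)),
               threading.Thread(target=copy, args=(b, a))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    a.close()
    b.close()


def serve_one(listener, ctrl, target):
    """Outer side: accept one client, ask the inner helper for a connection to
    `target`, then proxy between the accepted socket and the passed one."""
    conn, _ = listener.accept()
    listener.close()
    ctrl.sendall(b"CONNECT %s:%d" % (target[0].encode(), target[1]))
    _msg, fd = recv_fd(ctrl)
    if fd is None:  # helper answered b"ERR": nothing listening inside
        conn.close()
        return False
    inner = socket.socket(fileno=fd)  # adopt the passed descriptor as a socket object
    inner.setblocking(True)
    pump(conn, inner)
    return True


def echo_server():
    """Constructed stand-in for the wrapped program: echoes one connection, then exits."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def serve():
        conn, _ = srv.accept()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def run_demo(payload=b"hello from outside"):
    """Fork the helper, forward one client through it, and return what came back."""
    ctrl_outer, ctrl_inner = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    pid = os.fork()
    if pid == 0:  # child: in socksns this is where it would already be inside the netns
        ctrl_outer.close()
        inner_helper(ctrl_inner)
        os._exit(0)
    ctrl_inner.close()

    target_port = echo_server()
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen()
    public_port = listener.getsockname()[1]
    worker = threading.Thread(target=serve_one,
                              args=(listener, ctrl_outer, ("127.0.0.1", target_port)))
    worker.start()

    client = socket.create_connection(("127.0.0.1", public_port), timeout=5)
    client.sendall(payload)
    client.shutdown(socket.SHUT_WR)
    chunks = []
    while True:
        data = client.recv(4096)
        if not data:
            break
        chunks.append(data)
    client.close()
    worker.join()
    ctrl_outer.close()  # EOF on the control channel tells the helper to exit
    os.waitpid(pid, 0)
    return b"".join(chunks)


if __name__ == "__main__":
    print(run_demo())
```

The two details that make the design work are visible here: the socket is handed back with SCM_RIGHTS rather than copied, so the outer process ends up with a real connected socket to the program inside, and `pump` forwards EOF with `shutdown(SHUT_WR)` per direction instead of closing, so a half-closed request (as `dig +tcp` or an HTTP client would produce) still gets its reply.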