From 836095d242fcc8acdf701972cf1e9e96de1095d6 Mon Sep 17 00:00:00 2001
From: David Scott
Date: Wed, 6 Feb 2019 20:53:54 +0000
Subject: [PATCH 1/2] Update CHANGES.md for v0.3.0

Signed-off-by: David Scott
---
 CHANGES.md | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/CHANGES.md b/CHANGES.md
index 406c228fc..0844ef3c8 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,3 +1,29 @@
+### v0.3.0 (2019-02-06)
+
+* support multiplexing forwarded connections along one Hyper-V socket connection
+* add Kubernetes controller for exposing ports
+* go: move to go dep
+* support building Linux static binaries (with musl)
+* add a --gateway-forwards file for redirecting traffic to external services
+* udp: prevent too many flows exhausting all fds on the system
+* support forwarding to Unix domain sockets as well as TCP and UDP
+* go: move vmnet to its own package
+* test: add an nmap simulation test
+* vpnkit-{9pmount,tap}-vsock: fix operation on newer kernels with AF\_VSOCK
+* rename environment varible from DEBUG to VPNKIT\_DEBUG to avoid clashing with
+ other software
+* tcp: disable keep-alives: they were causing a space leak
+* http: HTTP/1.0 should default to Connection:close
+* icmp: don't log parse failures
+* ntp: remove the automatic NTP forward to localhost: use the --gateway-forwards
+ feature instead
+* http: handle Connection:close
+* http: consult the "localhost" names in the transparent proxy
+* http: support both hostnames and IPs in excludes
+* http: fix HTTP CONNECT
+* http: respect authorization headers
+* http: HEAD responses must not have bodies
+
 ### v0.2.0 (2018-01-03)
 
 * add 9pmount-vsock and tap-vsock helper programs

From ba63af536e0e69d46142e9bf89a8d30fc8068646 Mon Sep 17 00:00:00 2001
From: David Scott
Date: Wed, 6 Feb 2019 21:25:38 +0000
Subject: [PATCH 2/2] Clarify that --host-ip 0.0.0.0 disables the feature

Fixes #449
Signed-off-by: David Scott --- src/bin/main.ml | 2 +- src/hostnet/slirp.ml | 35 +++++++++++++++++++---------------- 2 files changed, 20 insertions(+), 17 deletions(-) diff --git a/src/bin/main.ml b/src/bin/main.ml index 15b5dda4f..af3a842ec 100644 --- a/src/bin/main.ml +++ b/src/bin/main.ml @@ -796,7 +796,7 @@ let gateway_ip = let host_ip = let doc = Arg.info ~doc: - "IP address which represents the host. Connections to this IP will be forwarded to localhost on the host." + "IP address which represents the host. Connections to this IP will be forwarded to localhost on the host. Use the value 0.0.0.0 to disable this feature." [ "host-ip" ] in Arg.(value & opt string (Ipaddr.V4.to_string Configuration.default_host_ip) doc) diff --git a/src/hostnet/slirp.ml b/src/hostnet/slirp.ml index 7262c31b7..8c95f3911 100644 --- a/src/hostnet/slirp.ml +++ b/src/hostnet/slirp.ml @@ -474,7 +474,7 @@ struct clock: Clock.t; endpoint: Endpoint.t; udp_nat: Udp_nat.t; - dns_ips: Ipaddr.V4.t list; + dns_ips: Ipaddr.t list; } (** Proxies connections to services on localhost on the host *) @@ -989,11 +989,11 @@ struct >>= fun switch -> (* Serve a static ARP table *) - let local_arp_table = [ - c.Configuration.lowest_ip, client_macaddr; - c.Configuration.gateway_ip, c.Configuration.server_macaddr; - c.Configuration.host_ip, c.Configuration.server_macaddr; - ] in + let local_arp_table = + (c.Configuration.lowest_ip, client_macaddr) + :: (c.Configuration.gateway_ip, c.Configuration.server_macaddr) + :: (if Ipaddr.V4.(compare unspecified c.Configuration.host_ip = 0) then [] else [ c.Configuration.host_ip, c.Configuration.server_macaddr]) + in Global_arp_ethif.connect switch >>= fun global_arp_ethif -> 
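Review bot: The "host IP is disabled" predicate introduced for `local_arp_table` is spelled as `Ipaddr.V4.(compare unspecified c.Configuration.host_ip = 0)` here, but the same test appears three more times in this patch in two other shapes (`Ipaddr.V4.(compare unspecified …) = 0` and `… <> 0`), so a reader has to convince themselves four times that they all mean the same thing. Since 0.0.0.0 is now a documented sentinel in the CLI help, give it one name and use it at every site: `let host_ip_disabled c = Ipaddr.V4.compare Ipaddr.V4.unspecified c.Configuration.host_ip = 0` near the top of slirp.ml (or as a function on `Configuration`), with a comment that 0.0.0.0 means "no localhost proxy, no ARP entry". That also makes it harder for a future caller of `host_ip` to forget the check. The function this hunk belongs to starts and ends outside the hunk.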
@@ -1155,7 +1155,11 @@ struct Global_arp.input arp (Cstruct.shift buf Ethif_wire.sizeof_ethernet) | Ok (Ethernet { payload = Ipv4 ({ dst; _ } as ipv4 ); _ }) -> (* For any new IP destination, create a stack to proxy for - the remote system *) + the remote system *) + let localhost_ips = + if Ipaddr.V4.(compare unspecified c.Configuration.host_ip) = 0 + then [] + else [ Ipaddr.V4 c.Configuration.host_ip ] in if dst = c.Configuration.gateway_ip then begin begin let open Lwt_result.Infix in @@ -1188,7 +1192,7 @@ struct end in Udp_nat.set_send_reply ~t:udp_nat ~send_reply; Gateway.create clock endpoint udp_nat [ c.Configuration.gateway_ip ] - c.Configuration.host_names [ Ipaddr.V4 c.Configuration.host_ip ] + c.Configuration.host_names localhost_ips end >>= function | Error e -> Log.err (fun f -> @@ -1200,13 +1204,13 @@ struct | Ok () -> () | Error e -> Log.err (fun f -> f "failed to read TCP/IP input: %a" pp_error e); - end else if dst = c.Configuration.host_ip then begin + end else if dst = c.Configuration.host_ip && Ipaddr.V4.(compare unspecified c.Configuration.host_ip <> 0) then begin begin let open Lwt_result.Infix in find_endpoint dst >>= fun endpoint -> Log.debug (fun f -> f "creating localhost TCP/IP proxy for %a" Ipaddr.V4.pp_hum dst); - Localhost.create clock endpoint udp_nat [ c.Configuration.host_ip ] + Localhost.create clock endpoint udp_nat localhost_ips end >>= function | Error e -> Log.err (fun f -> @@ -1225,7 +1229,7 @@ struct Log.debug (fun f -> f "create remote TCP/IP proxy for %a" Ipaddr.V4.pp_hum dst); Remote.create endpoint udp_nat icmp_nat - c.Configuration.host_names [ Ipaddr.V4 c.Configuration.host_ip ] + c.Configuration.host_names localhost_ips end >>= function | Error e -> Log.err (fun f -> 
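Review bot: `localhost_ips` is recomputed inside the per-frame input handler, on every `Ipv4 { dst; _ }` frame that reaches this match arm, yet it depends only on `c.Configuration.host_ip`, which is fixed for the lifetime of the stack. It is cheap, but it is also a second copy of the disable-sentinel logic sitting in the hot path; compute it once where the ARP table is built and close over it, so the handler reads as `Gateway.create … c.Configuration.host_names localhost_ips` with no conditional of its own. A one-line comment at the definition, `(* empty when --host-ip 0.0.0.0: no address is treated as the host's localhost *)`, would explain why an empty list is a legitimate value. The enclosing handler starts and ends outside the hunk.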
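Review bot: `Gateway.create` is now handed `c.Configuration.host_names` together with a possibly empty `localhost_ips`, and the same pairing goes to `Remote.create` further down. I cannot see the callee from this hunk, but if those names are resolved onto this list for the transparent proxy or DNS, disabling the host IP leaves the host names with no address at all, which is a different behaviour from "not forwarding to localhost" and should be either intended and documented in the `--host-ip` help text, or handled in the callee. Please confirm how `Gateway.create`/`Remote.create` treat an empty IP list for `host_names` and add a sentence to the help string (`… 0.0.0.0 also leaves the host names unresolvable …` or whatever the actual behaviour is).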
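Review bot: With `--host-ip 0.0.0.0` the new guard `dst = c.Configuration.host_ip && Ipaddr.V4.(compare unspecified c.Configuration.host_ip <> 0)` is false for a guest frame addressed to 0.0.0.0, so that frame is no longer proxied to localhost but falls through to the `Remote.create` branch with `dst` = 0.0.0.0. On Linux and macOS a host-side `connect()` to 0.0.0.0 reaches the host's own loopback listeners, so unless `Remote.create` already refuses unspecified destinations (I cannot see it from here) the "disabled" configuration may still let the guest reach host services through the unspecified address, which is the exposure #449 is presumably trying to close. I would add an explicit branch before the remote proxy that drops frames whose destination is unspecified, e.g. `end else if Ipaddr.V4.(compare unspecified dst) = 0 then Lwt.return_unit (* never proxy 0.0.0.0 to the host *)`, adjusted to whatever this match arm returns. The enclosing handler starts and ends outside the hunk.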
@@ -1465,11 +1469,10 @@ struct Log.info (fun f -> f "Configuration %s" (Configuration.to_string c)); let global_arp_table : arp_table = { mutex = Lwt_mutex.create(); - table = [ - c.Configuration.gateway_ip, c.Configuration.server_macaddr; - c.Configuration.host_ip, c.Configuration.server_macaddr; - ]; - + table = + (c.Configuration.gateway_ip, c.Configuration.server_macaddr) + :: (if Ipaddr.V4.(compare unspecified c.Configuration.host_ip) = 0 then [] + else [c.Configuration.host_ip, c.Configuration.server_macaddr ]); } in let client_uuids : uuid_table = { mutex = Lwt_mutex.create();