I tried to reproduce this in an up-to-date bionic VM as follows:

# inside the bionic VM
sudo snap install lxd
sudo lxd init # accept defaults
sudo lxc launch ubuntu-daily:hirsute hirsute
sudo lxc exec hirsute /bin/bash


# then inside the hirsute container install livecd-rootfs
apt update
apt install livecd-rootfs

# http works as expected with no changes
wget -q www.google.com -O/dev/null && echo Working || echo Failed
Working # works as expected with no iptables rule

# add iptables rule manually
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon \
           -j REDIRECT --to 8080

# now we expect it to fail as there is no magic-proxy running yet
wget -q www.google.com -O/dev/null && echo Working || echo Failed
Failed

# start the magic-proxy manually
/usr/share/livecd-rootfs/magic-proxy  \
       --address="127.0.0.1"          \
       --port=8080                    \
       --run-as=daemon                \
       --cutoff-time=0                \
       --log-file=livecd.magic-proxy.log  \
       --pid-file=magic-proxy.pid     \
       --background                   \
       --setsid

# wget works as expected via the proxy
wget -q www.google.com -O/dev/null && echo Working || echo Failed
Working

# kill the proxy
killall magic-proxy

# fails again
wget -q www.google.com -O/dev/null && echo Working || echo Failed
Failed

# remove iptables rule
iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon \
           -j REDIRECT --to 8080

# works as normal
wget -q www.google.com -O/dev/null && echo Working || echo Failed
Working

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to iptables in Ubuntu.
https://bugs.launchpad.net/bugs/1917920

Title:
  magic-proxy broke with iptables 1.8.7-1ubuntu2

Status in Launchpad itself:
  New
Status in iptables package in Ubuntu:
  New
Status in livecd-rootfs package in Ubuntu:
  New
Status in lxd package in Ubuntu:
  New

Bug description:
  when iptables got upgraded from 1.8.5-3ubuntu4 to 1.8.7-1ubuntu2 magic
  proxy stopped working in livecd-rootfs.

  It does very simple thing:

  iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon \
      -j REDIRECT --to 8080

  inside hirsute lxd container, with quite high privileges, in a bionic
  VM, running 4.15 kernel.

  With 1.8.5 the above worked fine; with 1.8.7 somehow there was no outbound
  connectivity: the very first http networking command after the above
  call would just hang indefinitely.

  However, if one does this instead:

  iptables -vv -t nat -S
  iptables-legacy -vv -t nat -S
  iptables -vv -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon \
      -j REDIRECT --to 8080

  somehow magically everything starts to work fine.

  weird.

To manage notifications about this bug go to:
https://bugs.launchpad.net/launchpad/+bug/1917920/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
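The add / probe / start-proxy / kill / remove sequence from the reproduction above, as an added example script that is not from the bug report, livecd-rootfs or magic-proxy. It uses the same REDIRECT rule, magic-proxy command line and probe URL as the report; the function names, the environment-variable defaults and the `run` argument are assumptions of this example. The rule is added only if `iptables -C` says it is absent, every copy is deleted on exit via a trap, and the proxy is stopped through its pid file rather than `killall`, so an aborted run does not leave a redirect with no listener behind it (which is exactly the "hang" state the report describes).

```shell
#!/bin/sh
# Added example (not part of livecd-rootfs or magic-proxy): the manual
# add / probe / remove sequence from the bug report as a script that never
# leaves the REDIRECT rule behind. Run as root inside the container:
#   sh redirect-repro.sh run
# Names and defaults below are assumptions chosen to match the report.

PROXY_PORT="${PROXY_PORT:-8080}"
PROXY_USER="${PROXY_USER:-daemon}"           # uid excluded from the redirect
PROXY_BIN="${PROXY_BIN:-/usr/share/livecd-rootfs/magic-proxy}"
PROBE_URL="${PROBE_URL:-http://www.google.com/}"
PIDFILE="${PIDFILE:-magic-proxy.pid}"

# The rule from the report; $1 selects -C (check), -A (append) or -D (delete)
# so the exact same match is used for all three. "--to-ports" is the
# documented spelling of the "--to 8080" abbreviation used in the report.
redirect_rule() {
    iptables -t nat "$1" OUTPUT -p tcp --dport 80 \
        -m owner ! --uid-owner "$PROXY_USER" \
        -j REDIRECT --to-ports "$PROXY_PORT"
}

# Idempotent add: a second run must not append a duplicate rule.
ensure_redirect() {
    if redirect_rule -C 2>/dev/null; then
        echo "redirect rule already present"
    else
        redirect_rule -A && echo "redirect rule added"
    fi
}

# Delete every copy of the rule (repeated manual -A calls leave duplicates).
remove_redirect() {
    while redirect_rule -C 2>/dev/null; do
        redirect_rule -D
    done
}

# The report's probe: can a plain HTTP fetch to port 80 complete?
# A bounded timeout turns the hang described in the report into "Failed"
# instead of blocking the script. Prints "<label>: Working" or "<label>: Failed".
probe() {
    if wget -q -T 10 -t 1 "$PROBE_URL" -O /dev/null; then
        echo "$1: Working"
    else
        echo "$1: Failed"
        return 1
    fi
}

# magic-proxy invocation exactly as in the report, parameterised.
start_proxy() {
    "$PROXY_BIN" --address=127.0.0.1 --port="$PROXY_PORT" \
        --run-as="$PROXY_USER" --cutoff-time=0 \
        --log-file=livecd.magic-proxy.log --pid-file="$PIDFILE" \
        --background --setsid
}

# Stop only the instance we started, via its pid file, rather than killall.
stop_proxy() {
    if [ -f "$PIDFILE" ]; then
        kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE"
    fi
}

run_repro() {
    # Whatever happens, remove the redirect so port 80 is not left black-holed.
    trap 'stop_proxy 2>/dev/null; remove_redirect' EXIT INT TERM
    probe "no rule"            || true   # report: Working
    ensure_redirect
    probe "rule, no proxy"     || true   # report: Failed
    start_proxy
    sleep 1
    probe "rule + proxy"       || true   # report: Working
    stop_proxy
    probe "rule, proxy killed" || true   # report: Failed
    remove_redirect
    probe "rule removed"       || true   # report: Working
}

if [ "${1:-}" = "run" ]; then
    run_repro
fi
```

Sourcing the file without the `run` argument only defines the functions, which is what lets `ensure_redirect`, `remove_redirect` and `probe` be exercised against stubbed `iptables` and `wget` before the script is trusted on a real container.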