Updating restriction file sometimes doesn't work, restrictions variable not updated #368
Comments
Here’s my guess… @erebe, I am a newbie at Rust. I think that the problem is that the variable ‘restrictions’ is not created as mutable (I think the fix is to make it mutable, for example: let mut restrictions).
Hello, Thanks for reporting the issue ;-) I think I understand where the problem is coming from, it is the same mistake I made when you reported the issue with the logs ever increasing on tunnel rejection. For now, the update/use of the new reloaded restrictions is done only once at the beginning of a new TCP connection. And in your case you seem to have a reverse proxy in front of wstunnel that multiplexes/reuses the TCP connections. So you end up in the situation where the restrictions file is reloaded, but never updated for new requests that re-use the existing connections. I will provide a fix next week regarding this, to update the restrictions before each request and not only at the beginning of the new TCP connections.
Ah, that makes sense, we're using an nginx ingress in kubernetes between wstunnel client and server, so yes makes sense that it is hiding some information. Thanks again for your very speedy response and analysis.
instead of only once per connection, to avoid using a stale restriction config when multiple requests arrive on the same tcp stream.
It should be fixed in the latest release https://github.com/erebe/wstunnel/releases/tag/v10.1.5
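The stale-restrictions behaviour described in the thread above, and the per-request refresh that addresses it, as an added example (not wstunnel's own code). `Rules`, `Shared`, `Event`, `reload` and `serve` are hypothetical names, and exact prefix matching is a simplification of the real `!PathPrefix` match.

```rust
use std::sync::{Arc, RwLock};

// Simplified stand-in for the server's restriction rules (hypothetical model):
// a request is allowed only if its path prefix is listed exactly.
#[derive(Debug, Default)]
struct Rules { allowed_prefixes: Vec<String> }

// Slot that the restriction-file watcher overwrites on every reload.
type Shared = Arc<RwLock<Arc<Rules>>>;

fn new_shared(prefixes: &[&str]) -> Shared {
    let shared = Shared::default();
    reload(&shared, prefixes);
    shared
}

fn reload(shared: &Shared, prefixes: &[&str]) {
    let allowed_prefixes = prefixes.iter().map(|p| p.to_string()).collect();
    *shared.write().unwrap() = Arc::new(Rules { allowed_prefixes });
}

// Events seen on ONE kept-alive TCP connection, e.g. behind a reverse proxy.
enum Event { Reload(&'static [&'static str]), Request(&'static str) }

// Returns the allow/deny decision for each Request, in order.
fn serve(shared: &Shared, events: &[Event], refresh_per_request: bool) -> Vec<bool> {
    let mut rules = shared.read().unwrap().clone(); // snapshot at accept time
    let mut decisions = Vec::new();
    for ev in events {
        match ev {
            Event::Reload(p) => reload(shared, p),
            Event::Request(prefix) => {
                if refresh_per_request {
                    rules = shared.read().unwrap().clone(); // current rules
                }
                decisions.push(rules.allowed_prefixes.iter().any(|a| a.as_str() == *prefix));
            }
        }
    }
    decisions
}

fn main() {
    // Constructed scenario: rules start empty, then the reported prefix is added.
    let events = [Event::Request("990988e604e64195"),
                  Event::Reload(&["990988e604e64195"]),
                  Event::Request("990988e604e64195")];
    println!("per-connection snapshot: {:?}", serve(&new_shared(&[]), &events, false));
    println!("per-request refresh:     {:?}", serve(&new_shared(&[]), &events, true));
}
```

In this model the snapshot variant also ignores a reload that removes a prefix until the connection closes, so the per-request refresh matters for revocation as well as for newly added rules.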
Will test today :-) Thanks
Fix looks good 💯 👍👍👍👍👍👍. Thank you
Awesome, thank you for reporting the issue ;)
Describe the bug
Updating restriction file sometimes doesn't work, restrictions variable not updated
To Reproduce
We are running wstunnel in kubernetes. We're using a configmap which contains the restrictions file, and updating it using:
kubectl edit cm .....
We've added extra logging in mod.rs:
extra_debug.patch
We see that this logging is printing out the updated restrictions file.
But later in validate_tunnel (to which we've also added some extra logging), the OLD restrictions file contents are being printed out and used, resulting in the tunnel connection being rejected.
Expected behavior
When the restrictions file is updated wstunnel should start checking new connections against the updated restrictions file.
Your wstunnel setup
Paste your logs of wstunnel, started with --log-lvl=DEBUG, and with the command line used
In the logs below with our extra debug, you see:
YAML file content: Mapping {"restrictions": Sequence [Mapping {"name": String("lv-encode"), "description": String("This is the config for lv-encode"), "match": Sequence [TaggedValue { tag: !PathPrefix, value: String("^990988e604e64195$") }], "allow": Sequence [TaggedValue { tag: !ReverseTunnel, value: Mapping {"protocol": Sequence [String("Tcp")], "port": Sequence [Number(49152)]} }]}]}
SNIP
2024-10-11T16:13:14.638326Z WARN cnx{peer="[::ffff:10.244.0.43]:44506"}:tunnel{forwarded_for="10.244.0.1" id="01927c5a-fe3f-7a30-89e8-2e9d351cc696" remote="[::]:49152"}: wstunnel::tunnel::server::utils: Restrictions: RestrictionsRules { restrictions: [] }