allow configuring hairpinning on default nomad bridge

client/allocrunner/network_manager_linux.go

@@ -173,7 +173,7 @@ func newNetworkConfigurator(log hclog.Logger, alloc *structs.Allocation, config
 
 	switch {
 	case netMode == "bridge":
-		c, err := newBridgeNetworkConfigurator(log, config.BridgeNetworkName, config.BridgeNetworkAllocSubnet, config.CNIPath, ignorePortMappingHostIP)
+		c, err := newBridgeNetworkConfigurator(log, config.BridgeNetworkName, config.BridgeNetworkAllocSubnet, config.CNIPath, ignorePortMappingHostIP, config.BridgeNetworkHairpin)
 		if err != nil {
 			return nil, err
 		}

client/allocrunner/networking_bridge_linux.go

@@ -35,15 +35,17 @@ type bridgeNetworkConfigurator struct {
 	cni         *cniNetworkConfigurator
 	allocSubnet string
 	bridgeName  string
+	hairpin     bool
 
 	logger hclog.Logger
 }
 
-func newBridgeNetworkConfigurator(log hclog.Logger, bridgeName, ipRange, cniPath string, ignorePortMappingHostIP bool) (*bridgeNetworkConfigurator, error) {
+func newBridgeNetworkConfigurator(log hclog.Logger, bridgeName, ipRange, cniPath string, ignorePortMappingHostIP bool, hairpin bool) (*bridgeNetworkConfigurator, error) {
 	b := &bridgeNetworkConfigurator{
 		bridgeName:  bridgeName,
 		allocSubnet: ipRange,
 		logger:      log,
+		hairpin:     hairpin,
 	}
 
 	if b.bridgeName == "" {
@@ -54,7 +56,7 @@ func newBridgeNetworkConfigurator(log hclog.Logger, bridgeName, ipRange, cniPath
 		b.allocSubnet = defaultNomadAllocSubnet
 	}
 
-	c, err := newCNINetworkConfiguratorWithConf(log, cniPath, bridgeNetworkAllocIfPrefix, ignorePortMappingHostIP, buildNomadBridgeNetConfig(b.bridgeName, b.allocSubnet))
+	c, err := newCNINetworkConfiguratorWithConf(log, cniPath, bridgeNetworkAllocIfPrefix, ignorePortMappingHostIP, buildNomadBridgeNetConfig(b.bridgeName, b.allocSubnet, b.hairpin))
 	if err != nil {
 		return nil, err
 	}
@@ -134,8 +136,8 @@ func (b *bridgeNetworkConfigurator) Teardown(ctx context.Context, alloc *structs
 	return b.cni.Teardown(ctx, alloc, spec)
 }
 
-func buildNomadBridgeNetConfig(bridgeName, subnet string) []byte {
-	return []byte(fmt.Sprintf(nomadCNIConfigTemplate, bridgeName, subnet, cniAdminChainName))
+func buildNomadBridgeNetConfig(bridgeName, subnet string, hairpin bool) []byte {
+	return []byte(fmt.Sprintf(nomadCNIConfigTemplate, bridgeName, hairpin, subnet, cniAdminChainName))
 }
 
 const nomadCNIConfigTemplate = `{
@@ -151,6 +153,7 @@ const nomadCNIConfigTemplate = `{
 			"ipMasq": true,
 			"isGateway": true,
 			"forceAddress": true,
+            "hairpinMode": %t,
 			"ipam": {
 				"type": "host-local",
 				"ranges": [

client/config/config.go

@@ -255,6 +255,10 @@ type Config struct {
 	// networking mode. This defaults to 'nomad' if not set
 	BridgeNetworkName string
 
+	// BridgeNetworkHairpin sets wether the bridge allows hairpining, that is allow clients
+	// to connect to their own IP. This defaults to false if not set
+	BridgeNetworkHairpin bool
+
 	// BridgeNetworkAllocSubnet is the IP subnet to use for address allocation
 	// for allocations in bridge networking mode. Subnet must be in CIDR
 	// notation

command/agent/agent.go

@@ -712,6 +712,7 @@ func convertClientConfig(agentConfig *Config) (*clientconfig.Config, error) {
 	conf.CNIPath = agentConfig.Client.CNIPath
 	conf.CNIConfigDir = agentConfig.Client.CNIConfigDir
 	conf.BridgeNetworkName = agentConfig.Client.BridgeNetworkName
+	conf.BridgeNetworkHairpin = agentConfig.Client.BridgeNetworkHairpin
 	conf.BridgeNetworkAllocSubnet = agentConfig.Client.BridgeNetworkSubnet
 
 	for _, hn := range agentConfig.Client.HostNetworks {

command/agent/config.go

@@ -300,6 +300,9 @@ type ClientConfig struct {
 	// bridge network mode
 	BridgeNetworkName string `hcl:"bridge_network_name"`
 
+	// BridgeNetworkHairpin sets wether to allow hairpinning on the bridge
+	BridgeNetworkHairpin bool `hcl:"bridge_network_hairpin"`
+
 	// BridgeNetworkSubnet is the subnet to allocate IP addresses from when
 	// creating allocations with bridge networking mode. This range is local to
 	// the host
@@ -988,6 +991,7 @@ func DevConfig(mode *devModeConfig) *Config {
 		DisableSandbox:   false,
 	}
 	conf.Client.BindWildcardDefaultHostNetwork = true
+	conf.Client.BridgeNetworkHairpin = false
 	conf.Client.NomadServiceDiscovery = helper.BoolToPtr(true)
 	conf.Telemetry.PrometheusMetrics = true
 	conf.Telemetry.PublishAllocationMetrics = true
@@ -1038,6 +1042,7 @@ func DefaultConfig() *Config {
 				DisableSandbox:   false,
 			},
 			BindWildcardDefaultHostNetwork: true,
+			BridgeNetworkHairpin:           false,
 			CNIPath:                        "/opt/cni/bin",
 			CNIConfigDir:                   "/opt/cni/config",
 			NomadServiceDiscovery:          helper.BoolToPtr(true),
@@ -1841,6 +1846,9 @@ func (a *ClientConfig) Merge(b *ClientConfig) *ClientConfig {
 	if b.BridgeNetworkName != "" {
 		result.BridgeNetworkName = b.BridgeNetworkName
 	}
+	if b.BridgeNetworkHairpin {
+		result.BridgeNetworkHairpin = true
+	}
 	if b.BridgeNetworkSubnet != "" {
 		result.BridgeNetworkSubnet = b.BridgeNetworkSubnet
 	}

website/content/docs/configuration/client.mdx

@@ -142,6 +142,9 @@ client {
 - `bridge_network_subnet` `(string: "172.26.64.0/20")` - Specifies the subnet
   which the client will use to allocate IP addresses from.
 
+- `bridge_network_hairpin` `(bool: false)` - Specifies wether the bridge should
+  allow hairpinning.
+
 - `artifact` <code>([Artifact](#artifact-parameters): varied)</code> -
   Specifies controls on the behavior of task
   [`artifact`](/docs/job-specification/artifact) stanzas.