git clone against firewall

git clone against firewall

[Sebastian Pipping]

hello!


with a firewall blocking outgoing connections to port 9418 a

  git clone git://...

of git 1.6.6 seems to never return, i.e. loop forever.  in my rather
automated environment (gentoo's tool layman calling git) this behavior
is rather troublesome - i need some kind of abort-and-error instead:
what i'm trying to do is loop over a number of clone URL alternatives of
the same repository like ..

  git://git.overlays.gentoo.org/dev/dberkholz.git
  http://git.overlays.gentoo.org/gitroot/dev/dberkholz.git
  git+ssh://git@git.overlays.gentoo.org/dev/dberkholz.git

.. and stop at the first clone that returns without error.

are there means to make git fail in such a case or to apply a timout?
if not please consider adding a related commandline option to git-clone.

thank you.



sebastian

Re: git clone against firewall

[Junio C Hamano]

Sebastian Pipping <webmaster@hartwork.org> writes:

> with a firewall blocking outgoing connections to port 9418 a
>
>   git clone git://...
>
> of git 1.6.6 seems to never return, i.e. loop forever.  in my rather
> automated environment (gentoo's tool layman calling git) this behavior
> is rather troublesome - i need some kind of abort-and-error instead:
> what i'm trying to do is loop over a number of clone URL alternatives of
> the same repository like ..
>
>   git://git.overlays.gentoo.org/dev/dberkholz.git

What do you exactly mean by "blocking"?

In my environment at work, there is a firewall and I immedately get this:

    $ git clone git://git.overlays.gentoo.org/dev/dberkholz.git/
    Initialized empty Git repository in /var/tmp/dberkholz/.git/
    fatal: Unable to look up git.overlays.gentoo.org (port 9418) (Name or service not known)

as my environment is quite isolated (it is not just a "NAT with selective
port blocking").

I am guessing that you can resolve the hostname in your environment
(i.e. you configured your NAT to let DNS go directly outside).  What
happens when you try the following?

    $ telnet git.overlays.gentoo.org 9418

Do you get:

    Trying 66.219.59.40...
    telnet: Unable to connect to remote host: Connection refused

If you get something like:

    Trying 66.219.59.40...
    Connected to pelican.gentoo.org.
    Escape character is '^]'.

then I don't think you are blocked, and if that is the case, there is not
much we can do about it.

I think your firewall can help, though, by not pretending to be allowing
the connection and then blocking you halfway.

Re: git clone against firewall

[Sebastian Pipping]

On 01/15/10 19:17, Junio C Hamano wrote:
> What do you exactly mean by "blocking"?

I chose "BLOCK always" as action for that port in my home router
(Netgear ProSafe 802.11g) config.  No idea how it's exactly doing that.


> I am guessing that you can resolve the hostname in your environment
> (i.e. you configured your NAT to let DNS go directly outside).

Name resolution works, yes.


> What
> happens when you try the following?
> 
>     $ telnet git.overlays.gentoo.org 9418
> 
> Do you get:
> 
>     Trying 66.219.59.40...
>     telnet: Unable to connect to remote host: Connection refused
> 
> If you get something like:
> 
>     Trying 66.219.59.40...
>     Connected to pelican.gentoo.org.
>     Escape character is '^]'.
> 
> then I don't think you are blocked, and if that is the case, there is not
> much we can do about it.

I get a loop/freeze on

  Trying 66.219.59.40...

nothing more.  Can you deduce from that, what's happening?


> I think your firewall can help, though, by not pretending to be allowing
> the connection and then blocking you halfway.

I'm afraid I cannot configure that.



Sebastian

Re: git clone against firewall

[Sebastian Pipping]

On 01/15/10 20:12, Sebastian Pipping wrote:
> I get a loop/freeze on
> 
>   Trying 66.219.59.40...
> 
> nothing more.  Can you deduce from that, what's happening?

Wait, it actually times out:

  # date ; telnet git.overlays.gentoo.org 9418 ; date
  Fr 15. Jan 20:14:01 CET 2010
  Trying 66.219.59.40...
  telnet: Unable to connect to remote host: Connection timed out
  Fr 15. Jan 20:17:10 CET 2010



Sebastian

Re: git clone against firewall

[Andreas Schwab]

Sebastian Pipping <webmaster@hartwork.org> writes:

> I get a loop/freeze on
>
>   Trying 66.219.59.40...
>
> nothing more.  Can you deduce from that, what's happening?

So your firewall is dropping the packets on the floor.  Not much that
can be done about that.

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."

Re: git clone against firewall

[Sebastian Pipping]

On 01/15/10 20:30, Andreas Schwab wrote:
> Sebastian Pipping <webmaster@hartwork.org> writes:
> 
>> I get a loop/freeze on
>>
>>   Trying 66.219.59.40...
>>
>> nothing more.  Can you deduce from that, what's happening?
> 
> So your firewall is dropping the packets on the floor.

I see.


> Not much that
> can be done about that.

My problem actually is not the dropping but that git doesn't stop
trying.  I actually want it to fail.



Sebastian

Re: git clone against firewall

[Andreas Krey]

On Fri, 15 Jan 2010 20:33:37 +0000, Sebastian Pipping wrote:
...
> > Not much that
> > can be done about that.
> 
> My problem actually is not the dropping but that git doesn't stop
> trying.  I actually want it to fail.

It does. After the usual network timeout, which unfortunately is
a few minutes, and thus not really useful for trying several
machines:

  74.43.91.xxx[0: 74.43.91.xxx]: errno=Connection timed out
  fatal: unable to connect a socket (Connection timed out)

Andreas

Re: git clone against firewall

[Sebastian Pipping]

On 01/16/10 00:03, Andreas Krey wrote:
> It does. After the usual network timeout, which unfortunately is
> a few minutes, and thus not really useful for trying several
> machines:

I would like to a ask for a timeout-after-n-seconds option then.

Thanks in advance!



Sebastian