Received: by passt.top (Postfix, from userid 1000) id 7CF6B5A026A; Thu, 3 Nov 2022 00:04:43 +0100 (CET)
From: Stefano Brivio
To: passt-dev@passt.top
Subject: [PATCH 1/3] conf: Consistency check between configured IPv4 netmask and gateway
Date: Thu, 3 Nov 2022 00:04:41 +0100
Message-Id: <20221102230443.377446-2-sbrivio@redhat.com>
X-Mailer: git-send-email 2.35.1
In-Reply-To: <20221102230443.377446-1-sbrivio@redhat.com>
References: <20221102230443.377446-1-sbrivio@redhat.com>
CC: Paul Holzinger, David Gibson
List-Id: Development discussion and patches for passt

Seen in a Google Compute Engine environment with a machine configured via cloud-init-dhcp, while testing Podman integration for pasta: the assigned address has a /32 netmask, and there's a default route, which can be added on the host because there's another route, also /32, pointing to the default gateway.

This is not a valid configuration as far as I can tell: if the address is configured as /32, it shouldn't be used to reach a gateway outside its derived netmask. However, Linux allows that, and everything works.

The problem comes when pasta --config-net sources address and default route from the host, and it can't configure the route in the target namespace because the gateway is invalid.

Sourcing more routes than just the default is doable, but probably undesirable: pasta users want to provide connectivity to a container, not reflect exactly whatever trickery is configured on the host.

Add a consistency check: if the configured default gateway is not reachable, shrink the given netmask until we can reach it. Signed-off-by: Stefano Brivio --- conf.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/conf.c b/conf.c index 90214f5..5b88547 100644 --- a/conf.c +++ b/conf.c @@ -562,6 +562,10 @@ static unsigned int conf_ip4(unsigned int ifi, ip4->mask = 0xffffffff; } + /* Mask consistency check: ensure we can reach the default gateway */ + while ((ip4->addr & ip4->mask) != (ip4->gw & ip4->mask)) + ip4->mask = htonl(ntohl(ip4->mask) << 1); + memcpy(&ip4->addr_seen, &ip4->addr, sizeof(ip4->addr_seen)); if (MAC_IS_ZERO(mac)) -- 2.35.1
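
Review bot: the new while loop in conf_ip4() has no lower bound on the mask and no guard on ip4->gw, so it can silently widen the prefix all the way to 0.0.0.0. The loop only stops when (ip4->addr & ip4->mask) equals (ip4->gw & ip4->mask), which is guaranteed only once the mask reaches zero. If ip4->gw can still be unset (zero) at this point, which the visible lines do not rule out, or if the gateway shares few leading bits with the address, the namespace ends up treating a very large range, possibly all of IPv4, as on-link. Consider skipping the check when no gateway is set, stopping at a minimum prefix length and failing with an error beyond it, and logging when the mask is changed. The commit message says the "given netmask" is shrunk, so a value the user supplied explicitly is overridden without notice. The comment would also be more accurate if it said the mask is widened until the gateway falls inside the subnet, since "ensure we can reach the default gateway" does not tell the reader that ip4->mask is being modified.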