From mboxrd@z Thu Jan  1 00:00:00 1970
Received: by passt.top (Postfix, from userid 1000)
	id 7CF6B5A026A; Thu,  3 Nov 2022 00:04:43 +0100 (CET)
From: Stefano Brivio <sbrivio@redhat.com>
To: passt-dev@passt.top
Subject: [PATCH 1/3] conf: Consistency check between configured IPv4 netmask and gateway
Date: Thu,  3 Nov 2022 00:04:41 +0100
Message-Id: <20221102230443.377446-2-sbrivio@redhat.com>
X-Mailer: git-send-email 2.35.1
In-Reply-To: <20221102230443.377446-1-sbrivio@redhat.com>
References: <20221102230443.377446-1-sbrivio@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-ID-Hash: KL2RJSCXPRNNOITR2SOT2A5IXKPBNP4S
X-Message-ID-Hash: KL2RJSCXPRNNOITR2SOT2A5IXKPBNP4S
X-MailFrom: sbrivio@passt.top
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Paul Holzinger <pholzing@redhat.com>, David Gibson <david@gibson.dropbear.id.au>
X-Mailman-Version: 3.3.3
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <>
Archived-At: <https://archives.passt.top/passt-dev/20221102230443.377446-2-sbrivio@redhat.com/>
List-Archive: <>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

Seen in a Google Compute Engine environment with a machine configured
via cloud-init-dhcp, while testing Podman integration for pasta: the
assigned address has a /32 netmask, and there's a default route,
which can be added on the host because there's another route, also
/32, pointing to the default gateway.

This is not a valid configuration as far as I can tell: if the
address is configured as /32, it shouldn't be used to reach a gateway
outside its derived netmask. However, Linux allows that, and
everything works.

The problem comes when pasta --config-net sources address and default
route from the host, and it can't configure the route in the target
namespace because the gateway is invalid.

Sourcing more routes than just the default is doable, but probably
undesirable: pasta users want to provide connectivity to a container,
not reflect exactly whatever trickery is configured on the host.

Add a consistency check: if the configured default gateway is not
reachable, shrink the given netmask until we can reach it.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 conf.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/conf.c b/conf.c
index 90214f5..5b88547 100644
--- a/conf.c
+++ b/conf.c
@@ -562,6 +562,10 @@ static unsigned int conf_ip4(unsigned int ifi,
 			ip4->mask = 0xffffffff;
 	}
 
+	/* Mask consistency check: ensure we can reach the default gateway */
+	while ((ip4->addr & ip4->mask) != (ip4->gw & ip4->mask))
+		ip4->mask = htonl(ntohl(ip4->mask) << 1);
+
 	memcpy(&ip4->addr_seen, &ip4->addr, sizeof(ip4->addr_seen));
 
 	if (MAC_IS_ZERO(mac))
-- 
2.35.1