public inbox for passt-dev@passt.top
From: Stefano Brivio <sbrivio@redhat.com>
To: passt-dev@passt.top
Cc: Paul Holzinger <pholzing@redhat.com>,
	David Gibson <david@gibson.dropbear.id.au>
Subject: [PATCH v2 1/3] conf: Consistency check between configured IPv4 netmask and gateway
Date: Thu,  3 Nov 2022 07:33:39 +0100
Message-ID: <20221103063341.401251-2-sbrivio@redhat.com>
In-Reply-To: <20221103063341.401251-1-sbrivio@redhat.com>

Seen in a Google Compute Engine environment with a machine configured
via cloud-init-dhcp, while testing Podman integration for pasta: the
assigned address has a /32 netmask, and there's a default route,
which can be added on the host because there's another route, also
/32, pointing to the default gateway. For example, on the host:

  ip -4 address add 10.156.0.2/32 dev eth0
  ip -4 route add 10.156.0.1/32 dev eth0
  ip -4 route add default via 10.156.0.1

This is not a valid configuration as far as I can tell: if the
address is configured as /32, it shouldn't be used to reach a gateway
outside its derived netmask. However, Linux allows that, and
everything works.

The problem comes when pasta --config-net sources address and default
route from the host, and it can't configure the route in the target
namespace because the gateway is invalid. That is, we would skip
configuring the first route in the example, which results in the
equivalent of doing:

  ip -4 address add 10.156.0.2/32 dev eth0
  ip -4 route add default via 10.156.0.1

where, at this point, 10.156.0.1 is unreachable, and hence invalid
as a gateway.

Sourcing more routes than just the default is doable, but probably
undesirable: pasta users want to provide connectivity to a container,
not reflect exactly whatever trickery is configured on the host.

Add a consistency check: if the configured default gateway is not
reachable, shrink the given netmask until we can reach it.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 conf.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/conf.c b/conf.c
index f5099a7..1576744 100644
--- a/conf.c
+++ b/conf.c
@@ -584,6 +584,20 @@ static unsigned int conf_ip4(unsigned int ifi,
 			ip4->prefix_len = 32;
 	}
 
+	/* We might get an address with a netmask that makes the default
+	 * gateway unreachable, and in that case we would fail to configure
+	 * the default route, with --config-net, or presumably a DHCP client
+	 * in the guest or container would face the same issue.
+	 *
+	 * The host might have another route, to the default gateway itself,
+	 * fixing the situation, but we only read default routes.
+	 *
+	 * Fix up the mask to allow reaching the default gateway from our
+	 * configured address, if needed.
+	 */
+	while ((ip4->addr & ip4->mask) != (ip4->gw & ip4->mask))
+		ip4->mask = htonl(ntohl(ip4->mask) << 1);
+
 	memcpy(&ip4->addr_seen, &ip4->addr, sizeof(ip4->addr_seen));
 
 	if (MAC_IS_ZERO(mac))
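Review bot: the loop at `while ((ip4->addr & ip4->mask) != (ip4->gw & ip4->mask))` has no lower bound and does not check that a default gateway was actually read: if ip4->gw is still 0.0.0.0 (no default route found on the host), the condition only becomes false once the mask has been shifted down to cover just the leading zero bits of the address, so a /32 on a 10.x address ends up as /4, and other addresses as /0. Guard the loop with `if (ip4->gw)` (or whatever marks a default route as found). Also, ip4->prefix_len, set to 32 in the context just above, is left untouched while ip4->mask changes, so the two fields disagree after the fixup; either recompute prefix_len from the shrunk mask or shrink prefix_len and derive the mask from it.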
-- 
2.35.1
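The netmask fixup described in the commit message, as an added stand-alone example (not passt's own code): the same shrink loop as the patch, applied to the 10.156.0.2/32 and 10.156.0.1 values from the message, with a guard for the case where no default gateway was read and with prefix_len kept in sync with the mask. `struct ip4_cfg`, `fix_mask_for_gw` and `prefix_after_fixup` are hypothetical names chosen here.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the pasta IPv4 fields the patch touches;
 * addr, gw and mask are in network byte order like ip4->addr/gw/mask. */
struct ip4_cfg {
	in_addr_t addr;
	in_addr_t gw;
	in_addr_t mask;
	int prefix_len;
};

/* Same loop as the patch: widen the network until gw falls inside it.
 * Two guards added here that the patch does not have: do nothing when no
 * default gateway was read (gw == 0.0.0.0), and keep prefix_len in sync
 * with mask. Returns the resulting prefix length. */
int fix_mask_for_gw(struct ip4_cfg *ip4)
{
	uint32_t mask = ntohl(ip4->mask);
	int len;

	if (!ip4->gw)
		return ip4->prefix_len;

	while ((ip4->addr & htonl(mask)) != (ip4->gw & htonl(mask)))
		mask <<= 1;	/* uint32_t: reaches 0 (/0) at worst, then stops */

	for (len = 0; len < 32 && (mask & (0x80000000U >> len)); len++)
		;
	ip4->mask = htonl(mask);
	ip4->prefix_len = len;
	return len;
}

/* Start from a /32 host address (as in the GCE case) and report the
 * prefix length the check settles on for a given gateway. */
int prefix_after_fixup(const char *addr, const char *gw)
{
	struct ip4_cfg ip4 = { .mask = htonl(0xffffffffU), .prefix_len = 32 };

	inet_pton(AF_INET, addr, &ip4.addr);
	inet_pton(AF_INET, gw, &ip4.gw);
	return fix_mask_for_gw(&ip4);
}

int main(void)
{
	/* Constructed from the commit message: 10.156.0.2/32, gateway 10.156.0.1 */
	printf("10.156.0.2 via 10.156.0.1: /%d\n", prefix_after_fixup("10.156.0.2", "10.156.0.1"));
	printf("10.156.0.2, no gateway:    /%d\n", prefix_after_fixup("10.156.0.2", "0.0.0.0"));
	return 0;
}
```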


Thread overview:
2022-11-03  6:33 [PATCH v2 0/3] Fixes and workarounds for pasta with Podman in Google Cloud Stefano Brivio
2022-11-03  6:33 ` Stefano Brivio [this message]
2022-11-03  6:33 ` [PATCH v2 2/3] conf: Split the notions of read DNS addresses and offered ones Stefano Brivio
2022-11-03  7:10   ` Stefano Brivio
2022-11-03  6:33 ` [PATCH v2 3/3] udp: Check for answers to forwarded DNS queries before handling local redirects Stefano Brivio
