[PATCH] pasta: Strip RTA_PREFSRC when copying routes to the namespace

[PATCH] pasta: Strip RTA_PREFSRC when copying routes to the namespace

[David Gibson]

Host routes can include a preferred source address (RTA_PREFSRC), which
must be one of the host's addresses.  However when using pasta with -a the
namespace might be given a different address, not on the host.  This seems
to occur pretty routinely depending on the network configuration systems
in place on the host.

With --config-net we will try to copy host routes to the namespace.  If
one of those includes an RTA_PREFSRC, but the namespace doesn't have the
host address, this will fail with -EINVAL, causing pasta to fail.

Fix this by stripping off RTA_PREFSRC attributes from routes as we copy
them to the namespace.  This is by no means infallible, bit it should at
least handle common cases for the time being.

Link: https://bugs.passt.top/show_bug.cgi?id=71
Link: https://github.com/containers/podman/pull/19699#issuecomment-1688769287

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
---
 netlink.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/netlink.c b/netlink.c
index f55f2c3..98f08e7 100644
--- a/netlink.c
+++ b/netlink.c
@@ -462,8 +462,21 @@ int nl_route_dup(int s_src, unsigned int ifi_src,
 
 		for (rta = RTM_RTA(rtm), na = RTM_PAYLOAD(nh); RTA_OK(rta, na);
 		     rta = RTA_NEXT(rta, na)) {
-			if (rta->rta_type == RTA_OIF)
+			if (rta->rta_type == RTA_OIF) {
+				/* The host obviously list's the host interface
+				 * id here, we need to change it to the
+				 * namespace's interface id
+				 */
 				*(unsigned int *)RTA_DATA(rta) = ifi_dst;
+			} else if (rta->rta_type == RTA_PREFSRC) {
+				/* Host routes might include a preferred source
+				 * address, which must be one of the host's
+				 * addresses.  However, with -a pasta will use a
+				 * different namespace address, making such a
+				 * route invalid in the namespace.  Strip off
+				 * RTA_PREFSRC attributes to avoid that. */
+				rta->rta_type = RTA_UNSPEC;
+			}
 		}
 	}
 
-- 
@@ -462,8 +462,21 @@ int nl_route_dup(int s_src, unsigned int ifi_src,
 
 		for (rta = RTM_RTA(rtm), na = RTM_PAYLOAD(nh); RTA_OK(rta, na);
 		     rta = RTA_NEXT(rta, na)) {
-			if (rta->rta_type == RTA_OIF)
+			if (rta->rta_type == RTA_OIF) {
+				/* The host obviously list's the host interface
+				 * id here, we need to change it to the
+				 * namespace's interface id
+				 */
 				*(unsigned int *)RTA_DATA(rta) = ifi_dst;
+			} else if (rta->rta_type == RTA_PREFSRC) {
+				/* Host routes might include a preferred source
+				 * address, which must be one of the host's
+				 * addresses.  However, with -a pasta will use a
+				 * different namespace address, making such a
+				 * route invalid in the namespace.  Strip off
+				 * RTA_PREFSRC attributes to avoid that. */
+				rta->rta_type = RTA_UNSPEC;
+			}
 		}
 	}
 
-- 
2.41.0

Re: [PATCH] pasta: Strip RTA_PREFSRC when copying routes to the namespace

[Stefano Brivio]

On Wed, 23 Aug 2023 17:03:38 +1000
David Gibson <david@gibson.dropbear.id.au> wrote:

> Host routes can include a preferred source address (RTA_PREFSRC), which
> must be one of the host's addresses.  However when using pasta with -a the
> namespace might be given a different address, not on the host.  This seems
> to occur pretty routinely depending on the network configuration systems
> in place on the host.
> 
> With --config-net we will try to copy host routes to the namespace.  If
> one of those includes an RTA_PREFSRC, but the namespace doesn't have the
> host address, this will fail with -EINVAL, causing pasta to fail.
> 
> Fix this by stripping off RTA_PREFSRC attributes from routes as we copy
> them to the namespace.  This is by no means infallible, bit it should at
> least handle common cases for the time being.
> 
> Link: https://bugs.passt.top/show_bug.cgi?id=71
> Link: https://github.com/containers/podman/pull/19699#issuecomment-1688769287
> 
> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

Applied.

-- 
Stefano