From mboxrd@z Thu Jan 1 00:00:00 1970
From: David Gibson <david@gibson.dropbear.id.au>
To: Stefano Brivio, passt-dev@passt.top
Cc: David Gibson
Subject: [PATCH 0/2] Don't expose container loopback services to the host
Date: Wed, 25 Sep 2024 16:54:34 +1000
Message-ID: <20240925065436.2064995-1-david@gibson.dropbear.id.au>
X-Mailer: git-send-email 2.46.1
List-Id: Development discussion and patches for passt

podman issue #24045 pointed out that pasta's spliced forwarding logic
can expose services within the namespace bound only to 127.0.0.1 or ::1
to the host. However, the namespace probably expects those to only be
accessible to itself, so that's probably not what we want.

This changes our forwarding logic so as not to do this.

Note that the podman tests will currently fail with this series; I've
submitted podman PR https://github.com/containers/podman/pull/24064 to
fix that.

Link: https://github.com/containers/podman/issues/24045

David Gibson (2):
  test: Clarify test for spliced inbound transfers
  fwd: Direct inbound spliced forwards to the guest's external address

 fwd.c                | 24 +++++++++++++++---------
 test/passt_in_ns/tcp |  8 ++++----
 test/passt_in_ns/udp |  4 ++--
 test/pasta/tcp       | 16 ++++++++--------
 test/pasta/udp       |  8 ++++----
 5 files changed, 33 insertions(+), 27 deletions(-)

-- 
2.46.1