From mboxrd@z Thu Jan 1 00:00:00 1970
From: David Gibson
To: Stefano Brivio, passt-dev@passt.top
Cc: David Gibson
Subject: [PATCH v2 0/4] Don't expose container loopback services to the host
Date: Tue, 1 Oct 2024 16:24:58 +1000
Message-ID: <20241001062502.1345449-1-david@gibson.dropbear.id.au>
podman issue #24045 pointed out that pasta's spliced forwarding logic can
expose services within the namespace bound only to 127.0.0.1 or ::1 to
the host. However, the namespace probably expects those to only be
accessible to itself, so that's probably not what we want. This changes
our forwarding logic so as not to do this.

Note that the podman tests will currently fail with this series; I've
submitted podman PR https://github.com/containers/podman/pull/24064 to
fix that.

Link: https://github.com/containers/podman/issues/24045

Changes since v1:
 * Add --host-lo-to-ns-lo option to preserve the old behaviour
 * Clarify the new behaviour in the man page
 * Add some extra patches making some other corrections to the man page

David Gibson (4):
  passt.1: Mark --stderr as deprecated more prominently
  passt.1: Clarify and update "Handling of local addresses" section
  test: Clarify test for spliced inbound transfers
  fwd: Direct inbound spliced forwards to the guest's external address

 conf.c               |  9 ++++++
 fwd.c                | 31 +++++++++++++-----
 passt.1              | 75 +++++++++++++++++++++++++++-----------------
 passt.h              |  1 +
 test/passt_in_ns/tcp |  8 ++---
 test/passt_in_ns/udp |  4 +--
 test/pasta/tcp       | 16 +++++-----
 test/pasta/udp       |  8 ++---
 8 files changed, 97 insertions(+), 55 deletions(-)

-- 
2.46.2