Date: Fri, 18 Oct 2024 21:06:07 +0200
From: Stefano Brivio
To: David Gibson
CC: passt-dev@passt.top
Subject: Re: [PATCH v5 0/7] Don't expose container loopback services to the host
Message-ID: <20241018210607.510399a4@elisabeth>
In-Reply-To: <20241018013556.1266295-1-david@gibson.dropbear.id.au>
References: <20241018013556.1266295-1-david@gibson.dropbear.id.au>
Organization: Red Hat
List-Id: Development discussion and patches for passt

On Fri, 18 Oct 2024 12:35:49 +1100
David Gibson wrote:

> podman issue #24045 pointed out that pasta's spliced forwarding logic
> can expose services within the namespace bound only to 127.0.0.1 or
> ::1 to the host. However, the namespace probably expects those to
> only be accessible to itself, so that's probably not what we want.
>
> This changes our forwarding logic so as not to do this. Note that the
> podman tests will currently fail with this series; I've submitted
> podman PR https://github.com/containers/podman/pull/24064 to fix that.
>
> Link: https://github.com/containers/podman/issues/24045
>
> Changes since v4:
> * Handled a few cases where we need to wait for DAD which were missed
>   in v4.
> * Fix a grammar error in comment
> Changes since v3:
> * Added several extra patches working around failures on Debian,
>   because its dhclient-script doesn't wait for DAD to complete
> Changes since v2:
> * Add new field to structure comment
> Changes since v1:
> * Add --host-lo-to-ns-lo option to preserve the old behaviour
> * Clarify the new behaviour in the man page
> * Add some extra patches making some other corrections to the man
>   page
>
> David Gibson (7):
>   arp: Fix a handful of small warts
>   test: Explicitly wait for DAD to complete on SLAAC addresses
>   test: Wait for DAD on DHCPv6 addresses
>   passt.1: Mark --stderr as deprecated more prominently
>   passt.1: Clarify and update "Handling of local addresses" section
>   test: Clarify test for spliced inbound transfers
>   fwd: Direct inbound spliced forwards to the guest's external address

Applied.

-- 
Stefano
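The kernel property the series relies on, as an added example that is not pasta's code: a listener bound strictly to 127.0.0.1 does not answer a connection aimed at any other address, so aiming the inbound spliced forward at the namespace's external address (the new default) rather than its loopback (the old behaviour kept by --host-lo-to-ns-lo) is what keeps loopback-only services off the host. `forward_target`, `reachable`, `exposed`, `NS_LOOPBACK` and `NS_EXTERNAL` are assumed names; 127.0.0.2 is a constructed stand-in for the namespace's external address and needs Linux, where all of 127.0.0.0/8 is on lo.

```python
import errno
import socket

# Constructed stand-ins, not pasta's addresses: on Linux the whole 127.0.0.0/8
# is on lo, so 127.0.0.2 acts as a second address that a listener bound
# strictly to 127.0.0.1 will not answer on.
NS_LOOPBACK = "127.0.0.1"
NS_EXTERNAL = "127.0.0.2"   # stands in for the namespace's external address


def forward_target(host_lo_to_ns_lo: bool) -> str:
    """Address an inbound spliced forward connects to inside the namespace.

    Hypothetical model of the behaviour the cover letter describes: aim at
    the namespace's external address by default; --host-lo-to-ns-lo restores
    the old loopback target.
    """
    return NS_LOOPBACK if host_lo_to_ns_lo else NS_EXTERNAL


def reachable(bind_addr: str, connect_addr: str) -> bool:
    """Bind a listener on bind_addr and try to reach it via connect_addr."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, 0))          # port 0: let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.settimeout(2)
    try:
        cli.connect((connect_addr, port))
        return True
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:   # nothing listens on that address
            return False
        raise
    finally:
        cli.close()
        srv.close()


def exposed(bind_addr: str, host_lo_to_ns_lo: bool = False) -> bool:
    """Would a host-side inbound forward reach a service bound to bind_addr?"""
    return reachable(bind_addr, forward_target(host_lo_to_ns_lo))


if __name__ == "__main__":
    print("lo-only service, new default:", exposed("127.0.0.1"))          # False
    print("lo-only service, old behaviour:", exposed("127.0.0.1", True))  # True
    print("wildcard service, new default:", exposed("0.0.0.0"))           # True
```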