Date: Mon, 14 Apr 2025 12:07:44 +1000
From: David Gibson
To: Stefano Brivio
Cc: passt-dev@passt.top, Andrew Sayers, Paul Holzinger
Subject: Re: [PATCH 2/2] conf: Honour --dns-forward for local resolver even with --no-map-gw
In-Reply-To: <20250411091439.2943014-3-sbrivio@redhat.com>
References: <20250411091439.2943014-1-sbrivio@redhat.com> <20250411091439.2943014-3-sbrivio@redhat.com>

On Fri, Apr 11, 2025 at 11:14:39AM +0200, Stefano Brivio wrote:
> If the first resolver listed in the host's /etc/resolv.conf is a
> loopback address, and --no-map-gw is given, we automatically conclude
> that the resolver is not reachable, discard it, and, if it's the only
> nameserver listed in /etc/resolv.conf, we'll warn that we:
>
>   Couldn't get any nameserver address
>
> However, this isn't true in a general case: the user might have passed
> --dns-forward, and in that case, while we won't map the address of the
> default gateway to the host, we're still supposed to map that
> particular address.
> Otherwise, in this common Podman usage:
>
>   pasta --config-net --dns-forward 169.254.1.1 -t none -u none -T none -U none --no-map-gw --netns /run/user/1000/netns/netns-c02a8d8f-6ee3-902e-33c5-317e0f24e0af --map-guest-addr 169.254.1.2
>
> and with a loopback address in /etc/resolv.conf, we'll unexpectedly
> refuse to forward DNS queries:
>
>   # nslookup passt.top 169.254.1.1
>   ;; connection timed out; no servers could be reached
>
> To fix this, make an exception for --dns-forward: if &c->ip4.dns_match
> or &c->ip6.dns_match are set in add_dns_resolv4() / add_dns_resolv6(),
> use that address as guest-facing resolver.
>
> We already set 'dns_host' to the address we found in /etc/resolv.conf,
> that's correct in this case and it makes us forward queries as
> expected.
>
> I'm not changing the man page as the current description of
> --dns-forward is already consistent with the new behaviour: there's no
> described way in which --no-map-gw should affect it.
>
> Reported-by: Andrew Sayers
> Link: https://bugs.passt.top/show_bug.cgi?id=111
> Suggested-by: Paul Holzinger
> Signed-off-by: Stefano Brivio

Reviewed-by: David Gibson

> ---
>  conf.c | 30 ++++++++++++++++++++++--------
>  1 file changed, 22 insertions(+), 8 deletions(-)
>
> diff --git a/conf.c b/conf.c
> index 18ed11c..f942851 100644
> --- a/conf.c
> +++ b/conf.c
> @@ -431,12 +431,19 @@ static void add_dns_resolv4(struct ctx *c, struct in_addr *ns, unsigned *idx)
>  	 */
>  	if (IN4_IS_ADDR_LOOPBACK(ns) ||
>  	    IN4_ARE_ADDR_EQUAL(ns, &c->ip4.map_host_loopback)) {
> -		if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.map_host_loopback))
> -			return;
> +		if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.dns_match)) {
> +			if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.map_host_loopback))
> +				return; /* Address unreachable */
>  
> -		*ns = c->ip4.map_host_loopback;
> -		if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.dns_match))
> +			*ns = c->ip4.map_host_loopback;
>  			c->ip4.dns_match = c->ip4.map_host_loopback;
> +		} else {
> +			/* No general host mapping, but requested for DNS
> +			 * (--dns-forward and --no-map-gw): advertise resolver
> +			 * address from --dns-forward, and map that to loopback
> +			 */
> +			*ns = c->ip4.dns_match;
> +		}
>  	}
>  
>  	*idx += add_dns4(c, ns, *idx);
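Review bot: the comment on the new else branch ("No general host mapping, but requested for DNS (--dns-forward and --no-map-gw)") is narrower than the code path it sits on: the branch is taken whenever c->ip4.dns_match is set, including when c->ip4.map_host_loopback is also set, and in that case the advertised resolver changes from c->ip4.map_host_loopback (the old code did `*ns = c->ip4.map_host_loopback;` unconditionally) to c->ip4.dns_match. That is plausibly the intended --dns-forward semantics, but it is a behaviour change beyond the --no-map-gw case the commit message describes; either qualify the comment (e.g. "resolver address requested with --dns-forward, whether or not the gateway is mapped") or call out the default-mapping case in the commit message so the change is deliberate rather than incidental.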
> @@ -459,12 +466,19 @@ static void add_dns_resolv6(struct ctx *c, struct in6_addr *ns, unsigned *idx)
>  	 */
>  	if (IN6_IS_ADDR_LOOPBACK(ns) ||
>  	    IN6_ARE_ADDR_EQUAL(ns, &c->ip6.map_host_loopback)) {
> -		if (IN6_IS_ADDR_UNSPECIFIED(&c->ip6.map_host_loopback))
> -			return;
> +		if (IN6_IS_ADDR_UNSPECIFIED(&c->ip6.dns_match)) {
> +			if (IN6_IS_ADDR_UNSPECIFIED(&c->ip6.map_host_loopback))
> +				return; /* Address unreachable */
>  
> -		*ns = c->ip6.map_host_loopback;
> -		if (IN6_IS_ADDR_UNSPECIFIED(&c->ip6.dns_match))
> +			*ns = c->ip6.map_host_loopback;
>  			c->ip6.dns_match = c->ip6.map_host_loopback;
> +		} else {
> +			/* No general host mapping, but requested for DNS
> +			 * (--dns-forward and --no-map-gw): advertise resolver
> +			 * address from --dns-forward, and map that to loopback
> +			 */
> +			*ns = c->ip6.dns_match;
> +		}
>  	}
>  
>  	*idx += add_dns6(c, ns, *idx);

-- 
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson
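Review bot: the IPv6 else branch in add_dns_resolv6() carries the same "--dns-forward and --no-map-gw" comment as the IPv4 hunk while also being reached when c->ip6.map_host_loopback is set (the old code advertised c->ip6.map_host_loopback there, the new code advertises c->ip6.dns_match), so the comment should say that it covers both cases. Separately, the reproducer in the commit message only exercises the IPv4 path (169.254.1.1); since the v4 and v6 blocks are now line-for-line parallel across three nested conditions, an IPv6 counterpart of the nslookup check would confirm that this branch, and not just its twin, behaves as described.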
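Added example, not passt's code: a stand-alone C model of the IPv4 resolver-selection logic from add_dns_resolv4() before and after this patch, side by side, so the commit message's Podman case and the neighbouring cases can be compared on the same inputs. struct dns_ctx is a cut-down stand-in for the two fields of struct ctx the hunk touches, the in4_* predicates are local equivalents of passt's IN4_* macros, and the addresses are constructed: 127.0.0.53 stands for a loopback stub resolver in /etc/resolv.conf, 10.0.2.2 for a hypothetical mapped default gateway, 192.0.2.53 for an ordinary resolver, and 169.254.1.1 is the --dns-forward address from the commit message. It goes one step beyond the text by also running the --dns-forward-without---no-map-gw case, where the two versions advertise different addresses.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Local equivalents of passt's IN4_* macros (assumption: same semantics) */
static bool in4_unspecified(const struct in_addr *a)
{
	return a->s_addr == htonl(INADDR_ANY);
}

static bool in4_loopback(const struct in_addr *a)
{
	return (ntohl(a->s_addr) & 0xff000000u) == 0x7f000000u;	/* 127/8 */
}

static bool in4_equal(const struct in_addr *a, const struct in_addr *b)
{
	return a->s_addr == b->s_addr;
}

/* Stand-in for the two struct ctx fields the hunk reads and writes */
struct dns_ctx {
	struct in_addr map_host_loopback;	/* gateway mapped to host loopback; unspecified under --no-map-gw */
	struct in_addr dns_match;		/* address from --dns-forward; unspecified if not given */
};

/* Pre-patch logic: a loopback resolver is usable only via the gateway mapping */
static bool pick_resolver_old(struct dns_ctx *c, struct in_addr *ns)
{
	if (in4_loopback(ns) || in4_equal(ns, &c->map_host_loopback)) {
		if (in4_unspecified(&c->map_host_loopback))
			return false;	/* dropped: "Couldn't get any nameserver address" */
		*ns = c->map_host_loopback;
		if (in4_unspecified(&c->dns_match))
			c->dns_match = c->map_host_loopback;
	}
	return true;
}

/* Post-patch logic: --dns-forward supplies the guest-facing address by itself */
static bool pick_resolver_new(struct dns_ctx *c, struct in_addr *ns)
{
	if (in4_loopback(ns) || in4_equal(ns, &c->map_host_loopback)) {
		if (in4_unspecified(&c->dns_match)) {
			if (in4_unspecified(&c->map_host_loopback))
				return false;	/* still unreachable with neither mapping */
			*ns = c->map_host_loopback;
			c->dns_match = c->map_host_loopback;
		} else {
			*ns = c->dns_match;
		}
	}
	return true;
}

/* Run one scenario from dotted-quad strings ("" = unspecified). Returns the
 * address that would be advertised to the guest as resolver, in a static
 * buffer, or NULL if the resolver is dropped (or an address fails to parse). */
static const char *advertised(bool patched, const char *ns_s,
			      const char *gw_s, const char *fwd_s)
{
	static char buf[INET_ADDRSTRLEN];
	struct dns_ctx c;
	struct in_addr ns;

	memset(&c, 0, sizeof(c));
	ns.s_addr = htonl(INADDR_ANY);
	if (*ns_s && inet_pton(AF_INET, ns_s, &ns) != 1)
		return NULL;
	if (*gw_s && inet_pton(AF_INET, gw_s, &c.map_host_loopback) != 1)
		return NULL;
	if (*fwd_s && inet_pton(AF_INET, fwd_s, &c.dns_match) != 1)
		return NULL;

	if (!(patched ? pick_resolver_new(&c, &ns) : pick_resolver_old(&c, &ns)))
		return NULL;
	return inet_ntop(AF_INET, &ns, buf, sizeof(buf));
}

int main(void)
{
	/* Constructed inputs (see lead-in); none of these come from passt itself */
	static const struct { const char *label, *ns, *gw, *fwd; } cases[] = {
		{ "podman: --no-map-gw --dns-forward",  "127.0.0.53", "",         "169.254.1.1" },
		{ "default gateway mapping",            "127.0.0.53", "10.0.2.2", ""            },
		{ "--dns-forward with gateway mapping", "127.0.0.53", "10.0.2.2", "169.254.1.1" },
		{ "non-loopback resolver",              "192.0.2.53", "",         ""            },
	};

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		char before[INET_ADDRSTRLEN], after[INET_ADDRSTRLEN];
		const char *r;

		r = advertised(false, cases[i].ns, cases[i].gw, cases[i].fwd);
		snprintf(before, sizeof(before), "%s", r ? r : "(dropped)");
		r = advertised(true, cases[i].ns, cases[i].gw, cases[i].fwd);
		snprintf(after, sizeof(after), "%s", r ? r : "(dropped)");
		printf("%-38s before: %-12s after: %s\n", cases[i].label, before, after);
	}
	return 0;
}
```

The first row reproduces the bug report: before the patch the loopback resolver is dropped under --no-map-gw even though --dns-forward names an address, afterwards 169.254.1.1 is advertised. The third row is the case the diff's else-branch comment does not mention: with a gateway mapping present, the old code advertised the gateway, the new code advertises the --dns-forward address.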