Date: Sun, 21 Dec 2025 11:47:22 +0100
From: Stefano Brivio
To: Felix Rubio
Cc: passt-user@passt.top
Subject: Re: Connecting back to the host through a dummy veth interface
Message-ID: <20251221114722.2a613e94@elisabeth>
In-Reply-To: <5105334.31r3eYUQgx@altair>
References: <176606116131.2775.3279769610610037541@maja> <20251220151224.1cc7c5cc@elisabeth> <5105334.31r3eYUQgx@altair>
Organization: Red Hat
List-Id: "For passt users: support, questions and answers"

On Sat, 20 Dec 2025 15:28:43 +0100
Felix Rubio wrote:

> Hey Stefano,
>
> Thank you for your answer! I know I can run rootful containers, and that then
> I can access the host's network ns. However, this exposes a number of
> potential issues:
> * In case an attacker manages to break out of the container, gets root
> * That enables connecting back to the host loopback, but then from that
>   container any service listening to the loopback can be reached as well.

Sure.
That's the whole point behind pasta(1) and rootless containers with Podman /
rootlesskit. I certainly won't be the one suggesting that you'd run anything
as root. :)

> The reason for looking for a way of binding those services to 10.255.255.1 (so
> that only exposed services will be in that interface) and running fully
> rootless, if it works, provides a more secure system... in general.

Indeed.

> About the mapped ports, I am a bit lost: for what I have tested, running
> rootless disables the possibility to connect back to the host, right?

Hah, I see now. No, that's not the case. You can run rootless containers and
connect to the host from them, in two ways:

1. disabled by default in Podman's pasta integration, not what you want: via
   the loopback interface, see -U / -T in 'man pasta' and --host-lo-to-ns-lo
   for the other way around. In that case, packets appear to be local (source
   address is loopback) in the other namespace ("host" or initial namespace
   for packets from a container, and container for packets from host).

   This gives you better throughput, but making connections appear as if they
   were local is risky (cf. CVE-2021-20199), so it's disabled by default, and
   not what I'm suggesting (at least in general)

2. what you get as default in Podman: using pasta's --map-guest-addr. The
   current description of this option in pasta(1) isn't great, hence
   https://bugs.passt.top/show_bug.cgi?id=132, but the idea is that you will
   reach the host from the container with a non-loopback address, as if the
   connection was coming from another host (which should represent the
   expected container usage).
So here's an example:

  $ podman run --rm -ti -p 8089:80 traefik/whoami
  2025/12/21 10:42:16 Starting up on port 80

[in another terminal]

  $ podman run --rm -ti fedora curl host.containers.internal:8089
  Hostname: ab94f49b5042
  IP: 127.0.0.1
  IP: ::1
  IP: **.***.*.***
  IP: ****:***:***:***::*
  IP: ****::****:****:****:****
  RemoteAddr: 169.254.1.2:46592
  GET / HTTP/1.1
  Host: host.containers.internal:8089
  User-Agent: curl/8.15.0
  Accept: */*

...doesn't that work for you?

Note that you'll need somewhat recent versions of pasta (>= 2024_08_21.1d6142f)
and Podman (>= 5.3).

-- 
Stefano
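The distinction the reply draws (container-to-host connections reaching the host from a non-loopback address under --map-guest-addr, versus "appearing local" under -T / -U) can be verified from the whoami output, and the version floors it quotes can be checked the same way. This is an added example, not code from the thread or from passt itself; it assumes the "RemoteAddr: host:port" line format shown in the reply and uses a constructed copy of that output as input.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sample of the container-side
# output quoted in the reply, with the non-loopback source address that pasta's
# --map-guest-addr path yields.
SAMPLE_WHOAMI='Hostname: ab94f49b5042
IP: 127.0.0.1
IP: ::1
RemoteAddr: 169.254.1.2:46592
GET / HTTP/1.1
Host: host.containers.internal:8089'

# Source address the server saw, without the port ("[::1]:46592" -> "::1").
whoami_remote_addr() {
    a=$(printf '%s\n' "$1" | sed -n 's/^RemoteAddr: //p')
    case "$a" in
        \[*\]:*) a=${a#\[}; a=${a%%\]:*} ;;  # bracketed IPv6
        *) a=${a%:*} ;;                      # IPv4
    esac
    printf '%s\n' "$a"
}

# True for 127.0.0.0/8 or ::1: the connection "appears local", as it would
# with -T / -U, which is what the reply (and CVE-2021-20199) warns about.
is_loopback_addr() {
    case "$1" in 127.*|::1) return 0 ;; *) return 1 ;; esac
}

# pasta versions are YYYY_MM_DD.commit: compare the date part numerically.
pasta_version_ok() {
    d=$(printf '%s' "${1%%.*}" | tr -d _)
    case "$d" in ''|*[!0-9]*) return 1 ;; esac
    [ "$d" -ge 20240821 ]
}

# Podman versions are major.minor[.patch]: require 5.3 or newer.
podman_version_ok() {
    major=${1%%.*}
    case "$1" in *.*) rest=${1#*.}; minor=${rest%%.*} ;; *) minor=0 ;; esac
    case "$major$minor" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 3 ]; }
}

# Succeeds only if the sampled connection did not reach the host as loopback.
check_sample() {
    addr=$(whoami_remote_addr "$SAMPLE_WHOAMI")
    if is_loopback_addr "$addr"; then
        echo "WARNING: host saw container traffic as loopback ($addr)"; return 1
    fi
    echo "OK: host saw container traffic from $addr"
}
```

On a real system, feed `whoami_remote_addr` the output of the curl step from the reply and `pasta_version_ok`/`podman_version_ok` the output of `pasta --version` and `podman --version` instead of the constructed values.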