From: Felix Rubio
To: Stefano Brivio
Cc: passt-user@passt.top
Subject: Re: Connecting back to the host through a dummy veth interface
Date: Sun, 21 Dec 2025 16:32:23 +0100
Message-ID: <2724792.Lt9SDvczpP@altair>
In-Reply-To: <20251221114722.2a613e94@elisabeth>
References: <176606116131.2775.3279769610610037541@maja> <5105334.31r3eYUQgx@altair> <20251221114722.2a613e94@elisabeth>
List-Id: "For passt users: support, questions and answers"

Something more: I see that pasta is binding to 0.0.0.0. This means that, while it allows other pods to connect to the published port of a container through 169.254.1.2, it also enables that port to be reachable from the network. Is there any way to prevent that?

Regards!
Felix

On Sunday, 21 December 2025 11:47:22 Central European Standard Time Stefano Brivio wrote:
> On Sat, 20 Dec 2025 15:28:43 +0100
> Felix Rubio wrote:
>
> > Hey Stefano,
> >
> > Thank you for your answer! I know I can run rootful containers, and that then
> > I can access the host's network ns. However, this exposes a number of
> > potential issues:
> > * In case an attacker manages to break out of the container, gets root
> > * That enables connecting back to the host loopback, but then from that
> >   container any service listening to the loopback can be reached as well.
>
> Sure. That's the whole point behind pasta(1) and rootless containers
> with Podman / rootlesskit. I certainly won't be the one suggesting that
> you'd run anything as root. :)
>
> > The reason for looking for a way of binding those services to 10.255.255.1 (so
> > that only exposed services will be in that interface) and running fully
> > rootless, if it works, provides a more secure system... in general.
>
> Indeed.
>
> > About the mapped ports, I am a bit lost: for what I have tested, running
> > rootless disables the possibility to connect back to the host, right?
>
> Hah, I see now. No, that's not the case. You can run rootless
> containers and connect to the host from them, in two ways:
>
> 1. disabled by default in Podman's pasta integration, not what you want:
>    via the loopback interface, see -U / -T in 'man pasta' and
>    --host-lo-to-ns-lo for the other way around.
>
>    In that case, packets appear to be local (source address is
>    loopback) in the other namespace ("host" or initial namespace for
>    packets from a container, and container for packets from host).
>
>    This gives you better throughput but making connections appear as if
>    they were local is risky (cf. CVE-2021-20199), so it's disabled by
>    default, and not what I'm suggesting (at least in general)
>
> 2. what you get as default in Podman: using pasta's --map-guest-addr.
>
>    The current description of this option in pasta(1) isn't great, hence
>    https://bugs.passt.top/show_bug.cgi?id=132, but the idea is that you
>    will reach the host from the container with a non-loopback address,
>    as if the connection was coming from another host (which should
>    represent the expected container usage).
>
> So here's an example:
>
>   $ podman run --rm -ti -p 8089:80 traefik/whoami
>   2025/12/21 10:42:16 Starting up on port 80
>
> [in another terminal]
>   $ podman run --rm -ti fedora curl host.containers.internal:8089
>   Hostname: ab94f49b5042
>   IP: 127.0.0.1
>   IP: ::1
>   IP: **.***.*.***
>   IP: ****:***:***:***::*
>   IP: ****::****:****:****:****
>   RemoteAddr: 169.254.1.2:46592
>   GET / HTTP/1.1
>   Host: host.containers.internal:8089
>   User-Agent: curl/8.15.0
>   Accept: */*
>
> ...doesn't that work for you? Note that you'll need somewhat recent
> versions of pasta (>= 2024_08_21.1d6142f) and Podman (>= 5.3).

-- 
Felix Rubio
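The exposure Felix raises above (a published port bound on 0.0.0.0, so reachable from every interface and not only from the container side) is easy to audit from the host. The following POSIX shell check is an added example, not part of the thread and not pasta's or Podman's own tooling: it parses `ss -Htln`-style output, lists every TCP listener bound to a wildcard address, and verifies that a given port is bound only to the address you intended (for instance the 10.255.255.1 veth address from the thread). The `SAMPLE_SS` input is constructed for the example; on a live host you would pass `"$(ss -Htln)"` instead. Podman's `--publish` syntax accepts a host address prefix (`ip:hostPort:containerPort`); whether that takes effect with a given pasta/Podman version is something to confirm on the host, which is what this check does.

```shell
#!/bin/sh
# Constructed sample in the format of `ss -Htln` (no header, TCP, listening,
# numeric). Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:8089 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 4096 10.255.255.1:8080 0.0.0.0:*
LISTEN 0 511 [::]:8089 [::]:*
LISTEN 0 128 [::1]:631 [::]:*'

# Print "addr port" for each listener bound to a wildcard address
# (0.0.0.0, [::] or *), i.e. reachable from the external network too.
# $1: ss output as a string.
wildcard_listeners() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            la = $4
            # split on the last ":" so IPv6 literals like [::1]:631 survive
            n = split(la, parts, ":")
            port = parts[n]
            addr = substr(la, 1, length(la) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
                print addr, port
        }'
}

# Exit 0 if every listener on port $3 is bound to address $2,
# exit 1 if the port is also open on some other address.
# $1: ss output as a string, $2: expected bind address, $3: port.
port_bound_only_to() {
    printf '%s\n' "$1" | awk -v want="$2" -v port="$3" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")
            p = parts[n]
            a = substr($4, 1, length($4) - length(p) - 1)
            if (p == port && a != want) bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# Usage on a live host: wildcard_listeners "$(ss -Htln)"
wildcard_listeners "$SAMPLE_SS"
if port_bound_only_to "$SAMPLE_SS" 10.255.255.1 8080; then
    echo "port 8080 is bound only to 10.255.255.1"
else
    echo "port 8080 is reachable on an address other than 10.255.255.1"
fi
```

With the constructed sample the first function reports the two wildcard listeners on 8089 (the published port from Stefano's `-p 8089:80` example, as it would look when bound on 0.0.0.0 and [::]), while 8080 passes the single-address check. Run the same two functions after changing the `-p` address prefix to see whether the new binding actually landed where you expected.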