From: Kangjing Huang <huangkangjing@gmail.com>
Date: Thu, 9 May 2024 23:13:09 -0400
Subject: Guest namespace can access host ports via secondary interface addresses
To: passt-user@passt.top

Hi there,

I was tweaking around pasta and its usage with podman, and I realized that from pasta guest namespaces it is possible to access host ports through the address of secondary interfaces on the host.

Say I have two interfaces on the host, with eth0 connecting to a gateway and eth1 connected to another LAN:

> $ # On host
> $ ifconfig eth0
> eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>         inet 192.168.1.2  netmask 255.255.255.0  broadcast 192.168.1.255
> ...
> $ ifconfig eth1
> eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>         inet 192.168.110.1  netmask 255.255.255.0  broadcast 192.168.110.255
> ...
> $ ip route
> default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.2 metric 1024
> 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2 metric 1024
> 192.168.1.1 dev eth0 proto dhcp scope link src 192.168.1.2 metric 1024
> 192.168.110.0/24 dev eth1 proto kernel scope link src 192.168.110.1

If there is some service started on the host:

> $ python -m http.server
> Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
From a pasta namespace, it is impossible to access the host ports by the address of the main interface:

> $ pasta --config-net
> $ # Now in pasta namespace
> $ curl 192.168.1.2:8000
> curl: (7) Failed to connect to 192.168.1.2 port 8000 after 0 ms: Couldn't connect to server

However, I found that it is possible to do so by the address of the secondary interface:

> $ # In same pasta environment as above
> $ curl 192.168.110.1:8000
>
>
> ...

Is this an expected behavior? I believe this is a security escape in the container context, since containerized services can gain access to unintended resources.

Thanks,
Chaser Huang

--
Kangjing "Chaser" Huang
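The manual probe above checks two addresses by hand. The script below, an added example that is not part of the report and not passt/pasta code, automates the same audit: it enumerates the host's global IPv4 addresses from `ip -o -4 addr show`, splits off the address on the default-route interface (the one pasta copies into the namespace with --config-net, so that a connection to it from inside the namespace never leaves the namespace; this reading of pasta's behaviour is an assumption here, not something the report states), and then probes every remaining host address from a fresh pasta namespace with curl. The sample `ip` output is constructed to match the report's host. The probe command `pasta --config-net -- curl ...` is an assumed invocation; the offline parsing and classification functions run without pasta, the probe needs pasta and curl on PATH.

```python
#!/usr/bin/env python3
"""Audit which host IPv4 addresses a pasta --config-net namespace can reach.

Added example (not from the report, not from passt/pasta). Parsing works
offline on iproute2-style output; probing shells out to pasta and curl.
"""
import re
import subprocess
import sys

# Constructed sample of `ip -o -4 addr show`, modelled on the report's host.
SAMPLE_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.2/24 brd 192.168.1.255 scope global dynamic eth0\\       valid_lft 86000sec preferred_lft 86000sec
3: eth1    inet 192.168.110.1/24 brd 192.168.110.255 scope global eth1\\       valid_lft forever preferred_lft forever
"""
# Constructed sample of `ip -4 route show default`, modelled on the report.
SAMPLE_DEFAULT_ROUTE = "default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.2 metric 1024\n"

ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d+\.\d+\.\d+\.\d+)/\d+.*?scope\s+(\S+)", re.M)
DEFAULT_RE = re.compile(r"^default\s+via\s+\S+\s+dev\s+(\S+)", re.M)


def parse_host_addrs(ip_addr_out):
    """Return [(ifname, addr)] for global-scope IPv4 addresses; loopback/link scope skipped."""
    return [(dev, addr) for dev, addr, scope in ADDR_RE.findall(ip_addr_out) if scope == "global"]


def default_dev(ip_route_out):
    """Interface carrying the default route, or None if there is none."""
    m = DEFAULT_RE.search(ip_route_out)
    return m.group(1) if m else None


def classify(ip_addr_out, ip_route_out):
    """Split host addresses into (primary, secondary).

    primary:   addresses on the default-route interface; assumed to be what pasta
               copies into the namespace, so they resolve to the namespace itself.
    secondary: every other global address, i.e. the candidates for the leak above.
    """
    dev = default_dev(ip_route_out)
    pairs = parse_host_addrs(ip_addr_out)
    primary = [a for d, a in pairs if d == dev]
    secondary = [a for d, a in pairs if d != dev]
    return primary, secondary


def probe_from_pasta(addr, port, timeout=2):
    """True if a TCP connection to addr:port succeeds from a fresh pasta namespace.

    Assumed invocation: `pasta --config-net -- COMMAND`. curl exit status 0 means the
    connection was established (any HTTP status); 7 is "Failed to connect".
    """
    cmd = ["pasta", "--config-net", "--", "curl", "-s", "-o", "/dev/null",
           "-m", str(timeout), "http://%s:%d/" % (addr, port)]
    res = subprocess.run(cmd, capture_output=True, text=True)
    return res.returncode == 0


def audit(port):
    """Run the audit against the live host; returns the list of reachable host addresses."""
    addr_out = subprocess.run(["ip", "-o", "-4", "addr", "show"], capture_output=True, text=True).stdout
    route_out = subprocess.run(["ip", "-4", "route", "show", "default"], capture_output=True, text=True).stdout
    primary, secondary = classify(addr_out, route_out)
    print("namespace-owned address(es), expected unreachable:", primary)
    reachable = [a for a in secondary if probe_from_pasta(a, port)]
    for a in secondary:
        print("%-16s port %d: %s" % (a, port, "REACHABLE from namespace" if a in reachable else "refused"))
    return reachable


if __name__ == "__main__":
    # Usage: start a listener on the host (e.g. python -m http.server), then
    #   ./pasta_audit.py 8000
    sys.exit(1 if audit(int(sys.argv[1]) if len(sys.argv) > 1 else 8000) else 0)
```

The exit status is 1 when any secondary address answered, so the script can sit in a CI or hardening check; with the report's host it would list 192.168.1.2 as namespace-owned and flag 192.168.110.1 as reachable.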