passt: Relicense to GPL 2.0, or any later version
In practical terms, passt doesn't benefit from the additional
protection offered by the AGPL over the GPL, because it's not
suitable to be executed over a computer network.
Further, restricting the distribution under the version 3 of the GPL
wouldn't provide any practical advantage either, as long as the passt
codebase is concerned, and might cause unnecessary compatibility
dilemmas.
Change licensing terms to the GNU General Public License Version 2,
or any later version, with written permission from all current and
past contributors, namely: myself, David Gibson, Laine Stump, Andrea
Bolognani, Paul Holzinger, Richard W.M. Jones, Chris Kuhn, Florian
Weimer, Giuseppe Scrivano, Stefan Hajnoczi, and Vasiliy Ulyanov.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2023-04-05 20:11:44 +02:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-or-later
|
2021-08-12 15:42:43 +02:00
|
|
|
|
|
|
|
|
/* PASST - Plug A Simple Socket Transport
|
|
|
|
|
* for qemu/UNIX domain socket mode
|
|
|
|
|
*
|
|
|
|
|
* PASTA - Pack A Subtle Tap Abstraction
|
|
|
|
|
* for network namespace/tap device mode
|
|
|
|
|
*
|
|
|
|
|
* conf.c - Configuration settings and option parsing
|
|
|
|
|
*
|
|
|
|
|
* Copyright (c) 2020-2021 Red Hat GmbH
|
|
|
|
|
* Author: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
|
*/
|
|
|
|
|
|
2021-10-21 04:26:08 +02:00
|
|
|
#include <arpa/inet.h>
|
|
|
|
|
#include <errno.h>
|
|
|
|
|
#include <fcntl.h>
|
2021-08-12 15:42:43 +02:00
|
|
|
#include <getopt.h>
|
|
|
|
|
#include <string.h>
|
2021-10-21 04:26:08 +02:00
|
|
|
#include <sched.h>
|
2021-08-12 15:42:43 +02:00
|
|
|
#include <sys/types.h>
|
|
|
|
|
#include <sys/stat.h>
|
|
|
|
|
#include <limits.h>
|
2022-05-18 19:10:45 +02:00
|
|
|
#include <grp.h>
|
|
|
|
|
#include <pwd.h>
|
2023-03-21 04:54:59 +01:00
|
|
|
#include <unistd.h>
|
2023-03-08 04:00:22 +01:00
|
|
|
#include <signal.h>
|
2021-08-12 15:42:43 +02:00
|
|
|
#include <stdlib.h>
|
|
|
|
|
#include <stdint.h>
|
2023-03-08 04:00:22 +01:00
|
|
|
#include <stdio.h>
|
2022-07-22 07:31:16 +02:00
|
|
|
#include <stdbool.h>
|
2021-08-12 15:42:43 +02:00
|
|
|
#include <syslog.h>
|
|
|
|
|
#include <time.h>
|
|
|
|
|
#include <netinet/in.h>
|
2021-10-21 04:26:08 +02:00
|
|
|
#include <netinet/if_ether.h>
|
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
#include "util.h"
|
|
|
|
|
#include "passt.h"
|
2021-10-21 04:26:08 +02:00
|
|
|
#include "netlink.h"
|
2021-08-12 15:42:43 +02:00
|
|
|
#include "udp.h"
|
|
|
|
|
#include "tcp.h"
|
2021-10-11 12:01:31 +02:00
|
|
|
#include "pasta.h"
|
2022-06-24 04:17:30 +02:00
|
|
|
#include "lineread.h"
|
2022-09-12 14:24:03 +02:00
|
|
|
#include "isolation.h"
|
2022-09-24 09:53:15 +02:00
|
|
|
#include "log.h"
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2021-09-27 05:24:30 +02:00
|
|
|
/**
|
|
|
|
|
* get_bound_ports() - Get maps of ports with bound sockets
|
|
|
|
|
* @c: Execution context
|
|
|
|
|
* @ns: If set, set bitmaps for ports to tap/ns -- to init otherwise
|
|
|
|
|
* @proto: Protocol number (IPPROTO_TCP or IPPROTO_UDP)
|
|
|
|
|
*/
|
|
|
|
|
void get_bound_ports(struct ctx *c, int ns, uint8_t proto)
|
|
|
|
|
{
|
passt, pasta: Namespace-based sandboxing, defer seccomp policy application
To reach (at least) a conceptually equivalent security level as
implemented by --enable-sandbox in slirp4netns, we need to create a
new mount namespace and pivot_root() into a new (empty) mountpoint, so
that passt and pasta can't access any filesystem resource after
initialisation.
While at it, also detach IPC, PID (only for passt, to prevent
vulnerabilities based on the knowledge of a target PID), and UTS
namespaces.
With this approach, if we apply the seccomp filters right after the
configuration step, the number of allowed syscalls grows further. To
prevent this, defer the application of seccomp policies after the
initialisation phase, before the main loop, that's where we expect bad
things to happen, potentially. This way, we get back to 22 allowed
syscalls for passt and 34 for pasta, on x86_64.
While at it, move #syscalls notes to specific code paths wherever it
conceptually makes sense.
We have to open all the file handles we'll ever need before
sandboxing:
- the packet capture file can only be opened once, drop instance
numbers from the default path and use the (pre-sandbox) PID instead
- /proc/net/tcp{,v6} and /proc/net/udp{,v6}, for automatic detection
of bound ports in pasta mode, are now opened only once, before
sandboxing, and their handles are stored in the execution context
- the UNIX domain socket for passt is also bound only once, before
sandboxing: to reject clients after the first one, instead of
closing the listening socket, keep it open, accept and immediately
discard new connection if we already have a valid one
Clarify the (unchanged) behaviour for --netns-only in the man page.
To actually make passt and pasta processes run in a separate PID
namespace, we need to unshare(CLONE_NEWPID) before forking to
background (if configured to do so). Introduce a small daemon()
implementation, __daemon(), that additionally saves the PID file
before forking. While running in foreground, the process itself can't
move to a new PID namespace (a process can't change the notion of its
own PID): mention that in the man page.
For some reason, fork() in a detached PID namespace causes SIGTERM
and SIGQUIT to be ignored, even if the handler is still reported as
SIG_DFL: add a signal handler that just exits.
We can now drop most of the pasta_child_handler() implementation,
that took care of terminating all processes running in the same
namespace, if pasta started a shell: the shell itself is now the
init process in that namespace, and all children will terminate
once the init process exits.
Issuing 'echo $$' in a detached PID namespace won't return the
actual namespace PID as seen from the init namespace: adapt
demo and test setup scripts to reflect that.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-07 21:11:37 +01:00
|
|
|
uint8_t *udp_map, *udp_excl, *tcp_map, *tcp_excl;
|
2021-09-27 05:24:30 +02:00
|
|
|
|
|
|
|
|
if (ns) {
|
2022-09-24 11:08:17 +02:00
|
|
|
udp_map = c->udp.fwd_in.f.map;
|
|
|
|
|
udp_excl = c->udp.fwd_out.f.map;
|
|
|
|
|
tcp_map = c->tcp.fwd_in.map;
|
|
|
|
|
tcp_excl = c->tcp.fwd_out.map;
|
2021-09-27 05:24:30 +02:00
|
|
|
} else {
|
2022-09-24 11:08:17 +02:00
|
|
|
udp_map = c->udp.fwd_out.f.map;
|
|
|
|
|
udp_excl = c->udp.fwd_in.f.map;
|
|
|
|
|
tcp_map = c->tcp.fwd_out.map;
|
|
|
|
|
tcp_excl = c->tcp.fwd_in.map;
|
2021-09-27 05:24:30 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (proto == IPPROTO_UDP) {
|
2022-09-24 11:08:16 +02:00
|
|
|
memset(udp_map, 0, PORT_BITMAP_SIZE);
|
passt, pasta: Namespace-based sandboxing, defer seccomp policy application
To reach (at least) a conceptually equivalent security level as
implemented by --enable-sandbox in slirp4netns, we need to create a
new mount namespace and pivot_root() into a new (empty) mountpoint, so
that passt and pasta can't access any filesystem resource after
initialisation.
While at it, also detach IPC, PID (only for passt, to prevent
vulnerabilities based on the knowledge of a target PID), and UTS
namespaces.
With this approach, if we apply the seccomp filters right after the
configuration step, the number of allowed syscalls grows further. To
prevent this, defer the application of seccomp policies after the
initialisation phase, before the main loop, that's where we expect bad
things to happen, potentially. This way, we get back to 22 allowed
syscalls for passt and 34 for pasta, on x86_64.
While at it, move #syscalls notes to specific code paths wherever it
conceptually makes sense.
We have to open all the file handles we'll ever need before
sandboxing:
- the packet capture file can only be opened once, drop instance
numbers from the default path and use the (pre-sandbox) PID instead
- /proc/net/tcp{,v6} and /proc/net/udp{,v6}, for automatic detection
of bound ports in pasta mode, are now opened only once, before
sandboxing, and their handles are stored in the execution context
- the UNIX domain socket for passt is also bound only once, before
sandboxing: to reject clients after the first one, instead of
closing the listening socket, keep it open, accept and immediately
discard new connection if we already have a valid one
Clarify the (unchanged) behaviour for --netns-only in the man page.
To actually make passt and pasta processes run in a separate PID
namespace, we need to unshare(CLONE_NEWPID) before forking to
background (if configured to do so). Introduce a small daemon()
implementation, __daemon(), that additionally saves the PID file
before forking. While running in foreground, the process itself can't
move to a new PID namespace (a process can't change the notion of its
own PID): mention that in the man page.
For some reason, fork() in a detached PID namespace causes SIGTERM
and SIGQUIT to be ignored, even if the handler is still reported as
SIG_DFL: add a signal handler that just exits.
We can now drop most of the pasta_child_handler() implementation,
that took care of terminating all processes running in the same
namespace, if pasta started a shell: the shell itself is now the
init process in that namespace, and all children will terminate
once the init process exits.
Issuing 'echo $$' in a detached PID namespace won't return the
actual namespace PID as seen from the init namespace: adapt
demo and test setup scripts to reflect that.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-07 21:11:37 +01:00
|
|
|
procfs_scan_listen(c, IPPROTO_UDP, V4, ns, udp_map, udp_excl);
|
|
|
|
|
procfs_scan_listen(c, IPPROTO_UDP, V6, ns, udp_map, udp_excl);
|
2021-09-27 05:24:30 +02:00
|
|
|
|
passt, pasta: Namespace-based sandboxing, defer seccomp policy application
To reach (at least) a conceptually equivalent security level as
implemented by --enable-sandbox in slirp4netns, we need to create a
new mount namespace and pivot_root() into a new (empty) mountpoint, so
that passt and pasta can't access any filesystem resource after
initialisation.
While at it, also detach IPC, PID (only for passt, to prevent
vulnerabilities based on the knowledge of a target PID), and UTS
namespaces.
With this approach, if we apply the seccomp filters right after the
configuration step, the number of allowed syscalls grows further. To
prevent this, defer the application of seccomp policies after the
initialisation phase, before the main loop, that's where we expect bad
things to happen, potentially. This way, we get back to 22 allowed
syscalls for passt and 34 for pasta, on x86_64.
While at it, move #syscalls notes to specific code paths wherever it
conceptually makes sense.
We have to open all the file handles we'll ever need before
sandboxing:
- the packet capture file can only be opened once, drop instance
numbers from the default path and use the (pre-sandbox) PID instead
- /proc/net/tcp{,v6} and /proc/net/udp{,v6}, for automatic detection
of bound ports in pasta mode, are now opened only once, before
sandboxing, and their handles are stored in the execution context
- the UNIX domain socket for passt is also bound only once, before
sandboxing: to reject clients after the first one, instead of
closing the listening socket, keep it open, accept and immediately
discard new connection if we already have a valid one
Clarify the (unchanged) behaviour for --netns-only in the man page.
To actually make passt and pasta processes run in a separate PID
namespace, we need to unshare(CLONE_NEWPID) before forking to
background (if configured to do so). Introduce a small daemon()
implementation, __daemon(), that additionally saves the PID file
before forking. While running in foreground, the process itself can't
move to a new PID namespace (a process can't change the notion of its
own PID): mention that in the man page.
For some reason, fork() in a detached PID namespace causes SIGTERM
and SIGQUIT to be ignored, even if the handler is still reported as
SIG_DFL: add a signal handler that just exits.
We can now drop most of the pasta_child_handler() implementation,
that took care of terminating all processes running in the same
namespace, if pasta started a shell: the shell itself is now the
init process in that namespace, and all children will terminate
once the init process exits.
Issuing 'echo $$' in a detached PID namespace won't return the
actual namespace PID as seen from the init namespace: adapt
demo and test setup scripts to reflect that.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-07 21:11:37 +01:00
|
|
|
procfs_scan_listen(c, IPPROTO_TCP, V4, ns, udp_map, udp_excl);
|
|
|
|
|
procfs_scan_listen(c, IPPROTO_TCP, V6, ns, udp_map, udp_excl);
|
2021-09-27 05:24:30 +02:00
|
|
|
} else if (proto == IPPROTO_TCP) {
|
2022-09-24 11:08:16 +02:00
|
|
|
memset(tcp_map, 0, PORT_BITMAP_SIZE);
|
passt, pasta: Namespace-based sandboxing, defer seccomp policy application
To reach (at least) a conceptually equivalent security level as
implemented by --enable-sandbox in slirp4netns, we need to create a
new mount namespace and pivot_root() into a new (empty) mountpoint, so
that passt and pasta can't access any filesystem resource after
initialisation.
While at it, also detach IPC, PID (only for passt, to prevent
vulnerabilities based on the knowledge of a target PID), and UTS
namespaces.
With this approach, if we apply the seccomp filters right after the
configuration step, the number of allowed syscalls grows further. To
prevent this, defer the application of seccomp policies after the
initialisation phase, before the main loop, that's where we expect bad
things to happen, potentially. This way, we get back to 22 allowed
syscalls for passt and 34 for pasta, on x86_64.
While at it, move #syscalls notes to specific code paths wherever it
conceptually makes sense.
We have to open all the file handles we'll ever need before
sandboxing:
- the packet capture file can only be opened once, drop instance
numbers from the default path and use the (pre-sandbox) PID instead
- /proc/net/tcp{,v6} and /proc/net/udp{,v6}, for automatic detection
of bound ports in pasta mode, are now opened only once, before
sandboxing, and their handles are stored in the execution context
- the UNIX domain socket for passt is also bound only once, before
sandboxing: to reject clients after the first one, instead of
closing the listening socket, keep it open, accept and immediately
discard new connection if we already have a valid one
Clarify the (unchanged) behaviour for --netns-only in the man page.
To actually make passt and pasta processes run in a separate PID
namespace, we need to unshare(CLONE_NEWPID) before forking to
background (if configured to do so). Introduce a small daemon()
implementation, __daemon(), that additionally saves the PID file
before forking. While running in foreground, the process itself can't
move to a new PID namespace (a process can't change the notion of its
own PID): mention that in the man page.
For some reason, fork() in a detached PID namespace causes SIGTERM
and SIGQUIT to be ignored, even if the handler is still reported as
SIG_DFL: add a signal handler that just exits.
We can now drop most of the pasta_child_handler() implementation,
that took care of terminating all processes running in the same
namespace, if pasta started a shell: the shell itself is now the
init process in that namespace, and all children will terminate
once the init process exits.
Issuing 'echo $$' in a detached PID namespace won't return the
actual namespace PID as seen from the init namespace: adapt
demo and test setup scripts to reflect that.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-07 21:11:37 +01:00
|
|
|
procfs_scan_listen(c, IPPROTO_TCP, V4, ns, tcp_map, tcp_excl);
|
|
|
|
|
procfs_scan_listen(c, IPPROTO_TCP, V6, ns, tcp_map, tcp_excl);
|
2021-09-27 05:24:30 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
/**
|
|
|
|
|
* struct get_bound_ports_ns_arg - Arguments for get_bound_ports_ns()
|
|
|
|
|
* @c: Execution context
|
|
|
|
|
* @proto: Protocol number (IPPROTO_TCP or IPPROTO_UDP)
|
|
|
|
|
*/
|
|
|
|
|
struct get_bound_ports_ns_arg {
|
|
|
|
|
struct ctx *c;
|
|
|
|
|
uint8_t proto;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/**
|
2021-09-27 05:24:30 +02:00
|
|
|
* get_bound_ports_ns() - Get maps of ports in namespace with bound sockets
|
2021-08-12 15:42:43 +02:00
|
|
|
* @arg: See struct get_bound_ports_ns_arg
|
|
|
|
|
*
|
|
|
|
|
* Return: 0
|
|
|
|
|
*/
|
|
|
|
|
static int get_bound_ports_ns(void *arg)
|
|
|
|
|
{
|
|
|
|
|
struct get_bound_ports_ns_arg *a = (struct get_bound_ports_ns_arg *)arg;
|
|
|
|
|
struct ctx *c = a->c;
|
|
|
|
|
|
2021-09-29 16:11:06 +02:00
|
|
|
if (!c->pasta_netns_fd || ns_enter(c))
|
2021-08-12 15:42:43 +02:00
|
|
|
return 0;
|
|
|
|
|
|
2021-09-27 05:24:30 +02:00
|
|
|
get_bound_ports(c, 1, a->proto);
|
2021-08-12 15:42:43 +02:00
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-28 06:33:12 +02:00
|
|
|
/**
|
|
|
|
|
* next_chunk - Return the next piece of a string delimited by a character
|
|
|
|
|
* @s: String to search
|
|
|
|
|
* @c: Delimiter character
|
|
|
|
|
*
|
2022-11-17 06:58:38 +01:00
|
|
|
* Return: If another @c is found in @s, returns a pointer to the
|
|
|
|
|
* character *after* the delimiter, if no further @c is in @s,
|
|
|
|
|
* return NULL
|
2022-09-28 06:33:12 +02:00
|
|
|
*/
|
|
|
|
|
static char *next_chunk(const char *s, char c)
|
|
|
|
|
{
|
|
|
|
|
char *sep = strchr(s, c);
|
|
|
|
|
return sep ? sep + 1 : NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* port_range - Represents a non-empty range of ports
|
|
|
|
|
* @first: First port number in the range
|
|
|
|
|
* @last: Last port number in the range (inclusive)
|
|
|
|
|
*
|
|
|
|
|
* Invariant: @last >= @first
|
|
|
|
|
*/
|
|
|
|
|
struct port_range {
|
|
|
|
|
in_port_t first, last;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* parse_port_range() - Parse a range of port numbers '<first>[-<last>]'
|
|
|
|
|
* @s: String to parse
|
|
|
|
|
* @endptr: Update to the character after the parsed range (similar to
|
|
|
|
|
* strtol() etc.)
|
|
|
|
|
* @range: Update with the parsed values on success
|
|
|
|
|
*
|
|
|
|
|
* Return: -EINVAL on parsing error, -ERANGE on out of range port
|
|
|
|
|
* numbers, 0 on success
|
|
|
|
|
*/
|
|
|
|
|
static int parse_port_range(const char *s, char **endptr,
|
|
|
|
|
struct port_range *range)
|
|
|
|
|
{
|
|
|
|
|
unsigned long first, last;
|
|
|
|
|
|
|
|
|
|
last = first = strtoul(s, endptr, 10);
|
|
|
|
|
if (*endptr == s) /* Parsed nothing */
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
if (**endptr == '-') { /* we have a last value too */
|
|
|
|
|
const char *lasts = *endptr + 1;
|
|
|
|
|
last = strtoul(lasts, endptr, 10);
|
|
|
|
|
if (*endptr == lasts) /* Parsed nothing */
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ((last < first) || (last >= NUM_PORTS))
|
|
|
|
|
return -ERANGE;
|
|
|
|
|
|
|
|
|
|
range->first = first;
|
|
|
|
|
range->last = last;
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-01 06:36:34 +02:00
|
|
|
/**
|
|
|
|
|
* conf_ports() - Parse port configuration options, initialise UDP/TCP sockets
|
|
|
|
|
* @c: Execution context
|
|
|
|
|
* @optname: Short option name, t, T, u, or U
|
|
|
|
|
* @optarg: Option argument (port specification)
|
2022-09-24 11:08:20 +02:00
|
|
|
* @fwd: Pointer to @port_fwd to be updated
|
2022-05-01 06:36:34 +02:00
|
|
|
*/
|
2023-02-15 09:24:32 +01:00
|
|
|
static void conf_ports(const struct ctx *c, char optname, const char *optarg,
|
|
|
|
|
struct port_fwd *fwd)
|
2021-08-12 15:42:43 +02:00
|
|
|
{
|
2022-07-13 08:05:01 +02:00
|
|
|
char addr_buf[sizeof(struct in6_addr)] = { 0 }, *addr = addr_buf;
|
2022-10-07 04:53:40 +02:00
|
|
|
char buf[BUFSIZ], *spec, *ifname = NULL, *p;
|
2023-02-16 01:29:55 +01:00
|
|
|
bool exclude_only = true, bound_one = false;
|
2022-09-24 11:08:16 +02:00
|
|
|
uint8_t exclude[PORT_BITMAP_SIZE] = { 0 };
|
2022-05-01 06:36:34 +02:00
|
|
|
sa_family_t af = AF_UNSPEC;
|
2023-03-08 13:21:19 +01:00
|
|
|
int ret;
|
2021-08-12 15:42:43 +02:00
|
|
|
|
|
|
|
|
if (!strcmp(optarg, "none")) {
|
2022-09-24 11:08:20 +02:00
|
|
|
if (fwd->mode)
|
2023-02-15 09:24:32 +01:00
|
|
|
goto mode_conflict;
|
|
|
|
|
|
2022-09-24 11:08:20 +02:00
|
|
|
fwd->mode = FWD_NONE;
|
2023-02-15 09:24:32 +01:00
|
|
|
return;
|
2021-08-12 15:42:43 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!strcmp(optarg, "auto")) {
|
2023-02-15 09:24:32 +01:00
|
|
|
if (fwd->mode)
|
|
|
|
|
goto mode_conflict;
|
|
|
|
|
|
|
|
|
|
if (c->mode != MODE_PASTA)
|
|
|
|
|
die("'auto' port forwarding is only allowed for pasta");
|
|
|
|
|
|
2022-09-24 11:08:20 +02:00
|
|
|
fwd->mode = FWD_AUTO;
|
2023-02-15 09:24:32 +01:00
|
|
|
return;
|
2021-08-12 15:42:43 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!strcmp(optarg, "all")) {
|
2022-09-28 06:33:20 +02:00
|
|
|
unsigned i;
|
2022-05-01 06:36:34 +02:00
|
|
|
|
2023-02-15 09:24:32 +01:00
|
|
|
if (fwd->mode)
|
|
|
|
|
goto mode_conflict;
|
|
|
|
|
|
|
|
|
|
if (c->mode != MODE_PASST)
|
|
|
|
|
die("'all' port forwarding is only allowed for passt");
|
|
|
|
|
|
2022-09-24 11:08:20 +02:00
|
|
|
fwd->mode = FWD_ALL;
|
|
|
|
|
memset(fwd->map, 0xff, PORT_EPHEMERAL_MIN / 8);
|
2022-05-01 06:36:34 +02:00
|
|
|
|
|
|
|
|
for (i = 0; i < PORT_EPHEMERAL_MIN; i++) {
|
2023-02-16 01:29:55 +01:00
|
|
|
if (optname == 't') {
|
2023-03-08 13:21:19 +01:00
|
|
|
ret = tcp_sock_init(c, AF_UNSPEC, NULL, NULL,
|
|
|
|
|
i);
|
|
|
|
|
if (ret == -ENFILE || ret == -EMFILE)
|
|
|
|
|
goto enfile;
|
|
|
|
|
if (!ret)
|
2023-02-16 01:29:55 +01:00
|
|
|
bound_one = true;
|
|
|
|
|
} else if (optname == 'u') {
|
2023-03-08 13:21:19 +01:00
|
|
|
ret = udp_sock_init(c, 0, AF_UNSPEC, NULL, NULL,
|
|
|
|
|
i);
|
|
|
|
|
if (ret == -ENFILE || ret == -EMFILE)
|
|
|
|
|
goto enfile;
|
|
|
|
|
if (!ret)
|
2023-02-16 01:29:55 +01:00
|
|
|
bound_one = true;
|
|
|
|
|
}
|
2022-05-01 06:36:34 +02:00
|
|
|
}
|
|
|
|
|
|
2023-02-16 01:29:55 +01:00
|
|
|
if (!bound_one)
|
|
|
|
|
goto bind_fail;
|
|
|
|
|
|
2023-02-15 09:24:32 +01:00
|
|
|
return;
|
2021-08-12 15:42:43 +02:00
|
|
|
}
|
|
|
|
|
|
2022-09-24 11:08:20 +02:00
|
|
|
if (fwd->mode > FWD_SPEC)
|
2023-02-15 09:24:32 +01:00
|
|
|
die("Specific ports cannot be specified together with all/none/auto");
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2022-09-24 11:08:20 +02:00
|
|
|
fwd->mode = FWD_SPEC;
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2022-05-01 06:36:34 +02:00
|
|
|
strncpy(buf, optarg, sizeof(buf) - 1);
|
|
|
|
|
|
2022-07-13 08:05:01 +02:00
|
|
|
if ((spec = strchr(buf, '/'))) {
|
|
|
|
|
*spec = 0;
|
|
|
|
|
spec++;
|
2022-05-01 06:36:34 +02:00
|
|
|
|
|
|
|
|
if (optname != 't' && optname != 'u')
|
|
|
|
|
goto bad;
|
|
|
|
|
|
2022-10-07 04:53:40 +02:00
|
|
|
if ((ifname = strchr(buf, '%'))) {
|
|
|
|
|
if (spec - ifname >= IFNAMSIZ - 1)
|
|
|
|
|
goto bad;
|
|
|
|
|
|
|
|
|
|
*ifname = 0;
|
|
|
|
|
ifname++;
|
|
|
|
|
}
|
|
|
|
|
|
2023-03-27 19:35:26 +02:00
|
|
|
if (ifname == buf + 1) /* Interface without address */
|
|
|
|
|
addr = NULL;
|
|
|
|
|
else if (inet_pton(AF_INET, buf, addr))
|
2022-05-01 06:36:34 +02:00
|
|
|
af = AF_INET;
|
|
|
|
|
else if (inet_pton(AF_INET6, buf, addr))
|
|
|
|
|
af = AF_INET6;
|
|
|
|
|
else
|
|
|
|
|
goto bad;
|
|
|
|
|
} else {
|
2022-07-13 08:05:01 +02:00
|
|
|
spec = buf;
|
2022-05-01 06:36:34 +02:00
|
|
|
|
|
|
|
|
addr = NULL;
|
2021-08-12 15:42:43 +02:00
|
|
|
}
|
|
|
|
|
|
2022-07-13 08:05:01 +02:00
|
|
|
/* Mark all exclusions first, they might be given after base ranges */
|
|
|
|
|
p = spec;
|
2021-08-12 15:42:43 +02:00
|
|
|
do {
|
2022-09-28 06:33:12 +02:00
|
|
|
struct port_range xrange;
|
2022-09-28 06:33:20 +02:00
|
|
|
unsigned i;
|
2022-07-13 08:05:01 +02:00
|
|
|
|
2022-09-28 06:33:12 +02:00
|
|
|
if (*p != '~') {
|
|
|
|
|
/* Not an exclude range, parse later */
|
|
|
|
|
exclude_only = false;
|
|
|
|
|
continue;
|
2022-07-13 08:05:01 +02:00
|
|
|
}
|
conf: Don't pass leading ~ to parse_port_range() on exclusions
Commit 84fec4e998b6 ("Clean up parsing of port ranges") drops the
strspn() call before the parsing of excluded port ranges, because now
we're checking against any stray characters at every step.
However, that also has the effect of passing ~ as first character to
the new parse_port_range(), which makes no sense: we already checked
that ~ is the first character before the call, so skip it.
Alona reported this output:
Invalid port specifier ~15000,~15001,~15006,~15008,~15020,~15021,~15090
while the whole specifier is indeed valid.
Reported-by: Alona Paz <alkaplan@redhat.com>
Fixes: 84fec4e998b6 ("Clean up parsing of port ranges")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-10-24 14:37:22 +02:00
|
|
|
p++;
|
2022-07-13 08:05:01 +02:00
|
|
|
|
2022-09-28 06:33:12 +02:00
|
|
|
if (parse_port_range(p, &p, &xrange))
|
|
|
|
|
goto bad;
|
|
|
|
|
if ((*p != '\0') && (*p != ',')) /* Garbage after the range */
|
2022-07-13 08:05:01 +02:00
|
|
|
goto bad;
|
|
|
|
|
|
2022-09-28 06:33:12 +02:00
|
|
|
for (i = xrange.first; i <= xrange.last; i++) {
|
|
|
|
|
if (bitmap_isset(exclude, i))
|
|
|
|
|
goto overlap;
|
2022-07-13 08:05:01 +02:00
|
|
|
|
2022-09-28 06:33:12 +02:00
|
|
|
bitmap_set(exclude, i);
|
2022-07-13 08:05:01 +02:00
|
|
|
}
|
2022-09-28 06:33:12 +02:00
|
|
|
} while ((p = next_chunk(p, ',')));
|
2022-07-13 08:05:01 +02:00
|
|
|
|
|
|
|
|
if (exclude_only) {
|
2022-09-28 06:33:20 +02:00
|
|
|
unsigned i;
|
|
|
|
|
|
2022-07-13 08:05:01 +02:00
|
|
|
for (i = 0; i < PORT_EPHEMERAL_MIN; i++) {
|
|
|
|
|
if (bitmap_isset(exclude, i))
|
|
|
|
|
continue;
|
|
|
|
|
|
2022-09-24 11:08:20 +02:00
|
|
|
bitmap_set(fwd->map, i);
|
2022-07-13 08:05:01 +02:00
|
|
|
|
2023-02-16 01:29:55 +01:00
|
|
|
if (optname == 't') {
|
2023-03-08 13:21:19 +01:00
|
|
|
ret = tcp_sock_init(c, af, addr, ifname, i);
|
|
|
|
|
if (ret == -ENFILE || ret == -EMFILE)
|
|
|
|
|
goto enfile;
|
|
|
|
|
if (!ret)
|
2023-02-16 01:29:55 +01:00
|
|
|
bound_one = true;
|
|
|
|
|
} else if (optname == 'u') {
|
2023-03-08 13:21:19 +01:00
|
|
|
ret = udp_sock_init(c, 0, af, addr, ifname, i);
|
|
|
|
|
if (ret == -ENFILE || ret == -EMFILE)
|
|
|
|
|
goto enfile;
|
|
|
|
|
if (!ret)
|
2023-02-16 01:29:55 +01:00
|
|
|
bound_one = true;
|
2023-02-16 19:46:36 +01:00
|
|
|
} else {
|
|
|
|
|
/* No way to check in advance for -T and -U */
|
|
|
|
|
bound_one = true;
|
2023-02-16 01:29:55 +01:00
|
|
|
}
|
2022-07-13 08:05:01 +02:00
|
|
|
}
|
|
|
|
|
|
2023-02-16 01:29:55 +01:00
|
|
|
if (!bound_one)
|
|
|
|
|
goto bind_fail;
|
|
|
|
|
|
2023-02-15 09:24:32 +01:00
|
|
|
return;
|
2022-07-13 08:05:01 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Now process base ranges, skipping exclusions */
|
|
|
|
|
p = spec;
|
|
|
|
|
do {
|
2022-09-28 06:33:12 +02:00
|
|
|
struct port_range orig_range, mapped_range;
|
2022-09-28 06:33:20 +02:00
|
|
|
unsigned i;
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2022-09-28 06:33:12 +02:00
|
|
|
if (*p == '~')
|
|
|
|
|
/* Exclude range, already parsed */
|
|
|
|
|
continue;
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2022-09-28 06:33:12 +02:00
|
|
|
if (parse_port_range(p, &p, &orig_range))
|
2021-08-12 15:42:43 +02:00
|
|
|
goto bad;
|
|
|
|
|
|
2022-09-28 06:33:12 +02:00
|
|
|
if (*p == ':') { /* There's a range to map to as well */
|
|
|
|
|
if (parse_port_range(p + 1, &p, &mapped_range))
|
2021-08-12 15:42:43 +02:00
|
|
|
goto bad;
|
2022-09-28 06:33:12 +02:00
|
|
|
if ((mapped_range.last - mapped_range.first) !=
|
|
|
|
|
(orig_range.last - orig_range.first))
|
2021-08-12 15:42:43 +02:00
|
|
|
goto bad;
|
2022-09-28 06:33:12 +02:00
|
|
|
} else {
|
|
|
|
|
mapped_range = orig_range;
|
|
|
|
|
}
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2022-09-28 06:33:12 +02:00
|
|
|
if ((*p != '\0') && (*p != ',')) /* Garbage after the ranges */
|
|
|
|
|
goto bad;
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2022-09-28 06:33:12 +02:00
|
|
|
for (i = orig_range.first; i <= orig_range.last; i++) {
|
|
|
|
|
if (bitmap_isset(fwd->map, i))
|
|
|
|
|
goto overlap;
|
2022-07-13 08:05:01 +02:00
|
|
|
|
2022-09-28 06:33:12 +02:00
|
|
|
if (bitmap_isset(exclude, i))
|
|
|
|
|
continue;
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2022-09-28 06:33:12 +02:00
|
|
|
bitmap_set(fwd->map, i);
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2022-09-28 06:33:12 +02:00
|
|
|
fwd->delta[i] = mapped_range.first - orig_range.first;
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2023-02-16 01:29:55 +01:00
|
|
|
if (optname == 't') {
|
2023-03-08 13:21:19 +01:00
|
|
|
ret = tcp_sock_init(c, af, addr, ifname, i);
|
|
|
|
|
if (ret == -ENFILE || ret == -EMFILE)
|
|
|
|
|
goto enfile;
|
|
|
|
|
if (!ret)
|
2023-02-16 01:29:55 +01:00
|
|
|
bound_one = true;
|
|
|
|
|
} else if (optname == 'u') {
|
2023-03-08 13:21:19 +01:00
|
|
|
ret = udp_sock_init(c, 0, af, addr, ifname, i);
|
|
|
|
|
if (ret == -ENFILE || ret == -EMFILE)
|
|
|
|
|
goto enfile;
|
|
|
|
|
if (!ret)
|
2023-02-16 01:29:55 +01:00
|
|
|
bound_one = true;
|
2023-02-16 19:46:36 +01:00
|
|
|
} else {
|
|
|
|
|
/* No way to check in advance for -T and -U */
|
|
|
|
|
bound_one = true;
|
2023-02-16 01:29:55 +01:00
|
|
|
}
|
2021-08-12 15:42:43 +02:00
|
|
|
}
|
2022-09-28 06:33:12 +02:00
|
|
|
} while ((p = next_chunk(p, ',')));
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2023-02-16 01:29:55 +01:00
|
|
|
if (!bound_one)
|
|
|
|
|
goto bind_fail;
|
|
|
|
|
|
2023-02-15 09:24:32 +01:00
|
|
|
return;
|
2023-03-08 13:21:19 +01:00
|
|
|
enfile:
|
|
|
|
|
die("Can't open enough sockets for port specifier: %s", optarg);
|
2021-08-12 15:42:43 +02:00
|
|
|
bad:
|
2023-02-15 09:24:32 +01:00
|
|
|
die("Invalid port specifier %s", optarg);
|
2021-08-12 15:42:43 +02:00
|
|
|
overlap:
|
2023-02-15 09:24:32 +01:00
|
|
|
die("Overlapping port specifier %s", optarg);
|
|
|
|
|
mode_conflict:
|
|
|
|
|
die("Port forwarding mode '%s' conflicts with previous mode", optarg);
|
2023-02-16 01:29:55 +01:00
|
|
|
bind_fail:
|
|
|
|
|
die("Failed to bind any port for '-%c %s', exiting", optname, optarg);
|
2021-08-12 15:42:43 +02:00
|
|
|
}
|
|
|
|
|
|
2023-02-23 14:32:30 +01:00
|
|
|
/**
|
|
|
|
|
* add_dns4() - Possibly add the IPv4 address of a DNS resolver to configuration
|
|
|
|
|
* @c: Execution context
|
|
|
|
|
* @addr: Address found in /etc/resolv.conf
|
|
|
|
|
* @conf: Pointer to reference of current entry in array of IPv4 resolvers
|
|
|
|
|
*/
|
|
|
|
|
static void add_dns4(struct ctx *c, struct in_addr *addr, struct in_addr **conf)
|
|
|
|
|
{
|
|
|
|
|
/* Guest or container can only access local addresses via redirect */
|
|
|
|
|
if (IN4_IS_ADDR_LOOPBACK(addr)) {
|
|
|
|
|
if (!c->no_map_gw) {
|
|
|
|
|
**conf = c->ip4.gw;
|
|
|
|
|
(*conf)++;
|
conf, udp: Allow any loopback address to be used as resolver
Andrea reports that with a Fedora 37 guest running on a Fedora 37
host, both using systemd-resolved, with passt connecting them,
running with default options, DNS queries don't work.
systemd-resolved on the host is reachable only at the loopback
address 127.0.0.53.
We advertise the default gateway address to the guest as resolver,
because our local address is of course unreachable from there, which
means we see DNS queries directed to the default gateway, and we
redirect them to 127.0.0.1. However, systemd-resolved doesn't answer
on 127.0.0.1.
To fix this, set @dns_match to the address of the default gateway,
unless a different resolver address is explicitly configured, so that
we know we explicitly have to map DNS queries, in this case, to the
address of the local resolver.
This means that in udp_tap_handler() we need to check, first, if
the destination address of packets matches @dns_match: even if it's
the address of the local gateway, we want to map that to a specific
address, which isn't necessarily 127.0.0.1.
Do the same for IPv6 for consistency, even though IPv6 defines a
single loopback address.
Reported-by: Andrea Bolognani <abologna@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Tested-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2023-02-23 17:41:47 +01:00
|
|
|
|
|
|
|
|
if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.dns_match))
|
|
|
|
|
c->ip4.dns_match = c->ip4.gw;
|
2023-02-23 14:32:30 +01:00
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
**conf = *addr;
|
|
|
|
|
(*conf)++;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.dns_host))
|
|
|
|
|
c->ip4.dns_host = *addr;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* add_dns6() - Possibly add the IPv6 address of a DNS resolver to configuration
|
|
|
|
|
* @c: Execution context
|
|
|
|
|
* @addr: Address found in /etc/resolv.conf
|
|
|
|
|
* @conf: Pointer to reference of current entry in array of IPv6 resolvers
|
|
|
|
|
*/
|
|
|
|
|
static void add_dns6(struct ctx *c,
|
|
|
|
|
struct in6_addr *addr, struct in6_addr **conf)
|
|
|
|
|
{
|
|
|
|
|
/* Guest or container can only access local addresses via redirect */
|
|
|
|
|
if (IN6_IS_ADDR_LOOPBACK(addr)) {
|
|
|
|
|
if (!c->no_map_gw) {
|
|
|
|
|
memcpy(*conf, &c->ip6.gw, sizeof(**conf));
|
|
|
|
|
(*conf)++;
|
conf, udp: Allow any loopback address to be used as resolver
Andrea reports that with a Fedora 37 guest running on a Fedora 37
host, both using systemd-resolved, with passt connecting them,
running with default options, DNS queries don't work.
systemd-resolved on the host is reachable only at the loopback
address 127.0.0.53.
We advertise the default gateway address to the guest as resolver,
because our local address is of course unreachable from there, which
means we see DNS queries directed to the default gateway, and we
redirect them to 127.0.0.1. However, systemd-resolved doesn't answer
on 127.0.0.1.
To fix this, set @dns_match to the address of the default gateway,
unless a different resolver address is explicitly configured, so that
we know we explicitly have to map DNS queries, in this case, to the
address of the local resolver.
This means that in udp_tap_handler() we need to check, first, if
the destination address of packets matches @dns_match: even if it's
the address of the local gateway, we want to map that to a specific
address, which isn't necessarily 127.0.0.1.
Do the same for IPv6 for consistency, even though IPv6 defines a
single loopback address.
Reported-by: Andrea Bolognani <abologna@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Tested-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2023-02-23 17:41:47 +01:00
|
|
|
|
|
|
|
|
if (IN6_IS_ADDR_UNSPECIFIED(&c->ip6.dns_match))
|
|
|
|
|
memcpy(&c->ip6.dns_match, addr, sizeof(*addr));
|
2023-02-23 14:32:30 +01:00
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
memcpy(*conf, addr, sizeof(**conf));
|
|
|
|
|
(*conf)++;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (IN6_IS_ADDR_UNSPECIFIED(&c->ip6.dns_host))
|
|
|
|
|
c->ip6.dns_host = *addr;
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
/**
|
|
|
|
|
* get_dns() - Get nameserver addresses from local /etc/resolv.conf
|
|
|
|
|
* @c: Execution context
|
|
|
|
|
*/
|
|
|
|
|
static void get_dns(struct ctx *c)
|
|
|
|
|
{
|
conf, udp: Drop mostly duplicated dns_send arrays, rename related fields
Given that we use just the first valid DNS resolver address
configured, or read from resolv.conf(5) on the host, to forward DNS
queries to, in case --dns-forward is used, we don't need to duplicate
dns[] to dns_send[]:
- rename dns_send[] back to dns[]: those are the resolvers we
advertise to the guest/container
- for forwarding purposes, instead of dns[], use a single field (for
each protocol version): dns_host
- and rename dns_fwd to dns_match, so that it's clear this is the
address we are matching DNS queries against, to decide if they need
to be forwarded
Suggested-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2022-11-10 20:30:03 +01:00
|
|
|
struct in6_addr *dns6 = &c->ip6.dns[0], dns6_tmp;
|
|
|
|
|
struct in_addr *dns4 = &c->ip4.dns[0], dns4_tmp;
|
2021-10-14 01:21:29 +02:00
|
|
|
int dns4_set, dns6_set, dnss_set, dns_set, fd;
|
conf: Split the notions of read DNS addresses and offered ones
With --dns-forward, if the host has a loopback address configured as
DNS server, we should actually use it to forward queries, but, if
--no-map-gw is passed, we shouldn't offer the same address via DHCP,
NDP and DHCPv6, because it's not going to be reachable.
Problematic configuration:
* systemd-resolved configuring the usual 127.0.0.53 on the host: we
read that from /etc/resolv.conf
* --dns-forward specified with an unrelated address, for example
198.51.100.1
We still want to forward queries to 127.0.0.53, if we receive one
directed to 198.51.100.1, so we can't drop 127.0.0.53 from our list:
we want to use it for forwarding. At the same time, we shouldn't
offer 127.0.0.53 to the guest or container either.
With this change, I'm only covering the case of automatically
configured DNS servers from /etc/resolv.conf. We could extend this to
addresses configured with command-line options, but I don't really
see a likely use case at this point.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-11-02 23:52:38 +01:00
|
|
|
struct fqdn *s = c->dns_search;
|
2022-06-24 04:17:30 +02:00
|
|
|
struct lineread resolvconf;
|
|
|
|
|
int line_len;
|
|
|
|
|
char *line, *p, *end;
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2022-11-04 04:10:35 +01:00
|
|
|
dns4_set = !c->ifi4 || !IN4_IS_ADDR_UNSPECIFIED(dns4);
|
2022-07-22 07:31:17 +02:00
|
|
|
dns6_set = !c->ifi6 || !IN6_IS_ADDR_UNSPECIFIED(dns6);
|
2021-08-12 15:42:43 +02:00
|
|
|
dnss_set = !!*s->n || c->no_dns_search;
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
dns_set = (dns4_set && dns6_set) || c->no_dns;
|
2021-08-12 15:42:43 +02:00
|
|
|
|
|
|
|
|
if (dns_set && dnss_set)
|
|
|
|
|
return;
|
|
|
|
|
|
2022-03-27 13:10:26 +02:00
|
|
|
if ((fd = open("/etc/resolv.conf", O_RDONLY | O_CLOEXEC)) < 0)
|
2021-08-12 15:42:43 +02:00
|
|
|
goto out;
|
|
|
|
|
|
2022-06-24 04:17:30 +02:00
|
|
|
lineread_init(&resolvconf, fd);
|
|
|
|
|
while ((line_len = lineread_get(&resolvconf, &line)) > 0) {
|
|
|
|
|
if (!dns_set && strstr(line, "nameserver ") == line) {
|
|
|
|
|
p = strrchr(line, ' ');
|
2021-08-12 15:42:43 +02:00
|
|
|
if (!p)
|
|
|
|
|
continue;
|
|
|
|
|
|
2022-06-24 04:17:30 +02:00
|
|
|
end = strpbrk(line, "%\n");
|
2021-08-12 15:42:43 +02:00
|
|
|
if (end)
|
|
|
|
|
*end = 0;
|
|
|
|
|
|
2021-10-10 01:13:37 +02:00
|
|
|
if (!dns4_set &&
|
conf, udp: Drop mostly duplicated dns_send arrays, rename related fields
Given that we use just the first valid DNS resolver address
configured, or read from resolv.conf(5) on the host, to forward DNS
queries to, in case --dns-forward is used, we don't need to duplicate
dns[] to dns_send[]:
- rename dns_send[] back to dns[]: those are the resolvers we
advertise to the guest/container
- for forwarding purposes, instead of dns[], use a single field (for
each protocol version): dns_host
- and rename dns_fwd to dns_match, so that it's clear this is the
address we are matching DNS queries against, to decide if they need
to be forwarded
Suggested-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2022-11-10 20:30:03 +01:00
|
|
|
dns4 - &c->ip4.dns[0] < ARRAY_SIZE(c->ip4.dns) - 1
|
2023-02-23 14:32:30 +01:00
|
|
|
&& inet_pton(AF_INET, p + 1, &dns4_tmp))
|
|
|
|
|
add_dns4(c, &dns4_tmp, &dns4);
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2021-10-10 01:13:37 +02:00
|
|
|
if (!dns6_set &&
|
conf, udp: Drop mostly duplicated dns_send arrays, rename related fields
Given that we use just the first valid DNS resolver address
configured, or read from resolv.conf(5) on the host, to forward DNS
queries to, in case --dns-forward is used, we don't need to duplicate
dns[] to dns_send[]:
- rename dns_send[] back to dns[]: those are the resolvers we
advertise to the guest/container
- for forwarding purposes, instead of dns[], use a single field (for
each protocol version): dns_host
- and rename dns_fwd to dns_match, so that it's clear this is the
address we are matching DNS queries against, to decide if they need
to be forwarded
Suggested-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2022-11-10 20:30:03 +01:00
|
|
|
dns6 - &c->ip6.dns[0] < ARRAY_SIZE(c->ip6.dns) - 1
|
2023-02-23 14:32:30 +01:00
|
|
|
&& inet_pton(AF_INET6, p + 1, &dns6_tmp))
|
|
|
|
|
add_dns6(c, &dns6_tmp, &dns6);
|
2022-06-24 04:17:30 +02:00
|
|
|
} else if (!dnss_set && strstr(line, "search ") == line &&
|
2021-08-12 15:42:43 +02:00
|
|
|
s == c->dns_search) {
|
2022-06-24 04:17:30 +02:00
|
|
|
end = strpbrk(line, "\n");
|
2021-08-12 15:42:43 +02:00
|
|
|
if (end)
|
|
|
|
|
*end = 0;
|
|
|
|
|
|
2022-09-28 06:33:26 +02:00
|
|
|
/* cppcheck-suppress strtokCalled */
|
2022-06-24 04:17:30 +02:00
|
|
|
if (!strtok(line, " \t"))
|
2021-10-19 19:18:04 +02:00
|
|
|
continue;
|
|
|
|
|
|
2021-09-26 23:22:31 +02:00
|
|
|
while (s - c->dns_search < ARRAY_SIZE(c->dns_search) - 1
|
2022-09-28 06:33:26 +02:00
|
|
|
/* cppcheck-suppress strtokCalled */
|
2021-09-26 23:22:31 +02:00
|
|
|
&& (p = strtok(NULL, " \t"))) {
|
2021-08-12 15:42:43 +02:00
|
|
|
strncpy(s->n, p, sizeof(c->dns_search[0]));
|
|
|
|
|
s++;
|
2021-09-26 23:22:31 +02:00
|
|
|
*s->n = 0;
|
2021-08-12 15:42:43 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-06-24 04:17:30 +02:00
|
|
|
if (line_len < 0)
|
|
|
|
|
warn("Error reading /etc/resolv.conf: %s", strerror(errno));
|
2021-10-14 01:21:29 +02:00
|
|
|
close(fd);
|
2021-08-12 15:42:43 +02:00
|
|
|
|
|
|
|
|
out:
|
2022-07-22 07:31:18 +02:00
|
|
|
if (!dns_set && dns4 == c->ip4.dns && dns6 == c->ip6.dns)
|
2021-08-12 15:42:43 +02:00
|
|
|
warn("Couldn't get any nameserver address");
|
|
|
|
|
}
|
|
|
|
|
|
More deterministic detection of whether argument is a PID, PATH or NAME
pasta takes as its only non-option argument either a PID to attach to the
namespaces of, a PATH to a network namespace or a NAME of a network
namespace (relative to /run/netns). Currently to determine which it is
we try all 3 in that order, and if anything goes wrong we move onto the
next.
This has the potential to cause very confusing failure modes. e.g. if the
argument is intended to be a network namespace name, but a (non-namespace)
file of the same name exists in the current directory.
Make behaviour more predictable by choosing how to treat the argument based
only on the argument's contents, not anything else on the system:
- If it's a decimal integer treat it as a PID
- Otherwise, if it has no '/' characters, treat it as a netns name
(ip-netns doesn't allow '/' in netns names)
- Otherwise, treat it as a netns path
If you want to open a persistent netns in the current directory, you can
use './netns'.
This also allows us to split the parsing of the PID|PATH|NAME option from
the actual opening of the namespaces. In turn that allows us to put the
opening of existing namespaces next to the opening of new namespaces in
pasta_start_ns. That makes the logical flow easier to follow and will
enable later cleanups.
Caveats:
- The separation of functions mean we will always generate the basename
and dirname for the netns_quit system, even when using PID namespaces.
This is pointless, since the netns_quit system doesn't work for non
persistent namespaces, but is harmless.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2022-08-26 06:58:37 +02:00
|
|
|
/**
|
2022-09-12 14:24:04 +02:00
|
|
|
* conf_netns_opt() - Parse --netns option
|
2022-08-26 06:58:38 +02:00
|
|
|
* @netns: buffer of size PATH_MAX, updated with netns path
|
|
|
|
|
* @arg: --netns argument
|
|
|
|
|
*/
|
2023-02-15 09:24:35 +01:00
|
|
|
static void conf_netns_opt(char *netns, const char *arg)
|
2022-08-26 06:58:38 +02:00
|
|
|
{
|
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
if (!strchr(arg, '/')) {
|
|
|
|
|
/* looks like a netns name */
|
|
|
|
|
ret = snprintf(netns, PATH_MAX, "%s/%s", NETNS_RUN_DIR, arg);
|
|
|
|
|
} else {
|
|
|
|
|
/* otherwise assume it's a netns path */
|
|
|
|
|
ret = snprintf(netns, PATH_MAX, "%s", arg);
|
|
|
|
|
}
|
|
|
|
|
|
2023-02-15 09:24:35 +01:00
|
|
|
if (ret <= 0 || ret > PATH_MAX)
|
|
|
|
|
die("Network namespace name/path %s too long");
|
2022-08-26 06:58:38 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2022-09-12 14:24:04 +02:00
|
|
|
* conf_pasta_ns() - Validate all pasta namespace options
|
|
|
|
|
* @netns_only: Don't use userns, may be updated
|
More deterministic detection of whether argument is a PID, PATH or NAME
pasta takes as its only non-option argument either a PID to attach to the
namespaces of, a PATH to a network namespace or a NAME of a network
namespace (relative to /run/netns). Currently to determine which it is
we try all 3 in that order, and if anything goes wrong we move onto the
next.
This has the potential to cause very confusing failure modes. e.g. if the
argument is intended to be a network namespace name, but a (non-namespace)
file of the same name exists in the current directory.
Make behaviour more predictable by choosing how to treat the argument based
only on the argument's contents, not anything else on the system:
- If it's a decimal integer treat it as a PID
- Otherwise, if it has no '/' characters, treat it as a netns name
(ip-netns doesn't allow '/' in netns names)
- Otherwise, treat it as a netns path
If you want to open a persistent netns in the current directory, you can
use './netns'.
This also allows us to split the parsing of the PID|PATH|NAME option from
the actual opening of the namespaces. In turn that allows us to put the
opening of existing namespaces next to the opening of new namespaces in
pasta_start_ns. That makes the logical flow easier to follow and will
enable later cleanups.
Caveats:
- The separation of functions mean we will always generate the basename
and dirname for the netns_quit system, even when using PID namespaces.
This is pointless, since the netns_quit system doesn't work for non
persistent namespaces, but is harmless.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2022-08-26 06:58:37 +02:00
|
|
|
* @userns: buffer of size PATH_MAX, initially contains --userns
|
|
|
|
|
* argument (may be empty), updated with userns path
|
2022-08-26 06:58:38 +02:00
|
|
|
* @netns: buffer of size PATH_MAX, initial contains --netns
|
|
|
|
|
* argument (may be empty), updated with netns path
|
2022-09-12 14:24:04 +02:00
|
|
|
* @optind: Index of first non-option argument
|
|
|
|
|
* @argc: Number of arguments
|
|
|
|
|
* @argv: Command line arguments
|
More deterministic detection of whether argument is a PID, PATH or NAME
pasta takes as its only non-option argument either a PID to attach to the
namespaces of, a PATH to a network namespace or a NAME of a network
namespace (relative to /run/netns). Currently to determine which it is
we try all 3 in that order, and if anything goes wrong we move onto the
next.
This has the potential to cause very confusing failure modes. e.g. if the
argument is intended to be a network namespace name, but a (non-namespace)
file of the same name exists in the current directory.
Make behaviour more predictable by choosing how to treat the argument based
only on the argument's contents, not anything else on the system:
- If it's a decimal integer treat it as a PID
- Otherwise, if it has no '/' characters, treat it as a netns name
(ip-netns doesn't allow '/' in netns names)
- Otherwise, treat it as a netns path
If you want to open a persistent netns in the current directory, you can
use './netns'.
This also allows us to split the parsing of the PID|PATH|NAME option from
the actual opening of the namespaces. In turn that allows us to put the
opening of existing namespaces next to the opening of new namespaces in
pasta_start_ns. That makes the logical flow easier to follow and will
enable later cleanups.
Caveats:
- The separation of functions mean we will always generate the basename
and dirname for the netns_quit system, even when using PID namespaces.
This is pointless, since the netns_quit system doesn't work for non
persistent namespaces, but is harmless.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2022-08-26 06:58:37 +02:00
|
|
|
*/
|
2023-02-15 09:24:33 +01:00
|
|
|
static void conf_pasta_ns(int *netns_only, char *userns, char *netns,
|
|
|
|
|
int optind, int argc, char *argv[])
|
More deterministic detection of whether argument is a PID, PATH or NAME
pasta takes as its only non-option argument either a PID to attach to the
namespaces of, a PATH to a network namespace or a NAME of a network
namespace (relative to /run/netns). Currently to determine which it is
we try all 3 in that order, and if anything goes wrong we move onto the
next.
This has the potential to cause very confusing failure modes. e.g. if the
argument is intended to be a network namespace name, but a (non-namespace)
file of the same name exists in the current directory.
Make behaviour more predictable by choosing how to treat the argument based
only on the argument's contents, not anything else on the system:
- If it's a decimal integer treat it as a PID
- Otherwise, if it has no '/' characters, treat it as a netns name
(ip-netns doesn't allow '/' in netns names)
- Otherwise, treat it as a netns path
If you want to open a persistent netns in the current directory, you can
use './netns'.
This also allows us to split the parsing of the PID|PATH|NAME option from
the actual opening of the namespaces. In turn that allows us to put the
opening of existing namespaces next to the opening of new namespaces in
pasta_start_ns. That makes the logical flow easier to follow and will
enable later cleanups.
Caveats:
- The separation of functions mean we will always generate the basename
and dirname for the netns_quit system, even when using PID namespaces.
This is pointless, since the netns_quit system doesn't work for non
persistent namespaces, but is harmless.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2022-08-26 06:58:37 +02:00
|
|
|
{
|
2023-02-15 09:24:33 +01:00
|
|
|
if (*netns_only && *userns)
|
|
|
|
|
die("Both --userns and --netns-only given");
|
2022-08-26 06:58:38 +02:00
|
|
|
|
2023-02-15 09:24:33 +01:00
|
|
|
if (*netns && optind != argc)
|
|
|
|
|
die("Both --netns and PID or command given");
|
More deterministic detection of whether argument is a PID, PATH or NAME
pasta takes as its only non-option argument either a PID to attach to the
namespaces of, a PATH to a network namespace or a NAME of a network
namespace (relative to /run/netns). Currently to determine which it is
we try all 3 in that order, and if anything goes wrong we move onto the
next.
This has the potential to cause very confusing failure modes. e.g. if the
argument is intended to be a network namespace name, but a (non-namespace)
file of the same name exists in the current directory.
Make behaviour more predictable by choosing how to treat the argument based
only on the argument's contents, not anything else on the system:
- If it's a decimal integer treat it as a PID
- Otherwise, if it has no '/' characters, treat it as a netns name
(ip-netns doesn't allow '/' in netns names)
- Otherwise, treat it as a netns path
If you want to open a persistent netns in the current directory, you can
use './netns'.
This also allows us to split the parsing of the PID|PATH|NAME option from
the actual opening of the namespaces. In turn that allows us to put the
opening of existing namespaces next to the opening of new namespaces in
pasta_start_ns. That makes the logical flow easier to follow and will
enable later cleanups.
Caveats:
- The separation of functions mean we will always generate the basename
and dirname for the netns_quit system, even when using PID namespaces.
This is pointless, since the netns_quit system doesn't work for non
persistent namespaces, but is harmless.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2022-08-26 06:58:37 +02:00
|
|
|
|
2022-09-12 14:24:04 +02:00
|
|
|
if (optind + 1 == argc) {
|
|
|
|
|
char *endptr;
|
|
|
|
|
long pidval;
|
|
|
|
|
|
|
|
|
|
pidval = strtol(argv[optind], &endptr, 10);
|
|
|
|
|
if (!*endptr) {
|
|
|
|
|
/* Looks like a pid */
|
2023-02-15 09:24:33 +01:00
|
|
|
if (pidval < 0 || pidval > INT_MAX)
|
|
|
|
|
die("Invalid PID %s", argv[optind]);
|
2022-09-12 14:24:04 +02:00
|
|
|
|
|
|
|
|
snprintf(netns, PATH_MAX, "/proc/%ld/ns/net", pidval);
|
|
|
|
|
if (!*userns)
|
|
|
|
|
snprintf(userns, PATH_MAX, "/proc/%ld/ns/user",
|
|
|
|
|
pidval);
|
More deterministic detection of whether argument is a PID, PATH or NAME
pasta takes as its only non-option argument either a PID to attach to the
namespaces of, a PATH to a network namespace or a NAME of a network
namespace (relative to /run/netns). Currently to determine which it is
we try all 3 in that order, and if anything goes wrong we move onto the
next.
This has the potential to cause very confusing failure modes. e.g. if the
argument is intended to be a network namespace name, but a (non-namespace)
file of the same name exists in the current directory.
Make behaviour more predictable by choosing how to treat the argument based
only on the argument's contents, not anything else on the system:
- If it's a decimal integer treat it as a PID
- Otherwise, if it has no '/' characters, treat it as a netns name
(ip-netns doesn't allow '/' in netns names)
- Otherwise, treat it as a netns path
If you want to open a persistent netns in the current directory, you can
use './netns'.
This also allows us to split the parsing of the PID|PATH|NAME option from
the actual opening of the namespaces. In turn that allows us to put the
opening of existing namespaces next to the opening of new namespaces in
pasta_start_ns. That makes the logical flow easier to follow and will
enable later cleanups.
Caveats:
- The separation of functions mean we will always generate the basename
and dirname for the netns_quit system, even when using PID namespaces.
This is pointless, since the netns_quit system doesn't work for non
persistent namespaces, but is harmless.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2022-08-26 06:58:37 +02:00
|
|
|
}
|
2022-09-12 14:24:04 +02:00
|
|
|
}
|
More deterministic detection of whether argument is a PID, PATH or NAME
pasta takes as its only non-option argument either a PID to attach to the
namespaces of, a PATH to a network namespace or a NAME of a network
namespace (relative to /run/netns). Currently to determine which it is
we try all 3 in that order, and if anything goes wrong we move onto the
next.
This has the potential to cause very confusing failure modes. e.g. if the
argument is intended to be a network namespace name, but a (non-namespace)
file of the same name exists in the current directory.
Make behaviour more predictable by choosing how to treat the argument based
only on the argument's contents, not anything else on the system:
- If it's a decimal integer treat it as a PID
- Otherwise, if it has no '/' characters, treat it as a netns name
(ip-netns doesn't allow '/' in netns names)
- Otherwise, treat it as a netns path
If you want to open a persistent netns in the current directory, you can
use './netns'.
This also allows us to split the parsing of the PID|PATH|NAME option from
the actual opening of the namespaces. In turn that allows us to put the
opening of existing namespaces next to the opening of new namespaces in
pasta_start_ns. That makes the logical flow easier to follow and will
enable later cleanups.
Caveats:
- The separation of functions mean we will always generate the basename
and dirname for the netns_quit system, even when using PID namespaces.
This is pointless, since the netns_quit system doesn't work for non
persistent namespaces, but is harmless.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2022-08-26 06:58:37 +02:00
|
|
|
|
2022-09-12 14:24:04 +02:00
|
|
|
/* Attaching to a netns/PID, with no userns given */
|
|
|
|
|
if (*netns && !*userns)
|
|
|
|
|
*netns_only = 1;
|
More deterministic detection of whether argument is a PID, PATH or NAME
pasta takes as its only non-option argument either a PID to attach to the
namespaces of, a PATH to a network namespace or a NAME of a network
namespace (relative to /run/netns). Currently to determine which it is
we try all 3 in that order, and if anything goes wrong we move onto the
next.
This has the potential to cause very confusing failure modes. e.g. if the
argument is intended to be a network namespace name, but a (non-namespace)
file of the same name exists in the current directory.
Make behaviour more predictable by choosing how to treat the argument based
only on the argument's contents, not anything else on the system:
- If it's a decimal integer treat it as a PID
- Otherwise, if it has no '/' characters, treat it as a netns name
(ip-netns doesn't allow '/' in netns names)
- Otherwise, treat it as a netns path
If you want to open a persistent netns in the current directory, you can
use './netns'.
This also allows us to split the parsing of the PID|PATH|NAME option from
the actual opening of the namespaces. In turn that allows us to put the
opening of existing namespaces next to the opening of new namespaces in
pasta_start_ns. That makes the logical flow easier to follow and will
enable later cleanups.
Caveats:
- The separation of functions mean we will always generate the basename
and dirname for the netns_quit system, even when using PID namespaces.
This is pointless, since the netns_quit system doesn't work for non
persistent namespaces, but is harmless.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2022-08-26 06:58:37 +02:00
|
|
|
}
|
|
|
|
|
|
2022-11-04 04:10:33 +01:00
|
|
|
/** conf_ip4_prefix() - Parse an IPv4 prefix length or netmask
|
|
|
|
|
* @arg: Netmask in dotted decimal or prefix length
|
|
|
|
|
*
|
|
|
|
|
* Return: Validated prefix length on success, -1 on failure
|
|
|
|
|
*/
|
|
|
|
|
static int conf_ip4_prefix(const char *arg)
|
|
|
|
|
{
|
|
|
|
|
struct in_addr mask;
|
|
|
|
|
unsigned long len;
|
|
|
|
|
|
|
|
|
|
if (inet_pton(AF_INET, arg, &mask)) {
|
|
|
|
|
in_addr_t hmask = ntohl(mask.s_addr);
|
|
|
|
|
len = __builtin_popcount(hmask);
|
|
|
|
|
if ((hmask << len) != 0)
|
|
|
|
|
return -1;
|
|
|
|
|
} else {
|
|
|
|
|
errno = 0;
|
|
|
|
|
len = strtoul(optarg, NULL, 0);
|
|
|
|
|
if (len > 32 || errno)
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return len;
|
|
|
|
|
}
|
|
|
|
|
|
2021-10-11 12:01:31 +02:00
|
|
|
/**
|
2022-07-22 07:31:17 +02:00
|
|
|
* conf_ip4() - Verify or detect IPv4 support, get relevant addresses
|
|
|
|
|
* @ifi: Host interface to attempt (0 to determine one)
|
2022-07-22 07:31:18 +02:00
|
|
|
* @ip4: IPv4 context (will be written)
|
|
|
|
|
* @mac: MAC address to use (written if unset)
|
2022-07-22 07:31:17 +02:00
|
|
|
*
|
|
|
|
|
* Return: Interface index for IPv4, or 0 on failure.
|
2021-10-11 12:01:31 +02:00
|
|
|
*/
|
2022-07-22 07:31:18 +02:00
|
|
|
static unsigned int conf_ip4(unsigned int ifi,
|
|
|
|
|
struct ip4_ctx *ip4, unsigned char *mac)
|
2021-10-11 12:01:31 +02:00
|
|
|
{
|
2022-07-22 07:31:17 +02:00
|
|
|
if (!ifi)
|
|
|
|
|
ifi = nl_get_ext_if(AF_INET);
|
2022-07-22 07:31:13 +02:00
|
|
|
|
2022-07-22 07:31:17 +02:00
|
|
|
if (!ifi) {
|
|
|
|
|
warn("No external routable interface for IPv4");
|
|
|
|
|
return 0;
|
2022-07-22 07:31:13 +02:00
|
|
|
}
|
2021-10-11 12:01:31 +02:00
|
|
|
|
2022-11-04 04:10:35 +01:00
|
|
|
if (IN4_IS_ADDR_UNSPECIFIED(&ip4->gw))
|
netlink: Add functionality to copy routes from outer namespace
Instead of just fetching the default gateway and configuring a single
equivalent route in the target namespace, on 'pasta --config-net', it
might be desirable in some cases to copy the whole set of routes
corresponding to a given output interface.
For instance, in:
https://github.com/containers/podman/issues/18539
IPv4 Default Route Does Not Propagate to Pasta Containers on Hetzner VPSes
configuring the default gateway won't work without a gateway-less
route (specifying the output interface only), because the default
gateway is, somewhat dubiously, not on the same subnet as the
container.
This is a similar case to the one covered by commit 7656a6f88882
("conf: Adjust netmask on mismatch between IPv4 address/netmask and
gateway"), and I'm not exactly proud of that workaround.
We also have:
https://bugs.passt.top/show_bug.cgi?id=49
pasta does not work with tap-style interface
for which, eventually, we should be able to configure a gateway-less
route in the target namespace.
Introduce different operation modes for nl_route(), including a new
NL_DUP one, not exposed yet, which simply parrots back to the kernel
the route dump for a given interface from the outer namespace, fixing
up flags and interface indices on the way, and requesting to add the
same routes in the target namespace, on the interface we manage.
For n routes we want to duplicate, send n identical netlink requests
including the full dump: routes might depend on each other and the
kernel processes RTM_NEWROUTE messages sequentially, not atomically,
and repeating the full dump naturally resolves dependencies without
the need to actually calculate them.
I'm not kidding, it actually works pretty well.
Link: https://github.com/containers/podman/issues/18539
Link: https://bugs.passt.top/show_bug.cgi?id=49
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2023-05-14 13:49:43 +02:00
|
|
|
nl_route(NL_GET, ifi, 0, AF_INET, &ip4->gw);
|
2021-10-11 12:01:31 +02:00
|
|
|
|
2022-11-04 04:10:35 +01:00
|
|
|
if (IN4_IS_ADDR_UNSPECIFIED(&ip4->addr))
|
2022-11-04 04:10:33 +01:00
|
|
|
nl_addr(0, ifi, AF_INET, &ip4->addr, &ip4->prefix_len, NULL);
|
2021-10-19 09:01:27 +02:00
|
|
|
|
2022-11-04 04:10:33 +01:00
|
|
|
if (!ip4->prefix_len) {
|
2023-05-14 15:22:00 +02:00
|
|
|
in_addr_t addr = ntohl(ip4->addr.s_addr);
|
2022-11-04 04:10:35 +01:00
|
|
|
if (IN_CLASSA(addr))
|
2022-11-04 04:10:33 +01:00
|
|
|
ip4->prefix_len = (32 - IN_CLASSA_NSHIFT);
|
2022-11-04 04:10:35 +01:00
|
|
|
else if (IN_CLASSB(addr))
|
2022-11-04 04:10:33 +01:00
|
|
|
ip4->prefix_len = (32 - IN_CLASSB_NSHIFT);
|
2022-11-04 04:10:35 +01:00
|
|
|
else if (IN_CLASSC(addr))
|
2022-11-04 04:10:33 +01:00
|
|
|
ip4->prefix_len = (32 - IN_CLASSC_NSHIFT);
|
2022-07-22 07:31:17 +02:00
|
|
|
else
|
2022-11-04 04:10:33 +01:00
|
|
|
ip4->prefix_len = 32;
|
2022-07-22 07:31:17 +02:00
|
|
|
}
|
2021-10-11 12:01:31 +02:00
|
|
|
|
2022-07-22 07:31:18 +02:00
|
|
|
memcpy(&ip4->addr_seen, &ip4->addr, sizeof(ip4->addr_seen));
|
2021-10-11 12:01:31 +02:00
|
|
|
|
2022-07-22 07:31:18 +02:00
|
|
|
if (MAC_IS_ZERO(mac))
|
|
|
|
|
nl_link(0, ifi, mac, 0, 0);
|
2021-10-11 12:01:31 +02:00
|
|
|
|
2022-11-04 04:10:35 +01:00
|
|
|
if (IN4_IS_ADDR_UNSPECIFIED(&ip4->gw) ||
|
|
|
|
|
IN4_IS_ADDR_UNSPECIFIED(&ip4->addr) ||
|
|
|
|
|
MAC_IS_ZERO(mac))
|
2022-07-22 07:31:17 +02:00
|
|
|
return 0;
|
2021-10-19 09:01:27 +02:00
|
|
|
|
2022-07-22 07:31:17 +02:00
|
|
|
return ifi;
|
|
|
|
|
}
|
2021-10-11 12:01:31 +02:00
|
|
|
|
2022-07-22 07:31:17 +02:00
|
|
|
/**
|
|
|
|
|
* conf_ip6() - Verify or detect IPv6 support, get relevant addresses
|
|
|
|
|
* @ifi: Host interface to attempt (0 to determine one)
|
2022-07-22 07:31:18 +02:00
|
|
|
* @ip6: IPv6 context (will be written)
|
|
|
|
|
* @mac: MAC address to use (written if unset)
|
2022-07-22 07:31:17 +02:00
|
|
|
*
|
|
|
|
|
* Return: Interface index for IPv6, or 0 on failure.
|
|
|
|
|
*/
|
2022-07-22 07:31:18 +02:00
|
|
|
static unsigned int conf_ip6(unsigned int ifi,
|
|
|
|
|
struct ip6_ctx *ip6, unsigned char *mac)
|
2022-07-22 07:31:17 +02:00
|
|
|
{
|
|
|
|
|
int prefix_len = 0;
|
2021-10-11 12:01:31 +02:00
|
|
|
|
2022-07-22 07:31:17 +02:00
|
|
|
if (!ifi)
|
|
|
|
|
ifi = nl_get_ext_if(AF_INET6);
|
2022-07-22 07:31:14 +02:00
|
|
|
|
2022-07-22 07:31:17 +02:00
|
|
|
if (!ifi) {
|
|
|
|
|
warn("No external routable interface for IPv6");
|
|
|
|
|
return 0;
|
2021-10-11 12:01:31 +02:00
|
|
|
}
|
|
|
|
|
|
2022-07-22 07:31:18 +02:00
|
|
|
if (IN6_IS_ADDR_UNSPECIFIED(&ip6->gw))
|
netlink: Add functionality to copy routes from outer namespace
Instead of just fetching the default gateway and configuring a single
equivalent route in the target namespace, on 'pasta --config-net', it
might be desirable in some cases to copy the whole set of routes
corresponding to a given output interface.
For instance, in:
https://github.com/containers/podman/issues/18539
IPv4 Default Route Does Not Propagate to Pasta Containers on Hetzner VPSes
configuring the default gateway won't work without a gateway-less
route (specifying the output interface only), because the default
gateway is, somewhat dubiously, not on the same subnet as the
container.
This is a similar case to the one covered by commit 7656a6f88882
("conf: Adjust netmask on mismatch between IPv4 address/netmask and
gateway"), and I'm not exactly proud of that workaround.
We also have:
https://bugs.passt.top/show_bug.cgi?id=49
pasta does not work with tap-style interface
for which, eventually, we should be able to configure a gateway-less
route in the target namespace.
Introduce different operation modes for nl_route(), including a new
NL_DUP one, not exposed yet, which simply parrots back to the kernel
the route dump for a given interface from the outer namespace, fixing
up flags and interface indices on the way, and requesting to add the
same routes in the target namespace, on the interface we manage.
For n routes we want to duplicate, send n identical netlink requests
including the full dump: routes might depend on each other and the
kernel processes RTM_NEWROUTE messages sequentially, not atomically,
and repeating the full dump naturally resolves dependencies without
the need to actually calculate them.
I'm not kidding, it actually works pretty well.
Link: https://github.com/containers/podman/issues/18539
Link: https://bugs.passt.top/show_bug.cgi?id=49
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2023-05-14 13:49:43 +02:00
|
|
|
nl_route(NL_GET, ifi, 0, AF_INET6, &ip6->gw);
|
2022-07-22 07:31:17 +02:00
|
|
|
|
|
|
|
|
nl_addr(0, ifi, AF_INET6,
|
2022-07-22 07:31:18 +02:00
|
|
|
IN6_IS_ADDR_UNSPECIFIED(&ip6->addr) ? &ip6->addr : NULL,
|
|
|
|
|
&prefix_len, &ip6->addr_ll);
|
2022-07-22 07:31:17 +02:00
|
|
|
|
2022-07-22 07:31:18 +02:00
|
|
|
memcpy(&ip6->addr_seen, &ip6->addr, sizeof(ip6->addr));
|
|
|
|
|
memcpy(&ip6->addr_ll_seen, &ip6->addr_ll, sizeof(ip6->addr_ll));
|
2022-07-22 07:31:17 +02:00
|
|
|
|
2022-07-22 07:31:18 +02:00
|
|
|
if (MAC_IS_ZERO(mac))
|
|
|
|
|
nl_link(0, ifi, mac, 0, 0);
|
2021-10-11 12:01:31 +02:00
|
|
|
|
2022-07-22 07:31:18 +02:00
|
|
|
if (IN6_IS_ADDR_UNSPECIFIED(&ip6->gw) ||
|
|
|
|
|
IN6_IS_ADDR_UNSPECIFIED(&ip6->addr) ||
|
|
|
|
|
IN6_IS_ADDR_UNSPECIFIED(&ip6->addr_ll) ||
|
|
|
|
|
MAC_IS_ZERO(mac))
|
2022-07-22 07:31:17 +02:00
|
|
|
return 0;
|
2021-10-11 12:01:31 +02:00
|
|
|
|
2022-07-22 07:31:17 +02:00
|
|
|
return ifi;
|
2021-10-11 12:01:31 +02:00
|
|
|
}
|
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
/**
|
|
|
|
|
* usage() - Print usage and exit
|
|
|
|
|
* @name: Executable name
|
|
|
|
|
*/
|
|
|
|
|
static void usage(const char *name)
|
|
|
|
|
{
|
2022-02-17 01:41:28 +01:00
|
|
|
if (strstr(name, "pasta")) {
|
2022-08-26 06:58:38 +02:00
|
|
|
info("Usage: %s [OPTION]... [COMMAND] [ARGS]...", name);
|
|
|
|
|
info(" %s [OPTION]... PID", name);
|
|
|
|
|
info(" %s [OPTION]... --netns [PATH|NAME]", name);
|
2021-08-12 15:42:43 +02:00
|
|
|
info("");
|
2022-08-26 06:58:38 +02:00
|
|
|
info("Without PID or --netns, run the given command or a");
|
|
|
|
|
info("default shell in a new network and user namespace, and");
|
|
|
|
|
info("connect it via pasta.");
|
2021-08-12 15:42:43 +02:00
|
|
|
} else {
|
|
|
|
|
info("Usage: %s [OPTION]...", name);
|
|
|
|
|
}
|
|
|
|
|
info("");
|
|
|
|
|
|
2022-10-10 10:35:47 +02:00
|
|
|
|
2022-10-26 16:48:42 +02:00
|
|
|
info( " -d, --debug Be verbose");
|
2022-03-15 00:59:09 +01:00
|
|
|
info( " --trace Be extra verbose, implies --debug");
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " -q, --quiet Don't print informational messages");
|
|
|
|
|
info( " -f, --foreground Don't run in background");
|
|
|
|
|
info( " default: run in background if started from a TTY");
|
|
|
|
|
info( " -e, --stderr Log to stderr too");
|
|
|
|
|
info( " default: log to system logger only if started from a TTY");
|
2022-10-06 14:51:04 +02:00
|
|
|
info( " -l, --log-file PATH Log (only) to given file");
|
|
|
|
|
info( " --log-size BYTES Maximum size of log file");
|
|
|
|
|
info( " default: 1 MiB");
|
2022-09-12 14:24:00 +02:00
|
|
|
info( " --runas UID|UID:GID Run as given UID, GID, which can be");
|
|
|
|
|
info( " numeric, or login and group names");
|
2022-05-18 19:10:45 +02:00
|
|
|
info( " default: drop to user \"nobody\"");
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " -h, --help Display this help message and exit");
|
2022-10-10 10:35:47 +02:00
|
|
|
info( " --version Show version and exit");
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2022-02-17 01:41:28 +01:00
|
|
|
if (strstr(name, "pasta")) {
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " -I, --ns-ifname NAME namespace interface name");
|
|
|
|
|
info( " default: same interface name as external one");
|
|
|
|
|
} else {
|
|
|
|
|
info( " -s, --socket PATH UNIX domain socket path");
|
|
|
|
|
info( " default: probe free path starting from "
|
|
|
|
|
UNIX_SOCK_PATH, 1);
|
|
|
|
|
}
|
|
|
|
|
|
2022-11-17 19:49:34 +01:00
|
|
|
info( " -F, --fd FD Use FD as pre-opened connected socket");
|
2022-08-26 06:58:32 +02:00
|
|
|
info( " -p, --pcap FILE Log tap-facing traffic to pcap file");
|
2021-10-14 12:17:47 +02:00
|
|
|
info( " -P, --pid FILE Write own PID to the given file");
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " -m, --mtu MTU Assign MTU via DHCP/NDP");
|
2021-09-07 11:19:57 +02:00
|
|
|
info( " a zero value disables assignment");
|
|
|
|
|
info( " default: 65520: maximum 802.3 MTU minus 802.3 header");
|
|
|
|
|
info( " length, rounded to 32 bits (IPv4 words)");
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " -a, --address ADDR Assign IPv4 or IPv6 address ADDR");
|
|
|
|
|
info( " can be specified zero to two times (for IPv4 and IPv6)");
|
|
|
|
|
info( " default: use addresses from interface with default route");
|
|
|
|
|
info( " -n, --netmask MASK Assign IPv4 MASK, dot-decimal or bits");
|
|
|
|
|
info( " default: netmask from matching address on the host");
|
|
|
|
|
info( " -M, --mac-addr ADDR Use source MAC address ADDR");
|
|
|
|
|
info( " default: MAC address from interface with default route");
|
|
|
|
|
info( " -g, --gateway ADDR Pass IPv4 or IPv6 address as gateway");
|
|
|
|
|
info( " default: gateway from interface with default route");
|
|
|
|
|
info( " -i, --interface NAME Interface for addresses and routes");
|
conf, icmp, tcp, udp: Add options to bind to outbound address and interface
I didn't notice earlier: libslirp (and slirp4netns) supports binding
outbound sockets to specific IPv4 and IPv6 addresses, to force the
source addresse selection. If we want to claim feature parity, we
should implement that as well.
Further, Podman supports specifying outbound interfaces as well, but
this is simply done by resolving the primary address for an interface
when the network back-end is started. However, since kernel version
5.7, commit c427bfec18f2 ("net: core: enable SO_BINDTODEVICE for
non-root users"), we can actually bind to a specific interface name,
which doesn't need to be validated in advance.
Implement -o / --outbound ADDR to bind to IPv4 and IPv6 addresses,
and --outbound-if4 and --outbound-if6 to bind IPv4 and IPv6 sockets
to given interfaces.
Given that it probably makes little sense to select addresses and
routes from interfaces different than the ones given for outbound
sockets, also assign those as "template" interfaces, by default,
unless explicitly overridden by '-i'.
For ICMP and UDP, we call sock_l4() to open outbound sockets, as we
already needed to bind to given ports or echo identifiers, and we
can bind() a socket only once: there, pass address (if any) and
interface (if any) for the existing bind() and setsockopt() calls.
For TCP, in general, we wouldn't otherwise bind sockets. Add a
specific helper to do that.
For UDP outbound sockets, we need to know if the final destination
of the socket is a loopback address, before we decide whether it
makes sense to bind the socket at all: move the block mangling the
address destination before the creation of the socket in the IPv4
path. This was already the case for the IPv6 path.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2023-03-08 03:29:51 +01:00
|
|
|
info( " default: from --outbound-if4 and --outbound-if6, if any");
|
|
|
|
|
info( " otherwise interface with first default route");
|
|
|
|
|
info( " -o, --outbound ADDR Bind to address as outbound source");
|
|
|
|
|
info( " can be specified zero to two times (for IPv4 and IPv6)");
|
|
|
|
|
info( " default: use source address from routing tables");
|
|
|
|
|
info( " --outbound-if4 NAME Bind to outbound interface for IPv4");
|
|
|
|
|
info( " default: use interface from default route");
|
|
|
|
|
info( " --outbound-if6 NAME Bind to outbound interface for IPv6");
|
|
|
|
|
info( " default: use interface from default route");
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
info( " -D, --dns ADDR Use IPv4 or IPv6 address as DNS");
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " can be specified multiple times");
|
|
|
|
|
info( " a single, empty option disables DNS information");
|
2022-02-17 01:41:28 +01:00
|
|
|
if (strstr(name, "pasta"))
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
info( " default: don't use any addresses");
|
2021-08-12 15:42:43 +02:00
|
|
|
else
|
|
|
|
|
info( " default: use addresses from /etc/resolv.conf");
|
|
|
|
|
|
|
|
|
|
info( " -S, --search LIST Space-separated list, search domains");
|
|
|
|
|
info( " a single, empty option disables the DNS search list");
|
2022-02-17 01:41:28 +01:00
|
|
|
if (strstr(name, "pasta"))
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
info( " default: don't use any search list");
|
2021-08-12 15:42:43 +02:00
|
|
|
else
|
|
|
|
|
info( " default: use search list from /etc/resolv.conf");
|
|
|
|
|
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
if (strstr(name, "pasta"))
|
2022-10-11 00:41:47 +02:00
|
|
|
info(" --dhcp-dns \tPass DNS list via DHCP/DHCPv6/NDP");
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
else
|
2022-10-11 00:41:47 +02:00
|
|
|
info(" --no-dhcp-dns No DNS list in DHCP/DHCPv6/NDP");
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
|
|
|
|
|
if (strstr(name, "pasta"))
|
2022-10-11 00:41:47 +02:00
|
|
|
info(" --dhcp-search Pass list via DHCP/DHCPv6/NDP");
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
else
|
2022-10-11 00:41:47 +02:00
|
|
|
info(" --no-dhcp-search No list in DHCP/DHCPv6/NDP");
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
|
|
|
|
|
info( " --dns-forward ADDR Forward DNS queries sent to ADDR");
|
|
|
|
|
info( " can be specified zero to two times (for IPv4 and IPv6)");
|
|
|
|
|
info( " default: don't forward DNS queries");
|
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " --no-tcp Disable TCP protocol handler");
|
|
|
|
|
info( " --no-udp Disable UDP protocol handler");
|
|
|
|
|
info( " --no-icmp Disable ICMP/ICMPv6 protocol handler");
|
|
|
|
|
info( " --no-dhcp Disable DHCP server");
|
|
|
|
|
info( " --no-ndp Disable NDP responses");
|
|
|
|
|
info( " --no-dhcpv6 Disable DHCPv6 server");
|
|
|
|
|
info( " --no-ra Disable router advertisements");
|
2021-10-14 05:26:37 +02:00
|
|
|
info( " --no-map-gw Don't map gateway address to host");
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " -4, --ipv4-only Enable IPv4 operation only");
|
|
|
|
|
info( " -6, --ipv6-only Enable IPv6 operation only");
|
|
|
|
|
|
2022-02-17 01:41:28 +01:00
|
|
|
if (strstr(name, "pasta"))
|
2021-09-29 16:11:06 +02:00
|
|
|
goto pasta_opts;
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2022-10-07 04:01:56 +02:00
|
|
|
info( " -1, --one-off Quit after handling one single client");
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " -t, --tcp-ports SPEC TCP port forwarding to guest");
|
|
|
|
|
info( " can be specified multiple times");
|
|
|
|
|
info( " SPEC can be:");
|
|
|
|
|
info( " 'none': don't forward any ports");
|
|
|
|
|
info( " 'all': forward all unbound, non-ephemeral ports");
|
2021-08-19 19:46:01 +02:00
|
|
|
info( " a comma-separated list, optionally ranged with '-'");
|
2022-05-01 06:36:34 +02:00
|
|
|
info( " and optional target ports after ':', with optional");
|
2022-10-07 04:53:40 +02:00
|
|
|
info( " address specification suffixed by '/' and optional");
|
|
|
|
|
info( " interface prefixed by '%%'. Ranges can be reduced by");
|
|
|
|
|
info( " excluding ports or ranges prefixed by '~'");
|
2022-07-13 08:05:01 +02:00
|
|
|
info( " Examples:");
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " -t 22 Forward local port 22 to 22 on guest");
|
|
|
|
|
info( " -t 22:23 Forward local port 22 to 23 on guest");
|
|
|
|
|
info( " -t 22,25 Forward ports 22, 25 to ports 22, 25");
|
|
|
|
|
info( " -t 22-80 Forward ports 22 to 80");
|
|
|
|
|
info( " -t 22-80:32-90 Forward ports 22 to 80 to");
|
|
|
|
|
info( " corresponding port numbers plus 10");
|
2022-05-01 06:36:34 +02:00
|
|
|
info( " -t 192.0.2.1/5 Bind port 5 of 192.0.2.1 to guest");
|
2022-07-13 08:05:01 +02:00
|
|
|
info( " -t 5-25,~10-20 Forward ports 5 to 9, and 21 to 25");
|
|
|
|
|
info( " -t ~25 Forward all ports except for 25");
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " default: none");
|
|
|
|
|
info( " -u, --udp-ports SPEC UDP port forwarding to guest");
|
|
|
|
|
info( " SPEC is as described for TCP above");
|
|
|
|
|
info( " default: none");
|
|
|
|
|
|
|
|
|
|
exit(EXIT_FAILURE);
|
|
|
|
|
|
2021-09-29 16:11:06 +02:00
|
|
|
pasta_opts:
|
2022-10-07 04:53:40 +02:00
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " -t, --tcp-ports SPEC TCP port forwarding to namespace");
|
|
|
|
|
info( " can be specified multiple times");
|
|
|
|
|
info( " SPEC can be:");
|
|
|
|
|
info( " 'none': don't forward any ports");
|
|
|
|
|
info( " 'auto': forward all ports currently bound in namespace");
|
2021-08-19 19:46:01 +02:00
|
|
|
info( " a comma-separated list, optionally ranged with '-'");
|
2022-05-01 06:36:34 +02:00
|
|
|
info( " and optional target ports after ':', with optional");
|
2022-10-07 04:53:40 +02:00
|
|
|
info( " address specification suffixed by '/' and optional");
|
|
|
|
|
info( " interface prefixed by '%%'. Examples:");
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " -t 22 Forward local port 22 to port 22 in netns");
|
|
|
|
|
info( " -t 22:23 Forward local port 22 to port 23");
|
|
|
|
|
info( " -t 22,25 Forward ports 22, 25 to ports 22, 25");
|
|
|
|
|
info( " -t 22-80 Forward ports 22 to 80");
|
|
|
|
|
info( " -t 22-80:32-90 Forward ports 22 to 80 to");
|
|
|
|
|
info( " corresponding port numbers plus 10");
|
2022-05-01 06:36:34 +02:00
|
|
|
info( " -t 192.0.2.1/5 Bind port 5 of 192.0.2.1 to namespace");
|
2022-07-13 08:05:01 +02:00
|
|
|
info( " -t 5-25,~10-20 Forward ports 5 to 9, and 21 to 25");
|
|
|
|
|
info( " -t ~25 Forward all bound ports except for 25");
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " default: auto");
|
|
|
|
|
info( " IPv6 bound ports are also forwarded for IPv4");
|
|
|
|
|
info( " -u, --udp-ports SPEC UDP port forwarding to namespace");
|
|
|
|
|
info( " SPEC is as described for TCP above");
|
|
|
|
|
info( " default: auto");
|
2021-09-07 11:28:57 +02:00
|
|
|
info( " IPv6 bound ports are also forwarded for IPv4");
|
|
|
|
|
info( " unless specified, with '-t auto', UDP ports with numbers");
|
|
|
|
|
info( " corresponding to forwarded TCP port numbers are");
|
|
|
|
|
info( " forwarded too");
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " -T, --tcp-ns SPEC TCP port forwarding to init namespace");
|
|
|
|
|
info( " SPEC is as described above");
|
|
|
|
|
info( " default: auto");
|
|
|
|
|
info( " -U, --udp-ns SPEC UDP port forwarding to init namespace");
|
|
|
|
|
info( " SPEC is as described above");
|
|
|
|
|
info( " default: auto");
|
2021-09-29 16:11:06 +02:00
|
|
|
info( " --userns NSPATH Target user namespace to join");
|
2022-08-26 06:58:38 +02:00
|
|
|
info( " --netns PATH|NAME Target network namespace to join");
|
passt, pasta: Namespace-based sandboxing, defer seccomp policy application
To reach (at least) a conceptually equivalent security level as
implemented by --enable-sandbox in slirp4netns, we need to create a
new mount namespace and pivot_root() into a new (empty) mountpoint, so
that passt and pasta can't access any filesystem resource after
initialisation.
While at it, also detach IPC, PID (only for passt, to prevent
vulnerabilities based on the knowledge of a target PID), and UTS
namespaces.
With this approach, if we apply the seccomp filters right after the
configuration step, the number of allowed syscalls grows further. To
prevent this, defer the application of seccomp policies after the
initialisation phase, before the main loop, that's where we expect bad
things to happen, potentially. This way, we get back to 22 allowed
syscalls for passt and 34 for pasta, on x86_64.
While at it, move #syscalls notes to specific code paths wherever it
conceptually makes sense.
We have to open all the file handles we'll ever need before
sandboxing:
- the packet capture file can only be opened once, drop instance
numbers from the default path and use the (pre-sandbox) PID instead
- /proc/net/tcp{,v6} and /proc/net/udp{,v6}, for automatic detection
of bound ports in pasta mode, are now opened only once, before
sandboxing, and their handles are stored in the execution context
- the UNIX domain socket for passt is also bound only once, before
sandboxing: to reject clients after the first one, instead of
closing the listening socket, keep it open, accept and immediately
discard new connection if we already have a valid one
Clarify the (unchanged) behaviour for --netns-only in the man page.
To actually make passt and pasta processes run in a separate PID
namespace, we need to unshare(CLONE_NEWPID) before forking to
background (if configured to do so). Introduce a small daemon()
implementation, __daemon(), that additionally saves the PID file
before forking. While running in foreground, the process itself can't
move to a new PID namespace (a process can't change the notion of its
own PID): mention that in the man page.
For some reason, fork() in a detached PID namespace causes SIGTERM
and SIGQUIT to be ignored, even if the handler is still reported as
SIG_DFL: add a signal handler that just exits.
We can now drop most of the pasta_child_handler() implementation,
that took care of terminating all processes running in the same
namespace, if pasta started a shell: the shell itself is now the
init process in that namespace, and all children will terminate
once the init process exits.
Issuing 'echo $$' in a detached PID namespace won't return the
actual namespace PID as seen from the init namespace: adapt
demo and test setup scripts to reflect that.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-07 21:11:37 +01:00
|
|
|
info( " --netns-only Don't join existing user namespace");
|
2021-09-29 16:11:06 +02:00
|
|
|
info( " implied if PATH or NAME are given without --userns");
|
2022-10-07 05:01:21 +02:00
|
|
|
info( " --no-netns-quit Don't quit if filesystem-bound target");
|
|
|
|
|
info( " network namespace is deleted");
|
2021-10-11 12:01:31 +02:00
|
|
|
info( " --config-net Configure tap interface in namespace");
|
2023-05-14 15:04:38 +02:00
|
|
|
info( " --no-copy-routes DEPRECATED:");
|
|
|
|
|
info( " Don't copy all routes to namespace");
|
2021-10-11 12:01:31 +02:00
|
|
|
info( " --ns-mac-addr ADDR Set MAC address on tap interface");
|
2021-08-12 15:42:43 +02:00
|
|
|
|
|
|
|
|
exit(EXIT_FAILURE);
|
|
|
|
|
}
|
|
|
|
|
|
2022-03-26 07:23:21 +01:00
|
|
|
/**
|
|
|
|
|
* conf_print() - Print fundamental configuration parameters
|
|
|
|
|
* @c: Execution context
|
|
|
|
|
*/
|
|
|
|
|
static void conf_print(const struct ctx *c)
|
2021-08-12 15:42:43 +02:00
|
|
|
{
|
conf, icmp, tcp, udp: Add options to bind to outbound address and interface
I didn't notice earlier: libslirp (and slirp4netns) supports binding
outbound sockets to specific IPv4 and IPv6 addresses, to force the
source addresse selection. If we want to claim feature parity, we
should implement that as well.
Further, Podman supports specifying outbound interfaces as well, but
this is simply done by resolving the primary address for an interface
when the network back-end is started. However, since kernel version
5.7, commit c427bfec18f2 ("net: core: enable SO_BINDTODEVICE for
non-root users"), we can actually bind to a specific interface name,
which doesn't need to be validated in advance.
Implement -o / --outbound ADDR to bind to IPv4 and IPv6 addresses,
and --outbound-if4 and --outbound-if6 to bind IPv4 and IPv6 sockets
to given interfaces.
Given that it probably makes little sense to select addresses and
routes from interfaces different than the ones given for outbound
sockets, also assign those as "template" interfaces, by default,
unless explicitly overridden by '-i'.
For ICMP and UDP, we call sock_l4() to open outbound sockets, as we
already needed to bind to given ports or echo identifiers, and we
can bind() a socket only once: there, pass address (if any) and
interface (if any) for the existing bind() and setsockopt() calls.
For TCP, in general, we wouldn't otherwise bind sockets. Add a
specific helper to do that.
For UDP outbound sockets, we need to know if the final destination
of the socket is a loopback address, before we decide whether it
makes sense to bind the socket at all: move the block mangling the
address destination before the creation of the socket in the IPv4
path. This was already the case for the IPv6 path.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2023-03-08 03:29:51 +01:00
|
|
|
char buf4[INET_ADDRSTRLEN], buf6[INET6_ADDRSTRLEN], ifn[IFNAMSIZ];
|
2021-08-12 15:42:43 +02:00
|
|
|
int i;
|
|
|
|
|
|
2023-03-07 19:23:18 +01:00
|
|
|
info("Template interface: %s%s%s%s%s",
|
|
|
|
|
c->ifi4 ? if_indextoname(c->ifi4, ifn) : "",
|
|
|
|
|
c->ifi4 ? " (IPv4)" : "",
|
|
|
|
|
(c->ifi4 && c->ifi6) ? ", " : "",
|
|
|
|
|
c->ifi6 ? if_indextoname(c->ifi6, ifn) : "",
|
|
|
|
|
c->ifi6 ? " (IPv6)" : "");
|
|
|
|
|
|
conf, icmp, tcp, udp: Add options to bind to outbound address and interface
I didn't notice earlier: libslirp (and slirp4netns) supports binding
outbound sockets to specific IPv4 and IPv6 addresses, to force the
source addresse selection. If we want to claim feature parity, we
should implement that as well.
Further, Podman supports specifying outbound interfaces as well, but
this is simply done by resolving the primary address for an interface
when the network back-end is started. However, since kernel version
5.7, commit c427bfec18f2 ("net: core: enable SO_BINDTODEVICE for
non-root users"), we can actually bind to a specific interface name,
which doesn't need to be validated in advance.
Implement -o / --outbound ADDR to bind to IPv4 and IPv6 addresses,
and --outbound-if4 and --outbound-if6 to bind IPv4 and IPv6 sockets
to given interfaces.
Given that it probably makes little sense to select addresses and
routes from interfaces different than the ones given for outbound
sockets, also assign those as "template" interfaces, by default,
unless explicitly overridden by '-i'.
For ICMP and UDP, we call sock_l4() to open outbound sockets, as we
already needed to bind to given ports or echo identifiers, and we
can bind() a socket only once: there, pass address (if any) and
interface (if any) for the existing bind() and setsockopt() calls.
For TCP, in general, we wouldn't otherwise bind sockets. Add a
specific helper to do that.
For UDP outbound sockets, we need to know if the final destination
of the socket is a loopback address, before we decide whether it
makes sense to bind the socket at all: move the block mangling the
address destination before the creation of the socket in the IPv4
path. This was already the case for the IPv6 path.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2023-03-08 03:29:51 +01:00
|
|
|
if (*c->ip4.ifname_out || *c->ip6.ifname_out) {
|
|
|
|
|
info("Outbound interface: %s%s%s%s%s",
|
|
|
|
|
*c->ip4.ifname_out ? c->ip4.ifname_out : "",
|
|
|
|
|
*c->ip4.ifname_out ? " (IPv4)" : "",
|
|
|
|
|
(*c->ip4.ifname_out && *c->ip6.ifname_out) ? ", " : "",
|
|
|
|
|
*c->ip6.ifname_out ? c->ip6.ifname_out : "",
|
|
|
|
|
*c->ip6.ifname_out ? " (IPv6)" : "");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!IN4_IS_ADDR_UNSPECIFIED(&c->ip4.addr_out) ||
|
|
|
|
|
!IN6_IS_ADDR_UNSPECIFIED(&c->ip6.addr_out)) {
|
|
|
|
|
info("Outbound address: %s%s%s",
|
|
|
|
|
IN4_IS_ADDR_UNSPECIFIED(&c->ip4.addr_out) ? "" :
|
|
|
|
|
inet_ntop(AF_INET, &c->ip4.addr_out, buf4, sizeof(buf4)),
|
|
|
|
|
(!IN4_IS_ADDR_UNSPECIFIED(&c->ip4.addr_out) &&
|
|
|
|
|
!IN6_IS_ADDR_UNSPECIFIED(&c->ip6.addr_out)) ? ", " : "",
|
|
|
|
|
IN6_IS_ADDR_UNSPECIFIED(&c->ip6.addr_out) ? "" :
|
|
|
|
|
inet_ntop(AF_INET6, &c->ip6.addr_out, buf6, sizeof(buf6)));
|
|
|
|
|
}
|
|
|
|
|
|
2022-07-22 07:31:12 +02:00
|
|
|
if (c->mode == MODE_PASTA)
|
|
|
|
|
info("Namespace interface: %s", c->pasta_ifn);
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2022-07-22 07:31:14 +02:00
|
|
|
info("MAC:");
|
|
|
|
|
info(" host: %02x:%02x:%02x:%02x:%02x:%02x",
|
|
|
|
|
c->mac[0], c->mac[1], c->mac[2],
|
|
|
|
|
c->mac[3], c->mac[4], c->mac[5]);
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2022-07-22 07:31:17 +02:00
|
|
|
if (c->ifi4) {
|
2021-08-12 15:42:43 +02:00
|
|
|
if (!c->no_dhcp) {
|
2022-11-09 18:35:17 +01:00
|
|
|
uint32_t mask;
|
|
|
|
|
|
|
|
|
|
mask = htonl(0xffffffff << (32 - c->ip4.prefix_len));
|
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
info("DHCP:");
|
|
|
|
|
info(" assign: %s",
|
2022-07-22 07:31:18 +02:00
|
|
|
inet_ntop(AF_INET, &c->ip4.addr, buf4, sizeof(buf4)));
|
2021-08-12 15:42:43 +02:00
|
|
|
info(" mask: %s",
|
2022-11-04 04:10:33 +01:00
|
|
|
inet_ntop(AF_INET, &mask, buf4, sizeof(buf4)));
|
2021-08-12 15:42:43 +02:00
|
|
|
info(" router: %s",
|
2022-07-22 07:31:18 +02:00
|
|
|
inet_ntop(AF_INET, &c->ip4.gw, buf4, sizeof(buf4)));
|
2021-08-12 15:42:43 +02:00
|
|
|
}
|
|
|
|
|
|
conf, udp: Drop mostly duplicated dns_send arrays, rename related fields
Given that we use just the first valid DNS resolver address
configured, or read from resolv.conf(5) on the host, to forward DNS
queries to, in case --dns-forward is used, we don't need to duplicate
dns[] to dns_send[]:
- rename dns_send[] back to dns[]: those are the resolvers we
advertise to the guest/container
- for forwarding purposes, instead of dns[], use a single field (for
each protocol version): dns_host
- and rename dns_fwd to dns_match, so that it's clear this is the
address we are matching DNS queries against, to decide if they need
to be forwarded
Suggested-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2022-11-10 20:30:03 +01:00
|
|
|
for (i = 0; !IN4_IS_ADDR_UNSPECIFIED(&c->ip4.dns[i]); i++) {
|
2021-08-12 15:42:43 +02:00
|
|
|
if (!i)
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
info("DNS:");
|
conf, udp: Drop mostly duplicated dns_send arrays, rename related fields
Given that we use just the first valid DNS resolver address
configured, or read from resolv.conf(5) on the host, to forward DNS
queries to, in case --dns-forward is used, we don't need to duplicate
dns[] to dns_send[]:
- rename dns_send[] back to dns[]: those are the resolvers we
advertise to the guest/container
- for forwarding purposes, instead of dns[], use a single field (for
each protocol version): dns_host
- and rename dns_fwd to dns_match, so that it's clear this is the
address we are matching DNS queries against, to decide if they need
to be forwarded
Suggested-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2022-11-10 20:30:03 +01:00
|
|
|
inet_ntop(AF_INET, &c->ip4.dns[i], buf4, sizeof(buf4));
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
info(" %s", buf4);
|
2021-08-12 15:42:43 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for (i = 0; *c->dns_search[i].n; i++) {
|
|
|
|
|
if (!i)
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
info("DNS search list:");
|
|
|
|
|
info(" %s", c->dns_search[i].n);
|
2021-08-12 15:42:43 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-07-22 07:31:17 +02:00
|
|
|
if (c->ifi6) {
|
2021-08-12 15:42:43 +02:00
|
|
|
if (!c->no_ndp && !c->no_dhcpv6)
|
|
|
|
|
info("NDP/DHCPv6:");
|
|
|
|
|
else if (!c->no_ndp)
|
|
|
|
|
info("DHCPv6:");
|
|
|
|
|
else if (!c->no_dhcpv6)
|
|
|
|
|
info("NDP:");
|
|
|
|
|
else
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
goto dns6;
|
2021-08-12 15:42:43 +02:00
|
|
|
|
|
|
|
|
info(" assign: %s",
|
2022-07-22 07:31:18 +02:00
|
|
|
inet_ntop(AF_INET6, &c->ip6.addr, buf6, sizeof(buf6)));
|
2021-08-12 15:42:43 +02:00
|
|
|
info(" router: %s",
|
2022-07-22 07:31:18 +02:00
|
|
|
inet_ntop(AF_INET6, &c->ip6.gw, buf6, sizeof(buf6)));
|
2021-10-10 01:09:25 +02:00
|
|
|
info(" our link-local: %s",
|
2022-07-22 07:31:18 +02:00
|
|
|
inet_ntop(AF_INET6, &c->ip6.addr_ll, buf6, sizeof(buf6)));
|
2021-08-12 15:42:43 +02:00
|
|
|
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
dns6:
|
conf, udp: Drop mostly duplicated dns_send arrays, rename related fields
Given that we use just the first valid DNS resolver address
configured, or read from resolv.conf(5) on the host, to forward DNS
queries to, in case --dns-forward is used, we don't need to duplicate
dns[] to dns_send[]:
- rename dns_send[] back to dns[]: those are the resolvers we
advertise to the guest/container
- for forwarding purposes, instead of dns[], use a single field (for
each protocol version): dns_host
- and rename dns_fwd to dns_match, so that it's clear this is the
address we are matching DNS queries against, to decide if they need
to be forwarded
Suggested-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2022-11-10 20:30:03 +01:00
|
|
|
for (i = 0; !IN6_IS_ADDR_UNSPECIFIED(&c->ip6.dns[i]); i++) {
|
2021-08-12 15:42:43 +02:00
|
|
|
if (!i)
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
info("DNS:");
|
2022-07-22 07:31:18 +02:00
|
|
|
inet_ntop(AF_INET6, &c->ip6.dns[i], buf6, sizeof(buf6));
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
info(" %s", buf6);
|
2021-08-12 15:42:43 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for (i = 0; *c->dns_search[i].n; i++) {
|
|
|
|
|
if (!i)
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
info("DNS search list:");
|
|
|
|
|
info(" %s", c->dns_search[i].n);
|
2021-08-12 15:42:43 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-18 19:10:45 +02:00
|
|
|
/**
|
|
|
|
|
* conf_runas() - Handle --runas: look up desired UID and GID
|
|
|
|
|
* @opt: Passed option value
|
|
|
|
|
* @uid: User ID, set on return if valid
|
|
|
|
|
* @gid: Group ID, set on return if valid
|
|
|
|
|
*
|
|
|
|
|
* Return: 0 on success, negative error code on failure
|
|
|
|
|
*/
|
2022-09-28 06:33:18 +02:00
|
|
|
static int conf_runas(char *opt, unsigned int *uid, unsigned int *gid)
|
2022-05-18 19:10:45 +02:00
|
|
|
{
|
2022-09-28 06:33:18 +02:00
|
|
|
const char *uopt, *gopt = NULL;
|
|
|
|
|
char *sep = strchr(opt, ':');
|
|
|
|
|
char *endptr;
|
2022-05-18 19:10:45 +02:00
|
|
|
|
2022-09-28 06:33:18 +02:00
|
|
|
if (sep) {
|
|
|
|
|
*sep = '\0';
|
|
|
|
|
gopt = sep + 1;
|
|
|
|
|
}
|
|
|
|
|
uopt = opt;
|
2022-05-18 19:10:45 +02:00
|
|
|
|
2022-09-28 06:33:18 +02:00
|
|
|
*gid = *uid = strtol(uopt, &endptr, 0);
|
|
|
|
|
if (*endptr) {
|
|
|
|
|
#ifndef GLIBC_NO_STATIC_NSS
|
|
|
|
|
/* Not numeric, look up as a username */
|
|
|
|
|
struct passwd *pw;
|
|
|
|
|
/* cppcheck-suppress getpwnamCalled */
|
|
|
|
|
if (!(pw = getpwnam(uopt)) || !(*uid = pw->pw_uid))
|
2022-05-18 19:10:45 +02:00
|
|
|
return -ENOENT;
|
2022-09-28 06:33:18 +02:00
|
|
|
*gid = pw->pw_gid;
|
|
|
|
|
#else
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
#endif
|
|
|
|
|
}
|
2022-05-18 19:10:45 +02:00
|
|
|
|
2022-09-28 06:33:18 +02:00
|
|
|
if (!gopt)
|
2022-05-18 19:10:45 +02:00
|
|
|
return 0;
|
|
|
|
|
|
2022-09-28 06:33:18 +02:00
|
|
|
*gid = strtol(gopt, &endptr, 0);
|
|
|
|
|
if (*endptr) {
|
|
|
|
|
#ifndef GLIBC_NO_STATIC_NSS
|
|
|
|
|
/* Not numeric, look up as a group name */
|
|
|
|
|
struct group *gr;
|
|
|
|
|
/* cppcheck-suppress getgrnamCalled */
|
|
|
|
|
if (!(gr = getgrnam(gopt)))
|
|
|
|
|
return -ENOENT;
|
|
|
|
|
*gid = gr->gr_gid;
|
|
|
|
|
#else
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
#endif
|
|
|
|
|
}
|
2022-05-18 19:10:45 +02:00
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-12 14:24:01 +02:00
|
|
|
/**
|
|
|
|
|
* conf_ugid() - Determine UID and GID to run as
|
|
|
|
|
* @runas: --runas option, may be NULL
|
|
|
|
|
* @uid: User ID, set on success
|
|
|
|
|
* @gid: Group ID, set on success
|
|
|
|
|
*/
|
2023-02-15 09:24:34 +01:00
|
|
|
static void conf_ugid(char *runas, uid_t *uid, gid_t *gid)
|
2022-09-12 14:24:01 +02:00
|
|
|
{
|
|
|
|
|
/* If user has specified --runas, that takes precedence... */
|
|
|
|
|
if (runas) {
|
2023-02-15 09:24:34 +01:00
|
|
|
if (conf_runas(runas, uid, gid))
|
|
|
|
|
die("Invalid --runas option: %s", runas);
|
|
|
|
|
return;
|
2022-09-12 14:24:01 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* ...otherwise default to current user and group... */
|
|
|
|
|
*uid = geteuid();
|
|
|
|
|
*gid = getegid();
|
|
|
|
|
|
|
|
|
|
/* ...as long as it's not root... */
|
|
|
|
|
if (*uid)
|
2023-02-15 09:24:34 +01:00
|
|
|
return;
|
2022-09-12 14:24:01 +02:00
|
|
|
|
|
|
|
|
/* ...or at least not root in the init namespace... */
|
2023-05-21 14:47:07 +02:00
|
|
|
if (!ns_is_init())
|
2023-02-15 09:24:34 +01:00
|
|
|
return;
|
2022-09-12 14:24:01 +02:00
|
|
|
|
|
|
|
|
/* ...otherwise use nobody:nobody */
|
|
|
|
|
warn("Don't run as root. Changing to nobody...");
|
2022-09-28 06:33:18 +02:00
|
|
|
{
|
2022-09-12 14:24:01 +02:00
|
|
|
#ifndef GLIBC_NO_STATIC_NSS
|
2022-09-28 06:33:18 +02:00
|
|
|
struct passwd *pw;
|
|
|
|
|
/* cppcheck-suppress getpwnamCalled */
|
|
|
|
|
pw = getpwnam("nobody");
|
|
|
|
|
if (!pw) {
|
|
|
|
|
perror("getpwnam");
|
|
|
|
|
exit(EXIT_FAILURE);
|
|
|
|
|
}
|
2022-09-12 14:24:01 +02:00
|
|
|
|
2022-09-28 06:33:18 +02:00
|
|
|
*uid = pw->pw_uid;
|
|
|
|
|
*gid = pw->pw_gid;
|
2022-09-12 14:24:01 +02:00
|
|
|
#else
|
2022-09-28 06:33:18 +02:00
|
|
|
/* Common value for 'nobody', not really specified */
|
|
|
|
|
*uid = *gid = 65534;
|
2022-09-12 14:24:01 +02:00
|
|
|
#endif
|
2022-09-28 06:33:18 +02:00
|
|
|
}
|
2022-09-12 14:24:01 +02:00
|
|
|
}
|
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
/**
|
|
|
|
|
* conf() - Process command-line arguments and set configuration
|
|
|
|
|
* @c: Execution context
|
|
|
|
|
* @argc: Argument count
|
|
|
|
|
* @argv: Options, plus target PID for pasta mode
|
|
|
|
|
*/
|
|
|
|
|
void conf(struct ctx *c, int argc, char **argv)
|
|
|
|
|
{
|
2022-09-12 14:24:07 +02:00
|
|
|
int netns_only = 0;
|
2021-08-12 15:42:43 +02:00
|
|
|
struct option options[] = {
|
|
|
|
|
{"debug", no_argument, NULL, 'd' },
|
2021-10-07 04:07:59 +02:00
|
|
|
{"quiet", no_argument, NULL, 'q' },
|
2021-08-12 15:42:43 +02:00
|
|
|
{"foreground", no_argument, NULL, 'f' },
|
2022-01-27 16:42:19 +01:00
|
|
|
{"stderr", no_argument, NULL, 'e' },
|
2022-10-06 14:51:04 +02:00
|
|
|
{"log-file", required_argument, NULL, 'l' },
|
2021-08-12 15:42:43 +02:00
|
|
|
{"help", no_argument, NULL, 'h' },
|
|
|
|
|
{"socket", required_argument, NULL, 's' },
|
2022-11-17 19:49:34 +01:00
|
|
|
{"fd", required_argument, NULL, 'F' },
|
2021-08-12 15:42:43 +02:00
|
|
|
{"ns-ifname", required_argument, NULL, 'I' },
|
2022-08-26 06:58:32 +02:00
|
|
|
{"pcap", required_argument, NULL, 'p' },
|
2021-10-14 12:17:47 +02:00
|
|
|
{"pid", required_argument, NULL, 'P' },
|
2021-08-12 15:42:43 +02:00
|
|
|
{"mtu", required_argument, NULL, 'm' },
|
|
|
|
|
{"address", required_argument, NULL, 'a' },
|
|
|
|
|
{"netmask", required_argument, NULL, 'n' },
|
|
|
|
|
{"mac-addr", required_argument, NULL, 'M' },
|
|
|
|
|
{"gateway", required_argument, NULL, 'g' },
|
|
|
|
|
{"interface", required_argument, NULL, 'i' },
|
conf, icmp, tcp, udp: Add options to bind to outbound address and interface
I didn't notice earlier: libslirp (and slirp4netns) supports binding
outbound sockets to specific IPv4 and IPv6 addresses, to force the
source addresse selection. If we want to claim feature parity, we
should implement that as well.
Further, Podman supports specifying outbound interfaces as well, but
this is simply done by resolving the primary address for an interface
when the network back-end is started. However, since kernel version
5.7, commit c427bfec18f2 ("net: core: enable SO_BINDTODEVICE for
non-root users"), we can actually bind to a specific interface name,
which doesn't need to be validated in advance.
Implement -o / --outbound ADDR to bind to IPv4 and IPv6 addresses,
and --outbound-if4 and --outbound-if6 to bind IPv4 and IPv6 sockets
to given interfaces.
Given that it probably makes little sense to select addresses and
routes from interfaces different than the ones given for outbound
sockets, also assign those as "template" interfaces, by default,
unless explicitly overridden by '-i'.
For ICMP and UDP, we call sock_l4() to open outbound sockets, as we
already needed to bind to given ports or echo identifiers, and we
can bind() a socket only once: there, pass address (if any) and
interface (if any) for the existing bind() and setsockopt() calls.
For TCP, in general, we wouldn't otherwise bind sockets. Add a
specific helper to do that.
For UDP outbound sockets, we need to know if the final destination
of the socket is a loopback address, before we decide whether it
makes sense to bind the socket at all: move the block mangling the
address destination before the creation of the socket in the IPv4
path. This was already the case for the IPv6 path.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2023-03-08 03:29:51 +01:00
|
|
|
{"outbound", required_argument, NULL, 'o' },
|
2022-08-26 06:58:33 +02:00
|
|
|
{"dns", required_argument, NULL, 'D' },
|
|
|
|
|
{"search", required_argument, NULL, 'S' },
|
2021-08-12 15:42:43 +02:00
|
|
|
{"no-tcp", no_argument, &c->no_tcp, 1 },
|
|
|
|
|
{"no-udp", no_argument, &c->no_udp, 1 },
|
|
|
|
|
{"no-icmp", no_argument, &c->no_icmp, 1 },
|
|
|
|
|
{"no-dhcp", no_argument, &c->no_dhcp, 1 },
|
|
|
|
|
{"no-dhcpv6", no_argument, &c->no_dhcpv6, 1 },
|
|
|
|
|
{"no-ndp", no_argument, &c->no_ndp, 1 },
|
|
|
|
|
{"no-ra", no_argument, &c->no_ra, 1 },
|
2021-10-14 05:26:37 +02:00
|
|
|
{"no-map-gw", no_argument, &c->no_map_gw, 1 },
|
2022-07-22 07:31:16 +02:00
|
|
|
{"ipv4-only", no_argument, NULL, '4' },
|
|
|
|
|
{"ipv6-only", no_argument, NULL, '6' },
|
2022-10-07 04:01:56 +02:00
|
|
|
{"one-off", no_argument, NULL, '1' },
|
2021-08-12 15:42:43 +02:00
|
|
|
{"tcp-ports", required_argument, NULL, 't' },
|
|
|
|
|
{"udp-ports", required_argument, NULL, 'u' },
|
|
|
|
|
{"tcp-ns", required_argument, NULL, 'T' },
|
|
|
|
|
{"udp-ns", required_argument, NULL, 'U' },
|
2021-09-29 16:11:06 +02:00
|
|
|
{"userns", required_argument, NULL, 2 },
|
2022-08-26 06:58:38 +02:00
|
|
|
{"netns", required_argument, NULL, 3 },
|
2022-09-12 14:24:07 +02:00
|
|
|
{"netns-only", no_argument, &netns_only, 1 },
|
2021-10-11 12:01:31 +02:00
|
|
|
{"ns-mac-addr", required_argument, NULL, 4 },
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
{"dhcp-dns", no_argument, NULL, 5 },
|
|
|
|
|
{"no-dhcp-dns", no_argument, NULL, 6 },
|
|
|
|
|
{"dhcp-search", no_argument, NULL, 7 },
|
|
|
|
|
{"no-dhcp-search", no_argument, NULL, 8 },
|
|
|
|
|
{"dns-forward", required_argument, NULL, 9 },
|
2022-02-18 16:12:11 +01:00
|
|
|
{"no-netns-quit", no_argument, NULL, 10 },
|
2022-03-15 00:59:09 +01:00
|
|
|
{"trace", no_argument, NULL, 11 },
|
2022-05-18 19:10:45 +02:00
|
|
|
{"runas", required_argument, NULL, 12 },
|
2022-10-06 14:51:04 +02:00
|
|
|
{"log-size", required_argument, NULL, 13 },
|
2022-10-10 10:35:47 +02:00
|
|
|
{"version", no_argument, NULL, 14 },
|
conf, icmp, tcp, udp: Add options to bind to outbound address and interface
I didn't notice earlier: libslirp (and slirp4netns) supports binding
outbound sockets to specific IPv4 and IPv6 addresses, to force the
source addresse selection. If we want to claim feature parity, we
should implement that as well.
Further, Podman supports specifying outbound interfaces as well, but
this is simply done by resolving the primary address for an interface
when the network back-end is started. However, since kernel version
5.7, commit c427bfec18f2 ("net: core: enable SO_BINDTODEVICE for
non-root users"), we can actually bind to a specific interface name,
which doesn't need to be validated in advance.
Implement -o / --outbound ADDR to bind to IPv4 and IPv6 addresses,
and --outbound-if4 and --outbound-if6 to bind IPv4 and IPv6 sockets
to given interfaces.
Given that it probably makes little sense to select addresses and
routes from interfaces different than the ones given for outbound
sockets, also assign those as "template" interfaces, by default,
unless explicitly overridden by '-i'.
For ICMP and UDP, we call sock_l4() to open outbound sockets, as we
already needed to bind to given ports or echo identifiers, and we
can bind() a socket only once: there, pass address (if any) and
interface (if any) for the existing bind() and setsockopt() calls.
For TCP, in general, we wouldn't otherwise bind sockets. Add a
specific helper to do that.
For UDP outbound sockets, we need to know if the final destination
of the socket is a loopback address, before we decide whether it
makes sense to bind the socket at all: move the block mangling the
address destination before the creation of the socket in the IPv4
path. This was already the case for the IPv6 path.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2023-03-08 03:29:51 +01:00
|
|
|
{"outbound-if4", required_argument, NULL, 15 },
|
|
|
|
|
{"outbound-if6", required_argument, NULL, 16 },
|
2023-05-14 14:14:29 +02:00
|
|
|
{"config-net", no_argument, NULL, 17 },
|
2023-05-14 15:04:38 +02:00
|
|
|
{"no-copy-routes", no_argument, NULL, 18 },
|
2021-08-12 15:42:43 +02:00
|
|
|
{ 0 },
|
|
|
|
|
};
|
|
|
|
|
struct get_bound_ports_ns_arg ns_ports_arg = { .c = c };
|
More deterministic detection of whether argument is a PID, PATH or NAME
pasta takes as its only non-option argument either a PID to attach to the
namespaces of, a PATH to a network namespace or a NAME of a network
namespace (relative to /run/netns). Currently to determine which it is
we try all 3 in that order, and if anything goes wrong we move onto the
next.
This has the potential to cause very confusing failure modes. e.g. if the
argument is intended to be a network namespace name, but a (non-namespace)
file of the same name exists in the current directory.
Make behaviour more predictable by choosing how to treat the argument based
only on the argument's contents, not anything else on the system:
- If it's a decimal integer treat it as a PID
- Otherwise, if it has no '/' characters, treat it as a netns name
(ip-netns doesn't allow '/' in netns names)
- Otherwise, treat it as a netns path
If you want to open a persistent netns in the current directory, you can
use './netns'.
This also allows us to split the parsing of the PID|PATH|NAME option from
the actual opening of the namespaces. In turn that allows us to put the
opening of existing namespaces next to the opening of new namespaces in
pasta_start_ns. That makes the logical flow easier to follow and will
enable later cleanups.
Caveats:
- The separation of functions mean we will always generate the basename
and dirname for the netns_quit system, even when using PID namespaces.
This is pointless, since the netns_quit system doesn't work for non
persistent namespaces, but is harmless.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2022-08-26 06:58:37 +02:00
|
|
|
char userns[PATH_MAX] = { 0 }, netns[PATH_MAX] = { 0 };
|
2022-07-22 07:31:16 +02:00
|
|
|
bool v4_only = false, v6_only = false;
|
2022-10-06 14:51:04 +02:00
|
|
|
char *runas = NULL, *logfile = NULL;
|
2022-07-22 07:31:18 +02:00
|
|
|
struct in6_addr *dns6 = c->ip6.dns;
|
2021-08-12 15:42:43 +02:00
|
|
|
struct fqdn *dnss = c->dns_search;
|
2022-11-04 04:10:35 +01:00
|
|
|
struct in_addr *dns4 = c->ip4.dns;
|
conf, icmp, tcp, udp: Add options to bind to outbound address and interface
I didn't notice earlier: libslirp (and slirp4netns) supports binding
outbound sockets to specific IPv4 and IPv6 addresses, to force the
source addresse selection. If we want to claim feature parity, we
should implement that as well.
Further, Podman supports specifying outbound interfaces as well, but
this is simply done by resolving the primary address for an interface
when the network back-end is started. However, since kernel version
5.7, commit c427bfec18f2 ("net: core: enable SO_BINDTODEVICE for
non-root users"), we can actually bind to a specific interface name,
which doesn't need to be validated in advance.
Implement -o / --outbound ADDR to bind to IPv4 and IPv6 addresses,
and --outbound-if4 and --outbound-if6 to bind IPv4 and IPv6 sockets
to given interfaces.
Given that it probably makes little sense to select addresses and
routes from interfaces different than the ones given for outbound
sockets, also assign those as "template" interfaces, by default,
unless explicitly overridden by '-i'.
For ICMP and UDP, we call sock_l4() to open outbound sockets, as we
already needed to bind to given ports or echo identifiers, and we
can bind() a socket only once: there, pass address (if any) and
interface (if any) for the existing bind() and setsockopt() calls.
For TCP, in general, we wouldn't otherwise bind sockets. Add a
specific helper to do that.
For UDP outbound sockets, we need to know if the final destination
of the socket is a loopback address, before we decide whether it
makes sense to bind the socket at all: move the block mangling the
address destination before the creation of the socket in the IPv4
path. This was already the case for the IPv6 path.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2023-03-08 03:29:51 +01:00
|
|
|
unsigned int ifi4 = 0, ifi6 = 0;
|
2022-10-06 12:55:03 +02:00
|
|
|
const char *optstring;
|
2022-11-04 04:10:33 +01:00
|
|
|
int name, ret, b, i;
|
2022-10-06 14:51:04 +02:00
|
|
|
size_t logsize = 0;
|
2022-09-12 14:24:01 +02:00
|
|
|
uid_t uid;
|
|
|
|
|
gid_t gid;
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2022-10-06 12:55:03 +02:00
|
|
|
if (c->mode == MODE_PASTA) {
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
c->no_dhcp_dns = c->no_dhcp_dns_search = 1;
|
conf, icmp, tcp, udp: Add options to bind to outbound address and interface
I didn't notice earlier: libslirp (and slirp4netns) supports binding
outbound sockets to specific IPv4 and IPv6 addresses, to force the
source addresse selection. If we want to claim feature parity, we
should implement that as well.
Further, Podman supports specifying outbound interfaces as well, but
this is simply done by resolving the primary address for an interface
when the network back-end is started. However, since kernel version
5.7, commit c427bfec18f2 ("net: core: enable SO_BINDTODEVICE for
non-root users"), we can actually bind to a specific interface name,
which doesn't need to be validated in advance.
Implement -o / --outbound ADDR to bind to IPv4 and IPv6 addresses,
and --outbound-if4 and --outbound-if6 to bind IPv4 and IPv6 sockets
to given interfaces.
Given that it probably makes little sense to select addresses and
routes from interfaces different than the ones given for outbound
sockets, also assign those as "template" interfaces, by default,
unless explicitly overridden by '-i'.
For ICMP and UDP, we call sock_l4() to open outbound sockets, as we
already needed to bind to given ports or echo identifiers, and we
can bind() a socket only once: there, pass address (if any) and
interface (if any) for the existing bind() and setsockopt() calls.
For TCP, in general, we wouldn't otherwise bind sockets. Add a
specific helper to do that.
For UDP outbound sockets, we need to know if the final destination
of the socket is a loopback address, before we decide whether it
makes sense to bind the socket at all: move the block mangling the
address destination before the creation of the socket in the IPv4
path. This was already the case for the IPv6 path.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2023-03-08 03:29:51 +01:00
|
|
|
optstring = "dqfel:hF:I:p:P:m:a:n:M:g:i:o:D:S:46t:u:T:U:";
|
2022-10-06 12:55:03 +02:00
|
|
|
} else {
|
conf, icmp, tcp, udp: Add options to bind to outbound address and interface
I didn't notice earlier: libslirp (and slirp4netns) supports binding
outbound sockets to specific IPv4 and IPv6 addresses, to force the
source addresse selection. If we want to claim feature parity, we
should implement that as well.
Further, Podman supports specifying outbound interfaces as well, but
this is simply done by resolving the primary address for an interface
when the network back-end is started. However, since kernel version
5.7, commit c427bfec18f2 ("net: core: enable SO_BINDTODEVICE for
non-root users"), we can actually bind to a specific interface name,
which doesn't need to be validated in advance.
Implement -o / --outbound ADDR to bind to IPv4 and IPv6 addresses,
and --outbound-if4 and --outbound-if6 to bind IPv4 and IPv6 sockets
to given interfaces.
Given that it probably makes little sense to select addresses and
routes from interfaces different than the ones given for outbound
sockets, also assign those as "template" interfaces, by default,
unless explicitly overridden by '-i'.
For ICMP and UDP, we call sock_l4() to open outbound sockets, as we
already needed to bind to given ports or echo identifiers, and we
can bind() a socket only once: there, pass address (if any) and
interface (if any) for the existing bind() and setsockopt() calls.
For TCP, in general, we wouldn't otherwise bind sockets. Add a
specific helper to do that.
For UDP outbound sockets, we need to know if the final destination
of the socket is a loopback address, before we decide whether it
makes sense to bind the socket at all: move the block mangling the
address destination before the creation of the socket in the IPv4
path. This was already the case for the IPv6 path.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2023-03-08 03:29:51 +01:00
|
|
|
optstring = "dqfel:hs:F:p:P:m:a:n:M:g:i:o:D:S:461t:u:";
|
2022-10-06 12:55:03 +02:00
|
|
|
}
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
|
2022-09-24 11:08:17 +02:00
|
|
|
c->tcp.fwd_in.mode = c->tcp.fwd_out.mode = 0;
|
|
|
|
|
c->udp.fwd_in.f.mode = c->udp.fwd_out.f.mode = 0;
|
2022-09-24 11:08:16 +02:00
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
do {
|
|
|
|
|
name = getopt_long(argc, argv, optstring, options, NULL);
|
|
|
|
|
|
|
|
|
|
switch (name) {
|
|
|
|
|
case -1:
|
|
|
|
|
case 0:
|
|
|
|
|
break;
|
2021-09-29 16:11:06 +02:00
|
|
|
case 2:
|
2023-02-15 09:24:31 +01:00
|
|
|
if (c->mode != MODE_PASTA)
|
|
|
|
|
die("--userns is for pasta mode only");
|
2021-09-29 16:11:06 +02:00
|
|
|
|
|
|
|
|
ret = snprintf(userns, sizeof(userns), "%s", optarg);
|
2023-02-15 09:24:31 +01:00
|
|
|
if (ret <= 0 || ret >= (int)sizeof(userns))
|
|
|
|
|
die("Invalid userns: %s", optarg);
|
|
|
|
|
|
2021-09-29 16:11:06 +02:00
|
|
|
break;
|
2022-08-26 06:58:38 +02:00
|
|
|
case 3:
|
2023-02-15 09:24:31 +01:00
|
|
|
if (c->mode != MODE_PASTA)
|
|
|
|
|
die("--netns is for pasta mode only");
|
2022-08-26 06:58:38 +02:00
|
|
|
|
2023-02-15 09:24:35 +01:00
|
|
|
conf_netns_opt(netns, optarg);
|
2022-08-26 06:58:38 +02:00
|
|
|
break;
|
2021-10-11 12:01:31 +02:00
|
|
|
case 4:
|
2023-02-15 09:24:31 +01:00
|
|
|
if (c->mode != MODE_PASTA)
|
|
|
|
|
die("--ns-mac-addr is for pasta mode only");
|
2021-10-11 12:01:31 +02:00
|
|
|
|
|
|
|
|
for (i = 0; i < ETH_ALEN; i++) {
|
|
|
|
|
errno = 0;
|
2022-01-30 02:59:12 +01:00
|
|
|
b = strtol(optarg + (intptr_t)i * 3, NULL, 16);
|
2023-02-15 09:24:31 +01:00
|
|
|
if (b < 0 || b > UCHAR_MAX || errno)
|
|
|
|
|
die("Invalid MAC address: %s", optarg);
|
|
|
|
|
|
2021-10-11 12:01:31 +02:00
|
|
|
c->mac_guest[i] = b;
|
|
|
|
|
}
|
|
|
|
|
break;
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
case 5:
|
2023-02-15 09:24:31 +01:00
|
|
|
if (c->mode != MODE_PASTA)
|
|
|
|
|
die("--dhcp-dns is for pasta mode only");
|
|
|
|
|
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
c->no_dhcp_dns = 0;
|
|
|
|
|
break;
|
|
|
|
|
case 6:
|
2023-02-15 09:24:31 +01:00
|
|
|
if (c->mode != MODE_PASST)
|
|
|
|
|
die("--no-dhcp-dns is for passt mode only");
|
|
|
|
|
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
c->no_dhcp_dns = 1;
|
|
|
|
|
break;
|
|
|
|
|
case 7:
|
2023-02-15 09:24:31 +01:00
|
|
|
if (c->mode != MODE_PASTA)
|
|
|
|
|
die("--dhcp-search is for pasta mode only");
|
|
|
|
|
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
c->no_dhcp_dns_search = 0;
|
|
|
|
|
break;
|
|
|
|
|
case 8:
|
2023-02-15 09:24:31 +01:00
|
|
|
if (c->mode != MODE_PASST)
|
|
|
|
|
die("--no-dhcp-search is for passt mode only");
|
|
|
|
|
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
c->no_dhcp_dns_search = 1;
|
|
|
|
|
break;
|
|
|
|
|
case 9:
|
conf, udp: Drop mostly duplicated dns_send arrays, rename related fields
Given that we use just the first valid DNS resolver address
configured, or read from resolv.conf(5) on the host, to forward DNS
queries to, in case --dns-forward is used, we don't need to duplicate
dns[] to dns_send[]:
- rename dns_send[] back to dns[]: those are the resolvers we
advertise to the guest/container
- for forwarding purposes, instead of dns[], use a single field (for
each protocol version): dns_host
- and rename dns_fwd to dns_match, so that it's clear this is the
address we are matching DNS queries against, to decide if they need
to be forwarded
Suggested-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2022-11-10 20:30:03 +01:00
|
|
|
if (IN6_IS_ADDR_UNSPECIFIED(&c->ip6.dns_match) &&
|
|
|
|
|
inet_pton(AF_INET6, optarg, &c->ip6.dns_match) &&
|
|
|
|
|
!IN6_IS_ADDR_UNSPECIFIED(&c->ip6.dns_match) &&
|
|
|
|
|
!IN6_IS_ADDR_LOOPBACK(&c->ip6.dns_match))
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
break;
|
|
|
|
|
|
conf, udp: Drop mostly duplicated dns_send arrays, rename related fields
Given that we use just the first valid DNS resolver address
configured, or read from resolv.conf(5) on the host, to forward DNS
queries to, in case --dns-forward is used, we don't need to duplicate
dns[] to dns_send[]:
- rename dns_send[] back to dns[]: those are the resolvers we
advertise to the guest/container
- for forwarding purposes, instead of dns[], use a single field (for
each protocol version): dns_host
- and rename dns_fwd to dns_match, so that it's clear this is the
address we are matching DNS queries against, to decide if they need
to be forwarded
Suggested-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2022-11-10 20:30:03 +01:00
|
|
|
if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.dns_match) &&
|
|
|
|
|
inet_pton(AF_INET, optarg, &c->ip4.dns_match) &&
|
|
|
|
|
!IN4_IS_ADDR_UNSPECIFIED(&c->ip4.dns_match) &&
|
|
|
|
|
!IN4_IS_ADDR_BROADCAST(&c->ip4.dns_match) &&
|
|
|
|
|
!IN4_IS_ADDR_LOOPBACK(&c->ip4.dns_match))
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
break;
|
|
|
|
|
|
2023-02-15 09:24:31 +01:00
|
|
|
die("Invalid DNS forwarding address: %s", optarg);
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
break;
|
2022-02-18 16:12:11 +01:00
|
|
|
case 10:
|
2023-02-15 09:24:31 +01:00
|
|
|
if (c->mode != MODE_PASTA)
|
|
|
|
|
die("--no-netns-quit is for pasta mode only");
|
|
|
|
|
|
2022-02-18 16:12:11 +01:00
|
|
|
c->no_netns_quit = 1;
|
|
|
|
|
break;
|
2022-03-15 00:59:09 +01:00
|
|
|
case 11:
|
2023-02-15 09:24:31 +01:00
|
|
|
if (c->trace)
|
|
|
|
|
die("Multiple --trace options given");
|
2022-03-15 00:59:09 +01:00
|
|
|
|
2023-02-15 09:24:31 +01:00
|
|
|
if (c->quiet)
|
|
|
|
|
die("Either --trace or --quiet");
|
2022-03-15 00:59:09 +01:00
|
|
|
|
2022-10-26 16:48:42 +02:00
|
|
|
c->trace = c->debug = 1;
|
2022-03-15 00:59:09 +01:00
|
|
|
break;
|
2022-05-18 19:10:45 +02:00
|
|
|
case 12:
|
2023-02-15 09:24:31 +01:00
|
|
|
if (runas)
|
|
|
|
|
die("Multiple --runas options given");
|
2022-05-18 19:10:45 +02:00
|
|
|
|
2022-09-12 14:24:01 +02:00
|
|
|
runas = optarg;
|
2022-05-18 19:10:45 +02:00
|
|
|
break;
|
2022-10-06 14:51:04 +02:00
|
|
|
case 13:
|
2023-02-15 09:24:31 +01:00
|
|
|
if (logsize)
|
|
|
|
|
die("Multiple --log-size options given");
|
2022-10-06 14:51:04 +02:00
|
|
|
|
|
|
|
|
errno = 0;
|
|
|
|
|
logsize = strtol(optarg, NULL, 0);
|
|
|
|
|
|
2023-02-15 09:24:31 +01:00
|
|
|
if (logsize < LOGFILE_SIZE_MIN || errno)
|
|
|
|
|
die("Invalid --log-size: %s", optarg);
|
|
|
|
|
|
2022-10-06 14:51:04 +02:00
|
|
|
break;
|
2022-10-10 10:35:47 +02:00
|
|
|
case 14:
|
|
|
|
|
fprintf(stdout,
|
|
|
|
|
c->mode == MODE_PASST ? "passt " : "pasta ");
|
|
|
|
|
fprintf(stdout, VERSION_BLOB);
|
|
|
|
|
exit(EXIT_SUCCESS);
|
conf, icmp, tcp, udp: Add options to bind to outbound address and interface
I didn't notice earlier: libslirp (and slirp4netns) supports binding
outbound sockets to specific IPv4 and IPv6 addresses, to force the
source addresse selection. If we want to claim feature parity, we
should implement that as well.
Further, Podman supports specifying outbound interfaces as well, but
this is simply done by resolving the primary address for an interface
when the network back-end is started. However, since kernel version
5.7, commit c427bfec18f2 ("net: core: enable SO_BINDTODEVICE for
non-root users"), we can actually bind to a specific interface name,
which doesn't need to be validated in advance.
Implement -o / --outbound ADDR to bind to IPv4 and IPv6 addresses,
and --outbound-if4 and --outbound-if6 to bind IPv4 and IPv6 sockets
to given interfaces.
Given that it probably makes little sense to select addresses and
routes from interfaces different than the ones given for outbound
sockets, also assign those as "template" interfaces, by default,
unless explicitly overridden by '-i'.
For ICMP and UDP, we call sock_l4() to open outbound sockets, as we
already needed to bind to given ports or echo identifiers, and we
can bind() a socket only once: there, pass address (if any) and
interface (if any) for the existing bind() and setsockopt() calls.
For TCP, in general, we wouldn't otherwise bind sockets. Add a
specific helper to do that.
For UDP outbound sockets, we need to know if the final destination
of the socket is a loopback address, before we decide whether it
makes sense to bind the socket at all: move the block mangling the
address destination before the creation of the socket in the IPv4
path. This was already the case for the IPv6 path.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2023-03-08 03:29:51 +01:00
|
|
|
case 15:
|
|
|
|
|
if (*c->ip4.ifname_out)
|
|
|
|
|
die("Redundant outbound interface: %s", optarg);
|
|
|
|
|
|
|
|
|
|
ret = snprintf(c->ip4.ifname_out,
|
|
|
|
|
sizeof(c->ip4.ifname_out), "%s", optarg);
|
|
|
|
|
if (ret <= 0 || ret >= (int)sizeof(c->ip4.ifname_out))
|
|
|
|
|
die("Invalid interface name: %s", optarg);
|
|
|
|
|
|
|
|
|
|
break;
|
|
|
|
|
case 16:
|
|
|
|
|
if (*c->ip6.ifname_out)
|
|
|
|
|
die("Redundant outbound interface: %s", optarg);
|
|
|
|
|
|
|
|
|
|
ret = snprintf(c->ip6.ifname_out,
|
|
|
|
|
sizeof(c->ip6.ifname_out), "%s", optarg);
|
|
|
|
|
if (ret <= 0 || ret >= (int)sizeof(c->ip6.ifname_out))
|
|
|
|
|
die("Invalid interface name: %s", optarg);
|
|
|
|
|
|
2023-05-14 14:14:29 +02:00
|
|
|
break;
|
|
|
|
|
case 17:
|
|
|
|
|
if (c->mode != MODE_PASTA)
|
|
|
|
|
die("--config-net is for pasta mode only");
|
|
|
|
|
|
|
|
|
|
c->pasta_conf_ns = 1;
|
conf, icmp, tcp, udp: Add options to bind to outbound address and interface
I didn't notice earlier: libslirp (and slirp4netns) supports binding
outbound sockets to specific IPv4 and IPv6 addresses, to force the
source addresse selection. If we want to claim feature parity, we
should implement that as well.
Further, Podman supports specifying outbound interfaces as well, but
this is simply done by resolving the primary address for an interface
when the network back-end is started. However, since kernel version
5.7, commit c427bfec18f2 ("net: core: enable SO_BINDTODEVICE for
non-root users"), we can actually bind to a specific interface name,
which doesn't need to be validated in advance.
Implement -o / --outbound ADDR to bind to IPv4 and IPv6 addresses,
and --outbound-if4 and --outbound-if6 to bind IPv4 and IPv6 sockets
to given interfaces.
Given that it probably makes little sense to select addresses and
routes from interfaces different than the ones given for outbound
sockets, also assign those as "template" interfaces, by default,
unless explicitly overridden by '-i'.
For ICMP and UDP, we call sock_l4() to open outbound sockets, as we
already needed to bind to given ports or echo identifiers, and we
can bind() a socket only once: there, pass address (if any) and
interface (if any) for the existing bind() and setsockopt() calls.
For TCP, in general, we wouldn't otherwise bind sockets. Add a
specific helper to do that.
For UDP outbound sockets, we need to know if the final destination
of the socket is a loopback address, before we decide whether it
makes sense to bind the socket at all: move the block mangling the
address destination before the creation of the socket in the IPv4
path. This was already the case for the IPv6 path.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2023-03-08 03:29:51 +01:00
|
|
|
break;
|
2023-05-14 15:04:38 +02:00
|
|
|
case 18:
|
|
|
|
|
if (c->mode != MODE_PASTA)
|
|
|
|
|
die("--no-copy-routes is for pasta mode only");
|
|
|
|
|
|
|
|
|
|
warn("--no-copy-routes will be dropped soon");
|
|
|
|
|
c->no_copy_routes = 1;
|
|
|
|
|
break;
|
2021-08-12 15:42:43 +02:00
|
|
|
case 'd':
|
2023-02-15 09:24:31 +01:00
|
|
|
if (c->debug)
|
|
|
|
|
die("Multiple --debug options given");
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2023-02-15 09:24:31 +01:00
|
|
|
if (c->quiet)
|
|
|
|
|
die("Either --debug or --quiet");
|
2021-08-12 15:42:43 +02:00
|
|
|
|
|
|
|
|
c->debug = 1;
|
|
|
|
|
break;
|
2022-01-27 16:42:19 +01:00
|
|
|
case 'e':
|
2023-02-15 09:24:31 +01:00
|
|
|
if (logfile)
|
|
|
|
|
die("Can't log to both file and stderr");
|
2022-10-06 14:51:04 +02:00
|
|
|
|
2023-03-08 03:47:45 +01:00
|
|
|
if (c->force_stderr)
|
2023-02-15 09:24:31 +01:00
|
|
|
die("Multiple --stderr options given");
|
2022-01-27 16:42:19 +01:00
|
|
|
|
2023-03-08 03:47:45 +01:00
|
|
|
c->force_stderr = 1;
|
2022-01-27 16:42:19 +01:00
|
|
|
break;
|
2022-10-06 14:51:04 +02:00
|
|
|
case 'l':
|
2023-03-08 03:47:45 +01:00
|
|
|
if (c->force_stderr)
|
2023-02-15 09:24:31 +01:00
|
|
|
die("Can't log to both stderr and file");
|
2022-10-06 14:51:04 +02:00
|
|
|
|
2023-02-15 09:24:31 +01:00
|
|
|
if (logfile)
|
|
|
|
|
die("Multiple --log-file options given");
|
2022-10-06 14:51:04 +02:00
|
|
|
|
|
|
|
|
logfile = optarg;
|
|
|
|
|
break;
|
2021-08-12 15:42:43 +02:00
|
|
|
case 'q':
|
2023-02-15 09:24:31 +01:00
|
|
|
if (c->quiet)
|
|
|
|
|
die("Multiple --quiet options given");
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2023-02-15 09:24:31 +01:00
|
|
|
if (c->debug)
|
|
|
|
|
die("Either --debug or --quiet");
|
2021-08-12 15:42:43 +02:00
|
|
|
|
|
|
|
|
c->quiet = 1;
|
|
|
|
|
break;
|
|
|
|
|
case 'f':
|
2023-02-15 09:24:31 +01:00
|
|
|
if (c->foreground)
|
|
|
|
|
die("Multiple --foreground options given");
|
2021-08-12 15:42:43 +02:00
|
|
|
|
|
|
|
|
c->foreground = 1;
|
|
|
|
|
break;
|
|
|
|
|
case 's':
|
2023-02-15 09:24:31 +01:00
|
|
|
if (*c->sock_path)
|
|
|
|
|
die("Multiple --socket options given");
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2022-04-05 12:33:31 +02:00
|
|
|
ret = snprintf(c->sock_path, UNIX_SOCK_MAX - 1, "%s",
|
2021-08-12 15:42:43 +02:00
|
|
|
optarg);
|
2023-02-15 09:24:31 +01:00
|
|
|
if (ret <= 0 || ret >= (int)sizeof(c->sock_path))
|
|
|
|
|
die("Invalid socket path: %s", optarg);
|
|
|
|
|
|
2022-11-17 19:49:34 +01:00
|
|
|
break;
|
|
|
|
|
case 'F':
|
2023-02-15 09:24:31 +01:00
|
|
|
if (c->fd_tap >= 0)
|
|
|
|
|
die("Multiple --fd options given");
|
2022-11-17 19:49:34 +01:00
|
|
|
|
|
|
|
|
errno = 0;
|
|
|
|
|
c->fd_tap = strtol(optarg, NULL, 0);
|
|
|
|
|
|
2023-02-15 09:24:31 +01:00
|
|
|
if (c->fd_tap < 0 || errno)
|
|
|
|
|
die("Invalid --fd: %s", optarg);
|
2022-11-17 19:49:34 +01:00
|
|
|
|
|
|
|
|
c->one_off = true;
|
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
break;
|
|
|
|
|
case 'I':
|
2023-02-15 09:24:31 +01:00
|
|
|
if (*c->pasta_ifn)
|
|
|
|
|
die("Multiple --ns-ifname options given");
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2022-04-05 12:33:31 +02:00
|
|
|
ret = snprintf(c->pasta_ifn, IFNAMSIZ - 1, "%s",
|
2021-08-12 15:42:43 +02:00
|
|
|
optarg);
|
2023-02-15 09:24:31 +01:00
|
|
|
if (ret <= 0 || ret >= IFNAMSIZ - 1)
|
|
|
|
|
die("Invalid interface name: %s", optarg);
|
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
break;
|
|
|
|
|
case 'p':
|
2023-02-15 09:24:31 +01:00
|
|
|
if (*c->pcap)
|
|
|
|
|
die("Multiple --pcap options given");
|
2021-08-12 15:42:43 +02:00
|
|
|
|
|
|
|
|
ret = snprintf(c->pcap, sizeof(c->pcap), "%s", optarg);
|
2023-02-15 09:24:31 +01:00
|
|
|
if (ret <= 0 || ret >= (int)sizeof(c->pcap))
|
|
|
|
|
die("Invalid pcap path: %s", optarg);
|
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
break;
|
2021-10-14 12:17:47 +02:00
|
|
|
case 'P':
|
2023-02-15 09:24:31 +01:00
|
|
|
if (*c->pid_file)
|
|
|
|
|
die("Multiple --pid options given");
|
2021-10-14 12:17:47 +02:00
|
|
|
|
|
|
|
|
ret = snprintf(c->pid_file, sizeof(c->pid_file), "%s",
|
|
|
|
|
optarg);
|
2023-02-15 09:24:31 +01:00
|
|
|
if (ret <= 0 || ret >= (int)sizeof(c->pid_file))
|
|
|
|
|
die("Invalid PID file: %s", optarg);
|
|
|
|
|
|
2021-10-14 12:17:47 +02:00
|
|
|
break;
|
2021-08-12 15:42:43 +02:00
|
|
|
case 'm':
|
2023-02-15 09:24:31 +01:00
|
|
|
if (c->mtu)
|
|
|
|
|
die("Multiple --mtu options given");
|
2021-08-12 15:42:43 +02:00
|
|
|
|
|
|
|
|
errno = 0;
|
|
|
|
|
c->mtu = strtol(optarg, NULL, 0);
|
2021-09-07 11:19:57 +02:00
|
|
|
|
|
|
|
|
if (!c->mtu) {
|
|
|
|
|
c->mtu = -1;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
if (c->mtu < ETH_MIN_MTU || c->mtu > (int)ETH_MAX_MTU ||
|
2023-02-15 09:24:31 +01:00
|
|
|
errno)
|
|
|
|
|
die("Invalid MTU: %s", optarg);
|
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
break;
|
|
|
|
|
case 'a':
|
2022-07-22 07:31:18 +02:00
|
|
|
if (IN6_IS_ADDR_UNSPECIFIED(&c->ip6.addr) &&
|
|
|
|
|
inet_pton(AF_INET6, optarg, &c->ip6.addr) &&
|
|
|
|
|
!IN6_IS_ADDR_UNSPECIFIED(&c->ip6.addr) &&
|
|
|
|
|
!IN6_IS_ADDR_LOOPBACK(&c->ip6.addr) &&
|
|
|
|
|
!IN6_IS_ADDR_V4MAPPED(&c->ip6.addr) &&
|
|
|
|
|
!IN6_IS_ADDR_V4COMPAT(&c->ip6.addr) &&
|
|
|
|
|
!IN6_IS_ADDR_MULTICAST(&c->ip6.addr))
|
2021-08-12 15:42:43 +02:00
|
|
|
break;
|
|
|
|
|
|
2022-11-04 04:10:35 +01:00
|
|
|
if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.addr) &&
|
2022-07-22 07:31:18 +02:00
|
|
|
inet_pton(AF_INET, optarg, &c->ip4.addr) &&
|
2022-11-04 04:10:35 +01:00
|
|
|
!IN4_IS_ADDR_UNSPECIFIED(&c->ip4.addr) &&
|
|
|
|
|
!IN4_IS_ADDR_BROADCAST(&c->ip4.addr) &&
|
|
|
|
|
!IN4_IS_ADDR_LOOPBACK(&c->ip4.addr) &&
|
|
|
|
|
!IN4_IS_ADDR_MULTICAST(&c->ip4.addr))
|
2021-08-12 15:42:43 +02:00
|
|
|
break;
|
|
|
|
|
|
2023-02-15 09:24:31 +01:00
|
|
|
die("Invalid address: %s", optarg);
|
2021-08-12 15:42:43 +02:00
|
|
|
break;
|
|
|
|
|
case 'n':
|
2022-11-04 04:10:33 +01:00
|
|
|
c->ip4.prefix_len = conf_ip4_prefix(optarg);
|
2023-02-15 09:24:31 +01:00
|
|
|
if (c->ip4.prefix_len < 0)
|
|
|
|
|
die("Invalid netmask: %s", optarg);
|
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
break;
|
|
|
|
|
case 'M':
|
|
|
|
|
for (i = 0; i < ETH_ALEN; i++) {
|
|
|
|
|
errno = 0;
|
2022-01-30 02:59:12 +01:00
|
|
|
b = strtol(optarg + (intptr_t)i * 3, NULL, 16);
|
2023-02-15 09:24:31 +01:00
|
|
|
if (b < 0 || b > UCHAR_MAX || errno)
|
|
|
|
|
die("Invalid MAC address: %s", optarg);
|
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
c->mac[i] = b;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
case 'g':
|
2023-05-14 15:04:38 +02:00
|
|
|
if (c->mode == MODE_PASTA)
|
|
|
|
|
c->no_copy_routes = 1;
|
|
|
|
|
|
2022-07-22 07:31:18 +02:00
|
|
|
if (IN6_IS_ADDR_UNSPECIFIED(&c->ip6.gw) &&
|
|
|
|
|
inet_pton(AF_INET6, optarg, &c->ip6.gw) &&
|
|
|
|
|
!IN6_IS_ADDR_UNSPECIFIED(&c->ip6.gw) &&
|
|
|
|
|
!IN6_IS_ADDR_LOOPBACK(&c->ip6.gw))
|
2021-08-12 15:42:43 +02:00
|
|
|
break;
|
|
|
|
|
|
2022-11-04 04:10:35 +01:00
|
|
|
if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.gw) &&
|
2022-07-22 07:31:18 +02:00
|
|
|
inet_pton(AF_INET, optarg, &c->ip4.gw) &&
|
2022-11-04 04:10:35 +01:00
|
|
|
!IN4_IS_ADDR_UNSPECIFIED(&c->ip4.gw) &&
|
|
|
|
|
!IN4_IS_ADDR_BROADCAST(&c->ip4.gw) &&
|
|
|
|
|
!IN4_IS_ADDR_LOOPBACK(&c->ip4.gw))
|
2021-08-12 15:42:43 +02:00
|
|
|
break;
|
|
|
|
|
|
2023-02-15 09:24:31 +01:00
|
|
|
die("Invalid gateway address: %s", optarg);
|
2021-08-12 15:42:43 +02:00
|
|
|
break;
|
|
|
|
|
case 'i':
|
conf, icmp, tcp, udp: Add options to bind to outbound address and interface
I didn't notice earlier: libslirp (and slirp4netns) supports binding
outbound sockets to specific IPv4 and IPv6 addresses, to force the
source addresse selection. If we want to claim feature parity, we
should implement that as well.
Further, Podman supports specifying outbound interfaces as well, but
this is simply done by resolving the primary address for an interface
when the network back-end is started. However, since kernel version
5.7, commit c427bfec18f2 ("net: core: enable SO_BINDTODEVICE for
non-root users"), we can actually bind to a specific interface name,
which doesn't need to be validated in advance.
Implement -o / --outbound ADDR to bind to IPv4 and IPv6 addresses,
and --outbound-if4 and --outbound-if6 to bind IPv4 and IPv6 sockets
to given interfaces.
Given that it probably makes little sense to select addresses and
routes from interfaces different than the ones given for outbound
sockets, also assign those as "template" interfaces, by default,
unless explicitly overridden by '-i'.
For ICMP and UDP, we call sock_l4() to open outbound sockets, as we
already needed to bind to given ports or echo identifiers, and we
can bind() a socket only once: there, pass address (if any) and
interface (if any) for the existing bind() and setsockopt() calls.
For TCP, in general, we wouldn't otherwise bind sockets. Add a
specific helper to do that.
For UDP outbound sockets, we need to know if the final destination
of the socket is a loopback address, before we decide whether it
makes sense to bind the socket at all: move the block mangling the
address destination before the creation of the socket in the IPv4
path. This was already the case for the IPv6 path.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2023-03-08 03:29:51 +01:00
|
|
|
if (ifi4 || ifi6)
|
2023-02-15 09:24:31 +01:00
|
|
|
die("Redundant interface: %s", optarg);
|
2021-08-12 15:42:43 +02:00
|
|
|
|
conf, icmp, tcp, udp: Add options to bind to outbound address and interface
I didn't notice earlier: libslirp (and slirp4netns) supports binding
outbound sockets to specific IPv4 and IPv6 addresses, to force the
source addresse selection. If we want to claim feature parity, we
should implement that as well.
Further, Podman supports specifying outbound interfaces as well, but
this is simply done by resolving the primary address for an interface
when the network back-end is started. However, since kernel version
5.7, commit c427bfec18f2 ("net: core: enable SO_BINDTODEVICE for
non-root users"), we can actually bind to a specific interface name,
which doesn't need to be validated in advance.
Implement -o / --outbound ADDR to bind to IPv4 and IPv6 addresses,
and --outbound-if4 and --outbound-if6 to bind IPv4 and IPv6 sockets
to given interfaces.
Given that it probably makes little sense to select addresses and
routes from interfaces different than the ones given for outbound
sockets, also assign those as "template" interfaces, by default,
unless explicitly overridden by '-i'.
For ICMP and UDP, we call sock_l4() to open outbound sockets, as we
already needed to bind to given ports or echo identifiers, and we
can bind() a socket only once: there, pass address (if any) and
interface (if any) for the existing bind() and setsockopt() calls.
For TCP, in general, we wouldn't otherwise bind sockets. Add a
specific helper to do that.
For UDP outbound sockets, we need to know if the final destination
of the socket is a loopback address, before we decide whether it
makes sense to bind the socket at all: move the block mangling the
address destination before the creation of the socket in the IPv4
path. This was already the case for the IPv6 path.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2023-03-08 03:29:51 +01:00
|
|
|
if (!(ifi4 = ifi6 = if_nametoindex(optarg)))
|
2023-02-15 09:24:31 +01:00
|
|
|
die("Invalid interface name %s: %s", optarg,
|
2021-10-11 12:01:31 +02:00
|
|
|
strerror(errno));
|
2021-08-12 15:42:43 +02:00
|
|
|
break;
|
conf, icmp, tcp, udp: Add options to bind to outbound address and interface
I didn't notice earlier: libslirp (and slirp4netns) supports binding
outbound sockets to specific IPv4 and IPv6 addresses, to force the
source addresse selection. If we want to claim feature parity, we
should implement that as well.
Further, Podman supports specifying outbound interfaces as well, but
this is simply done by resolving the primary address for an interface
when the network back-end is started. However, since kernel version
5.7, commit c427bfec18f2 ("net: core: enable SO_BINDTODEVICE for
non-root users"), we can actually bind to a specific interface name,
which doesn't need to be validated in advance.
Implement -o / --outbound ADDR to bind to IPv4 and IPv6 addresses,
and --outbound-if4 and --outbound-if6 to bind IPv4 and IPv6 sockets
to given interfaces.
Given that it probably makes little sense to select addresses and
routes from interfaces different than the ones given for outbound
sockets, also assign those as "template" interfaces, by default,
unless explicitly overridden by '-i'.
For ICMP and UDP, we call sock_l4() to open outbound sockets, as we
already needed to bind to given ports or echo identifiers, and we
can bind() a socket only once: there, pass address (if any) and
interface (if any) for the existing bind() and setsockopt() calls.
For TCP, in general, we wouldn't otherwise bind sockets. Add a
specific helper to do that.
For UDP outbound sockets, we need to know if the final destination
of the socket is a loopback address, before we decide whether it
makes sense to bind the socket at all: move the block mangling the
address destination before the creation of the socket in the IPv4
path. This was already the case for the IPv6 path.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2023-03-08 03:29:51 +01:00
|
|
|
case 'o':
|
|
|
|
|
if (IN6_IS_ADDR_UNSPECIFIED(&c->ip6.addr_out) &&
|
|
|
|
|
inet_pton(AF_INET6, optarg, &c->ip6.addr_out) &&
|
|
|
|
|
!IN6_IS_ADDR_UNSPECIFIED(&c->ip6.addr_out) &&
|
|
|
|
|
!IN6_IS_ADDR_LOOPBACK(&c->ip6.addr_out) &&
|
|
|
|
|
!IN6_IS_ADDR_V4MAPPED(&c->ip6.addr_out) &&
|
|
|
|
|
!IN6_IS_ADDR_V4COMPAT(&c->ip6.addr_out) &&
|
|
|
|
|
!IN6_IS_ADDR_MULTICAST(&c->ip6.addr_out))
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.addr_out) &&
|
|
|
|
|
inet_pton(AF_INET, optarg, &c->ip4.addr_out) &&
|
|
|
|
|
!IN4_IS_ADDR_UNSPECIFIED(&c->ip4.addr_out) &&
|
|
|
|
|
!IN4_IS_ADDR_BROADCAST(&c->ip4.addr_out) &&
|
|
|
|
|
!IN4_IS_ADDR_MULTICAST(&c->ip4.addr_out))
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
die("Invalid or redundant outbound address: %s",
|
|
|
|
|
optarg);
|
|
|
|
|
break;
|
2021-08-12 15:42:43 +02:00
|
|
|
case 'D':
|
2022-08-26 06:58:33 +02:00
|
|
|
if (!strcmp(optarg, "none")) {
|
2023-02-15 09:24:31 +01:00
|
|
|
if (c->no_dns)
|
|
|
|
|
die("Redundant DNS options");
|
2022-08-26 06:58:33 +02:00
|
|
|
|
2023-02-15 09:24:31 +01:00
|
|
|
if (dns4 - c->ip4.dns || dns6 - c->ip6.dns)
|
|
|
|
|
die("Conflicting DNS options");
|
2021-08-12 15:42:43 +02:00
|
|
|
|
|
|
|
|
c->no_dns = 1;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2023-02-15 09:24:31 +01:00
|
|
|
if (c->no_dns)
|
|
|
|
|
die("Conflicting DNS options");
|
2022-08-26 06:58:33 +02:00
|
|
|
|
2022-07-22 07:31:18 +02:00
|
|
|
if (dns4 - &c->ip4.dns[0] < ARRAY_SIZE(c->ip4.dns) &&
|
2021-08-12 15:42:43 +02:00
|
|
|
inet_pton(AF_INET, optarg, dns4)) {
|
|
|
|
|
dns4++;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2022-07-22 07:31:18 +02:00
|
|
|
if (dns6 - &c->ip6.dns[0] < ARRAY_SIZE(c->ip6.dns) &&
|
2021-08-12 15:42:43 +02:00
|
|
|
inet_pton(AF_INET6, optarg, dns6)) {
|
|
|
|
|
dns6++;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2023-02-15 09:24:31 +01:00
|
|
|
die("Cannot use DNS address %s", optarg);
|
2021-08-12 15:42:43 +02:00
|
|
|
break;
|
|
|
|
|
case 'S':
|
2022-08-26 06:58:33 +02:00
|
|
|
if (!strcmp(optarg, "none")) {
|
2023-02-15 09:24:31 +01:00
|
|
|
if (c->no_dns_search)
|
|
|
|
|
die("Redundant DNS search options");
|
2022-08-26 06:58:33 +02:00
|
|
|
|
2023-02-15 09:24:31 +01:00
|
|
|
if (dnss != c->dns_search)
|
|
|
|
|
die("Conflicting DNS search options");
|
2021-08-12 15:42:43 +02:00
|
|
|
|
|
|
|
|
c->no_dns_search = 1;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2023-02-15 09:24:31 +01:00
|
|
|
if (c->no_dns_search)
|
|
|
|
|
die("Conflicting DNS search options");
|
2022-08-26 06:58:33 +02:00
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
if (dnss - c->dns_search < ARRAY_SIZE(c->dns_search)) {
|
|
|
|
|
ret = snprintf(dnss->n, sizeof(*c->dns_search),
|
|
|
|
|
"%s", optarg);
|
|
|
|
|
dnss++;
|
|
|
|
|
|
|
|
|
|
if (ret > 0 &&
|
|
|
|
|
ret < (int)sizeof(*c->dns_search))
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2023-02-15 09:24:31 +01:00
|
|
|
die("Cannot use DNS search domain %s", optarg);
|
2021-08-12 15:42:43 +02:00
|
|
|
break;
|
|
|
|
|
case '4':
|
2022-07-22 07:31:16 +02:00
|
|
|
v4_only = true;
|
2021-08-12 15:42:43 +02:00
|
|
|
break;
|
|
|
|
|
case '6':
|
2022-07-22 07:31:16 +02:00
|
|
|
v6_only = true;
|
2021-08-12 15:42:43 +02:00
|
|
|
break;
|
2022-10-07 04:01:56 +02:00
|
|
|
case '1':
|
2023-02-15 09:24:31 +01:00
|
|
|
if (c->mode != MODE_PASST)
|
|
|
|
|
die("--one-off is for passt mode only");
|
2022-10-07 04:01:56 +02:00
|
|
|
|
2023-02-15 09:24:31 +01:00
|
|
|
if (c->one_off)
|
|
|
|
|
die("Redundant --one-off option");
|
2022-10-07 04:01:56 +02:00
|
|
|
|
|
|
|
|
c->one_off = true;
|
|
|
|
|
break;
|
2021-08-12 15:42:43 +02:00
|
|
|
case 't':
|
|
|
|
|
case 'u':
|
|
|
|
|
case 'T':
|
|
|
|
|
case 'U':
|
2022-05-01 06:36:34 +02:00
|
|
|
/* Handle these later, once addresses are configured */
|
2021-08-12 15:42:43 +02:00
|
|
|
break;
|
2021-10-20 00:05:11 +02:00
|
|
|
case '?':
|
|
|
|
|
case 'h':
|
|
|
|
|
default:
|
|
|
|
|
usage(argv[0]);
|
|
|
|
|
break;
|
2021-08-12 15:42:43 +02:00
|
|
|
}
|
|
|
|
|
} while (name != -1);
|
|
|
|
|
|
2023-02-15 09:24:31 +01:00
|
|
|
if (v4_only && v6_only)
|
|
|
|
|
die("Options ipv4-only and ipv6-only are mutually exclusive");
|
conf: Bind inbound ports with CAP_NET_BIND_SERVICE before isolate_user()
Even if CAP_NET_BIND_SERVICE is granted, we'll lose the capability in
the target user namespace as we isolate the process, which means
we're unable to bind to low ports at that point.
Bind inbound ports, and only those, before isolate_user(). Keep the
handling of outbound ports (for pasta mode only) after the setup of
the namespace, because that's where we'll bind them.
To this end, initialise the netlink socket for the init namespace
before isolate_user() as well, as we actually need to know the
addresses of the upstream interface before binding ports, in case
they're not explicitly passed by the user.
As we now call nl_sock_init() twice, checking its return code from
conf() twice looks a bit heavy: make it exit(), instead, as we
can't do much if we don't have netlink sockets.
While at it:
- move the v4_only && v6_only options check just after the first
option processing loop, as this is more strictly related to
option parsing proper
- update the man page, explaining that CAP_NET_BIND_SERVICE is
*not* the preferred way to bind ports, because passt and pasta
can be abused to allow other processes to make effective usage
of it. Add a note about the recommended sysctl instead
- simplify nl_sock_init_do() now that it's called once for each
case
Reported-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-10-13 18:21:27 +02:00
|
|
|
|
2023-02-15 09:24:31 +01:00
|
|
|
if (*c->sock_path && c->fd_tap >= 0)
|
|
|
|
|
die("Options --socket and --fd are mutually exclusive");
|
2022-11-17 19:49:34 +01:00
|
|
|
|
2023-05-14 15:04:38 +02:00
|
|
|
if (c->mode == MODE_PASTA && c->no_copy_routes && !c->pasta_conf_ns)
|
|
|
|
|
die("Option --no-copy-routes needs --config-net");
|
|
|
|
|
|
conf, icmp, tcp, udp: Add options to bind to outbound address and interface
I didn't notice earlier: libslirp (and slirp4netns) supports binding
outbound sockets to specific IPv4 and IPv6 addresses, to force the
source addresse selection. If we want to claim feature parity, we
should implement that as well.
Further, Podman supports specifying outbound interfaces as well, but
this is simply done by resolving the primary address for an interface
when the network back-end is started. However, since kernel version
5.7, commit c427bfec18f2 ("net: core: enable SO_BINDTODEVICE for
non-root users"), we can actually bind to a specific interface name,
which doesn't need to be validated in advance.
Implement -o / --outbound ADDR to bind to IPv4 and IPv6 addresses,
and --outbound-if4 and --outbound-if6 to bind IPv4 and IPv6 sockets
to given interfaces.
Given that it probably makes little sense to select addresses and
routes from interfaces different than the ones given for outbound
sockets, also assign those as "template" interfaces, by default,
unless explicitly overridden by '-i'.
For ICMP and UDP, we call sock_l4() to open outbound sockets, as we
already needed to bind to given ports or echo identifiers, and we
can bind() a socket only once: there, pass address (if any) and
interface (if any) for the existing bind() and setsockopt() calls.
For TCP, in general, we wouldn't otherwise bind sockets. Add a
specific helper to do that.
For UDP outbound sockets, we need to know if the final destination
of the socket is a loopback address, before we decide whether it
makes sense to bind the socket at all: move the block mangling the
address destination before the creation of the socket in the IPv4
path. This was already the case for the IPv6 path.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2023-03-08 03:29:51 +01:00
|
|
|
if (!ifi4 && *c->ip4.ifname_out)
|
|
|
|
|
ifi4 = if_nametoindex(c->ip4.ifname_out);
|
|
|
|
|
|
|
|
|
|
if (!ifi6 && *c->ip6.ifname_out)
|
|
|
|
|
ifi6 = if_nametoindex(c->ip6.ifname_out);
|
|
|
|
|
|
2023-02-15 09:24:34 +01:00
|
|
|
conf_ugid(runas, &uid, &gid);
|
2022-09-12 14:24:01 +02:00
|
|
|
|
2022-10-06 14:51:04 +02:00
|
|
|
if (logfile) {
|
|
|
|
|
logfile_init(c->mode == MODE_PASST ? "passt" : "pasta",
|
|
|
|
|
logfile, logsize);
|
|
|
|
|
}
|
|
|
|
|
|
conf: Bind inbound ports with CAP_NET_BIND_SERVICE before isolate_user()
Even if CAP_NET_BIND_SERVICE is granted, we'll lose the capability in
the target user namespace as we isolate the process, which means
we're unable to bind to low ports at that point.
Bind inbound ports, and only those, before isolate_user(). Keep the
handling of outbound ports (for pasta mode only) after the setup of
the namespace, because that's where we'll bind them.
To this end, initialise the netlink socket for the init namespace
before isolate_user() as well, as we actually need to know the
addresses of the upstream interface before binding ports, in case
they're not explicitly passed by the user.
As we now call nl_sock_init() twice, checking its return code from
conf() twice looks a bit heavy: make it exit(), instead, as we
can't do much if we don't have netlink sockets.
While at it:
- move the v4_only && v6_only options check just after the first
option processing loop, as this is more strictly related to
option parsing proper
- update the man page, explaining that CAP_NET_BIND_SERVICE is
*not* the preferred way to bind ports, because passt and pasta
can be abused to allow other processes to make effective usage
of it. Add a note about the recommended sysctl instead
- simplify nl_sock_init_do() now that it's called once for each
case
Reported-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-10-13 18:21:27 +02:00
|
|
|
nl_sock_init(c, false);
|
|
|
|
|
if (!v6_only)
|
conf, icmp, tcp, udp: Add options to bind to outbound address and interface
I didn't notice earlier: libslirp (and slirp4netns) supports binding
outbound sockets to specific IPv4 and IPv6 addresses, to force the
source addresse selection. If we want to claim feature parity, we
should implement that as well.
Further, Podman supports specifying outbound interfaces as well, but
this is simply done by resolving the primary address for an interface
when the network back-end is started. However, since kernel version
5.7, commit c427bfec18f2 ("net: core: enable SO_BINDTODEVICE for
non-root users"), we can actually bind to a specific interface name,
which doesn't need to be validated in advance.
Implement -o / --outbound ADDR to bind to IPv4 and IPv6 addresses,
and --outbound-if4 and --outbound-if6 to bind IPv4 and IPv6 sockets
to given interfaces.
Given that it probably makes little sense to select addresses and
routes from interfaces different than the ones given for outbound
sockets, also assign those as "template" interfaces, by default,
unless explicitly overridden by '-i'.
For ICMP and UDP, we call sock_l4() to open outbound sockets, as we
already needed to bind to given ports or echo identifiers, and we
can bind() a socket only once: there, pass address (if any) and
interface (if any) for the existing bind() and setsockopt() calls.
For TCP, in general, we wouldn't otherwise bind sockets. Add a
specific helper to do that.
For UDP outbound sockets, we need to know if the final destination
of the socket is a loopback address, before we decide whether it
makes sense to bind the socket at all: move the block mangling the
address destination before the creation of the socket in the IPv4
path. This was already the case for the IPv6 path.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2023-03-08 03:29:51 +01:00
|
|
|
c->ifi4 = conf_ip4(ifi4, &c->ip4, c->mac);
|
conf: Bind inbound ports with CAP_NET_BIND_SERVICE before isolate_user()
Even if CAP_NET_BIND_SERVICE is granted, we'll lose the capability in
the target user namespace as we isolate the process, which means
we're unable to bind to low ports at that point.
Bind inbound ports, and only those, before isolate_user(). Keep the
handling of outbound ports (for pasta mode only) after the setup of
the namespace, because that's where we'll bind them.
To this end, initialise the netlink socket for the init namespace
before isolate_user() as well, as we actually need to know the
addresses of the upstream interface before binding ports, in case
they're not explicitly passed by the user.
As we now call nl_sock_init() twice, checking its return code from
conf() twice looks a bit heavy: make it exit(), instead, as we
can't do much if we don't have netlink sockets.
While at it:
- move the v4_only && v6_only options check just after the first
option processing loop, as this is more strictly related to
option parsing proper
- update the man page, explaining that CAP_NET_BIND_SERVICE is
*not* the preferred way to bind ports, because passt and pasta
can be abused to allow other processes to make effective usage
of it. Add a note about the recommended sysctl instead
- simplify nl_sock_init_do() now that it's called once for each
case
Reported-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-10-13 18:21:27 +02:00
|
|
|
if (!v4_only)
|
conf, icmp, tcp, udp: Add options to bind to outbound address and interface
I didn't notice earlier: libslirp (and slirp4netns) supports binding
outbound sockets to specific IPv4 and IPv6 addresses, to force the
source addresse selection. If we want to claim feature parity, we
should implement that as well.
Further, Podman supports specifying outbound interfaces as well, but
this is simply done by resolving the primary address for an interface
when the network back-end is started. However, since kernel version
5.7, commit c427bfec18f2 ("net: core: enable SO_BINDTODEVICE for
non-root users"), we can actually bind to a specific interface name,
which doesn't need to be validated in advance.
Implement -o / --outbound ADDR to bind to IPv4 and IPv6 addresses,
and --outbound-if4 and --outbound-if6 to bind IPv4 and IPv6 sockets
to given interfaces.
Given that it probably makes little sense to select addresses and
routes from interfaces different than the ones given for outbound
sockets, also assign those as "template" interfaces, by default,
unless explicitly overridden by '-i'.
For ICMP and UDP, we call sock_l4() to open outbound sockets, as we
already needed to bind to given ports or echo identifiers, and we
can bind() a socket only once: there, pass address (if any) and
interface (if any) for the existing bind() and setsockopt() calls.
For TCP, in general, we wouldn't otherwise bind sockets. Add a
specific helper to do that.
For UDP outbound sockets, we need to know if the final destination
of the socket is a loopback address, before we decide whether it
makes sense to bind the socket at all: move the block mangling the
address destination before the creation of the socket in the IPv4
path. This was already the case for the IPv6 path.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2023-03-08 03:29:51 +01:00
|
|
|
c->ifi6 = conf_ip6(ifi6, &c->ip6, c->mac);
|
|
|
|
|
if ((!c->ifi4 && !c->ifi6) ||
|
|
|
|
|
(*c->ip4.ifname_out && !c->ifi4) ||
|
|
|
|
|
(*c->ip6.ifname_out && !c->ifi6))
|
2023-02-15 09:24:31 +01:00
|
|
|
die("External interface not usable");
|
conf: Bind inbound ports with CAP_NET_BIND_SERVICE before isolate_user()
Even if CAP_NET_BIND_SERVICE is granted, we'll lose the capability in
the target user namespace as we isolate the process, which means
we're unable to bind to low ports at that point.
Bind inbound ports, and only those, before isolate_user(). Keep the
handling of outbound ports (for pasta mode only) after the setup of
the namespace, because that's where we'll bind them.
To this end, initialise the netlink socket for the init namespace
before isolate_user() as well, as we actually need to know the
addresses of the upstream interface before binding ports, in case
they're not explicitly passed by the user.
As we now call nl_sock_init() twice, checking its return code from
conf() twice looks a bit heavy: make it exit(), instead, as we
can't do much if we don't have netlink sockets.
While at it:
- move the v4_only && v6_only options check just after the first
option processing loop, as this is more strictly related to
option parsing proper
- update the man page, explaining that CAP_NET_BIND_SERVICE is
*not* the preferred way to bind ports, because passt and pasta
can be abused to allow other processes to make effective usage
of it. Add a note about the recommended sysctl instead
- simplify nl_sock_init_do() now that it's called once for each
case
Reported-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-10-13 18:21:27 +02:00
|
|
|
|
|
|
|
|
/* Inbound port options can be parsed now (after IPv4/IPv6 settings) */
|
|
|
|
|
optind = 1;
|
|
|
|
|
do {
|
|
|
|
|
struct port_fwd *fwd;
|
|
|
|
|
|
|
|
|
|
name = getopt_long(argc, argv, optstring, options, NULL);
|
|
|
|
|
|
|
|
|
|
if ((name == 't' && (fwd = &c->tcp.fwd_in)) ||
|
|
|
|
|
(name == 'u' && (fwd = &c->udp.fwd_in.f))) {
|
2023-02-15 09:24:32 +01:00
|
|
|
conf_ports(c, name, optarg, fwd);
|
conf: Bind inbound ports with CAP_NET_BIND_SERVICE before isolate_user()
Even if CAP_NET_BIND_SERVICE is granted, we'll lose the capability in
the target user namespace as we isolate the process, which means
we're unable to bind to low ports at that point.
Bind inbound ports, and only those, before isolate_user(). Keep the
handling of outbound ports (for pasta mode only) after the setup of
the namespace, because that's where we'll bind them.
To this end, initialise the netlink socket for the init namespace
before isolate_user() as well, as we actually need to know the
addresses of the upstream interface before binding ports, in case
they're not explicitly passed by the user.
As we now call nl_sock_init() twice, checking its return code from
conf() twice looks a bit heavy: make it exit(), instead, as we
can't do much if we don't have netlink sockets.
While at it:
- move the v4_only && v6_only options check just after the first
option processing loop, as this is more strictly related to
option parsing proper
- update the man page, explaining that CAP_NET_BIND_SERVICE is
*not* the preferred way to bind ports, because passt and pasta
can be abused to allow other processes to make effective usage
of it. Add a note about the recommended sysctl instead
- simplify nl_sock_init_do() now that it's called once for each
case
Reported-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-10-13 18:21:27 +02:00
|
|
|
}
|
|
|
|
|
} while (name != -1);
|
|
|
|
|
|
2023-02-15 09:24:33 +01:00
|
|
|
if (c->mode == MODE_PASTA)
|
|
|
|
|
conf_pasta_ns(&netns_only, userns, netns, optind, argc, argv);
|
|
|
|
|
else if (optind != argc)
|
2023-02-15 09:24:36 +01:00
|
|
|
die("Extra non-option argument: %s", argv[optind]);
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2022-10-14 06:25:34 +02:00
|
|
|
isolate_user(uid, gid, !netns_only, userns, c->mode);
|
2022-09-12 14:24:07 +02:00
|
|
|
|
2022-02-23 10:51:46 +01:00
|
|
|
if (c->pasta_conf_ns)
|
|
|
|
|
c->no_ra = 1;
|
|
|
|
|
|
More deterministic detection of whether argument is a PID, PATH or NAME
pasta takes as its only non-option argument either a PID to attach to the
namespaces of, a PATH to a network namespace or a NAME of a network
namespace (relative to /run/netns). Currently to determine which it is
we try all 3 in that order, and if anything goes wrong we move onto the
next.
This has the potential to cause very confusing failure modes. e.g. if the
argument is intended to be a network namespace name, but a (non-namespace)
file of the same name exists in the current directory.
Make behaviour more predictable by choosing how to treat the argument based
only on the argument's contents, not anything else on the system:
- If it's a decimal integer treat it as a PID
- Otherwise, if it has no '/' characters, treat it as a netns name
(ip-netns doesn't allow '/' in netns names)
- Otherwise, treat it as a netns path
If you want to open a persistent netns in the current directory, you can
use './netns'.
This also allows us to split the parsing of the PID|PATH|NAME option from
the actual opening of the namespaces. In turn that allows us to put the
opening of existing namespaces next to the opening of new namespaces in
pasta_start_ns. That makes the logical flow easier to follow and will
enable later cleanups.
Caveats:
- The separation of functions mean we will always generate the basename
and dirname for the netns_quit system, even when using PID namespaces.
This is pointless, since the netns_quit system doesn't work for non
persistent namespaces, but is harmless.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2022-08-26 06:58:37 +02:00
|
|
|
if (c->mode == MODE_PASTA) {
|
|
|
|
|
if (*netns) {
|
2022-09-12 14:24:07 +02:00
|
|
|
pasta_open_ns(c, netns);
|
More deterministic detection of whether argument is a PID, PATH or NAME
pasta takes as its only non-option argument either a PID to attach to the
namespaces of, a PATH to a network namespace or a NAME of a network
namespace (relative to /run/netns). Currently to determine which it is
we try all 3 in that order, and if anything goes wrong we move onto the
next.
This has the potential to cause very confusing failure modes. e.g. if the
argument is intended to be a network namespace name, but a (non-namespace)
file of the same name exists in the current directory.
Make behaviour more predictable by choosing how to treat the argument based
only on the argument's contents, not anything else on the system:
- If it's a decimal integer treat it as a PID
- Otherwise, if it has no '/' characters, treat it as a netns name
(ip-netns doesn't allow '/' in netns names)
- Otherwise, treat it as a netns path
If you want to open a persistent netns in the current directory, you can
use './netns'.
This also allows us to split the parsing of the PID|PATH|NAME option from
the actual opening of the namespaces. In turn that allows us to put the
opening of existing namespaces next to the opening of new namespaces in
pasta_start_ns. That makes the logical flow easier to follow and will
enable later cleanups.
Caveats:
- The separation of functions mean we will always generate the basename
and dirname for the netns_quit system, even when using PID namespaces.
This is pointless, since the netns_quit system doesn't work for non
persistent namespaces, but is harmless.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2022-08-26 06:58:37 +02:00
|
|
|
} else {
|
2022-10-14 06:25:36 +02:00
|
|
|
pasta_start_ns(c, uid, gid,
|
|
|
|
|
argc - optind, argv + optind);
|
More deterministic detection of whether argument is a PID, PATH or NAME
pasta takes as its only non-option argument either a PID to attach to the
namespaces of, a PATH to a network namespace or a NAME of a network
namespace (relative to /run/netns). Currently to determine which it is
we try all 3 in that order, and if anything goes wrong we move onto the
next.
This has the potential to cause very confusing failure modes. e.g. if the
argument is intended to be a network namespace name, but a (non-namespace)
file of the same name exists in the current directory.
Make behaviour more predictable by choosing how to treat the argument based
only on the argument's contents, not anything else on the system:
- If it's a decimal integer treat it as a PID
- Otherwise, if it has no '/' characters, treat it as a netns name
(ip-netns doesn't allow '/' in netns names)
- Otherwise, treat it as a netns path
If you want to open a persistent netns in the current directory, you can
use './netns'.
This also allows us to split the parsing of the PID|PATH|NAME option from
the actual opening of the namespaces. In turn that allows us to put the
opening of existing namespaces next to the opening of new namespaces in
pasta_start_ns. That makes the logical flow easier to follow and will
enable later cleanups.
Caveats:
- The separation of functions mean we will always generate the basename
and dirname for the netns_quit system, even when using PID namespaces.
This is pointless, since the netns_quit system doesn't work for non
persistent namespaces, but is harmless.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2022-08-26 06:58:37 +02:00
|
|
|
}
|
|
|
|
|
}
|
2021-08-12 15:42:43 +02:00
|
|
|
|
conf: Bind inbound ports with CAP_NET_BIND_SERVICE before isolate_user()
Even if CAP_NET_BIND_SERVICE is granted, we'll lose the capability in
the target user namespace as we isolate the process, which means
we're unable to bind to low ports at that point.
Bind inbound ports, and only those, before isolate_user(). Keep the
handling of outbound ports (for pasta mode only) after the setup of
the namespace, because that's where we'll bind them.
To this end, initialise the netlink socket for the init namespace
before isolate_user() as well, as we actually need to know the
addresses of the upstream interface before binding ports, in case
they're not explicitly passed by the user.
As we now call nl_sock_init() twice, checking its return code from
conf() twice looks a bit heavy: make it exit(), instead, as we
can't do much if we don't have netlink sockets.
While at it:
- move the v4_only && v6_only options check just after the first
option processing loop, as this is more strictly related to
option parsing proper
- update the man page, explaining that CAP_NET_BIND_SERVICE is
*not* the preferred way to bind ports, because passt and pasta
can be abused to allow other processes to make effective usage
of it. Add a note about the recommended sysctl instead
- simplify nl_sock_init_do() now that it's called once for each
case
Reported-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-10-13 18:21:27 +02:00
|
|
|
if (c->mode == MODE_PASTA)
|
|
|
|
|
nl_sock_init(c, true);
|
2021-10-11 12:01:31 +02:00
|
|
|
|
conf: Bind inbound ports with CAP_NET_BIND_SERVICE before isolate_user()
Even if CAP_NET_BIND_SERVICE is granted, we'll lose the capability in
the target user namespace as we isolate the process, which means
we're unable to bind to low ports at that point.
Bind inbound ports, and only those, before isolate_user(). Keep the
handling of outbound ports (for pasta mode only) after the setup of
the namespace, because that's where we'll bind them.
To this end, initialise the netlink socket for the init namespace
before isolate_user() as well, as we actually need to know the
addresses of the upstream interface before binding ports, in case
they're not explicitly passed by the user.
As we now call nl_sock_init() twice, checking its return code from
conf() twice looks a bit heavy: make it exit(), instead, as we
can't do much if we don't have netlink sockets.
While at it:
- move the v4_only && v6_only options check just after the first
option processing loop, as this is more strictly related to
option parsing proper
- update the man page, explaining that CAP_NET_BIND_SERVICE is
*not* the preferred way to bind ports, because passt and pasta
can be abused to allow other processes to make effective usage
of it. Add a note about the recommended sysctl instead
- simplify nl_sock_init_do() now that it's called once for each
case
Reported-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-10-13 18:21:27 +02:00
|
|
|
/* ...and outbound port options now that namespaces are set up. */
|
2022-05-01 06:36:34 +02:00
|
|
|
optind = 1;
|
|
|
|
|
do {
|
conf: Bind inbound ports with CAP_NET_BIND_SERVICE before isolate_user()
Even if CAP_NET_BIND_SERVICE is granted, we'll lose the capability in
the target user namespace as we isolate the process, which means
we're unable to bind to low ports at that point.
Bind inbound ports, and only those, before isolate_user(). Keep the
handling of outbound ports (for pasta mode only) after the setup of
the namespace, because that's where we'll bind them.
To this end, initialise the netlink socket for the init namespace
before isolate_user() as well, as we actually need to know the
addresses of the upstream interface before binding ports, in case
they're not explicitly passed by the user.
As we now call nl_sock_init() twice, checking its return code from
conf() twice looks a bit heavy: make it exit(), instead, as we
can't do much if we don't have netlink sockets.
While at it:
- move the v4_only && v6_only options check just after the first
option processing loop, as this is more strictly related to
option parsing proper
- update the man page, explaining that CAP_NET_BIND_SERVICE is
*not* the preferred way to bind ports, because passt and pasta
can be abused to allow other processes to make effective usage
of it. Add a note about the recommended sysctl instead
- simplify nl_sock_init_do() now that it's called once for each
case
Reported-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-10-13 18:21:27 +02:00
|
|
|
struct port_fwd *fwd;
|
2022-05-01 06:36:34 +02:00
|
|
|
|
|
|
|
|
name = getopt_long(argc, argv, optstring, options, NULL);
|
|
|
|
|
|
conf: Bind inbound ports with CAP_NET_BIND_SERVICE before isolate_user()
Even if CAP_NET_BIND_SERVICE is granted, we'll lose the capability in
the target user namespace as we isolate the process, which means
we're unable to bind to low ports at that point.
Bind inbound ports, and only those, before isolate_user(). Keep the
handling of outbound ports (for pasta mode only) after the setup of
the namespace, because that's where we'll bind them.
To this end, initialise the netlink socket for the init namespace
before isolate_user() as well, as we actually need to know the
addresses of the upstream interface before binding ports, in case
they're not explicitly passed by the user.
As we now call nl_sock_init() twice, checking its return code from
conf() twice looks a bit heavy: make it exit(), instead, as we
can't do much if we don't have netlink sockets.
While at it:
- move the v4_only && v6_only options check just after the first
option processing loop, as this is more strictly related to
option parsing proper
- update the man page, explaining that CAP_NET_BIND_SERVICE is
*not* the preferred way to bind ports, because passt and pasta
can be abused to allow other processes to make effective usage
of it. Add a note about the recommended sysctl instead
- simplify nl_sock_init_do() now that it's called once for each
case
Reported-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-10-13 18:21:27 +02:00
|
|
|
if ((name == 'T' && (fwd = &c->tcp.fwd_out)) ||
|
|
|
|
|
(name == 'U' && (fwd = &c->udp.fwd_out.f))) {
|
2023-02-15 09:24:32 +01:00
|
|
|
conf_ports(c, name, optarg, fwd);
|
2022-05-01 06:36:34 +02:00
|
|
|
}
|
|
|
|
|
} while (name != -1);
|
|
|
|
|
|
2022-07-22 07:31:17 +02:00
|
|
|
if (!c->ifi4)
|
2021-10-11 12:01:31 +02:00
|
|
|
c->no_dhcp = 1;
|
|
|
|
|
|
2022-07-22 07:31:17 +02:00
|
|
|
if (!c->ifi6) {
|
2021-10-11 12:01:31 +02:00
|
|
|
c->no_ndp = 1;
|
|
|
|
|
c->no_dhcpv6 = 1;
|
2021-09-07 11:19:57 +02:00
|
|
|
}
|
|
|
|
|
|
2021-10-11 12:01:31 +02:00
|
|
|
if (!c->mtu)
|
|
|
|
|
c->mtu = ROUND_DOWN(ETH_MAX_MTU - ETH_HLEN, sizeof(uint32_t));
|
2021-08-12 15:42:43 +02:00
|
|
|
|
|
|
|
|
get_dns(c);
|
|
|
|
|
|
2022-07-22 07:31:12 +02:00
|
|
|
if (!*c->pasta_ifn) {
|
|
|
|
|
if (c->ifi4)
|
|
|
|
|
if_indextoname(c->ifi4, c->pasta_ifn);
|
|
|
|
|
else
|
|
|
|
|
if_indextoname(c->ifi6, c->pasta_ifn);
|
|
|
|
|
}
|
2021-08-12 15:42:43 +02:00
|
|
|
|
|
|
|
|
if (c->mode == MODE_PASTA) {
|
passt, pasta: Namespace-based sandboxing, defer seccomp policy application
To reach (at least) a conceptually equivalent security level as
implemented by --enable-sandbox in slirp4netns, we need to create a
new mount namespace and pivot_root() into a new (empty) mountpoint, so
that passt and pasta can't access any filesystem resource after
initialisation.
While at it, also detach IPC, PID (only for passt, to prevent
vulnerabilities based on the knowledge of a target PID), and UTS
namespaces.
With this approach, if we apply the seccomp filters right after the
configuration step, the number of allowed syscalls grows further. To
prevent this, defer the application of seccomp policies after the
initialisation phase, before the main loop, that's where we expect bad
things to happen, potentially. This way, we get back to 22 allowed
syscalls for passt and 34 for pasta, on x86_64.
While at it, move #syscalls notes to specific code paths wherever it
conceptually makes sense.
We have to open all the file handles we'll ever need before
sandboxing:
- the packet capture file can only be opened once, drop instance
numbers from the default path and use the (pre-sandbox) PID instead
- /proc/net/tcp{,v6} and /proc/net/udp{,v6}, for automatic detection
of bound ports in pasta mode, are now opened only once, before
sandboxing, and their handles are stored in the execution context
- the UNIX domain socket for passt is also bound only once, before
sandboxing: to reject clients after the first one, instead of
closing the listening socket, keep it open, accept and immediately
discard new connection if we already have a valid one
Clarify the (unchanged) behaviour for --netns-only in the man page.
To actually make passt and pasta processes run in a separate PID
namespace, we need to unshare(CLONE_NEWPID) before forking to
background (if configured to do so). Introduce a small daemon()
implementation, __daemon(), that additionally saves the PID file
before forking. While running in foreground, the process itself can't
move to a new PID namespace (a process can't change the notion of its
own PID): mention that in the man page.
For some reason, fork() in a detached PID namespace causes SIGTERM
and SIGQUIT to be ignored, even if the handler is still reported as
SIG_DFL: add a signal handler that just exits.
We can now drop most of the pasta_child_handler() implementation,
that took care of terminating all processes running in the same
namespace, if pasta started a shell: the shell itself is now the
init process in that namespace, and all children will terminate
once the init process exits.
Issuing 'echo $$' in a detached PID namespace won't return the
actual namespace PID as seen from the init namespace: adapt
demo and test setup scripts to reflect that.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-07 21:11:37 +01:00
|
|
|
c->proc_net_tcp[V4][0] = c->proc_net_tcp[V4][1] = -1;
|
|
|
|
|
c->proc_net_tcp[V6][0] = c->proc_net_tcp[V6][1] = -1;
|
|
|
|
|
c->proc_net_udp[V4][0] = c->proc_net_udp[V4][1] = -1;
|
|
|
|
|
c->proc_net_udp[V6][0] = c->proc_net_udp[V6][1] = -1;
|
|
|
|
|
|
2022-09-24 11:08:17 +02:00
|
|
|
if (!c->tcp.fwd_in.mode || c->tcp.fwd_in.mode == FWD_AUTO) {
|
|
|
|
|
c->tcp.fwd_in.mode = FWD_AUTO;
|
2021-08-12 15:42:43 +02:00
|
|
|
ns_ports_arg.proto = IPPROTO_TCP;
|
|
|
|
|
NS_CALL(get_bound_ports_ns, &ns_ports_arg);
|
|
|
|
|
}
|
2022-09-24 11:08:17 +02:00
|
|
|
if (!c->udp.fwd_in.f.mode || c->udp.fwd_in.f.mode == FWD_AUTO) {
|
|
|
|
|
c->udp.fwd_in.f.mode = FWD_AUTO;
|
2021-08-12 15:42:43 +02:00
|
|
|
ns_ports_arg.proto = IPPROTO_UDP;
|
|
|
|
|
NS_CALL(get_bound_ports_ns, &ns_ports_arg);
|
|
|
|
|
}
|
2022-09-24 11:08:17 +02:00
|
|
|
if (!c->tcp.fwd_out.mode || c->tcp.fwd_out.mode == FWD_AUTO) {
|
|
|
|
|
c->tcp.fwd_out.mode = FWD_AUTO;
|
2021-09-27 05:24:30 +02:00
|
|
|
get_bound_ports(c, 0, IPPROTO_TCP);
|
|
|
|
|
}
|
2022-09-24 11:08:17 +02:00
|
|
|
if (!c->udp.fwd_out.f.mode || c->udp.fwd_out.f.mode == FWD_AUTO) {
|
|
|
|
|
c->udp.fwd_out.f.mode = FWD_AUTO;
|
2021-09-27 05:24:30 +02:00
|
|
|
get_bound_ports(c, 0, IPPROTO_UDP);
|
|
|
|
|
}
|
2022-09-24 11:08:16 +02:00
|
|
|
} else {
|
2022-09-24 11:08:17 +02:00
|
|
|
if (!c->tcp.fwd_in.mode)
|
|
|
|
|
c->tcp.fwd_in.mode = FWD_NONE;
|
|
|
|
|
if (!c->tcp.fwd_out.mode)
|
|
|
|
|
c->tcp.fwd_out.mode = FWD_NONE;
|
|
|
|
|
if (!c->udp.fwd_in.f.mode)
|
|
|
|
|
c->udp.fwd_in.f.mode = FWD_NONE;
|
|
|
|
|
if (!c->udp.fwd_out.f.mode)
|
|
|
|
|
c->udp.fwd_out.f.mode = FWD_NONE;
|
2021-08-12 15:42:43 +02:00
|
|
|
}
|
|
|
|
|
|
2022-02-18 00:19:10 +01:00
|
|
|
if (!c->quiet)
|
|
|
|
|
conf_print(c);
|
2021-08-12 15:42:43 +02:00
|
|
|
}
|