conf, pasta: With --config-net, copy all routes by default

Use the newly-introduced NL_DUP mode for nl_route() to copy all the
routes associated with the template interface in the outer namespace,
unless --no-copy-routes (also implied by -g) is given.

This option is introduced as deprecated right away: it's not expected
to be of any use, but it's helpful to keep it around for a while to
debug any suspected issue with this change.

Otherwise, we can't use default gateways which are not, address-wise,
on the same subnet as the container, as reported by Callum.

Reported-by: Callum Parsey <callum@neoninteger.au>
Link: https://github.com/containers/podman/issues/18539
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Stefano Brivio 2023-05-14 15:04:38 +02:00
parent 468f19a852
commit da54641f14
4 changed files with 38 additions and 3 deletions

16
conf.c

@ -923,6 +923,8 @@ pasta_opts:
info( " --no-netns-quit Don't quit if filesystem-bound target"); info( " --no-netns-quit Don't quit if filesystem-bound target");
info( " network namespace is deleted"); info( " network namespace is deleted");
info( " --config-net Configure tap interface in namespace"); info( " --config-net Configure tap interface in namespace");
info( " --no-copy-routes DEPRECATED:");
info( " Don't copy all routes to namespace");
info( " --ns-mac-addr ADDR Set MAC address on tap interface"); info( " --ns-mac-addr ADDR Set MAC address on tap interface");
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
@ -1198,6 +1200,7 @@ void conf(struct ctx *c, int argc, char **argv)
{"outbound-if4", required_argument, NULL, 15 }, {"outbound-if4", required_argument, NULL, 15 },
{"outbound-if6", required_argument, NULL, 16 }, {"outbound-if6", required_argument, NULL, 16 },
{"config-net", no_argument, NULL, 17 }, {"config-net", no_argument, NULL, 17 },
{"no-copy-routes", no_argument, NULL, 18 },
{ 0 }, { 0 },
}; };
struct get_bound_ports_ns_arg ns_ports_arg = { .c = c }; struct get_bound_ports_ns_arg ns_ports_arg = { .c = c };
@ -1362,6 +1365,13 @@ void conf(struct ctx *c, int argc, char **argv)
c->pasta_conf_ns = 1; c->pasta_conf_ns = 1;
break; break;
case 18:
if (c->mode != MODE_PASTA)
die("--no-copy-routes is for pasta mode only");
warn("--no-copy-routes will be dropped soon");
c->no_copy_routes = 1;
break;
case 'd': case 'd':
if (c->debug) if (c->debug)
die("Multiple --debug options given"); die("Multiple --debug options given");
@ -1510,6 +1520,9 @@ void conf(struct ctx *c, int argc, char **argv)
} }
break; break;
case 'g': case 'g':
if (c->mode == MODE_PASTA)
c->no_copy_routes = 1;
if (IN6_IS_ADDR_UNSPECIFIED(&c->ip6.gw) && if (IN6_IS_ADDR_UNSPECIFIED(&c->ip6.gw) &&
inet_pton(AF_INET6, optarg, &c->ip6.gw) && inet_pton(AF_INET6, optarg, &c->ip6.gw) &&
!IN6_IS_ADDR_UNSPECIFIED(&c->ip6.gw) && !IN6_IS_ADDR_UNSPECIFIED(&c->ip6.gw) &&
@ -1644,6 +1657,9 @@ void conf(struct ctx *c, int argc, char **argv)
if (*c->sock_path && c->fd_tap >= 0) if (*c->sock_path && c->fd_tap >= 0)
die("Options --socket and --fd are mutually exclusive"); die("Options --socket and --fd are mutually exclusive");
if (c->mode == MODE_PASTA && c->no_copy_routes && !c->pasta_conf_ns)
die("Option --no-copy-routes needs --config-net");
if (!ifi4 && *c->ip4.ifname_out) if (!ifi4 && *c->ip4.ifname_out)
ifi4 = if_nametoindex(c->ip4.ifname_out); ifi4 = if_nametoindex(c->ip4.ifname_out);
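Review bot: In the `case 'g':` hunk, `c->no_copy_routes = 1` is set for every pasta invocation that passes -g, so the new post-parse check `if (c->mode == MODE_PASTA && c->no_copy_routes && !c->pasta_conf_ns)` in the last hunk rejects `pasta -g ADDR` without --config-net with "Option --no-copy-routes needs --config-net", naming an option the user never gave — unless something outside these hunks clears the flag first. Because --config-net may follow -g on the command line, the implication cannot be resolved inside the 'g' handler; track the explicit option in a local instead: `int no_copy_routes_opt = 0;` next to the other locals, `no_copy_routes_opt = 1;` in `case 18:`, and `if (c->mode == MODE_PASTA && no_copy_routes_opt && !c->pasta_conf_ns)` for the die. Setting `c->no_copy_routes` from -g stays harmless, since pasta_ns_conf() only consults it under `pasta_conf_ns`. conf() starts and ends outside these hunks.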

15
passt.1

@ -546,6 +546,21 @@ NAME are given as target), do not exit once the network namespace is deleted.
Configure networking in the namespace: set up addresses and routes as configured Configure networking in the namespace: set up addresses and routes as configured
or sourced from the host, and bring up the tap interface. or sourced from the host, and bring up the tap interface.
.TP
.BR \-\-no-copy-routes " " (DEPRECATED)
With \-\-config-net, do not copy all the routes associated to the interface we
derive addresses and routes from: set up only the default gateway. Implied by
-g, \-\-gateway.
Default is to copy all the routing entries from the interface in the outer
namespace to the target namespace, translating the output interface attribute to
the outbound interface in the namespace.
Note that this configuration option is \fBdeprecated\fR and will be removed in a
future version. It is not expected to be of any use, and it simply reflects a
legacy behaviour. If you have any use for this, refer to \fBREPORTING BUGS\fR
below.
.TP .TP
.BR \-\-ns-mac-addr " " \fIaddr .BR \-\-ns-mac-addr " " \fIaddr
Configure MAC address \fIaddr\fR on the tap interface in the namespace. Configure MAC address \fIaddr\fR on the tap interface in the namespace.


@ -181,7 +181,8 @@ struct ip6_ctx {
* @ip6: IPv6 configuration * @ip6: IPv6 configuration
* @pasta_ifn: Name of namespace interface for pasta * @pasta_ifn: Name of namespace interface for pasta
* @pasta_ifn: Index of namespace interface for pasta * @pasta_ifn: Index of namespace interface for pasta
* @pasta_conf_ns: Configure namespace interface after creating it * @pasta_conf_ns: Configure namespace after creating it
* @no_copy_routes: Don't copy all routes when configuring target namespace
* @no_tcp: Disable TCP operation * @no_tcp: Disable TCP operation
* @tcp: Context for TCP protocol handler * @tcp: Context for TCP protocol handler
* @no_tcp: Disable UDP operation * @no_tcp: Disable UDP operation
@ -240,6 +241,7 @@ struct ctx {
char pasta_ifn[IF_NAMESIZE]; char pasta_ifn[IF_NAMESIZE];
unsigned int pasta_ifi; unsigned int pasta_ifi;
int pasta_conf_ns; int pasta_conf_ns;
int no_copy_routes;
int no_tcp; int no_tcp;
struct tcp_ctx tcp; struct tcp_ctx tcp;
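Review bot: The doc block edited in the first hunk still carries two mismatched keys right beside the new `@no_copy_routes` entry: the "Index of namespace interface for pasta" line is keyed `@pasta_ifn` although the field declared in the second hunk is `pasta_ifi`, and the "Disable UDP operation" line repeats `@no_tcp`, presumably meant to name the UDP flag. Since the commit already corrects the `@pasta_conf_ns` line, both could be fixed in the same pass: `* @pasta_ifi: Index of namespace interface for pasta`, and the UDP key renamed to match whatever field follows `tcp` in struct ctx, which lies outside the hunk.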


@ -273,12 +273,14 @@ void pasta_ns_conf(struct ctx *c)
nl_link(1, 1 /* lo */, MAC_ZERO, 1, 0); nl_link(1, 1 /* lo */, MAC_ZERO, 1, 0);
if (c->pasta_conf_ns) { if (c->pasta_conf_ns) {
enum nl_op op_routes = c->no_copy_routes ? NL_SET : NL_DUP;
nl_link(1, c->pasta_ifi, c->mac_guest, 1, c->mtu); nl_link(1, c->pasta_ifi, c->mac_guest, 1, c->mtu);
if (c->ifi4) { if (c->ifi4) {
nl_addr(1, c->pasta_ifi, AF_INET, &c->ip4.addr, nl_addr(1, c->pasta_ifi, AF_INET, &c->ip4.addr,
&c->ip4.prefix_len, NULL); &c->ip4.prefix_len, NULL);
nl_route(NL_SET, c->ifi4, c->pasta_ifi, AF_INET, nl_route(op_routes, c->ifi4, c->pasta_ifi, AF_INET,
&c->ip4.gw); &c->ip4.gw);
} }
@ -286,7 +288,7 @@ void pasta_ns_conf(struct ctx *c)
int prefix_len = 64; int prefix_len = 64;
nl_addr(1, c->pasta_ifi, AF_INET6, &c->ip6.addr, nl_addr(1, c->pasta_ifi, AF_INET6, &c->ip6.addr,
&prefix_len, NULL); &prefix_len, NULL);
nl_route(NL_SET, c->ifi6, c->pasta_ifi, AF_INET6, nl_route(op_routes, c->ifi6, c->pasta_ifi, AF_INET6,
&c->ip6.gw); &c->ip6.gw);
} }
} else { } else {
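Review bot: The new `op_routes` selection carries no comment on why NL_DUP is the default, and the reason is not visible from pasta_ns_conf() itself; a one-liner above it would help, e.g. `/* Copy all routes of the outer interface, not just the default gateway: the gateway need not lie on the namespace's subnet */`. Copying the whole routing table also means a failure partway through nl_route() would leave the namespace with an incomplete table; if nl_route() can report errors, the two `nl_route(op_routes, ...)` calls discard them exactly as the old NL_SET calls did, which is worth confirming against its definition. pasta_ns_conf() continues outside the hunk.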