user May 2024

passt-user@passt.top

2 participants
2 discussions

passt: new version 2024_05_10.7288448 available
by Stefano Brivio 10 May '24

10 May '24

The new version with tag 2024_05_10.7288448 includes the following changes: 7288448 apparmor: allow read access on /tmp for pasta 7e6a606 tcp_splice: Set OUT_WAIT_ flag whenever pipe isn't emptied 1ba76c9 udp: Single buffer for IPv4, IPv6 headers and metadata d4598e1 udp: Use the same buffer for the L2 header for all frames 6170688 udp: Share payload buffers between IPv4 and IPv6 2d16946 udp: Explicitly set checksum in guest-bound UDP headers 6c4d26a udp: Combine initialisation of IPv4 and IPv6 iovs 3f9bd86 udp: Split tap-bound UDP packets into multiple buffers using io vector fcd9308 test: Allow sftp via vsock-ssh in tests eea5d3e tcp: Update tap specific header too in tcp_fill_headers[46]() 3559899 iov: Helper macro to construct iovs covering existing variables or fields 40f8b29 tap, tcp: (Re-)abstract TAP specific header handling 68d1b0a tcp: Simplify packet length calculation when preparing headers 5566386 treewide: Standardise variable names for various packet lengths 9e22c53 checksum: Make csum_ip4_header() take a host endian length 1095a7b treewide: Remove misleading and redundant endianness notes 5d37dab tap: Remove unused structs tap_msg, tap_l4_msg 34fb381 tap: Split tap specific and L2 (ethernet) headers c27ca91 checksum: Use proto_ipv6_header_psum() for ICMPv6 as well 76e3202 netlink: Fix iterations over nexthop objects https://passt.top/passt/log/?qt=range&q=2024_04_26.d03c4e2..2024_05_10.7288… Packages: - Alpine Linux: https://pkgs.alpinelinux.org/packages?name=passt - Arch Linux: https://www.archlinux.org/packages/extra/x86_64/passt/ https://archlinuxarm.org/packages/aarch64/passt https://archlinuxarm.org/packages/armv7h/passt - Chimera: https://pkgs.chimera-linux.org/packages?name=passt - Debian tracker: https://tracker.debian.org/pkg/passt - Copr (CentOS Stream, EPEL, Fedora, Mageia): https://copr.fedorainfracloud.org/coprs/sbrivio/passt/build/7434838/ permanent mirror: https://passt.top/builds/copr/0^20240510.g7288448/ - Fedora updates: https://bodhi.fedoraproject.org/updates/?packages=passt - Gentoo versions: https://packages.gentoo.org/packages/net-misc/passt - GNU Guix: https://packages.guix.gnu.org/packages/passt/ - openSUSE: https://build.opensuse.org/package/requests/Virtualization:containers/passt - Ubuntu tracker: https://launchpad.net/ubuntu/+source/passt - Void Linux: https://voidlinux.org/packages/?q=passt - Static builds: - Package for other RPM-based distributions, x86_64 only: https://passt.top/builds/latest/x86_64/passt-g7288448-1.x86_64.rpm - x86_64 static binaries: https://passt.top/builds/latest/x86_64/ - Debian package, from x86_64 static build: https://passt.top/builds/latest/x86_64/passt_7288448-1_all.deb -- Stefano

1 0

Guest namespace can access host ports via secondary interface addresses
by Kangjing Huang 10 May '24

10 May '24

Hi there, I was tweaking around pasta and its usage with podman, and I realized that from pasta guest namespaces it is possible to access host ports through the address of secondary interfaces on the host. Say I have two interfaces on host, with eth0 connecting to a gateway and eth1 connected to another LAN: > $ # On host > $ ifconfig eth0 > eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 > inet 192.168.1.2 netmask 255.255.255.0 broadcast 192.168.1.255 > ... > $ ifconfig eth1 > eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 > inet 192.168.110.1 netmask 255.255.255.0 broadcast 192.168.110.255 > ... > $ ip route > default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.2 metric 1024 > 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2 metric 1024 > 192.168.1.1 dev eth0 proto dhcp scope link src 192.168.1.2 metric 1024 > 192.168.110.0/24 dev eth1 proto kernel scope link src 192.168.110.1 If there is some service started on host: > $ python -m http.server > Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ... From a pasta namespace, it is impossible to access the host ports by the address of the main interface: > $ pasta --config-net > $ # Now in pasta namespace > $ curl 192.168.1.2:8000 > curl: (7) Failed to connect to 192.168.1.2 port 8000 after 0 ms: Couldn't connect to server However I found that it is possible to do so by the address of the secondary interface: > $ # In same pasta environment as above > $ curl 192.168.110.1:8000 > <!DOCTYPE HTML> > <html lang="en"> > ... Is this an expected behavior? I believe this is a security escape in the container context, since containerized services can gain access to unintended resources. Thanks, Chaser Huang -- Kangjing "Chaser" Huang

2 1

2024

2023

2022

2021

user May 2024