Hi there,
I was tweaking around pasta and its usage with podman, and I realized
that from pasta guest namespaces it is possible to access host ports
through the address of secondary interfaces on the host.
Say I have two interfaces on host, with eth0 connecting to a gateway
and eth1 connected to another LAN:
> $ # On host
> $ ifconfig eth0
> eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
> inet 192.168.1.2 netmask 255.255.255.0 broadcast 192.168.1.255
> ...
> $ ifconfig eth1
> eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
> inet 192.168.110.1 netmask 255.255.255.0 broadcast 192.168.110.255
> ...
> $ ip route
> default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.2 metric 1024
> 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2 metric 1024
> 192.168.1.1 dev eth0 proto dhcp scope link src 192.168.1.2 metric 1024
> 192.168.110.0/24 dev eth1 proto kernel scope link src 192.168.110.1
If there is some service started on host:
> $ python -m http.server
> Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
From a pasta namespace, it is impossible to access the host ports by
the address of the main interface:
> $ pasta --config-net
> $ # Now in pasta namespace
> $ curl 192.168.1.2:8000
> curl: (7) Failed to connect to 192.168.1.2 port 8000 after 0 ms: Couldn't connect to server
However I found that it is possible to do so by the address of the
secondary interface:
> $ # In same pasta environment as above
> $ curl 192.168.110.1:8000
> <!DOCTYPE HTML>
> <html lang="en">
> ...
Is this an expected behavior? I believe this is a security escape in
the container context, since containerized services can gain access to
unintended resources.
Thanks,
Chaser Huang
--
Kangjing "Chaser" Huang
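A small reachability check, added here as an illustration and not part of the thread or of the pasta project's own code: run it from inside a namespace started with `pasta --config-net` to list which host addresses answer on a given service port, so that the exposure described above can be verified (or, after a configuration or pasta change, verified to be gone) without hand-typing a curl per address. The host addresses and port are assumptions taken from the report; substitute the host's actual interface addresses (collected on the host with `ip -4 addr`) and the port of the service being checked.

```python
import socket
from typing import Dict, List, Tuple

# Constructed sample input taken from the report above (assumption for illustration):
# eth0's address, eth1's address, and the port of the host's http.server.
HOST_ADDRESSES = ["192.168.1.2", "192.168.110.1"]
SERVICE_PORT = 8000


def probe_tcp(addr: str, port: int, timeout: float = 1.0) -> str:
    """Attempt one TCP connect to addr:port and classify the outcome.

    Returns "open" when the handshake completes, "refused" when the peer
    answers with a reset (nothing listening, but the address is reachable),
    and "unreachable" for a timeout, missing route or other network error.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((addr, port))
            return "open"
        except ConnectionRefusedError:
            return "refused"
        except OSError:  # includes timeouts and "no route to host"
            return "unreachable"


def probe_host_addresses(addresses: List[str], port: int,
                         timeout: float = 1.0) -> Dict[str, str]:
    """Probe every host address on the same port; map address -> outcome."""
    return {addr: probe_tcp(addr, port, timeout) for addr in addresses}


def exposed_addresses(results: Dict[str, str]) -> List[str]:
    """Host addresses through which the service answered from the namespace."""
    return sorted(addr for addr, outcome in results.items() if outcome == "open")


def local_listener() -> Tuple[socket.socket, int]:
    """Open a listening socket on an ephemeral loopback port (for self-tests)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Inside the pasta namespace: probe each host address on the service port.
    results = probe_host_addresses(HOST_ADDRESSES, SERVICE_PORT)
    for addr, outcome in results.items():
        print(f"{addr}:{SERVICE_PORT} -> {outcome}")
    exposed = exposed_addresses(results)
    if exposed:
        print("host service reachable from the namespace via:", ", ".join(exposed))
    else:
        print("host service not reachable via any of the listed addresses")
```

On the setup in the report, the expected output is `192.168.1.2:8000 -> unreachable` (or `refused`) and `192.168.110.1:8000 -> open`; any address reported as "open" is a host service the namespace can talk to, which is what to compare against the isolation you intend for the container.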
The new version with tag 2024_03_18.615d370 includes the following changes:
615d370 fedora: Switch license identifier to SPDX
d989eae udp: Translate source address of resolver only for DNS remapped queries
f919dc7 conf, netlink: Don't require a default route to start
f00b153 netlink: Don't try to get further datagrams in nl_route_dup() on NLMSG_DONE
d3eb0d7 tap: Rename tap_iov_{base,len}
4db947d tap: Implement tap_send() "slow path" in terms of fast path
1ebe787 tap: Simplify some casts in the tap "slow path" functions
2d0e008 tap: Extend tap_send_frames() to allow multi-buffer frames
f67238a passt, log: Call __openlog() earlier, log to stderr until we detach
3fe9878 pcap: Use clock_gettime() instead of gettimeofday()
0761f29 passt.1: --{no-,}dhcp-dns and --{no-,}dhcp-search don't take addresses
4d05ba2 conf: Warn if we can't advertise any nameserver via DHCP, NDP, or DHCPv6
4388163 conf: Handle addresses passed via --dns just like the ones from resolv.conf
b299942 tap: Capture only packets that are actually sent
413c159 udp: Use existing helper for UDP checksum on inbound IPv6 packets
ae69838 udp: Avoid unnecessary pointer in udp_update_hdr4()
b0419d1 udp: Re-order udp_update_hdr[46] for clarity and brevity
8a842e0 udp: Pass data length explicitly to to udp_update_hdr[46]
76571ae udp: Consistent port variable names in udp_update_hdr[46]
205b140 udp: Refactor udp_sock[46]_iov_init()
860d276 conf: Don't warn if nameservers were found, but won't be advertised
4779dfe icmp: Use 'flowside' epoll references for ping sockets
02cbdb0 icmp: Flow based error reporting
3af5e9f icmp: Store ping socket information in flow table
383a6f6 ip: Use regular htons() for non-constant protocol number in L2_BUF_IP4_PSUM
137ce01 iov: Improve documentation of iov_skip_bytes()
bb11d15 tcp: Introduce tcp_fill_headers4()/tcp_fill_headers6()
6b22e10 tap: make tap_update_mac() generic
7df624e checksum: introduce functions to compute the header part checksum for TCP/UDP
feb4900 checksum: use csum_ip4_header() in udp.c and tcp.c
e82b4fe udp: little cleanup in udp_update_hdrX() to prepare future changes
324bd46 util: move IP stuff from util.[ch] to ip.[ch]
e289d28 checksum: add csum_iov()
907621e checksum: align buffers
94502fa pcap: add pcap_iov()
3b9098a fwd: Rename port_fwd.[ch] and their contents
10376e7 port_fwd: Fix copypasta error in port_fwd_scan_udp() comments
f15be71 tap: Disallow loopback addresses on tap interface
3b59b97 tcp: Validate TCP endpoint addresses
dc9a5d7 tcp, tcp_splice: Parse listening socket epoll ref in tcp_listen_handler()
ee677e0 tcp_splice: Improve logic deciding when to splice
4c2d923 tcp_splice: Improve error reporting on connect path
f0e2a6b tcp_splice: Make tcp_splice_connect() create its own sockets
f4e5d73 tcp_splice: Merge tcp_splice_new() into its caller
04d3d02 tcp_splice: More specific variable names in new splice path
0f938c3 flow: Clarify flow entry life cycle, introduce uniform logging
d0550f9 tcp_splice: Don't use flow_trace() before setting flow type
80f9b61 tcp_splice: Simplify clean up logic
76c7e1d flow: Add helper to determine a flow's protocol
bb9bf0b tcp, udp: Don't precompute port remappings in epoll references
e196ead util: Allow IN4_IS_* macros to operate on untyped addresses
f6e6e8a inany: Introduce union sockaddr_inany
0cf6b2d inany: Provide more conveniently typed constants for special addresses
330b5db inany: Add inany_ntop() helper
d31277e inany: Helper to test for various address types
9a3fb5e tap: Use write_remainder() in tap_send_frames_passt()
dda7945 pcap: Handle short writes in pcap_frame()
8bdb088 util: Add write_remainder() helper
24410b3 pcap: Update pcap_frame() to take an iovec and offset
64b63d9 iov: Add helper to find skip over first n bytes of an io vector
2a6f8bc iov: add some functions to manage iovec
90f1d3b udp: Remove unnecessary test for unspecified addr_out
745fa38 udp: Fix incorrect usage of IPv6 state in IPv4 path
deea5a8 udp: Small streamline to udp_update_hdr4()
bc2d0d3 udp: Set pif in epoll reference for ephemeral host sockets
720d777 udp: Don't attempt to translate a 0.0.0.0 source address
bee61dd conf: If no interface with a default route was found, say it
925af4e Makefile: check for cppcheck's --check-level option in cppcheck target
15001b3 conf: set the log level much earlier
b087165 passt: make --quiet set the log level to warning
e5e6f29 tcp: Don't store errnos in socket pool
fe27ebc tcp, tcp_splice: Helpers for getting sockets from the pools
fbe81de tcp, tcp_splice: Issue warnings if unable to refill socket pool
554b3ae tcp: Stop on first error when refilling socket pools
af303fd tcp: Don't stop refilling socket pool if we find a filled entry
4e08d9b treewide: Use sa_family_t for address family variables
https://passt.top/passt/log/?qt=range&q=2024_02_20.1e6f92b..2024_03_18.615d…
Packages:
- Alpine Linux:
https://pkgs.alpinelinux.org/packages?name=passt
- Arch Linux:
https://www.archlinux.org/packages/extra/x86_64/passt/
https://archlinuxarm.org/packages/aarch64/passt
https://archlinuxarm.org/packages/armv7h/passt
- Debian tracker:
https://tracker.debian.org/pkg/passt
- Copr (CentOS Stream, EPEL, Fedora, Mageia):
https://copr.fedorainfracloud.org/coprs/sbrivio/passt/build/7176272/
permanent mirror: https://passt.top/builds/copr/0^20240318.g615d370/
- Fedora updates:
https://bodhi.fedoraproject.org/updates/?packages=passt
- Gentoo versions:
https://packages.gentoo.org/packages/net-misc/passt
- GNU Guix:
https://packages.guix.gnu.org/packages/passt/
- Ubuntu tracker:
https://launchpad.net/ubuntu/+source/passt
- Void Linux:
https://voidlinux.org/packages/?q=passt
- Static builds:
  - Package for other RPM-based distributions, x86_64 only:
    https://passt.top/builds/latest/x86_64/passt-g615d370-1.x86_64.rpm
  - x86_64 static binaries:
    https://passt.top/builds/latest/x86_64/
  - Debian package, from x86_64 static build:
    https://passt.top/builds/latest/x86_64/passt_615d370-1_all.deb
--
Stefano