
Commit 3ca92f8

committed
Strip HostIP from port mappings in pasta mode
Fixes: https://redhat.atlassian.net/browse/RUN-2214 Fixes: podman-container-tools/podman#8193 Fixes: https://redhat.atlassian.net/browse/RUN-3587 Signed-off-by: Jan Rodák <hony.com@seznam.cz>
1 parent 7167fba commit 3ca92f8

2 files changed

Lines changed: 33 additions & 15 deletions


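--- a/common/libnetwork/netavark/network.go
+++ b/common/libnetwork/netavark/network.go
@@ -71,6 +71,11 @@ type netavarkNetwork struct {
 
 // rootlessNetns is used for the rootless network setup/teardown
 rootlessNetns *rootlessnetns.Netns
+
+// rootlessPortForwarder is "pasta" or "rootlessport" (from containers.conf).
+// When "pasta", HostIP is stripped from port mappings before passing to
+// netavark because pasta's splice changes the destination IP.
+rootlessPortForwarder string
 }
 
 type InitConfig struct {
@@ -145,21 +150,22 @@ func NewNetworkInterface(conf *InitConfig) (types.ContainerNetwork, error) {
 }
 
 n := &netavarkNetwork{
-networkConfigDir: conf.NetworkConfigDir,
-networkRunDir: conf.NetworkRunDir,
-netavarkBinary: conf.NetavarkBinary,
-aardvarkBinary: conf.AardvarkBinary,
-networkRootless: useRootlessNetns,
-ipamDBPath: filepath.Join(conf.NetworkRunDir, "ipam.db"),
-firewallDriver: conf.Config.Network.FirewallDriver,
-defaultNetwork: defaultNetworkName,
-defaultSubnet: defaultNet,
-defaultsubnetPools: defaultSubnetPools,
-dnsBindPort: conf.Config.Network.DNSBindPort,
-pluginDirs: conf.Config.Network.NetavarkPluginDirs.Get(),
-lock: lock,
-syslog: conf.Syslog,
-rootlessNetns: netns,
+networkConfigDir: conf.NetworkConfigDir,
+networkRunDir: conf.NetworkRunDir,
+netavarkBinary: conf.NetavarkBinary,
+aardvarkBinary: conf.AardvarkBinary,
+networkRootless: useRootlessNetns,
+ipamDBPath: filepath.Join(conf.NetworkRunDir, "ipam.db"),
+firewallDriver: conf.Config.Network.FirewallDriver,
+defaultNetwork: defaultNetworkName,
+defaultSubnet: defaultNet,
+defaultsubnetPools: defaultSubnetPools,
+dnsBindPort: conf.Config.Network.DNSBindPort,
+pluginDirs: conf.Config.Network.NetavarkPluginDirs.Get(),
+lock: lock,
+syslog: conf.Syslog,
+rootlessNetns: netns,
+rootlessPortForwarder: conf.Config.Network.RootlessPortForwarder,
 }
 
 return n, nil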
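Review bot: The new doc comment on `rootlessPortForwarder` says HostIP is stripped whenever the value is "pasta", but the check in run.go also requires `networkRootless` to be set, so the comment overstates the condition. I would make the field comment match: `// When "pasta" and the network is rootless, HostIP is stripped from port mappings before they are passed to netavark, because pasta's splice changes the destination IP.` The value is stored and later compared as a raw string; whether containers.conf validation already restricts it to the two documented values is not visible here, so a reader of this struct cannot tell if an unexpected value silently falls through to the non-pasta path.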
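--- a/common/libnetwork/netavark/run.go
+++ b/common/libnetwork/netavark/run.go
@@ -162,6 +162,18 @@ func (n *netavarkNetwork) getCommonNetavarkOptions(needPlugin bool) []string {
 }
 
 func (n *netavarkNetwork) convertNetOpts(opts types.NetworkOptions) (*netavarkOptions, bool, error) {
+// In pasta mode, strip HostIP from port mappings. Pasta handles host-side
+// address binding; netavark only needs DNAT rules inside the netns without
+// "ip daddr" constraints (pasta's splice changes the destination IP).
+if n.rootlessPortForwarder == "pasta" && n.networkRootless && len(opts.PortMappings) > 0 {
+stripped := make([]types.PortMapping, len(opts.PortMappings))
+copy(stripped, opts.PortMappings)
+for i := range stripped {
+stripped[i].HostIP = ""
+}
+opts.PortMappings = stripped
+}
+
 netavarkOptions := netavarkOptions{
 NetworkOptions: opts,
 Networks: make(map[string]*types.Network, len(opts.Networks)),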
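Review bot: The literal `"pasta"` in the new guard is a magic string that now has to agree with the containers.conf value and with the doc comment on the struct field in network.go; a package-level constant, e.g. `const pastaPortForwarder = "pasta"`, would keep the comparison and the documentation from drifting. The comparison is also exact and case-sensitive, and nothing in this hunk shows whether the config value is normalized before it reaches here, so a differently-cased value would quietly take the non-pasta path and leave the daddr constraint in place. The comment should also spell out the consequence the hunk only implies: once HostIP is cleared, the in-netns DNAT rule no longer restricts the destination address, so a mapping the user bound to a specific address (such as loopback) relies entirely on pasta's host-side bind to stay unreachable from other interfaces — something like `// After stripping, reachability on a specific host address is enforced only by pasta's bind, not by netavark's rules.` Copying into `stripped` rather than mutating in place is correct since `opts` is passed by value but its slice is shared with the caller; the rest of convertNetOpts continues outside the hunk.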