| | | |
|---|---|---|
| author | Stefano Brivio <sbrivio@redhat.com> | 2022-11-02 23:44:25 +0100 |
| committer | Stefano Brivio <sbrivio@redhat.com> | 2022-11-04 12:04:32 +0100 |
| commit | 7656a6f8888237b9e23d63666e921528b6aaf950 (patch) | |
| tree | 655d7f88ab30fac72f6502597431f72c018ba5ff /contrib/apparmor | |
| parent | de93acbe7056e392ed759675e38ccc84eb1a56bf (diff) | |
conf: Adjust netmask on mismatch between IPv4 address/netmask and gateway

Seen in a Google Compute Engine environment with a machine configured
via cloud-init-dhcp, while testing Podman integration for pasta: the
assigned address has a /32 netmask, and there's a default route,
which can be added on the host because there's another route, also
/32, pointing to the default gateway. For example, on the host:

```
ip -4 address add 10.156.0.2/32 dev eth0
ip -4 route add 10.156.0.1/32 dev eth0
ip -4 route add default via 10.156.0.1
```

This is not a valid configuration as far as I can tell: if the
address is configured as /32, it shouldn't be used to reach a gateway
outside its derived netmask. However, Linux allows that, and
everything works.

The problem comes when pasta --config-net sources address and default
route from the host, and it can't configure the route in the target
namespace because the gateway is invalid. That is, we would skip
configuring the first route in the example, which results in the
equivalent of doing:

```
ip -4 address add 10.156.0.2/32 dev eth0
ip -4 route add default via 10.156.0.1
```

where, at this point, 10.156.0.1 is unreachable, and hence invalid
as a gateway.

Sourcing more routes than just the default is doable, but probably
undesirable: pasta users want to provide connectivity to a container,
not reflect exactly whatever trickery is configured on the host.

Add a consistency check and an adjustment: if the configured default
gateway is not reachable, shrink the given netmask until we can reach
it.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
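The adjustment the commit describes, as an added stand-alone example that is not passt's own code: starting from the host's address, prefix length and default gateway, the prefix is shortened one bit at a time until the gateway falls inside the derived subnet. The function names (`prefix_for_gateway`, `adjust_prefix_str`) are this example's own, and the sample addresses are the ones quoted in the commit message.

```c
/* Added example, not passt code: shrink an IPv4 prefix until the default
 * gateway becomes reachable through the address's own subnet. */
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Host-order netmask for a prefix length clamped to 0..32 */
static uint32_t mask_for_prefix(int prefix)
{
	if (prefix <= 0)
		return 0;
	if (prefix >= 32)
		return 0xffffffffu;
	return ~((1u << (32 - prefix)) - 1);
}

/* Return 1 if gw lies inside addr/prefix (both in host byte order) */
static int gw_reachable(uint32_t addr, int prefix, uint32_t gw)
{
	uint32_t m = mask_for_prefix(prefix);

	return (addr & m) == (gw & m);
}

/* Shrink prefix until gw is reachable and return the adjusted length.
 * A /0 covers every address, so the loop always terminates. */
int prefix_for_gateway(uint32_t addr, int prefix, uint32_t gw)
{
	while (prefix > 0 && !gw_reachable(addr, prefix, gw))
		prefix--;
	return prefix;
}

/* Same check on dotted-quad strings; returns -1 if either fails to parse */
int adjust_prefix_str(const char *addr_s, int prefix, const char *gw_s)
{
	struct in_addr a, g;

	if (inet_pton(AF_INET, addr_s, &a) != 1 ||
	    inet_pton(AF_INET, gw_s, &g) != 1)
		return -1;
	return prefix_for_gateway(ntohl(a.s_addr), prefix, ntohl(g.s_addr));
}

int main(void)
{
	/* Constructed input from the commit message: 10.156.0.2/32 with gateway
	 * 10.156.0.1 needs /30 before both addresses share a subnet */
	printf("/%d\n", adjust_prefix_str("10.156.0.2", 32, "10.156.0.1"));
	return 0;
}
```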
Diffstat (limited to 'contrib/apparmor')
0 files changed, 0 insertions, 0 deletions