author | Stefano Brivio <sbrivio@redhat.com> | 2024-03-15 15:17:08 +0100 |
---|---|---|
committer | Stefano Brivio <sbrivio@redhat.com> | 2024-03-18 08:57:40 +0100 |
commit | d989eae308c2ea2032fc91cc04fb02dffe4a4b63 (patch) | |
tree | 61f6fb7738b54a5509cf4bf6241017b7be6bcc67 /contrib | |
parent | f919dc7a4b1ced7e80d790a654900415e1d6250e (diff) | |
udp: Translate source address of resolver only for DNS remapped queries
Paul reports that if pasta is configured with --dns-forward, and the
container queries a resolver which is configured on the host directly,
without using the address given for --dns-forward, we'll translate
the source address of the response pretending it's coming from the
address passed as --dns-forward, and the client will discard the
reply.
That is,
$ cat /etc/resolv.conf
198.51.100.1
$ pasta --config-net --dns-forward 192.0.2.1 nslookup passt.top
will not work, because we change the source address of the reply from
198.51.100.1 to 192.0.2.1. But the client contacted 198.51.100.1, and
it's from that address that it expects an answer.
Add a PORT_DNS_FWD flag for tap-facing ports, which is triggered by
activity in the opposite direction from the other flags. If the
tap-facing port was seen sending a DNS query that was remapped, we'll
remap the source address of the response, otherwise we'll leave it
unaffected.
Reported-by: Paul Holzinger <pholzing@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
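The mechanism the commit message describes, as an added model written for this page (not passt code): a per-tap-port flag is set when a guest DNS query to the --dns-forward address is redirected to the host resolver, and a reply from the host resolver has its source rewritten only if that flag is set. The addresses are the ones from the message; the struct, the flag's value and the `udp_*` function names are made up for the illustration, and the "before" path shows why a direct query to the host resolver was answered from the wrong address.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not passt code. PORT_DNS_FWD is the flag name from the
 * commit message; its value and everything else here is assumed. */
#define NUM_PORTS 65536
#define DNS_PORT 53
#define PORT_DNS_FWD 0x01

struct dns_remap_ctx {
	uint32_t dns_fwd;		/* address given with --dns-forward */
	uint32_t host_dns;		/* resolver configured on the host */
	uint8_t port_flags[NUM_PORTS];	/* per tap-facing (guest source) port */
};

static uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
	return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

static void ctx_init(struct dns_remap_ctx *ctx)
{
	memset(ctx, 0, sizeof(*ctx));
	ctx->dns_fwd = ip4(192, 0, 2, 1);	/* pasta --dns-forward 192.0.2.1 */
	ctx->host_dns = ip4(198, 51, 100, 1);	/* host /etc/resolv.conf */
}

/* Guest -> host. A query to the --dns-forward address is redirected to the
 * host resolver and the guest's source port is marked PORT_DNS_FWD.
 * Returns the destination the query is actually sent to. */
static uint32_t udp_tap_out(struct dns_remap_ctx *ctx, uint16_t tap_port,
			    uint32_t dst, uint16_t dst_port)
{
	if (dst_port == DNS_PORT && dst == ctx->dns_fwd) {
		ctx->port_flags[tap_port] |= PORT_DNS_FWD;
		return ctx->host_dns;
	}
	return dst;
}

/* Host -> guest, before the fix: any reply from the host resolver gets its
 * source rewritten, regardless of where the guest sent its query. */
static uint32_t udp_reply_src_old(const struct dns_remap_ctx *ctx, uint16_t tap_port,
				  uint32_t src, uint16_t src_port)
{
	(void)tap_port;
	if (src_port == DNS_PORT && src == ctx->host_dns)
		return ctx->dns_fwd;
	return src;
}

/* Host -> guest, after the fix: rewrite only if this tap-facing port was
 * seen sending a query that we remapped. */
static uint32_t udp_reply_src_new(const struct dns_remap_ctx *ctx, uint16_t tap_port,
				  uint32_t src, uint16_t src_port)
{
	if (src_port == DNS_PORT && src == ctx->host_dns &&
	    (ctx->port_flags[tap_port] & PORT_DNS_FWD))
		return ctx->dns_fwd;
	return src;
}

/* One query/reply exchange from a guest client on tap_port that addressed
 * its query to `resolver`. True if the reply appears to come from the
 * address the client contacted, i.e. the client would accept it. */
static bool exchange_accepted(uint32_t resolver, uint16_t tap_port, bool fixed)
{
	struct dns_remap_ctx ctx;
	uint32_t real_dst, reply_src;

	ctx_init(&ctx);
	real_dst = udp_tap_out(&ctx, tap_port, resolver, DNS_PORT);
	/* the resolver that received the query answers from its own address */
	reply_src = fixed ? udp_reply_src_new(&ctx, tap_port, real_dst, DNS_PORT)
			  : udp_reply_src_old(&ctx, tap_port, real_dst, DNS_PORT);
	return reply_src == resolver;
}

/* Reported case: guest queries the host's resolver directly. */
bool direct_query_accepted(bool fixed)
{
	return exchange_accepted(ip4(198, 51, 100, 1), 40000, fixed);
}

/* Usual case: guest queries the --dns-forward address. */
bool forwarded_query_accepted(bool fixed)
{
	return exchange_accepted(ip4(192, 0, 2, 1), 40001, fixed);
}

int main(void)
{
	printf("direct query,    before fix: %s\n", direct_query_accepted(false) ? "accepted" : "discarded");
	printf("direct query,    after fix:  %s\n", direct_query_accepted(true) ? "accepted" : "discarded");
	printf("forwarded query, before fix: %s\n", forwarded_query_accepted(false) ? "accepted" : "discarded");
	printf("forwarded query, after fix:  %s\n", forwarded_query_accepted(true) ? "accepted" : "discarded");
	return 0;
}
```

The model deliberately keys the flag on the guest's source port rather than on the resolver address: the reply from 198.51.100.1 looks identical in both scenarios, so only the outbound history of that port can tell whether the guest expects 192.0.2.1 or 198.51.100.1 as the peer.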
Diffstat (limited to 'contrib')
0 files changed, 0 insertions, 0 deletions