diff options
| author | David Gibson <david@gibson.dropbear.id.au> | 2024-10-18 12:35:56 +1100 |
|---|---|---|
| committer | Stefano Brivio <sbrivio@redhat.com> | 2024-10-18 20:28:03 +0200 |
| commit | b4dace8f462b346ae2135af1f8d681a99a849a5f (patch) | |
| tree | 2c15016a302582cad72c37ec1bfe5f541b5c555d /log.c | |
| parent | 58e6d685995f7b1068357a00e2618627d17fa8f5 (diff) | |
| download | passt-b4dace8f462b346ae2135af1f8d681a99a849a5f.tar passt-b4dace8f462b346ae2135af1f8d681a99a849a5f.tar.gz passt-b4dace8f462b346ae2135af1f8d681a99a849a5f.tar.bz2 passt-b4dace8f462b346ae2135af1f8d681a99a849a5f.tar.lz passt-b4dace8f462b346ae2135af1f8d681a99a849a5f.tar.xz passt-b4dace8f462b346ae2135af1f8d681a99a849a5f.tar.zst passt-b4dace8f462b346ae2135af1f8d681a99a849a5f.zip | |
fwd: Direct inbound spliced forwards to the guest's external address
In pasta mode, where addressing permits we "splice" connections, forwarding
directly from host socket to guest/container socket without any L2 or L3
processing. This gives us a very large performance improvement when it's
possible.
Since the traffic is from a local socket within the guest, it will go over
the guest's 'lo' interface, and accordingly we set the guest side address
to be the loopback address. However this has a surprising side effect:
sometimes guests will run services that are only supposed to be used within
the guest and are therefore bound to only 127.0.0.1 and/or ::1. pasta's
forwarding exposes those services to the host, which isn't generally what
we want.
Correct this by instead forwarding inbound "splice" flows to the guest's
external address.
Link: https://github.com/containers/podman/issues/24045
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Diffstat (limited to 'log.c')
0 files changed, 0 insertions, 0 deletions