path: root/util.c
author: Stefano Brivio <sbrivio@redhat.com>  2025-02-03 09:22:10 +0100
committer: Stefano Brivio <sbrivio@redhat.com>  2025-02-09 08:17:06 +0100
commit: a3d142a6f64d89fffe26634e158dedd55fa31e7b (patch)
tree: 97fda9a39cef0cf422c382f557cb1e13e1252e26 /util.c
parent: 864be475d9db58c93540eb883ecf656c3eff861f (diff)
conf: Don't map DNS traffic to host, if host gateway is a resolver
This should be a relatively common case and I'm a bit surprised it's been
broken since I added the "gateway mapping" functionality, but it doesn't
happen with Podman, and not with systemd-resolved or similar local proxies,
and also not with servers where typically the gateway is just a router and
not a DNS resolver. That could be the reason why nobody noticed until now.

By default, we'll map the address of the default gateway, in containers and
guests, to represent "the host", so that we have a well-defined way to reach
the host. Say:

    0.0029: NAT to host 127.0.0.1: 192.168.100.1

But if the host gateway is also a DNS resolver:

    0.0029: DNS:
    0.0029:     192.168.100.1

then we'll send DNS queries directed to it to the host instead:

    0.0372: Flow 0 (INI): TAP [192.168.100.157]:41892 -> [192.168.100.1]:53 => ?
    0.0372: Flow 0 (TGT): INI -> TGT
    0.0373: Flow 0 (TGT): TAP [192.168.100.157]:41892 -> [192.168.100.1]:53 => HOST [0.0.0.0]:41892 -> [127.0.0.1]:53
    0.0373: Flow 0 (UDP flow): TGT -> TYPED
    0.0373: Flow 0 (UDP flow): TAP [192.168.100.157]:41892 -> [192.168.100.1]:53 => HOST [0.0.0.0]:41892 -> [127.0.0.1]:53
    0.0373: Flow 0 (UDP flow): Side 0 hash table insert: bucket: 31049
    0.0374: Flow 0 (UDP flow): TYPED -> ACTIVE
    0.0374: Flow 0 (UDP flow): TAP [192.168.100.157]:41892 -> [192.168.100.1]:53 => HOST [0.0.0.0]:41892 -> [127.0.0.1]:53

which doesn't quite work, of course:

    0.0374: pasta: epoll event on UDP reply socket 95 (events: 0x00000008)
    0.0374: ICMP error on UDP socket 95: Connection refused

unless the host is a resolver itself... but then we wouldn't find the
address of the gateway in its /etc/resolv.conf, presumably.

Fix this by making an exception for DNS traffic: if the default gateway is
a resolver, match on DNS traffic going to the default gateway, and
explicitly forward it to the configured resolver.

Reported-by: Prafulla Giri <prafulla.giri@protonmail.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
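The decision the commit message describes, written out as a stand-alone C example. This is added illustration, not passt's code: the `struct map_conf`, `map_target()` and `demo_target()` names and the flag `dns_to_gw_exception` are hypothetical, and the scenario (gateway 192.168.100.1 that is also the host's only resolver, host mapped to 127.0.0.1) is constructed from the log lines above. Without the exception, a guest query to 192.168.100.1:53 is rewritten to 127.0.0.1:53 on the host, which is what the "Connection refused" above shows; with it, DNS to the gateway keeps its real destination while all other traffic to the gateway is still mapped to the host.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_PORT	53
#define MAX_RESOLVERS	4

/* Hypothetical configuration for this example; passt keeps its own structures */
struct map_conf {
	struct in_addr gw;			/* default gateway as seen by the guest */
	struct in_addr host;			/* what "the host" maps to: 127.0.0.1 */
	struct in_addr dns[MAX_RESOLVERS];	/* resolvers from the host's /etc/resolv.conf */
	int ndns;
	bool dns_to_gw_exception;		/* the behaviour the commit introduces */
};

/* Parse dotted-quad IPv4 text into host byte order; 0 on parse error */
uint32_t ip4(const char *s)
{
	struct in_addr a;

	if (inet_pton(AF_INET, s, &a) != 1)
		return 0;
	return ntohl(a.s_addr);
}

static bool is_resolver(const struct map_conf *c, struct in_addr a)
{
	for (int i = 0; i < c->ndns; i++)
		if (c->dns[i].s_addr == a.s_addr)
			return true;
	return false;
}

/* Pick the host-side destination for a guest flow to dst:port */
struct in_addr map_target(const struct map_conf *c, struct in_addr dst, uint16_t port)
{
	/* DNS to the gateway, and the gateway really is a resolver: keep the
	 * real destination instead of turning it into "the host"
	 */
	if (c->dns_to_gw_exception && port == DNS_PORT &&
	    dst.s_addr == c->gw.s_addr && is_resolver(c, dst))
		return dst;

	/* Gateway mapping: the gateway address stands for the host */
	if (dst.s_addr == c->gw.s_addr)
		return c->host;

	/* Anything else goes where the guest sent it */
	return dst;
}

/* Constructed scenario from the log above: gateway 192.168.100.1 is also the
 * only resolver. Returns the chosen host-side target in host byte order.
 */
uint32_t demo_target(bool with_fix, const char *dst, uint16_t port)
{
	struct map_conf c = { .ndns = 1, .dns_to_gw_exception = with_fix };
	struct in_addr d;

	inet_pton(AF_INET, "192.168.100.1", &c.gw);
	inet_pton(AF_INET, "127.0.0.1", &c.host);
	c.dns[0] = c.gw;
	inet_pton(AF_INET, dst, &d);

	return ntohl(map_target(&c, d, port).s_addr);
}

int main(void)
{
	const char *cases[][2] = { { "192.168.100.1", "53" }, { "192.168.100.1", "22" },
				   { "192.168.100.50", "53" } };

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		uint16_t port = (uint16_t)atoi(cases[i][1]);
		struct in_addr before = { .s_addr = htonl(demo_target(false, cases[i][0], port)) };
		struct in_addr after  = { .s_addr = htonl(demo_target(true,  cases[i][0], port)) };
		char b[INET_ADDRSTRLEN], a[INET_ADDRSTRLEN];

		inet_ntop(AF_INET, &before, b, sizeof(b));
		inet_ntop(AF_INET, &after, a, sizeof(a));
		printf("%s:%s  before fix -> %s   after fix -> %s\n", cases[i][0], cases[i][1], b, a);
	}
	return 0;
}
```

Only the (gateway, port 53, gateway-is-a-resolver) combination changes behaviour; SSH or anything else sent to the gateway address is still mapped to the host, and traffic to non-gateway addresses is untouched in both variants.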
Diffstat (limited to 'util.c')
0 files changed, 0 insertions, 0 deletions