From e88d8dbeae2aebd2d816f16a21891764163afcd4 Mon Sep 17 00:00:00 2001
From: Paul Holzinger
Date: Fri, 30 Jul 2021 14:33:08 +0200
Subject: fix rootless port forwarding with network dis-/connect
The rootlessport forwarder requires a child IP to be set. This must be a valid ip in the container network namespace. The problem is that after a network disconnect and connect the eth0 ip changed. Therefore the packages are dropped since the source ip does no longer exists in the netns. One solution is to set the child IP to 127.0.0.1, however this is a security problem. [1] To fix this we have to recreate the ports after network connect and disconnect. To make this work the rootlessport process exposes a socket where podman network connect/disconnect connect to and send to new child IP to rootlessport. The rootlessport process will remove all ports and recreate them with the new correct child IP. Also bump rootlesskit to v0.14.3 to fix a race with RemovePort().
Fixes #10052
[1] https://nvd.nist.gov/vuln/detail/CVE-2021-20199
Signed-off-by: Paul Holzinger
---
 .../rootlesskit/pkg/port/builtin/parent/parent.go | 10 ++++++++--
 .../rootlesskit/pkg/port/builtin/parent/tcp/tcp.go | 7 +++++--
 .../rootlesskit/pkg/port/builtin/parent/udp/udp.go | 3 ++-
 vendor/modules.txt | 2 +-
 4 files changed, 16 insertions(+), 6 deletions(-)
(limited to 'vendor')
diff --git a/vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/parent.go b/vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/parent.go
index 2895a8f07..abd2c5e2c 100644
--- a/vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/parent.go
+++ b/vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/parent.go
@@ -12,6 +12,7 @@ import (
 "strings"
 "sync"
 "syscall"
+ "time"
 "github.com/pkg/errors" 
@@ -140,8 +141,13 @@ func (d *driver) AddPort(ctx context.Context, spec port.Spec) (*port.Status, err
 }
 routineStopCh := make(chan struct{})
 routineStop := func() error {
- close(routineStopCh)
- return nil // FIXME
+ routineStopCh <- struct{}{}
+ select {
+ case <-routineStopCh:
+ case <-time.After(5 * time.Second):
+ return errors.New("stop timeout after 5 seconds")
+ }
+ return nil
 }
 switch spec.Proto {
 case "tcp", "tcp4", "tcp6":
diff --git a/vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/tcp/tcp.go b/vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/tcp/tcp.go
index 7a7a167f1..dcc1068f0 100644
--- a/vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/tcp/tcp.go
+++ b/vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/tcp/tcp.go
@@ -12,7 +12,7 @@ import (
 "github.com/rootless-containers/rootlesskit/pkg/port/builtin/msg"
 )
-func Run(socketPath string, spec port.Spec, stopCh <-chan struct{}, logWriter io.Writer) error {
+func Run(socketPath string, spec port.Spec, stopCh chan struct{}, logWriter io.Writer) error {
 ln, err := net.Listen(spec.Proto, net.JoinHostPort(spec.ParentIP, strconv.Itoa(spec.ParentPort)))
 if err != nil {
 fmt.Fprintf(logWriter, "listen: %v\n", err)
@@ -31,7 +31,10 @@ func Run(socketPath string, spec port.Spec, stopCh <-chan struct{}, logWriter io
 }
 }()
 go func() {
- defer ln.Close()
+ defer func() {
+ ln.Close()
+ close(stopCh)
+ }()
 for {
 select {
 case c, ok := <-newConns:
diff --git a/vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/udp/udp.go b/vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/udp/udp.go
index 0080dd22c..f20721bcc 100644
--- a/vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/udp/udp.go
+++ b/vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/udp/udp.go 
@@ -13,7 +13,7 @@ import (
 "github.com/rootless-containers/rootlesskit/pkg/port/builtin/parent/udp/udpproxy"
 )
-func Run(socketPath string, spec port.Spec, stopCh <-chan struct{}, logWriter io.Writer) error {
+func Run(socketPath string, spec port.Spec, stopCh chan struct{}, logWriter io.Writer) error {
 addr, err := net.ResolveUDPAddr(spec.Proto, net.JoinHostPort(spec.ParentIP, strconv.Itoa(spec.ParentPort)))
 if err != nil {
 return err
@@ -51,6 +51,7 @@ func Run(socketPath string, spec port.Spec, stopCh <-chan struct{}, logWriter io
 case <-stopCh:
 // udpp.Close closes ln as well
 udpp.Close()
+ close(stopCh)
 return
 }
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index c89582328..ee4f9f25e 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -558,7 +558,7 @@ github.com/prometheus/procfs/internal/fs
 github.com/prometheus/procfs/internal/util
 # github.com/rivo/uniseg v0.2.0
 github.com/rivo/uniseg
-# github.com/rootless-containers/rootlesskit v0.14.2
+# github.com/rootless-containers/rootlesskit v0.14.3
 github.com/rootless-containers/rootlesskit/pkg/api
 github.com/rootless-containers/rootlesskit/pkg/msgutil
 github.com/rootless-containers/rootlesskit/pkg/port
-- 
cgit v1.2.3-54-g00ecf