NotificationsYou must be signed in to change notification settings
Fork18.9k
Star71.2k

Commit2faf258

authored

Merge pull request#51616 from akerouanton/fix-51591

libnet/pms/nat: don't bind IPv6 ports if not supported by port driver

2 parents9a84135 +310aa92 commit2faf258Copy full SHA for 2faf258

File tree

4 files changed

+81

-33

lines changed

daemon/libnetwork
- drivers/bridge
  - port_mapping_linux_test.go
- internal/rlkclient
  - rootlesskit_client_linux.go
- portmappers/nat
  - mapper_linux.go
- portmapper
  - proxy_linux.go

4 files changed

+81

-33

lines changed

`‎daemon/libnetwork/drivers/bridge/port_mapping_linux_test.go‎`

Lines changed: 29 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -220,7 +220,7 @@ func TestAddPortMappings(t *testing.T) {`
`220`	`220`	`enableProxybool`
`221`	`221`	`hairpinbool`
`222`	`222`	`busyPortIPv4int`
`223`		`-rootlessbool`
	`223`	`+newPDCfunc() nat.PortDriverClient`
`224`	`224`	`hostAddrs []string`
`225`	`225`	`noProxy6To4bool`
`226`	`226`
`@@ -667,14 +667,29 @@ func TestAddPortMappings(t *testing.T) {`
`667`	`667`	`{PortBinding: types.PortBinding{Proto:types.TCP,Port:80}},`
`668`	`668`	`},`
`669`	`669`	`enableProxy:true,`
`670`		`-rootless:true,`
	`670`	`+newPDC:func() nat.PortDriverClient {returnnewMockPortDriverClient(true) },`
`671`	`671`	`expPBs: []types.PortBinding{`
`672`	`672`	`{Proto:types.TCP,IP:ctrIP4.IP,Port:22,HostIP:net.IPv4zero,HostPort:firstEphemPort},`
`673`	`673`	`{Proto:types.TCP,IP:ctrIP6.IP,Port:22,HostIP:net.IPv6zero,HostPort:firstEphemPort},`
`674`	`674`	`{Proto:types.TCP,IP:ctrIP4.IP,Port:80,HostIP:net.IPv4zero,HostPort:firstEphemPort+1},`
`675`	`675`	`{Proto:types.TCP,IP:ctrIP6.IP,Port:80,HostIP:net.IPv6zero,HostPort:firstEphemPort+1},`
`676`	`676`	`},`
`677`	`677`	`},`
	`678`	`+{`
	`679`	`+name:"rootless, ipv6 not supported",`
	`680`	`+epAddrV4:ctrIP4,`
	`681`	`+epAddrV6:ctrIP6,`
	`682`	`+cfg: []portmapperapi.PortBindingReq{`
	`683`	`+{PortBinding: types.PortBinding{Proto:types.TCP,Port:22}},`
	`684`	`+{PortBinding: types.PortBinding{Proto:types.TCP,Port:80}},`
	`685`	`+},`
	`686`	`+enableProxy:true,`
	`687`	`+newPDC:func() nat.PortDriverClient {returnnewMockPortDriverClient(false) },`
	`688`	`+expPBs: []types.PortBinding{`
	`689`	`+{Proto:types.TCP,IP:ctrIP4.IP,Port:22,HostIP:net.IPv4zero,HostPort:firstEphemPort},`
	`690`	`+{Proto:types.TCP,IP:ctrIP4.IP,Port:80,HostIP:net.IPv4zero,HostPort:firstEphemPort+1},`
	`691`	`+},`
	`692`	`+},`
`678`	`693`	`{`
`679`	`694`	`name:"rootless without proxy",`
`680`	`695`	`epAddrV4:ctrIP4,`
`@@ -683,8 +698,8 @@ func TestAddPortMappings(t *testing.T) {`
`683`	`698`	`{PortBinding: types.PortBinding{Proto:types.TCP,Port:22}},`
`684`	`699`	`{PortBinding: types.PortBinding{Proto:types.TCP,Port:80}},`
`685`	`700`	`},`
`686`		`-rootless:true,`
`687`		`-hairpin:true,`
	`701`	`+newPDC:func() nat.PortDriverClient {returnnewMockPortDriverClient(true) },`
	`702`	`+hairpin:true,`
`688`	`703`	`expPBs: []types.PortBinding{`
`689`	`704`	`{Proto:types.TCP,IP:ctrIP4.IP,Port:22,HostIP:net.IPv4zero,HostPort:firstEphemPort},`
`690`	`705`	`{Proto:types.TCP,IP:ctrIP6.IP,Port:22,HostIP:net.IPv6zero,HostPort:firstEphemPort},`
`@@ -745,8 +760,8 @@ func TestAddPortMappings(t *testing.T) {`
`745`	`760`	`}`
`746`	`761`
`747`	`762`	`varpdc nat.PortDriverClient`
`748`		`-iftc.rootless {`
`749`		`-pdc=newMockPortDriverClient()`
	`763`	`+iftc.newPDC!=nil {`
	`764`	`+pdc=tc.newPDC()`
`750`	`765`	`}`
`751`	`766`
`752`	`767`	`pms:=&drvregistry.PortMappers{}`
`@@ -780,7 +795,7 @@ func TestAddPortMappings(t *testing.T) {`
`780`	`795`	`n.firewallerNetwork=fwn`
`781`	`796`
`782`	`797`	`expChildIP:=func(hostIP net.IP) net.IP {`
`783`		`-if!tc.rootless {`
	`798`	`+ifpdc==nil {`
`784`	`799`	`returnhostIP`
`785`	`800`	`}`
`786`	`801`	`ifhostIP.To4()==nil {`
`@@ -938,16 +953,21 @@ func (p mockPortDriverPort) String() string {`
`938`	`953`
`939`	`954`	`typemockPortDriverClientstruct {`
`940`	`955`	`openPortsmap[mockPortDriverPort]bool`
	`956`	`+supportV6bool`
`941`	`957`	`}`
`942`	`958`
`943`		`-funcnewMockPortDriverClient()*mockPortDriverClient {`
	`959`	`+funcnewMockPortDriverClient(supportV6bool)*mockPortDriverClient {`
`944`	`960`	`return&mockPortDriverClient{`
`945`	`961`	`openPorts:map[mockPortDriverPort]bool{},`
	`962`	`+supportV6:supportV6,`
`946`	`963`	`}`
`947`	`964`	`}`
`948`	`965`
`949`		`-func (c*mockPortDriverClient)ChildHostIP(hostIP netip.Addr) netip.Addr {`
	`966`	`+func (c*mockPortDriverClient)ChildHostIP(protostring,hostIP netip.Addr) netip.Addr {`
`950`	`967`	`ifhostIP.Is6() {`
	`968`	`+if!c.supportV6 {`
	`969`	`+return netip.Addr{}`
	`970`	`+}`
`951`	`971`	`returnnetip.IPv6Loopback()`
`952`	`972`	`}`
`953`	`973`	`returnnetip.MustParseAddr("127.0.0.1")`

`‎daemon/libnetwork/internal/rlkclient/rootlesskit_client_linux.go‎`

Lines changed: 27 additions & 15 deletions

Original file line number	Diff line number	Diff line change
`@@ -75,14 +75,38 @@ func NewPortDriverClient(ctx context.Context) (*PortDriverClient, error) {`
`75`	`75`	`returnpdc,nil`
`76`	`76`	`}`
`77`	`77`
	`78`	`+// proto normalizes the protocol to match what the rootlesskit API expects.`
	`79`	`+func (c*PortDriverClient)proto(protostring,hostIP netip.Addr)string {`
	`80`	`+// proto is like "tcp", but we need to convert it to "tcp4" or "tcp6" explicitly`
	`81`	`+// for libnetwork >= 20201216`
	`82`	`+//`
	`83`	`+// See https://github.com/moby/libnetwork/pull/2604/files#diff-8fa48beed55dd033bf8e4f8c40b31cf69d0b2cc5d4bb53cde8594670ea6c938aR20`
	`84`	`+// See also https://github.com/rootless-containers/rootlesskit/issues/231`
	`85`	`+apiProto:=proto`
	`86`	`+if!strings.HasSuffix(apiProto,"4")&&!strings.HasSuffix(apiProto,"6") {`
	`87`	`+ifhostIP.Is6() {`
	`88`	`+apiProto+="6"`
	`89`	`+}else {`
	`90`	`+apiProto+="4"`
	`91`	`+}`
	`92`	`+}`
	`93`	`+returnapiProto`
	`94`	`+}`
	`95`	`+`
`78`	`96`	`// ChildHostIP returns the address that must be used in the child network`
`79`	`97`	`// namespace in place of hostIP, a host IP address. In particular, port`
`80`	`98`	`// mappings from host IP addresses, and DNAT rules, must use this child`
`81`		`-// address in place of the real host address.`
`82`		`-func (c*PortDriverClient)ChildHostIP(hostIP netip.Addr) netip.Addr {`
	`99`	`+// address in place of the real host address. It may return an invalid`
	`100`	`+// netip.Addr if the proto and IP family aren't supported.`
	`101`	`+func (c*PortDriverClient)ChildHostIP(protostring,hostIP netip.Addr) netip.Addr {`
`83`	`102`	`ifc==nil {`
`84`	`103`	`returnhostIP`
`85`	`104`	`}`
	`105`	`+if_,ok:=c.protos[c.proto(proto,hostIP)];!ok {`
	`106`	`+// This happens when apiProto="tcp6", portDriverName="slirp4netns",`
	`107`	`+// because "slirp4netns" port driver does not support listening on IPv6 yet.`
	`108`	`+return netip.Addr{}`
	`109`	`+}`
`86`	`110`	`ifc.childIP.IsValid() {`
`87`	`111`	`returnc.childIP`
`88`	`112`	`}`
`@@ -117,20 +141,8 @@ func (c *PortDriverClient) AddPort(`
`117`	`141`	`ifc==nil {`
`118`	`142`	`returnfunc()error {returnnil },nil`
`119`	`143`	`}`
`120`		`-// proto is like "tcp", but we need to convert it to "tcp4" or "tcp6" explicitly`
`121`		`-// for libnetwork >= 20201216`
`122`		`-//`
`123`		`-// See https://github.com/moby/libnetwork/pull/2604/files#diff-8fa48beed55dd033bf8e4f8c40b31cf69d0b2cc5d4bb53cde8594670ea6c938aR20`
`124`		`-// See also https://github.com/rootless-containers/rootlesskit/issues/231`
`125`		`-apiProto:=proto`
`126`		`-if!strings.HasSuffix(apiProto,"4")&&!strings.HasSuffix(apiProto,"6") {`
`127`		`-ifhostIP.Is6() {`
`128`		`-apiProto+="6"`
`129`		`-}else {`
`130`		`-apiProto+="4"`
`131`		`-}`
`132`		`-}`
`133`	`144`
	`145`	`+apiProto:=c.proto(proto,hostIP)`
`134`	`146`	`if_,ok:=c.protos[apiProto];!ok {`
`135`	`147`	`// This happens when apiProto="tcp6", portDriverName="slirp4netns",`
`136`	`148`	`// because "slirp4netns" port driver does not support listening on IPv6 yet.`

`‎daemon/libnetwork/portmapper/proxy_linux.go‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -135,6 +135,7 @@ func StartProxy(pb types.PortBinding,`
`135`	`135`	`returnnil`
`136`	`136`	`}`
`137`	`137`	`stopped.Store(true)`
	`138`	`+log.G(context.Background()).WithField("pb",pb).Debug("Stopping userland proxy")`
`138`	`139`	`iferr:=cmd.Process.Signal(os.Interrupt);err!=nil {`
`139`	`140`	`returnerr`
`140`	`141`	`}`

`‎daemon/libnetwork/portmappers/nat/mapper_linux.go‎`

Lines changed: 24 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -6,19 +6,21 @@ import (`
`6`	`6`	`"fmt"`
`7`	`7`	`"net"`
`8`	`8`	`"net/netip"`
	`9`	`+"slices"`
`9`	`10`	`"strconv"`
`10`	`11`
`11`	`12`	`"github.com/containerd/log"`
`12`	`13`	`"github.com/moby/moby/v2/daemon/libnetwork/internal/rlkclient"`
`13`	`14`	`"github.com/moby/moby/v2/daemon/libnetwork/portallocator"`
`14`	`15`	`"github.com/moby/moby/v2/daemon/libnetwork/portmapperapi"`
`15`	`16`	`"github.com/moby/moby/v2/daemon/libnetwork/types"`
	`17`	`+"github.com/moby/moby/v2/internal/sliceutil"`
`16`	`18`	`)`
`17`	`19`
`18`	`20`	`constdriverName="nat"`
`19`	`21`
`20`	`22`	`typePortDriverClientinterface {`
`21`		`-ChildHostIP(hostIP netip.Addr) netip.Addr`
	`23`	`+ChildHostIP(protostring,hostIP netip.Addr) netip.Addr`
`22`	`24`	`AddPort(ctx context.Context,protostring,hostIP,childIP netip.Addr,hostPortint) (func()error,error)`
`23`	`25`	`}`
`24`	`26`
`@@ -73,12 +75,18 @@ func (pm PortMapper) MapPorts(ctx context.Context, cfg []portmapperapi.PortBindi`
`73`	`75`	`}`
`74`	`76`	`}()`
`75`	`77`
`76`		`-addrs:=make([]net.IP,0,len(cfg))`
`77`		`-fori:=rangecfg {`
`78`		`-cfg[i]=setChildHostIP(pm.pdc,cfg[i])`
`79`		`-addrs=append(addrs,cfg[i].ChildHostIP)`
	`78`	`+fori:=len(cfg)-1;i>=0;i-- {`
	`79`	`+varsupportedbool`
	`80`	`+ifcfg[i],supported=setChildHostIP(pm.pdc,cfg[i]);!supported {`
	`81`	`+cfg=slices.Delete(cfg,i,i+1)`
	`82`	`+continue`
	`83`	`+}`
`80`	`84`	`}`
`81`	`85`
	`86`	`+addrs:=sliceutil.Map(cfg,func(req portmapperapi.PortBindingReq) net.IP {`
	`87`	`+returnreq.ChildHostIP`
	`88`	`+})`
	`89`	`+`
`82`	`90`	`pa:=portallocator.NewOSAllocator()`
`83`	`91`	`allocatedPort,socks,err:=pa.RequestPortsInRange(addrs,proto,int(hostPort),int(hostPortEnd))`
`84`	`92`	`iferr!=nil {`
`@@ -127,14 +135,21 @@ func (pm PortMapper) UnmapPorts(ctx context.Context, pbs []portmapperapi.PortBin`
`127`	`135`	`returnerrors.Join(errs...)`
`128`	`136`	`}`
`129`	`137`
`130`		`-funcsetChildHostIP(pdcPortDriverClient,req portmapperapi.PortBindingReq) portmapperapi.PortBindingReq {`
	`138`	`+// setChildHostIP returns a modified PortBindingReq that contains the IP`
	`139`	`+// address that should be used for port allocation, firewall rules, etc. It`
	`140`	`+// returns false when the PortBindingReq isn't supported by the PortDriverClient.`
	`141`	`+funcsetChildHostIP(pdcPortDriverClient,req portmapperapi.PortBindingReq) (portmapperapi.PortBindingReq,bool) {`
`131`	`142`	`ifpdc==nil {`
`132`	`143`	`req.ChildHostIP=req.HostIP`
`133`		`-returnreq`
	`144`	`+returnreq,true`
`134`	`145`	`}`
`135`	`146`	`hip,_:=netip.AddrFromSlice(req.HostIP)`
`136`		`-req.ChildHostIP=pdc.ChildHostIP(hip.Unmap()).AsSlice()`
`137`		`-returnreq`
	`147`	`+chip:=pdc.ChildHostIP(req.Proto.String(),hip.Unmap())`
	`148`	`+if!chip.IsValid() {`
	`149`	`+returnreq,false`
	`150`	`+}`
	`151`	`+req.ChildHostIP=chip.AsSlice()`
	`152`	`+returnreq,true`
`138`	`153`	`}`
`139`	`154`
`140`	`155`	`// configPortDriver passes the port binding's details to rootlesskit, and updates the`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit2faf258

File tree

4 files changed

4 files changed

`‎daemon/libnetwork/drivers/bridge/port_mapping_linux_test.go‎`

`‎daemon/libnetwork/internal/rlkclient/rootlesskit_client_linux.go‎`

`‎daemon/libnetwork/portmapper/proxy_linux.go‎`

`‎daemon/libnetwork/portmappers/nat/mapper_linux.go‎`

0 commit comments