author | openshift-merge-bot[bot] <148852131+openshift-merge-bot[bot]@users.noreply.github.com> | 2024-09-25 20:33:27 +0000 |
committer | GitHub <noreply@github.com> | 2024-09-25 20:33:27 +0000 |
commit | d805bc7369e13553d1df4eb7de62874fe43033ee (patch) | |
tree | 156873f11557d36e7ee42422ed4aecc2601118cf | |
parent | cebebc70daec7010c4005798a7958b3b6be7151d (diff) | |
parent | b497d6bfa6b37d21aa08fb2f9c396bf22b52a8f5 (diff) |
Merge pull request #1080 from Luap99/dns-dnat
iptables/nftables: add dns dnat rule first
-rw-r--r-- | src/firewall/nft.rs | 24 | ||||
-rw-r--r-- | src/firewall/varktables/types.rs | 10 | ||||
-rw-r--r-- | test/100-bridge-iptables.bats | 8 | ||||
-rw-r--r-- | test/250-bridge-nftables.bats | 3 |
4 files changed, 31 insertions, 14 deletions
diff --git a/src/firewall/nft.rs b/src/firewall/nft.rs
index 4bef596..6759d96 100644
--- a/src/firewall/nft.rs
+++ b/src/firewall/nft.rs
@@ -592,12 +592,22 @@ impl firewall::FirewallDriver for Nftables {
 match ip {
 IpAddr::V4(_) => {
 if setup_portfw.container_ip_v4.is_some() {
- batch.add(make_dns_dnat_rule(ip, setup_portfw.dns_port));
+ // rule should be first so it is ordered before the normal contianer DNAT,
+ // thus use insert over the normal add
+ batch.add_cmd(schema::NfCmd::Insert(make_dns_dnat_rule(
+ ip,
+ setup_portfw.dns_port,
+ )));
 }
 }
 IpAddr::V6(_) => {
 if setup_portfw.container_ip_v6.is_some() {
- batch.add(make_dns_dnat_rule(ip, setup_portfw.dns_port));
+ // rule should be first so it is ordered before the normal contianer DNAT,
+ // thus use insert over the normal add
+ batch.add_cmd(schema::NfCmd::Insert(make_dns_dnat_rule(
+ ip,
+ setup_portfw.dns_port,
+ )));
 }
 }
 }
@@ -1048,8 +1058,10 @@ fn get_dnat_rules_for_addr_family(
 /// Make a DNAT rule to allow DNS traffic to a DNS server on a non-standard port (53 -> actual port).
 fn make_dns_dnat_rule(dns_ip: &IpAddr, dns_port: u16) -> schema::NfListObject {
- make_rule(
- DNATCHAIN,
+ let rule = schema::Rule::new(
+ types::NfFamily::INet,
+ TABLENAME.to_string(),
+ DNATCHAIN.to_string(),
 vec![
 get_ip_match(dns_ip, "daddr", stmt::Operator::EQ),
 stmt::Statement::Match(stmt::Match {
@@ -1083,7 +1095,9 @@ fn make_dns_dnat_rule(dns_ip: &IpAddr, dns_port: u16) -> schema::NfListObject {
 flags: None,
 })),
 ],
- )
+ );
+
+ schema::NfListObject::Rule(rule)
 }
 /// Create a statement to jump to the given target
diff --git a/src/firewall/varktables/types.rs b/src/firewall/varktables/types.rs
index 80f7023..f161df4 100644
--- a/src/firewall/varktables/types.rs
+++ b/src/firewall/varktables/types.rs
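Review bot: The V4 and V6 arms now carry identical bodies and an identical comment (with the same typo, `contianer`), and neither comment says why the order matters; that reason appears only in the types.rs hunk, namely that another container publishing port 53 could otherwise capture DNS traffic aimed at the gateway. Collapsing the two arms into one guarded call keeps the rationale in a single place, as in the excerpt below. Each `insert` lands at the head of the chain, so the v6 rule inserted later ends up ahead of the v4 rule (the nftables test asserts exactly this order); that is harmless only because each rule matches its own `daddr`, which is worth saying in the comment. The enclosing method starts and ends outside the hunk.
```rust
// The DNS DNAT must sit before the per-container port DNATs in this chain:
// a container publishing port 53 could otherwise capture queries sent to the
// gateway. `insert` puts the rule at the chain head; `add` would append it.
// Every insert lands at the head, so the v6 rule ends up ahead of the v4 one;
// that is fine because each rule matches only its own daddr.
let has_ip = match ip {
    IpAddr::V4(_) => setup_portfw.container_ip_v4.is_some(),
    IpAddr::V6(_) => setup_portfw.container_ip_v6.is_some(),
};
if has_ip {
    batch.add_cmd(schema::NfCmd::Insert(make_dns_dnat_rule(
        ip,
        setup_portfw.dns_port,
    )));
}
```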
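Review bot: `make_dns_dnat_rule` now bypasses the `make_rule(DNATCHAIN, ...)` helper it used before and calls `schema::Rule::new` with `types::NfFamily::INet` and `TABLENAME` directly, but neither the code nor the doc comment says what differs; if `make_rule` only forwards those same arguments the rewrite is redundant, and if it adds something the `Insert` command must not carry, that is the fact a maintainer needs before folding it back. I cannot see `make_rule` from here, so this is a documentation request rather than a defect. The doc comment should also record the ordering contract the caller relies on: `/// The caller must insert (not append) this rule so it precedes the published-port DNAT rules; it matches only daddr == dns_ip and dport 53, so it cannot shadow other traffic.` The function body continues into the next hunk and the statements between the two hunks are not shown.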
@@ -525,13 +525,15 @@ pub fn get_port_forwarding_chains<'a>(
 }
 netavark_hostport_dn_chain.create = true;
 for proto in ["udp", "tcp"] {
- netavark_hostport_dn_chain.build_rule(VarkRule::new(
- format!(
+ netavark_hostport_dn_chain.build_rule(VarkRule {
+ rule: format!(
 "-j {} -d {} -p {} --dport {} --to-destination {}:{}",
 DNAT, dns_ip, proto, 53, ip_value, pfwd.dns_port
 ),
- Some(TeardownPolicy::OnComplete),
- ));
+ // rule should be first otherwise another container might hijack all 53 traffic to itself
+ position: Some(1),
+ td_policy: Some(TeardownPolicy::OnComplete),
+ });
 }
 }
 }
diff --git a/test/100-bridge-iptables.bats b/test/100-bridge-iptables.bats
index e835926..7f8f0bc 100644
--- a/test/100-bridge-iptables.bats
+++ b/test/100-bridge-iptables.bats
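Review bot: `position: Some(1)` makes both rules head-inserts, so the tcp rule added second lands ahead of the udp one (the iptables test swap confirms it); that is harmless because the protocols are disjoint, but the guarantee the comment is after, that the DNS DNAT precedes every published-port rule in the chain, only holds as long as those rules keep being appended rather than inserted, which this hunk cannot enforce on its own. The comment should state that dependency, e.g. `// Insert at the head (-I ... 1) so the gateway DNS DNAT precedes the appended published-port DNATs; otherwise a container publishing port 53 could capture queries sent to the gateway.` The struct literal also sidesteps `VarkRule::new`, so any new field on `VarkRule` breaks this site; a constructor that takes the position, or struct-update syntax over `VarkRule::new(...)`, would be more robust (I cannot see the struct definition here). The enclosing function starts outside the hunk.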
@@ -319,11 +319,11 @@ fw_driver=iptables
 # check iptables
 run_in_host_netns iptables -t nat -S NETAVARK-HOSTPORT-DNAT
- assert "${lines[1]}" == "-A NETAVARK-HOSTPORT-DNAT -d 10.89.3.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.89.3.1:$dns_port" "ipv4 dns forward rule"
- assert "${lines[2]}" == "-A NETAVARK-HOSTPORT-DNAT -d 10.89.3.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.89.3.1:$dns_port" "ipv4 dns tcp forward rule"
+ assert "${lines[2]}" == "-A NETAVARK-HOSTPORT-DNAT -d 10.89.3.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.89.3.1:$dns_port" "ipv4 dns forward rule"
+ assert "${lines[1]}" == "-A NETAVARK-HOSTPORT-DNAT -d 10.89.3.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.89.3.1:$dns_port" "ipv4 dns tcp forward rule"
 run_in_host_netns ip6tables -t nat -S NETAVARK-HOSTPORT-DNAT
- assert "${lines[1]}" == "-A NETAVARK-HOSTPORT-DNAT -d fd10:88:a::1/128 -p udp -m udp --dport 53 -j DNAT --to-destination [fd10:88:a::1]:$dns_port" "ipv6 dns forward rule"
- assert "${lines[2]}" == "-A NETAVARK-HOSTPORT-DNAT -d fd10:88:a::1/128 -p tcp -m tcp --dport 53 -j DNAT --to-destination [fd10:88:a::1]:$dns_port" "ipv6 dns tcp forward rule"
+ assert "${lines[2]}" == "-A NETAVARK-HOSTPORT-DNAT -d fd10:88:a::1/128 -p udp -m udp --dport 53 -j DNAT --to-destination [fd10:88:a::1]:$dns_port" "ipv6 dns forward rule"
+ assert "${lines[1]}" == "-A NETAVARK-HOSTPORT-DNAT -d fd10:88:a::1/128 -p tcp -m tcp --dport 53 -j DNAT --to-destination [fd10:88:a::1]:$dns_port" "ipv6 dns tcp forward rule"
 # check aardvark config and running
 run_helper cat "$NETAVARK_TMPDIR/config/aardvark-dns/podman1"
diff --git a/test/250-bridge-nftables.bats b/test/250-bridge-nftables.bats
index 31e1091..02ea2f0 100644
--- a/test/250-bridge-nftables.bats
+++ b/test/250-bridge-nftables.bats
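Review bot: The swapped `lines[1]`/`lines[2]` assertions only pin the relative order of the tcp and udp DNS rules, not the property the change is for, that both DNS DNATs precede every published-port DNAT in NETAVARK-HOSTPORT-DNAT. A test that also sets up a container publishing port 53 (e.g. `-p 53:53`) and then asserts the two DNS rules are still `lines[1]` and `lines[2]` with the port rule listed after them, or that a query to the gateway still reaches aardvark, would catch a regression back to append. The bare positional indices also break silently once the chain gains any other rule; a comment such as `# DNS rules are inserted at position 1, so tcp (inserted last) comes first` would at least explain the reversed order to the next reader.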
@@ -317,7 +317,8 @@ export NETAVARK_FW=nftables
 # check nftables
 run_in_host_netns nft list chain inet netavark NETAVARK-HOSTPORT-DNAT
- assert "${lines[2]}" =~ "ip daddr 10.89.3.1 meta l4proto \{ tcp, udp \} th dport 53 dnat ip to 10.89.3.1:$dns_port" "DNS forward rule"
+ assert "${lines[2]}" =~ "ip6 daddr fd10:88:a::1 meta l4proto \{ tcp, udp \} th dport 53 dnat ip6 to \[fd10:88:a::1\]:$dns_port" "DNS forward rule ip6"
+ assert "${lines[3]}" =~ "ip daddr 10.89.3.1 meta l4proto \{ tcp, udp \} th dport 53 dnat ip to 10.89.3.1:$dns_port" "DNS forward rule ip4"
 # check aardvark config and running
 run_helper cat "$NETAVARK_TMPDIR/config/aardvark-dns/podman1" |
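Review bot: The ip6 rule is now asserted at `lines[2]` and ip4 at `lines[3]` because every `insert` goes to the chain head, but nothing in the test explains this and a reader would expect v4 before v6; add `# each insert lands at the chain head, so the v6 rule (inserted last) lists before v4` above the assertions. As in the iptables test, the ordering the change is meant to guarantee, DNS DNAT before any published-port dnat rule in the same chain, is not asserted; setting up a container with a published port 53 and checking that its rule lists after `lines[3]` would cover it.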