containernetworking / plugins

52%

master: 55%

LAST BUILD ON BRANCH fix-portmap_nftables

branch: fix-portmap_nftables

CHANGE BRANCH

x

Reset

• fix-portmap_nftables
• add-aks-integration
• bridge-port-isolation
• bugfix/wrong_startrange
• bump-golang-ci
• bump-libcni
• codeql
• contact-info
• coryright-attribution
• deletevlaniface
• dependabot/docker/dot-github/actions/retest-action/alpine-3.18
• dependabot/docker/dot-github/actions/retest-action/alpine-3.19
• dependabot/docker/dot-github/actions/retest-action/alpine-3.20
• dependabot/docker/dot-github/actions/retest-action/alpine-3.21
• dependabot/docker/dot-github/actions/retest-action/alpine-3.22
• dependabot/docker/dot-github/actions/retest-action/alpine-3.23
• dependabot/github_actions/actions/checkout-4
• dependabot/github_actions/actions/checkout-5
• dependabot/github_actions/actions/checkout-6
• dependabot/github_actions/actions/setup-go-5
• dependabot/github_actions/actions/setup-go-6
• dependabot/github_actions/golangci/golangci-lint-action-4
• dependabot/github_actions/golangci/golangci-lint-action-5
• dependabot/github_actions/golangci/golangci-lint-action-6
• dependabot/github_actions/golangci/golangci-lint-action-9
• dependabot/go_modules/github.com/Microsoft/hcsshim-0.10.0
• dependabot/go_modules/github.com/Microsoft/hcsshim-0.11.0
• dependabot/go_modules/github.com/Microsoft/hcsshim-0.11.1
• dependabot/go_modules/github.com/Microsoft/hcsshim-0.9.10
• dependabot/go_modules/github.com/Microsoft/hcsshim-0.9.7
• dependabot/go_modules/github.com/Microsoft/hcsshim-0.9.9
• dependabot/go_modules/github.com/containerd/containerd-1.6.26
• dependabot/go_modules/github.com/coreos/go-iptables-0.7.0
• dependabot/go_modules/github.com/networkplumbing/go-nft-0.3.0
• dependabot/go_modules/github.com/networkplumbing/go-nft-0.4.0
• dependabot/go_modules/github.com/onsi/ginkgo/v2-2.11.0
• dependabot/go_modules/github.com/onsi/ginkgo/v2-2.12.0
• dependabot/go_modules/github.com/onsi/ginkgo/v2-2.12.1
• dependabot/go_modules/github.com/onsi/ginkgo/v2-2.13.0
• dependabot/go_modules/github.com/onsi/ginkgo/v2-2.13.1
• dependabot/go_modules/github.com/onsi/ginkgo/v2-2.8.3
• dependabot/go_modules/github.com/onsi/ginkgo/v2-2.8.4
• dependabot/go_modules/github.com/onsi/ginkgo/v2-2.9.0
• dependabot/go_modules/github.com/onsi/ginkgo/v2-2.9.1
• dependabot/go_modules/github.com/onsi/ginkgo/v2-2.9.4
• dependabot/go_modules/github.com/onsi/ginkgo/v2-2.9.7
• dependabot/go_modules/github.com/onsi/gomega-1.25.0
• dependabot/go_modules/github.com/onsi/gomega-1.26.0
• dependabot/go_modules/github.com/onsi/gomega-1.27.1
• dependabot/go_modules/github.com/onsi/gomega-1.27.10
• dependabot/go_modules/github.com/onsi/gomega-1.27.2
• dependabot/go_modules/github.com/onsi/gomega-1.27.3
• dependabot/go_modules/github.com/onsi/gomega-1.27.8
• dependabot/go_modules/github.com/onsi/gomega-1.27.9
• dependabot/go_modules/github.com/onsi/gomega-1.28.0
• dependabot/go_modules/github.com/onsi/gomega-1.30.0
• dependabot/go_modules/github.com/opencontainers/selinux-1.11.0
• dependabot/go_modules/golang-09a819dc01
• dependabot/go_modules/golang-0ff27c0dc8
• dependabot/go_modules/golang-103bedb26b
• dependabot/go_modules/golang-1eaf3aa819
• dependabot/go_modules/golang-29835453c6
• dependabot/go_modules/golang-2cb2537523
• dependabot/go_modules/golang-2d6cee5bad
• dependabot/go_modules/golang-2f005b8ca9
• dependabot/go_modules/golang-383d838611
• dependabot/go_modules/golang-439c5fc513
• dependabot/go_modules/golang-4dd97b104e
• dependabot/go_modules/golang-51f3cddb77
• dependabot/go_modules/golang-5c8df2ff5e
• dependabot/go_modules/golang-61257cff18
• dependabot/go_modules/golang-6263b2479d
• dependabot/go_modules/golang-6a70725da1
• dependabot/go_modules/golang-7e0ee1aacf
• dependabot/go_modules/golang-82cdb19fbc
• dependabot/go_modules/golang-82e3264b6f
• dependabot/go_modules/golang-8bfbea899d
• dependabot/go_modules/golang-8c40cefe07
• dependabot/go_modules/golang-8f3a99df9e
• dependabot/go_modules/golang-9b7ee4a467
• dependabot/go_modules/golang-a01909eac1
• dependabot/go_modules/golang-a90ed34d00
• dependabot/go_modules/golang-b1fd1a5525
• dependabot/go_modules/golang-b711640f48
• dependabot/go_modules/golang-c722575f0f
• dependabot/go_modules/golang-db9f2d353e
• dependabot/go_modules/golang-e423e5d544
• dependabot/go_modules/golang-e5a06e9046
• dependabot/go_modules/golang-efff583b38
• dependabot/go_modules/golang-f04424bbb8
• dependabot/go_modules/golang-f6d18035b1
• dependabot/go_modules/golang-fb115483cc
• dependabot/go_modules/golang-fd31490dbe
• dependabot/go_modules/golang.org/x/net-0.17.0
• dependabot/go_modules/golang.org/x/net-0.23.0
• dependabot/go_modules/golang.org/x/net-0.36.0
• dependabot/go_modules/golang.org/x/net-0.38.0
• dependabot/go_modules/golang.org/x/sys-0.10.0
• dependabot/go_modules/golang.org/x/sys-0.11.0
• dependabot/go_modules/golang.org/x/sys-0.13.0
• dependabot/go_modules/golang.org/x/sys-0.4.0
• dependabot/go_modules/golang.org/x/sys-0.5.0
• dependabot/go_modules/golang.org/x/sys-0.7.0
• dependabot/go_modules/golang.org/x/sys-0.8.0
• dependabot/go_modules/golang.org/x/sys-0.9.0
• dependabot/go_modules/google.golang.org/grpc-1.56.3
• dependabot/go_modules/google.golang.org/protobuf-1.33.0
• dhcp-daemon-terminate-iface-nonexist
• enable-vlan-uplink-interface
• fix
• fix-bw-nil
• fix-firewall-ci
• fix-integ-tests
• fix-unshare
• fix-windows-ginko
• fixdad
• fixglobalroutes
• fixvlantrunk
• go-1.25
• go-mod-separate
• go-mod-verify
• go1.24
• host-device
• increatetimeoutvrf
• ingress-same-bridge-isolate
• jell/per_if_sysctl
• jell/vlan-1
• jell/vlan-2
• keeponaddripv6
• macvlan/stop-setting-proxy-arp
• main
• master
• new-maintainers
• oif_rule
• refs/tags/v0.9.0
• refs/tags/v0.9.1
• refs/tags/v1.0.0
• refs/tags/v1.0.0-rc1
• refs/tags/v1.0.1
• refs/tags/v1.1.0
• refs/tags/v1.1.1
• refs/tags/v1.2.0
• refs/tags/v1.4.0
• refs/tags/v1.4.1
• refs/tags/v1.5.0
• refs/tags/v1.5.1
• release-1.1
• remove-bryan
• remove-release-sh2
• retry
• scorecard
• setpreservedefaultvlanfalse
• v0.8.2
• v0.8.3
• v0.8.4
• v0.8.5
• v0.8.6
• v0.8.7
• wip-remove-dup
• zerofix

Build # 19199087381

Build Type

Pull #1210

github

Committed by champtar

Commit Message

portmap: ensure nftables backend only intercept local traffic

portmap iptables backend uses `-m addrtype --dst-type LOCAL`
and a common chain (CNI-HOSTPORT-DNAT) for both hostPort and hostIP/hostPort.

Before this commit, nftables backend was using 2 separate chains,
`hostip_hostports` and `hostports`. The goal was to avoid using
`fib daddr type local` before we jump to `hostip_hostports`,
but this is a behavior change compared to iptables backend,
and a security issue (hostIP: 1.1.1.1 / hostPort: 53).
Also while switching from input to prerouting hook, we forgot to
add the fib lookup for `hostports`, rendering the nftables backend half broken.

To allow transparent upgrades and avoid running the fib lookup twice,
we use an intermediate chain (`hostports_all`)
```
chain hostports_all {
    jump hostip_hostports
    jump hostports
}
```

Long-term we want to remove `hostip_hostports`,
so all new rules are created in the `hostports` chain.

We can't use implicit chains (`jump { jump hostip_hostports; jump hostports }`)
as it's not supported by knftables.Fake yet.

Fixes 9296c5f80
Fixes 01a94e17c

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

Pull Request Pull Request #1210: portmap: ensure nftables backend only intercept local traffic

Run Details

40 of 40 new or added lines in 1 file covered. (100.0%)

4920 of 9434 relevant lines covered (52.15%)

27.31 hits per line