libnetwork/pasta: do not ignore ipv4 link local

Starting with pasta 2024_11_27.c0fbc7e there is new "local mode"[1] in pasta that defaults to setting up link local addresses in the netns when no suitable interface was found. this is done to fix the podman issue[2] where we fail to start in these cases which was a poor UX. Now the pasta change alone works fine for these users but there is one problem. Podman adds hosts entries for the container ip/name tuple and for the host.containers.internal. These entries are filtered out thus neither ipv4 or ipv6 bool was set and no addresses where added to IPAddresses. Thus podman had no info to add entries and just left them empty, while for most cases this is fine there might be a few users who expect host.containers.internal and the container name to resolve correctly. This commit changes the logic to only skip ipv6 link local addresses but allow ipv4 link local addresses. With that podman will add the proper entry. [1] https://archives.passt.top/passt-dev/[email protected]/ [2] containers/podman#24614 Signed-off-by: Paul Holzinger <[email protected]>
containers · Nov 27, 2024 · 0951858 · 0951858
1 parent 6ed8cc7
commit 0951858
Showing 1 changed file with 18 additions and 6 deletions.
diff --git a/libnetwork/pasta/pasta_linux.go b/libnetwork/pasta/pasta_linux.go
@@ -110,13 +110,25 @@ func Setup(opts *SetupOptions) (*SetupResult, error) {
 			return err
 		}
 		for _, addr := range addrs {
-			// make sure to skip localhost and other special addresses
-			if ipnet, ok := addr.(*net.IPNet); ok && ipnet.IP.IsGlobalUnicast() {
-				result.IPAddresses = append(result.IPAddresses, ipnet.IP)
-				if !ipv4 && util.IsIPv4(ipnet.IP) {
+			// make sure to skip loopback and multicast addresses
+			if ipnet, ok := addr.(*net.IPNet); ok && !ipnet.IP.IsLoopback() && !ipnet.IP.IsMulticast() {
+				if util.IsIPv4(ipnet.IP) {
+					result.IPAddresses = append(result.IPAddresses, ipnet.IP)
 					ipv4 = true
-				}
-				if !ipv6 && util.IsIPv6(ipnet.IP) {
+				} else if !ipnet.IP.IsLinkLocalUnicast() {
+					// Else must be ipv6, and
+					// also skip link local for ipv6 addresses. First even if you
+					// disable ipv6 support via pasta -4 the kernel will always
+					// assign a link local addresses to the tap interface. So that
+					// alone should not mean ipv6 is supported.
+					// Second ipv6 link local is special in that sense that each
+					// address alone is useless until you also specify the zone
+					// (interface) when trying to connect to it.
+					// Thus adding a ipv6 link local address to IPAddresses should
+					// not be done as podman uses this for the hosts entry. And
+					// given we cannot include the zone here in the net.IP type
+					// we ignore it instead.
+					result.IPAddresses = append(result.IPAddresses, ipnet.IP)
 					ipv6 = true
 				}
 			}