netlink: Strip nexthop identifiers when duplicating routes

If routing daemons set up host routes, for example FRR via OSPF as in the reported issue, they might add nexthop identifiers (not objects) that are generally not valid in the target namespace. Strip them off as well, otherwise we'll get EINVAL from the kernel. Link: https://github.com/containers/podman/issues/22960 Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2024-11-05 20:31:11 +00:00 · 2024-06-18 08:17:51 +02:00 · 2024-06-18 08:17:51 +02:00 · 62de6140d9
commit 62de6140d9
parent 1544a43863
1 changed files with 16 additions and 7 deletions
--- a/netlink.c
+++ b/netlink.c
@ -600,13 +600,22 @@ int nl_route_dup(int s_src, unsigned int ifi_src,
 				if (discard)
 					break;
-			} else if (rta->rta_type == RTA_PREFSRC) {
+			} else if (rta->rta_type == RTA_PREFSRC ||
-				/* Host routes might include a preferred source
+				   rta->rta_type == RTA_NH_ID) {
-				 * address, which must be one of the host's
+				/* Strip RTA_PREFSRC attributes: host routes
-				 * addresses.  However, with -a pasta will use a
+				 * might include a preferred source address,
-				 * different namespace address, making such a
+				 * which must be one of the host's addresses.
-				 * route invalid in the namespace.  Strip off
+				 * However, with -a, pasta will use a different
-				 * RTA_PREFSRC attributes to avoid that. */
+				 * namespace address, making such a route
 				 * invalid in the namespace.
 				 *
 				 * Strip RTA_NH_ID attributes: host routes set
 				 * up via routing protocols (e.g. OSPF) might
 				 * contain a nexthop ID (and not nexthop
 				 * objects, which are taken care of in the
 				 * RTA_MULTIPATH case above) that's not valid
 				 * in the target namespace.
 				 */
 				rta->rta_type = RTA_UNSPEC;
 			}
 		}