diff --git a/cmd/bypass4netns/main.go b/cmd/bypass4netns/main.go
index 32c2a6e..b30bdd8 100644
--- a/cmd/bypass4netns/main.go
+++ b/cmd/bypass4netns/main.go
@@ -59,6 +59,7 @@ func main() {
 	handleC2cEnable := flag.Bool("handle-c2c-connections", false, "Handle connections between containers")
 	tracerEnable := flag.Bool("tracer", false, "Enable connection tracer")
 	multinodeEnable := flag.Bool("multinode", false, "Enable multinode communication")
+	disableBind := flag.Bool("disable-bind", false, "Disable bypassing bind")
 
 	// Parse arguments
 	flag.Parse()
@@ -154,7 +155,7 @@ func main() {
 
 	logrus.Infof("SocketPath: %s", socketFile)
-	handler := bypass4netns.NewHandler(socketFile, comSocketFile, strings.Replace(logFilePath, ".log", "-tracer.log", -1))
+	handler := bypass4netns.NewHandler(socketFile, comSocketFile, strings.Replace(logFilePath, ".log", "-tracer.log", -1), *disableBind)
 
 	subnets := []net.IPNet{}
 	var subnetsAuto bool
diff --git a/pkg/api/api.go b/pkg/api/api.go
index 6870389..f2a7c38 100644
--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@@ -13,6 +13,7 @@ type BypassSpec struct {
 	LogFilePath string `json:"logFilePath"`
 	PortMapping []PortSpec `json:"portMapping"`
 	IgnoreSubnets []string `json:"ignoreSubnets"` // CIDR or "auto"
+	DisableBind bool `json:"disableBind"`
 }
 
 type PortSpec struct {
diff --git a/pkg/bypass4netns/bypass4netns.go b/pkg/bypass4netns/bypass4netns.go
index 44dea5a..769f0c6 100644
--- a/pkg/bypass4netns/bypass4netns.go
+++ b/pkg/bypass4netns/bypass4netns.go
@@ -411,7 +411,7 @@ func (h *notifHandler) registerSocket(pid int, sockfd int, syscallName string) (
 	defer syscall.Close(sockFdHost)
 
 	sockDomain, sockType, sockProtocol, err := getSocketArgs(sockFdHost)
-	sock = newSocketStatus(pid, sockfd, sockDomain, sockType, sockProtocol)
+	sock = newSocketStatus(pid, sockfd, sockDomain, sockType, sockProtocol, h.disableBind)
 	if err != nil {
 		// non-socket fd is not bypassable
 		sock.state = NotBypassable
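Review bot: The help text `"Disable bypassing bind"` on the new flag.Bool line does not say what the option changes: in pkg/bypass4netns/socket.go the same commit makes handleSysBind return before reading the sockaddr and makes handleSysConnect skip the forwardingPorts lookup, so the option affects connect(2) as well as bind(2). Consider `disableBind := flag.Bool("disable-bind", false, "Do not bypass bind(2); also skips the forwarded-port lookup on connect(2)")`. main() continues outside the hunk.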
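Review bot: The new `DisableBind` field of BypassSpec carries no comment, while the neighbouring IgnoreSubnets documents its accepted values; BypassSpec is the JSON request the daemon consumes, so this is the one place an API user can learn what the option does. In pkg/bypass4netnsd/bypass4netnsd.go the same commit turns the field into the `--disable-bind` argument of the bypass4netns process, so a trailing comment such as `// passes --disable-bind to bypass4netns: bind(2) is not bypassed` is accurate. The json tag itself is fine as written.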
@@ -629,10 +629,12 @@ type Handler struct {
 
 	// key is child port
 	forwardingPorts map[int]ForwardPortMapping
+
+	disableBind bool
 }
 
 // NewHandler creates new seccomp notif handler
-func NewHandler(socketPath, comSocketPath, tracerAgentLogPath string) *Handler {
+func NewHandler(socketPath, comSocketPath, tracerAgentLogPath string, disableBind bool) *Handler {
 	handler := Handler{
 		socketPath: socketPath,
 		comSocketPath: comSocketPath,
@@ -640,6 +642,7 @@ func NewHandler(socketPath, comSocketPath, tracerAgentLogPath string) *Handler {
 		ignoredSubnets: []net.IPNet{},
 		forwardingPorts: map[int]ForwardPortMapping{},
 		readyFd: -1,
+		disableBind: disableBind,
 	}
 
 	return &handler
@@ -711,6 +714,8 @@ type notifHandler struct {
 
 	// cache pidfd to reduce latency. key is pid.
 	pidInfos map[int]pidInfo
+
+	disableBind bool
 }
 
 type containerInterface struct {
@@ -740,6 +745,7 @@ func (h *Handler) newNotifHandler(fd uintptr, state *specs.ContainerProcessState
 		processes: map[int]*processStatus{},
 		memfds: map[int]int{},
 		pidInfos: map[int]pidInfo{},
+		disableBind: h.disableBind,
 	}
 	notifHandler.nonBypassable = nonbypassable.New(h.ignoredSubnets)
 	notifHandler.nonBypassableAutoUpdate = h.ignoredSubnetsAutoUpdate
diff --git a/pkg/bypass4netns/socket.go b/pkg/bypass4netns/socket.go
index 5b43111..05fe55d 100644
--- a/pkg/bypass4netns/socket.go
+++ b/pkg/bypass4netns/socket.go
@@ -81,10 +81,11 @@ type socketStatus struct {
 	socketOptions []socketOption
 	fcntlOptions []fcntlOption
 
-	logger *logrus.Entry
+	logger *logrus.Entry
+	disableBind bool
 }
 
-func newSocketStatus(pid int, sockfd int, sockDomain, sockType, sockProto int) *socketStatus {
+func newSocketStatus(pid int, sockfd int, sockDomain, sockType, sockProto int, disableBind bool) *socketStatus {
 	return &socketStatus{
 		state: NotBypassed,
 		pid: pid,
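Review bot: The new `disableBind` field on Handler has no comment, and the NewHandler doc comment (`// NewHandler creates new seccomp notif handler`) does not mention the added parameter, so a caller of the exported constructor cannot tell what passing `true` does without reading socket.go. A field comment such as `// disableBind makes the notif handler skip bind(2) handling and the forwarded-port lookup on connect(2); see socketStatus.handleSysBind and handleSysConnect.` would cover it; the same gap exists for `notifHandler.disableBind` in the @@ -711 hunk and `socketStatus.disableBind` in the socket.go @@ -81 hunk. As a point of style, a trailing positional bool on an exported constructor reads as `NewHandler(a, b, c, true)` at call sites; a functional option or a small config struct would be self-describing, though that is a larger API change than this commit needs. The Handler struct and NewHandler both extend beyond the hunk.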
@@ -95,6 +96,7 @@ func newSocketStatus(pid int, sockfd int, sockDomain, sockType, sockProto int) *
 		socketOptions: []socketOption{},
 		fcntlOptions: []fcntlOption{},
 		logger: logrus.WithFields(logrus.Fields{"pid": pid, "sockfd": sockfd}),
+		disableBind: disableBind,
 	}
 }
 
@@ -166,14 +168,18 @@ func (ss *socketStatus) handleSysConnect(handler *notifHandler, ctx *context) {
 	connectToLoopback := false
 	connectToInterface := false
 	connectToOtherBypassedContainer := false
-	fwdPort, ok := handler.forwardingPorts[int(destAddr.Port)]
-	if ok {
-		if destAddr.IP.IsLoopback() {
-			ss.logger.Infof("destination address %v is loopback and bypassed", destAddr)
-			connectToLoopback = true
-		} else if contIf, ok := handler.containerInterfaces[destAddr.String()]; ok && contIf.containerID == handler.state.State.ID {
-			ss.logger.Infof("destination address %v is interface's address and bypassed", destAddr)
-			connectToInterface = true
+	var fwdPort ForwardPortMapping
+	if !ss.disableBind {
+		var ok bool
+		fwdPort, ok = handler.forwardingPorts[int(destAddr.Port)]
+		if ok {
+			if destAddr.IP.IsLoopback() {
+				ss.logger.Infof("destination address %v is loopback and bypassed", destAddr)
+				connectToLoopback = true
+			} else if contIf, ok := handler.containerInterfaces[destAddr.String()]; ok && contIf.containerID == handler.state.State.ID {
+				ss.logger.Infof("destination address %v is interface's address and bypassed", destAddr)
+				connectToInterface = true
+			}
 		}
 	}
 
@@ -301,6 +307,9 @@ func (ss *socketStatus) handleSysConnect(handler *notifHandler, ctx *context) {
 }
 
 func (ss *socketStatus) handleSysBind(pid int, handler *notifHandler, ctx *context) {
+	if ss.disableBind {
+		return
+	}
 	sa, err := handler.readSockaddrFromProcess(pid, ctx.req.Data.Args[1], ctx.req.Data.Args[2])
 	if err != nil {
 		ss.logger.Errorf("failed to read sockaddr from process: %q", err)
diff --git a/pkg/bypass4netnsd/bypass4netnsd.go b/pkg/bypass4netnsd/bypass4netnsd.go
index bf17c77..a73a9fc 100644
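Review bot: In the @@ -166 hunk the whole forwarded-port classification is re-indented under `if !ss.disableBind {`, which buries the actual change and leaves `fwdPort` as a zero ForwardPortMapping whenever the option is set; that is only safe because connectToLoopback and connectToInterface then stay false, and nothing in the hunk states that invariant (handleSysConnect continues past the hunk, where fwdPort is presumably consumed). Restricting the guard to the map lookup keeps the original `if ok` block byte-identical and makes the invariant visible at the point it is established. A one-line comment on why disabling bind bypass also disables the forwarded-port lookup would help too; it presumably holds because forwardingPorts is only populated by bypassed bind(2) calls, but that is not visible here and should be confirmed before it is written as fact.
```go
	// NOTE(review): assumes forwardingPorts is irrelevant when bind(2) is not
	// bypassed — confirm. With ok left false, connectToLoopback and
	// connectToInterface stay false and fwdPort is never read.
	var fwdPort ForwardPortMapping
	ok := false
	if !ss.disableBind {
		fwdPort, ok = handler.forwardingPorts[int(destAddr.Port)]
	}
	if ok {
		// … unchanged: loopback / own-interface classification …
	}
```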
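Review bot: The new early return at the top of handleSysBind is silent, while every other exit visible in this function goes through `ss.logger` (the Errorf three lines below, for example), so with the option set there is no per-socket trace explaining why a bind(2) was not processed, which is the first thing to look for when an expected port mapping never appears. What a bare return means for the pending seccomp request is decided by the caller outside the hunk; if it is meant to let the syscall proceed unmodified inside the container, say so at debug level: `if ss.disableBind { ss.logger.Debugf("bind(2) not bypassed: disable-bind is set"); return }`. handleSysBind continues past the hunk.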
--- a/pkg/bypass4netnsd/bypass4netnsd.go
+++ b/pkg/bypass4netnsd/bypass4netnsd.go
@@ -87,6 +87,10 @@ func (d *Driver) StartBypass(spec *api.BypassSpec) (*api.BypassStatus, error) {
 		b4nnArgs = append(b4nnArgs, fmt.Sprintf("--ignore=%s", subnet))
 	}
 
+	if spec.DisableBind {
+		b4nnArgs = append(b4nnArgs, "--disable-bind")
+	}
+
 	b4nnArgs = append(b4nnArgs, fmt.Sprintf("--com-socket=%s", d.ComSocketPath))
 	if d.HandleC2CEnable {
 		b4nnArgs = append(b4nnArgs, "--handle-c2c-connections")
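Review bot: The `"--disable-bind"` literal appended on the new line has to match the name registered with `flag.Bool("disable-bind", ...)` in cmd/bypass4netns/main.go, and nothing ties the two together; if either side is renamed, the daemon-launched bypass4netns should be rejected by the flag package as an unknown flag rather than run with the wrong setting, which fails safe but only shows up at run time. The surrounding `--ignore` and `--handle-c2c-connections` literals follow the same pattern, so the new code is consistent with the file; a shared constant in pkg/api next to BypassSpec.DisableBind would remove the duplication for all of them. StartBypass continues outside the hunk.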