libnetwork/resolvconf: filter out ipv6 link local

One thing I noticed in the recent aardvark-dns bug[1] that we copy link local nameservers into the container. This makes no sense as the link local address contains a zone (interface name/index) and cannot work without it. However a container by design will have a different interface name/index so the address can never work in the normal case. Only when we do share the host netns then we should keep it. [1] containers/aardvark-dns#537 Signed-off-by: Paul Holzinger <[email protected]>
containers · Nov 7, 2024 · d830bf8 · d830bf8
1 parent e522662
commit d830bf8
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 5 deletions.
diff --git a/libnetwork/resolvconf/resolv_test.go b/libnetwork/resolvconf/resolv_test.go
@@ -122,6 +122,18 @@ func TestNew(t *testing.T) {
 			ipv6:        true,
 			want:        "nameserver 1.1.1.1\nnameserver fd::1\n",
 		},
+		{
+			name:        "ipv6 link local must always be filtered when netns is private",
+			baseContent: "nameserver 1.1.1.1\nnameserver fe80::1%eth1\nnameserver fd::1\n",
+			ipv6:        true,
+			want:        "nameserver 1.1.1.1\nnameserver fd::1\n",
+		},
+		{
+			name:        "ipv6 link local must not be filtered when netns is host",
+			baseContent: "nameserver 1.1.1.1\nnameserver fe80::1%eth1\nnameserver fd::1\n",
+			hostns:      true,
+			want:        "nameserver 1.1.1.1\nnameserver fe80::1%eth1\nnameserver fd::1\n",
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

diff --git a/libnetwork/resolvconf/resolvconf.go b/libnetwork/resolvconf/resolvconf.go
@@ -32,11 +32,12 @@ var (
 	// ipLocalhost is a regex pattern for IPv4 or IPv6 loopback range.
 	ipLocalhost = `((127\.([0-9]{1,3}\.){2}[0-9]{1,3})|(::1)$)`
 
-	localhostNSRegexp = regexp.Delayed(`(?m)^nameserver\s+` + ipLocalhost + `\s*\n*`)
-	nsIPv6Regexp      = regexp.Delayed(`(?m)^nameserver\s+` + ipv6Address + `\s*\n*`)
-	nsRegexp          = regexp.Delayed(`^\s*nameserver\s*((` + ipv4Address + `)|(` + ipv6Address + `))\s*$`)
-	searchRegexp      = regexp.Delayed(`^\s*search\s*(([^\s]+\s*)*)$`)
-	optionsRegexp     = regexp.Delayed(`^\s*options\s*(([^\s]+\s*)*)$`)
+	localhostNSRegexp     = regexp.Delayed(`(?m)^nameserver\s+` + ipLocalhost + `\s*\n*`)
+	nsIPv6Regexp          = regexp.Delayed(`(?m)^nameserver\s+` + ipv6Address + `\s*\n*`)
+	nsIPv6LinkLocalRegexp = regexp.Delayed(`(?m)^nameserver\s+` + ipv6Address + `%.*\s*\n*`)
+	nsRegexp              = regexp.Delayed(`^\s*nameserver\s*((` + ipv4Address + `)|(` + ipv6Address + `))\s*$`)
+	searchRegexp          = regexp.Delayed(`^\s*search\s*(([^\s]+\s*)*)$`)
+	optionsRegexp         = regexp.Delayed(`^\s*options\s*(([^\s]+\s*)*)$`)
 )
 
 // filterResolvDNS cleans up the config in resolvConf.  It has two main jobs:
@@ -54,6 +55,10 @@ func filterResolvDNS(resolvConf []byte, ipv6Enabled bool, netnsEnabled bool) []b
 	// if IPv6 is not enabled, also clean out any IPv6 address nameserver
 	if !ipv6Enabled {
 		cleanedResolvConf = nsIPv6Regexp.ReplaceAll(cleanedResolvConf, []byte{})
+	} else {
+		// If ipv6 is we still must remove any ipv6 link-local addresses as
+		// the zone will never match the interface name or index in the container.
+		cleanedResolvConf = nsIPv6LinkLocalRegexp.ReplaceAll(cleanedResolvConf, []byte{})
 	}
 	// if the resulting resolvConf has no more nameservers defined, add appropriate
 	// default DNS servers for IPv4 and (optionally) IPv6