Reject vs Drop for proxy
sparshev opened this issue · 6 comments
Hello folks, I'm trying to modify softnet to allow VMs to only connect to the host system without global net access (needed for image building). Do you know any way to Reject the packets instead of Dropping them?
I'm modifying:
Line 68 in 11910d8
Some(())
to None, and it's working, but the curl process is waiting instead of immediately returning an error... Worried it's some kind of virtualization framework limitation...

Hello Sergei 👋
> Do you know any way to Reject the packets instead of Dropping them?
As a quick work-around you can just remove the default route in the guest:
sudo route delete default
A proper way would be probably to return an ICMP message of type Destination Unreachable.
However, this feels to me as an out-of-scope functionality for the Softnet, because in the default usage scenario only a very limited number of packets will be dropped and this should have no effect on normal operation.
Another alternative you can try is to use the Host networking here:
Line 24 in f5a1b1c
As a result of this, your guest machine will get no default route installed automatically via the DHCP.
Also note that when running host-only networking, the default network assigned to guests will be probably different to the one used for shared networking. In my case it was 192.168.128.0/24 instead of the 192.168.64.0/24.
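To illustrate the ICMP Destination Unreachable reply suggested in the comment above, here is an added example; it is not Softnet's code and not written by anyone in this thread. The function names, the sample packet and the choice of code 13 (communication administratively prohibited) are assumptions, and only the ICMP message is built, not the outer IP header or Ethernet frame.

```rust
/// Internet checksum (RFC 1071) over big-endian 16-bit words, odd byte zero-padded.
fn inet_checksum(data: &[u8]) -> u16 {
    let mut sum: u32 = 0;
    for chunk in data.chunks(2) {
        let low = if chunk.len() == 2 { chunk[1] } else { 0 };
        sum += u32::from(u16::from_be_bytes([chunk[0], low]));
    }
    while sum >> 16 != 0 {
        sum = (sum & 0xffff) + (sum >> 16);
    }
    !(sum as u16)
}

/// Hypothetical helper: ICMP type 3 message for a rejected IPv4 packet `orig`.
/// Returns None when RFC 1122 says no ICMP error may be generated.
fn icmp_dest_unreachable(orig: &[u8], code: u8) -> Option<Vec<u8>> {
    if orig.len() < 20 || orig[0] >> 4 != 4 {
        return None; // not a complete IPv4 header
    }
    let ihl = usize::from(orig[0] & 0x0f) * 4;
    if ihl < 20 || orig.len() < ihl {
        return None; // malformed header length
    }
    if u16::from_be_bytes([orig[6], orig[7]]) & 0x1fff != 0 {
        return None; // non-first fragment
    }
    // Never answer an ICMP error (or a truncated ICMP packet) with another error.
    if orig[9] == 1 && orig.get(ihl).map_or(true, |t| matches!(*t, 3 | 4 | 5 | 11 | 12)) {
        return None;
    }
    // Body: type, code, checksum (2), unused (4), then IP header + first 8 data bytes.
    let mut msg = vec![3, code, 0, 0, 0, 0, 0, 0];
    msg.extend_from_slice(&orig[..orig.len().min(ihl + 8)]);
    let csum = inet_checksum(&msg);
    msg[2..4].copy_from_slice(&csum.to_be_bytes());
    Some(msg)
}

/// Constructed sample: TCP packet from a guest at 192.168.64.2 to 203.0.113.10.
fn sample_packet() -> Vec<u8> {
    let mut p = vec![0x45, 0, 0, 40, 0, 1, 0x40, 0, 64, 6, 0, 0, 192, 168, 64, 2, 203, 0, 113, 10];
    p.extend_from_slice(&[0u8; 20]); // zeroed 20-byte TCP header
    p
}

fn main() {
    let msg = icmp_dest_unreachable(&sample_packet(), 13).expect("reply expected"); // code 13: assumed choice
    println!("{} bytes: {:02x?}", msg.len(), msg);
}
```

The quoted IP header plus the first 8 bytes of the original payload is what lets the guest's stack match the error to the right socket, which is why a client such as curl can fail immediately instead of waiting for a timeout.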
Thank you @edigaryev ! Your suggestion to use Host instead of Shared works much better! I would try to prepare a simple change to have an ability to switch between host and shared network from tart (most probably env variables should work just fine).
And for sure it's up to you - but if softnet will be able to provide isolation of the VM networking on demand, that will be a great addition for Tart, because all the major virtualization solutions allow to choose between hostonly and NAT networks.
Hi @edigaryev , we're following "least privilege by default" principle so that will be great to have it available. If you want to change the defaults to "not private by default" - please make sure it's in the changelog with a huge warning and an option to enable it back, so the other folks will not suffer from security degradation (although probably will, but since the project is not that old - I think it's tolerable).
@rabits are you using --net-host specifically or just --net-softnet?
If it's the former, could you please explain your use-case a bit more, so we can better understand and devise/advise for an alternative.
Historical pre-text: the only reason we currently have a --net-host flag in tart run is that there's no VZHostOnlyNetworkDeviceAttachment available in the Virtualization.Framework yet.
We anticipate that in the future Apple will make it available, and the Softnet won't be needed at all, so all the restrictions currently imposed by the Softnet won't be in place.
Oh, sorry, yeah we're using --net-host for tart-cli packer plugin. The reason for that - is to make the image building isolated (sandboxed) from any remote service but host controller machine to keep the build process reproducible with no accidental external dependencies and influence.