From 5606f9226b520b19533308dbda0b2df64d375991 Mon Sep 17 00:00:00 2001 From: Aviram Hassan Date: Sat, 12 Oct 2024 10:46:17 +0300 Subject: [PATCH 1/5] Handle IPv4 in IPv6, fix regressions (#2829) * Handle IPv4 in IPv6, should help with regressions related to allowing AF_INET6 * .. * .. * .. * .. --- Cargo.lock | 2 +- changelog.d/2827.fixed.md | 1 + mirrord/layer/src/debugger_ports.rs | 2 +- mirrord/layer/src/socket.rs | 19 +++++++++++-------- mirrord/layer/src/socket/dns_selector.rs | 2 +- mirrord/layer/src/socket/ops.rs | 19 +++++++++++++------ mirrord/protocol/Cargo.toml | 2 +- mirrord/protocol/src/outgoing.rs | 5 +++++ 8 files changed, 34 insertions(+), 18 deletions(-) create mode 100644 changelog.d/2827.fixed.md diff --git a/Cargo.lock b/Cargo.lock index ba51684820c..495ef9a69ae 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -4352,7 +4352,7 @@ dependencies = [ [[package]] name = "mirrord-protocol" -version = "1.11.0" +version = "1.11.1" dependencies = [ "actix-codec", "bincode", diff --git a/changelog.d/2827.fixed.md b/changelog.d/2827.fixed.md new file mode 100644 index 00000000000..392db10e2a2 --- /dev/null +++ b/changelog.d/2827.fixed.md @@ -0,0 +1 @@ +Handle IPv4 in IPv6, should help with regressions related to allowing AF_INET6 \ No newline at end of file diff --git a/mirrord/layer/src/debugger_ports.rs b/mirrord/layer/src/debugger_ports.rs index 2b2feb0aed6..fdabac20859 100644 --- a/mirrord/layer/src/debugger_ports.rs +++ b/mirrord/layer/src/debugger_ports.rs @@ -248,7 +248,7 @@ impl DebuggerPorts { /// Return whether the given [SocketAddr] is used by the debugger. pub fn contains(&self, addr: &SocketAddr) -> bool { let is_localhost = matches!( - addr.ip(), + addr.ip().to_canonical(), IpAddr::V4(Ipv4Addr::LOCALHOST) | IpAddr::V6(Ipv6Addr::LOCALHOST) ); if !is_localhost { diff --git a/mirrord/layer/src/socket.rs b/mirrord/layer/src/socket.rs index 945391c9bc2..189c71e2152 100644 --- a/mirrord/layer/src/socket.rs +++ b/mirrord/layer/src/socket.rs 
@@ -1,5 +1,7 @@ //! We implement each hook function in a safe function as much as possible, having the unsafe do the //! absolute minimum +//! Note the case of IPv6 in IPv4 which requires special care to do right +//! use std::{ collections::HashMap, net::{SocketAddr, ToSocketAddrs}, @@ -382,13 +384,13 @@ impl OutgoingSelector { // https://github.com/metalbear-co/mirrord/issues/2389 fixed and I don't have time to // fully understand or refactor, and the logic is sound (if it's loopback, just connect to // it) - if address.ip().is_loopback() { + if address.ip().to_canonical().is_loopback() { return Ok(address); } let cached = REMOTE_DNS_REVERSE_MAPPING .lock()? - .get(&address.ip()) + .get(&address.ip().to_canonical()) .cloned(); let Some(hostname) = cached else { return Ok(address); @@ -458,7 +460,7 @@ impl ProtocolAndAddressFilterExt for ProtocolAndAddressFilter { let _guard = DetourGuard::new(); match (name.as_str(), *port).to_socket_addrs() { - Ok(addresses) => addresses.map(|addr| addr.ip()).collect(), + Ok(addresses) => addresses.map(|addr| addr.ip().to_canonical()).collect(), Err(e) => { let as_string = e.to_string(); if as_string.contains("Temporary failure in name resolution") @@ -477,12 +479,13 @@ impl ProtocolAndAddressFilterExt for ProtocolAndAddressFilter { } }; - Ok(resolved_ips.into_iter().any(|ip| ip == address.ip())) + Ok(resolved_ips + .into_iter() + .any(|ip| ip == address.ip().to_canonical())) } - AddressFilter::Socket(addr) => { - Ok(addr.ip().is_unspecified() || addr.ip() == address.ip()) - } - AddressFilter::Subnet(net, _) => Ok(net.contains(&address.ip())), + AddressFilter::Socket(addr) => Ok(addr.ip().to_canonical().is_unspecified() + || addr.ip().to_canonical() == address.ip().to_canonical()), + AddressFilter::Subnet(net, _) => Ok(net.contains(&address.ip().to_canonical())), AddressFilter::Port(..) => Ok(true), } } 
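Review bot: The module doc line added in the first hunk says "IPv6 in IPv4", but every code change in this file handles the opposite case, an IPv4 address carried in an IPv6 address (IPv4-mapped, `::ffff:a.b.c.d`), which is also what the commit title says. I would reword it to `//! Note the case of IPv4-mapped IPv6 addresses: canonicalize with `to_canonical()` before comparing or classifying an IP.` and drop the empty `//!` line that follows it. Because the filter matching below decides which outgoing connections are treated as local, the comment is worth getting right for the next reader.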
diff --git a/mirrord/layer/src/socket/dns_selector.rs b/mirrord/layer/src/socket/dns_selector.rs index e83dbba2d9f..20c202ec8ae 100644 --- a/mirrord/layer/src/socket/dns_selector.rs +++ b/mirrord/layer/src/socket/dns_selector.rs @@ -33,7 +33,7 @@ impl DnsSelector { AddressFilter::Port(..) => true, AddressFilter::Name(filter_name, _) => filter_name == node, AddressFilter::Socket(filter_socket) => { - filter_socket.ip().is_unspecified() + filter_socket.ip().to_canonical().is_unspecified() || Some(filter_socket.ip()) == node.parse().ok() } AddressFilter::Subnet(filter_subnet, _) => { diff --git a/mirrord/layer/src/socket/ops.rs b/mirrord/layer/src/socket/ops.rs index e03569b102c..e6f92ff492d 100644 --- a/mirrord/layer/src/socket/ops.rs +++ b/mirrord/layer/src/socket/ops.rs @@ -154,7 +154,9 @@ fn bind_similar_address(sockfd: c_int, requested_address: &SocketAddr) -> Detour let addr = requested_address.ip(); let port = requested_address.port(); - let address = if addr.is_loopback() || addr.is_unspecified() { + let canonical_address = addr.to_canonical(); + + let address = if canonical_address.is_loopback() || canonical_address.is_unspecified() { *requested_address } else if addr.is_ipv4() { SocketAddr::new(IpAddr::V4(Ipv4Addr::LOCALHOST), port) @@ -253,7 +255,7 @@ pub(super) fn bind( // we don't use `is_localhost` here since unspecified means to listen // on all IPs. - if incoming_config.ignore_localhost && requested_address.ip().is_loopback() { + if incoming_config.ignore_localhost && requested_address.ip().to_canonical().is_loopback() { return Detour::Bypass(Bypass::IgnoreLocalhost(requested_port)); } 
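Review bot: In the `AddressFilter::Socket` arm of the dns_selector.rs hunk only the `is_unspecified()` test is canonicalized; the equality on the next line still compares the raw `filter_socket.ip()` with the parsed `node`. A filter written as an IPv4-mapped address therefore still fails to match a plain IPv4 `node` (and the reverse), while the matching arm in socket.rs now canonicalizes both sides. For consistency the comparison could read `|| node.parse::<IpAddr>().ok().map(|ip| ip.to_canonical()) == Some(filter_socket.ip().to_canonical())`, assuming `std::net::IpAddr` is in scope in that file. The enclosing match starts and ends outside the hunk.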
@@ -564,7 +566,11 @@ pub(super) fn connect( ) -> Detour { let remote_address = SockAddr::try_from_raw(raw_address, address_length)?; let optional_ip_address = remote_address.as_socket(); - + let is_ipv4_in_ipv6 = remote_address + .as_socket() + .as_ref() + .map(|addr| addr.ip().to_canonical().is_ipv6()) + .unwrap_or(false); let unix_streams = crate::setup().remote_unix_streams(); trace!("in connect {:#?}", SOCKETS); @@ -581,7 +587,7 @@ pub(super) fn connect( .family() .map(|family| family as i32) .unwrap_or(-1); - if domain != libc::AF_INET && domain != libc::AF_UNIX { + if domain != libc::AF_INET && domain != libc::AF_UNIX && !is_ipv4_in_ipv6 { return Detour::Bypass(Bypass::Domain(domain)); } // I really hate it, but nix seems to really make this API bad :() @@ -603,8 +609,9 @@ pub(super) fn connect( return Detour::Success(connect_result); } - let ip = ip_address.ip(); - if ip.is_loopback() || ip.is_unspecified() { + let canonical_ip = ip_address.ip().to_canonical(); + + if canonical_ip.is_loopback() || canonical_ip.is_unspecified() { if let Some(result) = connect_to_local_address(sockfd, &user_socket_info, ip_address)? { // `result` here is always a success, as error and bypass are returned on the `?` // above. diff --git a/mirrord/protocol/Cargo.toml b/mirrord/protocol/Cargo.toml index b577a8fbe5b..c6e954f0f38 100644 --- a/mirrord/protocol/Cargo.toml +++ b/mirrord/protocol/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "mirrord-protocol" -version = "1.11.0" +version = "1.11.1" authors.workspace = true description.workspace = true documentation.workspace = true diff --git a/mirrord/protocol/src/outgoing.rs b/mirrord/protocol/src/outgoing.rs index dedfa099b7b..2614aac0052 100644 --- a/mirrord/protocol/src/outgoing.rs +++ b/mirrord/protocol/src/outgoing.rs 
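Review bot: `is_ipv4_in_ipv6` in the first `connect` hunk is computed with the opposite meaning of its name. `to_canonical()` turns an IPv4-mapped address into `IpAddr::V4`, so `.to_canonical().is_ipv6()` is false for the mapped case and true only for a genuine IPv6 address. With the new guard `domain != libc::AF_INET && domain != libc::AF_UNIX && !is_ipv4_in_ipv6`, an `AF_INET6` socket connecting to a mapped IPv4 address is still bypassed, while one connecting to a real IPv6 address now continues into the hooked path. The closure should be `.map(|addr| addr.is_ipv6() && addr.ip().to_canonical().is_ipv4())`, and it can reuse `optional_ip_address` instead of calling `as_socket()` a second time. The body of `connect` continues outside these hunks, and PATCH 4/5 later in this series removes the variable again.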
@@ -83,6 +83,11 @@ impl TryFrom for SocketAddress { fn try_from(addr: OsSockAddr) -> Result { addr.as_socket() + .map(|mut socket_addr| { + // convert ipv4 in ipv6 to ipv4 + socket_addr.set_ip(socket_addr.ip().to_canonical()); + socket_addr + }) .map(SocketAddress::Ip) .or_else(|| { addr.as_pathname() From 184170fab5326c79fcab3c835a90c776b7b7ff3e Mon Sep 17 00:00:00 2001 From: Aviram Hassan Date: Sun, 13 Oct 2024 10:20:13 +0300 Subject: [PATCH 2/5] fix changelog (#2831) --- CHANGELOG.md | 28 +++++++++++++++++++++++++- Cargo.lock | 56 ++++++++++++++++++++++++++-------------------------- Cargo.toml | 2 +- 3 files changed, 56 insertions(+), 30 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a0644762e26..002686ed8c2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,30 @@ This project uses [*towncrier*](https://towncrier.readthedocs.io/) and the chang +## [3.120.0](https://github.com/metalbear-co/mirrord/tree/3.120.0) - 2024-10-13 + + +### Added + +- Added Kafka splitting feature. + [#2601](https://github.com/metalbear-co/mirrord/issues/2601) + + +### Changed + +- Add analytics about usage of experimental features +- Add option to have logs when running ext commands +- update dependencies + + +### Fixed + +- Fixed a bug where `all_of` and `any_of` HTTP filters were stealing all HTTP + traffic. [#2817](https://github.com/metalbear-co/mirrord/issues/2817) +- Handle IPv4 in IPv6, should help with regressions related to allowing + AF_INET6 [#2827](https://github.com/metalbear-co/mirrord/issues/2827) + + ## [3.119.1](https://github.com/metalbear-co/mirrord/tree/3.119.1) - 2024-10-09 @@ -41,7 +65,9 @@ This project uses [*towncrier*](https://towncrier.readthedocs.io/) and the chang ``` mirrord port-forward [options] -R [remote_port:]local_port -f config_file.toml - ``` [#2609](https://github.com/metalbear-co/mirrord/issues/2609) + ``` + + [#2609](https://github.com/metalbear-co/mirrord/issues/2609) ### Changed 
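Review bot: The comment added in `try_from` does not mention that the rewrite changes the address family. `set_ip` with the canonical value turns a V6 `SocketAddr` holding an IPv4-mapped address into a V4 one, so the resulting `SocketAddress::Ip` no longer matches the family of the socket the application opened. If any caller converts it back into an OS sockaddr for that same socket, which is not visible in this hunk, the two would disagree. I would extend the comment to `// IPv4-mapped IPv6 (::ffff:a.b.c.d) is sent as plain IPv4; the result can differ in family from the caller's socket`, and add a unit test for the mapped case, since this conversion sits in the protocol crate.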
diff --git a/Cargo.lock b/Cargo.lock index 495ef9a69ae..33a753ca13c 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2354,7 +2354,7 @@ dependencies = [ [[package]] name = "fileops" -version = "3.119.1" +version = "3.120.0" dependencies = [ "libc", ] @@ -3373,7 +3373,7 @@ checksum = "7943c866cc5cd64cbc25b2e01621d07fa8eb2a1a23160ee81ce38704e97b8ecf" [[package]] name = "issue1317" -version = "3.119.1" +version = "3.120.0" dependencies = [ "actix-web", "env_logger 0.11.5", @@ -3383,7 +3383,7 @@ dependencies = [ [[package]] name = "issue1776" -version = "3.119.1" +version = "3.120.0" dependencies = [ "errno 0.3.9", "libc", @@ -3392,7 +3392,7 @@ dependencies = [ [[package]] name = "issue1776portnot53" -version = "3.119.1" +version = "3.120.0" dependencies = [ "libc", "socket2", @@ -3400,14 +3400,14 @@ dependencies = [ [[package]] name = "issue1899" -version = "3.119.1" +version = "3.120.0" dependencies = [ "libc", ] [[package]] name = "issue2001" -version = "3.119.1" +version = "3.120.0" dependencies = [ "libc", ] @@ -3739,7 +3739,7 @@ checksum = "78b3ae25bc7c8c38cec158d1f2757ee79e9b3740fbc7ccf0e59e4b08d793fa89" [[package]] name = "listen_ports" -version = "3.119.1" +version = "3.120.0" [[package]] name = "local-channel" @@ -3977,7 +3977,7 @@ checksum = "c9be0862c1b3f26a88803c4a49de6889c10e608b3ee9344e6ef5b45fb37ad3d1" [[package]] name = "mirrord" -version = "3.119.1" +version = "3.120.0" dependencies = [ "actix-codec", "clap", @@ -4032,7 +4032,7 @@ dependencies = [ [[package]] name = "mirrord-agent" -version = "3.119.1" +version = "3.120.0" dependencies = [ "actix-codec", "async-trait", @@ -4089,7 +4089,7 @@ dependencies = [ [[package]] name = "mirrord-analytics" -version = "3.119.1" +version = "3.120.0" dependencies = [ "assert-json-diff", "base64 0.22.1", @@ -4103,7 +4103,7 @@ dependencies = [ [[package]] name = "mirrord-auth" -version = "3.119.1" +version = "3.120.0" dependencies = [ "bcder", "chrono", 
@@ -4124,7 +4124,7 @@ dependencies = [ [[package]] name = "mirrord-config" -version = "3.119.1" +version = "3.120.0" dependencies = [ "bimap", "bitflags 2.6.0", @@ -4147,7 +4147,7 @@ dependencies = [ [[package]] name = "mirrord-config-derive" -version = "3.119.1" +version = "3.120.0" dependencies = [ "proc-macro2", "proc-macro2-diagnostics", @@ -4157,7 +4157,7 @@ dependencies = [ [[package]] name = "mirrord-console" -version = "3.119.1" +version = "3.120.0" dependencies = [ "bincode", "drain", @@ -4173,7 +4173,7 @@ dependencies = [ [[package]] name = "mirrord-intproxy" -version = "3.119.1" +version = "3.120.0" dependencies = [ "bytes", "futures", @@ -4200,7 +4200,7 @@ dependencies = [ [[package]] name = "mirrord-intproxy-protocol" -version = "3.119.1" +version = "3.120.0" dependencies = [ "bincode", "mirrord-protocol", @@ -4210,7 +4210,7 @@ dependencies = [ [[package]] name = "mirrord-kube" -version = "3.119.1" +version = "3.120.0" dependencies = [ "actix-codec", "async-stream", @@ -4240,7 +4240,7 @@ dependencies = [ [[package]] name = "mirrord-layer" -version = "3.119.1" +version = "3.120.0" dependencies = [ "actix-codec", "base64 0.22.1", @@ -4289,7 +4289,7 @@ dependencies = [ [[package]] name = "mirrord-layer-macro" -version = "3.119.1" +version = "3.120.0" dependencies = [ "proc-macro2", "quote", @@ -4298,7 +4298,7 @@ dependencies = [ [[package]] name = "mirrord-macros" -version = "3.119.1" +version = "3.120.0" dependencies = [ "proc-macro2", "proc-macro2-diagnostics", @@ -4308,7 +4308,7 @@ dependencies = [ [[package]] name = "mirrord-operator" -version = "3.119.1" +version = "3.120.0" dependencies = [ "base64 0.22.1", "bincode", @@ -4342,7 +4342,7 @@ dependencies = [ [[package]] name = "mirrord-progress" -version = "3.119.1" +version = "3.120.0" dependencies = [ "enum_dispatch", "indicatif", @@ -4376,7 +4376,7 @@ dependencies = [ [[package]] name = "mirrord-sip" -version = "3.119.1" +version = "3.120.0" dependencies = [ "apple-codesign", "object 0.36.5", 
@@ -4389,7 +4389,7 @@ dependencies = [ [[package]] name = "mirrord-vpn" -version = "3.119.1" +version = "3.120.0" dependencies = [ "futures", "ipnet", @@ -4719,7 +4719,7 @@ dependencies = [ [[package]] name = "outgoing" -version = "3.119.1" +version = "3.120.0" [[package]] name = "outref" @@ -5772,14 +5772,14 @@ dependencies = [ [[package]] name = "rust-bypassed-unix-socket" -version = "3.119.1" +version = "3.120.0" dependencies = [ "tokio", ] [[package]] name = "rust-e2e-fileops" -version = "3.119.1" +version = "3.120.0" dependencies = [ "libc", ] @@ -5795,7 +5795,7 @@ dependencies = [ [[package]] name = "rust-unix-socket-client" -version = "3.119.1" +version = "3.120.0" dependencies = [ "tokio", ] diff --git a/Cargo.toml b/Cargo.toml index d08f10edf2a..45a3ecaabb9 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -26,7 +26,7 @@ resolver = "2" # latest commits on rustls suppress certificate verification [workspace.package] -version = "3.119.1" +version = "3.120.0" edition = "2021" license = "MIT" readme = "README.md" From 4d5c644b1d47d24d5dd04d6a8a226f6eeefdc080 Mon Sep 17 00:00:00 2001 From: Aviram Hassan Date: Mon, 14 Oct 2024 11:12:36 +0300 Subject: [PATCH 3/5] Update github actions dependencies (#2832) * Update github actions dependencies * .. * .. * .. --- .github/workflows/ci.yaml | 40 ++++++++++---------- changelog.d/+bump-github-actions.internal.md | 1 + 2 files changed, 20 insertions(+), 21 deletions(-) create mode 100644 changelog.d/+bump-github-actions.internal.md diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 3fe2a7bc5ac..95b9bde868e 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -144,7 +144,7 @@ jobs: if: ${{needs.changed_files.outputs.rs_changed == 'true' || needs.changed_files.outputs.ci_changed == 'true'}} steps: - uses: actions/checkout@v4 - - uses: arduino/setup-protoc@v1 + - uses: arduino/setup-protoc@v3 with: repo-token: ${{ secrets.GITHUB_TOKEN }} # Otherwise the arguments to the setup-rust-toolchain action are ignored. @@ -154,8 +154,8 @@ jobs: toolchain: nightly-2024-04-15 components: rustfmt, clippy target: aarch64-unknown-linux-gnu,x86_64-unknown-linux-gnu - - uses: actions/setup-python@v3 # For http mirroring tests with Flask and FastAPI. - - run: pip3 install cargo-zigbuild # For http mirroring test with Flask. + - uses: actions/setup-python@v5 # For http mirroring tests with Flask and FastAPI. + - run: pip3 install --break-system-packages cargo-zigbuild # For http mirroring test with Flask. - run: cargo fmt --all -- --check # x64 - run: cargo-zigbuild clippy --lib --bins --all-features --target x86_64-unknown-linux-gnu --tests -- -Wclippy::indexing_slicing -D warnings @@ -188,7 +188,7 @@ jobs: RUSTDOCFLAGS: "--enable-index-page -Zunstable-options -Dwarnings" steps: - uses: actions/checkout@v4 - - uses: arduino/setup-protoc@v1 + - uses: arduino/setup-protoc@v3 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - uses: actions-rust-lang/setup-rust-toolchain@v1 @@ -205,7 +205,7 @@ jobs: image: ghcr.io/metalbear-co/ci-agent-build:f8330d35a2a4b9132138f6fa9a3f3f80768c7c32 steps: - uses: actions/checkout@v4 - - uses: arduino/setup-protoc@v1 + - uses: arduino/setup-protoc@v3 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: test @@ -217,7 +217,7 @@ jobs: if: ${{needs.changed_files.outputs.rs_changed == 'true' || needs.changed_files.outputs.ci_changed == 'true' || needs.changed_files.outputs.dockerfile_changed == 'true' }} steps: - uses: actions/checkout@v4 - - uses: docker/setup-buildx-action@v2 + - uses: docker/setup-buildx-action@v3 - name: build and export uses: docker/build-push-action@v6 with: 
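Review bot: The bumped actions are still referenced by mutable major tags (`arduino/setup-protoc@v3`, `docker/setup-buildx-action@v3`, `actions/setup-python@v5`, `actions/setup-go@v5`), and `arduino/setup-protoc` receives `secrets.GITHUB_TOKEN`, so a moved tag would change what runs in CI without any diff in this repository. Pinning each `uses:` to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: arduino/setup-protoc@<full-commit-sha> # v3`, keeps future bumps reviewable. The same applies to the remaining hunks of this file. The new `pip3 install --break-system-packages ...` steps install unpinned packages into the runner's system Python; version pins or a virtualenv would make those steps reproducible.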
@@ -239,7 +239,7 @@ jobs: if: ${{needs.changed_files.outputs.rs_changed == 'true' || needs.changed_files.outputs.ci_changed == 'true' || needs.changed_files.outputs.dockerfile_changed == 'true' }} steps: - uses: actions/checkout@v4 - - uses: docker/setup-buildx-action@v2 + - uses: docker/setup-buildx-action@v3 - name: build and export uses: docker/build-push-action@v6 with: @@ -288,10 +288,10 @@ jobs: with: node-version: 14 - run: npm install express # For http mirroring test with node. - - uses: actions/setup-python@v3 # For http mirroring tests with Flask and FastAPI. - - run: pip3 install flask fastapi uvicorn[standard] # For http mirroring test with Flask. + - uses: actions/setup-python@v5 # For http mirroring tests with Flask and FastAPI. + - run: pip3 install --break-system-packages flask fastapi uvicorn[standard] # For http mirroring test with Flask. # don't use "cache" for other Gos since it will try to overwrite and have bad results. - - uses: actions/setup-go@v4 + - uses: actions/setup-go@v5 with: go-version: "1.21" cache-dependency-path: tests/go-e2e/go.sum @@ -299,7 +299,7 @@ jobs: go version - run: | # Build Go test apps. ./scripts/build_go_apps.sh 21 - - uses: actions/setup-go@v4 + - uses: actions/setup-go@v5 with: go-version: "1.22" cache: false @@ -307,7 +307,7 @@ jobs: go version - run: | # Build Go test apps. ./scripts/build_go_apps.sh 22 - - uses: actions/setup-go@v4 + - uses: actions/setup-go@v5 with: go-version: "1.23" cache: false @@ -386,7 +386,7 @@ jobs: target: aarch64-apple-darwin toolchain: nightly-2024-04-15 - name: Install Protoc - uses: arduino/setup-protoc@v2 + uses: arduino/setup-protoc@v3 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: clippy x64 @@ -411,7 +411,7 @@ jobs: - run: | cd mirrord/layer/tests/apps/issue2058 rustc issue2058.rs --out-dir target - - uses: actions/setup-go@v4 + - uses: actions/setup-go@v5 with: go-version: "1.21" cache-dependency-path: tests/go-e2e/go.sum 
@@ -420,7 +420,7 @@ jobs: # don't use "cache" for other Gos since it will try to overwrite and have bad results. - run: | # Build Go test apps. ./scripts/build_go_apps.sh 21 - - uses: actions/setup-go@v4 + - uses: actions/setup-go@v5 with: go-version: "1.22" cache: false @@ -428,7 +428,7 @@ jobs: go version - run: | # Build Go test apps. ./scripts/build_go_apps.sh 22 - - uses: actions/setup-go@v4 + - uses: actions/setup-go@v5 with: go-version: "1.23" cache: false @@ -471,10 +471,8 @@ jobs: candidate: java version: 17.0.6-tem - run: java -version - - uses: actions/setup-python@v3 # For http mirroring tests with Flask and FastAPI. - - run: pip3 install flask # For http mirroring test with Flask. - - run: pip3 install fastapi # For http mirroring test with FastAPI. - - run: pip3 install uvicorn[standard] # For http mirroring test with FastAPI. + - uses: actions/setup-python@v5 # For http mirroring tests with Flask and FastAPI. + - run: pip3 install --break-system-packages flask fastapi uvicorn[standard] # For http mirroring test with Flask. - uses: actions/setup-node@v3 with: node-version: 18 @@ -559,7 +557,7 @@ jobs: if: ${{ needs.check_if_release_branch.outputs.release_branch == 'true' }} steps: - uses: actions/checkout@v4 - - uses: arduino/setup-protoc@v1 + - uses: arduino/setup-protoc@v3 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - uses: actions-rust-lang/setup-rust-toolchain@v1 diff --git a/changelog.d/+bump-github-actions.internal.md b/changelog.d/+bump-github-actions.internal.md new file mode 100644 index 00000000000..0423a29756c --- /dev/null +++ b/changelog.d/+bump-github-actions.internal.md @@ -0,0 +1 @@ +Update github actions dependencies \ No newline at end of file From 04e33c6e15b350cf45af437f8ba72646bdcbe78e Mon Sep 17 00:00:00 2001 
From: Dmitry Dodzin Date: Mon, 14 Oct 2024 14:31:20 +0300 Subject: [PATCH 4/5] Disallow using IPv6 sockets with mirrord (#2837) * Revert "4f82caadbf6b00a6c51e36289021aff4526dfa6c" * Typo * Revert "5606f9226b520b19533308dbda0b2df64d375991" --- Cargo.lock | 2 +- changelog.d/2836.fixed.md | 1 + mirrord/layer/src/debugger_ports.rs | 2 +- mirrord/layer/src/error.rs | 7 +++++++ mirrord/layer/src/socket.rs | 19 ++++++++----------- mirrord/layer/src/socket/dns_selector.rs | 2 +- mirrord/layer/src/socket/ops.rs | 23 ++++++++++------------- mirrord/protocol/Cargo.toml | 2 +- mirrord/protocol/src/outgoing.rs | 5 ----- 9 files changed, 30 insertions(+), 33 deletions(-) create mode 100644 changelog.d/2836.fixed.md diff --git a/Cargo.lock b/Cargo.lock index 33a753ca13c..d9e130083b7 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -4352,7 +4352,7 @@ dependencies = [ [[package]] name = "mirrord-protocol" -version = "1.11.1" +version = "1.11.2" dependencies = [ "actix-codec", "bincode", diff --git a/changelog.d/2836.fixed.md b/changelog.d/2836.fixed.md new file mode 100644 index 00000000000..b02c553ce0b --- /dev/null +++ b/changelog.d/2836.fixed.md @@ -0,0 +1 @@ +Disallow using IPv6 sockets with mirrord. diff --git a/mirrord/layer/src/debugger_ports.rs b/mirrord/layer/src/debugger_ports.rs index fdabac20859..2b2feb0aed6 100644 --- a/mirrord/layer/src/debugger_ports.rs +++ b/mirrord/layer/src/debugger_ports.rs @@ -248,7 +248,7 @@ impl DebuggerPorts { /// Return whether the given [SocketAddr] is used by the debugger. pub fn contains(&self, addr: &SocketAddr) -> bool { let is_localhost = matches!( - addr.ip().to_canonical(), + addr.ip(), IpAddr::V4(Ipv4Addr::LOCALHOST) | IpAddr::V6(Ipv6Addr::LOCALHOST) ); if !is_localhost { diff --git a/mirrord/layer/src/error.rs b/mirrord/layer/src/error.rs index 406dd28ffdc..5bd0dd1b062 100644 --- a/mirrord/layer/src/error.rs +++ b/mirrord/layer/src/error.rs 
@@ -75,6 +75,9 @@ pub(crate) enum HookError { #[error("mirrord-layer: SIP patch failed with error `{0}`!")] FailedSipPatch(#[from] SipError), + #[error("mirrord-layer: IPv6 can't be used with mirrord")] + SocketUnsuportedIpv6, + // `From` implemented below, not with `#[from]` so that when new variants of // `SerializationError` are added, they are mapped into different variants of // `LayerError`. @@ -218,6 +221,9 @@ impl From for i64 { HookError::FileNotFound => { info!("mirrord file not found triggered") } + HookError::SocketUnsuportedIpv6 => { + info!("{fail}") + } HookError::ProxyError(ref err) => { graceful_exit!( r"Proxy error, connectivity issue or a bug. @@ -286,6 +292,7 @@ impl From for i64 { HookError::LocalFileCreation(_) => libc::EINVAL, #[cfg(target_os = "macos")] HookError::FailedSipPatch(_) => libc::EACCES, + HookError::SocketUnsuportedIpv6 => libc::EAFNOSUPPORT, HookError::UnsupportedSocketType => libc::EAFNOSUPPORT, HookError::BadPointer => libc::EFAULT, HookError::AddressAlreadyBound(_) => libc::EADDRINUSE, diff --git a/mirrord/layer/src/socket.rs b/mirrord/layer/src/socket.rs index 189c71e2152..945391c9bc2 100644 --- a/mirrord/layer/src/socket.rs +++ b/mirrord/layer/src/socket.rs @@ -1,7 +1,5 @@ //! We implement each hook function in a safe function as much as possible, having the unsafe do the //! absolute minimum -//! Note the case of IPv6 in IPv4 which requires special care to do right -//! use std::{ collections::HashMap, net::{SocketAddr, ToSocketAddrs}, 
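Review bot: The new variant is spelled `SocketUnsuportedIpv6` (one "p"), and the misspelling is repeated in the `info!` arm and the errno mapping in the two following hunks of error.rs. The enum is `pub(crate)`, so renaming it to `SocketUnsupportedIpv6` now is cheap and also lines it up with the existing `UnsupportedSocketType` variant. A `///` line on the variant saying that it is returned for IPv6 sockets and maps to `EAFNOSUPPORT` would document the errno choice next to the definition.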
@@ -384,13 +382,13 @@ impl OutgoingSelector { // https://github.com/metalbear-co/mirrord/issues/2389 fixed and I don't have time to // fully understand or refactor, and the logic is sound (if it's loopback, just connect to // it) - if address.ip().to_canonical().is_loopback() { + if address.ip().is_loopback() { return Ok(address); } let cached = REMOTE_DNS_REVERSE_MAPPING .lock()? - .get(&address.ip().to_canonical()) + .get(&address.ip()) .cloned(); let Some(hostname) = cached else { return Ok(address); @@ -460,7 +458,7 @@ impl ProtocolAndAddressFilterExt for ProtocolAndAddressFilter { let _guard = DetourGuard::new(); match (name.as_str(), *port).to_socket_addrs() { - Ok(addresses) => addresses.map(|addr| addr.ip().to_canonical()).collect(), + Ok(addresses) => addresses.map(|addr| addr.ip()).collect(), Err(e) => { let as_string = e.to_string(); if as_string.contains("Temporary failure in name resolution") @@ -479,13 +477,12 @@ impl ProtocolAndAddressFilterExt for ProtocolAndAddressFilter { } }; - Ok(resolved_ips - .into_iter() - .any(|ip| ip == address.ip().to_canonical())) + Ok(resolved_ips.into_iter().any(|ip| ip == address.ip())) } - AddressFilter::Socket(addr) => Ok(addr.ip().to_canonical().is_unspecified() - || addr.ip().to_canonical() == address.ip().to_canonical()), - AddressFilter::Subnet(net, _) => Ok(net.contains(&address.ip().to_canonical())), + AddressFilter::Socket(addr) => { + Ok(addr.ip().is_unspecified() || addr.ip() == address.ip()) + } + AddressFilter::Subnet(net, _) => Ok(net.contains(&address.ip())), AddressFilter::Port(..) => Ok(true), } } diff --git a/mirrord/layer/src/socket/dns_selector.rs b/mirrord/layer/src/socket/dns_selector.rs index 20c202ec8ae..e83dbba2d9f 100644 --- a/mirrord/layer/src/socket/dns_selector.rs +++ b/mirrord/layer/src/socket/dns_selector.rs 
@@ -33,7 +33,7 @@ impl DnsSelector { AddressFilter::Port(..) => true, AddressFilter::Name(filter_name, _) => filter_name == node, AddressFilter::Socket(filter_socket) => { - filter_socket.ip().to_canonical().is_unspecified() + filter_socket.ip().is_unspecified() || Some(filter_socket.ip()) == node.parse().ok() } AddressFilter::Subnet(filter_subnet, _) => { diff --git a/mirrord/layer/src/socket/ops.rs b/mirrord/layer/src/socket/ops.rs index e6f92ff492d..3be081f42d3 100644 --- a/mirrord/layer/src/socket/ops.rs +++ b/mirrord/layer/src/socket/ops.rs @@ -129,6 +129,10 @@ pub(super) fn socket(domain: c_int, type_: c_int, protocol: c_int) -> Detour Detour let addr = requested_address.ip(); let port = requested_address.port(); - let canonical_address = addr.to_canonical(); - - let address = if canonical_address.is_loopback() || canonical_address.is_unspecified() { + let address = if addr.is_loopback() || addr.is_unspecified() { *requested_address } else if addr.is_ipv4() { SocketAddr::new(IpAddr::V4(Ipv4Addr::LOCALHOST), port) @@ -255,7 +257,7 @@ pub(super) fn bind( // we don't use `is_localhost` here since unspecified means to listen // on all IPs. - if incoming_config.ignore_localhost && requested_address.ip().to_canonical().is_loopback() { + if incoming_config.ignore_localhost && requested_address.ip().is_loopback() { return Detour::Bypass(Bypass::IgnoreLocalhost(requested_port)); } @@ -566,11 +568,7 @@ pub(super) fn connect( ) -> Detour { let remote_address = SockAddr::try_from_raw(raw_address, address_length)?; let optional_ip_address = remote_address.as_socket(); - let is_ipv4_in_ipv6 = remote_address - .as_socket() - .as_ref() - .map(|addr| addr.ip().to_canonical().is_ipv6()) - .unwrap_or(false); + let unix_streams = crate::setup().remote_unix_streams(); trace!("in connect {:#?}", SOCKETS); 
@@ -587,7 +585,7 @@ pub(super) fn connect( .family() .map(|family| family as i32) .unwrap_or(-1); - if domain != libc::AF_INET && domain != libc::AF_UNIX && !is_ipv4_in_ipv6 { + if domain != libc::AF_INET && domain != libc::AF_UNIX { return Detour::Bypass(Bypass::Domain(domain)); } // I really hate it, but nix seems to really make this API bad :() @@ -609,9 +607,8 @@ pub(super) fn connect( return Detour::Success(connect_result); } - let canonical_ip = ip_address.ip().to_canonical(); - - if canonical_ip.is_loopback() || canonical_ip.is_unspecified() { + let ip = ip_address.ip(); + if ip.is_loopback() || ip.is_unspecified() { if let Some(result) = connect_to_local_address(sockfd, &user_socket_info, ip_address)? { // `result` here is always a success, as error and bypass are returned on the `?` // above. diff --git a/mirrord/protocol/Cargo.toml b/mirrord/protocol/Cargo.toml index c6e954f0f38..f05fc0835e3 100644 --- a/mirrord/protocol/Cargo.toml +++ b/mirrord/protocol/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "mirrord-protocol" -version = "1.11.1" +version = "1.11.2" authors.workspace = true description.workspace = true documentation.workspace = true diff --git a/mirrord/protocol/src/outgoing.rs b/mirrord/protocol/src/outgoing.rs index 2614aac0052..dedfa099b7b 100644 --- a/mirrord/protocol/src/outgoing.rs +++ b/mirrord/protocol/src/outgoing.rs @@ -83,11 +83,6 @@ impl TryFrom for SocketAddress { fn try_from(addr: OsSockAddr) -> Result { addr.as_socket() - .map(|mut socket_addr| { - // convert ipv4 in ipv6 to ipv4 - socket_addr.set_ip(socket_addr.ip().to_canonical()); - socket_addr - }) .map(SocketAddress::Ip) .or_else(|| { addr.as_pathname() From 2ad2a5aeaa96676a6bdc0f45999b517a9d9972fe Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Micha=C5=82=20Smolarek?= <34063647+Razz4780@users.noreply.github.com> Date: Mon, 14 Oct 2024 14:21:50 +0200 Subject: [PATCH 5/5] 3.120.1 (#2839) --- CHANGELOG.md | 13 +++++ Cargo.lock | 56 +++++++++---------- Cargo.toml | 2 +- changelog.d/+add-missing-analytics.changed.md | 1 - changelog.d/+bump-github-actions.internal.md | 1 - changelog.d/+update-dependencies.changed.md | 1 - changelog.d/2601.added.md | 1 - changelog.d/2817.fixed.md | 1 - changelog.d/2827.fixed.md | 1 - changelog.d/2836.fixed.md | 1 - 10 files changed, 42 insertions(+), 36 deletions(-) delete mode 100644 changelog.d/+add-missing-analytics.changed.md delete mode 100644 changelog.d/+bump-github-actions.internal.md delete mode 100644 changelog.d/+update-dependencies.changed.md delete mode 100644 changelog.d/2601.added.md delete mode 100644 changelog.d/2817.fixed.md delete mode 100644 changelog.d/2827.fixed.md delete mode 100644 changelog.d/2836.fixed.md diff --git a/CHANGELOG.md b/CHANGELOG.md index 002686ed8c2..362ba2701a9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,19 @@ This project uses [*towncrier*](https://towncrier.readthedocs.io/) and the chang +## [3.120.1](https://github.com/metalbear-co/mirrord/tree/3.120.1) - 2024-10-14 + + +### Removed + +- Remove support for IPv6 sockets with mirrord. + [#2836](https://github.com/metalbear-co/mirrord/issues/2836) + + +### Internal + +- Update github actions dependencies + ## [3.120.0](https://github.com/metalbear-co/mirrord/tree/3.120.0) - 2024-10-13 diff --git a/Cargo.lock b/Cargo.lock index d9e130083b7..423700a28e3 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2354,7 +2354,7 @@ dependencies = [ [[package]] name = "fileops" -version = "3.120.0" +version = "3.120.1" dependencies = [ "libc", ] @@ -3373,7 +3373,7 @@ checksum = "7943c866cc5cd64cbc25b2e01621d07fa8eb2a1a23160ee81ce38704e97b8ecf" [[package]] name = "issue1317" -version = "3.120.0" +version = "3.120.1" dependencies = [ "actix-web", "env_logger 0.11.5", 
@@ -3383,7 +3383,7 @@ dependencies = [ [[package]] name = "issue1776" -version = "3.120.0" +version = "3.120.1" dependencies = [ "errno 0.3.9", "libc", @@ -3392,7 +3392,7 @@ dependencies = [ [[package]] name = "issue1776portnot53" -version = "3.120.0" +version = "3.120.1" dependencies = [ "libc", "socket2", @@ -3400,14 +3400,14 @@ dependencies = [ [[package]] name = "issue1899" -version = "3.120.0" +version = "3.120.1" dependencies = [ "libc", ] [[package]] name = "issue2001" -version = "3.120.0" +version = "3.120.1" dependencies = [ "libc", ] @@ -3739,7 +3739,7 @@ checksum = "78b3ae25bc7c8c38cec158d1f2757ee79e9b3740fbc7ccf0e59e4b08d793fa89" [[package]] name = "listen_ports" -version = "3.120.0" +version = "3.120.1" [[package]] name = "local-channel" @@ -3977,7 +3977,7 @@ checksum = "c9be0862c1b3f26a88803c4a49de6889c10e608b3ee9344e6ef5b45fb37ad3d1" [[package]] name = "mirrord" -version = "3.120.0" +version = "3.120.1" dependencies = [ "actix-codec", "clap", @@ -4032,7 +4032,7 @@ dependencies = [ [[package]] name = "mirrord-agent" -version = "3.120.0" +version = "3.120.1" dependencies = [ "actix-codec", "async-trait", @@ -4089,7 +4089,7 @@ dependencies = [ [[package]] name = "mirrord-analytics" -version = "3.120.0" +version = "3.120.1" dependencies = [ "assert-json-diff", "base64 0.22.1", @@ -4103,7 +4103,7 @@ dependencies = [ [[package]] name = "mirrord-auth" -version = "3.120.0" +version = "3.120.1" dependencies = [ "bcder", "chrono", @@ -4124,7 +4124,7 @@ dependencies = [ [[package]] name = "mirrord-config" -version = "3.120.0" +version = "3.120.1" dependencies = [ "bimap", "bitflags 2.6.0", @@ -4147,7 +4147,7 @@ dependencies = [ [[package]] name = "mirrord-config-derive" -version = "3.120.0" +version = "3.120.1" dependencies = [ "proc-macro2", "proc-macro2-diagnostics", @@ -4157,7 +4157,7 @@ dependencies = [ [[package]] name = "mirrord-console" -version = "3.120.0" +version = "3.120.1" dependencies = [ "bincode", "drain", 
@@ -4173,7 +4173,7 @@ dependencies = [ [[package]] name = "mirrord-intproxy" -version = "3.120.0" +version = "3.120.1" dependencies = [ "bytes", "futures", @@ -4200,7 +4200,7 @@ dependencies = [ [[package]] name = "mirrord-intproxy-protocol" -version = "3.120.0" +version = "3.120.1" dependencies = [ "bincode", "mirrord-protocol", @@ -4210,7 +4210,7 @@ dependencies = [ [[package]] name = "mirrord-kube" -version = "3.120.0" +version = "3.120.1" dependencies = [ "actix-codec", "async-stream", @@ -4240,7 +4240,7 @@ dependencies = [ [[package]] name = "mirrord-layer" -version = "3.120.0" +version = "3.120.1" dependencies = [ "actix-codec", "base64 0.22.1", @@ -4289,7 +4289,7 @@ dependencies = [ [[package]] name = "mirrord-layer-macro" -version = "3.120.0" +version = "3.120.1" dependencies = [ "proc-macro2", "quote", @@ -4298,7 +4298,7 @@ dependencies = [ [[package]] name = "mirrord-macros" -version = "3.120.0" +version = "3.120.1" dependencies = [ "proc-macro2", "proc-macro2-diagnostics", @@ -4308,7 +4308,7 @@ dependencies = [ [[package]] name = "mirrord-operator" -version = "3.120.0" +version = "3.120.1" dependencies = [ "base64 0.22.1", "bincode", @@ -4342,7 +4342,7 @@ dependencies = [ [[package]] name = "mirrord-progress" -version = "3.120.0" +version = "3.120.1" dependencies = [ "enum_dispatch", "indicatif", @@ -4376,7 +4376,7 @@ dependencies = [ [[package]] name = "mirrord-sip" -version = "3.120.0" +version = "3.120.1" dependencies = [ "apple-codesign", "object 0.36.5", @@ -4389,7 +4389,7 @@ dependencies = [ [[package]] name = "mirrord-vpn" -version = "3.120.0" +version = "3.120.1" dependencies = [ "futures", "ipnet", @@ -4719,7 +4719,7 @@ dependencies = [ [[package]] name = "outgoing" -version = "3.120.0" +version = "3.120.1" [[package]] name = "outref" 
@@ -5772,14 +5772,14 @@ dependencies = [ [[package]] name = "rust-bypassed-unix-socket" -version = "3.120.0" +version = "3.120.1" dependencies = [ "tokio", ] [[package]] name = "rust-e2e-fileops" -version = "3.120.0" +version = "3.120.1" dependencies = [ "libc", ] @@ -5795,7 +5795,7 @@ dependencies = [ [[package]] name = "rust-unix-socket-client" -version = "3.120.0" +version = "3.120.1" dependencies = [ "tokio", ] diff --git a/Cargo.toml b/Cargo.toml index 45a3ecaabb9..4f69ffdb38e 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -26,7 +26,7 @@ resolver = "2" # latest commits on rustls suppress certificate verification [workspace.package] -version = "3.120.0" +version = "3.120.1" edition = "2021" license = "MIT" readme = "README.md" diff --git a/changelog.d/+add-missing-analytics.changed.md b/changelog.d/+add-missing-analytics.changed.md deleted file mode 100644 index a2d12ac574b..00000000000 --- a/changelog.d/+add-missing-analytics.changed.md +++ /dev/null @@ -1 +0,0 @@ -Add analytics about usage of experimental features \ No newline at end of file diff --git a/changelog.d/+bump-github-actions.internal.md b/changelog.d/+bump-github-actions.internal.md deleted file mode 100644 index 0423a29756c..00000000000 --- a/changelog.d/+bump-github-actions.internal.md +++ /dev/null @@ -1 +0,0 @@ -Update github actions dependencies \ No newline at end of file diff --git a/changelog.d/+update-dependencies.changed.md b/changelog.d/+update-dependencies.changed.md deleted file mode 100644 index 3181f593ee0..00000000000 --- a/changelog.d/+update-dependencies.changed.md +++ /dev/null @@ -1 +0,0 @@ -update dependencies \ No newline at end of file diff --git a/changelog.d/2601.added.md b/changelog.d/2601.added.md deleted file mode 100644 index 57c69e07942..00000000000 --- a/changelog.d/2601.added.md +++ /dev/null @@ -1 +0,0 @@ -Added Kafka splitting feature. diff --git a/changelog.d/2817.fixed.md b/changelog.d/2817.fixed.md deleted file mode 100644 index 519361f9c08..00000000000 
--- a/changelog.d/2817.fixed.md
+++ /dev/null
@@ -1 +0,0 @@
-Fixed a bug where `all_of` and `any_of` HTTP filters were stealing all HTTP traffic.
\ No newline at end of file
diff --git a/changelog.d/2827.fixed.md b/changelog.d/2827.fixed.md
deleted file mode 100644
index 392db10e2a2..00000000000
--- a/changelog.d/2827.fixed.md
+++ /dev/null
@@ -1 +0,0 @@
-Handle IPv4 in IPv6, should help with regressions related to allowing AF_INET6
\ No newline at end of file
diff --git a/changelog.d/2836.fixed.md b/changelog.d/2836.fixed.md
deleted file mode 100644
index b02c553ce0b..00000000000
--- a/changelog.d/2836.fixed.md
+++ /dev/null
@@ -1 +0,0 @@
-Disallow using IPv6 sockets with mirrord.