mirror of
https://github.com/containers/podman.git
synced 2025-05-20 16:47:39 +08:00
e88d8dbeae
The rootlessport forwarder requires a child IP to be set. This must be a valid ip in the container network namespace. The problem is that after a network disconnect and connect the eth0 ip changed. Therefore the packages are dropped since the source ip does no longer exists in the netns. One solution is to set the child IP to 127.0.0.1, however this is a security problem. [1] To fix this we have to recreate the ports after network connect and disconnect. To make this work the rootlessport process exposes a socket where podman network connect/disconnect connect to and send to new child IP to rootlessport. The rootlessport process will remove all ports and recreate them with the new correct child IP. Also bump rootlesskit to v0.14.3 to fix a race with RemovePort(). Fixes #10052 [1] https://nvd.nist.gov/vuln/detail/CVE-2021-20199 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
859 B
859 B
% podman-network-disconnect(1)
NAME
podman-network-disconnect - Disconnect a container from a network
SYNOPSIS
podman network disconnect [options] network container
DESCRIPTION
Disconnects a container from a network. A container can be disconnected from a network by name or by ID.
If all networks are disconnected from the container, it will behave like a container created with --network=none
and it will longer have network connectivity until a network is connected again.
OPTIONS
--force, -f
Force the container to disconnect from a network
EXAMPLE
Disconnect a container named web from a network called test.
podman network disconnect test web
SEE ALSO
podman(1), podman-network(1), podman-network-connect(1)
HISTORY
November 2020, Originally compiled by Brent Baude bbaude@redhat.com