Add pesto support for dynamic port forwarding via pasta control socket

Fixes: https://redhat.atlassian.net/browse/RUN-2214
Fixes: containers/podman#8193
Fixes: https://redhat.atlassian.net/browse/RUN-3587

Signed-off-by: Jan Rodák <hony.com@seznam.cz>

Author: Honny1

common/libnetwork/internal/rootlessnetns/netns_linux.go

@@ -40,6 +40,11 @@ const (
 	// rootlessNetNsConnPidFile is the name of the rootless netns slirp4netns/pasta pid file.
 	rootlessNetNsConnPidFile = "rootless-netns-conn.pid"
 
+	// pestoSocketFile is the name of the UNIX domain socket file used by
+	// pesto to communicate with the running pasta instance. Pasta is started
+	// with "-c <socketPath>" to enable this control channel.
+	pestoSocketFile = "pasta.sock"
+
 	tmpfs          = "tmpfs"
 	none           = "none"
 	resolvConfName = "resolv.conf"
@@ -197,11 +202,12 @@ func (n *Netns) cleanup() error {
 
 func (n *Netns) setupPasta(nsPath string) error {
 	pidPath := n.getPath(rootlessNetNsConnPidFile)
+	socketPath := n.getPath(pestoSocketFile)
 
 	pastaOpts := pasta.SetupOptions{
 		Config:       n.config,
 		Netns:        nsPath,
-		ExtraOptions: []string{"--pid", pidPath},
+		ExtraOptions: []string{"--pid", pidPath, "-c", socketPath},
 	}
 	res, err := pasta.Setup(&pastaOpts)
 	if err != nil {
@@ -235,9 +241,10 @@ func (n *Netns) setupPasta(nsPath string) error {
 	}
 
 	n.info = &types.RootlessNetnsInfo{
-		IPAddresses:   res.IPAddresses,
-		DnsForwardIps: res.DNSForwardIPs,
-		MapGuestIps:   res.MapGuestAddrIPs,
+		IPAddresses:     res.IPAddresses,
+		DnsForwardIps:   res.DNSForwardIPs,
+		MapGuestIps:     res.MapGuestAddrIPs,
+		PestoSocketPath: socketPath,
 	}
 	if err := n.serializeInfo(); err != nil {
 		return wrapError("serialize info", err)

common/libnetwork/pasta/pesto_linux.go

@@ -0,0 +1,139 @@
+// Pesto client for dynamic port forwarding on a running pasta instance.
+//
+// Pesto updates pasta's forwarding table via a UNIX domain socket (-c).
+// Used by rootless bridge networking: pesto replaces the full table with
+// the aggregate ports of all running bridge containers on each change.
+//
+// Limitations:
+//   - Full table replacement only (no incremental add/delete yet)
+//   - IPv4 only (netavark DNAT is IPv4; IPv6 bindings cause RST)
+//   - TCP and UDP only (SCTP is silently skipped)
+//   - Brief forwarding gap during replacement with many containers
+
+package pasta
+
+import (
+	"errors"
+	"fmt"
+	"os/exec"
+	"strings"
+
+	"github.com/sirupsen/logrus"
+	"go.podman.io/common/libnetwork/types"
+	"go.podman.io/common/pkg/config"
+)
+
+// TODO: When pesto gains --add, --clear, --delete flags, switch from full
+// table replacement to incremental updates.
+
+const PestoBinaryName = "pesto"
+
+// PestoSetupPorts adds port forwarding rules for a container to the shared
+// pasta instance. allPorts must include ports from all bridge containers
+// (including the new one) because pesto replaces the entire table.
+func PestoSetupPorts(conf *config.Config, socketPath string, allPorts []types.PortMapping) error {
+	if socketPath == "" {
+		return errors.New("pesto control socket not available")
+	}
+	logrus.Debugf("pesto: setting up port forwarding (%d total port mappings)", len(allPorts))
+	return pestoReplacePorts(conf, socketPath, allPorts)
+}
+
+// PestoTeardownPorts removes a container's port forwarding from the shared
+// pasta instance. remainingPorts should include ports from all bridge
+// containers EXCEPT the one being torn down.
+func PestoTeardownPorts(conf *config.Config, socketPath string, remainingPorts []types.PortMapping) error {
+	if socketPath == "" {
+		return nil
+	}
+	logrus.Debugf("pesto: tearing down port forwarding (%d remaining port mappings)", len(remainingPorts))
+	return pestoReplacePorts(conf, socketPath, remainingPorts)
+}
+
+// pestoReplacePorts invokes pesto to replace the forwarding table on the
+// running pasta instance reachable via socketPath. ports contains the full
+// set of port mappings that should be active after the call.
+func pestoReplacePorts(conf *config.Config, socketPath string, ports []types.PortMapping) error {
+	pestoPath, err := conf.FindHelperBinary(PestoBinaryName, true)
+	if err != nil {
+		return fmt.Errorf("could not find pesto binary: %w", err)
+	}
+
+	args := portMappingsToPestoArgs(ports)
+	args = append(args, socketPath)
+
+	logrus.Debugf("pesto arguments: %s", strings.Join(args, " "))
+
+	out, err := exec.Command(pestoPath, args...).CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("pesto failed: %w\noutput: %s", err, string(out))
+	}
+	if len(out) > 0 {
+		logrus.Debugf("pesto output: %s", strings.TrimSpace(string(out)))
+	}
+	return nil
+}
+
+// portMappingsToPestoArgs converts PortMappings into pesto CLI arguments.
+//
+// Pesto only forwards traffic from the host into the rootless netns. This
+// does NOT perform DNAT to the container. Netavark handles that inside the
+// netns. Therefore each mapping uses HostPort as both source and destination
+// (e.g. "-t 0.0.0.0/8080") so traffic arrives at the port netavark expects.
+func portMappingsToPestoArgs(ports []types.PortMapping) []string {
+	var args []string
+
+	hasTCP := false
+	hasUDP := false
+
+	for _, p := range ports {
+		// Netavark's DNAT rules use "dnat ip to" which only matches IPv4.
+		// Restrict pesto to the correct address family so pasta doesn't
+		// accept IPv6 connections that can't be DNAT'd (which causes RST).
+		addr := "0.0.0.0/"
+		if p.HostIP != "" {
+			if strings.Contains(p.HostIP, ":") {
+				addr = "[" + p.HostIP + "]/"
+			} else {
+				addr = p.HostIP + "/"
+			}
+		}
+
+		for protocol := range strings.SplitSeq(p.Protocol, ",") {
+			var flag string
+			switch protocol {
+			case "tcp":
+				flag = "-t"
+				hasTCP = true
+			case "udp":
+				flag = "-u"
+				hasUDP = true
+			default:
+				logrus.Warnf("pesto: unsupported protocol %q, skipping", protocol)
+				continue
+			}
+
+			portRange := p.Range
+			if portRange == 0 {
+				portRange = 1
+			}
+
+			var arg string
+			if portRange == 1 {
+				arg = fmt.Sprintf("%s%d", addr, p.HostPort)
+			} else {
+				arg = fmt.Sprintf("%s%d-%d", addr, p.HostPort, p.HostPort+portRange-1)
+			}
+			args = append(args, flag, arg)
+		}
+	}
+
+	if !hasTCP {
+		args = append(args, "-t", "none")
+	}
+	if !hasUDP {
+		args = append(args, "-u", "none")
+	}
+
+	return args
+}

common/libnetwork/pasta/pesto_linux_test.go

@@ -0,0 +1,156 @@
+package pasta
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"go.podman.io/common/libnetwork/types"
+)
+
+func Test_portMappingsToPestoArgs(t *testing.T) {
+	tests := []struct {
+		name  string
+		ports []types.PortMapping
+		want  []string
+	}{
+		{
+			name:  "no ports appends none for both protocols",
+			ports: nil,
+			want:  []string{"-t", "none", "-u", "none"},
+		},
+		{
+			name:  "empty slice same as nil",
+			ports: []types.PortMapping{},
+			want:  []string{"-t", "none", "-u", "none"},
+		},
+		{
+			name: "single tcp port defaults to 0.0.0.0",
+			ports: []types.PortMapping{
+				{HostPort: 8080, ContainerPort: 80, Protocol: "tcp", Range: 1},
+			},
+			want: []string{"-t", "0.0.0.0/8080", "-u", "none"},
+		},
+		{
+			name: "single udp port",
+			ports: []types.PortMapping{
+				{HostPort: 53, ContainerPort: 53, Protocol: "udp", Range: 1},
+			},
+			want: []string{"-u", "0.0.0.0/53", "-t", "none"},
+		},
+		{
+			name: "tcp and udp port",
+			ports: []types.PortMapping{
+				{HostPort: 80, ContainerPort: 80, Protocol: "tcp", Range: 1},
+				{HostPort: 53, ContainerPort: 53, Protocol: "udp", Range: 1},
+			},
+			want: []string{"-t", "0.0.0.0/80", "-u", "0.0.0.0/53"},
+		},
+		{
+			name: "dual protocol on single mapping",
+			ports: []types.PortMapping{
+				{HostPort: 80, ContainerPort: 80, Protocol: "tcp,udp", Range: 1},
+			},
+			want: []string{"-t", "0.0.0.0/80", "-u", "0.0.0.0/80"},
+		},
+		{
+			name: "port range expands to host port range",
+			ports: []types.PortMapping{
+				{HostPort: 8000, ContainerPort: 80, Protocol: "tcp", Range: 5},
+			},
+			want: []string{"-t", "0.0.0.0/8000-8004", "-u", "none"},
+		},
+		{
+			name: "range of zero treated as single port",
+			ports: []types.PortMapping{
+				{HostPort: 80, ContainerPort: 80, Protocol: "tcp", Range: 0},
+			},
+			want: []string{"-t", "0.0.0.0/80", "-u", "none"},
+		},
+		{
+			name: "range of two",
+			ports: []types.PortMapping{
+				{HostPort: 3000, ContainerPort: 3000, Protocol: "tcp", Range: 2},
+			},
+			want: []string{"-t", "0.0.0.0/3000-3001", "-u", "none"},
+		},
+		{
+			name: "explicit IPv4 host IP",
+			ports: []types.PortMapping{
+				{HostIP: "127.0.0.1", HostPort: 443, ContainerPort: 443, Protocol: "tcp", Range: 1},
+			},
+			want: []string{"-t", "127.0.0.1/443", "-u", "none"},
+		},
+		{
+			name: "IPv6 host IP gets brackets",
+			ports: []types.PortMapping{
+				{HostIP: "::1", HostPort: 8080, ContainerPort: 80, Protocol: "tcp", Range: 1},
+			},
+			want: []string{"-t", "[::1]/8080", "-u", "none"},
+		},
+		{
+			name: "full-form IPv6 host IP",
+			ports: []types.PortMapping{
+				{HostIP: "fd00::1", HostPort: 80, ContainerPort: 80, Protocol: "udp", Range: 1},
+			},
+			want: []string{"-u", "[fd00::1]/80", "-t", "none"},
+		},
+		{
+			name: "multiple tcp ports",
+			ports: []types.PortMapping{
+				{HostPort: 80, ContainerPort: 80, Protocol: "tcp", Range: 1},
+				{HostPort: 443, ContainerPort: 443, Protocol: "tcp", Range: 1},
+			},
+			want: []string{"-t", "0.0.0.0/80", "-t", "0.0.0.0/443", "-u", "none"},
+		},
+		{
+			name: "unsupported protocol is skipped",
+			ports: []types.PortMapping{
+				{HostPort: 80, ContainerPort: 80, Protocol: "sctp", Range: 1},
+			},
+			want: []string{"-t", "none", "-u", "none"},
+		},
+		{
+			name: "unsupported protocol mixed with valid",
+			ports: []types.PortMapping{
+				{HostPort: 80, ContainerPort: 80, Protocol: "tcp", Range: 1},
+				{HostPort: 90, ContainerPort: 90, Protocol: "sctp", Range: 1},
+			},
+			want: []string{"-t", "0.0.0.0/80", "-u", "none"},
+		},
+		{
+			name: "explicit host IP on udp",
+			ports: []types.PortMapping{
+				{HostIP: "10.0.0.1", HostPort: 3000, ContainerPort: 3000, Protocol: "udp", Range: 1},
+			},
+			want: []string{"-u", "10.0.0.1/3000", "-t", "none"},
+		},
+		{
+			name: "container port does not appear in args",
+			ports: []types.PortMapping{
+				{HostPort: 9090, ContainerPort: 3000, Protocol: "tcp", Range: 1},
+			},
+			want: []string{"-t", "0.0.0.0/9090", "-u", "none"},
+		},
+		{
+			name: "host IP with range",
+			ports: []types.PortMapping{
+				{HostIP: "10.0.0.1", HostPort: 3000, ContainerPort: 3000, Protocol: "udp", Range: 3},
+			},
+			want: []string{"-u", "10.0.0.1/3000-3002", "-t", "none"},
+		},
+		{
+			name: "range with dual protocol",
+			ports: []types.PortMapping{
+				{HostPort: 5000, ContainerPort: 5000, Protocol: "tcp,udp", Range: 3},
+			},
+			want: []string{"-t", "0.0.0.0/5000-5002", "-u", "0.0.0.0/5000-5002"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := portMappingsToPestoArgs(tt.ports)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}

common/libnetwork/types/network.go

@@ -361,6 +361,9 @@ type RootlessNetnsInfo struct {
 	DnsForwardIps []string
 	// MapGuestIps should be used for the host.containers.internal entry when set
 	MapGuestIps []string
+	// PestoSocketPath is the path to the pasta control socket for dynamic
+	// port forwarding via pesto. Empty when pasta was started without -c.
+	PestoSocketPath string
 }
 
 // FilterFunc can be passed to NetworkList to filter the networks.