net/pasta: control inbound traffic

robertswiecki · robertswiecki · commit 624ddc6356e2 · 2025-11-23T15:12:01.000+01:00
diff --git a/cmdline.cc b/cmdline.cc
@@ -535,7 +535,8 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
 	nsjconf->iface_vs_mo = "private";
 	nsjconf->disable_tsc = false;
 	nsjconf->forward_signals = false;
-	nsjconf->use_pasta = false;
+	nsjconf->user_net.use_pasta = false;
+	nsjconf->user_net.inbound = false;
 	nsjconf->user_net.ip = "10.0.0.2";
 	nsjconf->user_net.mask = "255.255.255.0";
 	nsjconf->user_net.gw = "10.0.0.1";
@@ -757,7 +758,7 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
 			addEnv(nsjconf.get(), optarg);
 			break;
 		case 0x709:
-			nsjconf->use_pasta = true;
+			nsjconf->user_net.use_pasta = true;
 			break;
 		case 'u': {
 			std::vector<std::string> subopts = util::strSplit(optarg, ':');
diff --git a/config.cc b/config.cc
@@ -285,7 +285,8 @@ static bool parseInternal(nsjconf_t* nsjconf, const nsjail::NsJailConfig& njc) {
 	nsjconf->forward_signals = njc.forward_signals();
 
 	if (njc.has_user_net()) {
-		nsjconf->use_pasta = njc.user_net().enable();
+		nsjconf->user_net.use_pasta = njc.user_net().enable();
+		nsjconf->user_net.inbound = njc.user_net().inbound();
 		nsjconf->user_net.ip = njc.user_net().ip();
 		nsjconf->user_net.mask = njc.user_net().mask();
 		nsjconf->user_net.gw = njc.user_net().gw();
diff --git a/config.proto b/config.proto
@@ -277,13 +277,14 @@ message NsJailConfig {
 
 	message UserNet {
 		optional bool enable = 1 [default = false];
-		optional string ip = 2 [default = "10.0.0.2"];
-		optional string mask = 3 [default = "255.255.255.0"];
-		optional string gw = 4 [default = "10.0.0.1"];
-		optional string ip6 = 5 [default = "fc00::2"];
-		optional string mask6 = 6 [default = "64"];
-		optional string gw6 = 7 [default = "fc00::1"];
-		optional string ns_iface = 8 [default = "eth0"];
+		optional bool inbound = 2 [default = false];
+		optional string ip = 3 [default = "10.0.0.2"];
+		optional string mask = 4 [default = "255.255.255.0"];
+		optional string gw = 5 [default = "10.0.0.1"];
+		optional string ip6 = 6 [default = "fc00::2"];
+		optional string mask6 = 7 [default = "64"];
+		optional string gw6 = 8 [default = "fc00::1"];
+		optional string ns_iface = 9 [default = "eth0"];
 	}
 	optional UserNet user_net = 96;
 }
diff --git a/configs/bash-with-fake-geteuid.cfg b/configs/bash-with-fake-geteuid.cfg
@@ -63,6 +63,7 @@ clone_newcgroup: true
 
 user_net {
         enable: true
+	inbound: true
 }
 
 uidmap {
diff --git a/configs/znc-with-net.cfg b/configs/znc-with-net.cfg
@@ -30,6 +30,7 @@ rlimit_nofile: 128
 clone_newnet: true
 user_net {
 	enable: true
+	inbound: true
 }
 
 mount {
diff --git a/net.cc b/net.cc
@@ -191,7 +191,14 @@ static bool spawnPasta(nsjconf_t* nsjconf, int pid) {
 		argv.push_back("-f");
 		argv.push_back("-q");
 
-		if (!nsjconf->user_net.ip.empty()) {
+		if (!nsjconf->user_net.inbound) {
+			argv.push_back("-t");
+			argv.push_back("none");
+		}
+
+		if (nsjconf->user_net.ip.empty()) {
+			argv.push_back("-6");
+		} else {
 			argv.push_back("-a");
 			argv.push_back(nsjconf->user_net.ip.c_str());
 			if (!nsjconf->user_net.mask.empty()) {
@@ -204,7 +211,9 @@ static bool spawnPasta(nsjconf_t* nsjconf, int pid) {
 			}
 		}
 
-		if (!nsjconf->user_net.ip6.empty()) {
+		if (nsjconf->user_net.ip6.empty()) {
+			argv.push_back("-4");
+		} else {
 			argv.push_back("-a");
 			argv.push_back(nsjconf->user_net.ip6.c_str());
 
@@ -214,10 +223,6 @@ static bool spawnPasta(nsjconf_t* nsjconf, int pid) {
 			}
 		}
 
-		if (nsjconf->user_net.ip6.empty()) {
-			argv.push_back("-4");
-		}
-
 		if (!nsjconf->user_net.nsiface.empty()) {
 			argv.push_back("-I");
 			argv.push_back(nsjconf->user_net.nsiface.c_str());
@@ -253,7 +258,7 @@ static bool spawnPasta(nsjconf_t* nsjconf, int pid) {
 }
 
 bool initNsFromParent(nsjconf_t* nsjconf, int pid) {
-	if (nsjconf->use_pasta) {
+	if (nsjconf->user_net.use_pasta) {
 		if (!nsjconf->clone_newnet) {
 			LOG_E("Support for User-Mode Networking requested (pasta) but CLONE_NEWNET "
 			      "is not enabled");
diff --git a/nsjail.h b/nsjail.h
@@ -148,8 +148,9 @@ struct nsjconf_t {
 	std::string iface_vs_mo;
 	bool disable_tsc;
 	bool forward_signals;
-	bool use_pasta;
 	struct {
+		bool use_pasta;
+		bool inbound;
 		std::string ip;
 		std::string mask;
 		std::string gw;

Original file line number	Diff line number	Diff line change
`@@ -63,6 +63,7 @@ clone_newcgroup: true`
`63`	`63`
`64`	`64`	`user_net {`
`65`	`65`	`enable: true`
	`66`	`+ inbound: true`
`66`	`67`	`}`
`67`	`68`
`68`	`69`	`uidmap {`
Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,7 @@ rlimit_nofile: 128`
`30`	`30`	`clone_newnet: true`
`31`	`31`	`user_net {`
`32`	`32`	`enable: true`
	`33`	`+ inbound: true`
`33`	`34`	`}`
`34`	`35`
`35`	`36`	`mount {`