1519198773 N * Bertl_zZ Bertl
1519198780 M * Bertl morning folks!
1519200065 M * Ghislain1 hi bertl
1519200441 M * Ghislain1 I don't know if you saw, I have found a leakage of IP in the guests
1519200467 M * Ghislain1 https://pastebin.com/raw/2Mr5htfn seems to come from ip route
1519200483 M * Ghislain1 the guest sees the main IP on the interface
1519200641 M * Ghislain1 I tried to find in the ip source code where it gets it but could not find it
1519200848 M * Bertl check with 'strace -fF' where ip route list gets the information from
1519200935 M * Bertl but actually, what is the 'leak'?
1519200987 M * Bertl 213.246.51.145 seems to be assigned to the guest and the default route seems fine to me as well
1519201270 M * Ghislain1 when I use facter it lists the 2 IPs
1519201286 M * Ghislain1 the 145 is the host one, not the guest one
1519201295 M * Ghislain1 the guest runs on .208
1519201340 M * Ghislain1 so ideally it should not see the 245, no?
1519201427 M * Ghislain1 why does ip route show "unicast 213.246.51.0/24 dev eth0  proto kernel  scope link  src 213.246.51.145", the src with the IP of the host here?
1519201483 M * Bertl so why is it listed as 'address' in the guest config?
1519201525 M * Ghislain1 that's facter that detects it, this is the output of facter.networking
1519201537 M * Ghislain1 I mean facter networking
1519201560 M * Ghislain1 https://puppet.com/docs/facter/3.10/index.html
1519201564 M * Bertl aha, so it is not assigned to the guest in any way?
1519201577 M * Ghislain1 in the code it seems it comes from a /bin/ip request that it finds it
1519201581 M * Ghislain1 no
1519201606 M * Ghislain1 the guest has its own IP, the host another one, the 145
1519201615 M * Bertl okay, then check 'ip route list' with strace and see where the 213.246.51.145 comes from
1519201642 M * Bertl note that it might be necessary to have that route if it is the only one which applies to 213.246.51.208
1519201656 M * Bertl otherwise you will disable networking for that IP completely
1519201891 M * Ghislain1 https://pastebin.com/raw/yTzpXqgu, yes this is the route but this seems odd that it detects it as an IP
1519201903 M * Ghislain1 I don't see a call that reads this IP
1519201936 M * Ghislain1 it does a getsockname on itself
1519201961 M * Ghislain1 and reads /proc/net/unix but there is no route info there
1519202129 M * Ghislain1 the facter output is odd because the host IP appears in added address on eth0 but it also appears as an IPv6 which it is not
1519202143 M * Bertl it's the SIOCGIFNAME
1519202350 M * Bertl the routing information comes from the NETLINK socket
1519202378 M * Bertl I'm curious why your guest is allowed to create a raw socket
1519202392 M * Bertl socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_ROUTE) = 3
1519202476 M * Bertl what kernel is that?
1519202494 M * Ghislain1 https://pastebin.com/raw/4NBmwjeB 4.9.80-vs2.3.9.7aq
1519202629 M * Bertl what's state_admin ?
1519202641 M * Ghislain1 I don't know at all
1519202658 M * Ghislain1 I created this list by taking the default ones used when putting nothing
1519202665 M * Ghislain1 and adding the ones I needed
1519202701 M * Ghislain1 I will remove them and restart the guest
1519202770 M * Bertl daniel_hozac: btw, the links from the flower page end up on the wiki as it seems
1519202777 M * Ghislain1 but it was 10 years ago, never touched them since :)
1519202783 M * Bertl daniel_hozac: (e.g. cflags or so)
1519202845 M * Ghislain1 same thing with empty cflags and such
1519202887 M * Ghislain1 so this could be that a capability is not limited for raw sockets?
1519202928 M * Bertl it's probably designed that way but I'm checking now
1519203461 M * Ghislain1 netcap says I have full capabilities
1519203576 M * Ghislain1 but ip addr add fails
1519203631 M * Ghislain1 CAP_NET_RAW, perhaps this is a new one?
1519203762 M * Ghislain1 no, it's not
1519207621 M * Ghislain1 seems that guests have this capability by default. not sure if this is really needed for basic guest operations
1519209043 M * Bertl https://gist.github.com/cl4u2/5204374
1519209059 M * Bertl can you test if this reports similar information?
1519210720 M * Bertl off for now ... bbl
1519210721 N * Bertl Bertl_oO
1519211261 M * Ghislain1 yes I will try it, sorry, phone calls etc...
1519211351 M * Ghislain1 https://pastebin.com/raw/nAeZzeWV
1519211536 M * Ghislain1 https://pastebin.com/rvRM3FQc
1519244231 M * Guy- Ghislain, Bertl_oO: ping needs cap_net_raw -- if you remove it from a guest, the guest won't be able to use ping anymore
1519244242 M * Guy- I think it's sensible to grant cap_net_raw by default
1519244289 M * Bertl_oO there is an exception for icmp sockets for this reason
1519244318 M * Bertl_oO besides, ping is one of the worst tools to check connectivity nowadays :)
1519244360 M * Guy- that's a fair point, but it's still one of the most basic network diagnostic tools
1519244368 M * Bertl_oO anyway, the problem is not the raw netlink socket, the problem is the data extracted from the kernel this way
1519244434 M * Guy- I think this is expected behaviour if the guest doesn't have its own network namespace
1519244477 M * Guy- just "ip ro sh" will reveal a number of host IPs if the host has any routes with "src ip.add.re.ss"
1519244493 M * Guy- ("ip ro sh" in the guest will reveal host IPs)
1519244516 M * Guy- otoh, isolation could probably be improved further?
1519244561 M * Guy- it's unclear what the "right" behaviour would be
1519244654 M * Guy- perhaps the kernel could be instructed to hide all routes not tagged with a specific realm from the guest?
1519244933 M * Bertl_oO the routes are never tagged with a guest nid
1519244951 M * AlexanderS The "specific realm" should be that routes with a src address not assigned to the guest shouldn't be visible. There shouldn't be a case where this would be required, or am I missing something?
1519244960 M * Bertl_oO but it should be doable to hide routes with source IPs not belonging to the guest
1519244974 M * Bertl_oO yes, exactly
1519245024 M * Bertl_oO the only problem so far is that I haven't found the location where the information is assembled yet :)
1519245061 M * Bertl_oO so if you know where the NETLINK_ROUTE datagrams are assembled, please let me know :)
1519245216 M * Bertl_oO btw, network namespaces have a special netlink_capable capability ... we could do the same
1519245301 M * Guy- Bertl_oO: "realm" is a tag you can attach to routes, and it could be abused/co-opted for vserver (it's rarely used otherwise)
1519245358 M * Guy- if you hide routes with source IPs not belonging to the guest, all my guests will lose internet connectivity :)
1519245380 M * Bertl_oO the routing would still work, just the routes would not be shown
1519245398 M * Guy- ah
1519245403 M * Bertl_oO and if you set up your routes properly (i.e. without src IPs from the host) you would also see the right ones
1519245434 M * Guy- yes, just hiding them from "ip ro sh" output would work
1519248886 M * Aiken a case for netns? Which playing with is on my todo now I have a newer kernel.
1519248925 M * Aiken after reading that I had a look and from a guest I see the host's IPv4 and nothing I recognize from the host with IPv6
1519257094 M * Bertl_oO off to bed now ... have a good one everyone!
1519257095 N * Bertl_oO Bertl_zZ