Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package rootlesskit for openSUSE:Factory checked in at 2026-06-23 17:36:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rootlesskit (Old) and /work/SRC/openSUSE:Factory/.rootlesskit.new.1956 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rootlesskit" Tue Jun 23 17:36:04 2026 rev:17 rq:1361003 version:3.0.1 Changes: -------- --- /work/SRC/openSUSE:Factory/rootlesskit/rootlesskit.changes 2026-05-06 19:18:12.601858516 +0200 +++ /work/SRC/openSUSE:Factory/.rootlesskit.new.1956/rootlesskit.changes 2026-06-23 17:36:41.561549869 +0200 @@ -1,0 +2,15 @@ +Mon Jun 22 05:09:35 UTC 2026 - Bharti Gautam <[email protected]> + +- Update to version 3.0.1: + * v3.0.1 + * CI: update test deps + * port/builtin: fix UDP forwarding for non-loopback clients (#592) + * net/gvisor-tap-vsock: allow 169.254.169.254 + * Build(deps): Bump golang.org/x/sys from 0.44.0 to 0.45.0 + * Build(deps): Bump github.com/containers/gvisor-tap-vsock + * docs/network.md: lxc-user-nic seems to work with detach-netns + * Build(deps): Bump golang.org/x/sys from 0.43.0 to 0.44.0 + * Build(deps): Bump github.com/Masterminds/semver/v3 from 3.4.0 to 3.5.0 + * v3.0.0+dev + +------------------------------------------------------------------- Old: ---- rootlesskit-3.0.0.tar.gz New: ---- rootlesskit-3.0.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rootlesskit.spec ++++++ --- /var/tmp/diff_new_pack.BY3JRy/_old 2026-06-23 17:36:43.065602277 +0200 +++ /var/tmp/diff_new_pack.BY3JRy/_new 2026-06-23 17:36:43.065602277 +0200 @@ -17,7 +17,7 @@ Name: rootlesskit -Version: 3.0.0 +Version: 3.0.1 Release: 0 Summary: Linux-native fakeroot using user namespaces License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.BY3JRy/_old 2026-06-23 17:36:43.109603811 +0200 +++ /var/tmp/diff_new_pack.BY3JRy/_new 2026-06-23 17:36:43.113603950 +0200 
@@ -4,7 +4,7 @@ <param name="url">https://github.com/rootless-containers/rootlesskit.git</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v3.0.0</param> + <param name="revision">v3.0.1</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">enable</param> <param name="versionrewrite-pattern">v(.*)</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.BY3JRy/_old 2026-06-23 17:36:43.145605065 +0200 +++ /var/tmp/diff_new_pack.BY3JRy/_new 2026-06-23 17:36:43.149605205 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/rootless-containers/rootlesskit.git</param> - <param name="changesrevision">01885f675def8cf9202791b7e3517cdad52bf837</param></service></servicedata> + <param name="changesrevision">260440d268ce4b506df7859be6baf845749c0be3</param></service></servicedata> (No newline at EOF) ++++++ rootlesskit-3.0.0.tar.gz -> rootlesskit-3.0.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rootlesskit-3.0.0/Dockerfile new/rootlesskit-3.0.1/Dockerfile --- old/rootlesskit-3.0.0/Dockerfile 2026-04-09 21:00:30.000000000 +0200 +++ new/rootlesskit-3.0.1/Dockerfile 2026-05-27 11:33:09.000000000 +0200 @@ -1,10 +1,10 @@ ARG GO_VERSION=1.25 ARG UBUNTU_VERSION=24.04 ARG SHADOW_VERSION=4.17.4 -ARG SLIRP4NETNS_VERSION=v1.3.3 +ARG SLIRP4NETNS_VERSION=v1.3.4 ARG VPNKIT_VERSION=0.6.0 ARG PASST_VERSION=2026_01_20.386b5f5 -ARG DOCKER_VERSION=29.3.1 +ARG DOCKER_VERSION=29.5.2 ARG DOCKER_CHANNEL=stable FROM golang:${GO_VERSION}-alpine AS build diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rootlesskit-3.0.0/README.md new/rootlesskit-3.0.1/README.md --- old/rootlesskit-3.0.0/README.md 2026-04-09 21:00:30.000000000 +0200 +++ new/rootlesskit-3.0.1/README.md 2026-05-27 11:33:09.000000000 +0200 
@@ -216,7 +216,7 @@ Port: --port-driver value port driver for non-host network. [none, implicit (for pasta), builtin, slirp4netns, gvisor-tap-vsock(experimental)] (default: "none") --publish value, -p value [ --publish value, -p value ] publish ports. e.g. "127.0.0.1:8080:80/tcp" - --source-ip-transparent preserve real client source IP using IP_TRANSPARENT (builtin port driver) (default: true) + --source-ip-transparent preserve real client source IP using IP_TRANSPARENT (builtin port driver, TCP only) (default: true) Process: --pidns create a PID namespace (default: false) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rootlesskit-3.0.0/cmd/rootlesskit/main.go new/rootlesskit-3.0.1/cmd/rootlesskit/main.go --- old/rootlesskit-3.0.0/cmd/rootlesskit/main.go 2026-04-09 21:00:30.000000000 +0200 +++ new/rootlesskit-3.0.1/cmd/rootlesskit/main.go 2026-05-27 11:33:09.000000000 +0200 @@ -206,7 +206,7 @@ }, CategoryPort), Categorize(&cli.BoolFlag{ Name: "source-ip-transparent", - Usage: "preserve real client source IP using IP_TRANSPARENT (builtin port driver)", + Usage: "preserve real client source IP using IP_TRANSPARENT (builtin port driver, TCP only)", Value: true, }, CategoryPort), Categorize(&cli.BoolFlag{ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rootlesskit-3.0.0/docs/network.md new/rootlesskit-3.0.1/docs/network.md --- old/rootlesskit-3.0.0/docs/network.md 2026-04-09 21:00:30.000000000 +0200 +++ new/rootlesskit-3.0.1/docs/network.md 2026-05-27 11:33:09.000000000 +0200 
@@ -190,7 +190,6 @@ * Less secure * Needs `/etc/lxc/lxc-usernet` configuration * No support for IPv6. -* No support for `--detach-netns` To use `lxc-user-nic`, you need to install `liblxc-common` package: ```console diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rootlesskit-3.0.0/docs/port.md new/rootlesskit-3.0.1/docs/port.md --- old/rootlesskit-3.0.0/docs/port.md 2026-04-09 21:00:30.000000000 +0200 +++ new/rootlesskit-3.0.1/docs/port.md 2026-05-27 11:33:09.000000000 +0200 @@ -7,7 +7,7 @@ | `--port-driver` | Throughput | Source IP | Notes |----------------------|-------------|----------|------- | `slirp4netns` | 8.03 Gbps | Propagated | -| `builtin` | 29.9 Gbps | Propagated (since v3.0) | In the case of Rootless Docker, userland-proxy has to be disabled for propagating the source IP. +| `builtin` | 29.9 Gbps | Propagated for TCP (since v3.0) | Source IP propagation (`--source-ip-transparent`) applies to TCP only; UDP is not propagated. In the case of Rootless Docker, userland-proxy has to be disabled for propagating the source IP. | `implicit` | 37.6 Gbps | Propagated | Requires `pasta` network | `gvisor-tap-vsock` (Experimental) | 3.83 Gbps | Not propagated | Throughput is currently limited; see issue link below for improvement ideas. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rootlesskit-3.0.0/go.mod new/rootlesskit-3.0.1/go.mod --- old/rootlesskit-3.0.0/go.mod 2026-04-09 21:00:30.000000000 +0200 +++ new/rootlesskit-3.0.1/go.mod 2026-05-27 11:33:09.000000000 +0200 @@ -3,9 +3,9 @@ go 1.25.0 require ( - github.com/Masterminds/semver/v3 v3.4.0 + github.com/Masterminds/semver/v3 v3.5.0 github.com/containernetworking/plugins v1.9.1 - github.com/containers/gvisor-tap-vsock v0.8.8 + github.com/containers/gvisor-tap-vsock v0.8.9 github.com/gofrs/flock v0.13.0 github.com/google/uuid v1.6.0 github.com/gorilla/mux v1.8.1 
@@ -16,13 +16,13 @@ github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8 github.com/urfave/cli/v2 v2.27.7 golang.org/x/sync v0.20.0 - golang.org/x/sys v0.43.0 + golang.org/x/sys v0.45.0 gotest.tools/v3 v3.5.2 ) require ( github.com/Microsoft/go-winio v0.6.2 // indirect - github.com/apparentlymart/go-cidr v1.1.0 // indirect + github.com/apparentlymart/go-cidr v1.1.1 // indirect github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect github.com/google/btree v1.1.3 // indirect github.com/google/go-cmp v0.7.0 // indirect @@ -33,10 +33,10 @@ github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect github.com/xrash/smetrics v0.0.0-20250705151800-55b8f293f342 // indirect - golang.org/x/crypto v0.47.0 // indirect - golang.org/x/mod v0.32.0 // indirect - golang.org/x/net v0.49.0 // indirect + golang.org/x/crypto v0.50.0 // indirect + golang.org/x/mod v0.35.0 // indirect + golang.org/x/net v0.53.0 // indirect golang.org/x/time v0.13.0 // indirect - golang.org/x/tools v0.41.0 // indirect + golang.org/x/tools v0.43.0 // indirect gvisor.dev/gvisor v0.0.0-20240916094835-a174eb65023f // indirect ) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rootlesskit-3.0.0/go.sum new/rootlesskit-3.0.1/go.sum --- old/rootlesskit-3.0.0/go.sum 2026-04-09 21:00:30.000000000 +0200 +++ new/rootlesskit-3.0.1/go.sum 2026-05-27 11:33:09.000000000 +0200 
@@ -1,16 +1,16 @@ -github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0= -github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= +github.com/Masterminds/semver/v3 v3.5.0 h1:kQceYJfbupGfZOKZQg0kou0DgAKhzDg2NZPAwZ/2OOE= +github.com/Masterminds/semver/v3 v3.5.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= -github.com/apparentlymart/go-cidr v1.1.0 h1:2mAhrMoF+nhXqxTzSZMUzDHkLjmIHC+Zzn4tdgBZjnU= -github.com/apparentlymart/go-cidr v1.1.0/go.mod h1:EBcsNrHc3zQeuaeCeCtQruQm+n9/YjEn/vI25Lg7Gwc= +github.com/apparentlymart/go-cidr v1.1.1 h1:oEEk8CE0HP0YpHxsegk/TaOtR2FLHdWv4p3eM4ceUwg= +github.com/apparentlymart/go-cidr v1.1.1/go.mod h1:EBcsNrHc3zQeuaeCeCtQruQm+n9/YjEn/vI25Lg7Gwc= github.com/armon/go-proxyproto v0.0.0-20210323213023-7e956b284f0a/go.mod h1:QmP9hvJ91BbJmGVGSbutW19IC0Q9phDCLGaomwTJbgU= github.com/containernetworking/cni v1.3.0 h1:v6EpN8RznAZj9765HhXQrtXgX+ECGebEYEmnuFjskwo= github.com/containernetworking/cni v1.3.0/go.mod h1:Bs8glZjjFfGPHMw6hQu82RUgEPNGEaBb9KS5KtNMnJ4= github.com/containernetworking/plugins v1.9.1 h1:8oU6WsIsU3bpnNZuvHp74a6cE1MJwbj2P7s4/yTUNlA= github.com/containernetworking/plugins v1.9.1/go.mod h1:fj7kS55qg3o/RgS+WGsF3+ZxwIImMPusQZKzBpcSr4c= -github.com/containers/gvisor-tap-vsock v0.8.8 h1:5FznbOYMIuaCv8B6zQ7M6wjqP63Lasy0A6GpViEnjTg= -github.com/containers/gvisor-tap-vsock v0.8.8/go.mod h1:m/PzhZWAS6T9pCRH1fLkq2OqbEd6QEUZWjm3FS5F+CE= +github.com/containers/gvisor-tap-vsock v0.8.9 h1:6b7pqxFcKJ0EycBt1V4zPo3FQtgLLgs50AYkbFIb9eU= +github.com/containers/gvisor-tap-vsock v0.8.9/go.mod h1:OfqLraPkar5xMQcGbl9czDDSM6/xelt0HJpyB3es6v0= github.com/cpuguy83/go-md2man/v2 v2.0.7 h1:zbFlGlXEAKlwXpmvle3d8Oe3YnkKIK4xSRTd3sHPnBo= github.com/cpuguy83/go-md2man/v2 v2.0.7/go.mod 
h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 
@@ -87,33 +87,33 @@ go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.47.0 h1:V6e3FRj+n4dbpw86FJ8Fv7XVOql7TEwpHapKoMJ/GO8= -golang.org/x/crypto v0.47.0/go.mod h1:ff3Y9VzzKbwSSEzWqJsJVBnWmRwRSHt/6Op5n9bQc4A= +golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI= +golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q= golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= -golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c= -golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU= +golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM= +golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o= -golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8= +golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA= +golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4= golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0= golang.org/x/sys 
v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI= -golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= -golang.org/x/term v0.39.0 h1:RclSuaJf32jOqZz74CkPA9qFuVTX7vhLlpfj/IGWlqY= -golang.org/x/term v0.39.0/go.mod h1:yxzUCTP/U+FzoxfdKmLaA0RV1WgE0VY7hXBwKtY/4ww= +golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY= +golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= +golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY= +golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE= -golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8= +golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg= +golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164= golang.org/x/time v0.13.0 h1:eUlYslOIt32DgYD6utsuUeHs4d7AsEYLuIAdg7FlYgI= golang.org/x/time v0.13.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4= golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc= -golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg= +golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s= +golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 
h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rootlesskit-3.0.0/pkg/network/gvisortapvsock/gvisortapvsock.go new/rootlesskit-3.0.1/pkg/network/gvisortapvsock/gvisortapvsock.go --- old/rootlesskit-3.0.0/pkg/network/gvisortapvsock/gvisortapvsock.go 2026-04-09 21:00:30.000000000 +0200 +++ new/rootlesskit-3.0.1/pkg/network/gvisortapvsock/gvisortapvsock.go 2026-05-27 11:33:09.000000000 +0200 @@ -134,6 +134,8 @@ // and allows for easier debugging and identification of the gateway interface. GatewayMacAddress: "5a:94:ef:e4:0c:dd", DHCPStaticLeases: map[string]string{}, + // Allow 169.254.169.254, as in other network drivers + Ec2MetadataAccess: true, } if !d.disableHostLoopback { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rootlesskit-3.0.0/pkg/port/builtin/child/child.go new/rootlesskit-3.0.1/pkg/port/builtin/child/child.go --- old/rootlesskit-3.0.0/pkg/port/builtin/child/child.go 2026-04-09 21:00:30.000000000 +0200 +++ new/rootlesskit-3.0.1/pkg/port/builtin/child/child.go 2026-05-27 11:33:09.000000000 +0200 
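Review bot: `Ec2MetadataAccess: true` is set as a literal in the gvisor-tap-vsock configuration, so every workload in the namespace can reach 169.254.169.254 and the hunk shows no way to turn that off. On a cloud host that address is the instance metadata service, which commonly serves instance credentials, so untrusted code in the namespace (or a request-forgery bug in a service running there) can read them. The comment should state that consequence, e.g. `// Allow 169.254.169.254 (cloud instance metadata) as in other network drivers; this exposes host metadata and credentials to the workload, so filter it on the host when untrusted code runs here.` Consider taking the value from a driver option rather than a literal; the struct literal starts and ends outside this hunk, so whether such an option exists is not visible here.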
@@ -147,7 +147,18 @@
 var targetConn net.Conn
 var err error
- if d.sourceIPTransparent && req.SourceIP != "" && req.SourcePort != 0 && (dialProto == "tcp" || dialProto == "udp") && !net.ParseIP(req.SourceIP).IsLoopback() {
+ // IP_TRANSPARENT source IP preservation is only supported for TCP.
+ //
+ // For UDP it cannot be made to work reliably: the in-netns server replies to
+ // the real (non-local) client address, and unlike TCP there is no per-flow
+ // accepted socket to carry the fwmark (no udp_fwmark_accept), so the reply's
+ // route and source address are selected at send time via the main table. The
+ // reply is therefore sent out the default route (e.g. the slirp4netns TAP)
+ // and never reaches the transparent socket, breaking UDP forwarding entirely
+ // for non-loopback clients (rootless-containers/rootlesskit#592). UDP falls
+ // back to the non-transparent path below, which works for all clients but
+ // does not preserve the client source IP.
+ if d.sourceIPTransparent && req.SourceIP != "" && req.SourcePort != 0 && dialProto == "tcp" && !net.ParseIP(req.SourceIP).IsLoopback() {
 d.routingSetup.Do(func() { d.routingReady = d.setupTransparentRouting() })
 if !d.routingReady {
 d.routingWarn.Do(func() {
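Review bot: The rewritten condition calls `net.ParseIP(req.SourceIP).IsLoopback()` without checking the parse result; `ParseIP` returns nil for a malformed string and `IsLoopback` on a nil IP is false, so an unparsable `SourceIP` passes the guard and takes the transparent path. The same string is parsed again in `transparentDial` (next hunk), where a nil IP yields a local address with no IP, and the sender in msg.go fills the field with `tcpAddr.IP.String()`, which is `"<nil>"` rather than empty for an address that carries no IP. Parse once before the condition and require a usable address: `srcIP := net.ParseIP(req.SourceIP)` and then `srcIP != nil && !srcIP.IsLoopback()` in place of the last clause. The enclosing function starts and ends outside the hunk.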
@@ -250,17 +261,11 @@
 // transparentDial dials targetAddr using IP_TRANSPARENT, binding to the given
 // source IP and port so the backend service sees the real client address.
+// Only TCP is supported; see the comment in handleConnectRequest.
 func transparentDial(dialProto, targetAddr, sourceIP string, sourcePort int) (net.Conn, error) {
- var localAddr net.Addr
- switch dialProto {
- case "tcp":
- localAddr = &net.TCPAddr{IP: net.ParseIP(sourceIP), Port: sourcePort}
- case "udp":
- localAddr = &net.UDPAddr{IP: net.ParseIP(sourceIP), Port: sourcePort}
- }
 dialer := net.Dialer{
 Timeout: time.Second,
- LocalAddr: localAddr,
+ LocalAddr: &net.TCPAddr{IP: net.ParseIP(sourceIP), Port: sourcePort},
 Control: func(network, address string, c syscall.RawConn) error {
 var sockErr error
 if err := c.Control(func(fd uintptr) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rootlesskit-3.0.0/pkg/port/builtin/msg/msg.go new/rootlesskit-3.0.1/pkg/port/builtin/msg/msg.go
--- old/rootlesskit-3.0.0/pkg/port/builtin/msg/msg.go 2026-04-09 21:00:30.000000000 +0200
+++ new/rootlesskit-3.0.1/pkg/port/builtin/msg/msg.go 2026-05-27 11:33:09.000000000 +0200
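Review bot: `transparentDial` still accepts `dialProto` although `LocalAddr` is now always a `*net.TCPAddr`, so a non-TCP network passed in would presumably only fail later, inside the dialer, with an address-type mismatch. The only visible guard is the `dialProto == "tcp"` test at the call site in the previous hunk; stating the contract on the function keeps the two from drifting, for example `// dialProto must be a TCP network; the caller checks this before dialing.` next to the new "Only TCP is supported" line. The function body continues past the end of the hunk, so how `dialProto` is used further down is not visible here.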
@@ -82,17 +82,10 @@
 ParentIP: spec.ParentIP,
 HostGatewayIP: hostGatewayIP(),
 }
- switch a := sourceAddr.(type) {
- case *net.TCPAddr:
- if a != nil {
- req.SourceIP = a.IP.String()
- req.SourcePort = a.Port
- }
- case *net.UDPAddr:
- if a != nil {
- req.SourceIP = a.IP.String()
- req.SourcePort = a.Port
- }
+ // Source IP preservation (IP_TRANSPARENT) is only supported for TCP.
+ if tcpAddr, ok := sourceAddr.(*net.TCPAddr); ok && tcpAddr != nil {
+ req.SourceIP = tcpAddr.IP.String()
+ req.SourcePort = tcpAddr.Port
 }
 if _, err := lowlevelmsgutil.MarshalToWriter(c, &req); err != nil {
 return 0, err
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rootlesskit-3.0.0/pkg/port/builtin/parent/udp/udp.go new/rootlesskit-3.0.1/pkg/port/builtin/parent/udp/udp.go
--- old/rootlesskit-3.0.0/pkg/port/builtin/parent/udp/udp.go 2026-04-09 21:00:30.000000000 +0200
+++ new/rootlesskit-3.0.1/pkg/port/builtin/parent/udp/udp.go 2026-05-27 11:33:09.000000000 +0200
@@ -24,9 +24,9 @@
 udpp := &udpproxy.UDPProxy{
 LogWriter: logWriter,
 Listener: c,
- BackendDial: func(from *net.UDPAddr) (*net.UDPConn, error) {
+ BackendDial: func() (*net.UDPConn, error) {
 // get fd from the child as an SCM_RIGHTS cmsg
- fd, err := msg.ConnectToChildWithRetry(socketPath, spec, 10, from)
+ fd, err := msg.ConnectToChildWithRetry(socketPath, spec, 10, nil)
 if err != nil {
 return nil, err
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rootlesskit-3.0.0/pkg/port/builtin/parent/udp/udpproxy/udp_proxy.go new/rootlesskit-3.0.1/pkg/port/builtin/parent/udp/udpproxy/udp_proxy.go
--- old/rootlesskit-3.0.0/pkg/port/builtin/parent/udp/udpproxy/udp_proxy.go 2026-04-09 21:00:30.000000000 +0200
+++ new/rootlesskit-3.0.1/pkg/port/builtin/parent/udp/udpproxy/udp_proxy.go 2026-05-27 11:33:09.000000000 +0200
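Review bot: The `nil` now passed as the last argument of `msg.ConnectToChildWithRetry` in udp.go is unexplained at the call site, and a reader has to open msg.go to learn that it means "no source address, do not request IP_TRANSPARENT". A short comment above the call would make the intent visible, for example `// nil source address: UDP is forwarded without source IP preservation (#592)`. Separately, the exported field `UDPProxy.BackendDial` changes to `func() (*net.UDPConn, error)` in udp_proxy.go; if that package is imported outside this repository the new signature is a breaking change in a patch release and deserves a line in the release notes.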
@@ -49,7 +49,7 @@
 type UDPProxy struct {
 LogWriter io.Writer
 Listener *net.UDPConn
- BackendDial func(from *net.UDPAddr) (*net.UDPConn, error)
+ BackendDial func() (*net.UDPConn, error)
 connTrackTable connTrackMap
 connTrackLock sync.Mutex
 }
@@ -108,7 +108,7 @@
 proxy.connTrackLock.Lock()
 proxyConn, hit := proxy.connTrackTable[*fromKey]
 if !hit {
- proxyConn, err = proxy.BackendDial(from)
+ proxyConn, err = proxy.BackendDial()
 if err != nil {
 fmt.Fprintf(proxy.LogWriter, "Can't proxy a datagram to udp: %v\n", err)
 proxy.connTrackLock.Unlock()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rootlesskit-3.0.0/pkg/port/testsuite/testsuite.go new/rootlesskit-3.0.1/pkg/port/testsuite/testsuite.go
--- old/rootlesskit-3.0.0/pkg/port/testsuite/testsuite.go 2026-04-09 21:00:30.000000000 +0200
+++ new/rootlesskit-3.0.1/pkg/port/testsuite/testsuite.go 2026-05-27 11:33:09.000000000 +0200
@@ -512,11 +512,25 @@
 if err != nil {
 t.Fatal(err)
 }
+ defer conn.Close()
 clientAddr := conn.LocalAddr().String()
 if _, err := conn.Write([]byte("hello")); err != nil {
 t.Fatal(err)
 }
- conn.Close()
+ // Verify the return path: the echoed reply must reach the client. This is
+ // the regression assertion for rootless-containers/rootlesskit#592, where
+ // UDP responses were lost for non-loopback clients.
+ if err := conn.SetReadDeadline(time.Now().Add(5 * time.Second)); err != nil {
+ t.Fatal(err)
+ }
+ buf := make([]byte, 64)
+ n, err := conn.Read(buf)
+ if err != nil {
+ t.Fatalf("did not receive UDP echo reply (issue #592 return-path regression): %v", err)
+ }
+ if got := string(buf[:n]); got != "hello" {
+ t.Fatalf("unexpected UDP echo reply: %q", got)
+ }
 return clientAddr
 }
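Review bot: In the second udp_proxy.go hunk `proxy.BackendDial()` runs while `connTrackLock` is held, so datagrams from every other client wait for as long as the dial takes. The dial supplied in udp.go goes through `msg.ConnectToChildWithRetry(socketPath, spec, 10, nil)`, whose name and count argument suggest it can retry, so a slow or unresponsive child would stall the whole proxy, and a burst of datagrams from previously unseen source addresses makes each of them pay that cost serially. Consider dialing outside the critical section and re-checking `connTrackTable` after re-acquiring the lock before inserting the new connection. The enclosing loop starts and ends outside the hunk, so the lock scope is judged only from the visible `Lock()` and `Unlock()` lines.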
@@ -652,8 +666,6 @@
 echoCmd.Wait()
- // Parse and verify: the echo server should see the client's non-loopback IP,
- // not 127.0.0.1 or a hard-coded router address.
 clientHost, _, err := net.SplitHostPort(clientAddr)
 if err != nil {
 t.Fatalf("failed to parse client address %q: %v", clientAddr, err)
@@ -663,8 +675,23 @@
 t.Fatalf("failed to parse server-seen address %q: %v", serverSawAddr, err)
 }
- if clientHost != serverHost {
- t.Errorf("IP mismatch: client=%s, server saw=%s", clientHost, serverHost)
+ switch proto {
+ case "tcp":
+ // TCP preserves the real client source IP via IP_TRANSPARENT: the echo
+ // server must see the client's non-loopback IP, not 127.0.0.1 or a
+ // hard-coded router address.
+ if clientHost != serverHost {
+ t.Errorf("IP mismatch: client=%s, server saw=%s", clientHost, serverHost)
+ }
+ case "udp":
+ // UDP does not preserve the source IP: it falls back to the
+ // non-transparent path (see rootless-containers/rootlesskit#592 and the
+ // comment in pkg/port/builtin/child). The server therefore sees a
+ // loopback source, and the reply still reaches the client (verified by
+ // transparentUDPDialAndSend reading the echo above).
+ if clientHost == serverHost {
+ t.Errorf("expected UDP source IP not to be preserved, but server saw client IP %s", serverHost)
+ }
 }
 // Cleanup
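Review bot: The new `switch proto` has no `default` case, so a caller that passes anything other than "tcp" or "udp" gets no address assertion at all and the test passes vacuously; add `default: t.Fatalf("unexpected proto %q", proto)`. In the "udp" case the comment says the server sees a loopback source, but the check only requires `clientHost != serverHost`; if loopback really is the expected result, asserting `net.ParseIP(serverHost).IsLoopback()` would pin it, otherwise the comment should be softened to match what is tested. The enclosing test function starts before the first hunk on this line and continues after `// Cleanup`.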
@@ -707,6 +734,13 @@
 conn.WriteToUDP(buf[:n], from)
 }
+// RunUDPTransparent exercises the source-ip-transparent code path for UDP. UDP
+// does not actually support IP_TRANSPARENT (it falls back to the non-transparent
+// path), so this is also the regression test for
+// rootless-containers/rootlesskit#592: the client connects from a non-loopback
+// address (which previously triggered the broken path) and the test asserts that
+// the echo reply is delivered back to the client. Source IP preservation is
+// intentionally not expected for UDP.
 func RunUDPTransparent(t *testing.T, pf func() port.ParentDriver) {
 t.Run("TestUDPTransparent", func(t *testing.T) { TestUDPTransparent(t, pf()) })
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rootlesskit-3.0.0/pkg/version/version.go new/rootlesskit-3.0.1/pkg/version/version.go
--- old/rootlesskit-3.0.0/pkg/version/version.go 2026-04-09 21:00:30.000000000 +0200
+++ new/rootlesskit-3.0.1/pkg/version/version.go 2026-05-27 11:33:09.000000000 +0200
@@ -1,3 +1,3 @@
 package version
-const Version = "3.0.0"
+const Version = "3.0.1"
++++++ vendor.tar.gz ++++++
++++ 6966 lines of diff (skipped)
