public inbox for passt-dev@passt.top
From: Stefano Brivio <sbrivio@redhat.com>
To: passt-dev@passt.top
Subject: [PATCH] udp: Fix port and address checks for DNS forwarder
Date: Mon, 10 Oct 2022 10:21:09 +0200
Message-ID: <20221010082109.830625-1-sbrivio@redhat.com>

First off, as we swap endianness for source ports in
udp_fill_data_v{4,6}(), we want host endianness, not network
endianness. It doesn't actually matter if we use htons() or ntohs()
here, but the current version is confusing.

In the IPv4 path, when we remap DNS answers, we already swapped the
endianness as needed for the source port: don't swap it again,
otherwise we'll not map DNS answers for IPv4.

In the IPv6 path, when we remap DNS answers, we want to check that
they came from our upstream DNS server, not the one configured via
--dns-forward (which doesn't even need to exist for this
functionality to work).
---
 udp.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/udp.c b/udp.c
index cac9c65..4b201d3 100644
--- a/udp.c
+++ b/udp.c
@@ -678,7 +678,7 @@ static void udp_sock_fill_data_v4(const struct ctx *c, int n,
 	b->iph.tot_len = htons(ip_len);
 
 	src = ntohl(b->s_in.sin_addr.s_addr);
-	src_port = htons(b->s_in.sin_port);
+	src_port = ntohs(b->s_in.sin_port);
 
 	if (src >> IN_CLASSA_NSHIFT == IN_LOOPBACKNET ||
 	    src == INADDR_ANY || src == ntohl(c->ip4.addr_seen)) {
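Review bot: a short comment at the `src_port = ntohs(b->s_in.sin_port);` line, stating that both src and src_port hold host-order values from here on, would be worth adding. Every later branch in this function compares them against constants or context fields, and the double conversion removed further down in this patch is the kind of mistake that comment would prevent. The ntohs() spelling itself now matches the ntohl() used for src on the line above.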
@@ -693,7 +693,7 @@ static void udp_sock_fill_data_v4(const struct ctx *c, int n,
 
 		bitmap_set(udp_act[V4][UDP_ACT_TAP], src_port);
 	} else if (c->ip4.dns_fwd &&
-		   src == ntohl(c->ip4.dns[0]) && ntohs(src_port) == 53) {
+		   src == htonl(c->ip4.dns[0]) && src_port == 53) {
 		b->iph.saddr = c->ip4.dns_fwd;
 	} else {
 		b->iph.saddr = b->s_in.sin_addr.s_addr;
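Review bot: the address half of the changed condition, `src == htonl(c->ip4.dns[0])`, switches from ntohl() to htonl(), which the commit message does not mention and which goes against the direction used elsewhere in this function: src is produced with ntohl() and compared against ntohl(c->ip4.addr_seen) in the previous hunk's context. The two calls return the same value on any given host, so behaviour is unaffected, but by the argument the commit message makes for src_port, this should stay ntohl(). The port half, `src_port == 53`, is consistent with src_port already being in host order.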
@@ -795,7 +795,7 @@ static void udp_sock_fill_data_v6(const struct ctx *c, int n,
 
 		bitmap_set(udp_act[V6][UDP_ACT_TAP], src_port);
 	} else if (!IN6_IS_ADDR_UNSPECIFIED(&c->ip6.dns_fwd) &&
-		   IN6_ARE_ADDR_EQUAL(src, &c->ip6.dns_fwd) && src_port == 53) {
+		   IN6_ARE_ADDR_EQUAL(src, &c->ip6.dns[0]) && src_port == 53) {
 		b->ip6h.daddr = c->ip6.addr_seen;
 		b->ip6h.saddr = c->ip6.dns_fwd;
 	} else {
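Review bot: the new comparison `IN6_ARE_ADDR_EQUAL(src, &c->ip6.dns[0])` matches only the first entry of the dns array. If more than one upstream resolver can be configured, answers from the others fall through to the else branch and are not rewritten to dns_fwd. Either loop over the configured entries or add a comment that forwarding is tied to dns[0] only. The guard also still tests only that dns_fwd is set; a note on why dns[0] needs no equivalent check would help, and the same questions apply to the IPv4 branch in the previous hunk.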
-- 
2.35.1