Date: Thu, 17 Nov 2022 00:54:05 +0100
From: Stefano Brivio
To: David Gibson
CC: passt-dev@passt.top
Subject: Re: [PATCH 16/32] tcp: Use the same sockets to listen for spliced and non-spliced connections
Message-ID: <20221117005405.70227aba@elisabeth>
In-Reply-To: <20221116044212.3876516-17-david@gibson.dropbear.id.au>
Organization: Red Hat
List-Id: Development discussion and patches for passt

On Wed, 16 Nov 2022 15:41:56 +1100 David Gibson wrote:

> In pasta mode, tcp_sock_init[46]() create separate sockets to listen for
> spliced connections (these are bound to localhost) and non-spliced
> connections (these are bound to the host address). This introduces a
> subtle behavioural difference between pasta and passt: by default, pasta
> will listen only on a single host address, whereas passt will listen on
> all addresses (0.0.0.0 or ::). This also prevents us using some additional
> optimizations that only work with the unspecified (0.0.0.0 or ::) address.
>
> However, it turns out we don't need to do this. We can splice a connection
> if and only if it originates from the loopback address.
Currently we > ensure this by having the "spliced" listening sockets listening only on > loopback. Instead, defer the decision about whether to splice a connection > until after accept(), by checking if the connection was made from the > loopback address. > > Signed-off-by: David Gibson > --- > tcp.c | 127 +++++++++++++-------------------------------------- > tcp_splice.c | 25 ++++++++-- > tcp_splice.h | 5 +- > 3 files changed, 55 insertions(+), 102 deletions(-) > > diff --git a/tcp.c b/tcp.c > index e66a82a..4065da7 100644 > --- a/tcp.c > +++ b/tcp.c > @@ -434,7 +434,6 @@ static const char *tcp_flag_str[] __attribute((__unused__)) = { > }; > > /* Listening sockets, used for automatic port forwarding in pasta mode only */ > -static int tcp_sock_init_lo [NUM_PORTS][IP_VERSIONS]; > static int tcp_sock_init_ext [NUM_PORTS][IP_VERSIONS]; > static int tcp_sock_ns [NUM_PORTS][IP_VERSIONS]; 
> > @@ -2851,21 +2850,31 @@ static void tcp_conn_from_sock(struct ctx *c, union epoll_ref ref, > socklen_t sl; > int s; > > + assert(ref.r.p.tcp.tcp.listen); > + assert(!ref.r.p.tcp.tcp.splice); > + > if (c->tcp.conn_count >= TCP_MAX_CONNS) > return; > > sl = sizeof(sa); > + /* FIXME: Workaround clang-tidy not realizing that accept4() > + * writes the socket address. See > + * https://github.com/llvm/llvm-project/issues/58992 > + */ > + memset(&sa, 0, sizeof(struct sockaddr_in6)); > s = accept4(ref.r.s, (struct sockaddr *)&sa, &sl, SOCK_NONBLOCK); Ah, interesting. That looks new by the way -- not even valgrind complained about this. > if (s < 0) > return; > > conn = tc + c->tcp.conn_count++; > > - if (ref.r.p.tcp.tcp.splice) > - tcp_splice_conn_from_sock(c, ref, &conn->splice, s); > - else > - tcp_tap_conn_from_sock(c, ref, &conn->tap, s, > - (struct sockaddr *)&sa, now); > + if (c->mode == MODE_PASTA && > + tcp_splice_conn_from_sock(c, ref, &conn->splice, > + s, (struct sockaddr *)&sa)) > + return; > + > + tcp_tap_conn_from_sock(c, ref, &conn->tap, s, > + (struct sockaddr *)&sa, now); > } > > /** 
> @@ -3018,47 +3027,16 @@ static void tcp_sock_init4(const struct ctx *c, const struct in_addr *addr, > { > in_port_t idx = port + c->tcp.fwd_in.delta[port]; > union tcp_epoll_ref tref = { .tcp.listen = 1, .tcp.index = idx }; > - bool spliced = false, tap = true; > int s; > > - if (c->mode == MODE_PASTA) { > - spliced = !addr || IN4_IS_ADDR_UNSPECIFIED(addr) || > - IN4_IS_ADDR_LOOPBACK(addr); > - > - if (!addr) > - addr = &c->ip4.addr; > - > - tap = !IN4_IS_ADDR_LOOPBACK(addr); > - } > - > - if (tap) { > - s = sock_l4(c, AF_INET, IPPROTO_TCP, addr, ifname, port, > - tref.u32); > - if (s >= 0) > - tcp_sock_set_bufsize(c, s); > - else > - s = -1; > - > - if (c->tcp.fwd_in.mode == FWD_AUTO) > - tcp_sock_init_ext[port][V4] = s; > - } > - > - if (spliced) { > - struct in_addr loopback = { htonl(INADDR_LOOPBACK) }; > - tref.tcp.splice = 1; > - > - addr = &loopback; > - > - s = sock_l4(c, AF_INET, IPPROTO_TCP, addr, ifname, port, > - tref.u32); > - if (s >= 0) > - tcp_sock_set_bufsize(c, s); > - else > - s = -1; > + s = sock_l4(c, AF_INET, IPPROTO_TCP, addr, ifname, port, tref.u32); > + if (s >= 0) > + tcp_sock_set_bufsize(c, s); > + else > + s = -1; > > - if (c->tcp.fwd_out.mode == FWD_AUTO) > - tcp_sock_init_lo[port][V4] = s; > - } > + if (c->tcp.fwd_in.mode == FWD_AUTO) > + tcp_sock_init_ext[port][V4] = s; > } > > /** 
> @@ -3075,47 +3053,16 @@ static void tcp_sock_init6(const struct ctx *c, > in_port_t idx = port + c->tcp.fwd_in.delta[port]; > union tcp_epoll_ref tref = { .tcp.listen = 1, .tcp.v6 = 1, > .tcp.index = idx }; > - bool spliced = false, tap = true; > int s; > > - if (c->mode == MODE_PASTA) { > - spliced = !addr || > - IN6_IS_ADDR_UNSPECIFIED(addr) || > - IN6_IS_ADDR_LOOPBACK(addr); > - > - if (!addr) > - addr = &c->ip6.addr; > - > - tap = !IN6_IS_ADDR_LOOPBACK(addr); > - } > - > - if (tap) { > - s = sock_l4(c, AF_INET6, IPPROTO_TCP, addr, ifname, port, > - tref.u32); > - if (s >= 0) > - tcp_sock_set_bufsize(c, s); > - else > - s = -1; > - > - if (c->tcp.fwd_in.mode == FWD_AUTO) > - tcp_sock_init_ext[port][V6] = s; > - } > - > - if (spliced) { > - tref.tcp.splice = 1; > - > - addr = &in6addr_loopback; > - > - s = sock_l4(c, AF_INET6, IPPROTO_TCP, addr, ifname, port, > - tref.u32); > - if (s >= 0) > - tcp_sock_set_bufsize(c, s); > - else > - s = -1; > + s = sock_l4(c, AF_INET6, IPPROTO_TCP, addr, ifname, port, tref.u32); > + if (s >= 0) > + tcp_sock_set_bufsize(c, s); > + else > + s = -1; > > - if (c->tcp.fwd_out.mode == FWD_AUTO) > - tcp_sock_init_lo[port][V6] = s; > - } > + if (c->tcp.fwd_in.mode == FWD_AUTO) > + tcp_sock_init_ext[port][V6] = s; > } > > /** > @@ -3144,7 +3091,7 @@ static void tcp_ns_sock_init4(const struct ctx *c, in_port_t port) > { > in_port_t idx = port + c->tcp.fwd_out.delta[port]; > union tcp_epoll_ref tref = { .tcp.listen = 1, .tcp.outbound = 1, > - .tcp.splice = 1, .tcp.index = idx }; > + .tcp.index = idx }; > struct in_addr loopback = { htonl(INADDR_LOOPBACK) }; > int s; 
> > @@ -3169,8 +3116,7 @@ static void tcp_ns_sock_init6(const struct ctx *c, in_port_t port) > { > in_port_t idx = port + c->tcp.fwd_out.delta[port]; > union tcp_epoll_ref tref = { .tcp.listen = 1, .tcp.outbound = 1, > - .tcp.splice = 1, .tcp.v6 = 1, > - .tcp.index = idx}; > + .tcp.v6 = 1, .tcp.index = idx}; Space missing here (from 14/32). > int s; > > assert(c->mode == MODE_PASTA); > @@ -3337,7 +3283,6 @@ int tcp_init(struct ctx *c) > memset(init_sock_pool6, 0xff, sizeof(init_sock_pool6)); > memset(ns_sock_pool4, 0xff, sizeof(ns_sock_pool4)); > memset(ns_sock_pool6, 0xff, sizeof(ns_sock_pool6)); > - memset(tcp_sock_init_lo, 0xff, sizeof(tcp_sock_init_lo)); > memset(tcp_sock_init_ext, 0xff, sizeof(tcp_sock_init_ext)); > memset(tcp_sock_ns, 0xff, sizeof(tcp_sock_ns)); > > @@ -3445,16 +3390,6 @@ static int tcp_port_rebind(void *arg) > close(tcp_sock_init_ext[port][V6]); > tcp_sock_init_ext[port][V6] = -1; > } > - > - if (tcp_sock_init_lo[port][V4] >= 0) { > - close(tcp_sock_init_lo[port][V4]); > - tcp_sock_init_lo[port][V4] = -1; > - } > - > - if (tcp_sock_init_lo[port][V6] >= 0) { > - close(tcp_sock_init_lo[port][V6]); > - tcp_sock_init_lo[port][V6] = -1; > - } > continue; > } > > diff --git a/tcp_splice.c b/tcp_splice.c > index 7007501..30d49d4 100644 > --- a/tcp_splice.c > +++ b/tcp_splice.c 
> @@ -502,19 +502,35 @@ static void tcp_splice_dir(struct tcp_splice_conn *conn, int ref_sock, > } > > /** > - * tcp_splice_conn_from_sock() - Initialize state for spliced connection > + * tcp_splice_conn_from_sock() - Attempt to init state for a spliced connection > * @c: Execution context > * @ref: epoll reference of listening socket > * @conn: connection structure to initialize > * @s: Accepted socket > + * @sa: Peer address of connection > * > + * Return: true if able to create a spliced connection, false otherwise > * #syscalls:pasta setsockopt > */ > -void tcp_splice_conn_from_sock(struct ctx *c, union epoll_ref ref, > - struct tcp_splice_conn *conn, int s) > +bool tcp_splice_conn_from_sock(struct ctx *c, union epoll_ref ref, > + struct tcp_splice_conn *conn, int s, > + const struct sockaddr *sa) > { > assert(c->mode == MODE_PASTA); > > + if (ref.r.p.tcp.tcp.v6) { > + const struct sockaddr_in6 *sa6 > + = (const struct sockaddr_in6 *)sa; Maybe you could split declaration and assignment here. > + if (!IN6_IS_ADDR_LOOPBACK(&sa6->sin6_addr)) > + return false; > + conn->flags = SPLICE_V6; > + } else { > + const struct sockaddr_in *sa4 = (const struct sockaddr_in *)sa; > + if (!IN4_IS_ADDR_LOOPBACK(&sa4->sin_addr)) > + return false; > + conn->flags = 0; > + } > + > if (setsockopt(s, SOL_TCP, TCP_QUICKACK, &((int){ 1 }), > sizeof(int))) { > trace("TCP (spliced): failed to set TCP_QUICKACK on %i", > @@ -524,11 +540,12 @@ void tcp_splice_conn_from_sock(struct ctx *c, union epoll_ref ref, > conn->c.spliced = true; > c->tcp.splice_conn_count++; > conn->a = s; > - conn->flags = ref.r.p.tcp.tcp.v6 ? SPLICE_V6 : 0; > > if (tcp_splice_new(c, conn, ref.r.p.tcp.tcp.index, > ref.r.p.tcp.tcp.outbound)) > conn_flag(c, conn, CLOSING); > + > + return true; > } > > /** > diff --git a/tcp_splice.h b/tcp_splice.h > index f9462ae..1a915dd 100644 > --- a/tcp_splice.h > +++ b/tcp_splice.h 
> @@ -10,8 +10,9 @@ struct tcp_splice_conn; > > void tcp_sock_handler_splice(struct ctx *c, union epoll_ref ref, > uint32_t events); > -void tcp_splice_conn_from_sock(struct ctx *c, union epoll_ref ref, > - struct tcp_splice_conn *conn, int s); > +bool tcp_splice_conn_from_sock(struct ctx *c, union epoll_ref ref, > + struct tcp_splice_conn *conn, int s, > + const struct sockaddr *sa); > void tcp_splice_init(struct ctx *c); > > #endif /* TCP_SPLICE_H */
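Review bot: In the tcp_conn_from_sock() hunk of tcp.c, the added memset() clears sizeof(struct sockaddr_in6) bytes while the length handed to accept4() is sl = sizeof(sa). The declaration of sa sits above the hunk, so the two sizes are only equal if sa happens to be a struct sockaddr_in6; if it is a larger type such as struct sockaddr_storage, part of the buffer that accept4() is told it may write stays uninitialised. Writing it as memset(&sa, 0, sizeof(sa)) keeps the workaround tied to the same object size as sl and survives a later change of the type of sa.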
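Review bot: In the tcp_sock_init4() hunk (and identically in tcp_sock_init6()), removing "if (!addr) addr = &c->ip4.addr;" means a NULL addr is now passed straight to sock_l4() in pasta mode, which, per the commit message, moves pasta from listening on a single host address to listening on the unspecified address. That widens where forwarded ports are reachable by default, yet the diffstat touches only tcp.c, tcp_splice.c and tcp_splice.h. The change of default deserves a line in the user-facing documentation, and the comment "Listening sockets, used for automatic port forwarding in pasta mode only" above tcp_sock_init_ext could say that these sockets now serve both spliced and tap connections.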
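Review bot: In the tcp_splice_conn_from_sock() hunk of tcp_splice.c, the new kernel-doc line "Return: true if able to create a spliced connection, false otherwise" does not match the code: when tcp_splice_new() fails, the connection is flagged CLOSING and the function still returns true. That return value is what stops tcp_conn_from_sock() from falling through to tcp_tap_conn_from_sock() on the same conn slot, so the behaviour looks intended, but the comment should say something like "true if the connection was taken over as spliced (even if setup then failed), false if the caller should handle it via tap". Separately, the loopback test is now the only gate for splicing and it picks the sockaddr_in or sockaddr_in6 cast from ref.r.p.tcp.tcp.v6 rather than from the address accept4() returned; an assert on sa->sa_family in each branch would make that assumption explicit.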