From: David Gibson <david@gibson.dropbear.id.au>
To: passt-dev@passt.top, Stefano Brivio <sbrivio@redhat.com>
Cc: David Gibson <david@gibson.dropbear.id.au>
Subject: [PATCH v2 27/32] tcp: NAT IPv4-mapped IPv6 addresses like IPv4 addresses
Date: Thu, 17 Nov 2022 16:59:03 +1100	[thread overview]
Message-ID: <20221117055908.2782981-28-david@gibson.dropbear.id.au> (raw)
In-Reply-To: <20221117055908.2782981-1-david@gibson.dropbear.id.au>

passt usually doesn't NAT, but it does do so for the remapping of the
gateway address to refer to the host.  Currently we perform this NAT with
slightly different rules on both IPv4 addresses and IPv6 addresses, but not
on IPv4-mapped IPv6 addresses.  This means we won't correctly handle the
case of an IPv4 connection over an IPv6 socket, which is possible on Linux
(and probably other platforms).

Refactor tcp_conn_from_sock() to perform the NAT after converting either
address family into an inany_addr, so IPv4 and IPv4-mapped addresses
have the same representation.

With two new helpers this lets us remove the IPv4 and IPv6 specific paths
from tcp_conn_from_sock().

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
---
 inany.h | 30 ++++++++++++++++++++++++--
 tcp.c   | 67 ++++++++++++++++++++++++++-------------------------------
 2 files changed, 59 insertions(+), 38 deletions(-)

diff --git a/inany.h b/inany.h
index 03e3e3f..52d43f2 100644
--- a/inany.h
+++ b/inany.h
@@ -30,11 +30,11 @@ union inany_addr {
  *
  * Return: IPv4 address if @addr is IPv4, NULL otherwise
  */
-static inline const struct in_addr *inany_v4(const union inany_addr *addr)
+static inline struct in_addr *inany_v4(const union inany_addr *addr)
 {
 	if (!IN6_IS_ADDR_V4MAPPED(&addr->a6))
 		return NULL;
-	return &addr->v4mapped.a4;
+	return (struct in_addr *)&addr->v4mapped.a4;
 }
 
 /** inany_equals - Compare two IPv[46] addresses
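Review bot: inany_v4() now takes a `const union inany_addr *` and returns a writable `struct in_addr *` by casting the const away, so a caller holding a read-only address can write through the result with no compiler diagnostic. The visible caller that writes, tcp_snat_inbound() in tcp.c, already holds a non-const pointer, so the accessor could stay const and that caller could assign through its own pointer, e.g. `addr->v4mapped.a4 = c->ip4.gw;` after the `inany_v4(addr)` test. If the mutable return is kept, the Return line should say so, e.g. `Return: IPv4 address if @addr is IPv4, NULL otherwise; writable, so @addr must not refer to a const object`. The function's comment block starts above the hunk.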
@@ -66,3 +66,29 @@ static inline void inany_from_af(union inany_addr *aa, int af, const void *addr)
 		assert(0);
 	}
 }
+
+/** inany_from_sockaddr - Extract IPv[46] address and port number from sockaddr
+ * @aa:		Pointer to store IPv[46] address
+ * @port:	Pointer to store port number, host order
+ * @addr:	struct sockaddr_in (IPv4) or struct sockaddr_in6 (IPv6)
+ */
+static inline void inany_from_sockaddr(union inany_addr *aa, in_port_t *port,
+				       const void *addr)
+{
+	const struct sockaddr *sa = (const struct sockaddr *)addr;
+
+	if (sa->sa_family == AF_INET6) {
+		struct sockaddr_in6 *sa6 = (struct sockaddr_in6 *)sa;
+
+		inany_from_af(aa, AF_INET6, &sa6->sin6_addr);
+		*port = ntohs(sa6->sin6_port);
+	} else if (sa->sa_family == AF_INET) {
+		struct sockaddr_in *sa4 = (struct sockaddr_in *)sa;
+
+		inany_from_af(aa, AF_INET, &sa4->sin_addr);
+		*port = ntohs(sa4->sin_port);
+	} else {
+		/* Not valid to call with other address families */
+		assert(0);
+	}
+}
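Review bot: The final `else` of inany_from_sockaddr() handles an unexpected `sa_family` only with `assert(0)`, so in a build with assertions compiled out (NDEBUG) it would return with `*aa` and `*port` unwritten and the caller would go on to use them. The removed code in tcp_tap_conn_from_sock() treated every non-AF_INET6 family as IPv4, so this is a behaviour change that the function comment should state. Both casts also drop the const qualifier of @addr although the structs are only read; `const struct sockaddr_in6 *sa6 = (const struct sockaddr_in6 *)sa;` and the same for `sa4` would keep it. The helper reads the sockaddr in place where the removed code first copied it into a typed local with memcpy(), so the comment could add that @addr must be suitably aligned for the sockaddr type.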
diff --git a/tcp.c b/tcp.c
index 7d5ac6c..59c1a93 100644
--- a/tcp.c
+++ b/tcp.c
@@ -2724,6 +2724,34 @@ static void tcp_connect_finish(struct ctx *c, struct tcp_tap_conn *conn)
 	conn_flag(c, conn, ACK_FROM_TAP_DUE);
 }
 
+/**
+ * tcp_snat_inbound() - Translate source address for inbound data if needed
+ * @c:		Execution context
+ * @addr:	Source address of inbound packet/connection
+ */
+static void tcp_snat_inbound(const struct ctx *c, union inany_addr *addr)
+{
+	struct in_addr *addr4 = inany_v4(addr);
+
+	if (addr4) {
+		if (IN4_IS_ADDR_LOOPBACK(addr4) ||
+		    IN4_IS_ADDR_UNSPECIFIED(addr4) ||
+		    IN4_ARE_ADDR_EQUAL(addr4, &c->ip4.addr_seen))
+			*addr4 = c->ip4.gw;
+	} else {
+		struct in6_addr *addr6 = &addr->a6;
+
+		if (IN6_IS_ADDR_LOOPBACK(addr6) ||
+		    IN6_ARE_ADDR_EQUAL(addr6, &c->ip6.addr_seen) ||
+		    IN6_ARE_ADDR_EQUAL(addr6, &c->ip6.addr)) {
+			if (IN6_IS_ADDR_LINKLOCAL(&c->ip6.gw))
+				*addr6 = c->ip6.gw;
+			else
+				*addr6 = c->ip6.addr_ll;
+		}
+	}
+}
+
 /**
  * tcp_tap_conn_from_sock() - Initialize state for non-spliced connection
  * @c:		Execution context
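Review bot: The comment for tcp_snat_inbound() does not say that @addr is rewritten in place, nor that IPv4-mapped IPv6 addresses take the IPv4 branch, which is the point of the change. I would extend the parameter line to `@addr: Source address of inbound packet/connection, translated in place` and add a line above `if (addr4)` such as `/* IPv4 and IPv4-mapped IPv6 sources share the IPv4 rule */`. The two branches are not symmetric: the IPv4 test includes the unspecified address and compares only against `c->ip4.addr_seen`, while the IPv6 test compares against both `c->ip6.addr_seen` and `c->ip6.addr`. A short comment stating whether that is intentional would help anyone auditing which host-local sources the guest sees as the gateway.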
@@ -2744,43 +2772,10 @@ static void tcp_tap_conn_from_sock(struct ctx *c, union epoll_ref ref,
 	conn->ws_to_tap = conn->ws_from_tap = 0;
 	conn_event(c, conn, SOCK_ACCEPTED);
 
-	if (sa->sa_family == AF_INET6) {
-		struct sockaddr_in6 sa6;
-
-		memcpy(&sa6, sa, sizeof(sa6));
+	inany_from_sockaddr(&conn->addr, &conn->sock_port, sa);
+	conn->tap_port = ref.r.p.tcp.tcp.index;
 
-		if (IN6_IS_ADDR_LOOPBACK(&sa6.sin6_addr) ||
-		    IN6_ARE_ADDR_EQUAL(&sa6.sin6_addr, &c->ip6.addr_seen) ||
-		    IN6_ARE_ADDR_EQUAL(&sa6.sin6_addr, &c->ip6.addr)) {
-			struct in6_addr *src;
-
-			if (IN6_IS_ADDR_LINKLOCAL(&c->ip6.gw))
-				src = &c->ip6.gw;
-			else
-				src = &c->ip6.addr_ll;
-
-			memcpy(&sa6.sin6_addr, src, sizeof(*src));
-		}
-
-		inany_from_af(&conn->addr, AF_INET6, &sa6.sin6_addr);
-
-		conn->sock_port = ntohs(sa6.sin6_port);
-		conn->tap_port = ref.r.p.tcp.tcp.index;
-	} else {
-		struct sockaddr_in sa4;
-
-		memcpy(&sa4, sa, sizeof(sa4));
-
-		if (IN4_IS_ADDR_LOOPBACK(&sa4.sin_addr) ||
-		    IN4_IS_ADDR_UNSPECIFIED(&sa4.sin_addr) ||
-		    IN4_ARE_ADDR_EQUAL(&sa4.sin_addr, &c->ip4.addr_seen))
-			sa4.sin_addr = c->ip4.gw;
-
-		inany_from_af(&conn->addr, AF_INET, &sa4.sin_addr);
-
-		conn->sock_port = ntohs(sa4.sin_port);
-		conn->tap_port = ref.r.p.tcp.tcp.index;
-	}
+	tcp_snat_inbound(c, &conn->addr);
 
 	tcp_seq_init(c, conn, now);
 	tcp_hash_insert(c, conn);
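Review bot: The order of the new calls matters and is not commented: `tcp_snat_inbound(c, &conn->addr)` has to run before `tcp_seq_init(c, conn, now)` and `tcp_hash_insert(c, conn)`, which appear to take the address from `conn`, otherwise the connection would presumably be keyed on the untranslated source. A one-line comment before the call, e.g. `/* Translate before hashing: conn->addr must be the address the guest sees */`, would protect that ordering in later refactors. The function body starts and ends outside the hunk.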
-- 
@@ -2724,6 +2724,34 @@ static void tcp_connect_finish(struct ctx *c, struct tcp_tap_conn *conn)
 	conn_flag(c, conn, ACK_FROM_TAP_DUE);
 }
 
+/**
+ * tcp_snat_inbound() - Translate source address for inbound data if needed
+ * @c:		Execution context
+ * @addr:	Source address of inbound packet/connection
+ */
+static void tcp_snat_inbound(const struct ctx *c, union inany_addr *addr)
+{
+	struct in_addr *addr4 = inany_v4(addr);
+
+	if (addr4) {
+		if (IN4_IS_ADDR_LOOPBACK(addr4) ||
+		    IN4_IS_ADDR_UNSPECIFIED(addr4) ||
+		    IN4_ARE_ADDR_EQUAL(addr4, &c->ip4.addr_seen))
+			*addr4 = c->ip4.gw;
+	} else {
+		struct in6_addr *addr6 = &addr->a6;
+
+		if (IN6_IS_ADDR_LOOPBACK(addr6) ||
+		    IN6_ARE_ADDR_EQUAL(addr6, &c->ip6.addr_seen) ||
+		    IN6_ARE_ADDR_EQUAL(addr6, &c->ip6.addr)) {
+			if (IN6_IS_ADDR_LINKLOCAL(&c->ip6.gw))
+				*addr6 = c->ip6.gw;
+			else
+				*addr6 = c->ip6.addr_ll;
+		}
+	}
+}
+
 /**
  * tcp_tap_conn_from_sock() - Initialize state for non-spliced connection
  * @c:		Execution context
@@ -2744,43 +2772,10 @@ static void tcp_tap_conn_from_sock(struct ctx *c, union epoll_ref ref,
 	conn->ws_to_tap = conn->ws_from_tap = 0;
 	conn_event(c, conn, SOCK_ACCEPTED);
 
-	if (sa->sa_family == AF_INET6) {
-		struct sockaddr_in6 sa6;
-
-		memcpy(&sa6, sa, sizeof(sa6));
+	inany_from_sockaddr(&conn->addr, &conn->sock_port, sa);
+	conn->tap_port = ref.r.p.tcp.tcp.index;
 
-		if (IN6_IS_ADDR_LOOPBACK(&sa6.sin6_addr) ||
-		    IN6_ARE_ADDR_EQUAL(&sa6.sin6_addr, &c->ip6.addr_seen) ||
-		    IN6_ARE_ADDR_EQUAL(&sa6.sin6_addr, &c->ip6.addr)) {
-			struct in6_addr *src;
-
-			if (IN6_IS_ADDR_LINKLOCAL(&c->ip6.gw))
-				src = &c->ip6.gw;
-			else
-				src = &c->ip6.addr_ll;
-
-			memcpy(&sa6.sin6_addr, src, sizeof(*src));
-		}
-
-		inany_from_af(&conn->addr, AF_INET6, &sa6.sin6_addr);
-
-		conn->sock_port = ntohs(sa6.sin6_port);
-		conn->tap_port = ref.r.p.tcp.tcp.index;
-	} else {
-		struct sockaddr_in sa4;
-
-		memcpy(&sa4, sa, sizeof(sa4));
-
-		if (IN4_IS_ADDR_LOOPBACK(&sa4.sin_addr) ||
-		    IN4_IS_ADDR_UNSPECIFIED(&sa4.sin_addr) ||
-		    IN4_ARE_ADDR_EQUAL(&sa4.sin_addr, &c->ip4.addr_seen))
-			sa4.sin_addr = c->ip4.gw;
-
-		inany_from_af(&conn->addr, AF_INET, &sa4.sin_addr);
-
-		conn->sock_port = ntohs(sa4.sin_port);
-		conn->tap_port = ref.r.p.tcp.tcp.index;
-	}
+	tcp_snat_inbound(c, &conn->addr);
 
 	tcp_seq_init(c, conn, now);
 	tcp_hash_insert(c, conn);
-- 
2.38.1

