From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	by passt.top (Postfix) with ESMTP id 94EEA5A0082
	for <passt-dev@passt.top>; Fri, 25 Nov 2022 02:47:57 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1669340876;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=Cq1Yf79jsS2ANs5QasDPHpHbRu2bancLicdS54Owfn4=;
	b=KOjRqTfSLhavQQhIgkugrOfmlxoVgMWfrYDZLFw7B8GdCJd/7k70DNU5ne5yQ3PFQd97hB
	1qLKxXpXEbj0oN6zz8HsaYarfgOqAlXzEebLX0Sxqm4ncL8yhFcF6CXmwjlqPDXA6v7WxR
	bDlB2wzo33+igp8AE5DXmFKqthw8CEk=
Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com
 [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-537-xTPei_dwNFO0Ik17NyOcvA-1; Thu, 24 Nov 2022 20:47:55 -0500
X-MC-Unique: xTPei_dwNFO0Ik17NyOcvA-1
Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.rdu2.redhat.com [10.11.54.7])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 925E0801585;
	Fri, 25 Nov 2022 01:47:54 +0000 (UTC)
Received: from maya.cloud.tilaa.com (ovpn-208-30.brq.redhat.com [10.40.208.30])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 589931415114;
	Fri, 25 Nov 2022 01:47:54 +0000 (UTC)
Date: Fri, 25 Nov 2022 02:47:51 +0100
From: Stefano Brivio <sbrivio@redhat.com>
To: David Gibson <david@gibson.dropbear.id.au>
Subject: Re: [PATCH v2 01/16] udp: Also bind() connected ports for "splice"
 forwarding
Message-ID: <20221125024751.36cbc4be@elisabeth>
In-Reply-To: <20221124011659.1024901-2-david@gibson.dropbear.id.au>
References: <20221124011659.1024901-1-david@gibson.dropbear.id.au>
	<20221124011659.1024901-2-david@gibson.dropbear.id.au>
Organization: Red Hat
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.1 on 10.11.54.7
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-ID-Hash: LZWBKNVNKZP6ZLR26ZYUM4G6ON4PRRAU
X-Message-ID-Hash: LZWBKNVNKZP6ZLR26ZYUM4G6ON4PRRAU
X-MailFrom: sbrivio@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: passt-dev@passt.top
X-Mailman-Version: 3.3.3
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/20221125024751.36cbc4be@elisabeth/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/LZWBKNVNKZP6ZLR26ZYUM4G6ON4PRRAU/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

On Thu, 24 Nov 2022 12:16:44 +1100
David Gibson <david@gibson.dropbear.id.au> wrote:

> pasta handles "spliced" port forwarding by resending datagrams received on
> a bound socket in the init namespace to a connected socket in the guest
> namespace.  This means there are actually three ports associated with each
> "connection".  First there's the source and destination ports of the
> originating datagram.  That's also the destination port of the forwarded
> datagram, but the source port of the forwarded datagram is the kernel
> allocated bound address of the connected socket.
> 
> However, by bind()ing as well as connect()ing the forwarding socket we can
> choose the source port of the forwarded datagrams.  By choosing it to match
> the original source port we remove that surprising third port number and
> no longer need to store port numbers in struct udp_splice_port.

If you wondered, I think the whole connect() with getsockname() thing
without a bind() came from the fundamental misconception I had that you
couldn't connect() a bound socket -- and I didn't quite think of
dropping connect() as you do in 3/16 anyway.

There's one minor problem this introduces: the source port of the
originating datagram now needs to be free in the init namespace. It's
still better than the alternative problem you fix in 16/16, though.

I'm wondering if we could, _once you're done with all this_ (it already
looks complicated enough), revisit the 'goto fail' in
udp_splice_connect() (now udp_splice_new()) when bind() fails, and just
proceed with an ephemeral port then.

Also, I haven't tried, but I'm not sure if this introduces some kind of
DoS possibility: even if pasta forwards a single port, it should be
possible for a remote host to make pasta bind to a large amount of
non-ephemeral ports.

Maybe it would make sense to think of a limit on how many ports a
single peer could cause pasta to bind.

I'm not sure yet how we could track peers without a separate address
storage (even though keeping an LRU array should be feasible) -- the
simpler alternative, limiting bound ports by destination port, would
offer an even more convenient way to a DoS.

On the other hand, this is exceedingly minor I guess. We're binding
ports in the namespace after all, and we can reuse bound sockets.

-- 
Stefano