Date: Fri, 25 Nov 2022 02:47:51 +0100
From: Stefano Brivio
To: David Gibson
Subject: Re: [PATCH v2 01/16] udp: Also bind() connected ports for "splice" forwarding
Message-ID: <20221125024751.36cbc4be@elisabeth>
In-Reply-To: <20221124011659.1024901-2-david@gibson.dropbear.id.au>
References: <20221124011659.1024901-1-david@gibson.dropbear.id.au> <20221124011659.1024901-2-david@gibson.dropbear.id.au>
Organization: Red Hat
CC: passt-dev@passt.top
List-Id: Development discussion and patches for passt

On Thu, 24 Nov 2022 12:16:44 +1100
David Gibson wrote:

> pasta handles "spliced" port forwarding by resending datagrams received on
> a bound socket in the init namespace to a connected socket in the guest
> namespace. This means there are actually three ports associated with each
> "connection". First there's the source and destination ports of the
> originating datagram. That's also the destination port of the forwarded
> datagram, but the source port of the forwarded datagram is the kernel
> allocated bound address of the connected socket.
>
> However, by bind()ing as well as connect()ing the forwarding socket we can
> choose the source port of the forwarded datagrams. By choosing it to match
> the original source port we remove that surprising third port number and
> no longer need to store port numbers in struct udp_splice_port.

If you wondered, I think the whole connect() with getsockname() thing
without a bind() came from the fundamental misconception I had that you
couldn't connect() a bound socket -- and I didn't quite think of dropping
connect() as you do in 3/16 anyway.
There's one minor problem this introduces: the source port of the
originating datagram now needs to be free in the init namespace. It's
still better than the alternative problem you fix in 16/16, though.

I'm wondering if we could, _once you're done with all this_ (it already
looks complicated enough), revisit the 'goto fail' in udp_splice_connect()
(now udp_splice_new()) when bind() fails, and just proceed with an
ephemeral port then.

Also, I haven't tried, but I'm not sure if this introduces some kind of
DoS possibility: even if pasta forwards a single port, it should be
possible for a remote host to make pasta bind to a large amount of
non-ephemeral ports. Maybe it would make sense to think of a limit on how
many ports a single peer could cause pasta to bind.

I'm not sure yet how we could track peers without a separate address
storage (even though keeping an LRU array should be feasible) -- the
simpler alternative, limiting bound ports by destination port, would
offer an even more convenient way to a DoS.

On the other hand, this is exceedingly minor I guess. We're binding ports
in the namespace after all, and we can reuse bound sockets.

-- 
Stefano
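An added example, not part of this thread and not passt's own code, showing the socket mechanics the patch and the reply are about: a UDP socket is bind()ed to a chosen source port and then connect()ed, so the datagrams it sends carry that port (connect() on an already bound socket is fine, the local port stays what bind() chose), and when bind() fails with EADDRINUSE because the port is already taken in the init namespace, the forwarding socket falls back to an ephemeral port instead of failing outright. It assumes Linux/POSIX sockets and a usable IPv4 loopback; udp_bind_connect(), udp_splice_new_fallback() and the two demo functions are made-up names and return negative errno values on failure, kernel style.

```c
/* Added example, not passt's code: bind() a UDP socket to a chosen source
 * port, then connect() it, and check that its datagrams carry that port; on
 * EADDRINUSE fall back to an ephemeral port. All function names are made up. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* New UDP socket bound to 127.0.0.1:src_port (0 = ephemeral) and, if dst_port
 * is not 0, connect()ed to 127.0.0.1:dst_port. Returns the fd and stores the
 * port actually bound in *bound_port, or -errno (-EADDRINUSE when src_port is
 * taken). connect() on an already bound socket is legal: it only fixes the
 * peer address, the local port stays what bind() chose. */
static int udp_bind_connect(uint16_t src_port, uint16_t dst_port,
			    uint16_t *bound_port)
{
	struct sockaddr_in sa = { .sin_family = AF_INET };
	socklen_t len = sizeof(sa);
	int s = socket(AF_INET, SOCK_DGRAM, 0), saved;

	if (s < 0)
		return -errno;
	sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	sa.sin_port = htons(src_port);
	if (bind(s, (struct sockaddr *)&sa, sizeof(sa)) < 0)
		goto fail;
	sa.sin_port = htons(dst_port);
	if (dst_port && connect(s, (struct sockaddr *)&sa, sizeof(sa)) < 0)
		goto fail;
	if (getsockname(s, (struct sockaddr *)&sa, &len) < 0)
		goto fail;
	*bound_port = ntohs(sa.sin_port);
	return s;
fail:
	saved = errno;		/* close() may clobber errno */
	close(s);
	return -saved;
}

/* Same, but when src_port is taken keep the splice alive on an ephemeral port
 * (the alternative to 'goto fail' discussed in the thread). The caller can
 * tell from *bound_port != src_port that the fallback happened. */
static int udp_splice_new_fallback(uint16_t src_port, uint16_t dst_port,
				   uint16_t *bound_port)
{
	int s = udp_bind_connect(src_port, dst_port, bound_port);
	if (s == -EADDRINUSE)
		s = udp_bind_connect(0, dst_port, bound_port);
	return s;
}

/* Learn a free port S by binding to 0 and releasing it, bind+connect a
 * forwarding socket to S, send one datagram to a receiver and report whether
 * the receiver saw S as source port: 1 = yes, 0 = no, -1 = error. */
static int demo_chosen_source_port(void)
{
	struct timeval tv = { .tv_sec = 1 };	/* so recvfrom() cannot hang */
	struct sockaddr_in from;
	socklen_t flen = sizeof(from);
	uint16_t dst, want, got;
	int r, s = -1, rc = -1;
	char buf[8];

	if ((r = udp_bind_connect(0, 0, &dst)) < 0)
		return -1;
	if (setsockopt(r, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) < 0)
		goto out;
	if ((s = udp_bind_connect(0, 0, &want)) < 0)
		goto out;
	close(s);
	if ((s = udp_bind_connect(want, dst, &got)) < 0 || got != want)
		goto out;
	if (send(s, "x", 1, 0) != 1 ||
	    recvfrom(r, buf, sizeof(buf), 0, (struct sockaddr *)&from, &flen) != 1)
		goto out;
	rc = ntohs(from.sin_port) == want;
out:
	if (s >= 0)
		close(s);
	close(r);
	return rc;
}

/* Ask for the receiver's own (busy) port as source: expect the ephemeral
 * fallback, i.e. a different bound port. 1 = yes, 0 = no, -1 = error. */
static int demo_ephemeral_fallback(void)
{
	uint16_t dst, got;
	int r, s, rc = -1;
	if ((r = udp_bind_connect(0, 0, &dst)) < 0)
		return -1;
	if ((s = udp_splice_new_fallback(dst, dst, &got)) >= 0) {
		rc = got != dst;
		close(s);
	}
	close(r);
	return rc;
}
```

Both demos return 1 on a normal Linux host: the receiver sees the chosen port as the datagram's source, and asking for a port that is already bound yields an ephemeral one instead of a failed splice. Whether the fallback is the right policy is the open question in the thread: it keeps forwarding working when the init-namespace port is taken, but it reintroduces a third port number for that one flow.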