From: David Gibson <david@gibson.dropbear.id.au>
To: Stefano Brivio <sbrivio@redhat.com>, passt-dev@passt.top
Cc: David Gibson <david@gibson.dropbear.id.au>
Subject: [PATCH 5/5] udp: Remove PORT_ADDR_SEEN "connection" tracking mode
Date: Wed, 17 May 2023 15:05:29 +1000 [thread overview]
Message-ID: <20230517050529.3505590-6-david@gibson.dropbear.id.au> (raw)
In-Reply-To: <20230517050529.3505590-1-david@gibson.dropbear.id.au>
The mode of UDP NAT represented by PORT_ADDR_SEEN isn't actually useful.
In most cases addr_seen and addr will be the same, in which case it's just
redundant with PORT_ADDR. If they are different, that means the guest is
using an address different from the one it's been assigned. The natural
consequence of doing that is that you can't communicate with some other
host which is using the address you squatted. We don't need to shield
the guest from the consequences of shooting itself in the foot this way.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
---
udp.c | 22 ++++------------------
1 file changed, 4 insertions(+), 18 deletions(-)
diff --git a/udp.c b/udp.c
index 3c78fca..2d05584 100644
--- a/udp.c
+++ b/udp.c
@@ -123,13 +123,11 @@
/**
* enum udp_port_remote - Original remote address of UDP "connection" to a port
* @PORT_LOOPBACK - Original remote address was (host side) loopback
- * @PORT_ADDR_SEEN - Original remote address was the same as the guest is using
- * @PORT_ADDR - Original remote address was guest assigned address
+ * @PORT_ADDR - Original remote address was host address shared with guest
*/
enum udp_port_remote {
PORT_LOOPBACK = 0,
- PORT_ADDR_SEEN = 1,
- PORT_ADDR = 2,
+ PORT_ADDR = 1,
};
/**
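Review bot: PORT_ADDR changes numeric value from 2 to 1 here, which is safe only because `remote` is never compared against a literal or persisted; in the visible hunks it is only assigned from the enum in udp_update_hdr4()/udp_update_hdr6() and switched on in udp_tap_handler(), so this looks fine but is worth a sentence in the commit message. The doc line for PORT_ADDR could also say what the value is used for, e.g. `* @PORT_ADDR - Original remote address was host address shared with guest (reply goes back to c->ip4.addr / c->ip6.addr)`, since the enum now encodes the only two bind choices udp_tap_handler() makes.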
@@ -605,17 +603,14 @@ static size_t udp_update_hdr4(const struct ctx *c, int n, in_port_t dstport,
IN4_ARE_ADDR_EQUAL(src, &c->ip4.dns_host) && src_port == 53) {
b->iph.saddr = c->ip4.dns_match.s_addr;
} else if (IN4_IS_ADDR_LOOPBACK(src) ||
- IN4_ARE_ADDR_EQUAL(src, &c->ip4.addr_seen) ||
IN4_ARE_ADDR_EQUAL(src, &c->ip4.addr)) {
b->iph.saddr = c->ip4.gw.s_addr;
udp_tap_map[V4][src_port].ts = now->tv_sec;
if (IN4_IS_ADDR_LOOPBACK(src))
udp_tap_map[V4][src_port].remote = PORT_LOOPBACK;
- else if (IN4_ARE_ADDR_EQUAL(src, &c->ip4.addr))
- udp_tap_map[V4][src_port].remote = PORT_ADDR;
else
- udp_tap_map[V4][src_port].remote = PORT_ADDR_SEEN;
+ udp_tap_map[V4][src_port].remote = PORT_ADDR;
bitmap_set(udp_act[V4][UDP_ACT_TAP], src_port);
} else {
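Review bot: The remaining `if (IN4_IS_ADDR_LOOPBACK(src)) ... else ... PORT_ADDR` pair now relies on the enclosing `else if` condition two lines above to guarantee that a non-loopback src is exactly c->ip4.addr; that invariant is easy to lose if someone later widens the outer condition again. A one-line comment on the `else` branch, `/* enclosing condition guarantees src == c->ip4.addr here */`, would pin it. The same applies to the IPv6 counterpart in the udp_update_hdr6() hunk at -676,10 +670,8. The body of udp_update_hdr4() begins and ends outside this hunk.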
@@ -663,7 +658,6 @@ static size_t udp_update_hdr6(const struct ctx *c, int n, in_port_t dstport,
b->ip6h.daddr = c->ip6.addr_seen;
b->ip6h.saddr = c->ip6.dns_match;
} else if (IN6_IS_ADDR_LOOPBACK(src) ||
- IN6_ARE_ADDR_EQUAL(src, &c->ip6.addr_seen) ||
IN6_ARE_ADDR_EQUAL(src, &c->ip6.addr)) {
b->ip6h.daddr = c->ip6.addr_ll_seen;
@@ -676,10 +670,8 @@ static size_t udp_update_hdr6(const struct ctx *c, int n, in_port_t dstport,
if (IN6_IS_ADDR_LOOPBACK(src))
udp_tap_map[V6][src_port].remote = PORT_LOOPBACK;
- else if (IN6_ARE_ADDR_EQUAL(src, &c->ip6.addr))
- udp_tap_map[V6][src_port].remote = PORT_ADDR;
else
- udp_tap_map[V6][src_port].remote = PORT_ADDR_SEEN;
+ udp_tap_map[V6][src_port].remote = PORT_ADDR;
bitmap_set(udp_act[V6][UDP_ACT_TAP], src_port);
} else {
@@ -863,9 +855,6 @@ int udp_tap_handler(struct ctx *c, int af, const void *addr,
case PORT_ADDR:
s_in.sin_addr = c->ip4.addr;
break;
- case PORT_ADDR_SEEN:
- s_in.sin_addr = c->ip4.addr_seen;
- break;
}
}
@@ -915,9 +904,6 @@ int udp_tap_handler(struct ctx *c, int af, const void *addr,
case PORT_ADDR:
s_in6.sin6_addr = c->ip6.addr;
break;
- case PORT_ADDR_SEEN:
- s_in6.sin6_addr = c->ip6.addr_seen;
- break;
}
} else if (IN6_IS_ADDR_LINKLOCAL(&s_in6.sin6_addr)) {
bind_addr = &c->ip6.addr_ll;
--
@@ -123,13 +123,11 @@
/**
* enum udp_port_remote - Original remote address of UDP "connection" to a port
* @PORT_LOOPBACK - Original remote address was (host side) loopback
- * @PORT_ADDR_SEEN - Original remote address was the same as the guest is using
- * @PORT_ADDR - Original remote address was guest assigned address
+ * @PORT_ADDR - Original remote address was host address shared with guest
*/
enum udp_port_remote {
PORT_LOOPBACK = 0,
- PORT_ADDR_SEEN = 1,
- PORT_ADDR = 2,
+ PORT_ADDR = 1,
};
/**
@@ -605,17 +603,14 @@ static size_t udp_update_hdr4(const struct ctx *c, int n, in_port_t dstport,
IN4_ARE_ADDR_EQUAL(src, &c->ip4.dns_host) && src_port == 53) {
b->iph.saddr = c->ip4.dns_match.s_addr;
} else if (IN4_IS_ADDR_LOOPBACK(src) ||
- IN4_ARE_ADDR_EQUAL(src, &c->ip4.addr_seen) ||
IN4_ARE_ADDR_EQUAL(src, &c->ip4.addr)) {
b->iph.saddr = c->ip4.gw.s_addr;
udp_tap_map[V4][src_port].ts = now->tv_sec;
if (IN4_IS_ADDR_LOOPBACK(src))
udp_tap_map[V4][src_port].remote = PORT_LOOPBACK;
- else if (IN4_ARE_ADDR_EQUAL(src, &c->ip4.addr))
- udp_tap_map[V4][src_port].remote = PORT_ADDR;
else
- udp_tap_map[V4][src_port].remote = PORT_ADDR_SEEN;
+ udp_tap_map[V4][src_port].remote = PORT_ADDR;
bitmap_set(udp_act[V4][UDP_ACT_TAP], src_port);
} else {
@@ -663,7 +658,6 @@ static size_t udp_update_hdr6(const struct ctx *c, int n, in_port_t dstport,
b->ip6h.daddr = c->ip6.addr_seen;
b->ip6h.saddr = c->ip6.dns_match;
} else if (IN6_IS_ADDR_LOOPBACK(src) ||
- IN6_ARE_ADDR_EQUAL(src, &c->ip6.addr_seen) ||
IN6_ARE_ADDR_EQUAL(src, &c->ip6.addr)) {
b->ip6h.daddr = c->ip6.addr_ll_seen;
@@ -676,10 +670,8 @@ static size_t udp_update_hdr6(const struct ctx *c, int n, in_port_t dstport,
if (IN6_IS_ADDR_LOOPBACK(src))
udp_tap_map[V6][src_port].remote = PORT_LOOPBACK;
- else if (IN6_ARE_ADDR_EQUAL(src, &c->ip6.addr))
- udp_tap_map[V6][src_port].remote = PORT_ADDR;
else
- udp_tap_map[V6][src_port].remote = PORT_ADDR_SEEN;
+ udp_tap_map[V6][src_port].remote = PORT_ADDR;
bitmap_set(udp_act[V6][UDP_ACT_TAP], src_port);
} else {
@@ -863,9 +855,6 @@ int udp_tap_handler(struct ctx *c, int af, const void *addr,
case PORT_ADDR:
s_in.sin_addr = c->ip4.addr;
break;
- case PORT_ADDR_SEEN:
- s_in.sin_addr = c->ip4.addr_seen;
- break;
}
}
@@ -915,9 +904,6 @@ int udp_tap_handler(struct ctx *c, int af, const void *addr,
case PORT_ADDR:
s_in6.sin6_addr = c->ip6.addr;
break;
- case PORT_ADDR_SEEN:
- s_in6.sin6_addr = c->ip6.addr_seen;
- break;
}
} else if (IN6_IS_ADDR_LINKLOCAL(&s_in6.sin6_addr)) {
bind_addr = &c->ip6.addr_ll;
--
2.40.1