From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from gandalf.ozlabs.org (gandalf.ozlabs.org [150.107.74.76]) by passt.top (Postfix) with ESMTPS id 491E45A027F for ; Wed, 17 May 2023 07:05:38 +0200 (CEST)
Received: by gandalf.ozlabs.org (Postfix, from userid 1007) id 4QLgzH2r0Jz4x3d; Wed, 17 May 2023 15:05:31 +1000 (AEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gibson.dropbear.id.au; s=201602; t=1684299931; bh=8HO/uvS9uwELDscYkg4noR+TtecVCOh9spnyznsUde4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=DUqqvO0YW8qkjsiFFyM0sy8QZw6p2JmW+RJ70uM6aOJdFZ9ZFfdiHhLNLrBhTEWy0 7D7M32QvDiwlyW6AyU7NXqoGIJt+4ML5pqdjtWx6KIad29XxumFizbb4WAlizxrQzI 9lJTJ2VtrScq6AuwFWHm7BZPYyTLtPQjRbhgGeK0=
From: David Gibson
To: Stefano Brivio , passt-dev@passt.top
Subject: [PATCH 5/5] udp: Remove PORT_ADDR_SEEN "connection" tracking mode
Date: Wed, 17 May 2023 15:05:29 +1000
Message-Id: <20230517050529.3505590-6-david@gibson.dropbear.id.au>
X-Mailer: git-send-email 2.40.1
In-Reply-To: <20230517050529.3505590-1-david@gibson.dropbear.id.au>
References: <20230517050529.3505590-1-david@gibson.dropbear.id.au>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-ID-Hash: BZ5MED7FPTIZHDBLZ4K27CBFPYGFQOSF
X-Message-ID-Hash: BZ5MED7FPTIZHDBLZ4K27CBFPYGFQOSF
X-MailFrom: dgibson@gandalf.ozlabs.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: David Gibson
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt
Archived-At:
Archived-At:
List-Archive:
List-Archive:
List-Help:
List-Owner:
List-Post:
List-Subscribe:
List-Unsubscribe:

The mode of UDP NAT represented by PORT_ADDR_SEEN isn't actually useful. In most cases addr_seen and addr will be the same, in which case it's just redundant with PORT_ADDR. If they are different, that means the guest is using an address different from the one it's been assigned. The natural consequence of doing that is that you can't communicate with some other host which is using the address you squatted. We don't need to shield the guest from the consequences of shooting itself in the foot this way.

Signed-off-by: David Gibson
---
 udp.c | 22 ++++------------------
 1 file changed, 4 insertions(+), 18 deletions(-)

diff --git a/udp.c b/udp.c
index 3c78fca..2d05584 100644
--- a/udp.c
+++ b/udp.c
@@ -123,13 +123,11 @@ /** * enum udp_port_remote - Original remote address of UDP "connection" to a port * @PORT_LOOPBACK - Original remote address was (host side) loopback - * @PORT_ADDR_SEEN - Original remote address was the same as the guest is using - * @PORT_ADDR - Original remote address was guest assigned address + * @PORT_ADDR - Original remote address was host address shared with guest */ enum udp_port_remote { PORT_LOOPBACK = 0, - PORT_ADDR_SEEN = 1, - PORT_ADDR = 2, + PORT_ADDR = 1, }; /** @@ -605,17 +603,14 @@ static size_t udp_update_hdr4(const struct ctx *c, int n, in_port_t dstport, IN4_ARE_ADDR_EQUAL(src, &c->ip4.dns_host) && src_port == 53) { b->iph.saddr = c->ip4.dns_match.s_addr; } else if (IN4_IS_ADDR_LOOPBACK(src) || - IN4_ARE_ADDR_EQUAL(src, &c->ip4.addr_seen) || IN4_ARE_ADDR_EQUAL(src, &c->ip4.addr)) { b->iph.saddr = c->ip4.gw.s_addr; udp_tap_map[V4][src_port].ts = now->tv_sec; if (IN4_IS_ADDR_LOOPBACK(src)) udp_tap_map[V4][src_port].remote = PORT_LOOPBACK; - else if (IN4_ARE_ADDR_EQUAL(src, &c->ip4.addr)) - udp_tap_map[V4][src_port].remote = PORT_ADDR; else - udp_tap_map[V4][src_port].remote = PORT_ADDR_SEEN; + udp_tap_map[V4][src_port].remote = PORT_ADDR; bitmap_set(udp_act[V4][UDP_ACT_TAP], src_port); } else { @@ -663,7 +658,6 @@ static size_t udp_update_hdr6(const struct ctx *c, int n, in_port_t dstport, b->ip6h.daddr = c->ip6.addr_seen; b->ip6h.saddr = c->ip6.dns_match; } else if (IN6_IS_ADDR_LOOPBACK(src) || - IN6_ARE_ADDR_EQUAL(src, &c->ip6.addr_seen) || IN6_ARE_ADDR_EQUAL(src, &c->ip6.addr)) { b->ip6h.daddr = c->ip6.addr_ll_seen; 
@@ -676,10 +670,8 @@ static size_t udp_update_hdr6(const struct ctx *c, int n, in_port_t dstport, if (IN6_IS_ADDR_LOOPBACK(src)) udp_tap_map[V6][src_port].remote = PORT_LOOPBACK; - else if (IN6_ARE_ADDR_EQUAL(src, &c->ip6.addr)) - udp_tap_map[V6][src_port].remote = PORT_ADDR; else - udp_tap_map[V6][src_port].remote = PORT_ADDR_SEEN; + udp_tap_map[V6][src_port].remote = PORT_ADDR; bitmap_set(udp_act[V6][UDP_ACT_TAP], src_port); } else { @@ -863,9 +855,6 @@ int udp_tap_handler(struct ctx *c, int af, const void *addr, case PORT_ADDR: s_in.sin_addr = c->ip4.addr; break; - case PORT_ADDR_SEEN: - s_in.sin_addr = c->ip4.addr_seen; - break; } } @@ -915,9 +904,6 @@ int udp_tap_handler(struct ctx *c, int af, const void *addr, case PORT_ADDR: s_in6.sin6_addr = c->ip6.addr; break; - case PORT_ADDR_SEEN: - s_in6.sin6_addr = c->ip6.addr_seen; - break; } } else if (IN6_IS_ADDR_LINKLOCAL(&s_in6.sin6_addr)) { bind_addr = &c->ip6.addr_ll; -- 2.40.1
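Review bot: in the enum hunk PORT_ADDR changes numeric value from 2 to 1, and the only thing that makes that safe is that udp_tap_map[].remote is never persisted, serialised or compared against a literal; the visible lines are consistent with that but do not show it, so one sentence in the commit message confirming it would help the next reader. The new comment "host address shared with guest" would also be clearer if it named the field it stands for (c->ip4.addr / c->ip6.addr), since that is exactly what the PORT_ADDR case in udp_tap_handler assigns.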
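Review bot: in the udp_update_hdr4 hunk the surviving `else` now labels every non-loopback source as PORT_ADDR, which is only correct because the enclosing condition has just been narrowed to exactly `IN4_IS_ADDR_LOOPBACK(src) || IN4_ARE_ADDR_EQUAL(src, &c->ip4.addr)`. The removed addr_seen test is itself evidence that this condition gets widened over time, and if it is widened again the label will be wrong without any compiler or runtime signal. Either keep the explicit `else if (IN4_ARE_ADDR_EQUAL(src, &c->ip4.addr))` or add a comment tying the `else` to the outer condition; the second udp_update_hdr6 hunk has the same shape and would want the same treatment.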
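Review bot: the first udp_update_hdr6 hunk removes the source match on c->ip6.addr_seen, but the unchanged context just above still writes `b->ip6h.daddr = c->ip6.addr_seen;` for the DNS case and the line after the hunk still uses c->ip6.addr_ll_seen as the destination. The commit message reads as though addr_seen tracking is being dropped altogether; it should state that only matching on addr_seen as a host-side source is removed, while addr_seen / addr_ll_seen remain the destination the guest is actually reachable at, so that nobody later "finishes" the removal by touching those lines too.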
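Review bot: in the udp_tap_handler hunks the `switch` on the saved remote now covers PORT_LOOPBACK and PORT_ADDR with no `default`, and after this patch the enum has only those two values. With a two-valued enum a `default:` that asserts (or a comment stating the switch is exhaustive) makes the intent explicit and turns any stray value in udp_tap_map into a visible failure instead of a silent fall-through that leaves s_in.sin_addr / s_in6.sin6_addr untouched; the IPv6 hunk additionally falls into the link-local check right after the switch, so an unhandled value there would change which bind address is chosen.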