From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail.ozlabs.org (mail.ozlabs.org [IPv6:2404:9400:2221:ea00::3]) by passt.top (Postfix) with ESMTPS id A9CEE5A005B for ; Fri, 14 Jun 2024 08:13:59 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gibson.dropbear.id.au; s=202312; t=1718345632; bh=EOvqu6O9gS/10H2BDCJyMXKxxywe14LZJkFExsFYdPc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=R4Q6dxsZBghPP3puxIVnJoQkA3kGn/4GeYyamKnGQwpZSJzv8LZFqRYMt3jOEZYFB VSULHQxequzoleqwwbUsd1rBUAm9uVsQ/LyOoPhx7gy7sM2o71UTlqb/sfRzfTHR8f 6sMG3myuXmw0sTw1JZmdG2v84moNML2LOrgakohwb5We9Vmri/ljqqla8t2bZX/2KC SqHEtgzOeZQSjVnjqCPkXpclmPAuzjWIWXmy2qpKuBfZGJIrMhkWsQxb4yAUxOXeEZ UB1h0jX1VJKGVi50EgUa3TGiTGk/gP0a1yJno5gKbea+vIakZyAL8XY4s6SwTtDZzt pgTkT+6YFfdqg== Received: by gandalf.ozlabs.org (Postfix, from userid 1007) id 4W0prJ0gH2z4wyf; Fri, 14 Jun 2024 16:13:52 +1000 (AEST) From: David Gibson To: Stefano Brivio , passt-dev@passt.top Subject: [PATCH v6 06/26] tcp: Simplify endpoint validation using flowside information Date: Fri, 14 Jun 2024 16:13:28 +1000 Message-ID: <20240614061348.3814736-7-david@gibson.dropbear.id.au> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240614061348.3814736-1-david@gibson.dropbear.id.au> References: <20240614061348.3814736-1-david@gibson.dropbear.id.au> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Message-ID-Hash: LLAWAXRBLRVAT6JCPW2RADKRMDFNDWJM X-Message-ID-Hash: LLAWAXRBLRVAT6JCPW2RADKRMDFNDWJM X-MailFrom: dgibson@gandalf.ozlabs.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: jmaloy@redhat.com, David Gibson X-Mailman-Version: 3.3.8 Precedence: list List-Id: Development discussion and patches for passt Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Now that we store all our endpoints in the flowside structure, use some inany helpers to make validation of those endpoints simpler. Signed-off-by: David Gibson --- inany.h | 1 - tcp.c | 72 +++++++++++++++------------------------------------------ 2 files changed, 18 insertions(+), 55 deletions(-) diff --git a/inany.h b/inany.h index 2bf3becf..27b1c88f 100644 --- a/inany.h +++ b/inany.h @@ -211,7 +211,6 @@ static inline bool inany_is_multicast(const union inany_addr *a) * * Return: true if @a is specified and a unicast address */ -/* cppcheck-suppress unusedFunction */ static inline bool inany_is_unicast(const union inany_addr *a) { return !inany_is_unspecified(a) && !inany_is_multicast(a); diff --git a/tcp.c b/tcp.c index 74883312..09add999 100644 --- a/tcp.c +++ b/tcp.c @@ -1615,38 +1615,14 @@ static void tcp_conn_from_tap(struct ctx *c, sa_family_t af, ini = flow_initiate_af(flow, PIF_TAP, af, saddr, srcport, daddr, dstport); - if (af == AF_INET) { - if (IN4_IS_ADDR_UNSPECIFIED(saddr) || - IN4_IS_ADDR_BROADCAST(saddr) || - IN4_IS_ADDR_MULTICAST(saddr) || srcport == 0 || - IN4_IS_ADDR_UNSPECIFIED(daddr) || - IN4_IS_ADDR_BROADCAST(daddr) || - IN4_IS_ADDR_MULTICAST(daddr) || dstport == 0) { - char sstr[INET_ADDRSTRLEN], dstr[INET_ADDRSTRLEN]; - - debug("Invalid endpoint in TCP SYN: %s:%hu -> %s:%hu", - inet_ntop(AF_INET, saddr, sstr, sizeof(sstr)), - srcport, - inet_ntop(AF_INET, daddr, dstr, sizeof(dstr)), - dstport); - goto cancel; - } - } else if (af == AF_INET6) { - if (IN6_IS_ADDR_UNSPECIFIED(saddr) || - IN6_IS_ADDR_MULTICAST(saddr) || srcport == 0 || - IN6_IS_ADDR_UNSPECIFIED(daddr) || - IN6_IS_ADDR_MULTICAST(daddr) || dstport == 0) { - char sstr[INET6_ADDRSTRLEN], dstr[INET6_ADDRSTRLEN]; - - debug("Invalid endpoint in TCP SYN: %s:%hu -> %s:%hu", - inet_ntop(AF_INET6, saddr, sstr, sizeof(sstr)), - srcport, - inet_ntop(AF_INET6, daddr, dstr, sizeof(dstr)), - dstport); - goto cancel; - } - } else { - ASSERT(0); + if (!inany_is_unicast(&ini->eaddr) || ini->eport == 0 || + !inany_is_unicast(&ini->faddr) || ini->fport == 0) { + char sstr[INANY_ADDRSTRLEN], dstr[INANY_ADDRSTRLEN]; + + debug("Invalid endpoint in TCP SYN: %s:%hu -> %s:%hu", + inany_ntop(&ini->eaddr, sstr, sizeof(sstr)), ini->eport, + inany_ntop(&ini->faddr, dstr, sizeof(dstr)), ini->fport); + goto cancel; } if ((s = tcp_conn_sock(c, af)) < 0) @@ -2270,7 +2246,7 @@ static void tcp_tap_conn_from_sock(struct ctx *c, in_port_t dstport, void tcp_listen_handler(struct ctx *c, union epoll_ref ref, const struct timespec *now) { - char sastr[SOCKADDR_STRLEN]; + const struct flowside *ini; union sockaddr_inany sa; socklen_t sl = sizeof(sa); union flow *flow; @@ -2285,23 +2261,15 @@ void tcp_listen_handler(struct ctx *c, union epoll_ref ref, /* FIXME: When listening port has a specific bound address, record that * as the forwarding address */ - flow_initiate_sa(flow, ref.tcp_listen.pif, &sa, ref.tcp_listen.port); - - if (sa.sa_family == AF_INET) { - const struct in_addr *addr = &sa.sa4.sin_addr; - in_port_t port = sa.sa4.sin_port; - - if (IN4_IS_ADDR_UNSPECIFIED(addr) || - IN4_IS_ADDR_BROADCAST(addr) || - IN4_IS_ADDR_MULTICAST(addr) || port == 0) - goto bad_endpoint; - } else if (sa.sa_family == AF_INET6) { - const struct in6_addr *addr = &sa.sa6.sin6_addr; - in_port_t port = sa.sa6.sin6_port; - - if (IN6_IS_ADDR_UNSPECIFIED(addr) || - IN6_IS_ADDR_MULTICAST(addr) || port == 0) - goto bad_endpoint; + ini = flow_initiate_sa(flow, ref.tcp_listen.pif, &sa, + ref.tcp_listen.port); + + if (!inany_is_unicast(&ini->eaddr) || ini->eport == 0) { + char sastr[SOCKADDR_STRLEN]; + + err("Invalid endpoint from TCP accept(): %s", + sockaddr_ntop(&sa, sastr, sizeof(sastr))); + goto cancel; } if (tcp_splice_conn_from_sock(c, ref.tcp_listen.pif, @@ -2311,10 +2279,6 @@ void tcp_listen_handler(struct ctx *c, union epoll_ref ref, tcp_tap_conn_from_sock(c, ref.tcp_listen.port, flow, s, &sa, now); return; -bad_endpoint: - err("Invalid endpoint from TCP accept(): %s", - sockaddr_ntop(&sa, sastr, sizeof(sastr))); - cancel: flow_alloc_cancel(flow); } -- 2.45.2