From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail.ozlabs.org (mail.ozlabs.org [IPv6:2404:9400:2221:ea00::3])
	by passt.top (Postfix) with ESMTPS id 262635A031E
	for <passt-dev@passt.top>; Fri, 05 Jul 2024 04:07:40 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gibson.dropbear.id.au; s=202312; t=1720145250;
	bh=tM9mf0wmehtfvhcnMjuv9K9Hl6locBVwhM0ZBV/ss+8=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=DSU2dTyzw5raReQeKemD8b2mvohvHuH7KiQzVPeC1J89Vuw0/YcFo9sh98IFcWdvw
	 lX0y49lr1BjQvjkAHSLuQc/dEmRVgfVEebBzosVcts3JUsI/dF93c72/cKa5X4WPKD
	 R1bTwavgk1gJ8gt+odDDpEl7iHA0LJaccIUA8kmhpERWa0fjh1UGvL7iiJMgJ0TR1u
	 b2nhrdO9idxiE31QlxkUdEWI/LOIJkr/2J6GyVWkr5Y624sdE2OSTQ4eRlx22u8q/8
	 y3cB7Gdw3oXgj3NXKk6V4+MNj8xOg0BMl87KXjgokJidXHsHYLIHW/jajPPbDnjGYH
	 +UhuF5caEereA==
Received: by gandalf.ozlabs.org (Postfix, from userid 1007)
	id 4WFcNL6wLnz4wxx; Fri,  5 Jul 2024 12:07:30 +1000 (AEST)
From: David Gibson <david@gibson.dropbear.id.au>
To: Stefano Brivio <sbrivio@redhat.com>,
	passt-dev@passt.top
Subject: [PATCH v7 05/27] tcp: Manage outbound address via flow table
Date: Fri,  5 Jul 2024 12:07:02 +1000
Message-ID: <20240705020724.3447719-6-david@gibson.dropbear.id.au>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <20240705020724.3447719-1-david@gibson.dropbear.id.au>
References: <20240705020724.3447719-1-david@gibson.dropbear.id.au>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-ID-Hash: 3J7X5CGE5DQZWPJ3ZQ3JNDAVECZCZU4F
X-Message-ID-Hash: 3J7X5CGE5DQZWPJ3ZQ3JNDAVECZCZU4F
X-MailFrom: dgibson@gandalf.ozlabs.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: jmaloy@redhat.com, David Gibson <david@gibson.dropbear.id.au>
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/20240705020724.3447719-6-david@gibson.dropbear.id.au/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/3J7X5CGE5DQZWPJ3ZQ3JNDAVECZCZU4F/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

For now when we forward a connection to the host we leave the host side
forwarding address and port blank since we don't necessarily know what
source address and port will be used by the kernel.  When the outbound
address option is active, though, we do know the address at least, so we
can record it in the flowside.

Having done that, use it as the primary source of truth, binding the
outgoing socket based on the information in there.  This allows the
possibility of more complex rules for what outbound address and/or port
we use in future.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
---
 tcp.c | 92 +++++++++++++++++++++++++++++++----------------------------
 1 file changed, 49 insertions(+), 43 deletions(-)

diff --git a/tcp.c b/tcp.c
index b03028ad..f92414fb 100644
--- a/tcp.c
+++ b/tcp.c
@@ -1535,46 +1535,47 @@ static uint16_t tcp_conn_tap_mss(const struct tcp_tap_conn *conn,
 /**
  * tcp_bind_outbound() - Bind socket to outbound address and interface if given
  * @c:		Execution context
+ * @conn:	Connection entry for socket to bind
  * @s:		Outbound TCP socket
- * @af:		Address family
  */
-static void tcp_bind_outbound(const struct ctx *c, int s, sa_family_t af)
+static void tcp_bind_outbound(const struct ctx *c,
+			      const struct tcp_tap_conn *conn, int s)
 {
-	if (af == AF_INET) {
-		if (!IN4_IS_ADDR_UNSPECIFIED(&c->ip4.addr_out)) {
-			struct sockaddr_in addr4 = {
-				.sin_family = AF_INET,
-				.sin_port = 0,
-				.sin_addr = c->ip4.addr_out,
-			};
-
-			if (bind(s, (struct sockaddr *)&addr4, sizeof(addr4)))
-				debug_perror("IPv4 TCP socket address bind");
+	const struct flowside *tgt = &conn->f.side[TGTSIDE];
+	union sockaddr_inany bind_sa;
+	socklen_t sl;
+
+
+	if (pif_sockaddr(c, &bind_sa, &sl, PIF_HOST, &tgt->faddr, tgt->fport)) {
+		if (bind(s, &bind_sa.sa, sl)) {
+			char sstr[INANY_ADDRSTRLEN];
+
+			flow_dbg(conn,
+				 "Can't bind TCP outbound socket to %s:%hu: %s",
+				 inany_ntop(&tgt->faddr, sstr, sizeof(sstr)),
+				 tgt->fport, strerror(errno));
 		}
+	}
 
+	if (bind_sa.sa_family == AF_INET) {
 		if (*c->ip4.ifname_out) {
 			if (setsockopt(s, SOL_SOCKET, SO_BINDTODEVICE,
 				       c->ip4.ifname_out,
-				       strlen(c->ip4.ifname_out)))
-				debug_perror("IPv4 TCP socket interface bind");
-		}
-	} else if (af == AF_INET6) {
-		if (!IN6_IS_ADDR_UNSPECIFIED(&c->ip6.addr_out)) {
-			struct sockaddr_in6 addr6 = {
-				.sin6_family = AF_INET6,
-				.sin6_port = 0,
-				.sin6_addr = c->ip6.addr_out,
-			};
-
-			if (bind(s, (struct sockaddr *)&addr6, sizeof(addr6)))
-				debug_perror("IPv6 TCP socket address bind");
+				       strlen(c->ip4.ifname_out))) {
+				flow_dbg(conn, "Can't bind IPv4 TCP socket to"
+					 " interface %s: %s", c->ip4.ifname_out,
+					 strerror(errno));
+			}
 		}
-
+	} else if (bind_sa.sa_family == AF_INET6) {
 		if (*c->ip6.ifname_out) {
 			if (setsockopt(s, SOL_SOCKET, SO_BINDTODEVICE,
 				       c->ip6.ifname_out,
-				       strlen(c->ip6.ifname_out)))
-				debug_perror("IPv6 TCP socket interface bind");
+				       strlen(c->ip6.ifname_out))) {
+				flow_dbg(conn, "Can't bind IPv6 TCP socket to"
+					 " interface %s: %s", c->ip6.ifname_out,
+					 strerror(errno));
+			}
 		}
 	}
 }
@@ -1597,9 +1598,9 @@ static void tcp_conn_from_tap(struct ctx *c, sa_family_t af,
 {
 	in_port_t srcport = ntohs(th->source);
 	in_port_t dstport = ntohs(th->dest);
+	union inany_addr srcaddr, dstaddr; /* FIXME: Avoid bulky temporaries */
 	const struct flowside *ini, *tgt;
 	struct tcp_tap_conn *conn;
-	union inany_addr dstaddr; /* FIXME: Avoid bulky temporary */
 	union sockaddr_inany sa;
 	union flow *flow;
 	int s = -1, mss;
@@ -1620,9 +1621,24 @@ static void tcp_conn_from_tap(struct ctx *c, sa_family_t af,
 
 	}
 
-	/* FIXME: Record outbound source address when known */
+	if (inany_is_linklocal6(&dstaddr)) {
+		srcaddr.a6 = c->ip6.addr_ll;
+	} else if (inany_is_loopback(&dstaddr)) {
+		srcaddr = dstaddr;
+	} else if (inany_v4(&dstaddr)) {
+		if (!IN4_IS_ADDR_UNSPECIFIED(&c->ip4.addr_out))
+			srcaddr = inany_from_v4(c->ip4.addr_out);
+		else
+			srcaddr = inany_any4;
+	} else {
+		if (!IN6_IS_ADDR_UNSPECIFIED(&c->ip6.addr_out))
+			srcaddr.a6 = c->ip6.addr_out;
+		else
+			srcaddr = inany_any6;
+	}
+
 	tgt = flow_target_af(flow, PIF_HOST, AF_INET6,
-			     NULL, 0, /* Kernel decides source address */
+			     &srcaddr, 0, /* Kernel decides source port */
 			     &dstaddr, dstport);
 	conn = FLOW_SET_TYPE(flow, FLOW_TCP, tcp);
 
@@ -1685,18 +1701,6 @@ static void tcp_conn_from_tap(struct ctx *c, sa_family_t af,
 			goto cancel;
 	}
 
-	if (inany_is_linklocal6(&tgt->eaddr)) {
-		struct sockaddr_in6 addr6_ll = {
-			.sin6_family = AF_INET6,
-			.sin6_addr = c->ip6.addr_ll,
-			.sin6_scope_id = c->ifi6,
-		};
-		if (bind(s, (struct sockaddr *)&addr6_ll, sizeof(addr6_ll)))
-			goto cancel;
-	} else if (!inany_is_loopback(&tgt->eaddr)) {
-		tcp_bind_outbound(c, s, af);
-	}
-
 	conn->sock = s;
 	conn->timer = -1;
 	conn_event(c, conn, TAP_SYN_RCVD);
@@ -1725,6 +1729,8 @@ static void tcp_conn_from_tap(struct ctx *c, sa_family_t af,
 
 	tcp_hash_insert(c, conn);
 
+	tcp_bind_outbound(c, conn, s);
+
 	if (connect(s, &sa.sa, sl)) {
 		if (errno != EINPROGRESS) {
 			tcp_rst(c, conn);
-- 
2.45.2