From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail.ozlabs.org (gandalf.ozlabs.org [150.107.74.76])
	by passt.top (Postfix) with ESMTPS id 4C5A15A031F
	for <passt-dev@passt.top>; Thu, 18 Jul 2024 07:27:07 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gibson.dropbear.id.au; s=202312; t=1721280418;
	bh=z/u49OR84WQoDK6F5OuOXqZTkuK+CT5E7K/20K3TPfw=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=EunemdCWFZ3HSGNtKijGHa9J1hB5Cg1XQwBdFcktIXeEJ8nPzzGqKXPdNYM5om+Kc
	 7MI580xLmL6nGXwOyH0mEaRRJmiHpuhb9y4Kj+GXvN3ucEMo7p5nLMJh9f4GnqH0a6
	 vzfsSEIUdj3LBQEfyNCGV/WKvUG1rm12CqJofdOmLlgUKmikgnixT5wxwRymrS/qlS
	 3Gf7HYDNNUZeMZg0U/fPZLUmR20xLXwGinSrRhMc3GWOSO+g9XwBx6E66lnmaBJOZP
	 Oy4E9wKz68aUM7PfB2M5vnKLEouAFOHFivf3BpPwtSBfdtC2Kqs5qOW9NTIvRe7Hy4
	 jvhEtPYU6WJ5g==
Received: by gandalf.ozlabs.org (Postfix, from userid 1007)
	id 4WPhBV5s7Hz4x12; Thu, 18 Jul 2024 15:26:58 +1000 (AEST)
From: David Gibson <david@gibson.dropbear.id.au>
To: Stefano Brivio <sbrivio@redhat.com>,
	passt-dev@passt.top
Subject: [PATCH v8 05/27] tcp: Manage outbound address via flow table
Date: Thu, 18 Jul 2024 15:26:31 +1000
Message-ID: <20240718052653.3241585-6-david@gibson.dropbear.id.au>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <20240718052653.3241585-1-david@gibson.dropbear.id.au>
References: <20240718052653.3241585-1-david@gibson.dropbear.id.au>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-ID-Hash: YKCNS7ID2Y4Y4MYBVRQXPBYOOVLNO3WS
X-Message-ID-Hash: YKCNS7ID2Y4Y4MYBVRQXPBYOOVLNO3WS
X-MailFrom: dgibson@gandalf.ozlabs.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: jmaloy@redhat.com, David Gibson <david@gibson.dropbear.id.au>
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/20240718052653.3241585-6-david@gibson.dropbear.id.au/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/YKCNS7ID2Y4Y4MYBVRQXPBYOOVLNO3WS/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

For now when we forward a connection to the host we leave the host side
forwarding address and port blank since we don't necessarily know what
source address and port will be used by the kernel.  When the outbound
address option is active, though, we do know the address at least, so we
can record it in the flowside.

Having done that, use it as the primary source of truth, binding the
outgoing socket based on the information in there.  This allows the
possibility of more complex rules for what outbound address and/or port
we use in future.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
---
 tcp.c | 93 ++++++++++++++++++++++++++++++++---------------------------
 1 file changed, 50 insertions(+), 43 deletions(-)

diff --git a/tcp.c b/tcp.c
index bac72c02..f0bf76bc 100644
--- a/tcp.c
+++ b/tcp.c
@@ -1581,46 +1581,48 @@ static uint16_t tcp_conn_tap_mss(const struct tcp_tap_conn *conn,
 /**
  * tcp_bind_outbound() - Bind socket to outbound address and interface if given
  * @c:		Execution context
+ * @conn:	Connection entry for socket to bind
  * @s:		Outbound TCP socket
- * @af:		Address family
  */
-static void tcp_bind_outbound(const struct ctx *c, int s, sa_family_t af)
+static void tcp_bind_outbound(const struct ctx *c,
+			      const struct tcp_tap_conn *conn, int s)
 {
-	if (af == AF_INET) {
-		if (!IN4_IS_ADDR_UNSPECIFIED(&c->ip4.addr_out)) {
-			struct sockaddr_in addr4 = {
-				.sin_family = AF_INET,
-				.sin_port = 0,
-				.sin_addr = c->ip4.addr_out,
-			};
-
-			if (bind(s, (struct sockaddr *)&addr4, sizeof(addr4)))
-				debug_perror("IPv4 TCP socket address bind");
+	const struct flowside *tgt = &conn->f.side[TGTSIDE];
+	union sockaddr_inany bind_sa;
+	socklen_t sl;
+
+
+	pif_sockaddr(c, &bind_sa, &sl, PIF_HOST, &tgt->faddr, tgt->fport);
+	if (!inany_is_unspecified(&tgt->faddr) || tgt->fport) {
+		if (bind(s, &bind_sa.sa, sl)) {
+			char sstr[INANY_ADDRSTRLEN];
+
+			flow_dbg(conn,
+				 "Can't bind TCP outbound socket to %s:%hu: %s",
+				 inany_ntop(&tgt->faddr, sstr, sizeof(sstr)),
+				 tgt->fport, strerror(errno));
 		}
+	}
 
+	if (bind_sa.sa_family == AF_INET) {
 		if (*c->ip4.ifname_out) {
 			if (setsockopt(s, SOL_SOCKET, SO_BINDTODEVICE,
 				       c->ip4.ifname_out,
-				       strlen(c->ip4.ifname_out)))
-				debug_perror("IPv4 TCP socket interface bind");
-		}
-	} else if (af == AF_INET6) {
-		if (!IN6_IS_ADDR_UNSPECIFIED(&c->ip6.addr_out)) {
-			struct sockaddr_in6 addr6 = {
-				.sin6_family = AF_INET6,
-				.sin6_port = 0,
-				.sin6_addr = c->ip6.addr_out,
-			};
-
-			if (bind(s, (struct sockaddr *)&addr6, sizeof(addr6)))
-				debug_perror("IPv6 TCP socket address bind");
+				       strlen(c->ip4.ifname_out))) {
+				flow_dbg(conn, "Can't bind IPv4 TCP socket to"
+					 " interface %s: %s", c->ip4.ifname_out,
+					 strerror(errno));
+			}
 		}
-
+	} else if (bind_sa.sa_family == AF_INET6) {
 		if (*c->ip6.ifname_out) {
 			if (setsockopt(s, SOL_SOCKET, SO_BINDTODEVICE,
 				       c->ip6.ifname_out,
-				       strlen(c->ip6.ifname_out)))
-				debug_perror("IPv6 TCP socket interface bind");
+				       strlen(c->ip6.ifname_out))) {
+				flow_dbg(conn, "Can't bind IPv6 TCP socket to"
+					 " interface %s: %s", c->ip6.ifname_out,
+					 strerror(errno));
+			}
 		}
 	}
 }
@@ -1643,9 +1645,9 @@ static void tcp_conn_from_tap(struct ctx *c, sa_family_t af,
 {
 	in_port_t srcport = ntohs(th->source);
 	in_port_t dstport = ntohs(th->dest);
+	union inany_addr srcaddr, dstaddr; /* FIXME: Avoid bulky temporaries */
 	const struct flowside *ini, *tgt;
 	struct tcp_tap_conn *conn;
-	union inany_addr dstaddr; /* FIXME: Avoid bulky temporary */
 	union sockaddr_inany sa;
 	union flow *flow;
 	int s = -1, mss;
@@ -1666,9 +1668,24 @@ static void tcp_conn_from_tap(struct ctx *c, sa_family_t af,
 
 	}
 
-	/* FIXME: Record outbound source address when known */
+	if (inany_is_linklocal6(&dstaddr)) {
+		srcaddr.a6 = c->ip6.addr_ll;
+	} else if (inany_is_loopback(&dstaddr)) {
+		srcaddr = dstaddr;
+	} else if (inany_v4(&dstaddr)) {
+		if (!IN4_IS_ADDR_UNSPECIFIED(&c->ip4.addr_out))
+			srcaddr = inany_from_v4(c->ip4.addr_out);
+		else
+			srcaddr = inany_any4;
+	} else {
+		if (!IN6_IS_ADDR_UNSPECIFIED(&c->ip6.addr_out))
+			srcaddr.a6 = c->ip6.addr_out;
+		else
+			srcaddr = inany_any6;
+	}
+
 	tgt = flow_target_af(flow, PIF_HOST, AF_INET6,
-			     NULL, 0, /* Kernel decides source address */
+			     &srcaddr, 0, /* Kernel decides source port */
 			     &dstaddr, dstport);
 	conn = FLOW_SET_TYPE(flow, FLOW_TCP, tcp);
 
@@ -1731,18 +1748,6 @@ static void tcp_conn_from_tap(struct ctx *c, sa_family_t af,
 			goto cancel;
 	}
 
-	if (inany_is_linklocal6(&tgt->eaddr)) {
-		struct sockaddr_in6 addr6_ll = {
-			.sin6_family = AF_INET6,
-			.sin6_addr = c->ip6.addr_ll,
-			.sin6_scope_id = c->ifi6,
-		};
-		if (bind(s, (struct sockaddr *)&addr6_ll, sizeof(addr6_ll)))
-			goto cancel;
-	} else if (!inany_is_loopback(&tgt->eaddr)) {
-		tcp_bind_outbound(c, s, af);
-	}
-
 	conn->sock = s;
 	conn->timer = -1;
 	conn_event(c, conn, TAP_SYN_RCVD);
@@ -1771,6 +1776,8 @@ static void tcp_conn_from_tap(struct ctx *c, sa_family_t af,
 
 	tcp_hash_insert(c, conn);
 
+	tcp_bind_outbound(c, conn, s);
+
 	if (connect(s, &sa.sa, sl)) {
 		if (errno != EINPROGRESS) {
 			tcp_rst(c, conn);
-- 
2.45.2