Date: Tue, 20 Aug 2024 21:56:24 +0200
From: Stefano Brivio
To: David Gibson
Subject: Re: [PATCH 17/22] fwd: Split notion of "our tap address" from gateway for IPv4
Message-ID: <20240820215624.5ec8e221@elisabeth>
In-Reply-To: <20240816054004.1335006-18-david@gibson.dropbear.id.au>
References: <20240816054004.1335006-1-david@gibson.dropbear.id.au>
 <20240816054004.1335006-18-david@gibson.dropbear.id.au>
Organization: Red Hat
CC: passt-dev@passt.top, Paul Holzinger
List-Id: Development discussion and patches for passt

On Fri, 16 Aug 2024 15:39:58 +1000
David Gibson wrote:

> ip4.gw conflates 3 conceptually different things, which (for now) have the
> same value:
> 1. The router/gateway address as seen by the guest
> 2. An address to NAT to the host when --no-map-gw isn't specified
> 3. An address to use as source when nothing else makes sense
>
> Case 3 occurs in two situations:
>
> a) for our DHCP responses - since they come from passt internally there's
> no naturally meaningful address for them to come from
> b) for forwarded connections coming from an address that isn't guest
> accessible (localhost or the guest's own address).
>
> (b) occurs even with --no-map-gw, and the expected behaviour of forwarding
> local connections requires it.
>
> For IPv6 role (3) is now taken by ip6.our_tap_ll (which usually has the
> same value as ip6.gw). For future flexibility we may want to make this
> "address of last resort" different from the gateway address, so split them
> logically for IPv4 as well.
>
> Specifically, add a new ip4.our_tap_addr field for the address with this
> role, and initialise it to ip4.gw for now. Unlike IPv6 where we can always
> get a link-local address, we might not be able to get a (non 0.0.0.0)
> address here. In that case we have to disable DHCP

It's not entirely clear to me in which case we would not be able to get
any address, but at least RFC 2131 doesn't have a problem with this:

diff --git a/dhcp.c b/dhcp.c
index aa9f59d..3de8a6e 100644
--- a/dhcp.c
+++ b/dhcp.c
@@ -282,6 +282,7 @@ int dhcp(const struct ctx *c, const struct pool *p)
 	struct in_addr mask;
 	unsigned int i;
 	struct msg *m;
+	struct in_addr zeroes = { 0 };
 
 	eh = packet_get(p, 0, offset, sizeof(*eh), NULL);
 	offset += sizeof(*eh);
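Review bot: `zeroes` is never modified after its initialisation (it is only passed by value as the source address in the tap_udp4_send() change below), so `static const struct in_addr zeroes = { 0 };` states the intent and keeps it out of the per-call stack frame; appending it after `struct msg *m;` also breaks the longest-first ordering of the existing locals (`mask`, `i`, `m`), so it would read better placed before `struct in_addr mask;`.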
@@ -378,7 +379,7 @@ int dhcp(const struct ctx *c, const struct pool *p)
 		opt_set_dns_search(c, sizeof(m->o));
 
 	dlen = offsetof(struct msg, o) + fill(m);
-	tap_udp4_send(c, c->ip4.gw, 67, c->ip4.addr, 68, m, dlen);
+	tap_udp4_send(c, zeroes, 67, c->ip4.addr, 68, m, dlen);
 
 	return 1;
 }

and:

$ ./pasta -p dhcp.pcap
Saving packet capture to dhcp.pcap
# dhclient
# tshark -r dhcp.pcap
Running as user "root" and group "root". This could be dangerous.
    1 0.000000           :: → ff02::16        ICMPv6 90 Multicast Listener Report Message v2
    2 0.016265      0.0.0.0 → 255.255.255.255 DHCP 342 DHCP Discover - Transaction ID 0x75759d11
    3 0.016361      0.0.0.0 → 88.198.0.164    DHCP 342 DHCP Offer    - Transaction ID 0x75759d11
    4 0.016479      0.0.0.0 → 255.255.255.255 DHCP 342 DHCP Request  - Transaction ID 0x75759d11
    5 0.016493      0.0.0.0 → 88.198.0.164    DHCP 342 DHCP ACK      - Transaction ID 0x75759d11
[...]

so this could be a reasonable fallback.

> and forwarding of
> inbound connections with guest-inaccessible source addresses.
>
> Signed-off-by: David Gibson
> ---
>  conf.c  |  7 ++++++-
>  dhcp.c  |  4 ++--
>  fwd.c   | 10 +++++++---
>  passt.h |  2 ++
>  4 files changed, 17 insertions(+), 6 deletions(-)
>
> diff --git a/conf.c b/conf.c
> index 954f20ea..9f962fc8 100644
> --- a/conf.c
> +++ b/conf.c
> @@ -660,6 +660,8 @@ static unsigned int conf_ip4(unsigned int ifi,
>  
>  	ip4->addr_seen = ip4->addr;
>  
> +	ip4->our_tap_addr = ip4->gw;
> +
>  	if (MAC_IS_ZERO(mac)) {
>  		int rc = nl_link_get_mac(nl_sock, ifi, mac);
>  		if (rc < 0) {
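Review bot: `ip4->our_tap_addr = ip4->gw;` copies the gateway unconditionally, so whenever the gateway is unspecified the new field is unspecified too and DHCP ends up disabled exactly as before; since the commit message calls this a placeholder ("initialise it to ip4.gw for now"), a one-line comment here saying so, and that this is the spot where a different address of last resort would be chosen, would save the next reader from wondering why a role the message says is distinct from the gateway is filled with the gateway.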
> @@ -1666,7 +1668,10 @@ void conf(struct ctx *c, int argc, char **argv)
>  		die("External interface not usable");
>  
>  	if (c->ifi4 && IN4_IS_ADDR_UNSPECIFIED(&c->ip4.gw))
> -		c->no_map_gw = c->no_dhcp = 1;
> +		c->no_map_gw = 1;
> +
> +	if (c->ifi4 && IN4_IS_ADDR_UNSPECIFIED(&c->ip4.our_tap_addr))
> +		c->no_dhcp = 1;
>  
>  	if (c->ifi6 && IN6_IS_ADDR_UNSPECIFIED(&c->ip6.gw))
>  		c->no_map_gw = 1;
> diff --git a/dhcp.c b/dhcp.c
> index acc5b03e..a935dc94 100644
> --- a/dhcp.c
> +++ b/dhcp.c
> @@ -347,7 +347,7 @@ int dhcp(const struct ctx *c, const struct pool *p)
>  	mask.s_addr = htonl(0xffffffff << (32 - c->ip4.prefix_len));
>  	memcpy(opts[1].s, &mask, sizeof(mask));
>  	memcpy(opts[3].s, &c->ip4.gw, sizeof(c->ip4.gw));
> -	memcpy(opts[54].s, &c->ip4.gw, sizeof(c->ip4.gw));
> +	memcpy(opts[54].s, &c->ip4.our_tap_addr, sizeof(c->ip4.our_tap_addr));

Nit: this was supposed to look like a table, so it would be nice to add
extra whitespace in the lines above this one.

-- 
Stefano
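Review bot: option 54 (server identifier) now carries `c->ip4.our_tap_addr` while option 3 (router) keeps `c->ip4.gw`, which is the point of the split, but the server identifier is also the address a client later unicasts to directly (RFC 2131, cited above), so it has to agree with the source address the reply is actually sent from. The `tap_udp4_send(c, c->ip4.gw, 67, ...)` call visible in the reply's own test diff above still uses the gateway; the diffstat lists four changed lines in dhcp.c and this hunk accounts for two, so if the other two are that call switching to `c->ip4.our_tap_addr`, fine, otherwise that call needs the same change.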
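The thread is about which address fills the router option, the server identifier and the UDP source of passt's DHCP replies. As an added example, and not code from passt or from either author, the C program below builds those options from a prefix length, a gateway and an "our tap address", parses them back with bounds checks, and applies the sanity check a practitioner would want once the two roles can differ: the server identifier must be the address the reply is sent from, with 0.0.0.0 as the fallback source that the dhclient capture above shows being accepted. It goes slightly beyond the patch by handling a /0 prefix without the undefined 32-bit shift and by rejecting a truncated option list. The function names (mask_from_prefix, dhcp_build_opts, dhcp_get_addr_opt, dhcp_reply_source_ok, demo_case, demo_truncated) and the 192.0.2.x addresses are assumptions made for this example.

```c
/* Added example, not passt code: build the address options of a DHCP reply
 * (subnet mask, router, server identifier), parse them back with bounds
 * checks, and verify that the server identifier agrees with the reply's
 * source address. All names and the 192.0.2.x addresses are made up. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { OPT_PAD = 0, OPT_MASK = 1, OPT_ROUTER = 3, OPT_SERVER_ID = 54, OPT_END = 255 };

/* Network-order subnet mask from a prefix length. Shifting a 32-bit value by
 * 32 is undefined behaviour in C, so /0 is handled without shifting. */
uint32_t mask_from_prefix(unsigned int prefix_len)
{
	if (prefix_len > 32)
		prefix_len = 32;
	return prefix_len ? htonl(0xffffffffu << (32 - prefix_len)) : 0;
}

static size_t put_addr_opt(uint8_t *o, uint8_t type, uint32_t addr_be)
{
	o[0] = type;
	o[1] = sizeof(addr_be);
	memcpy(o + 2, &addr_be, sizeof(addr_be));
	return 2 + sizeof(addr_be);
}

/* Router (option 3) gets the gateway, server identifier (option 54) gets the
 * "our tap address" role. Returns bytes written, 0 if the buffer is too small. */
size_t dhcp_build_opts(uint8_t *o, size_t cap, unsigned int prefix_len,
		       uint32_t gw_be, uint32_t our_tap_addr_be)
{
	size_t len = 0;

	if (cap < 3 * 6 + 1)
		return 0;
	len += put_addr_opt(o + len, OPT_MASK, mask_from_prefix(prefix_len));
	len += put_addr_opt(o + len, OPT_ROUTER, gw_be);
	len += put_addr_opt(o + len, OPT_SERVER_ID, our_tap_addr_be);
	o[len++] = OPT_END;
	return len;
}

/* Find a 4-byte option. Each length byte is checked against the buffer, so a
 * truncated or malformed list ends the walk instead of reading past it. */
int dhcp_get_addr_opt(const uint8_t *o, size_t len, uint8_t type, uint32_t *out)
{
	size_t i = 0;

	while (i < len && o[i] != OPT_END) {
		uint8_t t = o[i], l;

		if (t == OPT_PAD) {
			i++;
			continue;
		}
		if (i + 2 > len)
			return 0;
		l = o[i + 1];
		if (i + 2 + l > len)
			return 0;
		if (t == type && l == sizeof(*out)) {
			memcpy(out, o + i + 2, sizeof(*out));
			return 1;
		}
		i += 2 + l;
	}
	return 0;
}

/* Clients address the server directly via the server identifier, so it must be
 * the address the reply came from; 0.0.0.0 is the fallback source from the thread. */
int dhcp_reply_source_ok(const uint8_t *o, size_t len, uint32_t src_be)
{
	uint32_t sid;
	if (!dhcp_get_addr_opt(o, len, OPT_SERVER_ID, &sid))
		return 0;	/* RFC 2131 requires option 54 in OFFER and ACK */
	return src_be == INADDR_ANY || src_be == sid;
}

/* Build a /24 reply for gw and our_tap_addr, then check it against the source
 * address it would be sent from. Returns 1 if the two roles are consistent. */
int demo_case(const char *gw, const char *our_tap_addr, const char *src)
{
	uint8_t opts[32];
	size_t n = dhcp_build_opts(opts, sizeof(opts), 24,
				   inet_addr(gw), inet_addr(our_tap_addr));
	return n && dhcp_reply_source_ok(opts, n, inet_addr(src));
}

/* Length byte claims four bytes but only one follows: lookup must fail (0). */
int demo_truncated(void)
{
	static const uint8_t bad[] = { OPT_SERVER_ID, 4, 0xc0 };
	uint32_t sid;
	return dhcp_get_addr_opt(bad, sizeof(bad), OPT_SERVER_ID, &sid);
}
```

demo_case("192.0.2.1", "192.0.2.2", "192.0.2.1") is the case the review note above worries about: router and server identifier split, but the reply still sent from the gateway, so the check fails; the same split with a 0.0.0.0 source passes, matching what the capture shows dhclient accepting.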