public inbox for passt-dev@passt.top
From: David Gibson <david@gibson.dropbear.id.au>
To: passt-dev@passt.top, Stefano Brivio <sbrivio@redhat.com>
Cc: Paul Holzinger <pholzing@redhat.com>,
	David Gibson <david@gibson.dropbear.id.au>
Subject: [PATCH v2 17/23] fwd: Split notion of "our tap address" from gateway for IPv4
Date: Wed, 21 Aug 2024 14:20:13 +1000
Message-ID: <20240821042020.718422-18-david@gibson.dropbear.id.au>
In-Reply-To: <20240821042020.718422-1-david@gibson.dropbear.id.au>

ip4.gw conflates 3 conceptually different things, which (for now) have the
same value:
  1. The router/gateway address as seen by the guest
  2. An address to NAT to the host if --no-map-gw isn't specified
  3. An address to use as source when nothing else makes sense

Case 3 occurs in two situations:

a) for our DHCP responses - since they come from passt internally there's
   no naturally meaningful address for them to come from
b) for forwarded connections coming from an address that isn't guest
   accessible (localhost or the guest's own address).

(b) occurs even with --no-map-gw, and the expected behaviour of forwarding
local connections requires it.

For IPv6 role (3) is now taken by ip6.our_tap_ll (which usually has the
same value as ip6.gw).  For future flexibility we may want to make this
"address of last resort" different from the gateway address, so split them
logically for IPv4 as well.

Specifically, add a new ip4.our_tap_addr field for the address with this
role, and initialise it to ip4.gw for now.  Unlike IPv6 where we can always
get a link-local address, we might not be able to get a (non 0.0.0.0)
address here (e.g. if the host is disconnected or only has a point to point
link with no gateway address).  In that case we have to disable forwarding
of inbound connections with guest-inaccessible source addresses.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
---
 dhcp.c  |  8 ++++----
 fwd.c   | 10 +++++++---
 passt.h |  2 ++
 3 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/dhcp.c b/dhcp.c
index acc5b03e..353de323 100644
--- a/dhcp.c
+++ b/dhcp.c
@@ -345,9 +345,9 @@ int dhcp(const struct ctx *c, const struct pool *p)
 
 	m->yiaddr = c->ip4.addr;
 	mask.s_addr = htonl(0xffffffff << (32 - c->ip4.prefix_len));
-	memcpy(opts[1].s,  &mask,        sizeof(mask));
-	memcpy(opts[3].s,  &c->ip4.gw,   sizeof(c->ip4.gw));
-	memcpy(opts[54].s, &c->ip4.gw,   sizeof(c->ip4.gw));
+	memcpy(opts[1].s,  &mask,                sizeof(mask));
+	memcpy(opts[3].s,  &c->ip4.gw,           sizeof(c->ip4.gw));
+	memcpy(opts[54].s, &c->ip4.our_tap_addr, sizeof(c->ip4.our_tap_addr));
 
 	/* If the gateway is not on the assigned subnet, send an option 121
 	 * (Classless Static Routing) adding a dummy route to it.
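Review bot: At the opts[54] line, the server identifier now comes from a different field than the router option on the line above it, and because both fields hold the same value today, a later reader may take the mismatch for a typo. A one-line comment there saying that option 3 is the guest's gateway while option 54 is passt's own address on the tap would make the intent explicit. The re-alignment of the opts[1] and opts[3] lines also adds churn around the single functional change; consider leaving those two lines untouched.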
@@ -377,7 +377,7 @@ int dhcp(const struct ctx *c, const struct pool *p)
 		opt_set_dns_search(c, sizeof(m->o));
 
 	dlen = offsetof(struct msg, o) + fill(m);
-	tap_udp4_send(c, c->ip4.gw, 67, c->ip4.addr, 68, m, dlen);
+	tap_udp4_send(c, c->ip4.our_tap_addr, 67, c->ip4.addr, 68, m, dlen);
 
 	return 1;
 }
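Review bot: The tap_udp4_send() call takes c->ip4.our_tap_addr as source with no check for 0.0.0.0, although the commit message says this address may be unavailable and the fwd.c part of this same patch guards that case with IN4_IS_ADDR_UNSPECIFIED(). Either apply the same guard here (it would also cover the option 54 value set earlier in the function), or state in the commit message why a DHCP reply with an unspecified source and server identifier is acceptable.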
diff --git a/fwd.c b/fwd.c
index d6f8a233..664b8ac6 100644
--- a/fwd.c
+++ b/fwd.c
@@ -387,10 +387,14 @@ uint8_t fwd_nat_from_host(const struct ctx *c, uint8_t proto,
 	}
 
 	if (!fwd_guest_accessible(c, &ini->eaddr)) {
-		if (inany_v4(&ini->eaddr))
-			tgt->oaddr = inany_from_v4(c->ip4.gw);
-		else
+		if (inany_v4(&ini->eaddr)) {
+			if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.our_tap_addr))
+				/* No source address we can use */
+				return PIF_NONE;
+			tgt->oaddr = inany_from_v4(c->ip4.our_tap_addr);
+		} else {
 			tgt->oaddr.a6 = c->ip6.our_tap_ll;
+		}
 	} else {
 		tgt->oaddr = ini->eaddr;
 	}
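Review bot: The new "return PIF_NONE;" in the IPv4 branch drops the connection with no trace, so a user whose forwards from localhost stop working on a host without a usable address gets no hint as to why; a debug-level message at that point would help diagnosis. The inner if also carries a comment plus a statement without braces, which is easy to misread or to break when a line is added later, so bracing it as the outer branches now are would be safer.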
diff --git a/passt.h b/passt.h
index 3b8a6283..ecfed1e7 100644
--- a/passt.h
+++ b/passt.h
@@ -97,6 +97,7 @@ enum passt_modes {
  * @gw:			Default IPv4 gateway
  * @dns:		DNS addresses for DHCP, zero-terminated
  * @dns_match:		Forward DNS query if sent to this address
+ * @our_tap_addr:	IPv4 address for passt's use on tap
  * @dns_host:		Use this DNS on the host for forwarding
  * @addr_out:		Optional source address for outbound traffic
  * @ifname_out:		Optional interface name to bind outbound sockets to
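Review bot: The @our_tap_addr description does not say that the field may be unspecified, which is exactly the case the fwd.c hunk has to handle. Documenting it here, for example "IPv4 address for passt's use on tap, 0.0.0.0 if none is available", would tell future users of the field that they need to check before using it as a source address.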
@@ -111,6 +112,7 @@ struct ip4_ctx {
 	struct in_addr gw;
 	struct in_addr dns[MAXNS + 1];
 	struct in_addr dns_match;
+	struct in_addr our_tap_addr;
 
 	/* PIF_HOST addresses */
 	struct in_addr dns_host;
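Review bot: The commit message says the new field is initialised to ip4.gw, but no hunk in this patch assigns our_tap_addr, and the diffstat lists only dhcp.c, fwd.c and passt.h. If the field is left zeroed, the new IN4_IS_ADDR_UNSPECIFIED() check in fwd_nat_from_host() would always return PIF_NONE for guest-inaccessible IPv4 sources and DHCP replies would be sent from 0.0.0.0. Please add the assignment where ip4.gw is set up, or point to the patch in the series that does it.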
-- 
2.46.0

