From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: passt.top; dmarc=pass (p=none dis=none) header.from=redhat.com
Authentication-Results: passt.top;
	dkim=pass (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=Yxa6AnRT;
	dkim-atps=neutral
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	by passt.top (Postfix) with ESMTP id 043825A004C
	for <passt-dev@passt.top>; Wed, 25 Sep 2024 10:29:52 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1727252992;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=TG9MtTAOaDbY+cDseE/oTKDoE06cn+zk8mTyM2K4E38=;
	b=Yxa6AnRTuzK6G7jX5iC+UW8vPWBb3/KZa2LPtGN224uqTUvVUZWqPRc8cTQgXNmUM654o1
	EVdqVBXioLq1IcocgzRMvtWJAZebSj1P+r84xSrSo0JeiaRv1GJuuNhh7APP040bJxFzKo
	Gr5ZYeJcUq10cUKk85lavwgFmA6tQ/s=
Received: from mail-pf1-f198.google.com (mail-pf1-f198.google.com
 [209.85.210.198]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-534-7YOeShc1Ovy3bXbztui6Eg-1; Wed, 25 Sep 2024 04:29:50 -0400
X-MC-Unique: 7YOeShc1Ovy3bXbztui6Eg-1
Received: by mail-pf1-f198.google.com with SMTP id d2e1a72fcca58-718db8e61bfso9574553b3a.0
        for <passt-dev@passt.top>; Wed, 25 Sep 2024 01:29:50 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1727252989; x=1727857789;
        h=content-transfer-encoding:mime-version:organization:references
         :in-reply-to:message-id:subject:cc:to:from:date:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=TG9MtTAOaDbY+cDseE/oTKDoE06cn+zk8mTyM2K4E38=;
        b=MaoN4Hz/zPN907LXQW6VZw37Pw4bIqxUV+9iCzXLWGl465vTZWEHEXoV4K82cFn/xD
         S+bD3FNitOcfqNQmBwl9ze+HPbGYAVmmS6RwiVY0x01jdlAxuG+TNxndyETgOTrx+KKl
         y4AL38EyPfmeepfOtSblnkNn1a8F6Ti4DVsSqVazqRhjiunfphng2RSBoUsOmnROIYu+
         iHT5VjUxXTHE2AGtG9pK+uuaHjee2xK96upZ9AxErqghBpAYePTjvlrn3KoDTKVQW35j
         c1wilaDL6N05vgDOEyDtJ2V6bMORvvgTqoDTx9w/fYmdEuOV27FewFlwDgMwBJDGxbSQ
         PDBQ==
X-Gm-Message-State: AOJu0YxF/T0ElUyMbPGzM9nCn13hN94cN+aaIim1vB3gjdaV4a8ZYFxl
	C+vgbYJn4bJjxJ0Af6PxYUONzBa6w9mGFXFrzTl64QrhpPotDrVGEFszq/J6bkdxgR7ZgOZBv9c
	VB1rXDFP3DNmUdzgHLK8Z2bH0n+SQe3ddWrwXRmfOC5icWUtg8BhKwCuSEQ==
X-Received: by 2002:a05:6a21:58b:b0:1d3:ba1:18f4 with SMTP id adf61e73a8af0-1d4d4ac8e7dmr2931403637.26.1727252989002;
        Wed, 25 Sep 2024 01:29:49 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IEOQQSiyGG67XcUQWLVcEhhSHnt1TP9eYao6Yx+HsI2OLcymi3cg0UcB/Y9pIzR5jlr4obdEw==
X-Received: by 2002:a05:6a21:58b:b0:1d3:ba1:18f4 with SMTP id adf61e73a8af0-1d4d4ac8e7dmr2931379637.26.1727252988549;
        Wed, 25 Sep 2024 01:29:48 -0700 (PDT)
Received: from maya.myfinge.rs (ifcgrfdd.trafficplex.cloud. [176.103.220.4])
        by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-71afc985672sm2316439b3a.184.2024.09.25.01.29.47
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 25 Sep 2024 01:29:47 -0700 (PDT)
Date: Wed, 25 Sep 2024 10:29:44 +0200
From: Stefano Brivio <sbrivio@redhat.com>
To: David Gibson <david@gibson.dropbear.id.au>
Subject: Re: [PATCH 2/2] fwd: Direct inbound spliced forwards to the guest's
 external address
Message-ID: <20240925102944.7cd28dfb@elisabeth>
In-Reply-To: <20240925065436.2064995-3-david@gibson.dropbear.id.au>
References: <20240925065436.2064995-1-david@gibson.dropbear.id.au>
	<20240925065436.2064995-3-david@gibson.dropbear.id.au>
Organization: Red Hat
X-Mailer: Claws Mail 4.2.0 (GTK 3.24.41; x86_64-pc-linux-gnu)
MIME-Version: 1.0
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-ID-Hash: RHKODHXUP6R3BGSPSZV4RKR7W5MSYQXT
X-Message-ID-Hash: RHKODHXUP6R3BGSPSZV4RKR7W5MSYQXT
X-MailFrom: sbrivio@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: passt-dev@passt.top
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/20240925102944.7cd28dfb@elisabeth/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/RHKODHXUP6R3BGSPSZV4RKR7W5MSYQXT/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

On Wed, 25 Sep 2024 16:54:36 +1000
David Gibson <david@gibson.dropbear.id.au> wrote:

> In pasta mode, where addressing permits we "splice" connections, forwarding
> directly from host socket to guest/container socket without any L2 or L3
> processing.  This gives us a very large performance improvement when it's
> possible.
> 
> Since the traffic is from a local socket within the guest, it will go over
> the guest's 'lo' interface, and accordingly we set the guest side address
> to be the loopback address.  However this has a surprising side effect:
> sometimes guests will run services that are only supposed to be used within
> the guest and are therefore bound to only 127.0.0.1 and/or ::1.  pasta's
> forwarding exposes those services to the host, which isn't generally what
> we want.
> 
> Correct this by instead forwarding inbound "splice" flows to the guest's
> external address.
> 
> Link: https://github.com/containers/podman/issues/24045
> 
> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
> ---
>  fwd.c | 24 +++++++++++++++---------
>  1 file changed, 15 insertions(+), 9 deletions(-)
> 
> diff --git a/fwd.c b/fwd.c
> index a505098..d5149db 100644
> --- a/fwd.c
> +++ b/fwd.c
> @@ -447,20 +447,26 @@ uint8_t fwd_nat_from_host(const struct ctx *c, uint8_t proto,
>  	    (proto == IPPROTO_TCP || proto == IPPROTO_UDP)) {
>  		/* spliceable */
>  
> -		/* Preserve the specific loopback adddress used, but let the
> -		 * kernel pick a source port on the target side
> +		/* The traffic will go over the guest's 'lo' interface, but use
> +		 * its external address, so we don't inadvertendly expose

inadvertently

> +		 * services that listen only on the guest's loopback address.
> +		 *
> +		 * Let the kernel pick our address on PIF_SPLICE
>  		 */
> -		tgt->oaddr = ini->eaddr;
> +		if (inany_v4(&ini->eaddr)) {
> +			tgt->eaddr = inany_from_v4(c->ip4.addr_seen);
> +			tgt->oaddr = inany_any4;
> +		} else {
> +			tgt->eaddr.a6 = c->ip6.addr_seen;
> +			tgt->oaddr = inany_any6;
> +		}
> +
> +		/* Let the kernel pick port */
>  		tgt->oport = 0;
>  		if (proto == IPPROTO_UDP)
> -			/* But for UDP preserve the source port */
> +			/* Except for UDP, preserve the source port */

It means the same thing, but it's less clear now: does it mean "Except
for UDP: in that case preserve the source port" or "Except for UDP: in
all other cases preserve the source port"?

I would keep the original version unless I'm missing something subtle
that this patch would change regarding ports.

>  			tgt->oport = ini->eport;
>  
> -		if (inany_v4(&ini->eaddr))
> -			tgt->eaddr = inany_loopback4;
> -		else
> -			tgt->eaddr = inany_loopback6;
> -
>  		return PIF_SPLICE;
>  	}
>  

The series looks good to me (yes, I know I still have to review one
pending series from you), except for the concern I mentioned as a
comment to the cover letter.

-- 
Stefano