From: David Gibson
To: Stefano Brivio, passt-dev@passt.top, Jon Maloy
CC: David Gibson
Subject: [PATCH v2 1/2] udp: Don't attempt to forward ICMP socket errors to other sockets
Date: Fri, 28 Mar 2025 14:34:14 +1100
Message-ID: <20250328033415.1038536-2-david@gibson.dropbear.id.au>
In-Reply-To: <20250328033415.1038536-1-david@gibson.dropbear.id.au>
List-Id: Development discussion and patches for passt

Recently we added support for detecting ICMP triggered errors on UDP sockets and forwarding them to the tap interface. However, in udp_sock_recverr() where this is handled we don't know for certain that the tap interface is the other side of the UDP flow. It could be a spliced connection with another socket on the other side.

To forward errors in that case, we'd need to force the other side's socket to issue an ICMP error. I'm not sure if there's a way to do that; probably not for an arbitrary ICMP but it might be possible for certain error conditions.

Nonetheless what we do now - synthesise an ICMP on the tap interface - is certainly wrong. It's probably harmless; for a spliced connection it will have loopback addresses meaning we can expect the guest to discard it.
But, correct this for now, by not attempting to propagate errors when the other side of the flow is a socket. Fixes: 55431f007 ("udp: create and send ICMPv4 to local peer when...") Fixes: 68b04182e ("udp: create and send ICMPv6 to local peer when...") Signed-off-by: David Gibson Acked-by: Jon Maloy --- udp.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/udp.c b/udp.c index 0c223b4e..e410f55e 100644 --- a/udp.c +++ b/udp.c @@ -560,7 +560,10 @@ static int udp_sock_recverr(const struct ctx *c, union epoll_ref ref) const struct flowside *toside = flowside_at_sidx(sidx); size_t dlen = rc; - if (hdr->cmsg_level == IPPROTO_IP) { + if (pif_is_socket(pif_at_sidx(sidx))) { + /* XXX Is there any way to propagate ICMPs from socket + * to socket? */ + } else if (hdr->cmsg_level == IPPROTO_IP) { dlen = MIN(dlen, ICMP4_MAX_DLEN); udp_send_conn_fail_icmp4(c, &eh->ee, toside, eh->saddr.sa4.sin_addr, -- 2.49.0
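Review bot: The new `if (pif_is_socket(pif_at_sidx(sidx)))` branch in udp_sock_recverr() has an empty body that holds only an XXX comment, so an ICMP error received on a flow whose other side is a socket is now dropped without leaving any trace. Consider emitting a debug-level message in that branch so that discarded errors on spliced flows stay diagnosable. The comment would also read better as a plain statement that errors are intentionally not propagated when the other side is a socket, since the open question about socket-to-socket propagation is already recorded in the commit message.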