From: David Gibson <david@gibson.dropbear.id.au>
To: Stefano Brivio <sbrivio@redhat.com>,
	Jon Maloy <jmaloy@redhat.com>,
	passt-dev@passt.top
Cc: David Gibson <david@gibson.dropbear.id.au>
Subject: [PATCH 0/4] Translate source addresses for ICMP errors
Date: Wed, 16 Apr 2025 19:07:03 +1000
Message-ID: <20250416090707.393497-1-david@gibson.dropbear.id.au>

We now propagate ICMP errors on UDP flows back into ICMP packets on
the tap interface. However, we don't always get the source address
right for the synthesized message. Because ICMPs can be generated by
intermediate routers, that source address might not be one of the
endpoints, so the address translation we already have isn't
sufficient.

Implement properly translating ICMP addresses when we need to. This
ended up a bit messier than I hoped, but it seems to work. A simple
case to test this is:

    pasta --config-net --map-host-loopback=172.16.1.1 -- \
        sh -c "echo hello | socat STDIO UDP4:172.16.1.1:10001"

where 10001 is a port where nothing is listening on the host.

Without this series, this will just time out. pasta sends an ICMP
Port Unreachable message, but it's sent with source address 127.0.0.1
and so discarded by the guest. With this series, the address is
properly translated and we correctly get the error from socat:

    2025/04/16 19:02:37 socat[3] E read(5, 0x555c3dbf2000, 8192): Connection refused

David Gibson (4):
  fwd: Split out helpers for port-independent NAT
  treewide: Improve robustness against sockaddrs of unexpected family
  udp: Rework offender address handling in udp_sock_recverr()
  udp: Translate offender addresses for ICMP messages

 flow.c     | 16 ++++++++--
 fwd.c      | 87 ++++++++++++++++++++++++++++++++++++++----------------
 fwd.h      |  3 ++
 inany.h    | 22 +++++++++-----
 tcp.c      | 10 +++----
 udp.c      | 79 +++++++++++++++++++++++++++++++++++--------------
 udp_flow.c |  6 ++--
 7 files changed, 157 insertions(+), 66 deletions(-)

--
2.49.0