From: David Gibson
To: Stefano Brivio, Jon Maloy, passt-dev@passt.top
Subject: [PATCH 0/4] Translate source addresses for ICMP errors
Date: Wed, 16 Apr 2025 19:07:03 +1000
Message-ID: <20250416090707.393497-1-david@gibson.dropbear.id.au>
List-Id: Development discussion and patches for passt

We now propagate ICMP errors on UDP flows back into ICMP packets on the
tap interface.  However, we don't always get the source address right
for the synthesized message.  Because ICMPs can be generated by
intermediate routers, that source address might not be one of the
endpoints, so the address translation we already have isn't sufficient.

Implement properly translating ICMP addresses when we need to.  This
ended up a bit messier than I hoped, but it seems to work.

A simple case to test this is:

  pasta --config-net --map-host-loopback=172.16.1.1 -- \
    sh -c "echo hello | socat STDIO UDP4:172.16.1.1:10001"

where 10001 is a port where nothing is listening on the host.  Without
this series, this will just time out.  pasta sends an ICMP Port
Unreachable message, but it's sent with source address 127.0.0.1 and so
discarded by the guest.  With this series, the address is properly
translated and we correctly get the error from socat:

  2025/04/16 19:02:37 socat[3] E read(5, 0x555c3dbf2000, 8192): Connection refused

David Gibson (4):
  fwd: Split out helpers for port-independent NAT
  treewide: Improve robustness against sockaddrs of unexpected family
  udp: Rework offender address handling in udp_sock_recverr()
  udp: Translate offender addresses for ICMP messages

 flow.c     | 16 ++++++++--
 fwd.c      | 87 ++++++++++++++++++++++++++++++++++++++----------------
 fwd.h      |  3 ++
 inany.h    | 22 +++++++++-----
 tcp.c      | 10 +++----
 udp.c      | 79 +++++++++++++++++++++++++++++++++++--------------
 udp_flow.c |  6 ++--
 7 files changed, 157 insertions(+), 66 deletions(-)

-- 
2.49.0
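
A simplified IPv4 sketch of the source-address choice the cover letter describes, added here as an example; it is not code from passt or from this series. Every name in it (flow_view, nat_cfg, icmp_src_for_guest) is hypothetical, and the assumed rule is: an endpoint offender reuses the flow's translation, a host-loopback offender uses the --map-host-loopback address, and anything else passes through.

```c
/* Added illustration, not passt source: all names here are hypothetical. */
#include <arpa/inet.h>
#include <netinet/in.h>

/* Simplified IPv4 view of one UDP flow: the peer as the host socket sees
 * it, and the same peer as the guest addressed it. */
struct flow_view {
	struct in_addr host_peer;   /* e.g. 127.0.0.1 on the host side */
	struct in_addr guest_peer;  /* e.g. 172.16.1.1 as seen by the guest */
};

/* Assumed stand-in for the --map-host-loopback setting (0 = not set). */
struct nat_cfg {
	struct in_addr map_host_loopback;
};

/* Parse a dotted-quad literal; returns 0.0.0.0 if it does not parse. */
static struct in_addr addr4(const char *s)
{
	struct in_addr a = { 0 };

	inet_pton(AF_INET, s, &a);
	return a;
}

static int is_loopback4(struct in_addr a)
{
	return (ntohl(a.s_addr) >> 24) == 127;	/* 127.0.0.0/8 */
}

/* Pick the source address for the ICMP error synthesized towards the guest. */
struct in_addr icmp_src_for_guest(const struct nat_cfg *c,
				  const struct flow_view *f,
				  struct in_addr offender)
{
	/* Offender is the flow's own peer: reuse the endpoint translation. */
	if (offender.s_addr == f->host_peer.s_addr)
		return f->guest_peer;

	/* Other host-local address: usable by the guest only if mapped. */
	if (is_loopback4(offender) && c->map_host_loopback.s_addr)
		return c->map_host_loopback;

	/* Otherwise (typically an intermediate router): pass it through. */
	return offender;
}
```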