From: David Gibson
To: Stefano Brivio, passt-dev@passt.top, Jon Maloy
CC: David Gibson
Subject: [PATCH v2 0/4] Translate source addresses for ICMP errors
Date: Thu, 17 Apr 2025 11:55:39 +1000
Message-ID: <20250417015543.457310-1-david@gibson.dropbear.id.au>
List-Id: Development discussion and patches for passt

We now propagate ICMP errors on UDP flows back into ICMP packets on the
tap interface.  However, we don't always get the source address right
for the synthesized message.  Because ICMPs can be generated by
intermediate routers, that source address might not be one of the
endpoints, so the address translation we already have isn't sufficient.

Implement properly translating ICMP addresses when we need to.  This
ended up a bit messier than I hoped, but it seems to work.

A simple case to test this is:

    pasta --config-net --map-host-loopback=172.16.1.1 -- \
        sh -c "echo hello | socat STDIO UDP4:172.16.1.1:10001"

where 10001 is a port where nothing is listening on the host.  Without
this series, this will just time out.  pasta sends an ICMP Port
Unreachable message, but it's sent with source address 127.0.0.1 and so
discarded by the guest.  With this series, the address is properly
translated and we correctly get the error from socat:

    2025/04/16 19:02:37 socat[3] E read(5, 0x555c3dbf2000, 8192): Connection refused

v2:
 * Fix a (bogus) coverity warning
 * Minor cosmetic changes based on Stefano's review

David Gibson (4):
  fwd: Split out helpers for port-independent NAT
  treewide: Improve robustness against sockaddrs of unexpected family
  udp: Rework offender address handling in udp_sock_recverr()
  udp: Translate offender addresses for ICMP messages

 flow.c     | 16 ++++++++--
 fwd.c      | 87 ++++++++++++++++++++++++++++++++++++++----------------
 fwd.h      |  3 ++
 inany.h    | 28 +++++++++++-------
 tcp.c      | 10 +++----
 udp.c      | 81 ++++++++++++++++++++++++++++++++++++--------------
 udp_flow.c |  6 ++--
 7 files changed, 162 insertions(+), 69 deletions(-)

-- 
2.49.0