Date: Tue, 13 Jan 2026 00:26:46 +0100
From: Stefano Brivio
To: David Gibson
CC: passt-dev@passt.top
Subject: Re: [PATCH v3 09/14] conf, fwd: Check forwarding table for conflicting rules
Message-ID: <20260113002646.5fcf58b2@elisabeth>
In-Reply-To: <20260108022948.2657573-10-david@gibson.dropbear.id.au>
References: <20260108022948.2657573-1-david@gibson.dropbear.id.au> <20260108022948.2657573-10-david@gibson.dropbear.id.au>
Organization: Red Hat
List-Id: Development discussion and patches for passt

On Thu, 8 Jan 2026 13:29:43 +1100 David Gibson wrote:

> It's possible for a user to supply conflicting forwarding parameters, e.g.
>     $ pasta -t 80:8080 -t 127.0.0.1/80:8888
>
> We give a warning in this case, but it's based on the legacy
> forwarding bitmaps. This is too strict, because it will also warn on
> cases that shouldn't conflict because they use different addresses,
> e.g.
>     $ pasta -t 192.0.2.1/80:8080 127.0.0.1/80:8888
>
> Theoretically, it's also too loose because it won't take into account
> auto-scan forwarding rules. We can't hit that in practice now,
> because we only ever have one auto-scan rule and nothing else, but we
> want to remove that restriction in future.
> > Replace the bitmap based check with a check based on actually scanning > the forwarding rules for conflicts. > > Signed-off-by: David Gibson > --- > conf.c | 5 ----- > fwd.c | 21 ++++++++++++++++++++- > inany.c | 19 +++++++++++++++++++ > inany.h | 1 + > 4 files changed, 40 insertions(+), 6 deletions(-) > > diff --git a/conf.c b/conf.c > index 725cf88b..e8d6d5d9 100644 > --- a/conf.c > +++ b/conf.c > @@ -172,11 +172,6 @@ static void conf_ports_range_except(const struct ctx *c, char optname, > for (i = base; i <= last; i++) { > if (exclude && bitmap_isset(exclude, i)) > break; > - > - if (bitmap_isset(fwd->map, i)) { > - warn( > -"Altering mapping of already mapped port number: %s", optarg); > - } > } > > if ((optname == 'T' || optname == 'U') && c->no_bindtodevice) { > diff --git a/fwd.c b/fwd.c > index 70ef73a3..5208155b 100644 > --- a/fwd.c > +++ b/fwd.c > @@ -348,7 +348,7 @@ void fwd_rule_add(struct fwd_ports *fwd, uint8_t flags, > const uint8_t allowed_flags = FWD_WEAK | FWD_SCAN; > unsigned num = (unsigned)last - first + 1; > struct fwd_rule *new; > - unsigned port; > + unsigned i, port; > > ASSERT(!(flags & ~allowed_flags)); 
> > @@ -357,6 +357,25 @@ void fwd_rule_add(struct fwd_ports *fwd, uint8_t flags, > if ((fwd->listen_sock_count + num) > ARRAY_SIZE(fwd->listen_socks)) > die("Too many listening sockets"); > > + /* Check for any conflicting entries */ > + for (i = 0; i < fwd->count; i++) { > + char newstr[INANY_ADDRSTRLEN], rulestr[INANY_ADDRSTRLEN]; > + struct fwd_rule *rule = &fwd->rules[i]; > + > + if (!inany_matches(addr, fwd_rule_addr(rule))) > + /* Non-conflicting addresses */ > + continue; > + > + if (last < rule->first || rule->last < first) > + /* Port ranges don't overlap */ > + continue; > + > + die("Forwarding configuration conflict: %s/%u-%u versus %s/%u-%u", > + inany_ntop(addr, newstr, sizeof(newstr)), first, last, > + inany_ntop(fwd_rule_addr(rule), rulestr, sizeof(rulestr)), > + rule->first, rule->last); Same as comments to earlier places in fwd_rule_add(): we'll eventually trigger this from a client so we should eventually report failure rather than quitting. > + } > + > new = &fwd->rules[fwd->count++]; > new->flags = flags; > > diff --git a/inany.c b/inany.c > index 87a4d8b6..a8c44237 100644 > --- a/inany.c > +++ b/inany.c 
> @@ -21,6 +21,25 @@ > const union inany_addr inany_loopback4 = INANY_INIT4(IN4ADDR_LOOPBACK_INIT); > const union inany_addr inany_any4 = INANY_INIT4(IN4ADDR_ANY_INIT); > > +/** inany_matches - Do two addresses match Nit: "Do [...] match?" > + * @a, @b: IPv[46] addresses (NULL for 0.0.0.0 & ::) > + * > + * Return: true if they match, false otherwise > + * > + * Addresses match themselves, but also with unspecified addresses of the same > + * family. > + */ > +bool inany_matches(const union inany_addr *a, const union inany_addr *b) > +{ > + if (!a || !b) > + return true; > + > + if (inany_is_unspecified(a) || inany_is_unspecified(b)) > + return !!inany_v4(a) == !!inany_v4(b); > + > + return inany_equals(a, b); > +} > + > /** inany_ntop - Convert an IPv[46] address to text format > * @src: IPv[46] address (NULL for unspecified) > * @dst: output buffer, minimum INANY_ADDRSTRLEN bytes > diff --git a/inany.h b/inany.h > index 61b36fb4..b02c2891 100644 > --- a/inany.h > +++ b/inany.h > @@ -293,6 +293,7 @@ static inline void inany_siphash_feed(struct siphash_state *state, > > #define INANY_ADDRSTRLEN MAX(INET_ADDRSTRLEN, INET6_ADDRSTRLEN) > > +bool inany_matches(const union inany_addr *a, const union inany_addr *b); > const char *inany_ntop(const union inany_addr *src, char *dst, socklen_t size); > int inany_pton(const char *src, union inany_addr *dst); > I reviewed up to 10/14 only (I have no comments on that one), I still need a bit of time for the remaining four patches. -- Stefano
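Review bot: in the conf.c hunk, removing the bitmap_isset(fwd->map, i) warning leaves the "for (i = base; i <= last; i++)" loop in conf_ports_range_except() with nothing in its body but the exclude test and its break. If nothing after the loop reads i, the loop can go with the warning; if something does, a one-line comment saying that the loop only locates the first excluded port would make that clear, since the visible context no longer shows why it is there.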
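Review bot: in the second fwd.c hunk, the new conflict check in fwd_rule_add() ends in die(), whereas the check it replaces in conf.c only called warn(), and the commit message does not mention the change in severity. With this hunk, the first example from the commit message ("-t 80:8080 -t 127.0.0.1/80:8888") stops at startup with "Forwarding configuration conflict" instead of continuing with a warning. Please say so explicitly in the commit message, and if overlapping options are meant to remain usable, keep this a warning and skip or replace the conflicting rule rather than exiting.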
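Review bot: in the inany.c hunk, the inany_matches() comment describes matching against "unspecified addresses of the same family", but the first branch, "if (!a || !b) return true;", makes a NULL argument match every address of either family, and the description does not say that. The @a, @b line explains what NULL stands for but not how it compares. Since fwd_rule_add() now uses this result to decide whether two rules conflict, add a sentence to the description along the lines of "NULL matches any address, IPv4 or IPv6", so that callers do not assume the same-family restriction applies to NULL as well.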