From: David Gibson
To: passt-dev@passt.top, Stefano Brivio
Subject: [PATCH v2 7/9] fwd: Always open /proc/net{tcp,tcp6,udp,udp6} in pasta mode
Date: Wed, 11 Mar 2026 23:03:12 +1100
Message-ID: <20260311120314.933546-8-david@gibson.dropbear.id.au>
In-Reply-To: <20260311120314.933546-1-david@gibson.dropbear.id.au>

Currently we open these files only if we have forwarding rules based on the
scanning these are used for. We plan to allow dynamic updates to the
forwarding rules, which could add such a rule after the point
fwd_scan_ports_init() is called. We can't open the /proc files later,
because of our self-isolation. In any case, not opening these files when
unneeded doesn't have very much advantage. So, in anticipation of dynamic
updates, always open these files when in pasta mode.

This also fixes an arguable small bug. To deal with certain protocols like
iperf3, we automatically forward UDP ports if the corresponding TCP ports
are open. However, we only open /proc/net/tcp* if we have TCP port scans.
That means that:
    $ pasta --config-net -T none -U auto
might open different UDP ports than:
    $ pasta --config-net -T auto -U auto
which is surprising behaviour. This change removes that buglet as a side
effect.

Signed-off-by: David Gibson --- fwd.c | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/fwd.c b/fwd.c index 1843ec8b..bedbf98a 100644 --- a/fwd.c +++ b/fwd.c @@ -877,23 +877,19 @@ void fwd_scan_ports_init(struct ctx *c) c->udp.scan_in.scan4 = c->udp.scan_in.scan6 = -1; c->udp.scan_out.scan4 = c->udp.scan_out.scan6 = -1; - if (has_scan_rules(&c->fwd_in, IPPROTO_TCP)) { - c->tcp.scan_in.scan4 = open_in_ns(c, "/proc/net/tcp", flags); - c->tcp.scan_in.scan6 = open_in_ns(c, "/proc/net/tcp6", flags); - } - if (has_scan_rules(&c->fwd_in, IPPROTO_UDP)) { - c->udp.scan_in.scan4 = open_in_ns(c, "/proc/net/udp", flags); - c->udp.scan_in.scan6 = open_in_ns(c, "/proc/net/udp6", flags); - } - if (has_scan_rules(&c->fwd_out, IPPROTO_TCP)) { + if (c->mode == MODE_PASTA) { c->tcp.scan_out.scan4 = open("/proc/net/tcp", flags); c->tcp.scan_out.scan6 = open("/proc/net/tcp6", flags); - } - if (has_scan_rules(&c->fwd_out, IPPROTO_UDP)) { c->udp.scan_out.scan4 = open("/proc/net/udp", flags); c->udp.scan_out.scan6 = open("/proc/net/udp6", flags); + + c->tcp.scan_in.scan4 = open_in_ns(c, "/proc/net/tcp", flags); + c->tcp.scan_in.scan6 = open_in_ns(c, "/proc/net/tcp6", flags); + c->udp.scan_in.scan4 = open_in_ns(c, "/proc/net/udp", flags); + c->udp.scan_in.scan6 = open_in_ns(c, "/proc/net/udp6", flags); + + fwd_scan_ports(c); } - fwd_scan_ports(c); } /* Last time we scanned for open ports */ -- 2.53.0
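
Review bot: fwd_scan_ports(c) moves inside the new "if (c->mode == MODE_PASTA)" block at the end of the hunk, so the initial scan no longer runs outside pasta mode, and the commit message does not mention this. If the call was already a no-op there because the scan fds keep their -1 initial value, please say so in the message; otherwise keep the call unconditional. Separately, none of the eight open() / open_in_ns() results is checked in this hunk. Since the message says the files cannot be opened later because of self-isolation, a failed open here would leave a rule added by a later dynamic update with no scan source, so a warning when any of these returns -1 would make that failure visible at startup.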