From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: passt.top; dmarc=none (p=none dis=none) header.from=gibson.dropbear.id.au
Authentication-Results: passt.top;
	dkim=pass (2048-bit key; secure) header.d=gibson.dropbear.id.au header.i=@gibson.dropbear.id.au header.a=rsa-sha256 header.s=202602 header.b=Jx+67kyX;
	dkim-atps=neutral
Received: from mail.ozlabs.org (mail.ozlabs.org [IPv6:2404:9400:2221:ea00::3])
	by passt.top (Postfix) with ESMTPS id 420855A0265
	for <passt-dev@passt.top>; Fri, 15 May 2026 10:24:39 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gibson.dropbear.id.au; s=202602; t=1778833476;
	bh=DkJ1ZtWk95XP2qkE0X4v/yzWDryNy35UCuj/RtiApUk=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=Jx+67kyXfyYvHMqkzy2eH6+YlXSYul/TA5v7Z4vazijkfREcYcrXM05B8v44+ih55
	 2kzbQsj3KBZT6rOA587HANzCCyt033+MIN/5nh9M1fI3ySTQ97F51fGDLoTpxGJu0O
	 7qU0g5HLJL7o8qBkrZjFBqrhl8eYKzTG34MmYHKWbQHd/L/ABRIQOVsTHhmYeMRTse
	 HWLpomConN+cnLNtl2yuS4NKRWhMfjshHjoSw0ZtmU2nNn30V8gGGKtCAoTGWY1D0y
	 n6a564XkppWmIz+84T2kVPERiyAqyNeBxN+v2KQp8yavbBJ4q3vwAhzXAXfoAN5v6M
	 JRqqhB1LDcUSA==
Received: by gandalf.ozlabs.org (Postfix, from userid 1007)
	id 4gH0c43FgBz4vyc; Fri, 15 May 2026 18:24:36 +1000 (AEST)
From: David Gibson <david@gibson.dropbear.id.au>
To: passt-dev@passt.top,
	Stefano Brivio <sbrivio@redhat.com>
Subject: [PATCH 1/2] fwd_rule: Don't attempt dual stack listen()s if only one IP family
Date: Fri, 15 May 2026 18:24:33 +1000
Message-ID: <20260515082434.630175-2-david@gibson.dropbear.id.au>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <20260515082434.630175-1-david@gibson.dropbear.id.au>
References: <20260515082434.630175-1-david@gibson.dropbear.id.au>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-ID-Hash: TOA7XF5KM6LTZYJW6J7T4SSRK644BCXB
X-Message-ID-Hash: TOA7XF5KM6LTZYJW6J7T4SSRK644BCXB
X-MailFrom: dgibson@gandalf.ozlabs.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: j.d03@cpc.cx, David Gibson <david@gibson.dropbear.id.au>
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/20260515082434.630175-2-david@gibson.dropbear.id.au/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/TOA7XF5KM6LTZYJW6J7T4SSRK644BCXB/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

With the recent rework to forwarding configuration, we're stricter about
what forwarding rules we allow.  In particular we don't allow dual stack
forwards (listening on both IPv4 and IPv6 addresses) if we only have one
IP family enabled.

This makes what I think was a pre-existing minor bug into a nasty failure.
If we use default forwards with no address specified, e.g.:
    $ pasta -t 1234 -4
    $ pasta -U 4321 -6
these are interpreted as dual-stack forwards.  Previously these would be
applied, leading to a surprising dual stack socket.  Since 0aeda87ca185,
they instead result in an immediate fatal error.

Add logic to interpret a default "any" address as only one IP family if
only one IP family is enabled.

Link: https://bugs.passt.top/show_bug.cgi?id=205
Reported-by: <j.d03@cpc.cx>
Fixes: 0aeda87ca185 ("conf, fwd: Stricter rule checking in fwd_rule_add()")
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
---
 fwd_rule.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/fwd_rule.c b/fwd_rule.c
index 5fc04d76..cb37a990 100644
--- a/fwd_rule.c
+++ b/fwd_rule.c
@@ -650,8 +650,9 @@ bad:
 void fwd_rule_parse(char optname, bool del, const char *optarg,
 		    struct fwd_table *fwd)
 {
-	union inany_addr addr_buf = inany_any6, *addr = &addr_buf;
 	char buf[BUFSIZ], *spec, *ifname = NULL;
+	union inany_addr addr_buf = inany_any6;
+	const union inany_addr *addr = &addr_buf;
 	uint8_t proto;
 
 	if (optname == 't' || optname == 'T')
@@ -708,7 +709,7 @@ void fwd_rule_parse(char optname, bool del, const char *optarg,
 				p++;
 			}
 
-			if (!inany_pton(p, addr))
+			if (!inany_pton(p, &addr_buf))
 				die("Bad forwarding address '%s'", p);
 		}
 	} else {
@@ -741,6 +742,12 @@ void fwd_rule_parse(char optname, bool del, const char *optarg,
 		ifname = "lo";
 	}
 
+	/* No need for dual stack if we only have one IP version */
+	if (!addr && !(fwd->caps & FWD_CAP_IPV4))
+		addr = &inany_any6;
+	else if (!addr && !(fwd->caps & FWD_CAP_IPV6))
+		addr = &inany_any4;
+
 	if (ifname && !(fwd->caps & FWD_CAP_IFNAME)) {
 		die(
 "Device binding for '-%c %s' unsupported (requires kernel 5.7+)",
-- 
2.54.0