From: EJ Campbell
Date: Tue, 2 Jun 2026 18:15:24 -0700
Subject: [PATCH] tap: don't let overheard traffic move addr_seen when serving a fixed address
To: passt-dev@passt.top
Reply-To: ej@campbell.name
List-Id: Development discussion and patches for passt

The latest source address seen on the tap interface (ip4.addr_seen) is taken to be the guest's and is used as the target for inbound port forwarding. The update accepts any source address.

On a point-to-point tap that is always correct. But when the tap sits on a shared L2 segment -- for example when it is bridged together with other hosts -- pasta also sees frames from those other hosts. With a static configuration (-a / address set, DHCP disabled), an overheard frame from another host silently moves addr_seen to that host, and every subsequent inbound forwarded connection is sent there instead of to the guest, so connections are reset or hang.

I hit this running pasta with its tap enslaved to a Linux bridge that also carries other traffic: inbound port forwarding to the guest broke as soon as another address was seen on the segment.

Restrict the update so that, when DHCP is disabled (no_dhcp), only frames sourced from the configured guest address may move addr_seen.
With DHCP enabled -- the default -- behaviour is unchanged, since the guest's address is whatever pasta leases and tracking it is still correct.

The same reasoning applies to ip6.addr_seen on a shared segment; I left IPv6 alone for now since I only exercise IPv4 in this setup, and would be glad to extend it the same way if you prefer.

Signed-off-by: EJ Campbell
---
 tap.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/tap.c b/tap.c
index 4cba4c7..514379e 100644
--- a/tap.c
+++ b/tap.c
@@ -770,7 +770,19 @@ resume: continue; } - if (iph->saddr && c->ip4.addr_seen.s_addr != iph->saddr) + /* The latest source address seen on the tap is taken to be the + * guest's, and becomes the target for inbound forwarding. On a + * point-to-point tap that's always correct. But if the tap sits + * on a shared L2 segment (for example bridged together with + * other hosts) and we serve a fixed address (DHCP disabled), a + * frame overheard from another host on that segment must not + * move addr_seen and silently retarget forwarded connections + * away from the guest. When DHCP is disabled, only the + * configured guest address may update addr_seen; with DHCP + * enabled (the default) behaviour is unchanged. + */ + if (iph->saddr && c->ip4.addr_seen.s_addr != iph->saddr && + (!c->no_dhcp || iph->saddr == c->ip4.addr.s_addr)) c->ip4.addr_seen.s_addr = iph->saddr; if (!iov_drop_header(&data, hlen))

base-commit: 4b2823784aab04a70dfc295b16fd6f0592955790
-- 
2.53.0
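Review bot: the new gate on the `if (iph->saddr && c->ip4.addr_seen.s_addr != iph->saddr &&` line keys on `c->no_dhcp` alone, not on whether a guest address was explicitly configured, so with DHCP disabled but no `-a` the comparison is against whatever `c->ip4.addr` pasta chose by default, and a guest that uses any other address will never be forwarded to again. The commit message describes the scenario as "-a / address set, DHCP disabled"; either also require that the address was set explicitly, or state in the comment and the commit message that with DHCP off the guest is expected to use `c->ip4.addr`, and that addr_seen tracking is effectively disabled in that mode. Style: the ten-line block comment restates the commit message; two lines such as `/* With DHCP disabled the guest address is fixed: don't let a frame overheard on a shared segment move addr_seen */` would be enough. The matching ip6.addr_seen update keeps the old behaviour, as the cover text acknowledges, so the two address families now diverge; a follow-up or a TODO next to the IPv6 update would help.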
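To make the failure mode concrete, here is an added stand-alone model of the addr_seen update rule before and after the proposed change, replayed over a constructed sequence of source addresses as pasta would overhear them on a bridged segment. It is example code, not passt's or the author's; `ctx_model`, `seen_update_old`, `seen_update_new` and `replay` are hypothetical stand-ins for the context fields and the tap.c code path the patch touches, and the frame sequence is made up.

```c
/*
 * Added example, not passt/pasta code. Models the ip4.addr_seen update
 * rule pre-patch and patched, replayed over a constructed sequence of
 * source addresses overheard on a shared L2 segment. All names here are
 * hypothetical stand-ins for the tap.c code the patch touches.
 */
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct ctx_model {
	bool no_dhcp;        /* DHCP disabled: the guest address is fixed */
	uint32_t addr;       /* configured guest address, network byte order */
	uint32_t addr_seen;  /* last source seen; inbound forwarding target */
};

struct replay_result {
	uint32_t final_target;  /* where inbound forwarding ends up pointing */
	int misdirected;        /* frames after which the target was not the guest */
};

/* Pre-patch rule: any non-zero source address moves addr_seen. */
static void seen_update_old(struct ctx_model *c, uint32_t saddr)
{
	if (saddr && c->addr_seen != saddr)
		c->addr_seen = saddr;
}

/* Patched rule: with DHCP disabled, only the configured address may. */
static void seen_update_new(struct ctx_model *c, uint32_t saddr)
{
	if (saddr && c->addr_seen != saddr &&
	    (!c->no_dhcp || saddr == c->addr))
		c->addr_seen = saddr;
}

/* Dotted quad to network-order address; 0 on parse failure. */
static uint32_t ip4(const char *s)
{
	struct in_addr a;

	if (inet_pton(AF_INET, s, &a) != 1)
		return 0;
	return a.s_addr;
}

/*
 * Constructed sequence (not a capture): the guest at 10.0.0.2 sends, a
 * 0.0.0.0 source (e.g. a DHCP discover) is skipped by both rules, then
 * two other hosts on the bridge are overheard around another guest frame.
 */
static const char *const frames[] = {
	"10.0.0.2", "0.0.0.0", "10.0.0.7", "10.0.0.2", "10.0.0.9",
};
#define NFRAMES (sizeof(frames) / sizeof(frames[0]))

static struct replay_result replay(bool no_dhcp, bool patched)
{
	struct ctx_model c = { .no_dhcp = no_dhcp, .addr = ip4("10.0.0.2"),
			       .addr_seen = ip4("10.0.0.2") };
	struct replay_result r = { 0, 0 };
	size_t i;

	for (i = 0; i < NFRAMES; i++) {
		uint32_t saddr = ip4(frames[i]);

		if (patched)
			seen_update_new(&c, saddr);
		else
			seen_update_old(&c, saddr);

		/* A forwarded connection arriving now would go to addr_seen */
		if (c.addr_seen != c.addr)
			r.misdirected++;
	}
	r.final_target = c.addr_seen;
	return r;
}

int main(void)
{
	int dhcp_off, patched;

	for (dhcp_off = 0; dhcp_off < 2; dhcp_off++) {
		for (patched = 0; patched < 2; patched++) {
			struct replay_result r = replay(dhcp_off, patched);
			char buf[INET_ADDRSTRLEN];
			struct in_addr a;

			a.s_addr = r.final_target;
			inet_ntop(AF_INET, &a, buf, sizeof(buf));
			printf("DHCP %s, %s: target %s, misdirected after %d of %zu frames\n",
			       dhcp_off ? "off" : "on", patched ? "patched" : "pre-patch",
			       buf, r.misdirected, NFRAMES);
		}
	}
	return 0;
}
```

With DHCP off, the pre-patch rule ends up forwarding to 10.0.0.9 and misdirects after two of the five frames, while the patched rule keeps the target at 10.0.0.2 throughout; with DHCP on, both rules behave the same, matching the "behaviour is unchanged" claim in the cover text.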