From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from gandalf.ozlabs.org (mail.ozlabs.org [IPv6:2404:9400:2221:ea00::3])
	by passt.top (Postfix) with ESMTPS id B19F45A026A
	for <passt-dev@passt.top>; Mon, 27 Feb 2023 14:29:57 +0100 (CET)
Received: by gandalf.ozlabs.org (Postfix, from userid 1007)
	id 4PQLvg5y5Kz4xDv; Tue, 28 Feb 2023 00:29:51 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gibson.dropbear.id.au; s=201602; t=1677504591;
	bh=BScs5JczDox4QXzWpD/8ZnqiXdwz9QSz87ZfYw7HKeg=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
	b=afmu5fcYblhulx+YvfbF9AfalOeFrYXf9QjZ3EwZOBFc05Dz67okXPFJd7ncGENTT
	 9QcAMGCdENX72MsQ4sigkUM44zcSW8YLPEhVYmdDapP5E+Zkw2Q8IWLhyykleZNr3c
	 K3OZ4gNVbl21aqUdPpcz3Y6IExmd+6OjQPXiNBuY=
Date: Mon, 27 Feb 2023 23:07:31 +1100
From: David Gibson <david@gibson.dropbear.id.au>
To: Stefano Brivio <sbrivio@redhat.com>
Subject: Re: [PATCH 3/3] conf, udp: Allow any loopback address to be used as
 resolver
Message-ID: <Y/ydA39RpSGSLvxG@yekko>
References: <20230223170800.3888094-1-sbrivio@redhat.com>
 <20230223170800.3888094-4-sbrivio@redhat.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="T0lmnq/RUackzlzv"
Content-Disposition: inline
In-Reply-To: <20230223170800.3888094-4-sbrivio@redhat.com>
Message-ID-Hash: KDCXTC43W4CV4JEL25BAIIWJ4GE2A7FZ
X-Message-ID-Hash: KDCXTC43W4CV4JEL25BAIIWJ4GE2A7FZ
X-MailFrom: dgibson@gandalf.ozlabs.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: passt-dev@passt.top, Andrea Bolognani <abologna@redhat.com>
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/Y/ydA39RpSGSLvxG@yekko/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/KDCXTC43W4CV4JEL25BAIIWJ4GE2A7FZ/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>


--T0lmnq/RUackzlzv
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Feb 23, 2023 at 06:08:00PM +0100, Stefano Brivio wrote:
> Andrea reports that with a Fedora 37 guest running on a Fedora 37
> host, both using systemd-resolved, with passt connecting them,
> running with default options, DNS queries don't work.
>=20
> systemd-resolved on the host is reachable only at the loopback
> address 127.0.0.53.
>=20
> We advertise the default gateway address to the guest as resolver,
> because our local address is of course unreachable from there, which
> means we see DNS queries directed to the default gateway, and we
> redirect them to 127.0.0.1. However, systemd-resolved doesn't answer
> on 127.0.0.1.
>=20
> To fix this, set @dns_match to the address of the default gateway,
> unless a different resolver address is explicitly configured, so that
> we know we explicitly have to map DNS queries, in this case, to the
> address of the local resolver.
>=20
> This means that in udp_tap_handler() we need to check, first, if
> the destination address of packets matches @dns_match: even if it's
> the address of the local gateway, we want to map that to a specific
> address, which isn't necessarily 127.0.0.1.
>=20
> Do the same for IPv6 for consistency, even though IPv6 defines a
> single loopback address.
>=20
> Reported-by: Andrea Bolognani <abologna@redhat.com>
> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

Reviewed-by: David Gibson <david@gibson.dropbear.id.au>

> ---
>  conf.c |  6 ++++++
>  udp.c  | 20 ++++++++++----------
>  2 files changed, 16 insertions(+), 10 deletions(-)
>=20
> diff --git a/conf.c b/conf.c
> index ed25e35..37f25d6 100644
> --- a/conf.c
> +++ b/conf.c
> @@ -395,6 +395,9 @@ static void add_dns4(struct ctx *c, struct in_addr *a=
ddr, struct in_addr **conf)
>  		if (!c->no_map_gw) {
>  			**conf =3D c->ip4.gw;
>  			(*conf)++;
> +
> +			if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.dns_match))
> +				c->ip4.dns_match =3D c->ip4.gw;
>  		}
>  	} else {
>  		**conf =3D *addr;
> @@ -419,6 +422,9 @@ static void add_dns6(struct ctx *c,
>  		if (!c->no_map_gw) {
>  			memcpy(*conf, &c->ip6.gw, sizeof(**conf));
>  			(*conf)++;
> +
> +			if (IN6_IS_ADDR_UNSPECIFIED(&c->ip6.dns_match))
> +				memcpy(&c->ip6.dns_match, addr, sizeof(*addr));
>  		}
>  	} else {
>  		memcpy(*conf, addr, sizeof(**conf));
> diff --git a/udp.c b/udp.c
> index 1d65559..20a9ea0 100644
> --- a/udp.c
> +++ b/udp.c
> @@ -857,17 +857,16 @@ int udp_tap_handler(struct ctx *c, int af, const vo=
id *addr,
> =20
>  		udp_tap_map[V4][src].ts =3D now->tv_sec;
> =20
> -		if (IN4_ARE_ADDR_EQUAL(&s_in.sin_addr, &c->ip4.gw) &&
> -		    !c->no_map_gw) {
> +		if (IN4_ARE_ADDR_EQUAL(&s_in.sin_addr, &c->ip4.dns_match) &&
> +		    ntohs(s_in.sin_port) =3D=3D 53) {
> +			s_in.sin_addr =3D c->ip4.dns_host;
> +		} else if (IN4_ARE_ADDR_EQUAL(&s_in.sin_addr, &c->ip4.gw) &&
> +			   !c->no_map_gw) {
>  			if (!(udp_tap_map[V4][dst].flags & PORT_LOCAL) ||
>  			    (udp_tap_map[V4][dst].flags & PORT_LOOPBACK))
>  				s_in.sin_addr.s_addr =3D htonl(INADDR_LOOPBACK);
>  			else
>  				s_in.sin_addr =3D c->ip4.addr_seen;
> -		} else if (IN4_ARE_ADDR_EQUAL(&s_in.sin_addr,
> -					      &c->ip4.dns_match) &&
> -			   ntohs(s_in.sin_port) =3D=3D 53) {
> -			s_in.sin_addr =3D c->ip4.dns_host;
>  		}
>  	} else {
>  		s_in6 =3D (struct sockaddr_in6) {
> @@ -880,7 +879,11 @@ int udp_tap_handler(struct ctx *c, int af, const voi=
d *addr,
>  		sa =3D (struct sockaddr *)&s_in6;
>  		sl =3D sizeof(s_in6);
> =20
> -		if (IN6_ARE_ADDR_EQUAL(addr, &c->ip6.gw) && !c->no_map_gw) {
> +		if (IN6_ARE_ADDR_EQUAL(addr, &c->ip6.dns_match) &&
> +		    ntohs(s_in6.sin6_port) =3D=3D 53) {
> +			s_in6.sin6_addr =3D c->ip6.dns_host;
> +		} else if (IN6_ARE_ADDR_EQUAL(addr, &c->ip6.gw) &&
> +			   !c->no_map_gw) {
>  			if (!(udp_tap_map[V6][dst].flags & PORT_LOCAL) ||
>  			    (udp_tap_map[V6][dst].flags & PORT_LOOPBACK))
>  				s_in6.sin6_addr =3D in6addr_loopback;
> @@ -888,9 +891,6 @@ int udp_tap_handler(struct ctx *c, int af, const void=
 *addr,
>  				s_in6.sin6_addr =3D c->ip6.addr;
>  			else
>  				s_in6.sin6_addr =3D c->ip6.addr_seen;
> -		} else if (IN6_ARE_ADDR_EQUAL(addr, &c->ip6.dns_match) &&
> -			   ntohs(s_in6.sin6_port) =3D=3D 53) {
> -			s_in6.sin6_addr =3D c->ip6.dns_host;
>  		} else if (IN6_IS_ADDR_LINKLOCAL(&s_in6.sin6_addr)) {
>  			bind_addr =3D &c->ip6.addr_ll;
>  		}

--=20
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson

--T0lmnq/RUackzlzv
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEO+dNsU4E3yXUXRK2zQJF27ox2GcFAmP8nP0ACgkQzQJF27ox
2GdfsBAAqXaL3NRKZ/MskjaoiRoBK8TJ2cJEzMLKAkEYl8U4DDBkCHcyKmlZ8orV
is5IEt275oegiTmgZWkCdhzJRUdXIu+wyOZYDa1DgpIIzAz6/nd+mKRrGXuKQtt6
OWh6ZSkjdPgsayKW/cRj8EaTOtifSs7zt3zGH3gZgel9qwhdwzmdM2WxN7VewrYC
V4MM8xM2vaDzDMBHY2gH8RrlRmTO2+2kNAwZjGE0xLd9oziCNI97GXEgeFwIbvxK
zAp2pNlNC4A4JdGfrMuX+AUVMEGb6YaX8HgQAD13eH67d0qHN0PFBYncjerKFUse
u2hSfnkOAWL4mT7C6RYkBxNFcbw+4X4bT2xJAXseCCT3N1LypxZyH5yS6TiZ9shu
ASGoK3tOXhTfn6GaRgvbKT9PMvHg9Mbo37x8uuHmqQ5cw71iML1YrXpxjtzG5M/G
pZq2w4ibALAfgSjt5RZ5qqG9XKyWGm1D2Ue/hAs60CZyf5UbxB251KfggjB2Jhz0
h3hTfNRM9d8Mv+De4NKIypeUQoeOEvOTJuVn4l68ApH4XFUK+E97KMl4tSNYPmCt
igXLRTdplvtpTP7pMppOK7w3/URYHMR44scyN5VwdeZNp6iel3FrXKQ8RQmop6cO
8VmNAKBR9yCwaU985ojM/6OfaM7TtHAwtCMukpikObLpif17tVw=
=XOaQ
-----END PGP SIGNATURE-----

--T0lmnq/RUackzlzv--