Date: Tue, 11 Oct 2022 11:05:23 +1100
From: David Gibson
To: Stefano Brivio
Cc: passt-dev@passt.top
Subject: Re: [PATCH] udp: Fix port and address checks for DNS forwarder

On Mon, Oct 10, 2022 at 10:21:09AM +0200, Stefano Brivio wrote:
> First off, as we swap endianness for source ports in
> udp_fill_data_v{4,6}(), we want host endianness, not network
> endianness. It doesn't actually matter if we use htons() or ntohs()
> here, but the current version is confusing.
>
> In the IPv4 path, when we remap DNS answers, we already swapped the
> endianness as needed for the source port: don't swap it again,
> otherwise we'll not map DNS answers for IPv4.
>
> In the IPv6 path, when we remap DNS answers, we want to check that
> they came from our upstream DNS server, not the one configured via
> --dns-forward (which doesn't even need to exist for this
> functionality to work).

Reviewed-by: David Gibson

..although you appear to have forgotten your S-o-b on this one.
> ---
>  udp.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/udp.c b/udp.c
> index cac9c65..4b201d3 100644
> --- a/udp.c
> +++ b/udp.c
> @@ -678,7 +678,7 @@ static void udp_sock_fill_data_v4(const struct ctx *c, int n,
>  		b->iph.tot_len = htons(ip_len);
>  
>  		src = ntohl(b->s_in.sin_addr.s_addr);
> -		src_port = htons(b->s_in.sin_port);
> +		src_port = ntohs(b->s_in.sin_port);
>  
>  		if (src >> IN_CLASSA_NSHIFT == IN_LOOPBACKNET ||
>  		    src == INADDR_ANY || src == ntohl(c->ip4.addr_seen)) {
> @@ -693,7 +693,7 @@ static void udp_sock_fill_data_v4(const struct ctx *c, int n,
>  
>  			bitmap_set(udp_act[V4][UDP_ACT_TAP], src_port);
>  		} else if (c->ip4.dns_fwd &&
> -			   src == ntohl(c->ip4.dns[0]) && ntohs(src_port) == 53) {
> +			   src == htonl(c->ip4.dns[0]) && src_port == 53) {
>  			b->iph.saddr = c->ip4.dns_fwd;
>  		} else {
>  			b->iph.saddr = b->s_in.sin_addr.s_addr;
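Review bot: in the second hunk the conversion on c->ip4.dns[0] is switched from ntohl() to htonl(), which cuts against the consistency the commit message argues for. `src` is in host order (`src = ntohl(b->s_in.sin_addr.s_addr)` in the first hunk) and the same function compares it with `ntohl(c->ip4.addr_seen)`, while `b->iph.saddr = c->ip4.dns_fwd` copies a c->ip4 field straight into a network-order header field, so the c->ip4 addresses appear to be stored in network order and `src == ntohl(c->ip4.dns[0])` is the spelling that matches. On little-endian hosts htonl() and ntohl() are the same byte swap, so behaviour is unchanged, but the mixed spelling reintroduces the confusion this patch sets out to remove; suggest keeping ntohl() and limiting this hunk to the `src_port == 53` fix.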
> @@ -795,7 +795,7 @@ static void udp_sock_fill_data_v6(const struct ctx *c, int n,
>  
>  			bitmap_set(udp_act[V6][UDP_ACT_TAP], src_port);
>  		} else if (!IN6_IS_ADDR_UNSPECIFIED(&c->ip6.dns_fwd) &&
> -			   IN6_ARE_ADDR_EQUAL(src, &c->ip6.dns_fwd) && src_port == 53) {
> +			   IN6_ARE_ADDR_EQUAL(src, &c->ip6.dns[0]) && src_port == 53) {
>  			b->ip6h.daddr = c->ip6.addr_seen;
>  			b->ip6h.saddr = c->ip6.dns_fwd;
>  		} else {

-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson
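Review bot: in the IPv6 hunk the source is now matched against c->ip6.dns[0] only, so if more than one upstream resolver is configured in c->ip6.dns, answers from any entry other than the first fall through to the final `else` branch and are not rewritten to c->ip6.dns_fwd; the IPv4 hunk's `c->ip4.dns[0]` has the same first-entry-only behaviour. Either match against every configured entry or document in a comment that only the first upstream server is remapped. Keeping the `!IN6_IS_ADDR_UNSPECIFIED(&c->ip6.dns_fwd)` guard is right, since dns_fwd is the address written into `b->ip6h.saddr` and must exist even though, as the commit message says, it need not be a reachable server.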