Date: Fri, 29 Nov 2024 14:33:33 +1100
From: David Gibson
To: Jon Maloy
Cc: passt-dev@passt.top, sbrivio@redhat.com, lvivier@redhat.com, dgibson@redhat.com
Subject: Re: [PATCH] pasta: make it possible to disable socket splicing
References: <20241129004532.2514834-1-jmaloy@redhat.com>

On Thu, Nov 28, 2024 at 08:21:23PM -0500, Jon Maloy wrote:
> 
> 
> On 2024-11-28 19:45, Jon Maloy wrote:
> > During testing it is sometimes useful to force traffic which would
> > normally be forwarded by socket splicing through the tap interface.
> > 
> > In this commit, we add a command switch making it possible to disable
> > splicing for inbound local traffic.
> > 
> > For outbound local traffic this seems to be much trickier, so I leave
> > that for a possible later commit.
> I am looking for more input here.
> 
> David suggested that I simply don't re-bind any sockets inwards towards
> the local namespace, so that all outbound traffic would use the default
> route and be forced to go via the tap interface.
> 
> I tried this, and realized it won't work. Outgoing traffic using INADDR_ANY
> or loopback address will never be routed via the default route; if it
> doesn't
> find the destination port in the local name space it will simply return with
> 'connection refused'. There is no nice way to force such traffic via the
> default
> route, as far as I understand.

Right. I think the confusion here is because splicing kind of does two
things. First, it takes some cases that would work with tap, but
optimises them. Second it makes some cases possible that aren't
possible with just the tap interface: specifically redirecting guest
side traffic with destination 0.0.0.0 or 127.0.0.1/8.

I've been assuming that a --no-splice option would disable both cases.
So traffic that *can* be redirected via tap instead would be, but
things that are only possible with splice would just be disallowed.
The latter has the arguable advantage that it eliminates the (small)
network behavioural differences between pasta and passt mode.

> I am even questioning if it is necessary: If the port is bound on the host,
> the client only needs to use some of the non-loopback addresses on the
> host to reach it via the tap interface.

Right. In fact with both --no-splice as per your draft, and no -T and
-U options, I don't think any use of splice is possible. We could
maybe put a test in fwd_nat_from_splice() to check.

> 
> ///jon
> 
> > Suggested-by: David Gibson
> > Signed-off-by: Jon Maloy
> > ---
> >  conf.c  | 5 +++++
> >  fwd.c   | 2 +-
> >  passt.h | 1 +
> >  3 files changed, 7 insertions(+), 1 deletion(-)
> > 
> > diff --git a/conf.c b/conf.c
> > index eaa7d99..8d58652 100644
> > --- a/conf.c
> > +++ b/conf.c
> > @@ -890,6 +890,7 @@ static void usage(const char *name, FILE *f, int status)
> >  	"  --no-ndp		Disable NDP responses\n"
> >  	"  --no-dhcpv6		Disable DHCPv6 server\n"
> >  	"  --no-ra		Disable router advertisements\n"
> > +	"  --no-splice		Disable outbound socket splicing\n"
> >  	"  --freebind		Bind to any address for forwarding\n"
> >  	"  --no-map-gw		Don't map gateway address to host\n"
> >  	"  -4, --ipv4-only	Enable IPv4 operation only\n"
> > @@ -1319,6 +1320,7 @@ void conf(struct ctx *c, int argc, char **argv)
> >  		{"no-dhcpv6",	no_argument,		&c->no_dhcpv6,	1 },
> >  		{"no-ndp",	no_argument,		&c->no_ndp,	1 },
> >  		{"no-ra",	no_argument,		&c->no_ra,	1 },
> > +		{"no-splice",	no_argument,		&c->no_splice,	1 },
> >  		{"freebind",	no_argument,		&c->freebind,	1 },
> >  		{"no-map-gw",	no_argument,		&no_map_gw,	1 },
> >  		{"ipv4-only",	no_argument,		NULL,		'4' },
> > @@ -1756,6 +1758,9 @@ void conf(struct ctx *c, int argc, char **argv)
> >  		}
> >  	} while (name != -1);
> >  
> > +	if (c->mode == MODE_PASST)
> > +		c->no_splice = 1;
> > +
> >  	if (c->mode == MODE_PASTA && !c->pasta_conf_ns) {
> >  		if (copy_routes_opt)
> >  			die("--no-copy-routes needs --config-net");
> > diff --git a/fwd.c b/fwd.c
> > index 0b7f8b1..2829cd2 100644
> > --- a/fwd.c
> > +++ b/fwd.c
> > @@ -443,7 +443,7 @@ uint8_t fwd_nat_from_host(const struct ctx *c, uint8_t proto,
> >  	else if (proto == IPPROTO_UDP)
> >  		tgt->eport += c->udp.fwd_in.delta[tgt->eport];
> >  
> > -	if (c->mode == MODE_PASTA && inany_is_loopback(&ini->eaddr) &&
> > +	if (!c->no_splice && inany_is_loopback(&ini->eaddr) &&
> >  	    (proto == IPPROTO_TCP || proto == IPPROTO_UDP)) {
> >  		/* spliceable */
> > diff --git a/passt.h b/passt.h
> > index c038630..0271e7c 100644
> > --- a/passt.h
> > +++ b/passt.h
> > @@ -291,6 +291,7 @@ struct ctx {
> >  	int no_dhcpv6;
> >  	int no_ndp;
> >  	int no_ra;
> > +	int no_splice;
> >  	int host_lo_to_ns_lo;
> >  	int freebind;
> 

-- 
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson
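Review bot: in the usage() hunk of conf.c, the new help line `"  --no-splice		Disable outbound socket splicing\n"` names the opposite direction from the commit message, which says the switch disables splicing for inbound local traffic and leaves outbound for later; the only functional change is in fwd_nat_from_host(), the host-to-namespace path. Pick one wording for both places: `Disable inbound socket splicing` for the scope this patch actually has, or plain `Disable socket splicing` if the option is extended to cover both directions as the discussion above assumes.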
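Review bot: in the third conf.c hunk, `if (c->mode == MODE_PASST) c->no_splice = 1;` is what keeps the fwd.c change equivalent to the old `c->mode == MODE_PASTA` test, but the two are only equivalent if MODE_PASST is the sole non-pasta mode; `if (c->mode != MODE_PASTA)` states the intent directly and stays correct if any other mode exists or is added later. Separately, --no-splice is accepted in passt mode and then silently forced on anyway, so a user passing it there gets no feedback; either reject it outside pasta mode or say in usage() that it is pasta-only.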
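Review bot: the fwd.c hunk only changes the condition in fwd_nat_from_host(), so the flag has no effect on any other path that can reach a spliced connection. The reply above argues that with --no-splice and no -T/-U options no spliced path should remain; a check in fwd_nat_from_splice() that c->no_splice is not set, as suggested there, would turn that expectation into something the code enforces instead of something the reader has to infer.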
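Review bot: in the passt.h hunk, `int no_splice;` is added among the other `no_*` flags without any note that, unlike them, it is forced on in passt mode by conf(); a one-line comment on the field (or an entry in the struct's documentation block, if struct ctx has one) would save the next reader a grep through conf.c to learn why the mode check disappeared from fwd.c.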