Re: [PATCH v3 0/2] Reconstruct ICMP headers for failed UDP connect

[David Gibson <david@gibson.dropbear.id.au>]

[-- Attachment #1: Type: text/plain, Size: 2505 bytes --]

On Wed, Feb 19, 2025 at 02:30:05PM -0500, Jon Maloy wrote:
> Reconstruct incoming ICMP headers for failed UDP connect and forward back
> to local peer.
> 
> v2: - Added patch breaking out udp header creation from function
>       tap_udp4_send().
>     - Updated the ICMP creation by using the new function.
>     - Added logics to find correct flow, depending on origin.
>     - All done after feedback from David Gibson.
> v3: - More changes after feedback from David Gibson.

I gave this a test.  The outbound "connection" version works nicely:

$ ./pasta --config-net socat STDIO UDP4:<gw address>:9999
Multiple default IPv4 routes, picked first
Multiple default IPv6 routes, picked first
qwer
2025/02/20 14:39:08 socat[1] E read(5, 0x55c12494f000, 8192): Connection refused

I also tried with an inbound "connection" to test the handling of
errors on listening sockets.  There I,

	1. Start a server in pasta
	2. Connect and write with a client on the host
	3. Kill the client
	4. Attempt to more data from the server

Without pasta in the way, this gives a similar Connection refused
error on the server socat.  With pasta in the way, it doesn't, even
with this patch.

Looking at an strace I suspect the problem is that the kernel doesn't
deliver EPOLLERR events to non-connect()ed sockets for ICMPs, so pasta
never knows to look for an error.  It think it works for plain socat,
because it - even in server mode - connect()s its socket.  pasta
doesn't however, and just sends the outbound packets via the original
"listening" socket.

The only way I can see to fix this would be to create connect()ed
sockets for both ends of a flow when we establish it.  I _think_ we can
have the listening and connected socket concurrently (at least with
REUSEADDR) with the connect()ed socket taking priority when it
matches.

However, it does have a complication: there's a brief time window
between bind() and connect() on the new socket, when it might pick up
packets that should go to the original listening socket.  We'd need to
decide what to do with that case.

In any case, it kind of looks like there's not much point trying to
handle error events on the listening socket (beyond a debug()
message), since I'm not sure such events are ever delivered.

-- 
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]