From: David Gibson
To: Jon Maloy
Cc: passt-dev@passt.top, sbrivio@redhat.com, lvivier@redhat.com, dgibson@redhat.com
Date: Thu, 20 Feb 2025 14:47:45 +1100
Subject: Re: [PATCH v3 0/2] Reconstruct ICMP headers for failed UDP connect

On Wed, Feb 19, 2025 at 02:30:05PM -0500, Jon Maloy wrote:
> Reconstruct incoming ICMP headers for failed UDP connect and forward back
> to local peer.
>
> v2: - Added patch breaking out udp header creation from function
>       tap_udp4_send().
>     - Updated the ICMP creation by using the new function.
>     - Added logics to find correct flow, depending on origin.
>     - All done after feedback from David Gibson.
> v3: - More changes after feedback from David Gibson.

I gave this a test.  The outbound "connection" version works nicely:

    $ ./pasta --config-net socat STDIO UDP4::9999
    Multiple default IPv4 routes, picked first
    Multiple default IPv6 routes, picked first
    qwer
    2025/02/20 14:39:08 socat[1] E read(5, 0x55c12494f000, 8192): Connection refused

I also tried with an inbound "connection" to test the handling of
errors on listening sockets.  There I,
  1. Start a server in pasta
  2. Connect and write with a client on the host
  3. Kill the client
  4. Attempt to send more data from the server

Without pasta in the way, this gives a similar Connection refused
error on the server socat.  With pasta in the way, it doesn't, even
with this patch.

Looking at an strace I suspect the problem is that the kernel doesn't
deliver EPOLLERR events to non-connect()ed sockets for ICMPs, so pasta
never knows to look for an error.  I think it works for plain socat,
because it - even in server mode - connect()s its socket.  pasta
doesn't however, and just sends the outbound packets via the original
"listening" socket.

The only way I can see to fix this would be to create connect()ed
sockets for both ends of a flow when we establish it.  I _think_ we
can have the listening and connected socket concurrently (at least
with REUSEADDR) with the connect()ed socket taking priority when it
matches.  However, it does have a complication: there's a brief time
window between bind() and connect() on the new socket, when it might
pick up packets that should go to the original listening socket.  We'd
need to decide what to do with that case.

In any case, it kind of looks like there's not much point trying to
handle error events on the listening socket (beyond a debug()
message), since I'm not sure such events are ever delivered.

-- 
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson
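
The behaviour suspected in the message above can be checked in isolation with the C program below. It is an added example, not code from the message or from passt, and its helper names are hypothetical. It assumes Linux, IPv4 loopback and plain UDP sockets with default options (no IP_RECVERR), and compares a connect()ed socket with an unconnected one after each sends a datagram to a closed port.

```c
#include <errno.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Added example (Linux, IPv4 loopback, default socket options).  Hypothetical
 * helper: bind an ephemeral UDP port, note it, close it: nobody listens there. */
static int closed_port(void)
{
	struct sockaddr_in a = { .sin_family = AF_INET };
	socklen_t l = sizeof(a);
	int s = socket(AF_INET, SOCK_DGRAM, 0), port = -1;
	a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	if (!bind(s, (struct sockaddr *)&a, l) && !getsockname(s, (struct sockaddr *)&a, &l))
		port = ntohs(a.sin_port);
	close(s);
	return port;
}

/* Send one datagram to the closed port, then poll for an error event.  Returns
 * SO_ERROR if POLLERR is reported, 0 if nothing arrives in 300ms, -1 on failure. */
int icmp_error_seen(int use_connect)
{
	struct sockaddr_in dst = { .sin_family = AF_INET };
	struct pollfd pfd = { .events = POLLIN };
	int port = closed_port(), err = -1;
	socklen_t el = sizeof(err);
	if (port < 0 || (pfd.fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
		return -1;
	dst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	dst.sin_port = htons(port);
	if (use_connect && connect(pfd.fd, (struct sockaddr *)&dst, sizeof(dst)))
		goto out;
	if (sendto(pfd.fd, "x", 1, 0, (struct sockaddr *)&dst, sizeof(dst)) != 1)
		goto out;
	err = 0;
	if (poll(&pfd, 1, 300) > 0 && (pfd.revents & POLLERR))
		getsockopt(pfd.fd, SOL_SOCKET, SO_ERROR, &err, &el);
out:
	close(pfd.fd);
	return err;
}

int main(void)
{
	return printf("connect()ed: %d, unconnected: %d\n",
		      icmp_error_seen(1), icmp_error_seen(0)) < 0;
}
```

The connect()ed socket reports ECONNREFUSED through POLLERR, while the unconnected socket sees no error event before the timeout.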