Date: Mon, 18 Sep 2023 12:26:03 +1000
From: David Gibson
To: Nikolay Edigaryev
CC: passt-dev@passt.top
Subject: Re: [PATCH] arp: only send ARP replies for --gateway address
In-Reply-To: <20230915142045.73457-1-edigaryev@gmail.com>
List-Id: Development discussion and patches for passt

On Fri, Sep 15, 2023 at 06:20:45PM +0400, Nikolay Edigaryev wrote:
> Problem: when passt/pasta are working in a broadcast domain with more
> than one host machine,

Oof.  So, at present, passt/pasta is really not designed to have more
than a single machine on the "tap" side.  Changing the ARP behaviour
is likely to be the least of the problems with that setup.

I do have plans to change that so we can handle multiple logical guest
side machines, but accomplishing that is a ways off.

> it will answer for all of these machines,
> except for the one having --address. This is akin to ARP spoofing
> and breaks connection with these machines if passt/pasta ARP reply
> arrives before the original one.
>
> Solution: only be responsible and send ARP replies
> for the --gateway's address.
> --- > arp.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) >=20 > diff --git a/arp.c b/arp.c > index a35c1b6..f873491 100644 > --- a/arp.c > +++ b/arp.c > @@ -67,8 +67,8 @@ int arp(const struct ctx *c, const struct pool *p) > !memcmp(am->sip, am->tip, sizeof(am->sip))) > return 1; > =20 > - /* Don't resolve our own address, either. */ > - if (!memcmp(am->tip, &c->ip4.addr, sizeof(am->tip))) > + /* Don't resolve anything but gateway address. */ > + if (memcmp(am->tip, &c->ip4.gw, sizeof(am->tip)) !=3D 0) > return 1; > =20 > ah->ar_op =3D htons(ARPOP_REPLY);

-- 
David Gibson                    | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you. NOT _the_ _other_
                                | _way_ _around_!
http://www.ozlabs.org/~dgibson
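
Review bot: the replacement condition `memcmp(am->tip, &c->ip4.gw, sizeof(am->tip)) != 0` in arp() now returns early for every target except the gateway, whereas the removed check only skipped the `c->ip4.addr` target, so a guest that ARPs for any other on-link address no longer gets a reply. The commit message covers only the multi-host broadcast-domain case; it should also state what happens to those lookups in the single-guest setup, or the stricter behaviour could be made optional. On style, the neighbouring checks in this function use the bare `!memcmp(...)` form, so `if (memcmp(am->tip, &c->ip4.gw, sizeof(am->tip)))` without the explicit `!= 0` would match them. The diffstat shows only arp.c touched, so no documentation accompanies the behaviour change.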