Date: Mon, 14 Apr 2025 12:05:30 +1000
From: David Gibson
To: Stefano Brivio
CC: passt-dev@passt.top, Andrew Sayers, Paul Holzinger
Subject: Re: [PATCH 1/2] conf: Split add_dns_resolv() into separate IPv4 and IPv6 versions
References: <20250411091439.2943014-1-sbrivio@redhat.com> <20250411091439.2943014-2-sbrivio@redhat.com>
In-Reply-To: <20250411091439.2943014-2-sbrivio@redhat.com>
List-Id: Development discussion and patches for passt

On Fri, Apr 11, 2025 at 11:14:38AM +0200, Stefano Brivio wrote:
> Not really valuable by itself, but dropping one level of nested blocks
> makes the next change more convenient.
>
> No functional changes intended.
>
> Signed-off-by: Stefano Brivio

Reviewed-by: David Gibson

Not in scope for this code motion, but I did spot another bug here..

> --- > conf.c | 101 ++++++++++++++++++++++++++++++++++----------------------- > 1 file changed, 60 insertions(+), 41 deletions(-) >=20 > diff --git a/conf.c b/conf.c > index 168646f..18ed11c 100644 > --- a/conf.c > +++ b/conf.c 
> @@ -414,6 +414,62 @@ static unsigned add_dns6(struct ctx *c, const struct= in6_addr *addr, > return 1; > } > =20 > +/** > + * add_dns_resolv4() - Possibly add one IPv4 nameserver from host's reso= lv.conf > + * @c: Execution context > + * @ns: Nameserver address > + * @idx: Pointer to index of current IPv4 resolver entry, set on return > + */ > +static void add_dns_resolv4(struct ctx *c, struct in_addr *ns, unsigned = *idx) > +{ > + if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.dns_host)) > + c->ip4.dns_host =3D *ns; > + > + /* Special handling if guest or container can only access local > + * addresses via redirect, or if the host gateway is also a resolver and > + * we shadow its address > + */ > + if (IN4_IS_ADDR_LOOPBACK(ns) || > + IN4_ARE_ADDR_EQUAL(ns, &c->ip4.map_host_loopback)) {

The second bit here is wrong. We check if the nameserver address is the --map-host-loopback address - meaning we can't use it in the guest - then try to use it in the guest anyway. That path should instead return, like the ns == 127.0.0.1 && map_host_loopback == 0.0.0.0 case.

> + if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.map_host_loopback)) > + return; > + > + *ns =3D c->ip4.map_host_loopback; > + if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.dns_match)) > + c->ip4.dns_match =3D c->ip4.map_host_loopback; > + } > + > + *idx +=3D add_dns4(c, ns, *idx); > +} > + > +/** > + * add_dns_resolv6() - Possibly add one IPv6 nameserver from host's reso= lv.conf > + * @c: Execution context > + * @ns: Nameserver address > + * @idx: Pointer to index of current IPv6 resolver entry, set on return > + */ > +static void add_dns_resolv6(struct ctx *c, struct in6_addr *ns, unsigned= *idx) > +{ > + if (IN6_IS_ADDR_UNSPECIFIED(&c->ip6.dns_host)) > + c->ip6.dns_host =3D *ns; > + > + /* Special handling if guest or container can only access local > + * addresses via redirect, or if the host gateway is also a resolver and > + * we shadow its address > + */ > + if (IN6_IS_ADDR_LOOPBACK(ns) || > + IN6_ARE_ADDR_EQUAL(ns, &c->ip6.map_host_loopback)) {

Same bug for IPv6.

> + if (IN6_IS_ADDR_UNSPECIFIED(&c->ip6.map_host_loopback)) > + return; > + > + *ns =3D c->ip6.map_host_loopback; > + if (IN6_IS_ADDR_UNSPECIFIED(&c->ip6.dns_match)) > + c->ip6.dns_match =3D c->ip6.map_host_loopback; > + } > + > + *idx +=3D add_dns6(c, ns, *idx); > +} > + > /** > * add_dns_resolv() - Possibly add ns from host resolv.conf to configura= tion > * @c: Execution context 
> @@ -430,48 +486,11 @@ static void add_dns_resolv(struct ctx *c, const cha= r *nameserver, > struct in6_addr ns6; > struct in_addr ns4; > =20 > - if (idx4 && inet_pton(AF_INET, nameserver, &ns4)) { > - if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.dns_host)) > - c->ip4.dns_host =3D ns4; > - > - /* Special handling if guest or container can only access local > - * addresses via redirect, or if the host gateway is also a > - * resolver and we shadow its address > - */ > - if (IN4_IS_ADDR_LOOPBACK(&ns4) || > - IN4_ARE_ADDR_EQUAL(&ns4, &c->ip4.map_host_loopback)) { > - if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.map_host_loopback)) > - return; > - > - ns4 =3D c->ip4.map_host_loopback; > - if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.dns_match)) > - c->ip4.dns_match =3D c->ip4.map_host_loopback; > - } > - > - *idx4 +=3D add_dns4(c, &ns4, *idx4); > - } > - > - if (idx6 && inet_pton(AF_INET6, nameserver, &ns6)) { > - if (IN6_IS_ADDR_UNSPECIFIED(&c->ip6.dns_host)) > - c->ip6.dns_host =3D ns6; > - > - /* Special handling if guest or container can only access local > - * addresses via redirect, or if the host gateway is also a > - * resolver and we shadow its address > - */ > - if (IN6_IS_ADDR_LOOPBACK(&ns6) || > - IN6_ARE_ADDR_EQUAL(&ns6, &c->ip6.map_host_loopback)) { > - if (IN6_IS_ADDR_UNSPECIFIED(&c->ip6.map_host_loopback)) > - return; > + if (idx4 && inet_pton(AF_INET, nameserver, &ns4)) > + add_dns_resolv4(c, &ns4, idx4); > =20 > - ns6 =3D c->ip6.map_host_loopback; > - > - if (IN6_IS_ADDR_UNSPECIFIED(&c->ip6.dns_match)) > - c->ip6.dns_match =3D c->ip6.map_host_loopback; > - } > - > - *idx6 +=3D add_dns6(c, &ns6, *idx6); > - } > + if (idx6 && inet_pton(AF_INET6, nameserver, &ns6)) > + add_dns_resolv6(c, &ns6, idx6); > } > =20 > /**

-- 
David Gibson (he or they)       | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you, not the other way
                                | around.
http://www.ozlabs.org/~dgibson
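
Review bot: the kernel-doc for add_dns_resolv4() and add_dns_resolv6() in the first hunk describes @ns only as "Nameserver address", but both helpers write through it (`*ns = c->ip4.map_host_loopback;` and the ip6 equivalent), so the caller's ns4/ns6 is overwritten on return. Either say so on the @ns line, as @idx already does with "set on return", or copy the address into a local and take the parameter as a pointer to const, in line with the `const struct in6_addr *addr` parameter of add_dns6() visible in the hunk header.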
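
Review bot: in the second hunk, the `return` that used to exit add_dns_resolv() from inside the IPv4 block now only exits add_dns_resolv4(), so `inet_pton(AF_INET6, nameserver, &ns6)` is still evaluated after a loopback IPv4 nameserver has been skipped. A string that parsed as AF_INET will not also parse as AF_INET6, so the outcome is unchanged, but an `else if` on the IPv6 branch, or a sentence in the commit message next to "No functional changes intended", would make that explicit.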