From: David Gibson
To: Stefano Brivio
Cc: passt-dev@passt.top, Paul Holzinger
Subject: Re: [PATCH] udp: Translate source address of resolver only for DNS remapped queries
Date: Mon, 18 Mar 2024 14:26:18 +1100
In-Reply-To: <20240315142637.580496-1-sbrivio@redhat.com>

On Fri, Mar 15, 2024 at 03:26:37PM +0100, Stefano Brivio wrote:
> Paul reports that if pasta is configured with --dns-forward, and the
> container queries a resolver which is configured on the host directly,
> without using the address given for --dns-forward, we'll translate
> the source address of the response pretending it's coming from the
> address passed as --dns-forward, and the client will discard the
> reply.
>
> That is,
>
> $ cat /etc/resolv.conf
> 198.51.100.1
> $ pasta --config-net --dns-forward 192.0.2.1 nslookup passt.top
>
> will not work, because we change the source address of the reply from
> 198.51.100.1 to 192.0.2.1. But the client contacted 198.51.100.1, and
> it's from that address that it expects an answer.
>
> Add a PORT_DNS_FWD flag for tap-facing ports, which is triggered by
> activity in the opposite direction as the other flags. If the
> tap-facing port was seen sending a DNS query that was remapped, we'll
> remap the source address of the response, otherwise we'll leave it
> unaffected.
>
> Reported-by: Paul Holzinger
> Signed-off-by: Stefano Brivio

Blech.  Ok, I've really got to do my flow table implementation to avoid
more of this fragile nonsense.  I guess as a stop gap.

Reviewed-by: David Gibson

> ---
>  udp.c | 21 +++++++++++++++------
>  1 file changed, 15 insertions(+), 6 deletions(-)
>
> diff --git a/udp.c b/udp.c
> index 0a7f3b7..694424a 100644
> --- a/udp.c
> +++ b/udp.c
> @@ -127,15 +127,16 @@
>  /**
>   * struct udp_tap_port - Port tracking based on tap-facing source port
>   * @sock:	Socket bound to source port used as index
> - * @flags:	Flags for local bind, loopback address/unicast address as source
> + * @flags:	Flags for recent activity type seen from/to port
>   * @ts:		Activity timestamp from tap, used for socket aging
>   */
>  struct udp_tap_port {
>  	int sock;
>  	uint8_t flags;
> -#define PORT_LOCAL	BIT(0)
> -#define PORT_LOOPBACK	BIT(1)
> -#define PORT_GUA	BIT(2)
> +#define PORT_LOCAL	BIT(0)	/* Port was contacted from local address */
> +#define PORT_LOOPBACK	BIT(1)	/* Port was contacted from loopback address */
> +#define PORT_GUA	BIT(2)	/* Port was contacted from global unicast */
> +#define PORT_DNS_FWD	BIT(3)	/* Port used as source for DNS remapped query */
>  
>  	time_t ts;
>  };
> @@ -579,7 +580,8 @@ static size_t udp_update_hdr4(const struct ctx *c, struct udp4_l2_buf_t *b,
>  	struct in_addr src = b->s_in.sin_addr;
>  
>  	if (!IN4_IS_ADDR_UNSPECIFIED(&c->ip4.dns_match) &&
> -	    IN4_ARE_ADDR_EQUAL(&src, &c->ip4.dns_host) && srcport == 53) {
> +	    IN4_ARE_ADDR_EQUAL(&src, &c->ip4.dns_host) && srcport == 53 &&
> +	    (udp_tap_map[V4][dstport].flags & PORT_DNS_FWD)) {
>  		src = c->ip4.dns_match;
>  	} else if (IN4_IS_ADDR_LOOPBACK(&src) ||
>  		   IN4_ARE_ADDR_EQUAL(&src, &c->ip4.addr_seen)) {
> @@ -632,7 +634,8 @@ static size_t udp_update_hdr6(const struct ctx *c, struct udp6_l2_buf_t *b,
>  		dst = &c->ip6.addr_ll_seen;
>  	} else if (!IN6_IS_ADDR_UNSPECIFIED(&c->ip6.dns_match) &&
>  		   IN6_ARE_ADDR_EQUAL(src, &c->ip6.dns_host) &&
> -		   srcport == 53) {
> +		   srcport == 53 &&
> +		   (udp_tap_map[V4][dstport].flags & PORT_DNS_FWD)) {
>  		src = &c->ip6.dns_match;
>  	} else if (IN6_IS_ADDR_LOOPBACK(src) ||
>  		   IN6_ARE_ADDR_EQUAL(src, &c->ip6.addr_seen) ||
> @@ -841,6 +844,9 @@ int udp_tap_handler(struct ctx *c, uint8_t pif,
>  		if (IN4_ARE_ADDR_EQUAL(&s_in.sin_addr, &c->ip4.dns_match) &&
>  		    ntohs(s_in.sin_port) == 53) {
>  			s_in.sin_addr = c->ip4.dns_host;
> +			udp_tap_map[V4][src].ts = now->tv_sec;
> +			udp_tap_map[V4][src].flags |= PORT_DNS_FWD;
> +			bitmap_set(udp_act[V4][UDP_ACT_TAP], src);
>  		} else if (IN4_ARE_ADDR_EQUAL(&s_in.sin_addr, &c->ip4.gw) &&
>  			   !c->no_map_gw) {
>  			if (!(udp_tap_map[V4][dst].flags & PORT_LOCAL) ||
> @@ -890,6 +896,9 @@ int udp_tap_handler(struct ctx *c, uint8_t pif,
>  		if (IN6_ARE_ADDR_EQUAL(daddr, &c->ip6.dns_match) &&
>  		    ntohs(s_in6.sin6_port) == 53) {
>  			s_in6.sin6_addr = c->ip6.dns_host;
> +			udp_tap_map[V6][src].ts = now->tv_sec;
> +			udp_tap_map[V6][src].flags |= PORT_DNS_FWD;
> +			bitmap_set(udp_act[V6][UDP_ACT_TAP], src);
>  		} else if (IN6_ARE_ADDR_EQUAL(daddr, &c->ip6.gw) &&
>  			   !c->no_map_gw) {
>  			if (!(udp_tap_map[V6][dst].flags & PORT_LOCAL) ||

-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson
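Review bot: in the udp_update_hdr6 hunk (@@ -632,7 +634,8 @@) the new condition reads `(udp_tap_map[V4][dstport].flags & PORT_DNS_FWD)`, but this is the IPv6 reply path, and the matching udp_tap_handler hunk sets the flag on `udp_tap_map[V6][src]`. As written, an IPv6 reply from dns_host:53 is checked against the IPv4 port table, so it is rewritten or left alone depending on whatever IPv4 traffic happened to use the same port number, never on the IPv6 query that was actually remapped. It should be `(udp_tap_map[V6][dstport].flags & PORT_DNS_FWD)`.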
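Review bot: in the udp_tap_handler hunks (@@ -841,6 +844,9 @@ and @@ -890,6 +896,9 @@) PORT_DNS_FWD is only ever OR-ed in, `udp_tap_map[V4][src].flags |= PORT_DNS_FWD;`, and nothing in the patch clears it. Once a tap-facing port has sent a single query to dns_match, every later reply from dns_host:53 to that port is rewritten, including replies to queries the client then sends to dns_host directly from the same source port, which is the case the commit message sets out to fix; the struct comment now describes these bits as "recent activity", which they are not for this one. Consider clearing the bit when the port sends a DNS query that is not remapped, or at least documenting the limitation next to the flag.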
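The decision the patch introduces, reduced to a stand-alone model so the scenario in the commit message can be run without pasta. This is an added example, not passt's code: the addresses are the documentation ranges from the commit message, `struct model` with a plain per-port `flags` array stands in for `udp_tap_map[V4][]`, and `tap_to_host()` / `host_to_tap()` are hypothetical condensations of the udp_tap_handler and udp_update_hdr4 branches shown in the hunks. The `patched` argument switches between the old condition (rewrite every reply from dns_host:53) and the new one (rewrite only when the port carries PORT_DNS_FWD); the last function shows what happens when one source port is reused for a forwarded and then a direct query, since the flag is never cleared.

```c
/*
 * Added example, not passt code: a minimal model of the PORT_DNS_FWD
 * decision from the patch above, in its unpatched and patched form.
 * Addresses are the documentation ranges used in the commit message; the
 * per-port table is a plain array standing in for udp_tap_map[V4][].flags.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PORT_DNS_FWD	0x08	/* BIT(3), as in the patch */
#define DNS_PORT	53

typedef uint32_t ip4_t;		/* host-order IPv4 address */
#define IP4(a, b, c, d) \
	(((ip4_t)(a) << 24) | ((ip4_t)(b) << 16) | ((ip4_t)(c) << 8) | (ip4_t)(d))

struct model {
	ip4_t dns_match;	/* address given with --dns-forward */
	ip4_t dns_host;		/* resolver actually configured on the host */
	uint8_t flags[65536];	/* per tap-facing source port */
};

/* Container -> host: returns the destination the query is really sent to,
 * marking the source port when the query was remapped (udp_tap_handler). */
static ip4_t tap_to_host(struct model *m, uint16_t sport, ip4_t dst, uint16_t dport)
{
	if (dst == m->dns_match && dport == DNS_PORT) {
		m->flags[sport] |= PORT_DNS_FWD;
		return m->dns_host;
	}
	return dst;
}

/* Host -> container: returns the source address written into the reply
 * (udp_update_hdr4). 'patched' selects the new PORT_DNS_FWD condition. */
static ip4_t host_to_tap(const struct model *m, ip4_t src, uint16_t sport,
			 uint16_t dport, bool patched)
{
	if (src == m->dns_host && sport == DNS_PORT &&
	    (!patched || (m->flags[dport] & PORT_DNS_FWD)))
		return m->dns_match;
	return src;
}

/* Constructed configuration: --dns-forward 192.0.2.1, host resolver 198.51.100.1 */
static void init_model(struct model *m)
{
	*m = (struct model){ .dns_match = IP4(192, 0, 2, 1),
			     .dns_host = IP4(198, 51, 100, 1) };
}

/* One query/reply exchange from port 40000. Returns true when the reply's
 * source is the address the client contacted, i.e. the client accepts it. */
bool reply_accepted(bool patched, bool via_forwarder)
{
	struct model m;
	uint16_t cport = 40000;
	ip4_t contacted, wire_dst, reply_src;

	init_model(&m);
	contacted = via_forwarder ? m.dns_match : m.dns_host;
	wire_dst = tap_to_host(&m, cport, contacted, DNS_PORT);
	/* the resolver answers from the address the socket actually reached */
	reply_src = host_to_tap(&m, wire_dst, DNS_PORT, cport, patched);
	return reply_src == contacted;
}

/* The flag is only OR-ed in and never cleared: a port that once used the
 * forwarder, then queries dns_host directly, still gets a rewritten reply.
 * Returns true when that second reply carries an address the client never
 * contacted. */
bool sticky_flag_rewrites_direct_reply(void)
{
	struct model m;
	uint16_t cport = 40000;
	ip4_t wire_dst, reply_src;

	init_model(&m);
	tap_to_host(&m, cport, m.dns_match, DNS_PORT);		/* sets PORT_DNS_FWD */
	wire_dst = tap_to_host(&m, cport, m.dns_host, DNS_PORT);	/* direct query */
	reply_src = host_to_tap(&m, wire_dst, DNS_PORT, cport, true);
	return reply_src != m.dns_host;
}

int main(void)
{
	printf("unpatched, via forwarder: %s\n", reply_accepted(false, true) ? "accepted" : "discarded");
	printf("unpatched, direct query:  %s\n", reply_accepted(false, false) ? "accepted" : "discarded");
	printf("patched, via forwarder:   %s\n", reply_accepted(true, true) ? "accepted" : "discarded");
	printf("patched, direct query:    %s\n", reply_accepted(true, false) ? "accepted" : "discarded");
	printf("patched, reused port:     %s\n", sticky_flag_rewrites_direct_reply() ? "rewritten" : "left alone");
	return 0;
}
```

The unpatched model reproduces Paul's report (direct query, reply rewritten to 192.0.2.1, client discards it) and the patched one leaves that reply alone while still translating forwarded ones; the reused-port case is the limitation of a flag that is set but never reset, and is where a per-flow table rather than a per-port bit would give an exact answer.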