Date: Wed, 21 Aug 2024 11:56:11 +1000
From: David Gibson
To: Stefano Brivio
Cc: passt-dev@passt.top, Paul Holzinger
Subject: Re: [PATCH 17/22] fwd: Split notion of "our tap address" from gateway for IPv4
References: <20240816054004.1335006-1-david@gibson.dropbear.id.au> <20240816054004.1335006-18-david@gibson.dropbear.id.au> <20240820215624.5ec8e221@elisabeth>
In-Reply-To: <20240820215624.5ec8e221@elisabeth>

On Tue, Aug 20, 2024 at 09:56:24PM +0200, Stefano Brivio wrote:
> On Fri, 16 Aug 2024 15:39:58 +1000
> David Gibson wrote:
>
> > ip4.gw conflates 3 conceptually different things, which (for now) have the
> > same value:
> > 1. The router/gateway address as seen by the guest
> > 2. An address to NAT to the host when --no-map-gw isn't specified
> > 3. An address to use as source when nothing else makes sense
> >
> > Case 3 occurs in two situations:
> >
> > a) for our DHCP responses - since they come from passt internally there's
> >    no naturally meaningful address for them to come from
> > b) for forwarded connections coming from an address that isn't guest
> >    accessible (localhost or the guest's own address).
> >
> > (b) occurs even with --no-map-gw, and the expected behaviour of forwarding
> > local connections requires it.
> >
> > For IPv6 role (3) is now taken by ip6.our_tap_ll (which usually has the
> > same value as ip6.gw). For future flexibility we may want to make this
> > "address of last resort" different from the gateway address, so split them
> > logically for IPv4 as well.
> >
> > Specifically, add a new ip4.our_tap_addr field for the address with this
> > role, and initialise it to ip4.gw for now. Unlike IPv6 where we can always
> > get a link-local address, we might not be able to get a (non 0.0.0.0)
> > address here. In that case we have to disable DHCP
>
> It's not entirely clear to me in which case we would not be able to
> get any address,

Currently, when we don't have a gateway address on the host: no
connectivity, or a point-to-point link with no gateway, or the like.
We used to absolutely require it, but that restriction has been eased
and may ease further in future.

> but at least RFC 2131 doesn't have a problem with this:
>
> diff --git a/dhcp.c b/dhcp.c
> index aa9f59d..3de8a6e 100644
> --- a/dhcp.c
> +++ b/dhcp.c
> @@ -282,6 +282,7 @@ int dhcp(const struct ctx *c, const struct pool *p)
>  	struct in_addr mask;
>  	unsigned int i;
>  	struct msg *m;
> +	struct in_addr zeroes = { 0 };
>
>  	eh = packet_get(p, 0, offset, sizeof(*eh), NULL);
>  	offset += sizeof(*eh);
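Review bot: `zeroes` is never modified and is only passed by value to tap_udp4_send(), so it could be declared `const`; it is also appended after the existing locals, which the three lines above it order longest declaration first, so `struct in_addr zeroes = { 0 };` would sit at the top of that group to keep the same ordering.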
> @@ -378,7 +379,7 @@ int dhcp(const struct ctx *c, const struct pool *p)
>  	opt_set_dns_search(c, sizeof(m->o));
>
>  	dlen = offsetof(struct msg, o) + fill(m);
> -	tap_udp4_send(c, c->ip4.gw, 67, c->ip4.addr, 68, m, dlen);
> +	tap_udp4_send(c, zeroes, 67, c->ip4.addr, 68, m, dlen);
>
>  	return 1;
>  }
>
> and:
>
> $ ./pasta -p dhcp.pcap
> Saving packet capture to dhcp.pcap
> # dhclient
> # tshark -r dhcp.pcap
> Running as user "root" and group "root". This could be dangerous.
>     1   0.000000        :: → ff02::16         ICMPv6 90  Multicast Listener Report Message v2
>     2   0.016265   0.0.0.0 → 255.255.255.255  DHCP   342 DHCP Discover - Transaction ID 0x75759d11
>     3   0.016361   0.0.0.0 → 88.198.0.164     DHCP   342 DHCP Offer    - Transaction ID 0x75759d11
>     4   0.016479   0.0.0.0 → 255.255.255.255  DHCP   342 DHCP Request  - Transaction ID 0x75759d11
>     5   0.016493   0.0.0.0 → 88.198.0.164     DHCP   342 DHCP ACK      - Transaction ID 0x75759d11
> [...]
>
> so this could be a reasonable fallback.

Fair point. I've removed the disabling of DHCP in this case.

>
> > and forwarding of
> > inbound connections with guest-inaccessible source addresses.
> >
> > Signed-off-by: David Gibson
> > ---
> >  conf.c  |  7 ++++++-
> >  dhcp.c  |  4 ++--
> >  fwd.c   | 10 +++++++---
> >  passt.h |  2 ++
> >  4 files changed, 17 insertions(+), 6 deletions(-)
> >
> > diff --git a/conf.c b/conf.c
> > index 954f20ea..9f962fc8 100644
> > --- a/conf.c
> > +++ b/conf.c
> > @@ -660,6 +660,8 @@ static unsigned int conf_ip4(unsigned int ifi,
> >
> >  	ip4->addr_seen = ip4->addr;
> >
> > +	ip4->our_tap_addr = ip4->gw;
> > +
> >  	if (MAC_IS_ZERO(mac)) {
> >  		int rc = nl_link_get_mac(nl_sock, ifi, mac);
> >  		if (rc < 0) {
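Review bot: `ip4->our_tap_addr = ip4->gw;` is assigned unconditionally, so whenever conf_ip4() ends up with no gateway the new field is 0.0.0.0 as well, which is what the later conf() check relies on; a one-line comment above this assignment saying that the gateway is only the current stand-in for the "address of last resort" (the commit message's "for now") would record that intent for whoever later gives the two different values.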
> > @@ -1666,7 +1668,10 @@ void conf(struct ctx *c, int argc, char **argv)
> >  		die("External interface not usable");
> >
> >  	if (c->ifi4 && IN4_IS_ADDR_UNSPECIFIED(&c->ip4.gw))
> > -		c->no_map_gw = c->no_dhcp = 1;
> > +		c->no_map_gw = 1;
> > +
> > +	if (c->ifi4 && IN4_IS_ADDR_UNSPECIFIED(&c->ip4.our_tap_addr))
> > +		c->no_dhcp = 1;
> >
> >  	if (c->ifi6 && IN6_IS_ADDR_UNSPECIFIED(&c->ip6.gw))
> >  		c->no_map_gw = 1;
> > diff --git a/dhcp.c b/dhcp.c
> > index acc5b03e..a935dc94 100644
> > --- a/dhcp.c
> > +++ b/dhcp.c
> > @@ -347,7 +347,7 @@ int dhcp(const struct ctx *c, const struct pool *p)
> >  	mask.s_addr = htonl(0xffffffff << (32 - c->ip4.prefix_len));
> >  	memcpy(opts[1].s, &mask, sizeof(mask));
> >  	memcpy(opts[3].s, &c->ip4.gw, sizeof(c->ip4.gw));
> > -	memcpy(opts[54].s, &c->ip4.gw, sizeof(c->ip4.gw));
> > +	memcpy(opts[54].s, &c->ip4.our_tap_addr, sizeof(c->ip4.our_tap_addr));
>
> Nit: this was supposed to look like a table, so it would be nice to add
> extra whitespace in the lines above this one.

Makes sense, done.

-- 
David Gibson (he or they)       | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you, not the other way
                                | around.
http://www.ozlabs.org/~dgibson
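Review bot: once option 54 (the DHCP server identifier) is filled from `c->ip4.our_tap_addr`, the fallback agreed above, keeping DHCP enabled and sending replies from a 0.0.0.0 source when no address is available, would also put 0.0.0.0 into the server identifier, which clients use as the unicast destination for lease renewals; if the `c->no_dhcp = 1` guard in conf() is dropped as described, this line needs its own handling of the unspecified case, for example keeping `c->ip4.gw` here when it is set and skipping the option otherwise.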