Date: Tue, 22 Jul 2025 12:39:50 +1000
From: David Gibson
To: Jon Maloy
CC: sbrivio@redhat.com, dgibson@redhat.com, passt-dev@passt.top
Subject: Re: [PATCH v3 7/8] tcp: make tcp_rst_no_conn() respond with correct MAC address
References: <20250629171348.86323-1-jmaloy@redhat.com> <20250629171348.86323-8-jmaloy@redhat.com>
In-Reply-To: <20250629171348.86323-8-jmaloy@redhat.com>
List-Id: Development discussion and patches for passt

On Sun, Jun 29, 2025 at 01:13:46PM -0400, Jon Maloy wrote:
> tcp_rst_no_conn() needs to identify and specify which source MAC
> address to use when sending an RST to the guest. This is because
> it doesn't have access to any flow structure where this address
> could be fetched.
>
> Signed-off-by: Jon Maloy
>
> ---
> v3: - Adapted to the signature change in nl_mac_get() function, so that
>       we now consider only the template interface when checking the
>       ARP/NDP table.
> ---
>  tcp.c | 17 +++++++++++++++--
>  1 file changed, 15 insertions(+), 2 deletions(-)
>
> diff --git a/tcp.c b/tcp.c > index 3ecf9e8..8c502ea 100644 > --- a/tcp.c > +++ b/tcp.c 
> @@ -309,6 +309,7 @@ > #include "tcp_internal.h" > #include "tcp_buf.h" > #include "tcp_vu.h" > +#include "netlink.h" > =20 > #ifndef __USE_MISC > /* From Linux UAPI, missing in netinet/tcp.h provided by musl */ > @@ -1888,17 +1889,29 @@ static void tcp_rst_no_conn(const struct ctx *c, = int af, > const struct tcphdr *th, size_t l4len) > { > struct iov_tail payload =3D IOV_TAIL(NULL, 0, 0); > + unsigned char src_mac[ETH_ALEN]; > + union inany_addr tgt; > struct tcphdr *rsth; > char buf[USHRT_MAX]; > uint32_t psum =3D 0; > size_t rst_l2len; > + int ifi; > =20 > /* Don't respond to RSTs without a connection */ > if (th->rst) > return; > =20 > + /* Respond with true MAC address if remote host is on > + * the template interface's network segment > + */ > + ifi =3D af =3D=3D AF_INET ? c->ifi4 : c->ifi6; > + memcpy(src_mac, c->our_tap_mac, ETH_ALEN); > + inany_from_af(&tgt, af, daddr); > + if (!inany_nat(c, &tgt)) > + nl_mac_get(nl_sock, &tgt, ifi, src_mac);

As with all these cases, this will fail if it's the first time we've contacted the peer. That's probably harmless in this case... but similarly it's also probably harmless to always use the standard MAC like we were before. If we get here, we've basically got a garbage packet from the guest - does it really need to know the real MAC of the host it might have been contacting if things were in a much saner state than they apparently are?

> + > if (af =3D=3D AF_INET) { > - struct iphdr *ip4h =3D tap_push_l2h(c, buf, NULL, ETH_P_IP); > + struct iphdr *ip4h =3D tap_push_l2h(c, buf, src_mac, ETH_P_IP); > const struct in_addr *rst_src =3D daddr; > const struct in_addr *rst_dst =3D saddr; > =20 
> @@ -1908,7 +1921,7 @@ static void tcp_rst_no_conn(const struct ctx *c, in= t af, > *rst_src, *rst_dst); > =20 > } else { > - struct ipv6hdr *ip6h =3D tap_push_l2h(c, buf, NULL, ETH_P_IPV6); > + struct ipv6hdr *ip6h =3D tap_push_l2h(c, buf, src_mac, ETH_P_IPV6); > const struct in6_addr *rst_src =3D daddr; > const struct in6_addr *rst_dst =3D saddr; > =20

-- 
David Gibson (he or they)       | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you, not the other way
                                | around.
http://www.ozlabs.org/~dgibson
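
Review bot: In the second tcp.c hunk, the result of the nl_mac_get() call in tcp_rst_no_conn() is not checked, so the fallback to c->our_tap_mac set up by the preceding memcpy() depends on nl_mac_get() leaving src_mac untouched whenever it finds no neighbour entry for tgt, and nothing in these lines shows that it does. If nl_mac_get() returns a status, check it and re-copy c->our_tap_mac on failure; otherwise state that contract in the comment above the lookup. This path also runs for every connectionless segment the guest sends, so the lookup is paid on guest-controlled input; it is worth confirming the cost is acceptable here, or keeping the default MAC as the function did before.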