From: David Gibson <david@gibson.dropbear.id.au>
To: Jon Maloy <jmaloy@redhat.com>
Cc: sbrivio@redhat.com, dgibson@redhat.com, passt-dev@passt.top
Subject: Re: [PATCH v3 2/8] arp/ndp: respond with true MAC address of LAN local remote hosts
Date: Tue, 22 Jul 2025 11:55:57 +1000 [thread overview]
Message-ID: <aH7vrcjbuClSBAtz@zatzit> (raw)
In-Reply-To: <20250629171348.86323-3-jmaloy@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 7246 bytes --]
On Sun, Jun 29, 2025 at 01:13:41PM -0400, Jon Maloy wrote:
> When we receive an ARP request or NDP neigbor solicitation over
> the tap interface for a host on the local network segment attached
> to the template interface, we respond with that host's real MAC
> address.
>
> The local host, which is acting as a proxy for the default gateway,
> is still exempted from this rule.
>
> Signed-off-by: Jon Maloy <jmaloy@redhat.com>
>
> ---
> v3: - Added helper function to find out if a remote ip address is subject
> to NAT. This filters out local host addresses which should be
> presented with the passt/pasta local MAC address 9a:55:9a:55:9a:55 even
> though it is on the local segment.
> - Adapted to the change in nl_mac_get() function, so that we now consider
> only the template interface when checking the ARP/NDP table.
> ---
> arp.c | 9 +++++++++
> fwd.c | 2 +-
> fwd.h | 3 ++-
> inany.c | 15 +++++++++++++++
> inany.h | 1 +
> ndp.c | 9 +++++++++
> 6 files changed, 37 insertions(+), 2 deletions(-)
>
> diff --git a/arp.c b/arp.c
> index fc482bb..1952a63 100644
> --- a/arp.c
> +++ b/arp.c
> @@ -29,6 +29,7 @@
> #include "dhcp.h"
> #include "passt.h"
> #include "tap.h"
> +#include "netlink.h"
>
> /**
> * arp() - Check if this is a supported ARP message, reply as needed
> @@ -40,6 +41,7 @@
> int arp(const struct ctx *c, const struct pool *p)
> {
> unsigned char swap[4];
> + union inany_addr tgt;
> struct ethhdr *eh;
> struct arphdr *ah;
> struct arpmsg *am;
> @@ -72,6 +74,13 @@ int arp(const struct ctx *c, const struct pool *p)
> memcpy(am->tha, am->sha, sizeof(am->tha));
> memcpy(am->sha, c->our_tap_mac, sizeof(am->sha));
>
> + /* Respond with true MAC address if remote host is on
> + * the template interface's network segment
> + */
> + inany_from_af(&tgt, AF_INET, am->tip);
> + if (!inany_nat(c, &tgt))
> + nl_mac_get(nl_sock, &tgt, c->ifi4, am->sha);
> +
Hmm. Here's one concern about the overall concept here. If neither
the guest nor the host has contacted this neighbour before, it
probably won't be in the host's arp/neighbour table so this lookup
will fail, and we'll use our_tap_mac. The guest then contacts it, so
the host ARPs it. When the guest's ARP times out, it re-ARPs and this
time gets the actual MAC address. i.e. it seems to me this approach
may substantially increase the odds of the guest seeing a peer change
MAC. Not sure if that's a problem.
> memcpy(swap, am->tip, sizeof(am->tip));
> memcpy(am->tip, am->sip, sizeof(am->tip));
> memcpy(am->sip, swap, sizeof(am->sip));
> diff --git a/fwd.c b/fwd.c
> index 250cf56..02ebc9d 100644
> --- a/fwd.c
> +++ b/fwd.c
> @@ -332,7 +332,7 @@ static bool fwd_guest_accessible(const struct ctx *c,
> * Only handles translations that depend *only* on the address. Anything
> * related to specific ports or flows is handled elsewhere.
> */
> -static void nat_outbound(const struct ctx *c, const union inany_addr *addr,
> +void nat_outbound(const struct ctx *c, const union inany_addr *addr,
> union inany_addr *translated)
> {
> if (inany_equals4(addr, &c->ip4.map_host_loopback))
> diff --git a/fwd.h b/fwd.h
> index 0458a3c..61632f2 100644
> --- a/fwd.h
> +++ b/fwd.h
> @@ -56,5 +56,6 @@ uint8_t fwd_nat_from_splice(const struct ctx *c, uint8_t proto,
> const struct flowside *ini, struct flowside *tgt);
> uint8_t fwd_nat_from_host(const struct ctx *c, uint8_t proto,
> const struct flowside *ini, struct flowside *tgt);
> -
> +void nat_outbound(const struct ctx *c, const union inany_addr *addr,
> + union inany_addr *translated);
> #endif /* FWD_H */
> diff --git a/inany.c b/inany.c
> index f5483bf..0ecf10a 100644
> --- a/inany.c
> +++ b/inany.c
> @@ -16,6 +16,7 @@
> #include "ip.h"
> #include "siphash.h"
> #include "inany.h"
> +#include "fwd.h"
>
> const union inany_addr inany_loopback4 = INANY_INIT4(IN4ADDR_LOOPBACK_INIT);
> const union inany_addr inany_any4 = INANY_INIT4(IN4ADDR_ANY_INIT);
> @@ -56,3 +57,17 @@ int inany_pton(const char *src, union inany_addr *dst)
>
> return 0;
> }
> +
> +/** inany_nat - Find if a remote IPv[46] address is subject to NAT
> + * @c: Execution context
> + * @addr: IPv[46] address
> + *
> + * Return: true if translated, false otherwise
> + */
> +bool inany_nat(const struct ctx *c, const union inany_addr *addr)
This certainly doesn't belong in inany.h, it should be in fwd.[ch].
inany.h is about the mechanics of handling inany addresses. This
function is about NAT, a much higher level concept.
... and indeed it might be better just to extend nat_outbound() with
this functionality rather than writing a new wrapper.
> +{
> + union inany_addr addr_nat;
> +
> + nat_outbound(c, addr, &addr_nat);
> + return !inany_equals(addr, &addr_nat);
Hrm... I'm having trouble convincing myself is this is the correct
logic. Having an address NATted doesn't necessarily preclude sensibly
maintaining it's MAC, as long as the translation is consistent and 1
to 1. Though you could certainly argue that if you're translating the
L3 address, maintaining the L2 address is kind of meaningless.
In the other direction, I'm not sure if we should be preserving MACs
for things that are "logically" NATted. That is, they do hit one of
the translation cases in nat_outbound(), but it happens that the
translated address is the same as the original address.
> +}
> diff --git a/inany.h b/inany.h
> index 7ca5cbd..b2a66b0 100644
> --- a/inany.h
> +++ b/inany.h
> @@ -278,5 +278,6 @@ static inline void inany_siphash_feed(struct siphash_state *state,
>
> const char *inany_ntop(const union inany_addr *src, char *dst, socklen_t size);
> int inany_pton(const char *src, union inany_addr *dst);
> +bool inany_nat(const struct ctx *c, const union inany_addr *addr);
>
> #endif /* INANY_H */
> diff --git a/ndp.c b/ndp.c
> index 3e15494..2e7f0bc 100644
> --- a/ndp.c
> +++ b/ndp.c
> @@ -32,6 +32,7 @@
> #include "passt.h"
> #include "tap.h"
> #include "log.h"
> +#include "netlink.h"
>
> #define RT_LIFETIME 65535
>
> @@ -196,6 +197,7 @@ static void ndp_send(const struct ctx *c, const struct in6_addr *dst,
> static void ndp_na(const struct ctx *c, const struct in6_addr *dst,
> const struct in6_addr *addr)
> {
> + union inany_addr tgt;
> struct ndp_na na = {
> .ih = {
> .icmp6_type = NA,
> @@ -215,6 +217,13 @@ static void ndp_na(const struct ctx *c, const struct in6_addr *dst,
>
> memcpy(na.target_l2_addr.mac, c->our_tap_mac, ETH_ALEN);
>
> + /* Respond with true link-layer address if remote host is on
> + * the template interface's network segment
> + */
> + inany_from_af(&tgt, AF_INET6, addr);
> + if (!inany_nat(c, &tgt))
> + nl_mac_get(nl_sock, &tgt, c->ifi6, na.target_l2_addr.mac);
> +
> ndp_send(c, dst, &na, sizeof(na));
> }
>
--
David Gibson (he or they) | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you, not the other way
| around.
http://www.ozlabs.org/~dgibson
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2025-07-22 2:21 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-29 17:13 [PATCH v3 0/8] use true MAC address of LAN local remote hosts Jon Maloy
2025-06-29 17:13 ` [PATCH v3 1/8] netlink: add function to extract MAC addresses from NDP/ARP table Jon Maloy
2025-07-22 0:53 ` David Gibson
2025-06-29 17:13 ` [PATCH v3 2/8] arp/ndp: respond with true MAC address of LAN local remote hosts Jon Maloy
2025-07-22 1:55 ` David Gibson [this message]
2025-06-29 17:13 ` [PATCH v3 3/8] flow: add MAC address of LAN local remote hosts to flow Jon Maloy
2025-07-22 2:12 ` David Gibson
2025-07-22 2:33 ` David Gibson
2025-06-29 17:13 ` [PATCH v3 4/8] udp: forward external source MAC address through tap interface Jon Maloy
2025-07-22 2:19 ` David Gibson
2025-06-29 17:13 ` [PATCH v3 5/8] tcp: " Jon Maloy
2025-07-22 2:29 ` David Gibson
2025-06-29 17:13 ` [PATCH v3 6/8] tap: change signature of function tap_push_l2h() Jon Maloy
2025-07-22 2:36 ` David Gibson
2025-06-29 17:13 ` [PATCH v3 7/8] tcp: make tcp_rst_no_conn() respond with correct MAC address Jon Maloy
2025-07-22 2:39 ` David Gibson
2025-06-29 17:13 ` [PATCH v3 8/8] icmp: let icmp use mac address from flowside structure Jon Maloy
2025-07-22 2:44 ` David Gibson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aH7vrcjbuClSBAtz@zatzit \
--to=david@gibson.dropbear.id.au \
--cc=dgibson@redhat.com \
--cc=jmaloy@redhat.com \
--cc=passt-dev@passt.top \
--cc=sbrivio@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://passt.top/passt
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).