Date: Thu, 21 Aug 2025 11:46:25 +1000
From: David Gibson
To: Jon Maloy
Cc: sbrivio@redhat.com, dgibson@redhat.com, passt-dev@passt.top
Subject: Re: [PATCH v4 7/9] tcp: make tcp_rst_no_conn() respond with correct MAC address
In-Reply-To: <20250820031005.2725591-8-jmaloy@redhat.com>
References: <20250820031005.2725591-1-jmaloy@redhat.com> <20250820031005.2725591-8-jmaloy@redhat.com>
List-Id: Development discussion and patches for passt

On Tue, Aug 19, 2025 at 11:10:03PM -0400, Jon Maloy wrote:
> tcp_rst_no_conn() needs to identify and specify which source MAC
> address to use when sending an RST to the guest. This is because
> it doesn't have access to any flow structure where this address
> could be fetched.

I'm not sure we actually need to preserve MAC in this case.  This
happens when the guest sends a TCP packet that doesn't appear to belong
to any existing flow.  That means that the guest is somehow already out
of sync with what's going on in the outside world.  So, it's hard to
imagine any scenario where the guest needs the correct MAC of this
peer that it already has a wrong idea of the state of.
> Signed-off-by: Jon Maloy > --- > tcp.c | 17 +++++++++++++++-- > 1 file changed, 15 insertions(+), 2 deletions(-) >=20 > diff --git a/tcp.c b/tcp.c > index bdcd477..28f9ef5 100644 > --- a/tcp.c > +++ b/tcp.c > @@ -309,6 +309,7 @@ > #include "tcp_internal.h" > #include "tcp_buf.h" > #include "tcp_vu.h" > +#include "netlink.h" > =20 > #ifndef __USE_MISC > /* From Linux UAPI, missing in netinet/tcp.h provided by musl */ > @@ -1888,17 +1889,29 @@ static void tcp_rst_no_conn(const struct ctx *c, = int af, > const struct tcphdr *th, size_t l4len) > { > struct iov_tail payload =3D IOV_TAIL(NULL, 0, 0); > + unsigned char src_mac[ETH_ALEN]; > + union inany_addr tgt; > struct tcphdr *rsth; > char buf[USHRT_MAX]; > uint32_t psum =3D 0; > size_t rst_l2len; > + int ifi; > =20 > /* Don't respond to RSTs without a connection */ > if (th->rst) > return; > =20 > + /* Respond with true MAC address if remote host is on > + * the template interface's network segment > + */ > + ifi =3D af =3D=3D AF_INET ? c->ifi4 : c->ifi6; > + memcpy(src_mac, c->our_tap_mac, ETH_ALEN); > + inany_from_af(&tgt, af, daddr); > + if (!fwd_inany_nat(c, &tgt)) > + nl_neigh_mac_get(nl_sock, &tgt, ifi, src_mac); > + > if (af =3D=3D AF_INET) { > - struct iphdr *ip4h =3D tap_push_l2h(c, buf, NULL, ETH_P_IP); > + struct iphdr *ip4h =3D tap_push_l2h(c, buf, src_mac, ETH_P_IP); > const struct in_addr *rst_src =3D daddr; > const struct in_addr *rst_dst =3D saddr; > =20 
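Review bot: the fallback to c->our_tap_mac when the neighbour lookup fails is only implicit in this hunk: src_mac is pre-filled with memcpy(src_mac, c->our_tap_mac, ETH_ALEN) and the return value of nl_neigh_mac_get(nl_sock, &tgt, ifi, src_mac) is dropped, so correctness depends on nl_neigh_mac_get() leaving src_mac untouched on a miss; either check the return value and fall back explicitly, or state that contract in the comment above the call. Two further points on the same lines: tcp_rst_no_conn() runs for every guest segment that matches no flow, so after this change an unsolicited-segment flood costs a netlink neighbour query per packet where it previously cost only a buffer build, which deserves a sentence in the commit message or a cheaper pre-check; and the new comment ("Respond with true MAC address if remote host is on the template interface's network segment") does not describe the condition actually tested, which is !fwd_inany_nat(c, &tgt), i.e. "unless the address is NAT-rewritten"; reword it to say that the neighbour table is consulted for non-NAT addresses and our own tap MAC is used otherwise.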
> @@ -1908,7 +1921,7 @@ static void tcp_rst_no_conn(const struct ctx *c, in= t af, > *rst_src, *rst_dst); > =20 > } else { > - struct ipv6hdr *ip6h =3D tap_push_l2h(c, buf, NULL, ETH_P_IPV6); > + struct ipv6hdr *ip6h =3D tap_push_l2h(c, buf, src_mac, ETH_P_IPV6); > const struct in6_addr *rst_src =3D daddr; > const struct in6_addr *rst_dst =3D saddr; > =20

-- 
David Gibson (he or they)       | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you, not the other way
                                | around.
http://www.ozlabs.org/~dgibson
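As an added example that is not part of this thread and not passt's own code: a self-contained C sketch of what tcp_rst_no_conn() is being asked to do in the patch above, namely answer a guest segment that matches no flow with an RST whose Ethernet source MAC is the peer's real MAC when the destination address is not NAT-rewritten and the neighbour table knows it, and our own tap MAC otherwise (including the miss case David's reply is about). The neighbour table, the NAT check, all MACs and addresses are constructed stand-ins; neigh_mac_get(), addr_is_nat(), guest_mac, peer_ip, nat_ip and make_segment() are hypothetical names, not passt's. The RST itself follows RFC 9293 section 3.10.7.1, which is also where the patch's "don't respond to RSTs" check comes from.

```c
/* Added example (not passt's code): answer a TCP segment that matches no
 * connection with an RST, choosing the Ethernet source MAC as the patch
 * above does: the peer's neighbour-table MAC for a non-NAT address, our own
 * tap MAC otherwise.  MACs, addresses and the neighbour table are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#define ETH_ALEN 6
#define ETH_P_IP 0x0800
enum { TH_FIN = 0x01, TH_SYN = 0x02, TH_RST = 0x04, TH_ACK = 0x10 };
struct eth_hdr { uint8_t dst[ETH_ALEN], src[ETH_ALEN]; uint16_t type; } __attribute__((packed));
struct ip4_hdr { uint8_t vhl, tos; uint16_t tot_len, id, frag; uint8_t ttl, proto;
		 uint16_t csum; uint32_t saddr, daddr; } __attribute__((packed));
struct tcp_hdr { uint16_t sport, dport; uint32_t seq, ack; uint8_t off, flags;
		 uint16_t win, csum, urp; } __attribute__((packed));
struct frame { struct eth_hdr eth; struct ip4_hdr ip; struct tcp_hdr tcp; } __attribute__((packed));

/* Constructed identities (hypothetical); IPs are in host byte order */
const uint8_t guest_mac[ETH_ALEN] = { 0x52, 0x54, 0, 0x12, 0x34, 0x56 };
const uint8_t our_tap_mac[ETH_ALEN] = { 0x02, 0, 0, 0, 0, 0x01 };
const uint8_t peer_mac[ETH_ALEN] = { 0x52, 0x54, 0, 0xaa, 0xbb, 0xcc };	/* on-link peer */
const uint32_t peer_ip = 0xc0a80005, nat_ip = 0xc0a80001;	/* 192.168.0.5, 192.168.0.1 */
struct ip4_hdr in_ip; struct tcp_hdr in_tcp; struct frame rst;	/* scratch for the demo */

/* Stand-ins for nl_neigh_mac_get() and fwd_inany_nat() */
static bool neigh_mac_get(uint32_t ip, uint8_t mac[ETH_ALEN])
{
	if (ip != peer_ip) return false;	/* miss: mac is left untouched */
	memcpy(mac, peer_mac, ETH_ALEN); return true;
}
static bool addr_is_nat(uint32_t ip) { return ip == nat_ip; }

/* Source MAC for an RST to the guest on behalf of `ip`: our tap MAC, unless
 * the peer is a non-NAT address with a neighbour entry (then its real MAC) */
void rst_src_mac(uint32_t ip, uint8_t mac[ETH_ALEN])
{
	memcpy(mac, our_tap_mac, ETH_ALEN);
	if (!addr_is_nat(ip))
		neigh_mac_get(ip, mac);
}
/* RFC 1071 checksum over len bytes, result in host byte order */
uint16_t csum16(const void *p, size_t len)
{
	const uint8_t *b = p; uint32_t sum = 0;
	for (; len > 1; len -= 2, b += 2) sum += (uint32_t)(b[0] << 8 | b[1]);
	if (len) sum += (uint32_t)(b[0] << 8);
	while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}
/* TCP checksum over the IPv4 pseudo-header plus a 20-byte TCP header */
uint16_t tcp4_csum(const struct ip4_hdr *ih, const struct tcp_hdr *th)
{
	uint8_t buf[32] = { 0 };
	memcpy(buf, (const uint8_t *)ih + 12, 8);	/* saddr, daddr */
	buf[9] = IPPROTO_TCP; buf[11] = 20;		/* zero, protocol, TCP length */
	memcpy(buf + 12, th, 20);
	return csum16(buf, 32);
}
/* Build the RST answering a stray segment (ih/th, l4len bytes of TCP) into
 * out; returns the frame length, or 0 when nothing is sent (RFC 9293 3.10.7.1) */
size_t tcp_rst_no_conn(const struct ip4_hdr *ih, const struct tcp_hdr *th,
		       size_t l4len, struct frame *out)
{
	size_t doff = (th->off >> 4) * 4, seglen;
	if ((th->flags & TH_RST) || doff < 20 || doff > l4len)
		return 0;	/* never answer an RST; reject a bad data offset */
	/* SEG.LEN: payload bytes plus one each for SYN and FIN */
	seglen = l4len - doff + !!(th->flags & TH_SYN) + !!(th->flags & TH_FIN);
	memset(out, 0, sizeof(*out));
	memcpy(out->eth.dst, guest_mac, ETH_ALEN);
	rst_src_mac(ntohl(ih->daddr), out->eth.src);	/* the RST "comes from" the peer */
	out->eth.type = htons(ETH_P_IP);
	out->ip.vhl = 0x45; out->ip.tot_len = htons(40); out->ip.ttl = 64;
	out->ip.proto = IPPROTO_TCP; out->ip.saddr = ih->daddr; out->ip.daddr = ih->saddr;
	out->ip.csum = htons(csum16(&out->ip, 20));
	out->tcp.sport = th->dport; out->tcp.dport = th->sport; out->tcp.off = 5 << 4;
	if (th->flags & TH_ACK) {		/* <SEQ=SEG.ACK><CTL=RST> */
		out->tcp.seq = th->ack;
		out->tcp.flags = TH_RST;
	} else {				/* <SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK> */
		out->tcp.ack = htonl(ntohl(th->seq) + (uint32_t)seglen);
		out->tcp.flags = TH_RST | TH_ACK;
	}
	out->tcp.csum = htons(tcp4_csum(&out->ip, &out->tcp));
	return sizeof(*out);
}
/* Constructed guest-to-peer segment, no options or payload; returns l4len */
size_t make_segment(struct ip4_hdr *ih, struct tcp_hdr *th, uint32_t saddr,
		    uint32_t daddr, uint32_t seq, uint32_t ack, uint8_t flags)
{
	memset(ih, 0, sizeof(*ih)); memset(th, 0, sizeof(*th));
	ih->vhl = 0x45; ih->proto = IPPROTO_TCP; ih->saddr = htonl(saddr); ih->daddr = htonl(daddr);
	th->sport = htons(40000); th->dport = htons(22); th->off = 5 << 4; th->flags = flags;
	th->seq = htonl(seq); th->ack = htonl(ack);
	return sizeof(*th);
}
```

Feeding make_segment() a SYN from the guest to peer_ip yields an RST|ACK with SEQ 0 and ACK SEG.SEQ+1 carrying peer_mac; the same segment to nat_ip, or to an address the table has never seen, carries our_tap_mac. That last case is the one worth keeping in mind for the patch: the guest only ever sees the peer's real MAC when the host already had a neighbour entry for it.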