Date: Mon, 8 Sep 2025 13:29:38 +1000
From: David Gibson
To: Jon Maloy
Cc: sbrivio@redhat.com, dgibson@redhat.com, passt-dev@passt.top
Subject: Re: [PATCH v5 09/10] tcp: make tcp_rst_no_conn() respond with correct MAC address
In-Reply-To: <20250906021154.2760611-10-jmaloy@redhat.com>
References: <20250906021154.2760611-1-jmaloy@redhat.com> <20250906021154.2760611-10-jmaloy@redhat.com>
List-Id: Development discussion and patches for passt

On Fri, Sep 05, 2025 at 10:11:53PM -0400, Jon Maloy wrote:
> tcp_rst_no_conn() needs to identify and specify which source MAC
> address to use when sending an RST to the guest. This is because
> it doesn't have access to any flow structure where this address
> could be fetched.
> 
> Signed-off-by: Jon Maloy
> 
> ---
> v3: - Adapted to the signature change in nl_mac_get() function, so that
>       we now consider only the template interface when checking the
>       ARP/NDP table.
> v4: - Adapted to previous name changes in this series
> v5: - Eliminated use of function fwd_iany_nat().
>     - Instead using the translation result of an attempted NAT lookup.
> ---
>  tcp.c | 14 +++++++++++---
>  1 file changed, 11 insertions(+), 3 deletions(-)
> 
> diff --git a/tcp.c b/tcp.c
> index 383654c..54e75bb 100644
> --- a/tcp.c
> +++ b/tcp.c
> @@ -1912,6 +1912,8 @@ static void tcp_rst_no_conn(const struct ctx *c, int af,
>  			    const struct tcphdr *th, size_t l4len)
>  {
>  	struct iov_tail payload = IOV_TAIL(NULL, 0, 0);
> +	unsigned char src_mac[ETH_ALEN];
> +	union inany_addr tgt, tgt_nat;

'tgt' is not a good name here.  'tgt' typically refers to the "target"
(non-initiating) side of a flow.  But in this instance there is no flow.

>  	struct tcphdr *rsth;
>  	char buf[USHRT_MAX];
>  	uint32_t psum = 0;
> @@ -1921,9 +1923,15 @@ static void tcp_rst_no_conn(const struct ctx *c, int af,
>  	if (th->rst)
>  		return;
>  
> +	/* Try to use true MAC address if remote host's address or
> +	 * NAT translated address can be found in ARP/NDP table.
> +	 */
> +	inany_from_af(&tgt, af, daddr);
> +	nat_outbound(c, &tgt, &tgt_nat);
> +	fwd_neigh_mac_get(c, &tgt_nat, src_mac);

I'm not convinced we actually want to do a MAC lookup in this case.
In this case the guest has sent us a packet that looks bogus.  The RST
is explicitly something we're synthesizing, not something that's
_actually_ from the peer.  We have to lie about the IP address or the
guest won't attach this RST to the right connection, but I don't see
that we need to lie about the MAC address as well - especially since
it has a cost to do so.

Or to look at it another way, if we get here the guest's idea of the
surrounding network is already out of sync with passt's idea.  So
trying to preserve that idea by faking the MAC is kind of pointless.

>  	if (af == AF_INET) {
> -		struct iphdr *ip4h = tap_push_l2h(c, buf, c->our_tap_mac,
> -						  ETH_P_IP);
> +		struct iphdr *ip4h = tap_push_l2h(c, buf, src_mac, ETH_P_IP);
>  		const struct in_addr *rst_src = daddr;
>  		const struct in_addr *rst_dst = saddr;
>  
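Review bot: the return values of fwd_neigh_mac_get() and nat_outbound() are both discarded, yet the comment above them says the true MAC is used only "if" the address "can be found in ARP/NDP table", and this same hunk removes the c->our_tap_mac argument that tap_push_l2h() used to receive. Unless fwd_neigh_mac_get() is guaranteed to write all ETH_ALEN bytes of src_mac on every path, including when no neighbour entry exists, the RST is sent with an uninitialized source MAC. Suggest either checking the result and falling back to the old value, or seeding the buffer before the lookup, e.g. `memcpy(src_mac, c->our_tap_mac, ETH_ALEN);`, and stating in the comment what tgt_nat holds when no NAT rule applies, since only tgt_nat (not tgt) is passed to the lookup.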
> @@ -1933,7 +1941,7 @@ static void tcp_rst_no_conn(const struct ctx *c, int af,
>  						  *rst_src, *rst_dst);
>  
>  	} else {
> -		struct ipv6hdr *ip6h = tap_push_l2h(c, buf, c->our_tap_mac, ETH_P_IPV6);
> +		struct ipv6hdr *ip6h = tap_push_l2h(c, buf, src_mac, ETH_P_IPV6);
>  		const struct in6_addr *rst_src = daddr;
>  		const struct in6_addr *rst_dst = saddr;
>  
> -- 
> 2.50.1
> 

-- 
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson