Date: Fri, 17 Oct 2025 14:05:23 +1100
From: David Gibson
To: Jon Maloy
Subject: Re: [PATCH v14 03/10] fwd: Add cache table for ARP/NDP contents
References: <20251015025521.1449156-1-jmaloy@redhat.com> <20251015025521.1449156-4-jmaloy@redhat.com>
In-Reply-To: <20251015025521.1449156-4-jmaloy@redhat.com>
Cc: sbrivio@redhat.com, dgibson@redhat.com, passt-dev@passt.top
List-Id: Development discussion and patches for passt

On Tue, Oct 14, 2025 at 10:55:14PM -0400, Jon Maloy wrote:
> We add a cache table to keep track of the contents of the kernel ARP
> and NDP tables. The table is fed from the just introduced netlink based
> neighbour subscription function.
>
> Signed-off-by: Jon Maloy

Reviewed-by: David Gibson

I do see one error here, but it's fairly harmless, so I think a follow up
makes more sense than a respin.

[snip]

> +	/* Blocker entries to stop events from hosts using these addresses */
> +	if (!inany_is_unspecified4(&mhl))
> +		fwd_neigh_table_update(c, &mhl, c->our_tap_mac, true);
> +
> +	if (!inany_is_unspecified4(&ggw) && !c->no_map_gw)
> +		fwd_neigh_table_update(c, &ggw, c->our_tap_mac, true);
> +
> +	if (!inany_is_unspecified4(&mga) && !inany_equals(&mhl, &mga)) {

That made me realise that we should throw an error during configuration
if map_host_loopback == map_guest_addr. It doesn't make sense for these
to be the same - if they are, we have no way of knowing if a packet
should be mapped to 127.0.0.1 or to guest_addr.

*checks* looks like map_host_loopback will take precedence in this
case, because of the way nat_outbound() is ordered.

In any case I think you can drop the inany_equals() test - the permanent
bit will stop the second update from clobbering the first, even if we
are misconfigured.
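Review bot: the bare `true` passed to all three fwd_neigh_table_update() calls is the only thing that makes these "blocker" entries, and neither the comment nor the call site says what it means; since the reason for the block is that later netlink-driven updates must not overwrite these addresses, the comment should state that the entries are installed as permanent (or the flag could become a named constant, for instance a hypothetical FWD_NEIGH_PERMANENT). The calls also discard any return status, so if fwd_neigh_table_update() can fail (for example on a full table) a blocker that was never installed would go unnoticed, which is exactly the case where a host event could later take over the address; if it can fail, log it here.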
> +	uint8_t mac[ETH_ALEN];
> +	int rc;
> +
> +	rc = nl_link_get_mac(nl_sock, c->ifi4, mac);
> +	if (rc < 0) {
> +		debug("Couldn't get ip4 MAC addr: %s", strerror_(-rc));
> +		memcpy(mac, c->our_tap_mac, ETH_ALEN);
> +	}

Using the host's MAC for --map-guest-addr only makes sense if the guest
address is the same as the host address. If -a is used to make the guest
address different, then it may shadow some other random node, not the
host. We don't need special handling for that case - the nat_inbound()
you already have will do what we need.

IIUC, the host itself doesn't appear in the neighbour table, so we do
need special handling if we want to use the host MAC when
--map-guest-addr *does* refer to the host. To handle that, I think what
we want is pseudo-codishly:

	fwd_neigh_table_update(c, nat_inbound(host_addr), host_mac, true);

The wrinkle is that while we do get the host address at some point, I'm
not sure we keep it around (it's typically irrelevant after init).

Strictly speaking 'permanent' isn't really correct here, but it's not
worth the hassle of setting up a whole other netlink monitor to watch
for changes in the host's MAC address.

In fact.. I'm not sure it's worth handling this case at all. I think it
would be ok to just drop this clause. That means we'll use our_tap_mac
by default for things NATted to the (non loopback) host, which is
probably fine.

-- 
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson
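Review bot: the fallback in the `if (rc < 0)` branch only logs at debug level and then silently substitutes c->our_tap_mac for the host's MAC, so a netlink failure at startup ends up installing the wrong MAC for the mapped guest address with nothing visible in normal logs; if the clause is kept, raise that message to warning level, otherwise drop the clause as the reply suggests, since the nat_inbound() path already covers the case where the guest address differs from the host's. Also, if c->ifi4 can be unset in a configuration without IPv4, the nl_link_get_mac() call should be skipped explicitly rather than relying on the error path.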
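As an added illustration of the behaviour the review relies on (that the permanent bit lets the first entry for an address win against any later update, including a second permanent one in the mhl == mga misconfiguration), here is a hypothetical neighbour cache model written for this note; it is not passt's code, and the struct layout, function names and return codes are all assumptions:

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define ETH_ALEN 6
#define NEIGH_MAX 8
/* Hypothetical model of an entry (not passt's struct); addr 0 = free slot */
struct neigh_entry {
	uint32_t addr;		/* IPv4 address, kept as a plain integer here */
	uint8_t mac[ETH_ALEN];
	bool permanent;		/* set for passt-installed "blocker" entries */
};
static struct neigh_entry neigh_table[NEIGH_MAX];
/* Model of fwd_neigh_table_update(): 1 = written, 0 = refused because a
 * permanent entry already owns addr, -1 = table full or addr unspecified */
int neigh_update(uint32_t addr, const uint8_t mac[ETH_ALEN], bool permanent)
{
	struct neigh_entry *slot = NULL;
	for (int i = 0; i < NEIGH_MAX; i++) {
		struct neigh_entry *e = &neigh_table[i];
		if (!e->addr) {
			if (!slot)
				slot = e;	/* remember a free slot for insertion */
		} else if (e->addr == addr) {
			if (e->permanent)
				return 0;	/* first permanent entry wins, even against another */
			slot = e;		/* learned entry: overwrite in place */
			break;
		}
	}
	if (!slot || !addr)
		return -1;
	slot->addr = addr;
	memcpy(slot->mac, mac, ETH_ALEN);
	slot->permanent = permanent;
	return 1;
}
/* Constructed scenario: map_host_loopback and map_guest_addr both 10.0.0.2.
 * The our_tap_mac blocker goes in first; a later permanent update (the mga
 * clause) and a netlink-learned one must both fail to clobber it. */
int blocker_scenario(void)
{
	static const uint8_t our_tap_mac[ETH_ALEN] = { 0x9a, 0x55, 0xaa, 0, 0, 1 };
	static const uint8_t host_mac[ETH_ALEN] = { 0x52, 0x54, 0, 0x12, 0x34, 0x56 };
	const uint32_t mhl = 0x0a000002u, mga = mhl;
	memset(neigh_table, 0, sizeof(neigh_table));
	if (neigh_update(mhl, our_tap_mac, true) != 1) return -1;
	if (neigh_update(mga, host_mac, true) != 0) return -2;
	if (neigh_update(mga, host_mac, false) != 0) return -3;
	return !memcmp(neigh_table[0].mac, our_tap_mac, ETH_ALEN);	/* 1 = blocker survived */
}
```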