From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: passt.top; dmarc=none (p=none dis=none) header.from=gibson.dropbear.id.au
Authentication-Results: passt.top;
	dkim=pass (2048-bit key; secure) header.d=gibson.dropbear.id.au header.i=@gibson.dropbear.id.au header.a=rsa-sha256 header.s=202512 header.b=jSU57qWs;
	dkim-atps=neutral
Received: from mail.ozlabs.org (gandalf.ozlabs.org [150.107.74.76])
	by passt.top (Postfix) with ESMTPS id B2BDC5A0773
	for <passt-dev@passt.top>; Mon, 15 Dec 2025 11:08:30 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gibson.dropbear.id.au; s=202512; t=1765793302;
	bh=n8AbP4HJKhT/Wq4kQy6n5eacuFiYA7c1pefDy/YIFBo=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
	b=jSU57qWs6vyBhB8u6Sykcm4fC7lM288ktjKP/xkM/jnuoyRBQmMLeFdVFaY0oFh57
	 ncri5MJvBue3o4uOhuVNgiEOE/Jal9qMspD1OcdelYhOP7/fRAnOkPIN1ufq1AAuU4
	 65dV6PZD4G5icDAegIf1JwfpUIIf2PpmFKAF3LewGKDf5PrpJhB/sxmMXcypJab5/9
	 kmpWnLYoi443t0JVevgz9umyLhGG7hm/vXX/aiYF0mSjnAtKLC/G1Y1ymjOQdXy5/c
	 17/SpudC8x+Lt8vyZKj0VDtBOP4seS3dsyBsDVxcGnJots3I4mDo8NpB3iEDKEMUGf
	 /16kh+Fb5LyTA==
Received: by gandalf.ozlabs.org (Postfix, from userid 1007)
	id 4dVG3V2M41z4wDl; Mon, 15 Dec 2025 21:08:22 +1100 (AEDT)
Date: Mon, 15 Dec 2025 21:06:32 +1100
From: David Gibson <david@gibson.dropbear.id.au>
To: Jon Maloy <jmaloy@redhat.com>
Subject: Re: [RFC  05/12] fwd: Check all configured addresses in guest
 accessibility functions
Message-ID: <aT_dqGl949HGmoFN@zatzit>
References: <20251215015441.887736-1-jmaloy@redhat.com>
 <20251215015441.887736-6-jmaloy@redhat.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="46eW/ehpHo9tJ35L"
Content-Disposition: inline
In-Reply-To: <20251215015441.887736-6-jmaloy@redhat.com>
Message-ID-Hash: ZTWJX3YC2FJZPPSBMSB64C3E5JYUBUCV
X-Message-ID-Hash: ZTWJX3YC2FJZPPSBMSB64C3E5JYUBUCV
X-MailFrom: dgibson@gandalf.ozlabs.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: sbrivio@redhat.com, dgibson@redhat.com, passt-dev@passt.top
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/aT_dqGl949HGmoFN@zatzit/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/ZTWJX3YC2FJZPPSBMSB64C3E5JYUBUCV/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>


--46eW/ehpHo9tJ35L
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sun, Dec 14, 2025 at 08:54:34PM -0500, Jon Maloy wrote:
> We update fwd_guest_accessible4() and fwd_guest_accessible6() to check
> against all addresses in the addrs[] array, not just addrs[0].
>=20
> This ensures that when multiple addresses are configured via -a options,
> traffic using any of them is correctly identified as guest traffic for
> NAT and forwarding decisions.

That last paragraph is not an accurate.  fwd_guest_accessible() isn't
about "identifying guest traffic".  It's about detecting inbound
traffic that we have *no way* to forward to the guest and dropping it.
This occurs when we have a peer address that we have no translation
for, but collides with an address the guest is using.

>=20
> Signed-off-by: Jon Maloy <jmaloy@redhat.com>
> ---
>  fwd.c | 22 ++++++++++++++++------
>  1 file changed, 16 insertions(+), 6 deletions(-)
>=20
> diff --git a/fwd.c b/fwd.c
> index 408af30..ece381d 100644
> --- a/fwd.c
> +++ b/fwd.c
> @@ -502,6 +502,8 @@ static bool is_dns_flow(uint8_t proto, const struct f=
lowside *ini)
>  static bool fwd_guest_accessible4(const struct ctx *c,
>  				    const struct in_addr *addr)
>  {
> +	int i;
> +
>  	if (IN4_IS_ADDR_LOOPBACK(addr))
>  		return false;
> =20
> @@ -513,11 +515,15 @@ static bool fwd_guest_accessible4(const struct ctx =
*c,
>  	if (IN4_IS_ADDR_UNSPECIFIED(addr))
>  		return false;
> =20
> -	/* For IPv4, addr_seen is initialised to addr, so is always a valid
> -	 * address
> +	/* Check against all configured guest addresses */
> +	for (i =3D 0; i < c->ip4.addr_count; i++)
> +		if (IN4_ARE_ADDR_EQUAL(addr, &c->ip4.addrs[i].addr))
> +			return false;
> +
> +	/* Also check addr_seen: it tracks the address the guest is actually
> +	 * using, which may differ from configured addresses.
>  	 */
> -	if (IN4_ARE_ADDR_EQUAL(addr, &c->ip4.addrs[0].addr) ||
> -	    IN4_ARE_ADDR_EQUAL(addr, &c->ip4.addr_seen))
> +	if (IN4_ARE_ADDR_EQUAL(addr, &c->ip4.addr_seen))

Really an overall series comment, rather than specific to this patch:

If we're allowing multiple addresses, it doesn't make sense to leave
the 'addr_seen' mechanism as-is.  If the guest actually uses multiple
addresses, then addr_seen will bounce around between them in a not
very meaningful way.

Personally, I've never been super-convinced that allowing the guest to
just use an arbitrary address we didn't give it is a good idea.  But,
I guess it's an established feature now.  I think the way to do that
in a multi-address environment would be to add addresses we observe
the guest using to the list of addresses.  They should probably be
flagged as having been observed coming from the guest, rather than
coming from either -a or the host.

>  		return false;
> =20
>  	return true;
> @@ -534,11 +540,15 @@ static bool fwd_guest_accessible4(const struct ctx =
*c,
>  static bool fwd_guest_accessible6(const struct ctx *c,
>  				  const struct in6_addr *addr)
>  {
> +	int i;
> +
>  	if (IN6_IS_ADDR_LOOPBACK(addr))
>  		return false;
> =20
> -	if (IN6_ARE_ADDR_EQUAL(addr, &c->ip6.addrs[0].addr))
> -		return false;
> +	/* Check against all configured guest addresses */
> +	for (i =3D 0; i < c->ip6.addr_count; i++)
> +		if (IN6_ARE_ADDR_EQUAL(addr, &c->ip6.addrs[i].addr))
> +			return false;
> =20
>  	/* For IPv6, addr_seen starts unspecified, because we don't know what LL
>  	 * address the guest will take until we see it.  Only check against it
> --=20
> 2.51.1
>=20

--=20
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson

--46eW/ehpHo9tJ35L
Content-Type: application/pgp-signature; name=signature.asc

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEO+dNsU4E3yXUXRK2zQJF27ox2GcFAmk/3acACgkQzQJF27ox
2Gcp9w/6A3A5ATqG0BoFrkS3ohmtjQS8AiX8jb2t51NdnZ+bS+xfyGrQkZNL7WPD
4VIL1P5JB6qs9tX33dHjShPc4jZSnB/94hB5Iyo5MLt8etPdEq9pe/73eTa1GNfZ
Mlfjyse6+z8KDGIeLMkcinGxfXupAo7jaUvOXYUlhvlNcsQE1akS/fFGI10lsCwj
EQSBT0UF4ZTjU0fBtWN5EqI3d0v93outFzSWLhttpTBvX+7CMbcv7WHhz+uh9LgD
XnhZe+0E9UcoguR7LX4Ce6En7ecA/NY46UmCmPC7nI/JxHhwDcy8Gta4GOl4fPcD
wslIi90L98JvDfFvLiVksOL3gg6UaZaVf7slzkrn46xorHTb6jR8CUMa+fwhSd0Y
VY9tDMWW0sP1DTmfXvw1PZvlA7DIC/u3ubSvDvcRGq4xu7/9G8NTZstQ50aaLs96
/s3w+Z0f1kYlRXVGFGrtenRHYtbrBnC8Hm5dY4nwr5cJ8zzU5Qq0LklW24Ge9uRi
h/JBtTsrVK7hRUEA5aA17xMX/v3BV4/cFt/EF/jQlq9RqszI6qzGEILcHP+c1vzZ
C+aKlHADhNJF9vYhkwCN3HreCHK15AiGmuaIL4xWz3mbvxff5sYDEoHoRmSVPbDb
H1TMWh8jxYIe150OaKWSG+5K5xp6T1mm7OyY9/+JJFD7JRNAg3Q=
=q9ql
-----END PGP SIGNATURE-----

--46eW/ehpHo9tJ35L--