From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: passt.top; dmarc=none (p=none dis=none) header.from=gibson.dropbear.id.au
Authentication-Results: passt.top;
	dkim=pass (2048-bit key; secure) header.d=gibson.dropbear.id.au header.i=@gibson.dropbear.id.au header.a=rsa-sha256 header.s=202512 header.b=gsR68ecW;
	dkim-atps=neutral
Received: from mail.ozlabs.org (gandalf.ozlabs.org [150.107.74.76])
	by passt.top (Postfix) with ESMTPS id 1572D5A0624
	for <passt-dev@passt.top>; Wed, 28 Jan 2026 01:37:28 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gibson.dropbear.id.au; s=202512; t=1769560644;
	bh=oNG0U07V55Kp5M6wy3cgR8+PRwKh/kDrYumHPwhht88=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
	b=gsR68ecW1S0tDDGT8DqeZNNqJJXGIqtBN6cObbx+hts1YErFokcC14ke9d9KoAlOV
	 Z8JMWAYUZ31sp8QdItQlHeTBDQSE/zBLO1Lx8HSz0ie6CMEVgVoEx2+fz8+6j4Nb/F
	 uGbd0KIb/4RJQzpqUkU7v96DJzbW/yV2hQc9rm0m5wEnEPO/Tpyy+a5Ds9ucMwfyvK
	 vz+YXOQ7SpfRsHzccz9BcUqrg/CeRPnZ/fbxFDvSZHEp2+vYcW+xmH/71KL0xwbIvU
	 Cf2l3hqF8+1W7hh3NEUQJlvPxvUHTPuiVXR5t1OADNWY81mRGZPjc5Cr4rEi+t45gm
	 +FivagxVhw9Og==
Received: by gandalf.ozlabs.org (Postfix, from userid 1007)
	id 4f13JN0CD3z4wDK; Wed, 28 Jan 2026 11:37:24 +1100 (AEDT)
Date: Wed, 28 Jan 2026 11:12:24 +1100
From: David Gibson <david@gibson.dropbear.id.au>
To: Stefano Brivio <sbrivio@redhat.com>
Subject: Re: [PATCH 2/3] tcp: Properly propagate tap-side RST to socket side
Message-ID: <aXlUaKjjo0dmgvJi@zatzit>
References: <20260127083953.824556-1-david@gibson.dropbear.id.au>
 <20260127083953.824556-3-david@gibson.dropbear.id.au>
 <20260127123232.4877d5e3@elisabeth>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="urMfQn3GzPvcrQzf"
Content-Disposition: inline
In-Reply-To: <20260127123232.4877d5e3@elisabeth>
Message-ID-Hash: H4D7SIYKTKHIFSUZ5BA7P4UK2YVQI7R6
X-Message-ID-Hash: H4D7SIYKTKHIFSUZ5BA7P4UK2YVQI7R6
X-MailFrom: dgibson@gandalf.ozlabs.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: passt-dev@passt.top
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/aXlUaKjjo0dmgvJi@zatzit/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/H4D7SIYKTKHIFSUZ5BA7P4UK2YVQI7R6/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>


--urMfQn3GzPvcrQzf
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Jan 27, 2026 at 12:32:32PM +0100, Stefano Brivio wrote:
> On Tue, 27 Jan 2026 19:39:52 +1100
> David Gibson <david@gibson.dropbear.id.au> wrote:
>=20
> > When the guest sends a TCP RST, or on certain error conditions, we want=
 to
> > signal the abnormal termination of a TCP connection to the peer with an
> > RST as well.  We attempt to do that by close()ing the socket.
> >=20
> > That doesn't work: a close() will usually send a FIN, rather than an RS=
T.
> > The standard method of forcing an RST on a socket is to set the SO_LING=
ER
> > socket option with a 0 timeout, then close().
> >=20
> > Update the tcp_rst() path to do this, so it forces a socket side RST.
> > Update the handling of a guest side RST to use the same path (minus
> > sending a tap side RST) so that we properly propagate guest RSTs to the
> > peer.
> >=20
> > Link: https://bugs.passt.top/show_bug.cgi?id=3D191
> >=20
> > Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
> > ---
> >  tcp.c | 37 +++++++++++++++++++++++++++++++++----
> >  1 file changed, 33 insertions(+), 4 deletions(-)
> >=20
> > diff --git a/tcp.c b/tcp.c
> > index 45dde5a0..9da37c2f 100644
> > --- a/tcp.c
> > +++ b/tcp.c
> > @@ -1403,7 +1403,34 @@ static int tcp_send_flag(const struct ctx *c, st=
ruct tcp_tap_conn *conn,
> >  }
> > =20
> >  /**
> > - * tcp_rst_do() - Reset a tap connection: send RST segment to tap, clo=
se socket
> > + * tcp_sock_rst() - Close TCP connection forcing RST on socket side
> > + * @c:		Execution context
> > + * @conn:	Connection pointer
> > + */
> > +static void tcp_sock_rst(const struct ctx *c, struct tcp_tap_conn *con=
n)
> > +{
> > +	const struct linger linger0 =3D {
> > +		.l_onoff =3D 1,
> > +		.l_linger =3D 0,
> > +	};
> > +
> > +	/* Force RST on socket to inform the peer
> > +	 *
> > +	 * We do this by setting SO_LINGER with 0 timeout, which means that
> > +	 * close() will send an RST (unless the connection is already closed =
in
> > +	 * both directions).
> > +	 */
> > +	if (setsockopt(conn->sock, SOL_SOCKET,
> > +		       SO_LINGER, &linger0, sizeof(linger0)) < 0) {
> > +		flow_dbg_perror(conn,
> > +				"SO_LINGER failed, may not send RST to peer");
> > +	}
> > +
> > +	conn_event(c, conn, CLOSED);
> > +}
> > +
> > +/**
> > + * tcp_rst_do() - Reset a tap connection: send RST segment on both sid=
es, close
> >   * @c:		Execution context
> >   * @conn:	Connection pointer
> >   */
> > @@ -1412,8 +1439,10 @@ void tcp_rst_do(const struct ctx *c, struct tcp_=
tap_conn *conn)
> >  	if (conn->events =3D=3D CLOSED)
> >  		return;
> > =20
> > +	/* Send RST on tap */
> >  	tcp_send_flag(c, conn, RST);
> > -	conn_event(c, conn, CLOSED);
> > +
> > +	tcp_sock_rst(c, conn);
> >  }
> > =20
> >  /**
> > @@ -1884,7 +1913,7 @@ static int tcp_data_from_tap(const struct ctx *c,=
 struct tcp_tap_conn *conn,
> >  			return -1;
> > =20
> >  		if (th->rst) {
> > -			conn_event(c, conn, CLOSED);
> > +			tcp_sock_rst(c, conn);
>=20
> The whole series looks good to me, except for one exceedingly minor
> aspect: should we do this also in the getsockopt() error handling path
> of tcp_prepare_flags()?

Yes, I think we should.  Or, perhaps more to the point, we should
actually handle the error code that tcp_prepare_flags() returns via
tcp_send_flag(), and we currently ignore in all callers.

> I would be inclined to apply it regardless of that, the fix is critical
> enough. I'll start the usual test run in a few hours.
>=20
> --=20
> Stefano
>=20

--=20
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson

--urMfQn3GzPvcrQzf
Content-Type: application/pgp-signature; name=signature.asc

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEO+dNsU4E3yXUXRK2zQJF27ox2GcFAml5VFcACgkQzQJF27ox
2Gft9xAAjOHaWX1smZXySxN0yL6lR7g63ltRxIdjxRsfQbo3bF3HYjvcsGK89Cdy
BfmMKKT2EwiVMfJaQX6NMMJt3rhKECUSZesbiGn4UYXHZLg6nIe7w2+J4lH6cw3X
wA2XltmGIJV+7BPKlTjnFQHtg5MHhHqQM5BrdyN/9DEj6f7/SRwgDvXZVjYOzowW
wA7dI8IYSaMqeebBHd6Cf5TKXXCLbKyu4ky4dp1sq3GIg2awV6bp0yaQmtgTRxnt
2dE4dIsNtI0X2Xr26jign4yqNNmwMcJ0sCOskwPkE/U1C1PaTxbQCBA3lJ9NiEUi
NIs+eb9+icyCjjr5rca8mU2FIq/PKzm/BZSUt5pNiOlsLarUosuT/oyINb0G5tCD
DQ5gsvwwGBrUI1Eg4G+6wVXdFkXCrJdVE7auypF9dN3iX8Y3q+oZwAlVvyHJ2QaU
340eQqe4g6JbySyvBcgk+Ub6TY239cmxDQCRo/wEWJdkolkE+QxWs9sT4fG0o/y7
SCfT2tgcf2abaOT5MwsiP5KJ5u0t4mb9LovEfDDMMkrgMglHvJIBQb/FjdjbxZP7
1dWQbGvyB8FTSu2c0qeMZsJV3fwPkMzt6yhJvlZ9gjSZu65zjhkZZww2DNNChp7I
AEcr4Pegr1wOHkGjyqo3vubYW1gBYcBlaOTDcPnykJy0a2LrlWQ=
=F58x
-----END PGP SIGNATURE-----

--urMfQn3GzPvcrQzf--