From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: passt.top; dmarc=none (p=none dis=none) header.from=gibson.dropbear.id.au
Authentication-Results: passt.top;
	dkim=pass (2048-bit key; secure) header.d=gibson.dropbear.id.au header.i=@gibson.dropbear.id.au header.a=rsa-sha256 header.s=202602 header.b=DuETU1BW;
	dkim-atps=neutral
Received: from mail.ozlabs.org (mail.ozlabs.org [IPv6:2404:9400:2221:ea00::3])
	by passt.top (Postfix) with ESMTPS id E2EC15A0652
	for <passt-dev@passt.top>; Mon, 27 Apr 2026 07:20:29 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gibson.dropbear.id.au; s=202602; t=1777267226;
	bh=zqyodnPgfd/Car1PS8MfPpufqCt3iG/MPNMg43FzgFw=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
	b=DuETU1BWQtqrkhI/ztqq82e8ykg1oRmhoFqjRskvPFysHkpsTh0JrCCqMepy2R/id
	 IyVm3Q+x47GgSQ8eZYT+pmmX/Z37h/nXdn2wBFBr2mSaUzC4Ep7pcMbZaKksF19jFv
	 V0dhq7n2CQ+QKlh4U5mkDFZnew7k7dUIGz1MgF5sMpDHWKLz1X0TvKtxvxi98sh7C7
	 PqGFRxGvxZqzm83mz5y2oepOG1zXPkQIXQdpzT+rTX9AEqD9ScPSKLHlqJVW8lvOlQ
	 sutbo1vXu9Rn8D135s66NInmfCqfcTPHEX3r5z+OqNoRVk7s8fEliZUNQDqhNBstU2
	 MZqN8rq0h7Eeg==
Received: by gandalf.ozlabs.org (Postfix, from userid 1007)
	id 4g3sMt1pPfz4wJj; Mon, 27 Apr 2026 15:20:26 +1000 (AEST)
From: David Gibson <david@gibson.dropbear.id.au>
To: Jon Maloy <jmaloy@redhat.com>
Subject: Re: [PATCH v5 01/18] conf, fwd: Stricter rule checking in
 fwd_rule_add()
Message-ID: <ae1q7Hjk0TIiyjgP@zatzit>
References: <20260421062516.2601204-1-david@gibson.dropbear.id.au>
 <20260421062516.2601204-2-david@gibson.dropbear.id.au>
 <a51ca0e5-f75e-4e98-95c5-10832c3fd1c4@redhat.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="a8IvX7DHiVAwqNcT"
Content-Disposition: inline
In-Reply-To: <a51ca0e5-f75e-4e98-95c5-10832c3fd1c4@redhat.com>
X-MailFrom: dgibson@gandalf.ozlabs.org
X-Mailman-Rule-Hits: emergency
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved
Message-ID-Hash: 6XSUVGWXV3NOT6PVMEU4QLUNB67WPVSS
X-Message-ID-Hash: 6XSUVGWXV3NOT6PVMEU4QLUNB67WPVSS
X-Mailman-Approved-At: Mon, 27 Apr 2026 09:47:04 +0200
CC: Stefano Brivio <sbrivio@redhat.com>, passt-dev@passt.top
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/ae1q7Hjk0TIiyjgP@zatzit/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/6XSUVGWXV3NOT6PVMEU4QLUNB67WPVSS/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>
Date: Mon, 27 Apr 2026 05:20:34 
X-Original-Date: Sun, 26 Apr 2026 11:31:24 +1000


--a8IvX7DHiVAwqNcT
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Apr 25, 2026 at 11:31:40AM -0400, Jon Maloy wrote:
>=20
>=20
> On 2026-04-21 02:24, David Gibson wrote:
> > Although fwd_rule_add() performs some sanity checks on the rule it is
> > given, there are invalid rules we don't check for, assuming that its
> > callers will do that.
> >=20
>=20
> > diff --git a/fwd.c b/fwd.c
> > index c7fd1a9d..979c1494 100644
> > --- a/fwd.c
> > +++ b/fwd.c
> > @@ -367,17 +367,59 @@ int fwd_rule_add(struct fwd_table *fwd, const str=
uct fwd_rule *new)
> >   		     new->first, new->last);
> >   		return -EINVAL;
> >   	}
> > +	if (!new->first) {
> > +		warn("Forwarding rule attempts to map from port 0");
> > +		return -EINVAL;
> > +	}
> > +	if (!new->to ||
> > +	    (in_port_t)(new->to + new->last - new->first) < new->to) {
> > +		warn("Forwarding rule attempts to map to port 0");
>=20
> Not strictly true. We are also catching a range overflow case.
> Maybe "Forwarding rule maps to invalid port number"

Well.. the specific overflow case is that the target range "wraps
around", thereby covering port 0, is the reasoning here.

>=20
> /jon
>=20
> > +		return -EINVAL;
> > +	}
> >   	if (new->flags & ~allowed_flags) {
> >   		warn("Rule has invalid flags 0x%hhx",
> >   		     new->flags & ~allowed_flags);
> >   		return -EINVAL;
> >   	}
> > -	if (new->flags & FWD_DUAL_STACK_ANY &&
> > -	    !inany_equals(&new->addr, &inany_any6)) {
> > -		char astr[INANY_ADDRSTRLEN];
> > +	if (new->flags & FWD_DUAL_STACK_ANY) {
> > +		if (!inany_equals(&new->addr, &inany_any6)) {
> > +			char astr[INANY_ADDRSTRLEN];
> > -		warn("Dual stack rule has non-wildcard address %s",
> > -		     inany_ntop(&new->addr, astr, sizeof(astr)));
> > +			warn("Dual stack rule has non-wildcard address %s",
> > +			     inany_ntop(&new->addr, astr, sizeof(astr)));
> > +			return -EINVAL;
> > +		}
> > +		if (!(fwd->caps & FWD_CAP_IPV4)) {
> > +			warn("Dual stack forward, but IPv4 not enabled");
> > +			return -EINVAL;
> > +		}
> > +		if (!(fwd->caps & FWD_CAP_IPV6)) {
> > +			warn("Dual stack forward, but IPv6 not enabled");
> > +			return -EINVAL;
> > +		}
> > +	} else {
> > +		if (inany_v4(&new->addr) && !(fwd->caps & FWD_CAP_IPV4)) {
> > +			warn("IPv4 forward, but IPv4 not enabled");
> > +			return -EINVAL;
> > +		}
> > +		if (!inany_v4(&new->addr) && !(fwd->caps & FWD_CAP_IPV6)) {
> > +			warn("IPv6 forward, but IPv6 not enabled");
> > +			return -EINVAL;
> > +		}
> > +	}
> > +	if (new->proto =3D=3D IPPROTO_TCP) {
> > +		if (!(fwd->caps & FWD_CAP_TCP)) {
> > +			warn("Can't add TCP forwarding rule, TCP not enabled");
> > +			return -EINVAL;
> > +		}
> > +	} else if (new->proto =3D=3D IPPROTO_UDP) {
> > +		if (!(fwd->caps & FWD_CAP_UDP)) {
> > +			warn("Can't add UDP forwarding rule, UDP not enabled");
> > +			return -EINVAL;
> > +		}
> > +	} else {
> > +		warn("Unsupported protocol 0x%hhx (%s) for forwarding rule",
> > +		     new->proto, ipproto_name(new->proto));
> >   		return -EINVAL;
> >   	}
>=20

--=20
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson

--a8IvX7DHiVAwqNcT
Content-Type: application/pgp-signature; name=signature.asc

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEO+dNsU4E3yXUXRK2zQJF27ox2GcFAmntatQACgkQzQJF27ox
2GdVMg/+MVv3Th6tNghC4zb/EqAu2gGhNbNU0f14mt5V8Y4MCzT9Msdey1dUeVOH
U4VNMxszq8RLMIOHxgzTKpXfby6+mjPDeZD8Mg4vJyVr3Brc/utffsczL3qR1Bni
rWmBdB1AaTBw3AUL0cqCPsNkVFxAEZKlhNPPfrUmxHBn8rBpSaMopNAcQ+5p2EnS
MImfw4kJDjK/oeGh97537g3yEA/91BBl3v4rc1ZQN+Tnt8pGV6eyIJic9l734t+8
QEjVaycKV4EvJ3yIPyV1Ibj/uMxRAcYjHu0RcjwVbgO2GZpGBIvm/QxAiCReGxB4
PoWRav/UNyUa3qbZhQ6r7s5lmJu+TulQtM6fhdqfa2ExPNCt68oJOanS8DFyM4qE
lR9/m+6OmjAdxjxNhOhHIQrQo9Ise4jr1Giqu1M36OcQ13SDmhanrBKQNTSSdI3H
8cyseOLSveEiE6OpZfmKTM3yrB4+NoI3ncKGg8JmON4kos4hixq1F4sb4j4DVbWk
+9DJqZwkLiplG5ozfJq+MsbfIknzdJchE/soNmZMfCuRkX3TKu06q1+mA7auXsxn
YllyMari+CiFF2AdbotwkTMdu/HQ6ZAEROqygSuDf/mcDlDL7YaRnWM+h+PHaets
8jIzw985XppRC41sIi+5P1B6HWSTYuOkMfVJG0/CTmtUcwiz000=
=z98T
-----END PGP SIGNATURE-----

--a8IvX7DHiVAwqNcT--