Date: Tue, 21 Apr 2026 10:29:07 +1000
From: David Gibson
To: Laurent Vivier
CC: passt-dev@passt.top, Stefano Brivio
Subject: Re: [PATCH v3 07/11] conf, fwd: Stricter rule checking in fwd_rule_add()
List-Id: Development discussion and patches for passt

On Mon, Apr 20, 2026 at 06:48:48PM +0200, Laurent Vivier wrote:
> On 4/17/26 07:05, David Gibson wrote:
> > Although fwd_rule_add() performs some sanity checks on the rule it is
> > given, there are invalid rules we don't check for, assuming that its
> > callers will do that.
> >
> > That won't be enough when we can get rules inserted by a dynamic update
> > client without going through the existing parsing code. So, add stricter
> > checks to fwd_rule_add(), which is now possible thanks to the capabilities
> > bits in the struct fwd_table. Where those duplicate existing checks in the
> > callers, remove the old copies.
> >
> > Signed-off-by: David Gibson
> > ---
> > conf.c | 19 -------------------
> > fwd.c | 51 ++++++++++++++++++++++++++++++++++++++++++++++-----
> > 2 files changed, 46 insertions(+), 24 deletions(-)
> >
> > diff --git a/conf.c b/conf.c > > index ecc3a342..3b373b22 100644 > > --- a/conf.c > > +++ b/conf.c > > @@ -310,10 +310,6 @@ static void conf_ports_spec(struct fwd_table *fwd,= uint8_t proto, > > if (p !=3D ep) /* Garbage after the ranges */ > > goto bad; > > - if (orig_range.first =3D=3D 0) { > > - die("Can't forward port 0 included in '%s'", spec); > > - } > > -
>
> We remove the die() here but we keep the "assert(first != 0)" in
> conf_ports_range_except(), so the user can trigger it with "-t 0" before the
> call to fwd_rule_add().

Oops. Fixed.

>
>
> > conf_ports_range_except(fwd, proto, addr, ifname, > > orig_range.first, orig_range.last, > > exclude, > > @@ -356,11 +352,6 @@ static void conf_ports(char optname, const char *o= ptarg, struct fwd_table *fwd) > > return; > > } > > - if (proto =3D=3D IPPROTO_TCP && !(fwd->caps & FWD_CAP_TCP)) > > - die("TCP port forwarding requested but TCP is disabled"); > > - if (proto =3D=3D IPPROTO_UDP && !(fwd->caps & FWD_CAP_UDP)) > > - die("UDP port forwarding requested but UDP is disabled"); > > - > > strncpy(buf, optarg, sizeof(buf) - 1); > > if ((spec =3D strchr(buf, '/'))) { > > @@ -405,16 +396,6 @@ static void conf_ports(char optname, const char *o= ptarg, struct fwd_table *fwd) > > addr =3D NULL; > > } > > - if (addr) { > > - if (!(fwd->caps & FWD_CAP_IPV4) && inany_v4(addr)) { > > - die("IPv4 is disabled, can't use -%c %s", > > - optname, optarg); > > - } else if (!(fwd->caps & FWD_CAP_IPV6) && !inany_v4(addr)) { > > - die("IPv6 is disabled, can't use -%c %s", > > - optname, optarg); > > - } > > - } > > - > > if (optname =3D=3D 'T' || optname =3D=3D 'U') { > > assert(!addr && !ifname); > > diff --git a/fwd.c b/fwd.c > > index c7fd1a9d..aa966731 100644 > > --- a/fwd.c > > +++ b/fwd.c
> > @@ -367,17 +367,58 @@ int fwd_rule_add(struct fwd_table *fwd, const str= uct fwd_rule *new) > > new->first, new->last); > > return -EINVAL; > > } > > + if (!new->first) { > > + warn("Forwarding rule attempts to map from port 0"); > > + return -EINVAL; > > + } > > + if (!new->to || (new->to + new->last - new->first) < new->to) {
>
> Why do we need the second part?

To check for the case where we have a (valid) source range of ports
mapped to a target range starting high enough that there's no room, so
it wraps around covering port 0

> We know new->first < new->last and this cannot overflow as values are
> uint16_t and arithmetic uses int.

Bother, I always forget that minimum promotion rule. I've added a
cast so it *will* overflow in the case I'm looking for.

>
> FWIW:
> (gdb) print (unsigned short)65535
> $1 = 65535
> (gdb) print (unsigned short)65536
> $2 = 0
> (gdb) print (unsigned short)65535 + (unsigned short)1
> $3 = 65536
>
>
> > + warn("Forwarding rule attempts to map to port 0"); > > + return -EINVAL; > > + } > > if (new->flags & ~allowed_flags) { > > warn("Rule has invalid flags 0x%hhx", > > new->flags & ~allowed_flags); > > return -EINVAL; > > } > > - if (new->flags & FWD_DUAL_STACK_ANY && > > - !inany_equals(&new->addr, &inany_any6)) { > > - char astr[INANY_ADDRSTRLEN]; > > + if (new->flags & FWD_DUAL_STACK_ANY) { > > + if (!inany_equals(&new->addr, &inany_any6)) { > > + char astr[INANY_ADDRSTRLEN]; > > - warn("Dual stack rule has non-wildcard address %s", > > - inany_ntop(&new->addr, astr, sizeof(astr))); > > + warn("Dual stack rule has non-wildcard address %s", > > + inany_ntop(&new->addr, astr, sizeof(astr))); > > + return -EINVAL; > > + } > > + if (!(fwd->caps & FWD_CAP_IPV4)) { > > + warn("Dual stack forward, but IPv4 not enabled"); > > + return -EINVAL; > > + } > > + if (!(fwd->caps & FWD_CAP_IPV6)) { > > + warn("Dual stack forward, but IPv6 not enabled"); > > + return -EINVAL; > > + } > > + } else { > > + if
(inany_v4(&new->addr) && !(fwd->caps & FWD_CAP_IPV4)) { > > + warn("IPv4 forward, but IPv4 not enabled"); > > + return -EINVAL; > > + } > > + if (!inany_v4(&new->addr) && !(fwd->caps & FWD_CAP_IPV6)) { > > + warn("IPv6 forward, but IPv6 not enabled"); > > + return -EINVAL; > > + } > > + } > > + if (new->proto =3D=3D IPPROTO_TCP) { > > + if (!(fwd->caps & FWD_CAP_TCP)) { > > + warn("Can't add TCP forwarding rule, TCP not enabled"); > > + return -EINVAL; > > + } > > + } else if (new->proto =3D=3D IPPROTO_UDP) { > > + if (!(fwd->caps & FWD_CAP_UDP)) { > > + warn("Can't add UDP forwarding rule, UDP not enabled"); > > + return -EINVAL; > > + } > > + } else { > > + warn("Unsupported protocol 0x%hhx (%s) for forwarding rule", > > + new->proto, ipproto_name(new->proto)); > > return -EINVAL; > > }
>

--
David Gibson (he or they)       | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you, not the other way
                                | around.
http://www.ozlabs.org/~dgibson
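
Review bot: In conf.c, the removed die() calls made an invalid forwarding option fatal and named the offending input in the message ('%s' with spec, "-%c %s" with optname and optarg), while the checks that replace them in fwd_rule_add() only warn() and return -EINVAL, and no conf.c line in this diff checks that return value. Please confirm that a rule rejected during command-line parsing still stops startup rather than being logged and skipped, and consider having the caller report the option text alongside the generic warning, since messages such as "IPv4 forward, but IPv4 not enabled" no longer say which option caused them.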
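
Review bot: In the fwd.c hunk, the range test in "if (!new->to || (new->to + new->last - new->first) < new->to)" cannot fire as written, because the uint16_t operands are promoted to int and the sum never wraps. Instead of a cast that depends on truncation, a comparison that cannot overflow, such as "new->last - new->first > UINT16_MAX - new->to", states the intent directly. The same branch also reports "Forwarding rule attempts to map to port 0" both for a zero target and for a target range that runs past 65535; a separate message for the second case would make a rule rejected from a dynamic update client easier to diagnose.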
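
The promotion behaviour discussed in the exchange above, as an added example that is not part of the original thread or of passt. struct rule_ports and the three function names are hypothetical; only the uint16_t field widths are taken from the discussion.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the rule's port fields; only the uint16_t
 * widths come from the thread. */
struct rule_ports {
	uint16_t first, last;	/* source port range, first <= last */
	uint16_t to;		/* first target port */
};

/* Test as posted: operands are promoted to int, the sum never wraps,
 * so this returns false for every valid range. */
static bool wraps_as_posted(const struct rule_ports *r)
{
	return (r->to + r->last - r->first) < r->to;
}

/* Casting the sum back to uint16_t truncates it modulo 65536, which
 * makes the wrap visible. */
static bool wraps_with_cast(const struct rule_ports *r)
{
	return (uint16_t)(r->to + r->last - r->first) < r->to;
}

/* Same result without relying on truncation: compare the range length
 * with the room left above the target port. */
static bool wraps_no_truncation(const struct rule_ports *r)
{
	return r->last - r->first > UINT16_MAX - r->to;
}

int main(void)
{
	/* Constructed sample rules: { first, last, to } */
	const struct rule_ports rules[] = {
		{ 1000, 2000, 60000 },	/* target range 60000-61000: fits */
		{ 1000, 2000, 65000 },	/* target range would end at 66000 */
		{ 1, 2, 65535 },	/* one port too many */
	};

	for (size_t i = 0; i < sizeof(rules) / sizeof(rules[0]); i++)
		printf("to=%u len=%d: posted=%d cast=%d no_trunc=%d\n",
		       (unsigned)rules[i].to, rules[i].last - rules[i].first + 1,
		       wraps_as_posted(&rules[i]), wraps_with_cast(&rules[i]),
		       wraps_no_truncation(&rules[i]));
	return 0;
}
```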