Date: Thu, 28 Nov 2024 20:21:23 -0500
Subject: Re: [PATCH] pasta: make it possible to disable socket splicing
To: passt-dev@passt.top, sbrivio@redhat.com, lvivier@redhat.com, dgibson@redhat.com
References: <20241129004532.2514834-1-jmaloy@redhat.com>
From: Jon Maloy
In-Reply-To: <20241129004532.2514834-1-jmaloy@redhat.com>
List-Id: Development discussion and patches for passt

On 2024-11-28 19:45, Jon Maloy wrote:
> During testing it is sometimes useful to force traffic which would
> normally be forwarded by socket splicing through the tap interface.
>
> In this commit, we add a command switch making it possible to disable
> splicing for inbound local traffic.
>
> For outbound local traffic this seems to be much trickier, so I leave
> that for a possible later commit.

I am looking for more input here. David suggested that I simply don't
re-bind any sockets inwards towards the local namespace, so that all
outbound traffic would use the default route and be forced to go via
the tap interface.
I tried this, and realized it won't work. Outgoing traffic using
INADDR_ANY or loopback address will never be routed via the default
route; if it doesn't find the destination port in the local name space
it will simply return with 'connection refused'.
There is no nice way to force such traffic via the default route, as
far as I understand.
I am even questioning if it is necessary: If the port is bound on the host, the client only needs to use some of the non-loopback addresses on the host to reach it via the tap interface. ///jon > > Suggested-by: David Gibson > Signed-off-by: Jon Maloy > --- > conf.c | 5 +++++ > fwd.c | 2 +- > passt.h | 1 + > 3 files changed, 7 insertions(+), 1 deletion(-) > > diff --git a/conf.c b/conf.c > index eaa7d99..8d58652 100644 > --- a/conf.c > +++ b/conf.c > @@ -890,6 +890,7 @@ static void usage(const char *name, FILE *f, int status) > " --no-ndp Disable NDP responses\n" > " --no-dhcpv6 Disable DHCPv6 server\n" > " --no-ra Disable router advertisements\n" > + " --no-splice Disable outbound socket splicing\n" > " --freebind Bind to any address for forwarding\n" > " --no-map-gw Don't map gateway address to host\n" > " -4, --ipv4-only Enable IPv4 operation only\n" > @@ -1319,6 +1320,7 @@ void conf(struct ctx *c, int argc, char **argv) > {"no-dhcpv6", no_argument, &c->no_dhcpv6, 1 }, > {"no-ndp", no_argument, &c->no_ndp, 1 }, > {"no-ra", no_argument, &c->no_ra, 1 }, > + {"no-splice", no_argument, &c->no_splice, 1 }, > {"freebind", no_argument, &c->freebind, 1 }, > {"no-map-gw", no_argument, &no_map_gw, 1 }, > {"ipv4-only", no_argument, NULL, '4' }, > @@ -1756,6 +1758,9 @@ void conf(struct ctx *c, int argc, char **argv) > } > } while (name != -1); > > + if (c->mode == MODE_PASST) > + c->no_splice = 1; > + > if (c->mode == MODE_PASTA && !c->pasta_conf_ns) { > if (copy_routes_opt) > die("--no-copy-routes needs --config-net"); > diff --git a/fwd.c b/fwd.c > index 0b7f8b1..2829cd2 100644 > --- a/fwd.c > +++ b/fwd.c > @@ -443,7 +443,7 @@ uint8_t fwd_nat_from_host(const struct ctx *c, uint8_t proto, > else if (proto == IPPROTO_UDP) > tgt->eport += c->udp.fwd_in.delta[tgt->eport]; > > - if (c->mode == MODE_PASTA && inany_is_loopback(&ini->eaddr) && > + if (!c->no_splice && inany_is_loopback(&ini->eaddr) && > (proto == IPPROTO_TCP || proto == IPPROTO_UDP)) { > /* spliceable */ 
> > diff --git a/passt.h b/passt.h > index c038630..0271e7c 100644 > --- a/passt.h > +++ b/passt.h > @@ -291,6 +291,7 @@ struct ctx { > int no_dhcpv6; > int no_ndp; > int no_ra; > + int no_splice; > int host_lo_to_ns_lo; > int freebind; >
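Review bot: In the usage() hunk in conf.c the help text reads "Disable outbound socket splicing", but the commit message says the switch disables splicing for inbound local traffic and leaves outbound for a later commit, and the only behavioural change is in fwd_nat_from_host(). The string should say inbound, and since the diffstat touches only conf.c, fwd.c and passt.h, the option is documented nowhere except this one line.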
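Review bot: The assignment `if (c->mode == MODE_PASST) c->no_splice = 1;` added after the option loop in conf() has no comment and gives no_splice two meanings: requested by the user, and not applicable in this mode. A one-line comment stating that splicing only applies in pasta mode would help. As written, --no-splice given in passt mode is accepted silently; if that is not intended, reject it with die() in the same way as the --no-copy-routes check just below.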
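Review bot: In the fwd.c hunk the test `c->mode == MODE_PASTA` in fwd_nat_from_host() is replaced by `!c->no_splice`, so whether passt mode can ever reach the spliceable branch now depends on conf() having set the flag beforehand. Keeping both conditions, `c->mode == MODE_PASTA && !c->no_splice`, keeps that invariant local to the function and makes the MODE_PASST override in conf() unnecessary.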