From: Valtteri Vuorikoski
To: passt-dev@passt.top
Subject: ip_nonlocal_bind causes havoc with local connection detection
Date: Tue, 18 Jul 2023 11:14:14 +0300
List-Id: Development discussion and patches for passt

If net.ipv4.ip_nonlocal_bind is enabled, the following code in tcp_conn_from_tap gets very confused:

    if (!bind(s, sa, sl)) {
        tcp_rst(c, conn); /* Nobody is listening then */
        return;
    }

    if (errno != EADDRNOTAVAIL && errno != EACCES)
        conn_flag(c, conn, LOCAL);

This is especially visible if net.ipv4.ip_unprivileged_port_start is set to a value lower than the default. For example, if net.ipv4.ip_unprivileged_port_start=443 and net.ipv4.ip_nonlocal_bind=1, the bind()==0 branch will be hit for all outgoing connections going to port 443 because bind() succeeds even when "sa" contains the remote address, and pretty much nothing will work.

It might be best to skip the check and marking connections as LOCAL if net.ipv4.ip_nonlocal_bind is enabled? If that doesn't seem reasonable, then maybe show a warning at start and/or just document that the ip_nonlocal_bind setting shouldn't be used with passt?

-Valtteri
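The bind() probe described in the message, reproduced as a stand-alone program. This is an added example, not passt's code and not written by the message author; the functions classify(), ip_nonlocal_bind_enabled() and probe() are hypothetical names chosen here. It reproduces the heuristic quoted above (bind() success means nobody is listening; EADDRNOTAVAIL or EACCES means the address is remote or the port is privileged; any other failure marks the connection LOCAL), reads the real sysctl file /proc/sys/net/ipv4/ip_nonlocal_bind, and implements the message's suggested mitigation of skipping the probe entirely when that sysctl is on, since with it enabled bind() also succeeds for a remote address and every such connection would be reset.

```c
/* Added example: reproduces the bind()-based local-address heuristic and
 * skips it when net.ipv4.ip_nonlocal_bind is enabled. Not passt code. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

enum verdict {
	V_NOBODY_LISTENING, /* bind() succeeded: heuristic would send RST */
	V_LOCAL,            /* bind() failed for another reason: flag LOCAL */
	V_REMOTE,           /* EADDRNOTAVAIL or EACCES: treat as remote */
	V_SKIPPED,          /* probe not run because ip_nonlocal_bind is on */
	V_ERROR,            /* bad address or socket() failure */
};

/* Pure mapping of a bind() result plus errno to the heuristic's verdict,
 * exactly as the quoted snippet decides it. */
static enum verdict classify(int bind_ret, int err)
{
	if (bind_ret == 0)
		return V_NOBODY_LISTENING;
	if (err != EADDRNOTAVAIL && err != EACCES)
		return V_LOCAL;
	return V_REMOTE;
}

/* Read net.ipv4.ip_nonlocal_bind from procfs.
 * Returns 0 or 1, or -1 if the file cannot be read. */
static int ip_nonlocal_bind_enabled(void)
{
	FILE *f = fopen("/proc/sys/net/ipv4/ip_nonlocal_bind", "r");
	int v = -1;

	if (!f)
		return -1;
	if (fscanf(f, "%d", &v) != 1 || (v != 0 && v != 1))
		v = -1;
	fclose(f);
	return v;
}

/* Probe addr:port with a throwaway TCP socket the way the heuristic does.
 * If nonlocal_bind > 0 the probe is meaningless (bind() succeeds for any
 * address), so the suggested mitigation is to skip it and not flag LOCAL. */
static enum verdict probe(const char *addr, uint16_t port, int nonlocal_bind)
{
	struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
	int s, ret, err;

	if (nonlocal_bind > 0)
		return V_SKIPPED;
	if (inet_pton(AF_INET, addr, &sa.sin_addr) != 1)
		return V_ERROR;

	s = socket(AF_INET, SOCK_STREAM, 0);
	if (s < 0)
		return V_ERROR;
	ret = bind(s, (struct sockaddr *)&sa, sizeof(sa));
	err = errno; /* only meaningful when ret != 0 */
	close(s);
	return classify(ret, err);
}

static const char *verdict_name(enum verdict v)
{
	static const char *names[] = { "nobody listening (RST)", "LOCAL",
				       "remote", "skipped", "error" };
	return names[v];
}

int main(void)
{
	int nlb = ip_nonlocal_bind_enabled();
	/* 192.0.2.1 is a documentation address (RFC 5737), never local here. */
	const char *targets[] = { "127.0.0.1", "192.0.2.1" };

	printf("net.ipv4.ip_nonlocal_bind = %d\n", nlb);
	for (unsigned i = 0; i < 2; i++)
		printf("%s:443 -> %s\n", targets[i],
		       verdict_name(probe(targets[i], 443, nlb)));
	return 0;
}
```

Run it as an unprivileged user first with the default sysctls, then with net.ipv4.ip_nonlocal_bind=1 and net.ipv4.ip_unprivileged_port_start=443: in the first run 192.0.2.1:443 reports "remote", in the second the probe is skipped, whereas the unmodified heuristic would have reported "nobody listening (RST)" for the remote address.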