At present, we set up forwarding as we parse the -t, and -u options, not keeping a persistent data structure with all the details. We do have some information in struct fwd_ports, but it doesn't capture all the nuance that the options do. As a first step to generalising our forwarding model, add a table of all the forwarding rules to struct fwd_ports. For now it covers only explicit forwards, not automatic, and we don't do anything with it other than print some additional debug information. We'll do more with it in future patches. Signed-off-by: David Gibson --- conf.c | 80 ++++++++++++++++++++++++++++++------------------- fwd.c | 95 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ fwd.h | 35 +++++++++++++++++++++- 3 files changed, 179 insertions(+), 31 deletions(-) diff --git a/conf.c b/conf.c index c936664b..127e69f5 100644 --- a/conf.c +++ b/conf.c @@ -137,7 +137,7 @@ static int parse_port_range(const char *s, char **endptr, * @last: Last port to forward * @exclude: Bitmap of ports to exclude * @to: Port to translate @first to when forwarding - * @weak: Ignore errors, as long as at least one port is mapped + * @flags: Flags for forwarding entries */ static void conf_ports_range_except(const struct ctx *c, char optname, const char *optarg, struct fwd_ports *fwd, @@ -145,10 +145,11 @@ static void conf_ports_range_except(const struct ctx *c, char optname, const char *ifname, uint16_t first, uint16_t last, const uint8_t *exclude, uint16_t to, - bool weak) + uint8_t flags) { + unsigned delta = to - first; bool bound_one = false; - unsigned i; + unsigned base, i; int fd; if (first == 0) { @@ -172,37 +173,45 @@ static void conf_ports_range_except(const struct ctx *c, char optname, } } - for (i = first; i <= last; i++) { - if (bitmap_isset(exclude, i)) + for (base = first; base <= last; base++) { + if (bitmap_isset(exclude, base)) continue; - if (bitmap_isset(fwd->map, i)) { - warn( -"Altering mapping of already mapped port number: %s", optarg); - } + for (i = base; i <= last; i++) { + if (bitmap_isset(exclude, i)) + break; - bitmap_set(fwd->map, i); - fwd->delta[i] = to - first; + if (bitmap_isset(fwd->map, i)) { + warn( +"Altering mapping of already mapped port number: %s", optarg); + } - if (optname == 't') - fd = tcp_listen(c, PIF_HOST, addr, ifname, i); - else if (optname == 'u') - fd = udp_listen(c, PIF_HOST, addr, ifname, i); - else - /* No way to check in advance for -T and -U */ - fd = 0; + if (optname == 't') + fd = tcp_listen(c, PIF_HOST, addr, ifname, i); + else if (optname == 'u') + fd = udp_listen(c, PIF_HOST, addr, ifname, i); + else + /* No way to check in advance for -T and -U */ + fd = 0; + + if (fd == -ENFILE || fd == -EMFILE) { + die( +"Can't open enough sockets for port specifier: %s", + optarg); + } - if (fd == -ENFILE || fd == -EMFILE) { - die("Can't open enough sockets for port specifier: %s", - optarg); + if (fd >= 0) { + bound_one = true; + } else if (!(flags & FWD_WEAK)) { + die( +"Failed to bind port %u (%s) for option '-%c %s'", + i, strerror_(-fd), optname, optarg); + } } - if (fd >= 0) { - bound_one = true; - } else if (!weak) { - die("Failed to bind port %u (%s) for option '-%c %s'", - i, strerror_(-fd), optname, optarg); - } + fwd_rule_add(fwd, flags, addr, ifname, base, i - 1, + base + delta); + base = i - 1; } if (!bound_one) @@ -272,7 +281,7 @@ static void conf_ports(const struct ctx *c, char optname, const char *optarg, conf_ports_range_except(c, optname, optarg, fwd, NULL, NULL, 1, NUM_PORTS - 1, exclude, - 1, true); + 1, FWD_WEAK); return; } @@ -357,7 +366,7 @@ static void conf_ports(const struct ctx *c, char optname, const char *optarg, conf_ports_range_except(c, optname, optarg, fwd, addr, ifname, 1, NUM_PORTS - 1, exclude, - 1, true); + 1, FWD_WEAK); return; } @@ -390,7 +399,7 @@ static void conf_ports(const struct ctx *c, char optname, const char *optarg, addr, ifname, orig_range.first, orig_range.last, exclude, - mapped_range.first, false); + mapped_range.first, 0); } while ((p = next_chunk(p, ','))); return; @@ -1225,6 +1234,17 @@ dns6: info(" %s", c->dns_search[i].n); } } + + info("Inbound TCP forwarding:"); + fwd_rules_print(&c->tcp.fwd_in); + info("Inbound UDP forwarding:"); + fwd_rules_print(&c->udp.fwd_in); + if (c->mode == MODE_PASTA) { + info("Outbound TCP forwarding:"); + fwd_rules_print(&c->tcp.fwd_out); + info("Outbound UDP forwarding:"); + fwd_rules_print(&c->udp.fwd_out); + } } /** diff --git a/fwd.c b/fwd.c index 961c533f..ad398e54 100644 --- a/fwd.c +++ b/fwd.c @@ -13,6 +13,7 @@ * Author: David Gibson */ +#include #include #include #include @@ -22,6 +23,8 @@ #include "util.h" #include "ip.h" +#include "siphash.h" +#include "inany.h" #include "fwd.h" #include "passt.h" #include "lineread.h" @@ -300,6 +303,19 @@ parse_err: warn("Unable to parse %s", PORT_RANGE_SYSCTL); } +/** + * fwd_rule_addr() - Return match address for a rule + * @rule: Forwarding rule + * + * Return: Rule's match address, or NULL, if it matches any address + */ +static const union inany_addr *fwd_rule_addr(const struct fwd_rule *rule) +{ + if (rule->flags & FWD_DUAL_STACK_ANY) + return NULL; + return &rule->addr; +} + /** * fwd_port_is_ephemeral() - Is port number ephemeral? * @port: Port number @@ -313,6 +329,85 @@ bool fwd_port_is_ephemeral(in_port_t port) return (port >= fwd_ephemeral_min) && (port <= fwd_ephemeral_max); } +/** + * fwd_rule_add() - Add a rule to a forwarding table + * @fwd: Table to add to + * @flags: Flags for this entry + * @addr: Our address to forward (NULL for both 0.0.0.0 and ::) + * @ifname: Only forward from this interface name, if non-empty + * @first: First port number to forward + * @last: Last port number to forward + * @to: First port of target port range to map to + */ +void fwd_rule_add(struct fwd_ports *fwd, uint8_t flags, + const union inany_addr *addr, const char *ifname, + in_port_t first, in_port_t last, in_port_t to) +{ + /* Flags which can be set from the caller */ + const uint8_t allowed_flags = FWD_WEAK; + struct fwd_rule *new; + unsigned port; + + ASSERT(!(flags & ~allowed_flags)); + + if (fwd->count >= ARRAY_SIZE(fwd->rules)) + die("Too many port forwarding ranges"); + + new = &fwd->rules[fwd->count++]; + new->flags = flags; + + if (addr) { + new->addr = *addr; + } else { + new->addr = inany_any6; + new->flags |= FWD_DUAL_STACK_ANY; + } + + memset(new->ifname, 0, sizeof(new->ifname)); + if (ifname) + strncpy(new->ifname, ifname, sizeof(new->ifname)); + + ASSERT(first <= last); + new->first = first; + new->last = last; + + new->to = to; + + for (port = new->first; port <= new->last; port++) { + /* Fill in the legacy data structures to match the table */ + bitmap_set(fwd->map, port); + fwd->delta[port] = new->to - new->first; + } +} + +/** + * fwd_rules_print() - Print forwarding rules for debugging + * @fwd: Table to print + */ +void fwd_rules_print(const struct fwd_ports *fwd) +{ + unsigned i; + + for (i = 0; i < fwd->count; i++) { + const struct fwd_rule *rule = &fwd->rules[i]; + const char *weak = rule->flags & FWD_WEAK ? " WEAK" : ""; + const char *percent = *rule->ifname ? "%" : ""; + char addr[INANY_ADDRSTRLEN]; + + inany_ntop(fwd_rule_addr(rule), addr, sizeof(addr)); + + if (rule->first == rule->last) { + info(" [%s]%s%s:%hu => %hu %s", + addr, percent, rule->ifname, + rule->first, rule->to, weak); + } else { + info(" [%s]%s%s:%hu-%hu => %hu-%hu %s", + addr, percent, rule->ifname, rule->first, rule->last, + rule->to, rule->last - rule->first + rule->to, weak); + } + } +} + /* See enum in kernel's include/net/tcp_states.h */ #define UDP_LISTEN 0x07 #define TCP_LISTEN 0x0a diff --git a/fwd.h b/fwd.h index 934bab33..3dfc7959 100644 --- a/fwd.h +++ b/fwd.h @@ -16,6 +16,30 @@ struct flowside; void fwd_probe_ephemeral(void); bool fwd_port_is_ephemeral(in_port_t port); +/** + * struct fwd_rule - Forwarding rule governing a range of ports + * @addr: Address to forward from + * @ifname: Interface to forward from + * @first: First port number to forward + * @last: Last port number to forward + * @to: Port number to forward port @first to. + * @flags: Flag mask + * FWD_DUAL_STACK_ANY - match any IPv4 or IPv6 address (@addr should be ::) + * FWD_WEAK - Don't give an error if binds fail for some forwards + * + * FIXME: @addr and @ifname currently ignored for outbound tables + */ +struct fwd_rule { + union inany_addr addr; + char ifname[IFNAMSIZ]; + in_port_t first, last, to; +#define FWD_DUAL_STACK_ANY BIT(0) +#define FWD_WEAK BIT(1) + uint8_t flags; +}; + +#define MAX_FWD_RULES 128 + /** * union fwd_listen_ref - information about a single listening socket * @port: Bound port number of the socket @@ -44,6 +68,8 @@ enum fwd_ports_mode { * @mode: Overall forwarding mode (all, none, auto, specific ports) * @scan4: /proc/net fd to scan for IPv4 ports when in AUTO mode * @scan6: /proc/net fd to scan for IPv6 ports when in AUTO mode + * @count: Number of forwarding rules + * @rules: Array of forwarding rules * @map: Bitmap describing which ports are forwarded * @delta: Offset between the original destination and mapped port number */ @@ -51,14 +77,21 @@ struct fwd_ports { enum fwd_ports_mode mode; int scan4; int scan6; + unsigned count; + struct fwd_rule rules[MAX_FWD_RULES]; uint8_t map[PORT_BITMAP_SIZE]; in_port_t delta[NUM_PORTS]; }; #define FWD_PORT_SCAN_INTERVAL 1000 /* ms */ +void fwd_rule_add(struct fwd_ports *fwd, uint8_t flags, + const union inany_addr *addr, const char *ifname, + in_port_t first, in_port_t last, in_port_t to); +void fwd_rules_print(const struct fwd_ports *fwd); + void fwd_scan_ports_init(struct ctx *c); -void fwd_scan_ports_timer(struct ctx *c, const struct timespec *now); +void fwd_scan_ports_timer(struct ctx * c, const struct timespec *now); bool nat_inbound(const struct ctx *c, const union inany_addr *addr, union inany_addr *translated); -- 2.52.0

Currently the forwarding table records details of explicit port forwards, but nothing for -[tTuU] auto. That looks a little odd on the debug output, and will be a problem for future changes. Extend the forward table to have rules for auto-scanned forwards, using a new FWD_SCAN flag. For now the mechanism of auto port forwarding isn't updated, and we will only create a single FWD_SCAN rule per protocol and direction. We'll better integrate auto scanning with other forward table mechanics in future. Signed-off-by: David Gibson --- conf.c | 31 ++++++++++++++++++++++++++----- fwd.c | 18 +++++++++++------- fwd.h | 2 ++ 3 files changed, 39 insertions(+), 12 deletions(-) diff --git a/conf.c b/conf.c index b486fefe..0bcf80d7 100644 --- a/conf.c +++ b/conf.c @@ -135,7 +135,7 @@ static int parse_port_range(const char *s, char **endptr, * @ifname: Listening interface * @first: First port to forward * @last: Last port to forward - * @exclude: Bitmap of ports to exclude + * @exclude: Bitmap of ports to exclude (may be NULL) * @to: Port to translate @first to when forwarding * @flags: Flags for forwarding entries */ @@ -168,11 +168,11 @@ static void conf_ports_range_except(const struct ctx *c, char optname, } for (base = first; base <= last; base++) { - if (bitmap_isset(exclude, base)) + if (exclude && bitmap_isset(exclude, base)) continue; for (i = base; i <= last; i++) { - if (bitmap_isset(exclude, i)) + if (exclude && bitmap_isset(exclude, i)) break; if (bitmap_isset(fwd->map, i)) { @@ -180,9 +180,9 @@ static void conf_ports_range_except(const struct ctx *c, char optname, "Altering mapping of already mapped port number: %s", optarg); } - if (optname == 't') + if (!(flags & FWD_SCAN) && optname == 't') fd = tcp_listen(c, PIF_HOST, addr, ifname, i); - else if (optname == 'u') + else if (!(flags & FWD_SCAN) && optname == 'u') fd = udp_listen(c, PIF_HOST, addr, ifname, i); else /* No way to check in advance for -T and -U */ @@ -2202,6 +2202,27 @@ void conf(struct ctx *c, int argc, char **argv) if (!c->udp.fwd_out.mode) c->udp.fwd_out.mode = fwd_default; + if (c->tcp.fwd_in.mode == FWD_AUTO) { + conf_ports_range_except(c, 't', "auto", &c->tcp.fwd_in, + NULL, NULL, 1, NUM_PORTS - 1, + NULL, 1, FWD_SCAN); + } + if (c->tcp.fwd_out.mode == FWD_AUTO) { + conf_ports_range_except(c, 'T', "auto", &c->tcp.fwd_out, + NULL, "lo", 1, NUM_PORTS - 1, + NULL, 1, FWD_SCAN); + } + if (c->udp.fwd_in.mode == FWD_AUTO) { + conf_ports_range_except(c, 'u', "auto", &c->udp.fwd_in, + NULL, NULL, 1, NUM_PORTS - 1, + NULL, 1, FWD_SCAN); + } + if (c->udp.fwd_out.mode == FWD_AUTO) { + conf_ports_range_except(c, 'U', "auto", &c->udp.fwd_out, + NULL, "lo", 1, NUM_PORTS - 1, + NULL, 1, FWD_SCAN); + } + if (!c->quiet) conf_print(c); } diff --git a/fwd.c b/fwd.c index ad398e54..69aca441 100644 --- a/fwd.c +++ b/fwd.c @@ -344,7 +344,7 @@ void fwd_rule_add(struct fwd_ports *fwd, uint8_t flags, in_port_t first, in_port_t last, in_port_t to) { /* Flags which can be set from the caller */ - const uint8_t allowed_flags = FWD_WEAK; + const uint8_t allowed_flags = FWD_WEAK | FWD_SCAN; struct fwd_rule *new; unsigned port; @@ -375,7 +375,8 @@ void fwd_rule_add(struct fwd_ports *fwd, uint8_t flags, for (port = new->first; port <= new->last; port++) { /* Fill in the legacy data structures to match the table */ - bitmap_set(fwd->map, port); + if (!(new->flags & FWD_SCAN)) + bitmap_set(fwd->map, port); fwd->delta[port] = new->to - new->first; } } @@ -391,19 +392,22 @@ void fwd_rules_print(const struct fwd_ports *fwd) for (i = 0; i < fwd->count; i++) { const struct fwd_rule *rule = &fwd->rules[i]; const char *weak = rule->flags & FWD_WEAK ? " WEAK" : ""; + const char *scan = rule->flags & FWD_SCAN ? " AUTO" : ""; const char *percent = *rule->ifname ? "%" : ""; char addr[INANY_ADDRSTRLEN]; inany_ntop(fwd_rule_addr(rule), addr, sizeof(addr)); if (rule->first == rule->last) { - info(" [%s]%s%s:%hu => %hu %s", + info(" [%s]%s%s:%hu => %hu %s%s", addr, percent, rule->ifname, - rule->first, rule->to, weak); + rule->first, rule->to, weak, scan); } else { - info(" [%s]%s%s:%hu-%hu => %hu-%hu %s", - addr, percent, rule->ifname, rule->first, rule->last, - rule->to, rule->last - rule->first + rule->to, weak); + info(" [%s]%s%s:%hu-%hu => %hu-%hu %s%s", + addr, percent, rule->ifname, + rule->first, rule->last, + rule->to, rule->last - rule->first + rule->to, + weak, scan); } } } diff --git a/fwd.h b/fwd.h index 3dfc7959..94869c2a 100644 --- a/fwd.h +++ b/fwd.h @@ -26,6 +26,7 @@ bool fwd_port_is_ephemeral(in_port_t port); * @flags: Flag mask * FWD_DUAL_STACK_ANY - match any IPv4 or IPv6 address (@addr should be ::) * FWD_WEAK - Don't give an error if binds fail for some forwards + * FWD_SCAN - Only forward if we scan a listener on the target * * FIXME: @addr and @ifname currently ignored for outbound tables */ @@ -35,6 +36,7 @@ struct fwd_rule { in_port_t first, last, to; #define FWD_DUAL_STACK_ANY BIT(0) #define FWD_WEAK BIT(1) +#define FWD_SCAN BIT(2) uint8_t flags; }; -- 2.52.0

Now that we've moved listening socket management to the new forwarding table data structure, the existing arrays of socket fds are maintained, but never consulted. Remove them. Signed-off-by: David Gibson --- conf.c | 1 - tcp.c | 24 ------------------------ udp.c | 30 ------------------------------ udp.h | 1 - 4 files changed, 56 deletions(-) diff --git a/conf.c b/conf.c index 57693b3f..725cf88b 100644 --- a/conf.c +++ b/conf.c @@ -2063,7 +2063,6 @@ void conf(struct ctx *c, int argc, char **argv) * settings */ fwd_probe_ephemeral(); - udp_portmap_clear(); optind = 0; do { name = getopt_long(argc, argv, optstring, options, NULL); diff --git a/tcp.c b/tcp.c index 976f0ab7..e9b440da 100644 --- a/tcp.c +++ b/tcp.c @@ -414,10 +414,6 @@ static const char *tcp_flag_str[] __attribute((__unused__)) = { "ACK_FROM_TAP_DUE", "ACK_FROM_TAP_BLOCKS", "SYN_RETRIED", }; -/* Listening sockets, used for automatic port forwarding in pasta mode only */ -static int tcp_sock_init_ext [NUM_PORTS][IP_VERSIONS]; -static int tcp_sock_ns [NUM_PORTS][IP_VERSIONS]; - /* Table of our guest side addresses with very low RTT (assumed to be local to * the host), LRU */ @@ -2689,8 +2685,6 @@ int tcp_listen(const struct ctx *c, uint8_t pif, .port = port, .pif = pif, }; - const struct fwd_ports *fwd; - int (*socks)[IP_VERSIONS]; int s; ASSERT(!c->no_tcp); @@ -2710,25 +2704,9 @@ int tcp_listen(const struct ctx *c, uint8_t pif, return -EACCES; } - if (pif == PIF_HOST) { - fwd = &c->tcp.fwd_in; - socks = tcp_sock_init_ext; - } else { - ASSERT(pif == PIF_SPLICE); - fwd = &c->tcp.fwd_out; - socks = tcp_sock_ns; - } - s = pif_sock_l4(c, EPOLL_TYPE_TCP_LISTEN, pif, addr, ifname, port, ref.u32); - if (fwd->mode == FWD_AUTO) { - if (!addr || inany_v4(addr)) - socks[port][V4] = s < 0 ? -1 : s; - if (!addr || !inany_v4(addr)) - socks[port][V6] = s < 0 ? -1 : s; - } - return s; } @@ -2870,8 +2848,6 @@ int tcp_init(struct ctx *c) memset(init_sock_pool4, 0xff, sizeof(init_sock_pool4)); memset(init_sock_pool6, 0xff, sizeof(init_sock_pool6)); - memset(tcp_sock_init_ext, 0xff, sizeof(tcp_sock_init_ext)); - memset(tcp_sock_ns, 0xff, sizeof(tcp_sock_ns)); tcp_sock_refill_init(c); diff --git a/udp.c b/udp.c index 7c5546df..92a87198 100644 --- a/udp.c +++ b/udp.c @@ -124,10 +124,6 @@ - sizeof(struct udphdr) \ - sizeof(struct ipv6hdr)) -/* "Spliced" sockets indexed by bound port (host order) */ -static int udp_splice_ns [IP_VERSIONS][NUM_PORTS]; -static int udp_splice_init[IP_VERSIONS][NUM_PORTS]; - /* Static buffers */ /* UDP header and data for inbound messages */ @@ -193,19 +189,6 @@ static struct mmsghdr udp_mh_splice [UDP_MAX_FRAMES]; /* IOVs for L2 frames */ static struct iovec udp_l2_iov [UDP_MAX_FRAMES][UDP_NUM_IOVS]; -/** - * udp_portmap_clear() - Clear UDP port map before configuration - */ -void udp_portmap_clear(void) -{ - unsigned i; - - for (i = 0; i < NUM_PORTS; i++) { - udp_splice_ns[V4][i] = udp_splice_ns[V6][i] = -1; - udp_splice_init[V4][i] = udp_splice_init[V6][i] = -1; - } -} - /** * udp_update_l2_buf() - Update L2 buffers with Ethernet and IPv4 addresses * @eth_d: Ethernet destination address, NULL if unchanged @@ -1145,18 +1128,10 @@ int udp_listen(const struct ctx *c, uint8_t pif, .pif = pif, .port = port, }; - int (*socks)[NUM_PORTS]; int s; ASSERT(!c->no_udp); - if (pif == PIF_HOST) { - socks = udp_splice_init; - } else { - ASSERT(pif == PIF_SPLICE); - socks = udp_splice_ns; - } - if (!c->ifi4) { if (!addr) /* Restrict to v6 only */ @@ -1175,11 +1150,6 @@ int udp_listen(const struct ctx *c, uint8_t pif, s = pif_sock_l4(c, EPOLL_TYPE_UDP_LISTEN, pif, addr, ifname, port, ref.u32); - if (!addr || inany_v4(addr)) - socks[V4][port] = s < 0 ? -1 : s; - if (!addr || !inany_v4(addr)) - socks[V6][port] = s < 0 ? -1 : s; - return s; } diff --git a/udp.h b/udp.h index 73efe036..3c6f90a9 100644 --- a/udp.h +++ b/udp.h @@ -6,7 +6,6 @@ #ifndef UDP_H #define UDP_H -void udp_portmap_clear(void); void udp_listen_sock_handler(const struct ctx *c, union epoll_ref ref, uint32_t events, const struct timespec *now); void udp_sock_handler(const struct ctx *c, union epoll_ref ref, -- 2.52.0

When auto-forwarding based on port scans, we must exclude our own listening ports, to avoid circular forwards. Currently we use the (previous value of the) forwarding bitmaps for the reverse direction to determine that. Instead, generate it from the tables of listening sockets that we now maintain. For now this seems like a lot more work to get to the same place. However, it does mean we're basing our exclusions directly on the relevant information: which of the scanned listens belong to us. More importantly, it's a step towards removing the bitmaps entirely. Signed-off-by: David Gibson --- fwd.c | 30 ++++++++++++++++++++++++++---- 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/fwd.c b/fwd.c index 5208155b..3f088fd2 100644 --- a/fwd.c +++ b/fwd.c @@ -680,6 +680,28 @@ static void fwd_scan_ports_udp(struct fwd_ports *fwd, bitmap_and_not(fwd->map, PORT_BITMAP_SIZE, fwd->map, exclude); } +/** + * current_listen_map() - Get bitmap of which ports we're already listening on + * @map: Bitmap to populate + * @fwd: Forwarding table to consider + */ +static void current_listen_map(uint8_t *map, const struct fwd_ports *fwd) +{ + unsigned i; + + memset(map, 0, PORT_BITMAP_SIZE); + + for (i = 0; i < fwd->count; i++) { + const struct fwd_rule *rule = &fwd->rules[i]; + unsigned port; + + for (port = rule->first; port <= rule->last; port++) { + if (rule->socks[port - rule->first] >= 0) + bitmap_set(map, port); + } + } +} + /** * fwd_scan_ports() - Scan automatic port forwarding information * @c: Execution context @@ -689,10 +711,10 @@ static void fwd_scan_ports(struct ctx *c) uint8_t excl_tcp_out[PORT_BITMAP_SIZE], excl_udp_out[PORT_BITMAP_SIZE]; uint8_t excl_tcp_in[PORT_BITMAP_SIZE], excl_udp_in[PORT_BITMAP_SIZE]; - memcpy(excl_tcp_out, c->tcp.fwd_in.map, sizeof(excl_tcp_out)); - memcpy(excl_tcp_in, c->tcp.fwd_out.map, sizeof(excl_tcp_in)); - memcpy(excl_udp_out, c->udp.fwd_in.map, sizeof(excl_udp_out)); - memcpy(excl_udp_in, c->udp.fwd_out.map, sizeof(excl_udp_in)); + current_listen_map(excl_tcp_out, &c->tcp.fwd_in); + current_listen_map(excl_tcp_in, &c->tcp.fwd_out); + current_listen_map(excl_udp_out, &c->udp.fwd_in); + current_listen_map(excl_udp_in, &c->udp.fwd_out); fwd_scan_ports_tcp(&c->tcp.fwd_out, excl_tcp_out); fwd_scan_ports_tcp(&c->tcp.fwd_in, excl_tcp_in); -- 2.52.0

It's possible for a user to supply conflicting forwarding parameters, e.g. $ pasta -t 80:8080 -t 127.0.0.1/80:8888 We give a warning in this case, but it's based on the legacy forwarding bitmaps. This is too strict, because it will also warn on cases that shouldn't conflict because they use different addresses, e.g. $ pasta -t 192.0.2.1/80:8080 127.0.0.1/80:8888 Theoretically, it's also too loose because it won't take into account auto-scan forwarding rules. We can't hit that in practice now, because we only ever have one auto-scan rule and nothing else, but we want to remove that restriction in future. Replace the bitmap based check with a check based on actually scanning the forwarding rules for conflicts. Signed-off-by: David Gibson --- conf.c | 5 ----- fwd.c | 21 ++++++++++++++++++++- inany.c | 19 +++++++++++++++++++ inany.h | 1 + 4 files changed, 40 insertions(+), 6 deletions(-) diff --git a/conf.c b/conf.c index 725cf88b..e8d6d5d9 100644 --- a/conf.c +++ b/conf.c @@ -172,11 +172,6 @@ static void conf_ports_range_except(const struct ctx *c, char optname, for (i = base; i <= last; i++) { if (exclude && bitmap_isset(exclude, i)) break; - - if (bitmap_isset(fwd->map, i)) { - warn( -"Altering mapping of already mapped port number: %s", optarg); - } } if ((optname == 'T' || optname == 'U') && c->no_bindtodevice) { diff --git a/fwd.c b/fwd.c index 70ef73a3..5208155b 100644 --- a/fwd.c +++ b/fwd.c @@ -348,7 +348,7 @@ void fwd_rule_add(struct fwd_ports *fwd, uint8_t flags, const uint8_t allowed_flags = FWD_WEAK | FWD_SCAN; unsigned num = (unsigned)last - first + 1; struct fwd_rule *new; - unsigned port; + unsigned i, port; ASSERT(!(flags & ~allowed_flags)); @@ -357,6 +357,25 @@ void fwd_rule_add(struct fwd_ports *fwd, uint8_t flags, if ((fwd->listen_sock_count + num) > ARRAY_SIZE(fwd->listen_socks)) die("Too many listening sockets"); + /* Check for any conflicting entries */ + for (i = 0; i < fwd->count; i++) { + char newstr[INANY_ADDRSTRLEN], rulestr[INANY_ADDRSTRLEN]; + struct fwd_rule *rule = &fwd->rules[i]; + + if (!inany_matches(addr, fwd_rule_addr(rule))) + /* Non-conflicting addresses */ + continue; + + if (last < rule->first || rule->last < first) + /* Port ranges don't overlap */ + continue; + + die("Forwarding configuration conflict: %s/%u-%u versus %s/%u-%u", + inany_ntop(addr, newstr, sizeof(newstr)), first, last, + inany_ntop(fwd_rule_addr(rule), rulestr, sizeof(rulestr)), + rule->first, rule->last); + } + new = &fwd->rules[fwd->count++]; new->flags = flags; diff --git a/inany.c b/inany.c index 87a4d8b6..a8c44237 100644 --- a/inany.c +++ b/inany.c @@ -21,6 +21,25 @@ const union inany_addr inany_loopback4 = INANY_INIT4(IN4ADDR_LOOPBACK_INIT); const union inany_addr inany_any4 = INANY_INIT4(IN4ADDR_ANY_INIT); +/** inany_matches - Do two addresses match + * @a, @b: IPv[46] addresses (NULL for 0.0.0.0 & ::) + * + * Return: true if they match, false otherwise + * + * Addresses match themselves, but also with unspecified addresses of the same + * family. + */ +bool inany_matches(const union inany_addr *a, const union inany_addr *b) +{ + if (!a || !b) + return true; + + if (inany_is_unspecified(a) || inany_is_unspecified(b)) + return !!inany_v4(a) == !!inany_v4(b); + + return inany_equals(a, b); +} + /** inany_ntop - Convert an IPv[46] address to text format * @src: IPv[46] address (NULL for unspecified) * @dst: output buffer, minimum INANY_ADDRSTRLEN bytes diff --git a/inany.h b/inany.h index 61b36fb4..b02c2891 100644 --- a/inany.h +++ b/inany.h @@ -293,6 +293,7 @@ static inline void inany_siphash_feed(struct siphash_state *state, #define INANY_ADDRSTRLEN MAX(INET_ADDRSTRLEN, INET6_ADDRSTRLEN) +bool inany_matches(const union inany_addr *a, const union inany_addr *b); const char *inany_ntop(const union inany_addr *src, char *dst, socklen_t size); int inany_pton(const char *src, union inany_addr *dst); -- 2.52.0

Currently we remap port numbers based on the legacy delta[] array, which is indexed only by original port number, not the listening address. Now that we look up a forwarding rule entry in flow_target(), we can use this entry to directly determine the correct remapped port. Implement this, and remove the old delta[] array. Link: https://bugs.passt.top/show_bug.cgi?id=187 Signed-off-by: David Gibson --- flow.c | 7 ++++--- fwd.c | 21 +++++++-------------- fwd.h | 7 +++---- 3 files changed, 14 insertions(+), 21 deletions(-) diff --git a/flow.c b/flow.c index 045e9712..38f88732 100644 --- a/flow.c +++ b/flow.c @@ -493,6 +493,7 @@ struct flowside *flow_target(const struct ctx *c, union flow *flow, struct flow_common *f = &flow->f; const struct flowside *ini = &f->side[INISIDE]; struct flowside *tgt = &f->side[TGTSIDE]; + const struct fwd_rule *rule = NULL; uint8_t tgtpif = PIF_NONE; ASSERT(flow_new_entry == flow && f->state == FLOW_STATE_INI); @@ -514,7 +515,7 @@ struct flowside *flow_target(const struct ctx *c, union flow *flow, else goto nofwd; - if (!fwd_rule_search(fwd, ini)) { + if (!(rule = fwd_rule_search(fwd, ini))) { /* This shouldn't happen, because if there's no rule for * it we should have no listening socket that would let * us get here @@ -531,11 +532,11 @@ struct flowside *flow_target(const struct ctx *c, union flow *flow, break; case PIF_SPLICE: - tgtpif = fwd_nat_from_splice(c, proto, ini, tgt); + tgtpif = fwd_nat_from_splice(rule, proto, ini, tgt); break; case PIF_HOST: - tgtpif = fwd_nat_from_host(c, proto, ini, tgt); + tgtpif = fwd_nat_from_host(c, rule, proto, ini, tgt); fwd_neigh_mac_get(c, &tgt->oaddr, f->tap_omac); break; default: diff --git a/fwd.c b/fwd.c index 633ba5db..7c4575ff 100644 --- a/fwd.c +++ b/fwd.c @@ -405,7 +405,6 @@ void fwd_rule_add(struct fwd_ports *fwd, uint8_t flags, /* Fill in the legacy forwarding data structures to match the table */ if (!(new->flags & FWD_SCAN)) bitmap_set(fwd->map, port); - fwd->delta[port] = new->to - new->first; } } @@ -978,7 +977,7 @@ uint8_t fwd_nat_from_tap(const struct ctx *c, uint8_t proto, /** * fwd_nat_from_splice() - Determine to forward a flow from the splice interface - * @c: Execution context + * @rule: Forwarding rule to apply * @proto: Protocol (IP L4 protocol number) * @ini: Flow address information of the initiating side * @tgt: Flow address information on the target side (updated) @@ -986,7 +985,7 @@ uint8_t fwd_nat_from_tap(const struct ctx *c, uint8_t proto, * Return: pif of the target interface to forward the flow to, PIF_NONE if the * flow cannot or should not be forwarded at all. */ -uint8_t fwd_nat_from_splice(const struct ctx *c, uint8_t proto, +uint8_t fwd_nat_from_splice(const struct fwd_rule *rule, uint8_t proto, const struct flowside *ini, struct flowside *tgt) { if (!inany_is_loopback(&ini->eaddr) || @@ -1010,11 +1009,7 @@ uint8_t fwd_nat_from_splice(const struct ctx *c, uint8_t proto, /* But for UDP preserve the source port */ tgt->oport = ini->eport; - tgt->eport = ini->oport; - if (proto == IPPROTO_TCP) - tgt->eport += c->tcp.fwd_out.delta[tgt->eport]; - else if (proto == IPPROTO_UDP) - tgt->eport += c->udp.fwd_out.delta[tgt->eport]; + tgt->eport = ini->oport - rule->first + rule->to; return PIF_HOST; } @@ -1058,6 +1053,7 @@ bool nat_inbound(const struct ctx *c, const union inany_addr *addr, /** * fwd_nat_from_host() - Determine to forward a flow from the host interface * @c: Execution context + * @rule: Forwarding rule to apply * @proto: Protocol (IP L4 protocol number) * @ini: Flow address information of the initiating side * @tgt: Flow address information on the target side (updated) @@ -1065,15 +1061,12 @@ bool nat_inbound(const struct ctx *c, const union inany_addr *addr, * Return: pif of the target interface to forward the flow to, PIF_NONE if the * flow cannot or should not be forwarded at all. */ -uint8_t fwd_nat_from_host(const struct ctx *c, uint8_t proto, +uint8_t fwd_nat_from_host(const struct ctx *c, + const struct fwd_rule *rule, uint8_t proto, const struct flowside *ini, struct flowside *tgt) { /* Common for spliced and non-spliced cases */ - tgt->eport = ini->oport; - if (proto == IPPROTO_TCP) - tgt->eport += c->tcp.fwd_in.delta[tgt->eport]; - else if (proto == IPPROTO_UDP) - tgt->eport += c->udp.fwd_in.delta[tgt->eport]; + tgt->eport = ini->oport - rule->first + rule->to; if (!c->no_splice && inany_is_loopback(&ini->eaddr) && (proto == IPPROTO_TCP || proto == IPPROTO_UDP)) { diff --git a/fwd.h b/fwd.h index a10bdbb4..cfe9ed46 100644 --- a/fwd.h +++ b/fwd.h @@ -82,7 +82,6 @@ enum fwd_ports_mode { * @count: Number of forwarding rules * @rules: Array of forwarding rules * @map: Bitmap describing which ports are forwarded - * @delta: Offset between the original destination and mapped port number * @listen_sock_count: Number of entries used in @listen_socks * @listen_socks: Listening sockets for forwarding */ @@ -93,7 +92,6 @@ struct fwd_ports { unsigned count; struct fwd_rule rules[MAX_FWD_RULES]; uint8_t map[PORT_BITMAP_SIZE]; - in_port_t delta[NUM_PORTS]; unsigned listen_sock_count; int listen_socks[MAX_LISTEN_SOCKS]; }; @@ -117,9 +115,10 @@ bool nat_inbound(const struct ctx *c, const union inany_addr *addr, union inany_addr *translated); uint8_t fwd_nat_from_tap(const struct ctx *c, uint8_t proto, const struct flowside *ini, struct flowside *tgt); -uint8_t fwd_nat_from_splice(const struct ctx *c, uint8_t proto, +uint8_t fwd_nat_from_splice(const struct fwd_rule *rule, uint8_t proto, const struct flowside *ini, struct flowside *tgt); -uint8_t fwd_nat_from_host(const struct ctx *c, uint8_t proto, +uint8_t fwd_nat_from_host(const struct ctx *c, + const struct fwd_rule *rule, uint8_t proto, const struct flowside *ini, struct flowside *tgt); void fwd_neigh_table_update(const struct ctx *c, const union inany_addr *addr, const uint8_t *mac, bool permanent); -- 2.52.0

Now that listening sockets include a reference to the forwarding rule which created them we can, in many cases, avoid a linear search of the forwarding table when we want to find the relevant rule. Instead we can take the rule index from the socket's epoll reference, and use that to immediately find the correct rule. This is conceptually simple, but requires a moderate amount of plumbing to get the index from the reference through to the rule lookup. We still allow fall back to linear search if we don't have the index, and this may (rarely) be used in the udp_flush_flow() case, where we could get packets for one flow on a different flow's socket, rather than through a listening socket as usual. Signed-off-by: David Gibson --- flow.c | 13 +++++++++++-- flow_table.h | 2 +- fwd.c | 3 +-- fwd.h | 1 + icmp.c | 2 +- tcp.c | 4 ++-- udp.c | 14 +++++++++----- udp_flow.c | 14 ++++++++------ udp_flow.h | 2 +- udp_internal.h | 4 ++-- 10 files changed, 37 insertions(+), 22 deletions(-) diff --git a/flow.c b/flow.c index 38f88732..85759970 100644 --- a/flow.c +++ b/flow.c @@ -482,12 +482,13 @@ struct flowside *flow_initiate_sa(union flow *flow, uint8_t pif, * flow_target() - Determine where flow should forward to, and move to TGT * @c: Execution context * @flow: Flow to forward + * @rule_hint: Index of relevant forwarding rule, or -1 if unknown * @proto: Protocol * * Return: pointer to the target flowside information */ struct flowside *flow_target(const struct ctx *c, union flow *flow, - uint8_t proto) + int rule_hint, uint8_t proto) { char estr[INANY_ADDRSTRLEN], ostr[INANY_ADDRSTRLEN]; struct flow_common *f = &flow->f; @@ -515,7 +516,15 @@ struct flowside *flow_target(const struct ctx *c, union flow *flow, else goto nofwd; - if (!(rule = fwd_rule_search(fwd, ini))) { + if (rule_hint >= 0) { + ASSERT((unsigned)rule_hint < fwd->count); + rule = &fwd->rules[rule_hint]; + if (!fwd_rule_match(rule, ini)) { + flow_dbg(flow, + "Unexpected mismatching forward rule"); + goto nofwd; + } + } else if (!(rule = fwd_rule_search(fwd, ini))) { /* This shouldn't happen, because if there's no rule for * it we should have no listening socket that would let * us get here diff --git a/flow_table.h b/flow_table.h index 5ee13acc..73de13ba 100644 --- a/flow_table.h +++ b/flow_table.h @@ -207,7 +207,7 @@ const struct flowside *flow_target_af(union flow *flow, uint8_t pif, const void *saddr, in_port_t sport, const void *daddr, in_port_t dport); struct flowside *flow_target(const struct ctx *c, union flow *flow, - uint8_t proto); + int rule_hint, uint8_t proto); union flow *flow_set_type(union flow *flow, enum flow_type type); #define FLOW_SET_TYPE(flow_, t_, var_) (&flow_set_type((flow_), (t_))->var_) diff --git a/fwd.c b/fwd.c index 6727d26f..250b470c 100644 --- a/fwd.c +++ b/fwd.c @@ -415,8 +415,7 @@ void fwd_rule_add(struct fwd_ports *fwd, uint8_t flags, * * Returns: true if the rule applies to the flow, false otherwise */ -static bool fwd_rule_match(const struct fwd_rule *rule, - const struct flowside *ini) +bool fwd_rule_match(const struct fwd_rule *rule, const struct flowside *ini) { return inany_matches(&ini->oaddr, fwd_rule_addr(rule)) && ini->oport >= rule->first && ini->oport <= rule->last; diff --git a/fwd.h b/fwd.h index 435f422a..2af7791d 100644 --- a/fwd.h +++ b/fwd.h @@ -106,6 +106,7 @@ struct fwd_ports { void fwd_rule_add(struct fwd_ports *fwd, uint8_t flags, const union inany_addr *addr, const char *ifname, in_port_t first, in_port_t last, in_port_t to); +bool fwd_rule_match(const struct fwd_rule *rule, const struct flowside *ini); const struct fwd_rule *fwd_rule_search(const struct fwd_ports *fwd, const struct flowside *ini); void fwd_rules_print(const struct fwd_ports *fwd); diff --git a/icmp.c b/icmp.c index 9564c496..0f4d48bb 100644 --- a/icmp.c +++ b/icmp.c @@ -183,7 +183,7 @@ static struct icmp_ping_flow *icmp_ping_new(const struct ctx *c, return NULL; flow_initiate_af(flow, PIF_TAP, af, saddr, id, daddr, id); - if (!(tgt = flow_target(c, flow, proto))) + if (!(tgt = flow_target(c, flow, -1, proto))) goto cancel; if (flow->f.pif[TGTSIDE] != PIF_HOST) { diff --git a/tcp.c b/tcp.c index fc03e38f..89b22a51 100644 --- a/tcp.c +++ b/tcp.c @@ -1657,7 +1657,7 @@ static void tcp_conn_from_tap(const struct ctx *c, sa_family_t af, ini = flow_initiate_af(flow, PIF_TAP, af, saddr, srcport, daddr, dstport); - if (!(tgt = flow_target(c, flow, IPPROTO_TCP))) + if (!(tgt = flow_target(c, flow, -1, IPPROTO_TCP))) goto cancel; if (flow->f.pif[TGTSIDE] != PIF_HOST) { @@ -2496,7 +2496,7 @@ void tcp_listen_handler(const struct ctx *c, union epoll_ref ref, goto cancel; } - if (!flow_target(c, flow, IPPROTO_TCP)) + if (!flow_target(c, flow, ref.listen.rule, IPPROTO_TCP)) goto cancel; switch (flow->f.pif[TGTSIDE]) { diff --git a/udp.c b/udp.c index 761221f6..d7e47e52 100644 --- a/udp.c +++ b/udp.c @@ -838,12 +838,13 @@ static void udp_buf_sock_to_tap(const struct ctx *c, int s, int n, * udp_sock_fwd() - Forward datagrams from a possibly unconnected socket * @c: Execution context * @s: Socket to forward from + * @rule_hint: Forwarding rule to use, or -1 if unknown * @frompif: Interface to which @s belongs * @port: Our (local) port number of @s * @now: Current timestamp */ -void udp_sock_fwd(const struct ctx *c, int s, uint8_t frompif, - in_port_t port, const struct timespec *now) +void udp_sock_fwd(const struct ctx *c, int s, int rule_hint, + uint8_t frompif, in_port_t port, const struct timespec *now) { union sockaddr_inany src; union inany_addr dst; @@ -868,7 +869,8 @@ void udp_sock_fwd(const struct ctx *c, int s, uint8_t frompif, continue; } - tosidx = udp_flow_from_sock(c, frompif, &dst, port, &src, now); + tosidx = udp_flow_from_sock(c, frompif, &dst, port, &src, + rule_hint, now); topif = pif_at_sidx(tosidx); if (pif_is_socket(topif)) { @@ -910,8 +912,10 @@ void udp_listen_sock_handler(const struct ctx *c, union epoll_ref ref, uint32_t events, const struct timespec *now) { - if (events & (EPOLLERR | EPOLLIN)) - udp_sock_fwd(c, ref.fd, ref.listen.pif, ref.listen.port, now); + if (events & (EPOLLERR | EPOLLIN)) { + udp_sock_fwd(c, ref.fd, ref.listen.rule, + ref.listen.pif, ref.listen.port, now); + } } /** diff --git a/udp_flow.c b/udp_flow.c index 8907f2f7..b82c6c06 100644 --- a/udp_flow.c +++ b/udp_flow.c @@ -139,6 +139,7 @@ static int udp_flow_sock(const struct ctx *c, * udp_flow_new() - Common setup for a new UDP flow * @c: Execution context * @flow: Initiated flow + * @rule_hint: Index of forwarding rule, or -1 if unknown * @now: Timestamp * * Return: sidx for the target side of the new UDP flow, or FLOW_SIDX_NONE @@ -147,13 +148,13 @@ static int udp_flow_sock(const struct ctx *c, * #syscalls getsockname */ static flow_sidx_t udp_flow_new(const struct ctx *c, union flow *flow, - const struct timespec *now) + int rule_hint, const struct timespec *now) { struct udp_flow *uflow = NULL; const struct flowside *tgt; unsigned sidei; - if (!(tgt = flow_target(c, flow, IPPROTO_UDP))) + if (!(tgt = flow_target(c, flow, rule_hint, IPPROTO_UDP))) goto cancel; uflow = FLOW_SET_TYPE(flow, FLOW_UDP, udp); @@ -216,6 +217,7 @@ cancel: * @dst: Our (local) address to which the datagram is arriving * @port: Our (local) port number to which the datagram is arriving * @s_in: Source socket address, filled in by recvmmsg() + * @rule_hint: Index of forwarding rule, or -1 if unknown * @now: Timestamp * * #syscalls fcntl arm:fcntl64 ppc64:fcntl64|fcntl i686:fcntl64 @@ -226,7 +228,7 @@ cancel: flow_sidx_t udp_flow_from_sock(const struct ctx *c, uint8_t pif, const union inany_addr *dst, in_port_t port, const union sockaddr_inany *s_in, - const struct timespec *now) + int rule_hint, const struct timespec *now) { const struct flowside *ini; struct udp_flow *uflow; @@ -260,7 +262,7 @@ flow_sidx_t udp_flow_from_sock(const struct ctx *c, uint8_t pif, return FLOW_SIDX_NONE; } - return udp_flow_new(c, flow, now); + return udp_flow_new(c, flow, rule_hint, now); } /** @@ -316,7 +318,7 @@ flow_sidx_t udp_flow_from_tap(const struct ctx *c, return FLOW_SIDX_NONE; } - return udp_flow_new(c, flow, now); + return udp_flow_new(c, flow, -1, now); } /** @@ -332,7 +334,7 @@ static void udp_flush_flow(const struct ctx *c, { /* We don't know exactly where the datagrams will come from, but we know * they'll have an interface and oport matching this flow */ - udp_sock_fwd(c, uflow->s[sidei], uflow->f.pif[sidei], + udp_sock_fwd(c, -1, uflow->s[sidei], uflow->f.pif[sidei], uflow->f.side[sidei].oport, now); } diff --git a/udp_flow.h b/udp_flow.h index 4c528e95..14e0f920 100644 --- a/udp_flow.h +++ b/udp_flow.h @@ -35,7 +35,7 @@ struct udp_flow *udp_at_sidx(flow_sidx_t sidx); flow_sidx_t udp_flow_from_sock(const struct ctx *c, uint8_t pif, const union inany_addr *dst, in_port_t port, const union sockaddr_inany *s_in, - const struct timespec *now); + int rule_hint, const struct timespec *now); flow_sidx_t udp_flow_from_tap(const struct ctx *c, uint8_t pif, sa_family_t af, const void *saddr, const void *daddr, diff --git a/udp_internal.h b/udp_internal.h index 96d11cff..f0ce8f14 100644 --- a/udp_internal.h +++ b/udp_internal.h @@ -28,7 +28,7 @@ size_t udp_update_hdr4(struct iphdr *ip4h, struct udp_payload_t *bp, size_t udp_update_hdr6(struct ipv6hdr *ip6h, struct udp_payload_t *bp, const struct flowside *toside, size_t dlen, bool no_udp_csum); -void udp_sock_fwd(const struct ctx *c, int s, uint8_t frompif, - in_port_t port, const struct timespec *now); +void udp_sock_fwd(const struct ctx *c, int s, int rule_hint, + uint8_t frompif, in_port_t port, const struct timespec *now); #endif /* UDP_INTERNAL_H */ -- 2.52.0

On Thu, Jan 08, 2026 at 02:22:21PM +0100, Laurent Vivier wrote:

On 1/8/26 03:29, David Gibson wrote:

...

Add a function to get the name of an IP protocol from its number. Usually this would be done by getprotobynumber(), but that requires access to /etc/protocols and might allocate. We can't do either of those once we've self-isolated.

Signed-off-by: David Gibson --- ip.c | 27 +++++++++++++++++++++++++++ ip.h | 2 ++ 2 files changed, 29 insertions(+)

diff --git a/ip.c b/ip.c index 9a7f4c54..f1d224bd 100644 --- a/ip.c +++ b/ip.c @@ -67,3 +67,30 @@ found: *proto = nh; return true; } + +/** + * ipproto_name() - Get IP protocol name from number + * @proto: IP protocol number + * + * Return: pointer to name of protocol @proto + * + * Usually this would be done with getprotobynumber(3) but that reads + * /etc/protocols and might allocate, which isn't possible for us once + * self-isolated. + */ +/* cppcheck-suppress unusedFunction */ +const char *ipproto_name(uint8_t proto) +{ + switch (proto) { + case IPPROTO_ICMP: + return "ICMP"; + case IPPROTO_TCP: + return "TCP"; + case IPPROTO_UDP: + return "UDP"; + case IPPROTO_ICMPV6: + return "ICMPv6"; + default: + return "<unknown protocol>"; + } +} diff --git a/ip.h b/ip.h index 5830b923..42b417c5 100644 --- a/ip.h +++ b/ip.h @@ -116,6 +116,7 @@ static inline uint32_t ip6_get_flow_lbl(const struct ipv6hdr *ip6h) } bool ipv6_l4hdr(struct iov_tail *data, uint8_t *proto, size_t *dlen); +const char *ipproto_name(uint8_t proto); /* IPv6 link-local all-nodes multicast address, ff02::1 */ static const struct in6_addr in6addr_ll_all_nodes = { @@ -135,4 +136,5 @@ static const struct in_addr in4addr_broadcast = { 0xffffffff }; #define IPV6_MIN_MTU 1280 #endif +

Extra blank line

Oops, fixed.

...

#endif /* IP_H */

Reviewed-by: Laurent Vivier

-- David Gibson (he or they) | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you, not the other way | around. http://www.ozlabs.org/~dgibson