[PATCH v7 0/8] Use true MAC address of LAN local remote hosts

newer
[PATCH v4] Send an initial ARP and...

Jon Maloy

10 Sep 2025 10 Sep '25

5:03 p.m.

Bug #120 asks us to use the true MAC addresses of LAN local remote hosts, since some programs need this information. These commits introduces this for ARP, NDP, UDP, TCP and ICMP. --- v3: Updated according to feedback from Stefano and David: - Made the ARP/NDP lookup call filter out the requested address by itself, qualified by the index if the template interface - Moved the flow specific MAC address from struct flowside to struct flow_common. v4: - Updated according to feedback from David and Stefan - Added a cache table for ARP/NDP table contents v5: - Updated according to feedback from David and Stefan - Added cache table entries to FIFO/LRU queue - New criteria for when to consult ARP/NDP v6: - Simplified and merged mac cache table commits - Other changes after feedback from David. v7: - Fixes in patch #2 based on feedback from David and Stefano. Jon Maloy (8): netlink: add function to extract MAC addresses from NDP/ARP table fwd: Added cache table for ARP/NDP contents arp/ndp: respond with true MAC address of LAN local remote hosts flow: add MAC address of LAN local remote hosts to flow udp: forward external source MAC address through tap interface tcp: forward external source MAC address through tap interface tap: change signature of function tap_push_l2h() icmp: let icmp use mac address from flowside structure arp.c | 9 ++- conf.c | 1 + flow.c | 2 + flow.h | 2 + fwd.c | 184 +++++++++++++++++++++++++++++++++++++++++++++++-- fwd.h | 6 ++ icmp.c | 8 ++- inany.c | 1 + ndp.c | 10 ++- netlink.c | 82 ++++++++++++++++++++++ netlink.h | 2 + passt.c | 9 ++- passt.h | 3 +- pasta.c | 2 +- tap.c | 24 ++++--- tap.h | 7 +- tcp.c | 18 +++-- tcp.h | 2 +- tcp_buf.c | 37 +++++----- tcp_internal.h | 4 +- tcp_vu.c | 5 +- udp.c | 57 +++++++++------ udp.h | 2 +- util.c | 12 ++++ util.h | 1 + 25 files changed, 407 insertions(+), 83 deletions(-) -- 2.50.1

Show replies by date

Jon Maloy

10 Sep 10 Sep

5:03 p.m.

New subject: [PATCH v7 1/8] netlink: add function to extract MAC addresses from NDP/ARP table

The solution to bug https://bugs.passt.top/show_bug.cgi?id=120 requires the ability to translate from an IP address to its corresponding MAC address in cases where those are present in the ARP/NDP table. We add this feature here. Signed-off-by: Jon Maloy Reviewed-by: David Gibson --- v3: - Added an attribute contianing NDA_DST to sent message, so that we let the kernel do the filtering of the IP address and return only one entry. - Added interface index to the call signature. Since the only interface we know is the template interface, this limits the number of hosts that will be seen as 'network segment local' from a PASST viewpoint. v4: - Made loop independent of attribute order. - Ignoring L2 addresses which are not of size ETH_ALEN. v5: - Changed return value of new function, so caller can know if a MAC address really was found. v6: - Removed warning printout which had ended up in the wrong commit. --- netlink.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ netlink.h | 2 ++ 2 files changed, 84 insertions(+) diff --git a/netlink.c b/netlink.c index 8f82e73..3ba0597 100644 --- a/netlink.c +++ b/netlink.c @@ -800,6 +800,88 @@ int nl_addr_get(int s, unsigned int ifi, sa_family_t af, return status; } +/** + * nl_neigh_mac_get() - Get neighbor MAC address from the kernel neigh table + * @s: Netlink socket fd + * @addr: IPv4 or IPv6 address + * @ifi: Interface index + * @mac: Buffer for Ethernet MAC, left unchanged if not found/usable + * + * Return: true if a valid address was found, false otherwise. + */ +bool nl_neigh_mac_get(int s, const union inany_addr *addr, + int ifi, unsigned char *mac) +{ + const void *ip = inany_v4(addr); + struct req_t { + struct nlmsghdr nlh; + struct ndmsg ndm; + struct rtattr rta; + char ip[RTA_ALIGN(sizeof(struct in6_addr))]; + } req; + struct nlmsghdr *nh; + char buf[NLBUFSIZ]; + bool found = false; + ssize_t status; + uint32_t seq; + int msglen; + int iplen; + + memset(&req, 0, sizeof(req)); + req.ndm.ndm_ifindex = ifi; + req.rta.rta_type = NDA_DST; + + if (ip) { + req.ndm.ndm_family = AF_INET; + iplen = sizeof(struct in_addr); + } else { + req.ndm.ndm_family = AF_INET6; + ip = &addr; + iplen = sizeof(struct in6_addr); + } + + req.rta.rta_len = RTA_LENGTH(iplen); + memcpy(RTA_DATA(&req.rta), ip, iplen); + msglen = NLMSG_ALIGN(sizeof(req.nlh) + sizeof(req.ndm) + RTA_LENGTH(iplen)); + seq = nl_send(s, &req, RTM_GETNEIGH, 0, msglen); + + /* Drain all RTM_NEWNEIGH replies for this seq */ + nl_foreach_oftype(nh, status, s, buf, seq, RTM_NEWNEIGH) { + struct ndmsg *ndm = NLMSG_DATA(nh); + struct rtattr *rta = (struct rtattr *)(ndm + 1); + const uint8_t *lladdr = NULL; + size_t na = RTM_PAYLOAD(nh); + const void *dst = NULL; + size_t lladdr_len = 0; + size_t dstlen = 0; + + for (; RTA_OK(rta, na); rta = RTA_NEXT(rta, na)) { + switch (rta->rta_type) { + case NDA_DST: + dst = RTA_DATA(rta); + dstlen = RTA_PAYLOAD(rta); + break; + case NDA_LLADDR: + lladdr = RTA_DATA(rta); + lladdr_len = RTA_PAYLOAD(rta); + break; + default: + break; + } + } + + if (dst && dstlen == (size_t)iplen && memcmp(dst, ip, iplen) == 0) { + /* Only copy Ethernet-style addresses; leave unchanged otherwise */ + if (lladdr && lladdr_len == ETH_ALEN) { + memcpy(mac, lladdr, ETH_ALEN); + found = true; + } + } + } + + return found; +} + /** * nl_addr_get_ll() - Get first IPv6 link-local address for a given interface * @s: Netlink socket diff --git a/netlink.h b/netlink.h index b51e99c..1dbe1db 100644 --- a/netlink.h +++ b/netlink.h @@ -17,6 +17,8 @@ int nl_route_dup(int s_src, unsigned int ifi_src, int s_dst, unsigned int ifi_dst, sa_family_t af); int nl_addr_get(int s, unsigned int ifi, sa_family_t af, void *addr, int *prefix_len, void *addr_l); +bool nl_neigh_mac_get(int s, const union inany_addr *addr, int ifi, + unsigned char *mac); int nl_addr_set(int s, unsigned int ifi, sa_family_t af, const void *addr, int prefix_len); int nl_addr_get_ll(int s, unsigned int ifi, struct in6_addr *addr); -- 2.50.1

Jon Maloy

5:03 p.m.

New subject: [PATCH v7 2/8] fwd: Added cache table for ARP/NDP contents

We add a cache table to keep partial contents of the kernel ARP/NDP tables. This way, we drastically reduce the number of netlink calls to read those tables. We create undefined cache entries representing non- or not-yet- existing ARP/NDP entries when needed. We add a short expiration time to each such entry, so that we can know when to make repeated calls to the kernel tables in the beginning. We also add an access counter to the entries, to ensure that the timer becomes longer and the call frequency abates over time if no ARP/NDP entry shows up. For regular entries we use a much longer timer, with the purpose to update the entry in the rare case that a remote host changes its MAC address. Signed-off-by: Jon Maloy --- v5: - Moved to earlier in series to reduce rebase conflicts v6: - Sqashed the hash list commit and the FIFO/LRU queue commit - Removed hash lookup. We now only use linear lookup in a linked list - Eliminated dynamic memory allocation. - Ensured there is only one call to clock_gettime() - Using MAC_ZERO instead of the previously dedicated definitions v7: - NOW using MAC_ZERO where needed - I am still using linear back-off for empty cache entries. Even an incoming, flow-creating packet from a local host gives no guarantee that its MAC address is in the ARP table, so we must allow for a few new attempts at first possible occasions. Only after several failed lookups can we conclude that we probably never will succeed. Hence the back-off. - Fixed a bug that David inadvertently made me aware of: I only intended to set the initial expiry value to MAC_CACHE_RENEWAL when an ARP/NDP table lookup was successful. - Improved struct and function description comments --- conf.c | 1 + fwd.c | 189 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ fwd.h | 4 ++ util.c | 12 ++++ util.h | 1 + 5 files changed, 207 insertions(+) diff --git a/conf.c b/conf.c index f47f48e..27b04d3 100644 --- a/conf.c +++ b/conf.c @@ -2122,6 +2122,7 @@ void conf(struct ctx *c, int argc, char **argv) c->udp.fwd_out.mode = fwd_default; fwd_scan_ports_init(c); + fwd_mac_cache_init(); if (!c->quiet) conf_print(c); diff --git a/fwd.c b/fwd.c index 250cf56..fcd119e 100644 --- a/fwd.c +++ b/fwd.c @@ -19,6 +19,8 @@ #include #include #include +#include +#include #include "util.h" #include "ip.h" @@ -26,6 +28,8 @@ #include "passt.h" #include "lineread.h" #include "flow_table.h" +#include "inany.h" +#include "netlink.h" /* Empheral port range: values from RFC 6335 */ static in_port_t fwd_ephemeral_min = (1 << 15) + (1 << 14); @@ -33,6 +37,191 @@ static in_port_t fwd_ephemeral_max = NUM_PORTS - 1; #define PORT_RANGE_SYSCTL "/proc/sys/net/ipv4/ip_local_port_range" +#define MAC_CACHE_SIZE 128 +#define MAC_CACHE_RENEWAL 3600 /* Refresh entry from ARP/NDP every hour */ + +/* Partial cache of ARP/NDP table contents */ +/** + * mac_cache_entry - Entry in the ARP/NDP table cache + * @prev: Previous entry in LRU list + * @next: Next entry in LRU list + * @expiry: Point of time after which a new netlink lookup is allowed + * @addr: IP address of represented host + * @mac: MAC address of represented host, if known + * @access_count: Access counter. Used for back-off from netlink calls + */ +struct mac_cache_entry { + struct mac_cache_entry *prev; + struct mac_cache_entry *next; + struct timespec expiry; + union inany_addr addr; + uint8_t mac[ETH_ALEN]; + uint16_t access_count; +}; + +/** + * mac_cache_entry - Partial cache of ARP/NDP table contents + * @head: Least recent used entry in LRU list + * @tail: Most recent used entry in LRU list + * @mac_table: Array of entries, organized as FIFO/LRU list + */ +struct mac_cache_table { + struct mac_cache_entry *head; + struct mac_cache_entry *tail; + struct mac_cache_entry mac_table[MAC_CACHE_SIZE]; +}; + +static struct mac_cache_table mac_cache; + +/** + * fwd_mac_cache_unlink() - Unlink entry from LRU queue + */ +static void fwd_mac_cache_unlink(struct mac_cache_entry *e) +{ + struct mac_cache_table *t = &mac_cache; + + if (e->prev) + e->prev->next = e->next; + else + t->head = e->next; + + if (e->next) + e->next->prev = e->prev; + else + t->tail = e->prev; + + e->prev = e->next = NULL; +} + +/** + * fwd_mac_cache_append_tail() - Add entry to tail of LRU queue + */ +static void fwd_mac_cache_append_to_tail(struct mac_cache_entry *e) +{ + struct mac_cache_table *t = &mac_cache; + + e->next = NULL; + e->prev = t->tail; + t->tail->next = e; + t->tail = e; +} + +/** + * fwd_mac_cache_move_to_tail() - Move entry to tail of LRU queue + */ +static void fwd_mac_cache_move_to_tail(struct mac_cache_entry *e) +{ + struct mac_cache_table *t = &mac_cache; + + if (t->tail == e) + return; + + fwd_mac_cache_unlink(e); + fwd_mac_cache_append_to_tail(e); +} + +/** + * mac_entry_set_expiry() - Set the time for a cache entry to expire + * @now: Current point in time + * @e: Cache entry + * @expiry: Expiration time, in seconds from current moment. + */ +static void mac_entry_set_expiry(struct mac_cache_entry *e, struct timespec *now, int expiry) +{ + e->expiry = *now; + e->expiry.tv_sec += expiry; +} + +/** + * fwd_mac_cache_find() - Find an entry in the ARP/NDP cache table + * @addr: IPv4 or IPv6 address, used as key for the lookup + * + * Return: Pointer to the entry on success, NULL on failure. + */ +static struct mac_cache_entry *fwd_mac_cache_find(const union inany_addr *addr) +{ + const struct mac_cache_table *t = &mac_cache; + struct mac_cache_entry *e = t->tail; + + for (e = t->tail; e; e = e->prev) { + if (inany_equals(&e->addr, addr)) + return e; + } + return NULL; +} + +/** + * fwd_neigh_mac_get() - Lookup MAC address in the real or cached ARP/NDP table + * @c: Execution context + * @addr: IPv4 or IPv6 address, used as lookup key + * @mac: Buffer for Ethernet MAC to return, found or default value. + * + * Return: true if real MAC found, false if not found or if failure + */ +bool fwd_neigh_mac_get(const struct ctx *c, const union inany_addr *addr, + uint8_t *mac) +{ + struct mac_cache_entry *e = fwd_mac_cache_find(addr); + int ifi = inany_v4(addr) ? c->ifi4 : c->ifi6; + bool refresh = false; + struct timespec now; + bool found = false; + + clock_gettime(CLOCK_MONOTONIC, &now); + + if (e) { + refresh = timespec_before(&e->expiry, &now); + } else { + /* Recycle least recently used entry */ + e = mac_cache.head; + e->addr = *addr; + memcpy(e->mac, MAC_ZERO, ETH_ALEN); + e->access_count = 0; + refresh = true; + } + + if (!refresh) { + found = !MAC_IS_ZERO(e->mac); + } else { + found = nl_neigh_mac_get(nl_sock, addr, ifi, e->mac); + if (found) + mac_entry_set_expiry(e, &now, MAC_CACHE_RENEWAL); + } + + if (found) { + memcpy(mac, e->mac, ETH_ALEN); + } else { + /* Back off from new netlink calls if nothing found */ + mac_entry_set_expiry(e, &now, e->access_count++); + memcpy(mac, c->our_tap_mac, ETH_ALEN); + } + + /* Set to most recently used */ + fwd_mac_cache_move_to_tail(e); + + return found; +} + +/** + * fwd_mac_cache_init() - Initiate ARP/NDP cache table + */ +void fwd_mac_cache_init(void) +{ + struct mac_cache_table *t = &mac_cache; + struct mac_cache_entry *e; + int i; + + memset(t, 0, sizeof(*t)); + + for (i = 0; i < MAC_CACHE_SIZE; i++) { + e = &t->mac_table[i]; + e->prev = (i == 0) ? NULL : &t->mac_table[i - 1]; + e->next = (i < (MAC_CACHE_SIZE - 1)) ? &t->mac_table[i + 1] : NULL; + } + t->head = &t->mac_table[0]; + t->tail = &t->mac_table[MAC_CACHE_SIZE - 1]; +} + /** fwd_probe_ephemeral() - Determine what ports this host considers ephemeral * * Work out what ports the host thinks are emphemeral and record it for later diff --git a/fwd.h b/fwd.h index 65c7c96..728601f 100644 --- a/fwd.h +++ b/fwd.h @@ -57,4 +57,8 @@ uint8_t fwd_nat_from_splice(const struct ctx *c, uint8_t proto, uint8_t fwd_nat_from_host(const struct ctx *c, uint8_t proto, const struct flowside *ini, struct flowside *tgt); +bool fwd_neigh_mac_get(const struct ctx *c, const union inany_addr *addr, + uint8_t *mac); +void fwd_mac_cache_init(void); + #endif /* FWD_H */ diff --git a/util.c b/util.c index c492f90..8a8846c 100644 --- a/util.c +++ b/util.c @@ -305,6 +305,18 @@ long timespec_diff_ms(const struct timespec *a, const struct timespec *b) return timespec_diff_us(a, b) / 1000; } +/** + * timespec_before() - Check the relation between two points in time + * @a: Point in time to be tested + * @b: Point in time test a against + * Return: True if a comes before b, otherwise b + */ +bool timespec_before(const struct timespec *a, const struct timespec *b) +{ + return (a->tv_sec < b->tv_sec) || + (a->tv_sec == b->tv_sec && a->tv_nsec < b->tv_nsec); +} + /** * bitmap_set() - Set single bit in bitmap * @map: Pointer to bitmap diff --git a/util.h b/util.h index 2a8c38f..5ec3f22 100644 --- a/util.h +++ b/util.h @@ -207,6 +207,7 @@ int sock_unix(char *sock_path); void sock_probe_mem(struct ctx *c); long timespec_diff_ms(const struct timespec *a, const struct timespec *b); int64_t timespec_diff_us(const struct timespec *a, const struct timespec *b); +bool timespec_before(const struct timespec *a, const struct timespec *b); void bitmap_set(uint8_t *map, unsigned bit); void bitmap_clear(uint8_t *map, unsigned bit); bool bitmap_isset(const uint8_t *map, unsigned bit); -- 2.50.1

David Gibson

12 Sep 12 Sep

5:27 a.m.

New subject: [PATCH v7 2/8] fwd: Added cache table for ARP/NDP contents

On Wed, Sep 10, 2025 at 11:03:49AM -0400, Jon Maloy wrote:

...

We add a cache table to keep partial contents of the kernel ARP/NDP tables. This way, we drastically reduce the number of netlink calls to read those tables.

We create undefined cache entries representing non- or not-yet- existing ARP/NDP entries when needed. We add a short expiration time to each such entry, so that we can know when to make repeated calls to the kernel tables in the beginning. We also add an access counter to the entries, to ensure that the timer becomes longer and the call frequency abates over time if no ARP/NDP entry shows up.

For regular entries we use a much longer timer, with the purpose to update the entry in the rare case that a remote host changes its MAC address.

Signed-off-by: Jon Maloy

--- v5: - Moved to earlier in series to reduce rebase conflicts v6: - Sqashed the hash list commit and the FIFO/LRU queue commit - Removed hash lookup. We now only use linear lookup in a linked list - Eliminated dynamic memory allocation. - Ensured there is only one call to clock_gettime() - Using MAC_ZERO instead of the previously dedicated definitions v7: - NOW using MAC_ZERO where needed - I am still using linear back-off for empty cache entries. Even an incoming, flow-creating packet from a local host gives no guarantee that its MAC address is in the ARP table, so we must allow for a few new attempts at first possible occasions. Only after several failed lookups can we conclude that we probably never will succeed. Hence the back-off.

Still not sure I'm entirely convinced, but ok. Reviewed-by: David Gibson

...

- Fixed a bug that David inadvertently made me aware of: I only intended to set the initial expiry value to MAC_CACHE_RENEWAL when an ARP/NDP table lookup was successful. - Improved struct and function description comments --- conf.c | 1 + fwd.c | 189 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ fwd.h | 4 ++ util.c | 12 ++++ util.h | 1 + 5 files changed, 207 insertions(+)

diff --git a/conf.c b/conf.c index f47f48e..27b04d3 100644 --- a/conf.c +++ b/conf.c @@ -2122,6 +2122,7 @@ void conf(struct ctx *c, int argc, char **argv) c->udp.fwd_out.mode = fwd_default;

fwd_scan_ports_init(c); + fwd_mac_cache_init();

if (!c->quiet) conf_print(c); diff --git a/fwd.c b/fwd.c index 250cf56..fcd119e 100644 --- a/fwd.c +++ b/fwd.c @@ -19,6 +19,8 @@ #include #include #include +#include +#include

#include "util.h" #include "ip.h" @@ -26,6 +28,8 @@ #include "passt.h" #include "lineread.h" #include "flow_table.h" +#include "inany.h" +#include "netlink.h"

/* Empheral port range: values from RFC 6335 */ static in_port_t fwd_ephemeral_min = (1 << 15) + (1 << 14); @@ -33,6 +37,191 @@ static in_port_t fwd_ephemeral_max = NUM_PORTS - 1;

#define PORT_RANGE_SYSCTL "/proc/sys/net/ipv4/ip_local_port_range"

+#define MAC_CACHE_SIZE 128 +#define MAC_CACHE_RENEWAL 3600 /* Refresh entry from ARP/NDP every hour */ + +/* Partial cache of ARP/NDP table contents */ +/** + * mac_cache_entry - Entry in the ARP/NDP table cache + * @prev: Previous entry in LRU list + * @next: Next entry in LRU list + * @expiry: Point of time after which a new netlink lookup is allowed + * @addr: IP address of represented host + * @mac: MAC address of represented host, if known + * @access_count: Access counter. Used for back-off from netlink calls + */ +struct mac_cache_entry { + struct mac_cache_entry *prev; + struct mac_cache_entry *next; + struct timespec expiry; + union inany_addr addr; + uint8_t mac[ETH_ALEN]; + uint16_t access_count; +}; + +/** + * mac_cache_entry - Partial cache of ARP/NDP table contents + * @head: Least recent used entry in LRU list + * @tail: Most recent used entry in LRU list + * @mac_table: Array of entries, organized as FIFO/LRU list + */ +struct mac_cache_table { + struct mac_cache_entry *head; + struct mac_cache_entry *tail; + struct mac_cache_entry mac_table[MAC_CACHE_SIZE]; +}; + +static struct mac_cache_table mac_cache; + +/** + * fwd_mac_cache_unlink() - Unlink entry from LRU queue + */ +static void fwd_mac_cache_unlink(struct mac_cache_entry *e) +{ + struct mac_cache_table *t = &mac_cache; + + if (e->prev) + e->prev->next = e->next; + else + t->head = e->next; + + if (e->next) + e->next->prev = e->prev; + else + t->tail = e->prev; + + e->prev = e->next = NULL; +} + +/** + * fwd_mac_cache_append_tail() - Add entry to tail of LRU queue + */ +static void fwd_mac_cache_append_to_tail(struct mac_cache_entry *e) +{ + struct mac_cache_table *t = &mac_cache; + + e->next = NULL; + e->prev = t->tail; + t->tail->next = e; + t->tail = e; +} + +/** + * fwd_mac_cache_move_to_tail() - Move entry to tail of LRU queue + */ +static void fwd_mac_cache_move_to_tail(struct mac_cache_entry *e) +{ + struct mac_cache_table *t = &mac_cache; + + if (t->tail == e) + return; + + fwd_mac_cache_unlink(e); + fwd_mac_cache_append_to_tail(e); +} + +/** + * mac_entry_set_expiry() - Set the time for a cache entry to expire + * @now: Current point in time + * @e: Cache entry + * @expiry: Expiration time, in seconds from current moment. + */ +static void mac_entry_set_expiry(struct mac_cache_entry *e, struct timespec *now, int expiry) +{ + e->expiry = *now; + e->expiry.tv_sec += expiry; +} + +/** + * fwd_mac_cache_find() - Find an entry in the ARP/NDP cache table + * @addr: IPv4 or IPv6 address, used as key for the lookup + * + * Return: Pointer to the entry on success, NULL on failure. + */ +static struct mac_cache_entry *fwd_mac_cache_find(const union inany_addr *addr) +{ + const struct mac_cache_table *t = &mac_cache; + struct mac_cache_entry *e = t->tail; + + for (e = t->tail; e; e = e->prev) { + if (inany_equals(&e->addr, addr)) + return e; + } + return NULL; +} + +/** + * fwd_neigh_mac_get() - Lookup MAC address in the real or cached ARP/NDP table + * @c: Execution context + * @addr: IPv4 or IPv6 address, used as lookup key + * @mac: Buffer for Ethernet MAC to return, found or default value. + * + * Return: true if real MAC found, false if not found or if failure + */ +bool fwd_neigh_mac_get(const struct ctx *c, const union inany_addr *addr, + uint8_t *mac) +{ + struct mac_cache_entry *e = fwd_mac_cache_find(addr); + int ifi = inany_v4(addr) ? c->ifi4 : c->ifi6; + bool refresh = false; + struct timespec now; + bool found = false; + + clock_gettime(CLOCK_MONOTONIC, &now); + + if (e) { + refresh = timespec_before(&e->expiry, &now); + } else { + /* Recycle least recently used entry */ + e = mac_cache.head; + e->addr = *addr; + memcpy(e->mac, MAC_ZERO, ETH_ALEN); + e->access_count = 0; + refresh = true; + } + + if (!refresh) { + found = !MAC_IS_ZERO(e->mac); + } else { + found = nl_neigh_mac_get(nl_sock, addr, ifi, e->mac); + if (found) + mac_entry_set_expiry(e, &now, MAC_CACHE_RENEWAL); + } + + if (found) { + memcpy(mac, e->mac, ETH_ALEN); + } else { + /* Back off from new netlink calls if nothing found */ + mac_entry_set_expiry(e, &now, e->access_count++); + memcpy(mac, c->our_tap_mac, ETH_ALEN); + } + + /* Set to most recently used */ + fwd_mac_cache_move_to_tail(e); + + return found; +} + +/** + * fwd_mac_cache_init() - Initiate ARP/NDP cache table + */ +void fwd_mac_cache_init(void) +{ + struct mac_cache_table *t = &mac_cache; + struct mac_cache_entry *e; + int i; + + memset(t, 0, sizeof(*t)); + + for (i = 0; i < MAC_CACHE_SIZE; i++) { + e = &t->mac_table[i]; + e->prev = (i == 0) ? NULL : &t->mac_table[i - 1]; + e->next = (i < (MAC_CACHE_SIZE - 1)) ? &t->mac_table[i + 1] : NULL; + } + t->head = &t->mac_table[0]; + t->tail = &t->mac_table[MAC_CACHE_SIZE - 1]; +} + /** fwd_probe_ephemeral() - Determine what ports this host considers ephemeral * * Work out what ports the host thinks are emphemeral and record it for later diff --git a/fwd.h b/fwd.h index 65c7c96..728601f 100644 --- a/fwd.h +++ b/fwd.h @@ -57,4 +57,8 @@ uint8_t fwd_nat_from_splice(const struct ctx *c, uint8_t proto, uint8_t fwd_nat_from_host(const struct ctx *c, uint8_t proto, const struct flowside *ini, struct flowside *tgt);

+bool fwd_neigh_mac_get(const struct ctx *c, const union inany_addr *addr, + uint8_t *mac); +void fwd_mac_cache_init(void); + #endif /* FWD_H */ diff --git a/util.c b/util.c index c492f90..8a8846c 100644 --- a/util.c +++ b/util.c @@ -305,6 +305,18 @@ long timespec_diff_ms(const struct timespec *a, const struct timespec *b) return timespec_diff_us(a, b) / 1000; }

+/** + * timespec_before() - Check the relation between two points in time + * @a: Point in time to be tested + * @b: Point in time test a against + * Return: True if a comes before b, otherwise b + */ +bool timespec_before(const struct timespec *a, const struct timespec *b) +{ + return (a->tv_sec < b->tv_sec) || + (a->tv_sec == b->tv_sec && a->tv_nsec < b->tv_nsec); +} + /** * bitmap_set() - Set single bit in bitmap * @map: Pointer to bitmap diff --git a/util.h b/util.h index 2a8c38f..5ec3f22 100644 --- a/util.h +++ b/util.h @@ -207,6 +207,7 @@ int sock_unix(char *sock_path); void sock_probe_mem(struct ctx *c); long timespec_diff_ms(const struct timespec *a, const struct timespec *b); int64_t timespec_diff_us(const struct timespec *a, const struct timespec *b); +bool timespec_before(const struct timespec *a, const struct timespec *b); void bitmap_set(uint8_t *map, unsigned bit); void bitmap_clear(uint8_t *map, unsigned bit); bool bitmap_isset(const uint8_t *map, unsigned bit); -- 2.50.1

-- David Gibson (he or they) | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you, not the other way | around. http://www.ozlabs.org/~dgibson

Jon Maloy

10 Sep 10 Sep

5:03 p.m.

New subject: [PATCH v7 3/8] arp/ndp: respond with true MAC address of LAN local remote hosts

When we receive an ARP request or NDP neigbor solicitation over the tap interface for a host on the local network segment attached to the template interface, we respond with that host's real MAC address. Signed-off-by: Jon Maloy Reviewed-by: David Gibson --- v3: - Added helper function to find out if a remote ip address is subject to NAT. This filters out local host addresses which should be presented with the passt/pasta local MAC address 9a:55:9a:55:9a:55 even though it is on the local segment. - Adapted to the change in nl_mac_get() function, so that we now consider only the template interface when checking the ARP/NDP table. v4: - Moved NAT check into the function nat_outbound() to obtain more precise criteria for when NAT is used. We may in theory have NAT even if original and translated addresses are equal, and we want to catch this case. - I chose to keep the wrapper funtion inany_nat(), but moved it to fwd.h/fwd.c and renamed it to fwd_inany_nat(). v5: - Simplified criteria for when we do ARP/NDP lookup. Now, we just try with the potentially translated address after an attempted NAT check. - Using the new ARP/NDP cache table instead of using netlink directly. v6: - Fixes after feedback from David: - Renamed nat_outbound() to fwd_nat_outbound() - Eliminated unnecessary temporary variable in arp.c::arp() --- arp.c | 9 +++++++-- fwd.c | 8 ++++---- fwd.h | 2 ++ inany.c | 1 + ndp.c | 8 ++++++++ 5 files changed, 22 insertions(+), 6 deletions(-) diff --git a/arp.c b/arp.c index 44677ad..90ed5dc 100644 --- a/arp.c +++ b/arp.c @@ -69,6 +69,7 @@ static bool ignore_arp(const struct ctx *c, */ int arp(const struct ctx *c, struct iov_tail *data) { + union inany_addr tgt, tgt_nat; struct { struct ethhdr eh; struct arphdr ah; @@ -102,8 +103,12 @@ int arp(const struct ctx *c, struct iov_tail *data) resp.ah.ar_hln = ah->ar_hln; resp.ah.ar_pln = ah->ar_pln; - /* ARP message */ - memcpy(resp.am.sha, c->our_tap_mac, sizeof(resp.am.sha)); + /* MAC address to return in ARP message */ + inany_from_af(&tgt, AF_INET, am->tip); + fwd_nat_outbound(c, &tgt, &tgt_nat); + fwd_neigh_mac_get(c, &tgt_nat, resp.am.sha); + + /* Rest of ARP message */ memcpy(resp.am.sip, am->tip, sizeof(resp.am.sip)); memcpy(resp.am.tha, am->sha, sizeof(resp.am.tha)); memcpy(resp.am.tip, am->sip, sizeof(resp.am.tip)); diff --git a/fwd.c b/fwd.c index fcd119e..9e4dbb8 100644 --- a/fwd.c +++ b/fwd.c @@ -513,7 +513,7 @@ static bool fwd_guest_accessible(const struct ctx *c, } /** - * nat_outbound() - Apply address translation for outbound (TAP to HOST) + * fwd_nat_outbound() - Apply address translation for outbound (TAP to HOST) * @c: Execution context * @addr: Input address (as seen on TAP interface) * @translated: Output address (as seen on HOST interface) @@ -521,8 +521,8 @@ static bool fwd_guest_accessible(const struct ctx *c, * Only handles translations that depend *only* on the address. Anything * related to specific ports or flows is handled elsewhere. */ -static void nat_outbound(const struct ctx *c, const union inany_addr *addr, - union inany_addr *translated) +void fwd_nat_outbound(const struct ctx *c, const union inany_addr *addr, + union inany_addr *translated) { if (inany_equals4(addr, &c->ip4.map_host_loopback)) *translated = inany_loopback4; @@ -556,7 +556,7 @@ uint8_t fwd_nat_from_tap(const struct ctx *c, uint8_t proto, inany_equals6(&ini->oaddr, &c->ip6.dns_match)) tgt->eaddr.a6 = c->ip6.dns_host; else - nat_outbound(c, &ini->oaddr, &tgt->eaddr); + fwd_nat_outbound(c, &ini->oaddr, &tgt->eaddr); tgt->eport = ini->oport; diff --git a/fwd.h b/fwd.h index 728601f..a4dd6bb 100644 --- a/fwd.h +++ b/fwd.h @@ -50,6 +50,8 @@ void fwd_scan_ports_init(struct ctx *c); bool nat_inbound(const struct ctx *c, const union inany_addr *addr, union inany_addr *translated); +void fwd_nat_outbound(const struct ctx *c, const union inany_addr *addr, + union inany_addr *translated); uint8_t fwd_nat_from_tap(const struct ctx *c, uint8_t proto, const struct flowside *ini, struct flowside *tgt); uint8_t fwd_nat_from_splice(const struct ctx *c, uint8_t proto, diff --git a/inany.c b/inany.c index 65a39f9..7680439 100644 --- a/inany.c +++ b/inany.c @@ -16,6 +16,7 @@ #include "ip.h" #include "siphash.h" #include "inany.h" +#include "fwd.h" const union inany_addr inany_loopback4 = INANY_INIT4(IN4ADDR_LOOPBACK_INIT); const union inany_addr inany_any4 = INANY_INIT4(IN4ADDR_ANY_INIT); diff --git a/ndp.c b/ndp.c index eb090cd..944371c 100644 --- a/ndp.c +++ b/ndp.c @@ -196,6 +196,7 @@ static void ndp_send(const struct ctx *c, const struct in6_addr *dst, static void ndp_na(const struct ctx *c, const struct in6_addr *dst, const struct in6_addr *addr) { + union inany_addr tgt, tgt_nat; struct ndp_na na = { .ih = { .icmp6_type = NA, @@ -215,6 +216,13 @@ static void ndp_na(const struct ctx *c, const struct in6_addr *dst, memcpy(na.target_l2_addr.mac, c->our_tap_mac, ETH_ALEN); + /* Respond with true MAC address if remote host's address or + * NAT translated address can be found in NDP table. + */ + inany_from_af(&tgt, AF_INET6, addr); + fwd_nat_outbound(c, &tgt, &tgt_nat); + fwd_neigh_mac_get(c, &tgt_nat, na.target_l2_addr.mac); + ndp_send(c, dst, &na, sizeof(na)); } -- 2.50.1

Jon Maloy

5:03 p.m.

New subject: [PATCH v7 4/8] flow: add MAC address of LAN local remote hosts to flow

When communicating with remote hosts on the local network, some guest applications want to see the real MAC address of that host instead of PASST/PASTA's own tap address. The flow_common structure is a convenient location for storing that address, so we do that in this commit. Note that we don´t add actual usage of this address here, that will be done in later commits. Signed-off-by: Jon Maloy Reviewed-by: David Gibson --- v3: - Moved the remote host macaddress from struct flowside to struct flow_common. I chose to call it 'omac' as suggested by David, although in my understanding the correct name would be 'emac'. (In general I find the address naming scheme confusing.) - Adapted to new signature of function nl_mac_get(), now passing it the index of the template interface. v4: - Renamed flow_commeon->omac to flow_common->tap_omac to make is role in the code clearer v5: - Modified the criteria for ARP/NDP table lookup like in the previous commits. - Removed the PIF_TAP lookup case, as David suggested, and did instead give the flow->tap_omac field a value marking it as non-initialized. - Calling the cache table instead of netlink for ARP/NDP lookup. - Unconditionally using the potentially translated IP address in the lookup, instead of only if NAT really was applied. v6: - Using MAC_ZERO instead of own definitions --- flow.c | 2 ++ flow.h | 2 ++ 2 files changed, 4 insertions(+) diff --git a/flow.c b/flow.c index feefda3..510f3c5 100644 --- a/flow.c +++ b/flow.c @@ -449,6 +449,7 @@ struct flowside *flow_target(const struct ctx *c, union flow *flow, switch (f->pif[INISIDE]) { case PIF_TAP: + memcpy(f->tap_omac, MAC_ZERO, ETH_ALEN); tgtpif = fwd_nat_from_tap(c, proto, ini, tgt); break; @@ -458,6 +459,7 @@ struct flowside *flow_target(const struct ctx *c, union flow *flow, case PIF_HOST: tgtpif = fwd_nat_from_host(c, proto, ini, tgt); + fwd_neigh_mac_get(c, &ini->eaddr, f->tap_omac); break; default: diff --git a/flow.h b/flow.h index cac618a..f342895 100644 --- a/flow.h +++ b/flow.h @@ -177,6 +177,7 @@ int flowside_connect(const struct ctx *c, int s, * @type: Type of packet flow * @pif[]: Interface for each side of the flow * @side[]: Information for each side of the flow + * @tap_omac: MAC address of remote endpoint as seen from the guest */ struct flow_common { #ifdef __GNUC__ @@ -192,6 +193,7 @@ struct flow_common { #endif uint8_t pif[SIDES]; struct flowside side[SIDES]; + uint8_t tap_omac[6]; }; #define FLOW_INDEX_BITS 17 /* 128k - 1 */ -- 2.50.1

Jon Maloy

5:03 p.m.

New subject: [PATCH v7 5/8] udp: forward external source MAC address through tap interface

We forward the incoming MAC address through the tap interface when receiving incoming packets from network local hosts. This is a part of the solution to bug https://bugs.passt.top/show_bug.cgi?id=120 Signed-off-by: Jon Maloy Reviewed-by: David Gibson --- v3: - Adapted to the move of external MAC address from struct flowside to struct flow_common v4: - Changed signature of udp_tap_prepare() to take a MAC address instead of a flow. - Eliminated initialization of MAC source address in all frames, since those now are set per send occasion anyway. v5: - Added lookup in ARP/NDP table on incoming messages in case flow->tap_omac wasn't initialized at flow creation, i.e., the flow was initiated from the guest. v6: - Using MAC_ZERO --- passt.c | 2 +- udp.c | 45 +++++++++++++++++++++++++-------------------- udp.h | 2 +- 3 files changed, 27 insertions(+), 22 deletions(-) diff --git a/passt.c b/passt.c index a4ec115..2a28e20 100644 --- a/passt.c +++ b/passt.c @@ -154,7 +154,7 @@ static void timer_init(struct ctx *c, const struct timespec *now) void proto_update_l2_buf(const unsigned char *eth_d, const unsigned char *eth_s) { tcp_update_l2_buf(eth_d, eth_s); - udp_update_l2_buf(eth_d, eth_s); + udp_update_l2_buf(eth_d); } /** diff --git a/udp.c b/udp.c index 86585b7..eb57f05 100644 --- a/udp.c +++ b/udp.c @@ -133,11 +133,8 @@ static int udp_splice_init[IP_VERSIONS][NUM_PORTS]; /* UDP header and data for inbound messages */ static struct udp_payload_t udp_payload[UDP_MAX_FRAMES]; -/* Ethernet header for IPv4 frames */ -static struct ethhdr udp4_eth_hdr; - -/* Ethernet header for IPv6 frames */ -static struct ethhdr udp6_eth_hdr; +/* Ethernet headers for IPv4 and IPv6 frames */ +static struct ethhdr udp_eth_hdr[UDP_MAX_FRAMES]; /** * struct udp_meta_t - Pre-cooked headers for UDP packets @@ -210,12 +207,13 @@ void udp_portmap_clear(void) /** * udp_update_l2_buf() - Update L2 buffers with Ethernet and IPv4 addresses * @eth_d: Ethernet destination address, NULL if unchanged - * @eth_s: Ethernet source address, NULL if unchanged */ -void udp_update_l2_buf(const unsigned char *eth_d, const unsigned char *eth_s) +void udp_update_l2_buf(const unsigned char *eth_d) { - eth_update_mac(&udp4_eth_hdr, eth_d, eth_s); - eth_update_mac(&udp6_eth_hdr, eth_d, eth_s); + int i; + + for (i = 0; i < UDP_MAX_FRAMES; i++) + eth_update_mac(&udp_eth_hdr[i], eth_d, NULL); } /** @@ -238,6 +236,7 @@ static void udp_iov_init_one(const struct ctx *c, size_t i) *siov = IOV_OF_LVALUE(payload->data); + tiov[UDP_IOV_ETH] = IOV_OF_LVALUE(udp_eth_hdr[i]); tiov[UDP_IOV_TAP] = tap_hdr_iov(c, &meta->taph); tiov[UDP_IOV_PAYLOAD].iov_base = payload; @@ -253,9 +252,6 @@ static void udp_iov_init(const struct ctx *c) { size_t i; - udp4_eth_hdr.h_proto = htons_constant(ETH_P_IP); - udp6_eth_hdr.h_proto = htons_constant(ETH_P_IPV6); - for (i = 0; i < UDP_MAX_FRAMES; i++) udp_iov_init_one(c, i); } @@ -352,31 +348,34 @@ size_t udp_update_hdr6(struct ipv6hdr *ip6h, struct udp_payload_t *bp, * udp_tap_prepare() - Convert one datagram into a tap frame * @mmh: Receiving mmsghdr array * @idx: Index of the datagram to prepare + * @tap_omac: MAC address of remote endpoint as seen from the guest * @toside: Flowside for destination side * @no_udp_csum: Do not set UDP checksum */ static void udp_tap_prepare(const struct mmsghdr *mmh, - unsigned idx, const struct flowside *toside, + unsigned int idx, + const uint8_t *tap_omac, + const struct flowside *toside, bool no_udp_csum) { struct iovec (*tap_iov)[UDP_NUM_IOVS] = &udp_l2_iov[idx]; struct udp_payload_t *bp = &udp_payload[idx]; struct udp_meta_t *bm = &udp_meta[idx]; + struct ethhdr *eh = (*tap_iov)[UDP_IOV_ETH].iov_base; size_t l4len; + eth_update_mac(eh, NULL, tap_omac); if (!inany_v4(&toside->eaddr) || !inany_v4(&toside->oaddr)) { l4len = udp_update_hdr6(&bm->ip6h, bp, toside, mmh[idx].msg_len, no_udp_csum); - tap_hdr_update(&bm->taph, l4len + sizeof(bm->ip6h) + - sizeof(udp6_eth_hdr)); - (*tap_iov)[UDP_IOV_ETH] = IOV_OF_LVALUE(udp6_eth_hdr); + tap_hdr_update(&bm->taph, l4len + sizeof(bm->ip6h) + ETH_HLEN); + eh->h_proto = htons_constant(ETH_P_IPV6); (*tap_iov)[UDP_IOV_IP] = IOV_OF_LVALUE(bm->ip6h); } else { l4len = udp_update_hdr4(&bm->ip4h, bp, toside, mmh[idx].msg_len, no_udp_csum); - tap_hdr_update(&bm->taph, l4len + sizeof(bm->ip4h) + - sizeof(udp4_eth_hdr)); - (*tap_iov)[UDP_IOV_ETH] = IOV_OF_LVALUE(udp4_eth_hdr); + tap_hdr_update(&bm->taph, l4len + sizeof(bm->ip4h) + ETH_HLEN); + eh->h_proto = htons_constant(ETH_P_IP); (*tap_iov)[UDP_IOV_IP] = IOV_OF_LVALUE(bm->ip4h); } (*tap_iov)[UDP_IOV_PAYLOAD].iov_len = l4len; @@ -801,13 +800,19 @@ static void udp_buf_sock_to_tap(const struct ctx *c, int s, int n, flow_sidx_t tosidx) { const struct flowside *toside = flowside_at_sidx(tosidx); + struct udp_flow *uflow = udp_at_sidx(tosidx); + uint8_t *omac = uflow->f.tap_omac; int i; if ((n = udp_sock_recv(c, s, udp_mh_recv, n)) <= 0) return; + /* Make one attempt to find true MAC address in ARP/NDP table */ + if (MAC_IS_ZERO(omac)) + fwd_neigh_mac_get(c, &toside->oaddr, omac); + for (i = 0; i < n; i++) - udp_tap_prepare(udp_mh_recv, i, toside, false); + udp_tap_prepare(udp_mh_recv, i, omac, toside, false); tap_send_frames(c, &udp_l2_iov[0][0], UDP_NUM_IOVS, n); } diff --git a/udp.h b/udp.h index 8f8531a..dd6e5ad 100644 --- a/udp.h +++ b/udp.h @@ -21,7 +21,7 @@ int udp_sock_init(const struct ctx *c, int ns, const union inany_addr *addr, const char *ifname, in_port_t port); int udp_init(struct ctx *c); void udp_timer(struct ctx *c, const struct timespec *now); -void udp_update_l2_buf(const unsigned char *eth_d, const unsigned char *eth_s); +void udp_update_l2_buf(const unsigned char *eth_d); /** * union udp_listen_epoll_ref - epoll reference for "listening" UDP sockets -- 2.50.1

Jon Maloy

5:03 p.m.

New subject: [PATCH v7 6/8] tcp: forward external source MAC address through tap interface

We forward the incoming mac address through the tap interface when receiving incoming packets from network local hosts. This is a part of the solution to bug https://bugs.passt.top/show_bug.cgi?id=120 Signed-off-by: Jon Maloy Reviewed-by: David Gibson --- v3: - Adapted to the signature change in nl_mac_get() function, so that we now consider only the template interface when checking the ARP/NDP table. v4: - Adapted to previous name changes in this series v5: - Added lookup in ARP/NDP cache and/or table on incoming messages in case flow->tap_omac wasn't initialized at flow creation, i.e., the flow was initiated from the guest. v6: - Using MAC_IS_ZERO() instead of mac_undefined() - I ignored David's suggestion to move the test for undefined flow->tap_omac to tcp_{buf,vu}_data_from_sock(), at least for now. It looks like a sub-optimization to first have to look up the flow instance in these calls, and then do the test for MAC_IS_ZERO(), even though we might in theory end up with fewer such calls (how often?). --- passt.c | 7 +++---- passt.h | 3 +-- pasta.c | 2 +- tap.c | 2 +- tcp.c | 13 +++++++++++-- tcp.h | 2 +- tcp_buf.c | 37 +++++++++++++++++-------------------- tcp_internal.h | 4 ++-- tcp_vu.c | 5 ++--- 9 files changed, 39 insertions(+), 36 deletions(-) diff --git a/passt.c b/passt.c index 2a28e20..adf7b19 100644 --- a/passt.c +++ b/passt.c @@ -149,11 +149,10 @@ static void timer_init(struct ctx *c, const struct timespec *now) /** * proto_update_l2_buf() - Update scatter-gather L2 buffers in protocol handlers * @eth_d: Ethernet destination address, NULL if unchanged - * @eth_s: Ethernet source address, NULL if unchanged */ -void proto_update_l2_buf(const unsigned char *eth_d, const unsigned char *eth_s) +void proto_update_l2_buf(const unsigned char *eth_d) { - tcp_update_l2_buf(eth_d, eth_s); + tcp_update_l2_buf(eth_d); udp_update_l2_buf(eth_d); } @@ -256,7 +255,7 @@ int main(int argc, char **argv) if ((!c.no_udp && udp_init(&c)) || (!c.no_tcp && tcp_init(&c))) _exit(EXIT_FAILURE); - proto_update_l2_buf(c.guest_mac, c.our_tap_mac); + proto_update_l2_buf(c.guest_mac); if (c.ifi4 && !c.no_dhcp) dhcp_init(); diff --git a/passt.h b/passt.h index 4cfd6eb..2c5b3e1 100644 --- a/passt.h +++ b/passt.h @@ -324,7 +324,6 @@ struct ctx { bool migrate_exit; }; -void proto_update_l2_buf(const unsigned char *eth_d, - const unsigned char *eth_s); +void proto_update_l2_buf(const unsigned char *eth_d); #endif /* PASST_H */ diff --git a/pasta.c b/pasta.c index 687406b..a42cfd8 100644 --- a/pasta.c +++ b/pasta.c @@ -411,7 +411,7 @@ void pasta_ns_conf(struct ctx *c) } } - proto_update_l2_buf(c->guest_mac, NULL); + proto_update_l2_buf(c->guest_mac); } /** diff --git a/tap.c b/tap.c index 7ba6399..74557e1 100644 --- a/tap.c +++ b/tap.c @@ -1097,7 +1097,7 @@ void tap_add_packet(struct ctx *c, struct iov_tail *data, if (memcmp(c->guest_mac, eh->h_source, ETH_ALEN)) { memcpy(c->guest_mac, eh->h_source, ETH_ALEN); - proto_update_l2_buf(c->guest_mac, NULL); + proto_update_l2_buf(c->guest_mac); } switch (ntohs(eh->h_proto)) { diff --git a/tcp.c b/tcp.c index dba5fdc..76fc0e4 100644 --- a/tcp.c +++ b/tcp.c @@ -919,6 +919,7 @@ static void tcp_fill_header(struct tcphdr *th, /** * tcp_fill_headers() - Fill 802.3, IP, TCP headers + * @c: Execution context * @conn: Connection pointer * @taph: tap backend specific header * @ip4h: Pointer to IPv4 header, or NULL @@ -929,14 +930,15 @@ static void tcp_fill_header(struct tcphdr *th, * @seq: Sequence number for this segment * @no_tcp_csum: Do not set TCP checksum */ -void tcp_fill_headers(const struct tcp_tap_conn *conn, - struct tap_hdr *taph, +void tcp_fill_headers(const struct ctx *c, struct tcp_tap_conn *conn, + struct tap_hdr *taph, struct ethhdr *eh, struct iphdr *ip4h, struct ipv6hdr *ip6h, struct tcphdr *th, struct iov_tail *payload, const uint16_t *ip4_check, uint32_t seq, bool no_tcp_csum) { const struct flowside *tapside = TAPFLOW(conn); size_t l4len = iov_tail_size(payload) + sizeof(*th); + uint8_t *omac = conn->f.tap_omac; size_t l3len = l4len; uint32_t psum = 0; @@ -962,6 +964,7 @@ void tcp_fill_headers(const struct tcp_tap_conn *conn, psum = proto_ipv4_header_psum(l4len, IPPROTO_TCP, *src4, *dst4); } + eh->h_proto = htons_constant(ETH_P_IP); } if (ip6h) { @@ -982,8 +985,14 @@ void tcp_fill_headers(const struct tcp_tap_conn *conn, &ip6h->saddr, &ip6h->daddr); } + eh->h_proto = htons_constant(ETH_P_IPV6); } + /* Make one attempt to find true MAC address in ARP/NDP table */ + if (MAC_IS_ZERO(omac)) + fwd_neigh_mac_get(c, &tapside->oaddr, omac); + eth_update_mac(eh, NULL, omac); + tcp_fill_header(th, conn, seq); if (no_tcp_csum) diff --git a/tcp.h b/tcp.h index 234a803..c1b8385 100644 --- a/tcp.h +++ b/tcp.h @@ -24,7 +24,7 @@ int tcp_init(struct ctx *c); void tcp_timer(struct ctx *c, const struct timespec *now); void tcp_defer_handler(struct ctx *c); -void tcp_update_l2_buf(const unsigned char *eth_d, const unsigned char *eth_s); +void tcp_update_l2_buf(const unsigned char *eth_d); extern bool peek_offset_cap; diff --git a/tcp_buf.c b/tcp_buf.c index bc898de..7d8746e 100644 --- a/tcp_buf.c +++ b/tcp_buf.c @@ -40,8 +40,7 @@ /* Static buffers */ /* Ethernet header for IPv4 and IPv6 frames */ -static struct ethhdr tcp4_eth_src; -static struct ethhdr tcp6_eth_src; +static struct ethhdr tcp_eth_hdr[TCP_FRAMES_MEM]; static struct tap_hdr tcp_payload_tap_hdr[TCP_FRAMES_MEM]; @@ -67,12 +66,13 @@ static struct iovec tcp_l2_iov[TCP_FRAMES_MEM][TCP_NUM_IOVS]; /** * tcp_update_l2_buf() - Update Ethernet header buffers with addresses * @eth_d: Ethernet destination address, NULL if unchanged - * @eth_s: Ethernet source address, NULL if unchanged */ -void tcp_update_l2_buf(const unsigned char *eth_d, const unsigned char *eth_s) +void tcp_update_l2_buf(const unsigned char *eth_d) { - eth_update_mac(&tcp4_eth_src, eth_d, eth_s); - eth_update_mac(&tcp6_eth_src, eth_d, eth_s); + int i; + + for (i = 0; i < TCP_FRAMES_MEM; i++) + eth_update_mac(&tcp_eth_hdr[i], eth_d, NULL); } /** @@ -85,9 +85,6 @@ void tcp_sock_iov_init(const struct ctx *c) struct iphdr iph = L2_BUF_IP4_INIT(IPPROTO_TCP); int i; - tcp6_eth_src.h_proto = htons_constant(ETH_P_IPV6); - tcp4_eth_src.h_proto = htons_constant(ETH_P_IP); - for (i = 0; i < ARRAY_SIZE(tcp_payload); i++) { tcp6_payload_ip[i] = ip6; tcp4_payload_ip[i] = iph; @@ -149,13 +146,15 @@ void tcp_payload_flush(const struct ctx *c) /** * tcp_l2_buf_fill_headers() - Fill 802.3, IP, TCP headers in pre-cooked buffers + * @c: Execution context * @conn: Connection pointer * @iov: Pointer to an array of iovec of TCP pre-cooked buffers * @check: Checksum, if already known * @seq: Sequence number for this segment * @no_tcp_csum: Do not set TCP checksum */ -static void tcp_l2_buf_fill_headers(const struct tcp_tap_conn *conn, +static void tcp_l2_buf_fill_headers(const struct ctx *c, + struct tcp_tap_conn *conn, struct iovec *iov, const uint16_t *check, uint32_t seq, bool no_tcp_csum) { @@ -164,6 +163,7 @@ static void tcp_l2_buf_fill_headers(const struct tcp_tap_conn *conn, struct tap_hdr *taph = iov[TCP_IOV_TAP].iov_base; const struct flowside *tapside = TAPFLOW(conn); const struct in_addr *a4 = inany_v4(&tapside->oaddr); + struct ethhdr *eh = iov[TCP_IOV_ETH].iov_base; struct ipv6hdr *ip6h = NULL; struct iphdr *ip4h = NULL; @@ -172,7 +172,7 @@ static void tcp_l2_buf_fill_headers(const struct tcp_tap_conn *conn, else ip6h = iov[TCP_IOV_IP].iov_base; - tcp_fill_headers(conn, taph, ip4h, ip6h, th, &tail, + tcp_fill_headers(c, conn, taph, eh, ip4h, ip6h, th, &tail, check, seq, no_tcp_csum); } @@ -194,14 +194,12 @@ int tcp_buf_send_flag(const struct ctx *c, struct tcp_tap_conn *conn, int flags) int ret; iov = tcp_l2_iov[tcp_payload_used]; - if (CONN_V4(conn)) { + if (CONN_V4(conn)) iov[TCP_IOV_IP] = IOV_OF_LVALUE(tcp4_payload_ip[tcp_payload_used]); - iov[TCP_IOV_ETH].iov_base = &tcp4_eth_src; - } else { + else iov[TCP_IOV_IP] = IOV_OF_LVALUE(tcp6_payload_ip[tcp_payload_used]); - iov[TCP_IOV_ETH].iov_base = &tcp6_eth_src; - } + iov[TCP_IOV_ETH] = IOV_OF_LVALUE(tcp_eth_hdr[tcp_payload_used]); payload = iov[TCP_IOV_PAYLOAD].iov_base; seq = conn->seq_to_tap; ret = tcp_prepare_flags(c, conn, flags, &payload->th, @@ -212,7 +210,7 @@ int tcp_buf_send_flag(const struct ctx *c, struct tcp_tap_conn *conn, int flags) tcp_payload_used++; l4len = optlen + sizeof(struct tcphdr); iov[TCP_IOV_PAYLOAD].iov_len = l4len; - tcp_l2_buf_fill_headers(conn, iov, NULL, seq, false); + tcp_l2_buf_fill_headers(c, conn, iov, NULL, seq, false); if (flags & DUP_ACK) { struct iovec *dup_iov = tcp_l2_iov[tcp_payload_used++]; @@ -259,11 +257,10 @@ static void tcp_data_to_tap(const struct ctx *c, struct tcp_tap_conn *conn, check = &iph->check; } iov[TCP_IOV_IP] = IOV_OF_LVALUE(tcp4_payload_ip[tcp_payload_used]); - iov[TCP_IOV_ETH].iov_base = &tcp4_eth_src; } else if (CONN_V6(conn)) { iov[TCP_IOV_IP] = IOV_OF_LVALUE(tcp6_payload_ip[tcp_payload_used]); - iov[TCP_IOV_ETH].iov_base = &tcp6_eth_src; } + iov[TCP_IOV_ETH].iov_base = &tcp_eth_hdr[tcp_payload_used]; payload = iov[TCP_IOV_PAYLOAD].iov_base; payload->th.th_off = sizeof(struct tcphdr) / 4; payload->th.th_x2 = 0; @@ -271,7 +268,7 @@ static void tcp_data_to_tap(const struct ctx *c, struct tcp_tap_conn *conn, payload->th.ack = 1; payload->th.psh = push; iov[TCP_IOV_PAYLOAD].iov_len = dlen + sizeof(struct tcphdr); - tcp_l2_buf_fill_headers(conn, iov, check, seq, false); + tcp_l2_buf_fill_headers(c, conn, iov, check, seq, false); if (++tcp_payload_used > TCP_FRAMES_MEM - 1) tcp_payload_flush(c); } diff --git a/tcp_internal.h b/tcp_internal.h index 36c6533..25f4cae 100644 --- a/tcp_internal.h +++ b/tcp_internal.h @@ -166,8 +166,8 @@ void tcp_rst_do(const struct ctx *c, struct tcp_tap_conn *conn); struct tcp_info_linux; -void tcp_fill_headers(const struct tcp_tap_conn *conn, - struct tap_hdr *taph, +void tcp_fill_headers(const struct ctx *c, struct tcp_tap_conn *conn, + struct tap_hdr *taph, struct ethhdr *eh, struct iphdr *ip4h, struct ipv6hdr *ip6h, struct tcphdr *th, struct iov_tail *payload, const uint16_t *ip4_check, uint32_t seq, bool no_tcp_csum); diff --git a/tcp_vu.c b/tcp_vu.c index cb39bc2..c7e289d 100644 --- a/tcp_vu.c +++ b/tcp_vu.c @@ -135,7 +135,7 @@ int tcp_vu_send_flag(const struct ctx *c, struct tcp_tap_conn *conn, int flags) flags_elem[0].in_sg[0].iov_len = hdrlen + optlen; payload = IOV_TAIL(flags_elem[0].in_sg, 1, hdrlen); - tcp_fill_headers(conn, NULL, ip4h, ip6h, th, &payload, + tcp_fill_headers(c, conn, NULL, eh, ip4h, ip6h, th, &payload, NULL, seq, !*c->pcap); if (*c->pcap) { @@ -315,7 +315,6 @@ static void tcp_vu_prepare(const struct ctx *c, struct tcp_tap_conn *conn, eh = vu_eth(base); memcpy(eh->h_dest, c->guest_mac, sizeof(eh->h_dest)); - memcpy(eh->h_source, c->our_tap_mac, sizeof(eh->h_source)); /* initialize header */ @@ -339,7 +338,7 @@ static void tcp_vu_prepare(const struct ctx *c, struct tcp_tap_conn *conn, th->ack = 1; th->psh = push; - tcp_fill_headers(conn, NULL, ip4h, ip6h, th, &payload, + tcp_fill_headers(c, conn, NULL, eh, ip4h, ip6h, th, &payload, *check, conn->seq_to_tap, no_tcp_csum); if (ip4h) *check = &ip4h->check; -- 2.50.1

Jon Maloy

5:03 p.m.

New subject: [PATCH v7 7/8] tap: change signature of function tap_push_l2h()

In the next commit it must be possible for the callers of function tap_push_l2h() to specify which source MAC address should be added to the ethernet header sent over the tap interface. As a preparation, we now add a new argument to that function, still without any logical changes. Signed-off-by: Jon Maloy Reviewed-by: David Gibson --- v3: -Improved comment for src_mac argument, as suggested by Stefano. v4: -Re-added comment in tap.c and remove redundant argument check in tap_push_l2() v5: -Ensured that MAC argument to tap_push_l2h() never is NULL. v6: -Clarification of comment about ARP lookup --- tap.c | 16 +++++++++------- tap.h | 3 ++- tcp.c | 5 +++-- 3 files changed, 14 insertions(+), 10 deletions(-) diff --git a/tap.c b/tap.c index 74557e1..a390be8 100644 --- a/tap.c +++ b/tap.c @@ -171,17 +171,19 @@ const struct in6_addr *tap_ip6_daddr(const struct ctx *c, * tap_push_l2h() - Build an L2 header for an inbound packet * @c: Execution context * @buf: Buffer address at which to generate header + * @src_mac: MAC address to be used as source for message. * @proto: Ethernet protocol number for L3 * * Return: pointer at which to write the packet's payload */ -void *tap_push_l2h(const struct ctx *c, void *buf, uint16_t proto) +void *tap_push_l2h(const struct ctx *c, void *buf, + const void *src_mac, uint16_t proto) { struct ethhdr *eh = (struct ethhdr *)buf; - /* TODO: ARP table lookup */ + /* TODO: ARP lookup on tap side */ memcpy(eh->h_dest, c->guest_mac, ETH_ALEN); - memcpy(eh->h_source, c->our_tap_mac, ETH_ALEN); + memcpy(eh->h_source, src_mac, ETH_ALEN); eh->h_proto = ntohs(proto); return eh + 1; } @@ -261,7 +263,7 @@ void tap_udp4_send(const struct ctx *c, struct in_addr src, in_port_t sport, { size_t l4len = dlen + sizeof(struct udphdr); char buf[USHRT_MAX]; - struct iphdr *ip4h = tap_push_l2h(c, buf, ETH_P_IP); + struct iphdr *ip4h = tap_push_l2h(c, buf, c->our_tap_mac, ETH_P_IP); struct udphdr *uh = tap_push_ip4h(ip4h, src, dst, l4len, IPPROTO_UDP); char *data = tap_push_uh4(uh, src, sport, dst, dport, in, dlen); @@ -281,7 +283,7 @@ void tap_icmp4_send(const struct ctx *c, struct in_addr src, struct in_addr dst, const void *in, size_t l4len) { char buf[USHRT_MAX]; - struct iphdr *ip4h = tap_push_l2h(c, buf, ETH_P_IP); + struct iphdr *ip4h = tap_push_l2h(c, buf, c->our_tap_mac, ETH_P_IP); struct icmphdr *icmp4h = tap_push_ip4h(ip4h, src, dst, l4len, IPPROTO_ICMP); @@ -367,7 +369,7 @@ void tap_udp6_send(const struct ctx *c, { size_t l4len = dlen + sizeof(struct udphdr); char buf[USHRT_MAX]; - struct ipv6hdr *ip6h = tap_push_l2h(c, buf, ETH_P_IPV6); + struct ipv6hdr *ip6h = tap_push_l2h(c, buf, c->our_tap_mac, ETH_P_IPV6); struct udphdr *uh = tap_push_ip6h(ip6h, src, dst, l4len, IPPROTO_UDP, flow); char *data = tap_push_uh6(uh, src, sport, dst, dport, in, dlen); @@ -389,7 +391,7 @@ void tap_icmp6_send(const struct ctx *c, const void *in, size_t l4len) { char buf[USHRT_MAX]; - struct ipv6hdr *ip6h = tap_push_l2h(c, buf, ETH_P_IPV6); + struct ipv6hdr *ip6h = tap_push_l2h(c, buf, c->our_tap_mac, ETH_P_IPV6); struct icmp6hdr *icmp6h = tap_push_ip6h(ip6h, src, dst, l4len, IPPROTO_ICMPV6, 0); diff --git a/tap.h b/tap.h index 21db4d2..02f7761 100644 --- a/tap.h +++ b/tap.h @@ -70,7 +70,8 @@ static inline void tap_hdr_update(struct tap_hdr *thdr, size_t l2len) } unsigned long tap_l2_max_len(const struct ctx *c); -void *tap_push_l2h(const struct ctx *c, void *buf, uint16_t proto); +void *tap_push_l2h(const struct ctx *c, void *buf, + const void *src_mac, uint16_t proto); void *tap_push_ip4h(struct iphdr *ip4h, struct in_addr src, struct in_addr dst, size_t l4len, uint8_t proto); void *tap_push_uh4(struct udphdr *uh, struct in_addr src, in_port_t sport, diff --git a/tcp.c b/tcp.c index 76fc0e4..b44fa62 100644 --- a/tcp.c +++ b/tcp.c @@ -1922,7 +1922,8 @@ static void tcp_rst_no_conn(const struct ctx *c, int af, return; if (af == AF_INET) { - struct iphdr *ip4h = tap_push_l2h(c, buf, ETH_P_IP); + struct iphdr *ip4h = tap_push_l2h(c, buf, c->our_tap_mac, + ETH_P_IP); const struct in_addr *rst_src = daddr; const struct in_addr *rst_dst = saddr; @@ -1932,7 +1933,7 @@ static void tcp_rst_no_conn(const struct ctx *c, int af, *rst_src, *rst_dst); } else { - struct ipv6hdr *ip6h = tap_push_l2h(c, buf, ETH_P_IPV6); + struct ipv6hdr *ip6h = tap_push_l2h(c, buf, c->our_tap_mac, ETH_P_IPV6); const struct in6_addr *rst_src = daddr; const struct in6_addr *rst_dst = saddr; -- 2.50.1

Jon Maloy

5:03 p.m.

New subject: [PATCH v7 8/8] icmp: let icmp use mac address from flowside structure

Even ICMP needs to be updated to use the external MAC address instead of just the own tap address when applicable. We do that here. Signed-off-by: Jon Maloy Reviewed-by: David Gibson --- v3: - Adapted to the move of external MAC address from struct flowside to struct flow_common v4: - Adapted to name changes in previous commits in this series v5: - Added conditional lookup in ARP/NDP if the flow's tap_omac is undefined v6: - Looking up MAC of ICMP generating node in udp_send_tap_icmp4/6() when available, instead trusting the contents of flow->tap_omac. --- icmp.c | 8 ++++++-- ndp.c | 2 +- tap.c | 10 ++++++---- tap.h | 4 ++-- udp.c | 12 ++++++++++-- 5 files changed, 25 insertions(+), 11 deletions(-) diff --git a/icmp.c b/icmp.c index 6dffafb..1d99632 100644 --- a/icmp.c +++ b/icmp.c @@ -125,17 +125,21 @@ void icmp_sock_handler(const struct ctx *c, union epoll_ref ref) flow_dbg(pingf, "echo reply to tap, ID: %"PRIu16", seq: %"PRIu16, ini->eport, seq); + /* Try to find true MAC address in ARP/NDP table if needed */ + if (MAC_IS_ZERO(pingf->f.tap_omac)) + fwd_neigh_mac_get(c, &ini->oaddr, pingf->f.tap_omac); + if (pingf->f.type == FLOW_PING4) { const struct in_addr *saddr = inany_v4(&ini->oaddr); const struct in_addr *daddr = inany_v4(&ini->eaddr); ASSERT(saddr && daddr); /* Must have IPv4 addresses */ - tap_icmp4_send(c, *saddr, *daddr, buf, n); + tap_icmp4_send(c, *saddr, *daddr, buf, pingf->f.tap_omac, n); } else if (pingf->f.type == FLOW_PING6) { const struct in6_addr *saddr = &ini->oaddr.a6; const struct in6_addr *daddr = &ini->eaddr.a6; - tap_icmp6_send(c, saddr, daddr, buf, n); + tap_icmp6_send(c, saddr, daddr, buf, pingf->f.tap_omac, n); } return; diff --git a/ndp.c b/ndp.c index 944371c..1e9d0f4 100644 --- a/ndp.c +++ b/ndp.c @@ -184,7 +184,7 @@ static void ndp_send(const struct ctx *c, const struct in6_addr *dst, { const struct in6_addr *src = &c->ip6.our_tap_ll; - tap_icmp6_send(c, src, dst, buf, l4len); + tap_icmp6_send(c, src, dst, buf, c->our_tap_mac, l4len); } /** diff --git a/tap.c b/tap.c index a390be8..8b10e14 100644 --- a/tap.c +++ b/tap.c @@ -277,13 +277,14 @@ void tap_udp4_send(const struct ctx *c, struct in_addr src, in_port_t sport, * @src: IPv4 source address * @dst: IPv4 destination address * @in: ICMP packet, including ICMP header + * @src_mac: MAC address to be used as source for message * @l4len: ICMP packet length, including ICMP header */ void tap_icmp4_send(const struct ctx *c, struct in_addr src, struct in_addr dst, - const void *in, size_t l4len) + const void *in, const void *src_mac, size_t l4len) { char buf[USHRT_MAX]; - struct iphdr *ip4h = tap_push_l2h(c, buf, c->our_tap_mac, ETH_P_IP); + struct iphdr *ip4h = tap_push_l2h(c, buf, src_mac, ETH_P_IP); struct icmphdr *icmp4h = tap_push_ip4h(ip4h, src, dst, l4len, IPPROTO_ICMP); @@ -384,14 +385,15 @@ void tap_udp6_send(const struct ctx *c, * @src: IPv6 source address * @dst: IPv6 destination address * @in: ICMP packet, including ICMP header + * @src_mac: MAC address to be used as source for message * @l4len: ICMP packet length, including ICMP header */ void tap_icmp6_send(const struct ctx *c, const struct in6_addr *src, const struct in6_addr *dst, - const void *in, size_t l4len) + const void *in, const void *src_mac, size_t l4len) { char buf[USHRT_MAX]; - struct ipv6hdr *ip6h = tap_push_l2h(c, buf, c->our_tap_mac, ETH_P_IPV6); + struct ipv6hdr *ip6h = tap_push_l2h(c, buf, src_mac, ETH_P_IPV6); struct icmp6hdr *icmp6h = tap_push_ip6h(ip6h, src, dst, l4len, IPPROTO_ICMPV6, 0); diff --git a/tap.h b/tap.h index 02f7761..1864173 100644 --- a/tap.h +++ b/tap.h @@ -91,7 +91,7 @@ void tap_udp4_send(const struct ctx *c, struct in_addr src, in_port_t sport, struct in_addr dst, in_port_t dport, const void *in, size_t dlen); void tap_icmp4_send(const struct ctx *c, struct in_addr src, struct in_addr dst, - const void *in, size_t l4len); + const void *in, const void *src_mac, size_t l4len); const struct in6_addr *tap_ip6_daddr(const struct ctx *c, const struct in6_addr *src); void *tap_push_ip6h(struct ipv6hdr *ip6h, @@ -103,7 +103,7 @@ void tap_udp6_send(const struct ctx *c, uint32_t flow, void *in, size_t dlen); void tap_icmp6_send(const struct ctx *c, const struct in6_addr *src, const struct in6_addr *dst, - const void *in, size_t l4len); + const void *in, const void *src_mac, size_t l4len); void tap_send_single(const struct ctx *c, const void *data, size_t l2len); size_t tap_send_frames(const struct ctx *c, const struct iovec *iov, size_t bufs_per_frame, size_t nframes); diff --git a/udp.c b/udp.c index eb57f05..ff15e37 100644 --- a/udp.c +++ b/udp.c @@ -400,6 +400,8 @@ static void udp_send_tap_icmp4(const struct ctx *c, struct in_addr eaddr = toside->eaddr.v4mapped.a4; in_port_t eport = toside->eport; in_port_t oport = toside->oport; + union inany_addr saddr_any; + uint8_t tap_omac[ETH_ALEN]; struct { struct icmphdr icmp4h; struct iphdr ip4h; @@ -421,7 +423,10 @@ static void udp_send_tap_icmp4(const struct ctx *c, tap_push_uh4(&msg.uh, eaddr, eport, oaddr, oport, in, dlen); memcpy(&msg.data, in, dlen); - tap_icmp4_send(c, saddr, eaddr, &msg, msglen); + /* Try to obtain the MAC address of the generating node */ + saddr_any = inany_from_v4(saddr); + fwd_neigh_mac_get(c, &saddr_any, tap_omac); + tap_icmp4_send(c, saddr, eaddr, &msg, tap_omac, msglen); } @@ -445,6 +450,7 @@ static void udp_send_tap_icmp6(const struct ctx *c, const struct in6_addr *eaddr = &toside->eaddr.a6; in_port_t eport = toside->eport; in_port_t oport = toside->oport; + uint8_t tap_omac[ETH_ALEN]; struct { struct icmp6_hdr icmp6h; struct ipv6hdr ip6h; @@ -466,7 +472,9 @@ static void udp_send_tap_icmp6(const struct ctx *c, tap_push_uh6(&msg.uh, eaddr, eport, oaddr, oport, in, dlen); memcpy(&msg.data, in, dlen); - tap_icmp6_send(c, saddr, eaddr, &msg, msglen); + /* Try to obtain the MAC address of the generating node */ + fwd_neigh_mac_get(c, (union inany_addr *) saddr, tap_omac); + tap_icmp6_send(c, saddr, eaddr, &msg, tap_omac, msglen); } /** -- 2.50.1

Age (days ago)

Last active (days ago)

List overview

Download

9 comments

2 participants

participants (2)

David Gibson
Jon Maloy

[PATCH v7 0/8] Use true MAC address of LAN local remote hosts

tags

participants (2)