diff options
author | Stefano Brivio <sbrivio@redhat.com> | 2021-04-29 16:59:20 +0200 |
---|---|---|
committer | Stefano Brivio <sbrivio@redhat.com> | 2021-04-29 17:15:26 +0200 |
commit | 605af213c5e0fa047f6d8caef5bcef61a0987c8d (patch) | |
tree | 45615e603964adee64bfecdc40e119bd33d77859 | |
parent | 50bcddabc9e2c0dbd313a61cda1606045a67a8de (diff) | |
download | passt-605af213c5e0fa047f6d8caef5bcef61a0987c8d.tar passt-605af213c5e0fa047f6d8caef5bcef61a0987c8d.tar.gz passt-605af213c5e0fa047f6d8caef5bcef61a0987c8d.tar.bz2 passt-605af213c5e0fa047f6d8caef5bcef61a0987c8d.tar.lz passt-605af213c5e0fa047f6d8caef5bcef61a0987c8d.tar.xz passt-605af213c5e0fa047f6d8caef5bcef61a0987c8d.tar.zst passt-605af213c5e0fa047f6d8caef5bcef61a0987c8d.zip |
udp: Connection tracking for ephemeral, local ports, and related fixes
As we support UDP forwarding for packets that are sent to local
ports, we actually need some kind of connection tracking for UDP.
While at it, this commit introduces a number of vaguely related fixes
for issues observed while trying this out. In detail:
- implement an explicit, albeit minimalistic, connection tracking
for UDP, to allow usage of ephemeral ports by the guest and by
the host at the same time, by binding them dynamically as needed,
and to allow mapping address changes for packets with a loopback
address as destination
- set the guest MAC address whenever we receive a packet from tap
instead of waiting for an ARP request, and set it to broadcast on
start, otherwise DHCPv6 might not work if all DHCPv6 requests time
out before the guest starts talking IPv4
- split context IPv6 address into address we assign, global or site
address seen on tap, and link-local address seen on tap, and make
sure we use the addresses we've seen as destination (link-local
choice depends on source address). Similarly, for IPv4, split into
address we assign and address we observe, and use the address we
observe as destination
- introduce a clock_gettime() syscall right after epoll_wait() wakes
up, so that we can remove all the other ones and pass the current
timestamp to tap and socket handlers -- this is additionally needed
by UDP to time out bindings to ephemeral ports and mappings between
loopback address and a local address
- rename sock_l4_add() to sock_l4(), no semantic changes intended
- include <arpa/inet.h> in passt.c before kernel headers so that we
can use <netinet/in.h> macros to check IPv6 address types, and
remove a duplicate <linux/ip.h> inclusion
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
-rw-r--r-- | README.md | 17 | ||||
-rw-r--r-- | arp.c | 2 | ||||
-rw-r--r-- | dhcpv6.c | 3 | ||||
-rw-r--r-- | icmp.c | 13 | ||||
-rw-r--r-- | icmp.h | 5 | ||||
-rw-r--r-- | passt.c | 100 | ||||
-rw-r--r-- | passt.h | 35 | ||||
-rw-r--r-- | tap.c | 7 | ||||
-rw-r--r-- | tcp.c | 72 | ||||
-rw-r--r-- | tcp.h | 9 | ||||
-rw-r--r-- | udp.c | 278 | ||||
-rw-r--r-- | udp.h | 10 | ||||
-rw-r--r-- | util.c | 16 | ||||
-rw-r--r-- | util.h | 8 |
14 files changed, 440 insertions, 135 deletions
@@ -188,7 +188,8 @@ can't practically run on the host: For IPv4, the guest is assigned, via DHCP, the same address as the upstream interface of the host, and the same default gateway as the default gateway of -the host. Addresses are never translated. +the host. Addresses are translated in case the guest is seen using a different +address from the assigned one. For IPv6, the guest is assigned, via SLAAC, the same prefix as the upstream interface of the host, the same default route as the default route of the @@ -197,6 +198,12 @@ the upstream address of the host. This means that, with a DHCPv6 client on the guest, addresses don't need to be translated. Should the client use a different address, the destination address is translated for packets going to the guest. +For UDP and TCP, for both IPv4 and IPv6, packets addressed to a loopback address +are forwarded to the guest with their source address changed to the address of +the gateway or first hop of the default route. This mapping is reversed as the +guest replies to those packets (on the same TCP connection, or using destination +port and address that were used as source for UDP). + ## Protocols _passt_ supports TCP, UDP and ICMP/ICMPv6 echo (requests and replies). More @@ -209,9 +216,11 @@ An IGMP proxy is currently work in progress. ## Ports To avoid the need for explicit port mapping configuration, _passt_ binds to all -unbound non-ephemeral (0-49152) TCP ports and all unbound (0-65536) UDP ports. -Binding to low ports (0-1023) will fail without additional capabilities, and -ports already bound (service proxies, etc.) will also not be used. +unbound non-ephemeral (0-49152) TCP and UDP ports. Binding to low ports (0-1023) +will fail without additional capabilities, and ports already bound (service +proxies, etc.) will also not be used. + +UDP ephemeral ports are bound dynamically, as the guest uses them. Service proxies and other services running in the container need to be started before _passt_ starts. @@ -77,8 +77,6 @@ int arp(struct ctx *c, struct ethhdr *eh, size_t len) len = sizeof(*eh) + sizeof(*ah) + sizeof(*am); memcpy(eh->h_dest, eh->h_source, ETH_ALEN); - /* HACK */ - memcpy(c->mac_guest, eh->h_source, ETH_ALEN); memcpy(eh->h_source, c->mac, ETH_ALEN); if (tap_send(c->fd_unix, eh, len, 0) < 0) @@ -383,7 +383,7 @@ int dhcpv6(struct ctx *c, struct ethhdr *eh, size_t len) mlen < sizeof(struct msg_hdr)) return -1; - c->addr6_guest = ip6h->saddr; + c->addr6_ll_seen = ip6h->saddr; mh = (struct msg_hdr *)(uh + 1); mlen -= sizeof(struct msg_hdr); @@ -483,6 +483,7 @@ int dhcpv6(struct ctx *c, struct ethhdr *eh, size_t len) resp.hdr.xid = mh->xid; tap_ip_send(c, &c->gw6, IPPROTO_UDP, (char *)&resp, n); + c->addr6_seen = c->addr6; return 1; } @@ -38,8 +38,10 @@ * @c: Execution context * @s: File descriptor number for socket * @events: epoll events bitmap + * @now: Current timestamp, unused */ -void icmp_sock_handler(struct ctx *c, int s, uint32_t events) +void icmp_sock_handler(struct ctx *c, int s, uint32_t events, + struct timespec *now) { struct in6_addr a6 = { .s6_addr = { 0, 0, 0, 0, 0, 0, 0, 0, @@ -51,6 +53,7 @@ void icmp_sock_handler(struct ctx *c, int s, uint32_t events) ssize_t n; (void)events; + (void)now; n = recvfrom(s, buf, sizeof(buf), MSG_DONTWAIT, (struct sockaddr *)&sr, &slen); @@ -79,13 +82,15 @@ void icmp_sock_handler(struct ctx *c, int s, uint32_t events) * @af: Address family, AF_INET or AF_INET6 * @msg: Input message * @count: Message count (always 1 for ICMP) + * @now: Current timestamp, unused * * Return: count of consumed packets (always 1, even if malformed) */ int icmp_tap_handler(struct ctx *c, int af, void *addr, - struct tap_msg *msg, int count) + struct tap_msg *msg, int count, struct timespec *now) { (void)count; + (void)now; if (af == AF_INET) { struct icmphdr *ih = (struct icmphdr *)msg[0].l4h; @@ -138,10 +143,10 @@ int icmp_sock_init(struct ctx *c) c->icmp.fd_min = INT_MAX; c->icmp.fd_max = 0; - if (c->v4 && (c->icmp.s4 = sock_l4_add(c, 4, IPPROTO_ICMP, 0)) < 0) + if (c->v4 && (c->icmp.s4 = sock_l4(c, AF_INET, IPPROTO_ICMP, 0)) < 0) return -1; - if (c->v6 && (c->icmp.s6 = sock_l4_add(c, 6, IPPROTO_ICMPV6, 0)) < 0) + if (c->v6 && (c->icmp.s6 = sock_l4(c, AF_INET6, IPPROTO_ICMPV6, 0)) < 0) return -1; return 0; @@ -3,9 +3,10 @@ struct ctx; -void icmp_sock_handler(struct ctx *c, int s, uint32_t events); +void icmp_sock_handler(struct ctx *c, int s, uint32_t events, + struct timespec *now); int icmp_tap_handler(struct ctx *c, int af, void *addr, - struct tap_msg *msg, int count); + struct tap_msg *msg, int count, struct timespec *now); int icmp_sock_init(struct ctx *c); /** @@ -24,6 +24,7 @@ #include <ifaddrs.h> #include <linux/if_ether.h> #include <linux/if_packet.h> +#include <arpa/inet.h> #include <linux/ip.h> #include <linux/ipv6.h> #include <linux/tcp.h> @@ -33,12 +34,10 @@ #include <net/ethernet.h> #include <stdlib.h> #include <unistd.h> -#include <arpa/inet.h> #include <net/if.h> #include <netdb.h> #include <string.h> #include <errno.h> -#include <linux/ip.h> #include <linux/netlink.h> #include <linux/rtnetlink.h> #include <time.h> @@ -61,7 +60,7 @@ #define TAP_BUF_FILL (TAP_BUF_BYTES - ETH_MAX_MTU - sizeof(uint32_t)) #define TAP_MSGS (TAP_BUF_BYTES / sizeof(struct ethhdr) + 1) -#define TIMER_INTERVAL 20 /* ms, for protocol periodic handlers */ +#define TIMER_INTERVAL MIN(TCP_TIMER_INTERVAL, UDP_TIMER_INTERVAL) /** * sock_unix() - Create and bind AF_UNIX socket, add to epoll list @@ -232,7 +231,7 @@ static void get_addrs(struct ctx *c) if (ifa->ifa_addr->sa_family == AF_INET && !v4) { in_addr = (struct sockaddr_in *)ifa->ifa_addr; - c->addr4 = in_addr->sin_addr.s_addr; + c->addr4_seen = c->addr4 = in_addr->sin_addr.s_addr; in_addr = (struct sockaddr_in *)ifa->ifa_netmask; c->mask4 = in_addr->sin_addr.s_addr; v4 = 1; @@ -240,6 +239,10 @@ static void get_addrs(struct ctx *c) in6_addr = (struct sockaddr_in6 *)ifa->ifa_addr; memcpy(&c->addr6, &in6_addr->sin6_addr, sizeof(c->addr6)); + memcpy(&c->addr6_seen, &in6_addr->sin6_addr, + sizeof(c->addr6_seen)); + memcpy(&c->addr6_ll_seen, &in6_addr->sin6_addr, + sizeof(c->addr6_seen)); v6 = 1; } @@ -310,10 +313,12 @@ static void get_dns(struct ctx *c) * @c: Execution context * @msg: Array of messages with the same L3 protocol * @count: Count of messages with the same L3 protocol + * @now: Current timestamp * * Return: count of packets consumed by handlers */ -static int tap4_handler(struct ctx *c, struct tap_msg *msg, size_t count) +static int tap4_handler(struct ctx *c, struct tap_msg *msg, size_t count, + struct timespec *now) { char buf_s[INET_ADDRSTRLEN] __attribute((__unused__)); char buf_d[INET_ADDRSTRLEN] __attribute((__unused__)); @@ -342,6 +347,8 @@ static int tap4_handler(struct ctx *c, struct tap_msg *msg, size_t count) iph = (struct iphdr *)(eh + 1); l4h = (char *)iph + iph->ihl * 4; + c->addr4_seen = iph->saddr; + msg[i].l4h = l4h; msg[i].l4_len = len - ((intptr_t)l4h - (intptr_t)eh); @@ -397,13 +404,13 @@ static int tap4_handler(struct ctx *c, struct tap_msg *msg, size_t count) } if (iph->protocol == IPPROTO_TCP) - return tcp_tap_handler(c, AF_INET, &iph->daddr, msg, i); + return tcp_tap_handler(c, AF_INET, &iph->daddr, msg, i, now); if (iph->protocol == IPPROTO_UDP) - return udp_tap_handler(c, AF_INET, &iph->daddr, msg, i); + return udp_tap_handler(c, AF_INET, &iph->daddr, msg, i, now); if (iph->protocol == IPPROTO_ICMP) - icmp_tap_handler(c, AF_INET, &iph->daddr, msg, 1); + icmp_tap_handler(c, AF_INET, &iph->daddr, msg, 1, now); return 1; } @@ -413,8 +420,10 @@ static int tap4_handler(struct ctx *c, struct tap_msg *msg, size_t count) * @c: Execution context * @msg: Array of messages with the same L3 protocol * @count: Count of messages with the same L3 protocol + * @now: Current timestamp */ -static int tap6_handler(struct ctx *c, struct tap_msg *msg, size_t count) +static int tap6_handler(struct ctx *c, struct tap_msg *msg, size_t count, + struct timespec *now) { char buf_s[INET6_ADDRSTRLEN] __attribute((__unused__)); char buf_d[INET6_ADDRSTRLEN] __attribute((__unused__)); @@ -449,7 +458,11 @@ static int tap6_handler(struct ctx *c, struct tap_msg *msg, size_t count) msg[i].l4h = l4h; msg[i].l4_len = len - ((intptr_t)l4h - (intptr_t)eh); - c->addr6_guest = ip6h->saddr; + if (IN6_IS_ADDR_LINKLOCAL(&ip6h->saddr)) + c->addr6_ll_seen = ip6h->saddr; + else + c->addr6_seen = ip6h->saddr; + ip6h->saddr = c->addr6; if (proto != IPPROTO_TCP && proto != IPPROTO_UDP) @@ -506,13 +519,13 @@ static int tap6_handler(struct ctx *c, struct tap_msg *msg, size_t count) } if (proto == IPPROTO_TCP) - return tcp_tap_handler(c, AF_INET6, &ip6h->daddr, msg, i); + return tcp_tap_handler(c, AF_INET6, &ip6h->daddr, msg, i, now); if (proto == IPPROTO_UDP) - return udp_tap_handler(c, AF_INET6, &ip6h->daddr, msg, i); + return udp_tap_handler(c, AF_INET6, &ip6h->daddr, msg, i, now); if (proto == IPPROTO_ICMPV6) - icmp_tap_handler(c, AF_INET6, &ip6h->daddr, msg, 1); + icmp_tap_handler(c, AF_INET6, &ip6h->daddr, msg, 1, now); return 1; } @@ -522,10 +535,11 @@ static char tap_buf[TAP_BUF_BYTES]; /** * tap_handler() - Packet handler for tap file descriptor * @c: Execution context + * @now: Current timestamp * * Return: -ECONNRESET if tap connection was lost, 0 otherwise */ -static int tap_handler(struct ctx *c) +static int tap_handler(struct ctx *c, struct timespec *now) { struct tap_msg msg[TAP_MSGS]; int msg_count, same, i; @@ -563,9 +577,12 @@ static int tap_handler(struct ctx *c) i = 0; while (i < msg_count) { eh = (struct ethhdr *)msg[i].start; + + memcpy(c->mac_guest, eh->h_source, ETH_ALEN); + switch (ntohs(eh->h_proto)) { case ETH_P_ARP: - tap4_handler(c, msg + i, 1); + tap4_handler(c, msg + i, 1, now); i++; break; case ETH_P_IP: @@ -578,7 +595,7 @@ static int tap_handler(struct ctx *c) break; } - i += tap4_handler(c, msg + i, same); + i += tap4_handler(c, msg + i, same, now); break; case ETH_P_IPV6: for (same = 1; i + same < msg_count && @@ -590,7 +607,7 @@ static int tap_handler(struct ctx *c) break; } - i += tap6_handler(c, msg + i, same); + i += tap6_handler(c, msg + i, same, now); break; default: i++; @@ -614,9 +631,11 @@ static int tap_handler(struct ctx *c) * sock_handler() - Event handler for L4 sockets * @c: Execution context * @s: Socket associated to event - * @events epoll events + * @events: epoll events + * @now: Current timestamp */ -static void sock_handler(struct ctx *c, int s, uint32_t events) +static void sock_handler(struct ctx *c, int s, uint32_t events, + struct timespec *now) { socklen_t sl; int proto; @@ -641,29 +660,29 @@ static void sock_handler(struct ctx *c, int s, uint32_t events) debug("%s: packet from socket %i", getprotobynumber(proto)->p_name, s); if (proto == IPPROTO_ICMP || proto == IPPROTO_ICMPV6) - icmp_sock_handler(c, s, events); + icmp_sock_handler(c, s, events, now); else if (proto == IPPROTO_TCP) - tcp_sock_handler(c, s, events); + tcp_sock_handler(c, s, events, now); else if (proto == IPPROTO_UDP) - udp_sock_handler(c, s, events); + udp_sock_handler(c, s, events, now); } /** * timer_handler() - Run periodic tasks for L4 protocol handlers * @c: Execution context - * @last: Timestamp of last run, updated on return + * @now: Current timestamp */ -static void timer_handler(struct ctx *c, struct timespec *last) +static void timer_handler(struct ctx *c, struct timespec *now) { - struct timespec tmp; - - clock_gettime(CLOCK_MONOTONIC, &tmp); - if (timespec_diff_ms(&tmp, last) < TIMER_INTERVAL) - return; - - tcp_timer(c, &tmp); + if (timespec_diff_ms(now, &c->tcp.timer_run) >= TCP_TIMER_INTERVAL) { + tcp_timer(c, now); + c->tcp.timer_run = *now; + } - *last = tmp; + if (timespec_diff_ms(now, &c->udp.timer_run) >= UDP_TIMER_INTERVAL) { + udp_timer(c, now); + c->udp.timer_run = *now; + } } /** @@ -690,15 +709,15 @@ int main(int argc, char **argv) char buf6[3][INET6_ADDRSTRLEN]; char buf4[4][INET_ADDRSTRLEN]; struct epoll_event ev = { 0 }; - struct timespec last_time; struct ctx c = { 0 }; int nfds, i, fd_unix; struct rlimit limit; + struct timespec now; if (argc != 1) usage(argv[0]); - if (clock_gettime(CLOCK_MONOTONIC, &last_time)) { + if (clock_gettime(CLOCK_MONOTONIC, &now)) { perror("clock_gettime"); exit(EXIT_FAILURE); } @@ -741,6 +760,8 @@ int main(int argc, char **argv) if (c.v6) dhcpv6_init(&c); + memset(&c.mac_guest, 0xff, sizeof(c.mac_guest)); + if (c.v4) { info("ARP:"); info(" address: %02x:%02x:%02x:%02x:%02x:%02x from %s", @@ -781,8 +802,6 @@ listen: ev.data.fd = c.fd_unix; epoll_ctl(c.epollfd, EPOLL_CTL_ADD, c.fd_unix, &ev); - clock_gettime(CLOCK_MONOTONIC, &last_time); - loop: nfds = epoll_wait(c.epollfd, events, EPOLL_EVENTS, TIMER_INTERVAL); if (nfds == -1 && errno != EINTR) { @@ -790,19 +809,22 @@ loop: exit(EXIT_FAILURE); } + clock_gettime(CLOCK_MONOTONIC, &now); + for (i = 0; i < nfds; i++) { if (events[i].data.fd == c.fd_unix) { if (events[i].events & EPOLLRDHUP || events[i].events & EPOLLHUP || events[i].events & EPOLLERR || - tap_handler(&c)) + tap_handler(&c, &now)) goto listen; } else { - sock_handler(&c, events[i].data.fd, events[i].events); + sock_handler(&c, events[i].data.fd, events[i].events, + &now); } } - timer_handler(&c, &last_time); + timer_handler(&c, &now); goto loop; @@ -20,20 +20,23 @@ struct tap_msg { /** * struct ctx - Execution context - * @epollfd: file descriptor for epoll instance - * @fd_unix: AF_UNIX socket for tap file descriptor - * @v4: Enable IPv4 transport - * @mac: Host MAC address - * @mac_guest: Guest MAC address - * @addr4: IPv4 address for external, routable interface - * @mask4: IPv4 netmask, network order - * @gw4: Default IPv4 gateway, network order - * @dns4: IPv4 DNS address, network order - * @v6: Enable IPv6 transport - * @addr6: IPv6 address for external, routable interface - * @gw6: Default IPv6 gateway - * @dns4: IPv6 DNS address - * @ifn: Name of routable interface + * @epollfd: file descriptor for epoll instance + * @fd_unix: AF_UNIX socket for tap file descriptor + * @v4: Enable IPv4 transport + * @mac: Host MAC address + * @mac_guest: Guest MAC address + * @addr4: IPv4 address for external, routable interface + * @addr4_seen: Latest IPv4 address seen as source from tap + * @mask4: IPv4 netmask, network order + * @gw4: Default IPv4 gateway, network order + * @dns4: IPv4 DNS address, network order + * @v6: Enable IPv6 transport + * @addr6: IPv6 address for external, routable interface + * @addr6_seen: Latest IPv6 global/site address seen as source from tap + * @addr6_ll_seen: Latest IPv6 link-local address seen as source from tap + * @gw6: Default IPv6 gateway + * @dns4: IPv6 DNS address + * @ifn: Name of routable interface */ struct ctx { int epollfd; @@ -43,13 +46,15 @@ struct ctx { int v4; uint32_t addr4; + uint32_t addr4_seen; uint32_t mask4; uint32_t gw4; uint32_t dns4; int v6; struct in6_addr addr6; - struct in6_addr addr6_guest; + struct in6_addr addr6_seen; + struct in6_addr addr6_ll_seen; struct in6_addr gw6; struct in6_addr dns6; @@ -76,7 +76,7 @@ void tap_ip_send(struct ctx *c, struct in6_addr *src, uint8_t proto, iph->frag_off = 0; iph->ttl = 255; iph->protocol = proto; - iph->daddr = c->addr4; + iph->daddr = c->addr4_seen; memcpy(&iph->saddr, &src->s6_addr[12], 4); iph->check = 0; @@ -104,7 +104,10 @@ void tap_ip_send(struct ctx *c, struct in6_addr *src, uint8_t proto, ip6h->priority = 0; ip6h->saddr = *src; - ip6h->daddr = c->addr6_guest; + if (IN6_IS_ADDR_LINKLOCAL(src)) + ip6h->daddr = c->addr6_ll_seen; + else + ip6h->daddr = c->addr6_seen; memcpy(data, in, len); @@ -846,17 +846,16 @@ static void tcp_clamp_window(int s, struct tcphdr *th, int len, int init) * @addr: Remote address, pointer to sin_addr or sin6_addr * @dstport: Destination port, connection-wise, network order * @srcport: Source port, connection-wise, network order + * @now: Current timestamp * * Return: initial TCP sequence */ static uint32_t tcp_seq_init(struct ctx *c, int af, void *addr, - in_port_t dstport, in_port_t srcport) + in_port_t dstport, in_port_t srcport, + struct timespec *now) { - struct timespec ts = { 0 }; uint32_t ns, seq = 0; - clock_gettime(CLOCK_MONOTONIC, &ts); - if (af == AF_INET) { struct { struct in_addr src; @@ -887,8 +886,8 @@ static uint32_t tcp_seq_init(struct ctx *c, int af, void *addr, seq = siphash_36b((uint8_t *)&in, c->tcp.hash_secret); } - ns = ts.tv_sec * 1E9; - ns += ts.tv_nsec >> 5; /* 32ns ticks, overflows 32 bits every 137s */ + ns = now->tv_sec * 1E9; + ns += now->tv_nsec >> 5; /* 32ns ticks, overflows 32 bits every 137s */ return seq + ns; } @@ -900,9 +899,11 @@ static uint32_t tcp_seq_init(struct ctx *c, int af, void *addr, * @addr: Remote address, pointer to sin_addr or sin6_addr * @th: TCP header from tap * @len: Packet length at L4 + * @now: Current timestamp */ static void tcp_conn_from_tap(struct ctx *c, int af, void *addr, - struct tcphdr *th, size_t len) + struct tcphdr *th, size_t len, + struct timespec *now) { struct sockaddr_in addr4 = { .sin_family = AF_INET, @@ -948,9 +949,7 @@ static void tcp_conn_from_tap(struct ctx *c, int af, void *addr, tc[s].sock_port = th->dest; tc[s].tap_port = th->source; - clock_gettime(CLOCK_MONOTONIC, &tc[s].ts_sock); - clock_gettime(CLOCK_MONOTONIC, &tc[s].ts_tap); - clock_gettime(CLOCK_MONOTONIC, &tc[s].ts_ack_tap); + tc[s].ts_sock = tc[s].ts_tap = tc[s].ts_ack_tap = *now; tcp_act_set(s); @@ -961,7 +960,7 @@ static void tcp_conn_from_tap(struct ctx *c, int af, void *addr, tc[s].seq_from_tap = tc[s].seq_init_from_tap + 1; tc[s].seq_ack_to_tap = tc[s].seq_from_tap; - tc[s].seq_to_tap = tcp_seq_init(c, af, addr, th->dest, th->source); + tc[s].seq_to_tap = tcp_seq_init(c, af, addr, th->dest, th->source, now); tc[s].seq_ack_from_tap = tc[s].seq_to_tap + 1; tcp_sock_hash_insert(c, s, af, addr, th->source, th->dest); @@ -988,8 +987,9 @@ static void tcp_conn_from_tap(struct ctx *c, int af, void *addr, * tcp_conn_from_sock() - Handle new connection request from listening socket * @c: Execution context * @fd: File descriptor number for listening socket + * @now: Current timestamp */ -static void tcp_conn_from_sock(struct ctx *c, int fd) +static void tcp_conn_from_sock(struct ctx *c, int fd, struct timespec *now) { struct sockaddr_storage sa_r, sa_l; socklen_t sa_len = sizeof(sa_l); @@ -1023,7 +1023,8 @@ static void tcp_conn_from_sock(struct ctx *c, int fd) tc[s].seq_to_tap = tcp_seq_init(c, AF_INET, &sa4->sin_addr, tc[s].sock_port, - tc[s].tap_port); + tc[s].tap_port, + now); tcp_sock_hash_insert(c, s, AF_INET, &sa4->sin_addr, tc[s].tap_port, tc[s].sock_port); @@ -1040,7 +1041,8 @@ static void tcp_conn_from_sock(struct ctx *c, int fd) tc[s].seq_to_tap = tcp_seq_init(c, AF_INET6, &sa6->sin6_addr, tc[s].sock_port, - tc[s].tap_port); + tc[s].tap_port, + now); tcp_sock_hash_insert(c, s, AF_INET6, &sa6->sin6_addr, tc[s].tap_port, tc[s].sock_port); @@ -1051,9 +1053,7 @@ static void tcp_conn_from_sock(struct ctx *c, int fd) tc[s].tap_window = WINDOW_DEFAULT; tc[s].ws_allowed = 1; - clock_gettime(CLOCK_MONOTONIC, &tc[s].ts_sock); - clock_gettime(CLOCK_MONOTONIC, &tc[s].ts_tap); - clock_gettime(CLOCK_MONOTONIC, &tc[s].ts_ack_tap); + tc[s].ts_sock = tc[s].ts_tap = tc[s].ts_ack_tap = *now; tcp_act_set(s); @@ -1143,10 +1143,11 @@ static void tcp_sock_consume(int s, uint32_t ack_seq) * tcp_data_from_sock() - Handle new data from socket, queue to tap, in window * @c: Execution context * @s: File descriptor number for socket + * @now: Current timestamp * * Return: negative on connection reset, 1 on pending data, 0 otherwise */ -static int tcp_data_from_sock(struct ctx *c, int s) +static int tcp_data_from_sock(struct ctx *c, int s, struct timespec *now) { int len, err, offset, left, send; @@ -1188,7 +1189,7 @@ static int tcp_data_from_sock(struct ctx *c, int s) } out: - clock_gettime(CLOCK_MONOTONIC, &tc[s].ts_sock); + tc[s].ts_sock = *now; return !!left; } @@ -1199,11 +1200,12 @@ out: * @af: Address family, AF_INET or AF_INET6 * @msg: Input messages * @count: Message count + * @now: Current timestamp * * Return: count of consumed packets */ int tcp_tap_handler(struct ctx *c, int af, void *addr, - struct tap_msg *msg, int count) + struct tap_msg *msg, int count, struct timespec *now) { /* TODO: Implement message batching for TCP */ struct tcphdr *th = (struct tcphdr *)msg[0].l4h; @@ -1224,7 +1226,7 @@ int tcp_tap_handler(struct ctx *c, int af, void *addr, if ((s = tcp_sock_hash_lookup(c, af, addr, th->source, th->dest)) < 0) { if (th->syn) - tcp_conn_from_tap(c, af, addr, th, len); + tcp_conn_from_tap(c, af, addr, th, len, now); return 1; } @@ -1235,7 +1237,7 @@ int tcp_tap_handler(struct ctx *c, int af, void *addr, tcp_clamp_window(s, th, len, th->syn && th->ack); - clock_gettime(CLOCK_MONOTONIC, &tc[s].ts_tap); + tc[s].ts_tap = *now; if (ntohl(th->seq) < tc[s].seq_from_tap) skip = tc[s].seq_from_tap - ntohl(th->seq); @@ -1275,7 +1277,7 @@ int tcp_tap_handler(struct ctx *c, int af, void *addr, /* The client might have sent data already, which we didn't * dequeue waiting for SYN,ACK from tap -- check now. */ - tcp_data_from_sock(c, s); + tcp_data_from_sock(c, s, now); ev.events = EPOLLIN | EPOLLET | EPOLLRDHUP | EPOLLHUP; ev.data.fd = s; @@ -1298,7 +1300,7 @@ int tcp_tap_handler(struct ctx *c, int af, void *addr, break; case ESTABLISHED: case ESTABLISHED_SOCK_FIN: - clock_gettime(CLOCK_MONOTONIC, &tc[s].ts_ack_tap); + tc[s].ts_ack_tap = *now; if (ntohl(th->seq) > tc[s].seq_from_tap) { tc[s].seq_from_tap = tc[s].seq_ack_to_tap; @@ -1318,7 +1320,7 @@ int tcp_tap_handler(struct ctx *c, int af, void *addr, tc[s].seq_to_tap = tc[s].seq_ack_from_tap; if (tc[s].s == ESTABLISHED_SOCK_FIN) { - if (!tcp_data_from_sock(c, s)) + if (!tcp_data_from_sock(c, s, now)) tcp_set_state(s, CLOSE_WAIT); } } @@ -1400,8 +1402,10 @@ static void tcp_connect_finish(struct ctx *c, int s) * @c: Execution context * @s: File descriptor number for socket * @events: epoll events bitmap + * @now: Current timestamp */ -void tcp_sock_handler(struct ctx *c, int s, uint32_t events) +void tcp_sock_handler(struct ctx *c, int s, uint32_t events, + struct timespec *now) { socklen_t sl; int accept; @@ -1434,7 +1438,7 @@ void tcp_sock_handler(struct ctx *c, int s, uint32_t events) } if (accept) { - tcp_conn_from_sock(c, s); + tcp_conn_from_sock(c, s, now); return; } @@ -1444,18 +1448,18 @@ void tcp_sock_handler(struct ctx *c, int s, uint32_t events) } if (tc[s].s == ESTABLISHED) - tcp_data_from_sock(c, s); + tcp_data_from_sock(c, s, now); if (events & EPOLLRDHUP || events & EPOLLHUP) { if (tc[s].s == ESTABLISHED) { tcp_set_state(s, ESTABLISHED_SOCK_FIN); shutdown(s, SHUT_RD); - tcp_data_from_sock(c, s); + tcp_data_from_sock(c, s, now); tcp_send_to_tap(c, s, FIN | ACK, NULL, 0); } else if (tc[s].s == FIN_WAIT_1) { tcp_set_state(s, FIN_WAIT_1_SOCK_FIN); shutdown(s, SHUT_RD); - tcp_data_from_sock(c, s); + tcp_data_from_sock(c, s, now); tcp_send_to_tap(c, s, FIN | ACK, NULL, 0); tcp_sock_consume(s, tc[s].seq_ack_from_tap); } @@ -1477,15 +1481,15 @@ int tcp_sock_init(struct ctx *c) c->tcp.fd_max = c->tcp.fd_listen_max = c->tcp.fd_conn_max = 0; CHECK_SET_MIN_MAX(c->tcp.fd_listen_, s); - for (port = 0; port < (1 << 15) + (1 << 14); port++) { + for (port = 0; !PORT_IS_EPHEMERAL(port); port++) { if (c->v4) { - if ((s = sock_l4_add(c, 4, IPPROTO_TCP, port)) < 0) + if ((s = sock_l4(c, AF_INET, IPPROTO_TCP, port)) < 0) return -1; CHECK_SET_MIN_MAX(c->tcp.fd_listen_, s); } if (c->v6) { - if ((s = sock_l4_add(c, 6, IPPROTO_TCP, port)) < 0) + if ((s = sock_l4(c, AF_INET6, IPPROTO_TCP, port)) < 0) return -1; CHECK_SET_MIN_MAX(c->tcp.fd_listen_, s); } @@ -1540,7 +1544,7 @@ static void tcp_timer_one(struct ctx *c, int s, struct timespec *ts) if (tc[s].seq_ack_from_tap < tc[s].seq_to_tap) { tc[s].seq_to_tap = tc[s].seq_ack_from_tap; tc[s].ts_ack_tap = *ts; - tcp_data_from_sock(c, s); + tcp_data_from_sock(c, s, ts); } } @@ -1,11 +1,14 @@ #ifndef TCP_H #define TCP_H +#define TCP_TIMER_INTERVAL 20 /* ms */ + struct ctx; -void tcp_sock_handler(struct ctx *c, int s, uint32_t events); +void tcp_sock_handler(struct ctx *c, int s, uint32_t events, + struct timespec *now); int tcp_tap_handler(struct ctx *c, int af, void *addr, - struct tap_msg *msg, int count); + struct tap_msg *msg, int count, struct timespec *now); int tcp_sock_init(struct ctx *c); void tcp_timer(struct ctx *c, struct timespec *ts); @@ -18,6 +21,7 @@ void tcp_timer(struct ctx *c, struct timespec *ts); * @fd_listen_max: Highest file descriptor number for listening sockets * @fd_conn_min: Lowest file descriptor number for connected sockets * @fd_conn_max: Highest file descriptor number for connected sockets + * @timer_run: Timestamp of most recent timer run */ struct tcp_ctx { uint64_t hash_secret[2]; @@ -27,6 +31,7 @@ struct tcp_ctx { int fd_listen_max; int fd_conn_min; int fd_conn_max; + struct timespec timer_run; }; #endif /* TCP_H */ @@ -13,10 +13,20 @@ * DOC: Theory of Operation * * - * For UDP, no state machine or any particular tracking is required. Try to - * create and bind sets of 2^16 sockets, one for IPv4 and one for IPv6. Binding - * will fail on ports that are already bound, or low ports depending on - * capabilities. + * For UDP, a reduced version of port-based connection tracking is implemented + * with two purposes: + * - binding ephemeral ports when they're used as source port by the guest, so + * that replies on those ports can be forwarded back to the guest, with a + * fixed 180s timeout for this binding + * - packets received from the local host get their source changed to a local + * address (gateway address) so that they can be forwarded to the guest, and + * packets sent as replies by the guest need their destination address to + * be changed back to the address of the local host. This is dynamic to allow + * connections from the gateway as well, and uses the same fixed 180s timeout + * + * Sockets for ephemeral and non-ephemeral ports are created and at + * initialisation time, one set for IPv4 and one for IPv6. Non-ephemeral ports + * are bound at initialisation time, ephemeral ports are bound dynamically. * * Packets are forwarded back and forth, by prepending and stripping UDP headers * in the obvious way, with no port translation. @@ -47,16 +57,82 @@ #include "tap.h" #include "util.h" -static int udp4_sock_port[USHRT_MAX]; -static int udp6_sock_port[USHRT_MAX]; +#define UDP_CONN_TIMEOUT 180 /* s, timeout for ephemeral or local bind */ + +struct udp_port { + int s; + time_t ts_ephemeral; + time_t ts_local; +}; + +static struct udp_port up4[USHRT_MAX]; +static struct udp_port up6[USHRT_MAX]; + +/* Bitmaps, activity monitoring needed for port */ +static uint8_t udp4_act[USHRT_MAX / 8]; +static uint8_t udp6_act[USHRT_MAX / 8]; + +/** + * udp_act_set() - Set port in bitmap for timed events + * @af: Protocol family + * @s: Port number + */ +static void udp_act_set(int af, int p) +{ + if (af == AF_INET) + udp4_act[p / 8] |= 1 << (p % 8); + else + udp6_act[p / 8] |= 1 << (p % 8); +} + +/** + * udp_act_clear() - Clear port from bitmap for timed events + * @af: Protocol family + * @s: Port number + */ +static void udp_act_clear(int af, int p) +{ + if (af == AF_INET) + udp4_act[p / 8] &= ~(1 << (p % 8)); + else + udp6_act[p / 8] &= ~(1 << (p % 8)); +} + +/** + * udp_sock_handler_local() - Replace address if local, update timestamp + * @c: Execution context + * @sa: Socket address as struct sockaddr_in or sockaddr_in6 + * @now: Current timestamp + */ +static void udp_sock_handler_local(struct ctx *c, int af, void *sa, + struct timespec *now) +{ + if (af == AF_INET) { + struct sockaddr_in *s_in = (struct sockaddr_in *)sa; + + s_in->sin_addr.s_addr = c->gw4; + + up4[ntohs(s_in->sin_port)].ts_local = now->tv_sec; + udp_act_set(AF_INET, ntohs(s_in->sin_port)); + } else { + struct sockaddr_in6 *s_in6 = (struct sockaddr_in6 *)sa; + + memcpy(&s_in6->sin6_addr, &c->gw6, sizeof(c->gw6)); + + up6[ntohs(s_in6->sin6_port)].ts_local = now->tv_sec; + udp_act_set(AF_INET6, ntohs(s_in6->sin6_port)); + } +} /** * udp_sock_handler() - Handle new data from socket * @c: Execution context * @s: File descriptor number for socket * @events: epoll events bitmap + * @now: Current timestamp */ -void udp_sock_handler(struct ctx *c, int s, uint32_t events) +void udp_sock_handler(struct ctx *c, int s, uint32_t events, + struct timespec *now) { struct in6_addr a6 = { .s6_addr = { 0, 0, 0, 0, 0, 0, 0, 0, @@ -87,7 +163,7 @@ void udp_sock_handler(struct ctx *c, int s, uint32_t events) if (ntohl(sr4->sin_addr.s_addr) == INADDR_LOOPBACK || ntohl(sr4->sin_addr.s_addr) == INADDR_ANY) - sr4->sin_addr.s_addr = c->gw4; + udp_sock_handler_local(c, AF_INET, sr4, now); memcpy(&a6.s6_addr[12], &sr4->sin_addr, sizeof(sr4->sin_addr)); uh->source = sr4->sin_port; @@ -100,7 +176,7 @@ void udp_sock_handler(struct ctx *c, int s, uint32_t events) struct sockaddr_in6 *sl6 = (struct sockaddr_in6 *)&sl; if (IN6_IS_ADDR_LOOPBACK(&sr6->sin6_addr)) - memcpy(&sr6->sin6_addr, &c->gw6, sizeof(c->gw6)); + udp_sock_handler_local(c, AF_INET6, sr6, now); uh->source = sr6->sin6_port; uh->dest = sl6->sin6_port; @@ -112,16 +188,94 @@ void udp_sock_handler(struct ctx *c, int s, uint32_t events) } /** + * udp_tap_handler_ephemeral() - Bind ephemeral source port, update timestamp + * @af: Address family, AF_INET or AF_INET6 + * @src: Source port, host order + * @now: Current timestamp + */ +static void udp_tap_handler_ephemeral(int af, in_port_t src, + struct timespec *now) +{ + struct sockaddr *addr = NULL; + struct sockaddr_in6 s_in6 = { + .sin6_family = AF_INET6, + .sin6_port = htons(src), + .sin6_addr = IN6ADDR_ANY_INIT, + }; + struct sockaddr_in s_in = { + .sin_family = AF_INET, + .sin_port = htons(src), + .sin_addr = { .s_addr = INADDR_ANY }, + }; + socklen_t sl; + int s; + + if (af == AF_INET) { + if (!up4[src].ts_ephemeral) { + s = up4[src].s; + addr = (struct sockaddr *)&s_in; + sl = sizeof(s_in); + } + } else { + if (!up6[src].ts_ephemeral) { + s = up6[src].s; + addr = (struct sockaddr *)&s_in6; + sl = sizeof(s_in6); + } + } + + if (addr) { + if (bind(s, addr, sl)) + return; + + udp_act_set(af, src); + } + + if (af == AF_INET) + up4[src].ts_ephemeral = now->tv_sec; + else + up6[src].ts_ephemeral = now->tv_sec; +} + +/** + * udp_tap_handler_local() - Set address to local if needed, update timestamp + * @af: Address family, AF_INET or AF_INET6 + * @dst: Destination port, host order + * @sa: Socket address as struct sockaddr_in or sockaddr_in6 to modify + * @now: Current timestamp + */ +static void udp_tap_handler_local(int af, in_port_t dst, void *sa, + struct timespec *now) +{ + if (af == AF_INET) { + if (up4[dst].ts_local) { + struct sockaddr_in *s_in = (struct sockaddr_in *)sa; + + s_in->sin_addr.s_addr = htonl(INADDR_LOOPBACK); + up4[dst].ts_local = now->tv_sec; + } + } else { + if (up6[dst].ts_local) { + struct sockaddr_in6 *s_in6 = (struct sockaddr_in6 *)sa; + + s_in6->sin6_addr = in6addr_loopback; + up6[dst].ts_local = now->tv_sec; + } + } +} + +/** * udp_tap_handler() - Handle packets from tap * @c: Execution context * @af: Address family, AF_INET or AF_INET6 * @msg: Input messages * @count: Message count + * @now: Current timestamp * * Return: count of consumed packets */ int udp_tap_handler(struct ctx *c, int af, void *addr, - struct tap_msg *msg, int count) + struct tap_msg *msg, int count, struct timespec *now) { /* The caller already checks that all the messages have the same source * and destination, so we can just take those from the first message. @@ -132,11 +286,18 @@ int udp_tap_handler(struct ctx *c, int af, void *addr, struct sockaddr_in6 s_in6; struct sockaddr_in s_in; struct sockaddr *sa; + in_port_t src, dst; socklen_t sl; int i, s; (void)c; + if (msg[0].l4_len < sizeof(*uh)) + return 1; + + src = ntohs(uh->source); + dst = ntohs(uh->dest); + if (af == AF_INET) { s_in = (struct sockaddr_in) { .sin_family = AF_INET, @@ -171,15 +332,22 @@ int udp_tap_handler(struct ctx *c, int af, void *addr, } if (af == AF_INET) { - if (!(s = udp4_sock_port[ntohs(uh->source)])) - return count; - } else if (af == AF_INET6) { - if (!(s = udp6_sock_port[ntohs(uh->source)])) + if (!(s = up4[src].s)) return count; + + if (s_in.sin_addr.s_addr == c->gw4) + udp_tap_handler_local(AF_INET, dst, &s_in, now); } else { - return count; + if (!(s = up6[src].s)) + return count; + + if (!memcmp(addr, &c->gw6, sizeof(c->gw6))) + udp_tap_handler_local(AF_INET6, dst, &s_in6, now); } + if (PORT_IS_EPHEMERAL(src)) + udp_tap_handler_ephemeral(af, src, now); + count = sendmmsg(s, mm, count, MSG_DONTWAIT | MSG_NOSIGNAL); if (count < 0) return 1; @@ -203,19 +371,91 @@ int udp_sock_init(struct ctx *c) for (port = 0; port < USHRT_MAX; port++) { if (c->v4) { - if ((s = sock_l4_add(c, 4, IPPROTO_UDP, port)) < 0) + if ((s = sock_l4(c, AF_INET, IPPROTO_UDP, port)) < 0) return -1; - udp4_sock_port[port] = s; + up4[port].s = s; } if (c->v6) { - if ((s = sock_l4_add(c, 6, IPPROTO_UDP, port)) < 0) + if ((s = sock_l4(c, AF_INET6, IPPROTO_UDP, port)) < 0) return -1; - udp6_sock_port[port] = s; + up6[port].s = s; } } return 0; } + +/** + * udp_timer_one() - Handler for timed events on one port + * @af: Address family, AF_INET or AF_INET6 + * @p: Port number, host order + * @ts: Timestamp from caller + */ +static void udp_timer_one(struct ctx *c, int af, in_port_t p, + struct timespec *ts) +{ + int s = -1; + + if (af == AF_INET) { + if (ts->tv_sec - up4[p].ts_ephemeral > UDP_CONN_TIMEOUT) + up4[p].ts_ephemeral = 0; + if (ts->tv_sec - up4[p].ts_local > UDP_CONN_TIMEOUT) + up4[p].ts_local = 0; + + if (!up4[p].ts_ephemeral && !up4[p].ts_local) { + udp_act_clear(AF_INET, p); + s = up4[p].s; + } + } else { + if (ts->tv_sec - up6[p].ts_ephemeral > UDP_CONN_TIMEOUT) + up6[p].ts_ephemeral = 0; + if (ts->tv_sec - up6[p].ts_local > UDP_CONN_TIMEOUT) + up6[p].ts_local = 0; + + if (!up6[p].ts_ephemeral && !up6[p].ts_local) { + udp_act_clear(AF_INET6, p); + s = up6[p].s; + } + } + + if (s != -1) { + epoll_ctl(c->epollfd, EPOLL_CTL_DEL, s, NULL); + close(s); + sock_l4(c, af, IPPROTO_UDP, p); + } +} + +/** + * udp_timer() - Scan activity bitmap for ports with associated timed events + * @c: Execution context + * @ts: Timestamp from caller + */ +void udp_timer(struct ctx *c, struct timespec *ts) +{ + long *word, tmp; + unsigned int i; + int n; + + word = (long *)udp4_act; + for (i = 0; i < sizeof(udp4_act) / sizeof(long); i++, word++) { + tmp = *word; + while ((n = ffsl(tmp))) { + tmp &= ~(1UL << (n - 1)); + udp_timer_one(c, AF_INET, + i * sizeof(long) * 8 + n - 1, ts); + } + } + + word = (long *)udp6_act; + for (i = 0; i < sizeof(udp6_act) / sizeof(long); i++, word++) { + tmp = *word; + while ((n = ffsl(tmp))) { + tmp &= ~(1UL << (n - 1)); + udp_timer_one(c, AF_INET6, + i * sizeof(long) * 8 + n - 1, ts); + } + } +} @@ -1,19 +1,25 @@ #ifndef UDP_H #define UDP_H -void udp_sock_handler(struct ctx *c, int s, uint32_t events); +#define UDP_TIMER_INTERVAL 1000 /* ms */ + +void udp_sock_handler(struct ctx *c, int s, uint32_t events, + struct timespec *now); int udp_tap_handler(struct ctx *c, int af, void *addr, - struct tap_msg *msg, int count); + struct tap_msg *msg, int count, struct timespec *now); int udp_sock_init(struct ctx *c); +void udp_timer(struct ctx *c, struct timespec *ts); /** * struct udp_ctx - Execution context for UDP * @fd_min: Lowest file descriptor number for UDP ever used * @fd_max: Highest file descriptor number for UDP ever used + * @timer_run: Timestamp of most recent timer run */ struct udp_ctx { int fd_min; int fd_max; + struct timespec timer_run; }; #endif /* UDP_H */ @@ -155,15 +155,15 @@ char *ipv6_l4hdr(struct ipv6hdr *ip6h, uint8_t *proto) } /** - * sock_l4_add() - Create and bind socket for given L4, add to epoll list + * sock_l4() - Create and bind socket for given L4, add to epoll list * @c: Execution context - * @v: IP protocol, 4 or 6 + * @af: Address family, AF_INET or AF_INET6 * @proto: Protocol number, host order - * @port: Port, network order + * @port: Port, host order * * Return: newly created socket, -1 on error */ -int sock_l4_add(struct ctx *c, int v, uint16_t proto, uint16_t port) +int sock_l4(struct ctx *c, int af, uint16_t proto, uint16_t port) { struct sockaddr_in addr4 = { .sin_family = AF_INET, @@ -183,8 +183,7 @@ int sock_l4_add(struct ctx *c, int v, uint16_t proto, uint16_t port) proto != IPPROTO_ICMP && proto != IPPROTO_ICMPV6) return -1; /* Not implemented. */ - fd = socket(v == 4 ? AF_INET : AF_INET6, - proto == IPPROTO_TCP ? SOCK_STREAM : SOCK_DGRAM, proto); + fd = socket(af, proto == IPPROTO_TCP ? SOCK_STREAM : SOCK_DGRAM, proto); if (fd < 0) { perror("L4 socket"); return -1; @@ -198,7 +197,7 @@ int sock_l4_add(struct ctx *c, int v, uint16_t proto, uint16_t port) if (proto == IPPROTO_ICMP || proto == IPPROTO_ICMPV6) goto epoll_add; - if (v == 4) { + if (af == AF_INET) { sa = (const struct sockaddr *)&addr4; sl = sizeof(addr4); } else { @@ -208,6 +207,9 @@ int sock_l4_add(struct ctx *c, int v, uint16_t proto, uint16_t port) setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &one, sizeof(one)); } + if (proto == IPPROTO_UDP && PORT_IS_EPHEMERAL(port)) + goto epoll_add; + if (bind(fd, sa, sl) < 0) { /* We'll fail to bind to low ports if we don't have enough * capabilities, and we'll fail to bind on already bound ports, @@ -22,14 +22,18 @@ void debug(const char *format, ...); CHECK_SET_MIN_MAX(c->proto_ctx.fd_, (fd)); \ } while (0) -#define IN_INTERVAL(a, b, x) ((x) >= (a) && (x) <= (b)) +#define MIN(x, y) (((x) < (y)) ? (x) : (y)) + +#define IN_INTERVAL(a, b, x) ((x) >= (a) && (x) <= (b)) #define FD_PROTO(x, proto) \ (IN_INTERVAL(c->proto.fd_min, c->proto.fd_max, (x))) +#define PORT_IS_EPHEMERAL(port) ((port) >= (1 << 15) + (1 << 14)) /* RFC 6335 */ + uint16_t csum_fold(uint32_t sum); uint16_t csum_ip4(void *buf, size_t len); void csum_tcp4(struct iphdr *iph); char *ipv6_l4hdr(struct ipv6hdr *ip6h, uint8_t *proto); -int sock_l4_add(struct ctx *c, int v, uint16_t proto, uint16_t port); +int sock_l4(struct ctx *c, int af, uint16_t proto, uint16_t port); int timespec_diff_ms(struct timespec *a, struct timespec *b); |