diff options
| author | Stefano Brivio <sbrivio@redhat.com> | 2021-07-21 17:44:39 +0200 |
|---|---|---|
| committer | Stefano Brivio <sbrivio@redhat.com> | 2021-07-21 17:44:39 +0200 |
| commit | 49631a38a6ec550fb9254f2f9e4a049eea02ed6d (patch) | |
| tree | 1c1d294c156dd9bf2c0977bbbd6ba89a9c8ee95f | |
| parent | b508079c4c6ef3b79b253736eaeb654486922324 (diff) | |
| download | passt-49631a38a6ec550fb9254f2f9e4a049eea02ed6d.tar passt-49631a38a6ec550fb9254f2f9e4a049eea02ed6d.tar.gz passt-49631a38a6ec550fb9254f2f9e4a049eea02ed6d.tar.bz2 passt-49631a38a6ec550fb9254f2f9e4a049eea02ed6d.tar.lz passt-49631a38a6ec550fb9254f2f9e4a049eea02ed6d.tar.xz passt-49631a38a6ec550fb9254f2f9e4a049eea02ed6d.tar.zst passt-49631a38a6ec550fb9254f2f9e4a049eea02ed6d.zip | |
tcp, udp: Split IPv4 and IPv6 bound port sets
Allow to bind IPv4 and IPv6 ports to tap, namespace or init separately.
Port numbers of TCP ports that are bound in a namespace are also bound
for UDP for convenience (e.g. iperf3), and IPv4 ports are always bound
if the corresponding IPv6 port is bound (socket might not have the
IPV6_V6ONLY option set). This will also be configurable later.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
| -rw-r--r-- | passt.c | 46 | ||||
| -rw-r--r-- | tcp.c | 61 | ||||
| -rw-r--r-- | tcp.h | 18 | ||||
| -rw-r--r-- | udp.c | 68 | ||||
| -rw-r--r-- | udp.h | 17 |
5 files changed, 131 insertions, 79 deletions
@@ -326,13 +326,21 @@ static int get_bound_ports_ns(void *arg) ns_enter(c->pasta_pid); if (c->v4) { - procfs_scan_listen("tcp", c->tcp.port_to_ns); - procfs_scan_listen("udp", c->udp.port_to_ns); + procfs_scan_listen("tcp", c->tcp.port4_to_tap); + procfs_scan_listen("tcp", c->udp.port4_to_tap); + procfs_scan_listen("udp", c->udp.port4_to_tap); } if (c->v6) { - procfs_scan_listen("tcp6", c->tcp.port_to_ns); - procfs_scan_listen("udp6", c->udp.port_to_ns); + if (c->v4) { + procfs_scan_listen("tcp6", c->tcp.port4_to_ns); + procfs_scan_listen("tcp6", c->udp.port4_to_ns); + procfs_scan_listen("udp6", c->udp.port4_to_ns); + } + + procfs_scan_listen("tcp6", c->tcp.port6_to_ns); + procfs_scan_listen("tcp6", c->udp.port6_to_ns); + procfs_scan_listen("udp6", c->udp.port6_to_ns); } return 0; @@ -346,23 +354,23 @@ static void get_bound_ports(struct ctx *c) { char ns_fn_stack[NS_FN_STACK_SIZE]; - if (c->mode == MODE_PASST) { - memset(c->tcp.port_to_tap, 0xff, PORT_EPHEMERAL_MIN / 8); - memset(c->udp.port_to_tap, 0xff, PORT_EPHEMERAL_MIN / 8); - return; - } - clone(get_bound_ports_ns, ns_fn_stack + sizeof(ns_fn_stack) / 2, CLONE_VM | CLONE_VFORK | CLONE_FILES | SIGCHLD, (void *)c); if (c->v4) { - procfs_scan_listen("tcp", c->tcp.port_to_init); - procfs_scan_listen("udp", c->udp.port_to_init); + procfs_scan_listen("tcp", c->tcp.port4_to_init); + procfs_scan_listen("udp", c->udp.port4_to_init); } if (c->v6) { - procfs_scan_listen("tcp6", c->tcp.port_to_init); - procfs_scan_listen("udp6", c->udp.port_to_init); + if (c->v4) { + procfs_scan_listen("tcp6", c->tcp.port4_to_init); + procfs_scan_listen("udp6", c->udp.port4_to_init); + } + + procfs_scan_listen("tcp6", c->tcp.port6_to_init); + procfs_scan_listen("udp6", c->udp.port6_to_init); + } } @@ -509,7 +517,15 @@ int main(int argc, char **argv) get_routes(&c); get_addrs(&c); get_dns(&c); - get_bound_ports(&c); + + if (c.mode == MODE_PASST) { + memset(&c.tcp.port4_to_tap, 0xff, PORT_EPHEMERAL_MIN / 8); + memset(&c.tcp.port6_to_tap, 0xff, PORT_EPHEMERAL_MIN / 8); + memset(&c.udp.port4_to_tap, 0xff, PORT_EPHEMERAL_MIN / 8); + memset(&c.udp.port6_to_tap, 0xff, PORT_EPHEMERAL_MIN / 8); + } else { + get_bound_ports(&c); + } proto_update_l2_buf(c.mac_guest, c.mac, &c.addr4); @@ -1770,7 +1770,8 @@ static int tcp_splice_new(struct ctx *c, struct tcp_splice_conn *conn, struct tcp_splice_connect_ns_arg ns_arg = { c, conn, v6, port, 0 }; char ns_fn_stack[NS_FN_STACK_SIZE]; - if (bitmap_isset(c->tcp.port_to_ns, port)) { + if ((!v6 && bitmap_isset(c->tcp.port4_to_ns, port)) || + (v6 && bitmap_isset(c->tcp.port6_to_ns, port))) { clone(tcp_splice_connect_ns, ns_fn_stack + sizeof(ns_fn_stack) / 2, CLONE_VM | CLONE_VFORK | CLONE_FILES | SIGCHLD, @@ -2082,19 +2083,24 @@ static int tcp_sock_init_ns(void *arg) ns_enter(c->pasta_pid); - for (port = 0; !PORT_IS_EPHEMERAL(port); port++) { - if (!bitmap_isset(c->tcp.port_to_init, port)) - continue; + if (c->v4) { + tref.v6 = 0; + for (port = 0; port < USHRT_MAX; port++) { + if (!bitmap_isset(c->tcp.port4_to_init, port)) + continue; - tref.index = port; - - if (c->v4) { - tref.v6 = 0; + tref.index = port; sock_l4(c, AF_INET, IPPROTO_TCP, port, 1, tref.u32); } + } + + if (c->v6) { + tref.v6 = 1; + for (port = 0; port < USHRT_MAX; port++) { + if (!bitmap_isset(c->tcp.port6_to_init, port)) + continue; - if (c->v6) { - tref.v6 = 1; + tref.index = port; sock_l4(c, AF_INET6, IPPROTO_TCP, port, 1, tref.u32); } } @@ -2116,24 +2122,33 @@ int tcp_sock_init(struct ctx *c) getrandom(&c->tcp.hash_secret, sizeof(c->tcp.hash_secret), GRND_RANDOM); - for (port = 0; !PORT_IS_EPHEMERAL(port); port++) { - if (bitmap_isset(c->tcp.port_to_ns, port)) - tref.splice = 1; - else if (bitmap_isset(c->tcp.port_to_tap, port)) - tref.splice = 0; - else - continue; - - tref.index = port; + if (c->v4) { + tref.v6 = 0; + for (port = 0; port < USHRT_MAX; port++) { + if (bitmap_isset(c->tcp.port4_to_ns, port)) + tref.splice = 1; + else if (bitmap_isset(c->tcp.port4_to_tap, port)) + tref.splice = 0; + else + continue; - if (c->v4) { - tref.v6 = 0; + tref.index = port; sock_l4(c, AF_INET, IPPROTO_TCP, port, tref.splice, tref.u32); } + } + + if (c->v6) { + tref.v6 = 1; + for (port = 0; port < USHRT_MAX; port++) { + if (bitmap_isset(c->tcp.port6_to_ns, port)) + tref.splice = 1; + else if (bitmap_isset(c->tcp.port6_to_tap, port)) + tref.splice = 0; + else + continue; - if (c->v6) { - tref.v6 = 1; + tref.index = port; sock_l4(c, AF_INET6, IPPROTO_TCP, port, tref.splice, tref.u32); } @@ -38,18 +38,24 @@ union tcp_epoll_ref { * @hash_secret: 128-bit secret for hash functions, ISN and hash table * @tap_conn_count: Count of tap connections in connection table * @splice_conn_count: Count of spliced connections in connection table - * @port_to_tap: Ports bound host/init-side, packets to guest/tap - * @port_to_init: Ports bound namespace-side, spliced to init - * @port_to_ns: Ports bound init-side, spliced to namespace + * @port4_to_tap: IPv4 ports bound host/init-side, packets to guest/tap + * @port6_to_tap: IPv6 ports bound host/init-side, packets to guest/tap + * @port4_to_init: IPv4 ports bound namespace-side, spliced to init + * @port6_to_init: IPv6 ports bound namespace-side, spliced to init + * @port4_to_ns: IPv4 ports bound init-side, spliced to namespace + * @port6_to_ns: IPv6 ports bound init-side, spliced to namespace * @timer_run: Timestamp of most recent timer run */ struct tcp_ctx { uint64_t hash_secret[2]; int tap_conn_count; int splice_conn_count; - uint8_t port_to_tap [USHRT_MAX / 8]; - uint8_t port_to_init [USHRT_MAX / 8]; - uint8_t port_to_ns [USHRT_MAX / 8]; + uint8_t port4_to_tap [USHRT_MAX / 8]; + uint8_t port6_to_tap [USHRT_MAX / 8]; + uint8_t port4_to_init [USHRT_MAX / 8]; + uint8_t port6_to_init [USHRT_MAX / 8]; + uint8_t port4_to_ns [USHRT_MAX / 8]; + uint8_t port6_to_ns [USHRT_MAX / 8]; struct timespec timer_run; }; @@ -890,19 +890,24 @@ int udp_sock_init_ns(void *arg) ns_enter(c->pasta_pid); - for (port = 0; port < USHRT_MAX; port++) { - if (!bitmap_isset(c->udp.port_to_init, port)) - continue; - - uref.port = port; + if (c->v4) { + uref.v6 = 0; + for (port = 0; port < USHRT_MAX; port++) { + if (!bitmap_isset(c->udp.port4_to_init, port)) + continue; - if (c->v4) { - uref.v6 = 0; + uref.port = port; sock_l4(c, AF_INET, IPPROTO_UDP, port, 1, uref.u32); } + } + + if (c->v6) { + uref.v6 = 1; + for (port = 0; port < USHRT_MAX; port++) { + if (!bitmap_isset(c->udp.port6_to_init, port)) + continue; - if (c->v6) { - uref.v6 = 1; + uref.port = port; sock_l4(c, AF_INET6, IPPROTO_UDP, port, 1, uref.u32); } } @@ -976,40 +981,45 @@ int udp_sock_init(struct ctx *c) in_port_t port; int s; - for (port = 0; port < USHRT_MAX; port++) { - if (bitmap_isset(c->udp.port_to_ns, port)) - uref.splice = UDP_TO_NS; - else if (bitmap_isset(c->udp.port_to_tap, port)) - uref.splice = 0; - else - continue; - - uref.port = port; + if (c->v4) { + uref.v6 = 0; + for (port = 0; port < USHRT_MAX; port++) { + if (bitmap_isset(c->udp.port4_to_ns, port)) + uref.splice = UDP_TO_NS; + else if (bitmap_isset(c->udp.port4_to_tap, port)) + uref.splice = 0; + else + continue; - if (c->v4) { - uref.v6 = 0; + uref.port = port; s = sock_l4(c, AF_INET, IPPROTO_UDP, port, uref.splice == UDP_TO_NS, uref.u32); - if (!uref.splice && s > 0) udp_tap_map[V4][port].sock = s; } - if (c->v6) { - uref.v6 = 1; + udp_sock4_iov_init(); + } + + if (c->v6) { + uref.v6 = 1; + for (port = 0; port < USHRT_MAX; port++) { + if (bitmap_isset(c->udp.port6_to_ns, port)) + uref.splice = UDP_TO_NS; + else if (bitmap_isset(c->udp.port6_to_tap, port)) + uref.splice = 0; + else + continue; + + uref.port = port; s = sock_l4(c, AF_INET6, IPPROTO_UDP, port, uref.splice == UDP_TO_NS, uref.u32); - if (!uref.splice && s > 0) udp_tap_map[V6][port].sock = s; } - } - - if (c->v4) - udp_sock4_iov_init(); - if (c->v6) udp_sock6_iov_init(); + } if (c->mode == MODE_PASTA) { udp_splice_iov_init(); @@ -38,15 +38,20 @@ union udp_epoll_ref { /** * struct udp_ctx - Execution context for UDP - * @port_to_tap: Ports bound host/init-side, packets to guest/tap - * @port_to_init: Ports bound namespace-side, spliced to init - * @port_to_ns: Ports bound init-side, spliced to namespace + * @port6_to_tap: IPv6 ports bound host/init-side, packets to guest/tap + * @port4_to_init: IPv4 ports bound namespace-side, spliced to init + * @port6_to_init: IPv6 ports bound namespace-side, spliced to init + * @port4_to_ns: IPv4 ports bound init-side, spliced to namespace + * @port6_to_ns: IPv6 ports bound init-side, spliced to namespace * @timer_run: Timestamp of most recent timer run */ struct udp_ctx { - uint8_t port_to_tap [USHRT_MAX / 8]; - uint8_t port_to_init [USHRT_MAX / 8]; - uint8_t port_to_ns [USHRT_MAX / 8]; + uint8_t port4_to_tap [USHRT_MAX / 8]; + uint8_t port6_to_tap [USHRT_MAX / 8]; + uint8_t port4_to_init [USHRT_MAX / 8]; + uint8_t port6_to_init [USHRT_MAX / 8]; + uint8_t port4_to_ns [USHRT_MAX / 8]; + uint8_t port6_to_ns [USHRT_MAX / 8]; struct timespec timer_run; }; |