| author | David Gibson <david@gibson.dropbear.id.au> | 2026-03-11 23:03:12 +1100 |
|---|---|---|
| committer | Stefano Brivio <sbrivio@redhat.com> | 2026-03-11 22:11:30 +0100 |
| commit | ee0e20ebe3d689076701938a42f6d6f46d23f3af (patch) | |
| tree | 1829ea45304c0448647ef2cbc3b43e1920a1ed98 | |
| parent | d460ca3236bafa724686a5ad7f585d70962f7373 (diff) | |
| download | passt-ee0e20ebe3d689076701938a42f6d6f46d23f3af.tar passt-ee0e20ebe3d689076701938a42f6d6f46d23f3af.tar.gz passt-ee0e20ebe3d689076701938a42f6d6f46d23f3af.tar.bz2 passt-ee0e20ebe3d689076701938a42f6d6f46d23f3af.tar.lz passt-ee0e20ebe3d689076701938a42f6d6f46d23f3af.tar.xz passt-ee0e20ebe3d689076701938a42f6d6f46d23f3af.tar.zst passt-ee0e20ebe3d689076701938a42f6d6f46d23f3af.zip | |
fwd: Always open /proc/net{tcp,tcp6,udp,udp6} in pasta mode
Currently we open these files only if have forwarding rules based on the
scanning these are used for. We plan to allow dynamic updates to the
forwarding rules, which could add such a rule after the point
fwd_scan_ports_init() is called. We can't open the /proc files later,
because of our self-isolation.
In any case, not opening these files when unneeded doesn't have very much
advantage. So, in anticipation of dynamic updates, always open these files
when in pasta mode.
This also fixes an arguable small bug. To deal with certain protocols like
iperf3, we automatically forward UDP ports if the corresponding TCP ports
are open. However, we only open /proc/net/tcp* if we have TCP port scans.
That means that:
$ pasta --config-net -T none -U auto
might open different UDP ports than:
$ pasta --config-net -T auto -U auto
which is surprising behaviour. This change removes that buglet as a side
effect.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
| -rw-r--r-- | fwd.c | 20 |
1 files changed, 8 insertions, 12 deletions
@@ -877,23 +877,19 @@ void fwd_scan_ports_init(struct ctx *c)
 c->udp.scan_in.scan4 = c->udp.scan_in.scan6 = -1;
 c->udp.scan_out.scan4 = c->udp.scan_out.scan6 = -1;
- if (has_scan_rules(&c->fwd_in, IPPROTO_TCP)) {
- c->tcp.scan_in.scan4 = open_in_ns(c, "/proc/net/tcp", flags);
- c->tcp.scan_in.scan6 = open_in_ns(c, "/proc/net/tcp6", flags);
- }
- if (has_scan_rules(&c->fwd_in, IPPROTO_UDP)) {
- c->udp.scan_in.scan4 = open_in_ns(c, "/proc/net/udp", flags);
- c->udp.scan_in.scan6 = open_in_ns(c, "/proc/net/udp6", flags);
- }
- if (has_scan_rules(&c->fwd_out, IPPROTO_TCP)) {
+ if (c->mode == MODE_PASTA) {
 c->tcp.scan_out.scan4 = open("/proc/net/tcp", flags);
 c->tcp.scan_out.scan6 = open("/proc/net/tcp6", flags);
- }
- if (has_scan_rules(&c->fwd_out, IPPROTO_UDP)) {
 c->udp.scan_out.scan4 = open("/proc/net/udp", flags);
 c->udp.scan_out.scan6 = open("/proc/net/udp6", flags);
+
+ c->tcp.scan_in.scan4 = open_in_ns(c, "/proc/net/tcp", flags);
+ c->tcp.scan_in.scan6 = open_in_ns(c, "/proc/net/tcp6", flags);
+ c->udp.scan_in.scan4 = open_in_ns(c, "/proc/net/udp", flags);
+ c->udp.scan_in.scan6 = open_in_ns(c, "/proc/net/udp6", flags);
+
+ fwd_scan_ports(c);
 }
- fwd_scan_ports(c);
 }
 /* Last time we scanned for open ports */ |
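Review bot: The eight open()/open_in_ns() calls inside the new `if (c->mode == MODE_PASTA)` block still have their results unchecked, and now that they run regardless of the configured rules, a failure (for instance /proc/net/tcp6 missing on a host with IPv6 disabled, or the namespace open failing) leaves the field at the -1 sentinel assigned a few lines above and is indistinguishable from "nothing to scan" once fwd_scan_ports(c) runs. A debug-level log line when any of these descriptors comes back negative would make that case diagnosable without changing behaviour; whether fwd_scan_ports() tolerates -1 descriptors cannot be confirmed from this hunk. The rationale given in the commit message belongs next to the code as well, e.g. `/* Always open these in pasta mode: scan rules may be added dynamically later, and we can't open /proc files once self-isolated */` above the `if`. Whether `flags` includes O_CLOEXEC is decided outside the hunk, where fwd_scan_ports_init() begins, and is worth a glance now that these descriptors are held for the whole process lifetime.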
