From ee0e20ebe3d689076701938a42f6d6f46d23f3af Mon Sep 17 00:00:00 2001 From: David Gibson Date: Wed, 11 Mar 2026 23:03:12 +1100 Subject: fwd: Always open /proc/net{tcp,tcp6,udp,udp6} in pasta mode Currently we open these files only if have forwarding rules based on the scanning these are used for. We plan to allow dynamic updates to the forwarding rules, which could add such a rule after the point fwd_scan_ports_init() is called. We can't open the /proc files later, because of our self-isolation. In any case, not opening these files when unneeded doesn't have very much advantage. So, in anticipation of dynamic updates, always open these files when in pasta mode. This also fixes an arguable small bug. To deal with certain protocols like iperf3, we automatically forward UDP ports if the corresponding TCP ports are open. However, we only open /proc/net/tcp* if we have TCP port scans. That means that: $ pasta --config-net -T none -U auto might open different UDP ports than: $ pasta --config-net -T auto -U auto which is surprising behaviour. This change removes that buglet as a side effect. Signed-off-by: David Gibson Signed-off-by: Stefano Brivio
---
 fwd.c | 20 ++++++++------------
 1 file changed, 8 insertions(+), 12 deletions(-)
diff --git a/fwd.c b/fwd.c
index 1843ec8..bedbf98 100644
--- a/fwd.c
+++ b/fwd.c
@@ -877,23 +877,19 @@ void fwd_scan_ports_init(struct ctx *c)
 c->udp.scan_in.scan4 = c->udp.scan_in.scan6 = -1;
 c->udp.scan_out.scan4 = c->udp.scan_out.scan6 = -1;

- if (has_scan_rules(&c->fwd_in, IPPROTO_TCP)) {
- c->tcp.scan_in.scan4 = open_in_ns(c, "/proc/net/tcp", flags);
- c->tcp.scan_in.scan6 = open_in_ns(c, "/proc/net/tcp6", flags);
- }
- if (has_scan_rules(&c->fwd_in, IPPROTO_UDP)) {
- c->udp.scan_in.scan4 = open_in_ns(c, "/proc/net/udp", flags);
- c->udp.scan_in.scan6 = open_in_ns(c, "/proc/net/udp6", flags);
- }
- if (has_scan_rules(&c->fwd_out, IPPROTO_TCP)) {
+ if (c->mode == MODE_PASTA) {
 c->tcp.scan_out.scan4 = open("/proc/net/tcp", flags);
 c->tcp.scan_out.scan6 = open("/proc/net/tcp6", flags);
- }
- if (has_scan_rules(&c->fwd_out, IPPROTO_UDP)) {
 c->udp.scan_out.scan4 = open("/proc/net/udp", flags);
 c->udp.scan_out.scan6 = open("/proc/net/udp6", flags);
+
+ c->tcp.scan_in.scan4 = open_in_ns(c, "/proc/net/tcp", flags);
+ c->tcp.scan_in.scan6 = open_in_ns(c, "/proc/net/tcp6", flags);
+ c->udp.scan_in.scan4 = open_in_ns(c, "/proc/net/udp", flags);
+ c->udp.scan_in.scan6 = open_in_ns(c, "/proc/net/udp6", flags);
+
+ fwd_scan_ports(c);
 }
- fwd_scan_ports(c);
 }

 /* Last time we scanned for open ports */
-- 
cgit v1.2.3
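Review bot: The reason the eight /proc/net descriptors are now opened unconditionally in pasta mode lives only in the commit message, so a later reader of the `if (c->mode == MODE_PASTA)` branch is likely to see rule-independent open() calls as wasteful and reinstate a has_scan_rules() check; a comment above the branch would keep the constraint with the code, e.g. `/* Always open these in pasta mode: after self-isolation we can't open them later, and forwarding rules may be updated dynamically */`. A failed open() or open_in_ns() still leaves the field at -1, indistinguishable from "not opened", and since the opens no longer depend on a rule being present, a debug-level log on failure (for instance when /proc/net/udp6 is absent because IPv6 is disabled) would make a scan that silently finds nothing easier to diagnose. fwd_scan_ports(c) is now only reached in pasta mode, which appears intended given every descriptor stays -1 otherwise, but it is a behaviour change worth a line in the commit message. fwd_scan_ports_init's body, including the definition of flags, begins outside this hunk.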