tcp, udp: Split IPv4 and IPv6 bound port sets
Allow to bind IPv4 and IPv6 ports to tap, namespace or init separately. Port numbers of TCP ports that are bound in a namespace are also bound for UDP for convenience (e.g. iperf3), and IPv4 ports are always bound if the corresponding IPv6 port is bound (socket might not have the IPV6_V6ONLY option set). This will also be configurable later. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
This commit is contained in:
parent
b508079c4c
commit
49631a38a6
5 changed files with 131 additions and 79 deletions
44
passt.c
44
passt.c
|
@ -326,13 +326,21 @@ static int get_bound_ports_ns(void *arg)
|
||||||
ns_enter(c->pasta_pid);
|
ns_enter(c->pasta_pid);
|
||||||
|
|
||||||
if (c->v4) {
|
if (c->v4) {
|
||||||
procfs_scan_listen("tcp", c->tcp.port_to_ns);
|
procfs_scan_listen("tcp", c->tcp.port4_to_tap);
|
||||||
procfs_scan_listen("udp", c->udp.port_to_ns);
|
procfs_scan_listen("tcp", c->udp.port4_to_tap);
|
||||||
|
procfs_scan_listen("udp", c->udp.port4_to_tap);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (c->v6) {
|
if (c->v6) {
|
||||||
procfs_scan_listen("tcp6", c->tcp.port_to_ns);
|
if (c->v4) {
|
||||||
procfs_scan_listen("udp6", c->udp.port_to_ns);
|
procfs_scan_listen("tcp6", c->tcp.port4_to_ns);
|
||||||
|
procfs_scan_listen("tcp6", c->udp.port4_to_ns);
|
||||||
|
procfs_scan_listen("udp6", c->udp.port4_to_ns);
|
||||||
|
}
|
||||||
|
|
||||||
|
procfs_scan_listen("tcp6", c->tcp.port6_to_ns);
|
||||||
|
procfs_scan_listen("tcp6", c->udp.port6_to_ns);
|
||||||
|
procfs_scan_listen("udp6", c->udp.port6_to_ns);
|
||||||
}
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
@ -346,23 +354,23 @@ static void get_bound_ports(struct ctx *c)
|
||||||
{
|
{
|
||||||
char ns_fn_stack[NS_FN_STACK_SIZE];
|
char ns_fn_stack[NS_FN_STACK_SIZE];
|
||||||
|
|
||||||
if (c->mode == MODE_PASST) {
|
|
||||||
memset(c->tcp.port_to_tap, 0xff, PORT_EPHEMERAL_MIN / 8);
|
|
||||||
memset(c->udp.port_to_tap, 0xff, PORT_EPHEMERAL_MIN / 8);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
clone(get_bound_ports_ns, ns_fn_stack + sizeof(ns_fn_stack) / 2,
|
clone(get_bound_ports_ns, ns_fn_stack + sizeof(ns_fn_stack) / 2,
|
||||||
CLONE_VM | CLONE_VFORK | CLONE_FILES | SIGCHLD, (void *)c);
|
CLONE_VM | CLONE_VFORK | CLONE_FILES | SIGCHLD, (void *)c);
|
||||||
|
|
||||||
if (c->v4) {
|
if (c->v4) {
|
||||||
procfs_scan_listen("tcp", c->tcp.port_to_init);
|
procfs_scan_listen("tcp", c->tcp.port4_to_init);
|
||||||
procfs_scan_listen("udp", c->udp.port_to_init);
|
procfs_scan_listen("udp", c->udp.port4_to_init);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (c->v6) {
|
if (c->v6) {
|
||||||
procfs_scan_listen("tcp6", c->tcp.port_to_init);
|
if (c->v4) {
|
||||||
procfs_scan_listen("udp6", c->udp.port_to_init);
|
procfs_scan_listen("tcp6", c->tcp.port4_to_init);
|
||||||
|
procfs_scan_listen("udp6", c->udp.port4_to_init);
|
||||||
|
}
|
||||||
|
|
||||||
|
procfs_scan_listen("tcp6", c->tcp.port6_to_init);
|
||||||
|
procfs_scan_listen("udp6", c->udp.port6_to_init);
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -509,7 +517,15 @@ int main(int argc, char **argv)
|
||||||
get_routes(&c);
|
get_routes(&c);
|
||||||
get_addrs(&c);
|
get_addrs(&c);
|
||||||
get_dns(&c);
|
get_dns(&c);
|
||||||
|
|
||||||
|
if (c.mode == MODE_PASST) {
|
||||||
|
memset(&c.tcp.port4_to_tap, 0xff, PORT_EPHEMERAL_MIN / 8);
|
||||||
|
memset(&c.tcp.port6_to_tap, 0xff, PORT_EPHEMERAL_MIN / 8);
|
||||||
|
memset(&c.udp.port4_to_tap, 0xff, PORT_EPHEMERAL_MIN / 8);
|
||||||
|
memset(&c.udp.port6_to_tap, 0xff, PORT_EPHEMERAL_MIN / 8);
|
||||||
|
} else {
|
||||||
get_bound_ports(&c);
|
get_bound_ports(&c);
|
||||||
|
}
|
||||||
|
|
||||||
proto_update_l2_buf(c.mac_guest, c.mac, &c.addr4);
|
proto_update_l2_buf(c.mac_guest, c.mac, &c.addr4);
|
||||||
|
|
||||||
|
|
39
tcp.c
39
tcp.c
|
@ -1770,7 +1770,8 @@ static int tcp_splice_new(struct ctx *c, struct tcp_splice_conn *conn,
|
||||||
struct tcp_splice_connect_ns_arg ns_arg = { c, conn, v6, port, 0 };
|
struct tcp_splice_connect_ns_arg ns_arg = { c, conn, v6, port, 0 };
|
||||||
char ns_fn_stack[NS_FN_STACK_SIZE];
|
char ns_fn_stack[NS_FN_STACK_SIZE];
|
||||||
|
|
||||||
if (bitmap_isset(c->tcp.port_to_ns, port)) {
|
if ((!v6 && bitmap_isset(c->tcp.port4_to_ns, port)) ||
|
||||||
|
(v6 && bitmap_isset(c->tcp.port6_to_ns, port))) {
|
||||||
clone(tcp_splice_connect_ns,
|
clone(tcp_splice_connect_ns,
|
||||||
ns_fn_stack + sizeof(ns_fn_stack) / 2,
|
ns_fn_stack + sizeof(ns_fn_stack) / 2,
|
||||||
CLONE_VM | CLONE_VFORK | CLONE_FILES | SIGCHLD,
|
CLONE_VM | CLONE_VFORK | CLONE_FILES | SIGCHLD,
|
||||||
|
@ -2082,19 +2083,24 @@ static int tcp_sock_init_ns(void *arg)
|
||||||
|
|
||||||
ns_enter(c->pasta_pid);
|
ns_enter(c->pasta_pid);
|
||||||
|
|
||||||
for (port = 0; !PORT_IS_EPHEMERAL(port); port++) {
|
if (c->v4) {
|
||||||
if (!bitmap_isset(c->tcp.port_to_init, port))
|
tref.v6 = 0;
|
||||||
|
for (port = 0; port < USHRT_MAX; port++) {
|
||||||
|
if (!bitmap_isset(c->tcp.port4_to_init, port))
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
tref.index = port;
|
tref.index = port;
|
||||||
|
|
||||||
if (c->v4) {
|
|
||||||
tref.v6 = 0;
|
|
||||||
sock_l4(c, AF_INET, IPPROTO_TCP, port, 1, tref.u32);
|
sock_l4(c, AF_INET, IPPROTO_TCP, port, 1, tref.u32);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (c->v6) {
|
if (c->v6) {
|
||||||
tref.v6 = 1;
|
tref.v6 = 1;
|
||||||
|
for (port = 0; port < USHRT_MAX; port++) {
|
||||||
|
if (!bitmap_isset(c->tcp.port6_to_init, port))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
tref.index = port;
|
||||||
sock_l4(c, AF_INET6, IPPROTO_TCP, port, 1, tref.u32);
|
sock_l4(c, AF_INET6, IPPROTO_TCP, port, 1, tref.u32);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -2116,24 +2122,33 @@ int tcp_sock_init(struct ctx *c)
|
||||||
|
|
||||||
getrandom(&c->tcp.hash_secret, sizeof(c->tcp.hash_secret), GRND_RANDOM);
|
getrandom(&c->tcp.hash_secret, sizeof(c->tcp.hash_secret), GRND_RANDOM);
|
||||||
|
|
||||||
for (port = 0; !PORT_IS_EPHEMERAL(port); port++) {
|
if (c->v4) {
|
||||||
if (bitmap_isset(c->tcp.port_to_ns, port))
|
tref.v6 = 0;
|
||||||
|
for (port = 0; port < USHRT_MAX; port++) {
|
||||||
|
if (bitmap_isset(c->tcp.port4_to_ns, port))
|
||||||
tref.splice = 1;
|
tref.splice = 1;
|
||||||
else if (bitmap_isset(c->tcp.port_to_tap, port))
|
else if (bitmap_isset(c->tcp.port4_to_tap, port))
|
||||||
tref.splice = 0;
|
tref.splice = 0;
|
||||||
else
|
else
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
tref.index = port;
|
tref.index = port;
|
||||||
|
|
||||||
if (c->v4) {
|
|
||||||
tref.v6 = 0;
|
|
||||||
sock_l4(c, AF_INET, IPPROTO_TCP, port, tref.splice,
|
sock_l4(c, AF_INET, IPPROTO_TCP, port, tref.splice,
|
||||||
tref.u32);
|
tref.u32);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (c->v6) {
|
if (c->v6) {
|
||||||
tref.v6 = 1;
|
tref.v6 = 1;
|
||||||
|
for (port = 0; port < USHRT_MAX; port++) {
|
||||||
|
if (bitmap_isset(c->tcp.port6_to_ns, port))
|
||||||
|
tref.splice = 1;
|
||||||
|
else if (bitmap_isset(c->tcp.port6_to_tap, port))
|
||||||
|
tref.splice = 0;
|
||||||
|
else
|
||||||
|
continue;
|
||||||
|
|
||||||
|
tref.index = port;
|
||||||
sock_l4(c, AF_INET6, IPPROTO_TCP, port, tref.splice,
|
sock_l4(c, AF_INET6, IPPROTO_TCP, port, tref.splice,
|
||||||
tref.u32);
|
tref.u32);
|
||||||
}
|
}
|
||||||
|
|
18
tcp.h
18
tcp.h
|
@ -38,18 +38,24 @@ union tcp_epoll_ref {
|
||||||
* @hash_secret: 128-bit secret for hash functions, ISN and hash table
|
* @hash_secret: 128-bit secret for hash functions, ISN and hash table
|
||||||
* @tap_conn_count: Count of tap connections in connection table
|
* @tap_conn_count: Count of tap connections in connection table
|
||||||
* @splice_conn_count: Count of spliced connections in connection table
|
* @splice_conn_count: Count of spliced connections in connection table
|
||||||
* @port_to_tap: Ports bound host/init-side, packets to guest/tap
|
* @port4_to_tap: IPv4 ports bound host/init-side, packets to guest/tap
|
||||||
* @port_to_init: Ports bound namespace-side, spliced to init
|
* @port6_to_tap: IPv6 ports bound host/init-side, packets to guest/tap
|
||||||
* @port_to_ns: Ports bound init-side, spliced to namespace
|
* @port4_to_init: IPv4 ports bound namespace-side, spliced to init
|
||||||
|
* @port6_to_init: IPv6 ports bound namespace-side, spliced to init
|
||||||
|
* @port4_to_ns: IPv4 ports bound init-side, spliced to namespace
|
||||||
|
* @port6_to_ns: IPv6 ports bound init-side, spliced to namespace
|
||||||
* @timer_run: Timestamp of most recent timer run
|
* @timer_run: Timestamp of most recent timer run
|
||||||
*/
|
*/
|
||||||
struct tcp_ctx {
|
struct tcp_ctx {
|
||||||
uint64_t hash_secret[2];
|
uint64_t hash_secret[2];
|
||||||
int tap_conn_count;
|
int tap_conn_count;
|
||||||
int splice_conn_count;
|
int splice_conn_count;
|
||||||
uint8_t port_to_tap [USHRT_MAX / 8];
|
uint8_t port4_to_tap [USHRT_MAX / 8];
|
||||||
uint8_t port_to_init [USHRT_MAX / 8];
|
uint8_t port6_to_tap [USHRT_MAX / 8];
|
||||||
uint8_t port_to_ns [USHRT_MAX / 8];
|
uint8_t port4_to_init [USHRT_MAX / 8];
|
||||||
|
uint8_t port6_to_init [USHRT_MAX / 8];
|
||||||
|
uint8_t port4_to_ns [USHRT_MAX / 8];
|
||||||
|
uint8_t port6_to_ns [USHRT_MAX / 8];
|
||||||
struct timespec timer_run;
|
struct timespec timer_run;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
42
udp.c
42
udp.c
|
@ -890,19 +890,24 @@ int udp_sock_init_ns(void *arg)
|
||||||
|
|
||||||
ns_enter(c->pasta_pid);
|
ns_enter(c->pasta_pid);
|
||||||
|
|
||||||
|
if (c->v4) {
|
||||||
|
uref.v6 = 0;
|
||||||
for (port = 0; port < USHRT_MAX; port++) {
|
for (port = 0; port < USHRT_MAX; port++) {
|
||||||
if (!bitmap_isset(c->udp.port_to_init, port))
|
if (!bitmap_isset(c->udp.port4_to_init, port))
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
uref.port = port;
|
uref.port = port;
|
||||||
|
|
||||||
if (c->v4) {
|
|
||||||
uref.v6 = 0;
|
|
||||||
sock_l4(c, AF_INET, IPPROTO_UDP, port, 1, uref.u32);
|
sock_l4(c, AF_INET, IPPROTO_UDP, port, 1, uref.u32);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (c->v6) {
|
if (c->v6) {
|
||||||
uref.v6 = 1;
|
uref.v6 = 1;
|
||||||
|
for (port = 0; port < USHRT_MAX; port++) {
|
||||||
|
if (!bitmap_isset(c->udp.port6_to_init, port))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
uref.port = port;
|
||||||
sock_l4(c, AF_INET6, IPPROTO_UDP, port, 1, uref.u32);
|
sock_l4(c, AF_INET6, IPPROTO_UDP, port, 1, uref.u32);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -976,40 +981,45 @@ int udp_sock_init(struct ctx *c)
|
||||||
in_port_t port;
|
in_port_t port;
|
||||||
int s;
|
int s;
|
||||||
|
|
||||||
|
if (c->v4) {
|
||||||
|
uref.v6 = 0;
|
||||||
for (port = 0; port < USHRT_MAX; port++) {
|
for (port = 0; port < USHRT_MAX; port++) {
|
||||||
if (bitmap_isset(c->udp.port_to_ns, port))
|
if (bitmap_isset(c->udp.port4_to_ns, port))
|
||||||
uref.splice = UDP_TO_NS;
|
uref.splice = UDP_TO_NS;
|
||||||
else if (bitmap_isset(c->udp.port_to_tap, port))
|
else if (bitmap_isset(c->udp.port4_to_tap, port))
|
||||||
uref.splice = 0;
|
uref.splice = 0;
|
||||||
else
|
else
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
uref.port = port;
|
uref.port = port;
|
||||||
|
|
||||||
if (c->v4) {
|
|
||||||
uref.v6 = 0;
|
|
||||||
s = sock_l4(c, AF_INET, IPPROTO_UDP, port,
|
s = sock_l4(c, AF_INET, IPPROTO_UDP, port,
|
||||||
uref.splice == UDP_TO_NS, uref.u32);
|
uref.splice == UDP_TO_NS, uref.u32);
|
||||||
|
|
||||||
if (!uref.splice && s > 0)
|
if (!uref.splice && s > 0)
|
||||||
udp_tap_map[V4][port].sock = s;
|
udp_tap_map[V4][port].sock = s;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
udp_sock4_iov_init();
|
||||||
|
}
|
||||||
|
|
||||||
if (c->v6) {
|
if (c->v6) {
|
||||||
uref.v6 = 1;
|
uref.v6 = 1;
|
||||||
|
for (port = 0; port < USHRT_MAX; port++) {
|
||||||
|
if (bitmap_isset(c->udp.port6_to_ns, port))
|
||||||
|
uref.splice = UDP_TO_NS;
|
||||||
|
else if (bitmap_isset(c->udp.port6_to_tap, port))
|
||||||
|
uref.splice = 0;
|
||||||
|
else
|
||||||
|
continue;
|
||||||
|
|
||||||
|
uref.port = port;
|
||||||
s = sock_l4(c, AF_INET6, IPPROTO_UDP, port,
|
s = sock_l4(c, AF_INET6, IPPROTO_UDP, port,
|
||||||
uref.splice == UDP_TO_NS, uref.u32);
|
uref.splice == UDP_TO_NS, uref.u32);
|
||||||
|
|
||||||
if (!uref.splice && s > 0)
|
if (!uref.splice && s > 0)
|
||||||
udp_tap_map[V6][port].sock = s;
|
udp_tap_map[V6][port].sock = s;
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
if (c->v4)
|
|
||||||
udp_sock4_iov_init();
|
|
||||||
|
|
||||||
if (c->v6)
|
|
||||||
udp_sock6_iov_init();
|
udp_sock6_iov_init();
|
||||||
|
}
|
||||||
|
|
||||||
if (c->mode == MODE_PASTA) {
|
if (c->mode == MODE_PASTA) {
|
||||||
udp_splice_iov_init();
|
udp_splice_iov_init();
|
||||||
|
|
17
udp.h
17
udp.h
|
@ -38,15 +38,20 @@ union udp_epoll_ref {
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* struct udp_ctx - Execution context for UDP
|
* struct udp_ctx - Execution context for UDP
|
||||||
* @port_to_tap: Ports bound host/init-side, packets to guest/tap
|
* @port6_to_tap: IPv6 ports bound host/init-side, packets to guest/tap
|
||||||
* @port_to_init: Ports bound namespace-side, spliced to init
|
* @port4_to_init: IPv4 ports bound namespace-side, spliced to init
|
||||||
* @port_to_ns: Ports bound init-side, spliced to namespace
|
* @port6_to_init: IPv6 ports bound namespace-side, spliced to init
|
||||||
|
* @port4_to_ns: IPv4 ports bound init-side, spliced to namespace
|
||||||
|
* @port6_to_ns: IPv6 ports bound init-side, spliced to namespace
|
||||||
* @timer_run: Timestamp of most recent timer run
|
* @timer_run: Timestamp of most recent timer run
|
||||||
*/
|
*/
|
||||||
struct udp_ctx {
|
struct udp_ctx {
|
||||||
uint8_t port_to_tap [USHRT_MAX / 8];
|
uint8_t port4_to_tap [USHRT_MAX / 8];
|
||||||
uint8_t port_to_init [USHRT_MAX / 8];
|
uint8_t port6_to_tap [USHRT_MAX / 8];
|
||||||
uint8_t port_to_ns [USHRT_MAX / 8];
|
uint8_t port4_to_init [USHRT_MAX / 8];
|
||||||
|
uint8_t port6_to_init [USHRT_MAX / 8];
|
||||||
|
uint8_t port4_to_ns [USHRT_MAX / 8];
|
||||||
|
uint8_t port6_to_ns [USHRT_MAX / 8];
|
||||||
struct timespec timer_run;
|
struct timespec timer_run;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue