On Wed, 16 Apr 2025 19:07:03 +1000 David Gibson <david(a)gibson.dropbear.id.au> wrote:We now propagate ICMP errors on UDP flows back into ICMP packets on the tap interface. However, we don't always get the source address right for the synthesized message. Because ICMPs can be generated by intermediate routers, that source address might not be one of the endpoints, so the address translation we already have isn't sufficient. Implement properly translating ICMP addresses when we need to. This ended up a bit messier than I hoped, but it seems to work. A simple case to test this is: pasta --config-net --map-host-loopback=172.16.1.1 -- \ sh -c "echo hello | socat STDIO UDP4:172.16.1.1:10001" where 10001 is a port where nothing is listening on the host.Oh, that's convenient. I also checked this against the "bad resolver address" case I reported previously, everything "works": # nslookup passt.top 169.254.1.1 ;; communications error to 169.254.1.1#53: connection refused ;; communications error to 169.254.1.1#53: connection refused ;; communications error to 169.254.1.1#53: connection refused ;; no servers could be reached Except for those few comments to 2/4 and 3/4, everything else looks good to me. -- Stefano