Handling of each protocol needs some degree of tracking of the
addresses and ports at the end of each connection or flow.  Sometimes
that's explicit (as in the guest visible addresses for TCP
connections), sometimes implicit (the bound and connected addresses of
sockets).

To allow more consistent handling across protocols we want to
uniformly track the address and port at each end of the connection.
Furthermore, because we allow port remapping, and we sometimes need to
apply NAT, the addresses and ports can be different as seen by the
guest/namespace and as by the host.

Introduce 'struct flowside' to keep track of address and port
information related to one side of a flow. Store two of these in the
common fields of a flow to track that information for both sides.

For now we only populate the initiating side, requiring that
information be completed when a flows enter INI.  Later patches will
populate the target side.

For now this leaves some information redundantly recorded in both generic
and type specific fields.  We'll fix that in later patches.

Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au>
---
 flow.c       | 96 +++++++++++++++++++++++++++++++++++++++++++++++++---
 flow.h       | 16 +++++++++
 flow_table.h |  8 ++++-
 icmp.c       |  9 +++--
 passt.h      |  3 ++
 tcp.c        |  6 ++--
 6 files changed, 127 insertions(+), 11 deletions(-)

diff --git a/flow.c b/flow.c
index d05aa495..1819111d 100644
--- a/flow.c
+++ b/flow.c
@@ -108,6 +108,31 @@ static const union flow *flow_new_entry; /* = NULL */
 /* Last time the flow timers ran */
 static struct timespec flow_timer_run;
 
+/** flowside_from_af() - Initialise flowside from addresses
+ * @fside:	flowside to initialise
+ * @af:		Address family (AF_INET or AF_INET6)
+ * @eaddr:	Endpoint address (pointer to in_addr or in6_addr)
+ * @eport:	Endpoint port
+ * @faddr:	Forwarding address (pointer to in_addr or in6_addr)
+ * @fport:	Forwarding port
+ */
+static void flowside_from_af(struct flowside *fside, sa_family_t af,
+			     const void *eaddr, in_port_t eport,
+			     const void *faddr, in_port_t fport)
+{
+	if (faddr)
+		inany_from_af(&fside->faddr, af, faddr);
+	else
+		fside->faddr = inany_any6;
+	fside->fport = fport;
+
+	if (eaddr)
+		inany_from_af(&fside->eaddr, af, eaddr);
+	else
+		fside->eaddr = inany_any6;
+	fside->eport = eport;
+}
+
 /** flow_log_ - Log flow-related message
  * @f:		flow the message is related to
  * @pri:	Log priority
@@ -140,6 +165,8 @@ void flow_log_(const struct flow_common *f, int pri, const char *fmt,
...)
  */
 static void flow_set_state(struct flow_common *f, enum flow_state state)
 {
+	char estr[INANY_ADDRSTRLEN], fstr[INANY_ADDRSTRLEN];
+	const struct flowside *ini = &f->side[INISIDE];
 	uint8_t oldstate = f->state;
 
 	ASSERT(state < FLOW_NUM_STATES);
@@ -150,18 +177,28 @@ static void flow_set_state(struct flow_common *f, enum flow_state
state)
 		  FLOW_STATE(f));
 
 	if (MAX(state, oldstate) >= FLOW_STATE_TGT)
-		flow_log_(f, LOG_DEBUG, "%s => %s", pif_name(f->pif[INISIDE]),
-			                            pif_name(f->pif[TGTSIDE]));
+		flow_log_(f, LOG_DEBUG, "%s [%s]:%hu -> [%s]:%hu => %s",
+			  pif_name(f->pif[INISIDE]),
+			  inany_ntop(&ini->eaddr, estr, sizeof(estr)),
+			  ini->eport,
+			  inany_ntop(&ini->faddr, fstr, sizeof(fstr)),
+			  ini->fport,
+			  pif_name(f->pif[TGTSIDE]));
 	else if (MAX(state, oldstate) >= FLOW_STATE_INI)
-		flow_log_(f, LOG_DEBUG, "%s => ?", pif_name(f->pif[INISIDE]));
+		flow_log_(f, LOG_DEBUG, "%s [%s]:%hu -> [%s]:%hu => ?",
+			  pif_name(f->pif[INISIDE]),
+			  inany_ntop(&ini->eaddr, estr, sizeof(estr)),
+			  ini->eport,
+			  inany_ntop(&ini->faddr, fstr, sizeof(fstr)),
+			  ini->fport);
 }
 
 /**
- * flow_initiate() - Move flow to INI, setting INISIDE details
+ * flow_initiate_() - Move flow to INI, setting setting pif[INISIDE]
  * @flow:	Flow to change state
  * @pif:	pif of the initiating side
  */
-void flow_initiate(union flow *flow, uint8_t pif)
+static void flow_initiate_(union flow *flow, uint8_t pif)
 {
 	struct flow_common *f = &flow->f;
 
@@ -174,6 +211,55 @@ void flow_initiate(union flow *flow, uint8_t pif)
 	flow_set_state(f, FLOW_STATE_INI);
 }
 
+/**
+ * flow_initiate_af() - Move flow to INI, setting INISIDE details
+ * @flow:	Flow to change state
+ * @pif:	pif of the initiating side
+ * @af:		Address family of @eaddr and @faddr
+ * @saddr:	Source address (pointer to in_addr or in6_addr)
+ * @sport:	Endpoint port
+ * @daddr:	Destination address (pointer to in_addr or in6_addr)
+ * @dport:	Destination port
+ *
+ * Return: pointer to the initiating flowside information
+ */
+const struct flowside *flow_initiate_af(union flow *flow, uint8_t pif,
+					sa_family_t af,
+					const void *saddr, in_port_t sport,
+					const void *daddr, in_port_t dport)
+{
+	struct flowside *ini = &flow->f.side[INISIDE];
+
+	flowside_from_af(ini, af, saddr, sport, daddr, dport);
+	flow_initiate_(flow, pif);
+	return ini;
+}
+
+/**
+ * flow_initiate_sa() - Move flow to INI, setting INISIDE details
+ * @flow:	Flow to change state
+ * @pif:	pif of the initiating side
+ * @ssa:	Source socket address
+ * @dport:	Destination port
+ *
+ * Return: pointer to the initiating flowside information
+ */
+const struct flowside *flow_initiate_sa(union flow *flow, uint8_t pif,
+					const union sockaddr_inany *ssa,
+					in_port_t dport)
+{
+	struct flowside *ini = &flow->f.side[INISIDE];
+
+	inany_from_sockaddr(&ini->eaddr, &ini->eport, ssa);
+	if (inany_v4(&ini->eaddr))
+		ini->faddr = inany_any4;
+	else
+		ini->faddr = inany_any6;
+	ini->fport = dport;
+	flow_initiate_(flow, pif);
+	return ini;
+}
+
 /**
  * flow_target() - Move flow to TGT, setting TGTSIDE details
  * @flow:	Flow to change state
diff --git a/flow.h b/flow.h
index 29ef9f12..b873ea7f 100644
--- a/flow.h
+++ b/flow.h
@@ -135,11 +135,26 @@ extern const uint8_t flow_proto[];
 #define INISIDE			0	/* Initiating side */
 #define TGTSIDE			1	/* Target side */
 
+/**
+ * struct flowside - Address information for one side of a flow
+ * @eaddr:	Endpoint address (remote address from passt's PoV)
+ * @faddr:	Forwarding address (local address from passt's PoV)
+ * @eport:	Endpoint port
+ * @fport:	Forwarding port
+ */
+struct flowside {
+	union inany_addr	faddr;
+	union inany_addr	eaddr;
+	in_port_t		fport;
+	in_port_t		eport;
+};
+
 /**
  * struct flow_common - Common fields for packet flows
  * @state:	State of the flow table entry
  * @type:	Type of packet flow
  * @pif[]:	Interface for each side of the flow
+ * @side[]:	Information for each side of the flow
  */
 struct flow_common {
 #ifdef __GNUC__
@@ -154,6 +169,7 @@ struct flow_common {
 		      "Not enough bits for type field");
 #endif
 	uint8_t		pif[SIDES];
+	struct flowside	side[SIDES];
 };
 
 #define FLOW_INDEX_BITS		17	/* 128k - 1 */
diff --git a/flow_table.h b/flow_table.h
index 1b163491..2e912532 100644
--- a/flow_table.h
+++ b/flow_table.h
@@ -107,7 +107,13 @@ static inline flow_sidx_t flow_sidx(const struct flow_common *f,
 union flow *flow_alloc(void);
 void flow_alloc_cancel(union flow *flow);
 
-void flow_initiate(union flow *flow, uint8_t pif);
+const struct flowside *flow_initiate_af(union flow *flow, uint8_t pif,
+					sa_family_t af,
+					const void *saddr, in_port_t sport,
+					const void *daddr, in_port_t dport);
+const struct flowside *flow_initiate_sa(union flow *flow, uint8_t pif,
+					const union sockaddr_inany *ssa,
+					in_port_t dport);
 void flow_target(union flow *flow, uint8_t pif);
 
 union flow *flow_set_type(union flow *flow, enum flow_type type);
diff --git a/icmp.c b/icmp.c
index 80330f6f..38d1deeb 100644
--- a/icmp.c
+++ b/icmp.c
@@ -146,12 +146,15 @@ static void icmp_ping_close(const struct ctx *c,
  * @id_sock:	Pointer to ping flow entry slot in icmp_id_map[] to update
  * @af:		Address family, AF_INET or AF_INET6
  * @id:		ICMP id for the new socket
+ * @saddr:	Source address
+ * @daddr:	Destination address
  *
  * Return: Newly opened ping flow, or NULL on failure
  */
 static struct icmp_ping_flow *icmp_ping_new(const struct ctx *c,
 					    struct icmp_ping_flow **id_sock,
-					    sa_family_t af, uint16_t id)
+					    sa_family_t af, uint16_t id,
+					    const void *saddr, const void *daddr)
 {
 	uint8_t flowtype = af == AF_INET ? FLOW_PING4 : FLOW_PING6;
 	union epoll_ref ref = { .type = EPOLL_TYPE_PING };
@@ -163,7 +166,7 @@ static struct icmp_ping_flow *icmp_ping_new(const struct ctx *c,
 	if (!flow)
 		return NULL;
 
-	flow_initiate(flow, PIF_TAP);
+	flow_initiate_af(flow, PIF_TAP, af, saddr, id, daddr, id);
 	flow_target(flow, PIF_HOST);
 	pingf = FLOW_SET_TYPE(flow, flowtype, ping);
 
@@ -269,7 +272,7 @@ int icmp_tap_handler(const struct ctx *c, uint8_t pif, sa_family_t
af,
 	}
 
 	if (!(pingf = *id_sock))
-		if (!(pingf = icmp_ping_new(c, id_sock, af, id)))
+		if (!(pingf = icmp_ping_new(c, id_sock, af, id, saddr, daddr)))
 			return 1;
 
 	pingf->ts = now->tv_sec;
diff --git a/passt.h b/passt.h
index 46d073a2..76810867 100644
--- a/passt.h
+++ b/passt.h
@@ -17,6 +17,9 @@ union epoll_ref;
 
 #include "pif.h"
 #include "packet.h"
+#include "siphash.h"
+#include "ip.h"
+#include "inany.h"
 #include "flow.h"
 #include "icmp.h"
 #include "fwd.h"
diff --git a/tcp.c b/tcp.c
index 68524235..07a2eb1c 100644
--- a/tcp.c
+++ b/tcp.c
@@ -1629,7 +1629,7 @@ static void tcp_conn_from_tap(struct ctx *c, sa_family_t af,
 	if (!(flow = flow_alloc()))
 		return;
 
-	flow_initiate(flow, PIF_TAP);
+	flow_initiate_af(flow, PIF_TAP, af, saddr, srcport, daddr, dstport);
 
 	if (af == AF_INET) {
 		if (IN4_IS_ADDR_UNSPECIFIED(saddr) ||
@@ -2288,7 +2288,9 @@ void tcp_listen_handler(struct ctx *c, union epoll_ref ref,
 	if (s < 0)
 		goto cancel;
 
-	flow_initiate(flow, ref.tcp_listen.pif);
+	/* FIXME: When listening port has a specific bound address, record that
+	 * as the forwarding address */
+	flow_initiate_sa(flow, ref.tcp_listen.pif, &sa, ref.tcp_listen.port);
 
 	if (sa.sa_family == AF_INET) {
 		const struct in_addr *addr = &sa.sa4.sin_addr;
-- 
2.45.2

Some information we explicitly store in the TCP connection is now
duplicated in the common flow structure.  Access it from there instead, and
remove it from the TCP specific structure.   With that done we can reorder
both the "tap" and "splice" TCP structures a bit to get better packing
for
the new combined flow table entries.

Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au>
---
 tcp.c          | 52 ++++++++++++++++++++++++++------------------------
 tcp_conn.h     | 40 +++++++++++++++-----------------------
 tcp_internal.h |  6 +++++-
 3 files changed, 47 insertions(+), 51 deletions(-)

diff --git a/tcp.c b/tcp.c
index c6cd0c72..30ad3dd4 100644
--- a/tcp.c
+++ b/tcp.c
@@ -333,8 +333,6 @@
 
 #define ACK_IF_NEEDED	0		/* See tcp_send_flag() */
 
-#define TAPSIDE(conn_)	((conn_)->f.pif[1] == PIF_TAP)
-
 #define CONN_IS_CLOSING(conn)						\
 	(((conn)->events & ESTABLISHED) &&				\
 	 ((conn)->events & (SOCK_FIN_RCVD | TAP_FIN_RCVD)))
@@ -635,10 +633,11 @@ void conn_event_do(const struct ctx *c, struct tcp_tap_conn *conn,
  */
 static int tcp_rtt_dst_low(const struct tcp_tap_conn *conn)
 {
+	const struct flowside *tapside = TAPFLOW(conn);
 	int i;
 
 	for (i = 0; i < LOW_RTT_TABLE_SIZE; i++)
-		if (inany_equals(&conn->faddr, low_rtt_dst + i))
+		if (inany_equals(&tapside->faddr, low_rtt_dst + i))
 			return 1;
 
 	return 0;
@@ -653,6 +652,7 @@ static void tcp_rtt_dst_check(const struct tcp_tap_conn *conn,
 			      const struct tcp_info *tinfo)
 {
 #ifdef HAS_MIN_RTT
+	const struct flowside *tapside = TAPFLOW(conn);
 	int i, hole = -1;
 
 	if (!tinfo->tcpi_min_rtt ||
@@ -660,7 +660,7 @@ static void tcp_rtt_dst_check(const struct tcp_tap_conn *conn,
 		return;
 
 	for (i = 0; i < LOW_RTT_TABLE_SIZE; i++) {
-		if (inany_equals(&conn->faddr, low_rtt_dst + i))
+		if (inany_equals(&tapside->faddr, low_rtt_dst + i))
 			return;
 		if (hole == -1 && IN6_IS_ADDR_UNSPECIFIED(low_rtt_dst + i))
 			hole = i;
@@ -672,7 +672,7 @@ static void tcp_rtt_dst_check(const struct tcp_tap_conn *conn,
 	if (hole == -1)
 		return;
 
-	low_rtt_dst[hole++] = conn->faddr;
+	low_rtt_dst[hole++] = tapside->faddr;
 	if (hole == LOW_RTT_TABLE_SIZE)
 		hole = 0;
 	inany_from_af(low_rtt_dst + hole, AF_INET6, &in6addr_any);
@@ -827,8 +827,10 @@ static int tcp_hash_match(const struct tcp_tap_conn *conn,
 			  const union inany_addr *faddr,
 			  in_port_t eport, in_port_t fport)
 {
-	if (inany_equals(&conn->faddr, faddr) &&
-	    conn->eport == eport && conn->fport == fport)
+	const struct flowside *tapside = TAPFLOW(conn);
+
+	if (inany_equals(&tapside->faddr, faddr) &&
+	    tapside->eport == eport && tapside->fport == fport)
 		return 1;
 
 	return 0;
@@ -862,7 +864,10 @@ static uint64_t tcp_hash(const struct ctx *c, const union inany_addr
*faddr,
 static uint64_t tcp_conn_hash(const struct ctx *c,
 			      const struct tcp_tap_conn *conn)
 {
-	return tcp_hash(c, &conn->faddr, conn->eport, conn->fport);
+	const struct flowside *tapside = TAPFLOW(conn);
+
+	return tcp_hash(c, &tapside->faddr, tapside->eport,
+			tapside->fport);
 }
 
 /**
@@ -998,10 +1003,12 @@ void tcp_defer_handler(struct ctx *c)
  * @seq:	Sequence number
  */
 static void tcp_fill_header(struct tcphdr *th,
-			       const struct tcp_tap_conn *conn, uint32_t seq)
+			    const struct tcp_tap_conn *conn, uint32_t seq)
 {
-	th->source = htons(conn->fport);
-	th->dest = htons(conn->eport);
+	const struct flowside *tapside = TAPFLOW(conn);
+
+	th->source = htons(tapside->fport);
+	th->dest = htons(tapside->eport);
 	th->seq = htonl(seq);
 	th->ack_seq = htonl(conn->seq_ack_to_tap);
 	if (conn->events & ESTABLISHED)	{
@@ -1033,7 +1040,8 @@ static size_t tcp_fill_headers4(const struct ctx *c,
 				size_t dlen, const uint16_t *check,
 				uint32_t seq)
 {
-	const struct in_addr *a4 = inany_v4(&conn->faddr);
+	const struct flowside *tapside = TAPFLOW(conn);
+	const struct in_addr *a4 = inany_v4(&tapside->faddr);
 	size_t l4len = dlen + sizeof(*th);
 	size_t l3len = l4len + sizeof(*iph);
 
@@ -1075,10 +1083,11 @@ static size_t tcp_fill_headers6(const struct ctx *c,
 				struct ipv6hdr *ip6h, struct tcphdr *th,
 				size_t dlen, uint32_t seq)
 {
+	const struct flowside *tapside = TAPFLOW(conn);
 	size_t l4len = dlen + sizeof(*th);
 
 	ip6h->payload_len = htons(l4len);
-	ip6h->saddr = conn->faddr.a6;
+	ip6h->saddr = tapside->faddr.a6;
 	if (IN6_IS_ADDR_LINKLOCAL(&ip6h->saddr))
 		ip6h->daddr = c->ip6.addr_ll_seen;
 	else
@@ -1117,7 +1126,8 @@ size_t tcp_l2_buf_fill_headers(const struct ctx *c,
 			       struct iovec *iov, size_t dlen,
 			       const uint16_t *check, uint32_t seq)
 {
-	const struct in_addr *a4 = inany_v4(&conn->faddr);
+	const struct flowside *tapside = TAPFLOW(conn);
+	const struct in_addr *a4 = inany_v4(&tapside->faddr);
 
 	if (a4) {
 		return tcp_fill_headers4(c, conn, iov[TCP_IOV_TAP].iov_base,
@@ -1420,6 +1430,7 @@ static void tcp_seq_init(const struct ctx *c, struct tcp_tap_conn
*conn,
 			 const struct timespec *now)
 {
 	struct siphash_state state = SIPHASH_INIT(c->hash_secret);
+	const struct flowside *tapside = TAPFLOW(conn);
 	union inany_addr aany;
 	uint64_t hash;
 	uint32_t ns;
@@ -1429,10 +1440,10 @@ static void tcp_seq_init(const struct ctx *c, struct tcp_tap_conn
*conn,
 	else
 		inany_from_af(&aany, AF_INET6, &c->ip6.addr);
 
-	inany_siphash_feed(&state, &conn->faddr);
+	inany_siphash_feed(&state, &tapside->faddr);
 	inany_siphash_feed(&state, &aany);
 	hash = siphash_final(&state, 36,
-			     (uint64_t)conn->fport << 16 | conn->eport);
+			     (uint64_t)tapside->fport << 16 | tapside->eport);
 
 	/* 32ns ticks, overflows 32 bits every 137s */
 	ns = (now->tv_sec * 1000000000 + now->tv_nsec) >> 5;
@@ -1707,11 +1718,6 @@ static void tcp_conn_from_tap(struct ctx *c, sa_family_t af,
 	if (!(conn->wnd_from_tap = (htons(th->window) >> conn->ws_from_tap)))
 		conn->wnd_from_tap = 1;
 
-	inany_from_af(&conn->faddr, af, daddr);
-
-	conn->fport = dstport;
-	conn->eport = srcport;
-
 	conn->seq_init_from_tap = ntohl(th->seq);
 	conn->seq_from_tap = conn->seq_init_from_tap + 1;
 	conn->seq_ack_to_tap = conn->seq_from_tap;
@@ -2254,10 +2260,6 @@ static void tcp_tap_conn_from_sock(struct ctx *c, in_port_t
dstport,
 	conn->ws_to_tap = conn->ws_from_tap = 0;
 	conn_event(c, conn, SOCK_ACCEPTED);
 
-	conn->faddr = saddr;
-	conn->fport = srcport;
-	conn->eport = dstport;
-
 	tcp_seq_init(c, conn, now);
 	tcp_hash_insert(c, conn);
 
diff --git a/tcp_conn.h b/tcp_conn.h
index 5f8c8fb6..b741ce32 100644
--- a/tcp_conn.h
+++ b/tcp_conn.h
@@ -13,19 +13,16 @@
  * struct tcp_tap_conn - Descriptor for a TCP connection (not spliced)
  * @f:			Generic flow information
  * @in_epoll:		Is the connection in the epoll set?
+ * @retrans:		Number of retransmissions occurred due to ACK_TIMEOUT
+ * @ws_from_tap:	Window scaling factor advertised from tap/guest
+ * @ws_to_tap:		Window scaling factor advertised to tap/guest
  * @tap_mss:		MSS advertised by tap/guest, rounded to 2 ^ TCP_MSS_BITS
  * @sock:		Socket descriptor number
  * @events:		Connection events, implying connection states
  * @timer:		timerfd descriptor for timeout events
  * @flags:		Connection flags representing internal attributes
- * @retrans:		Number of retransmissions occurred due to ACK_TIMEOUT
- * @ws_from_tap:	Window scaling factor advertised from tap/guest
- * @ws_to_tap:		Window scaling factor advertised to tap/guest
  * @sndbuf:		Sending buffer in kernel, rounded to 2 ^ SNDBUF_BITS
  * @seq_dup_ack_approx:	Last duplicate ACK number sent to tap
- * @faddr:		Guest side forwarding address (guest's remote address)
- * @eport:		Guest side endpoint port (guest's local port)
- * @fport:		Guest side forwarding port (guest's remote port)
  * @wnd_from_tap:	Last window size from tap, unscaled (as received)
  * @wnd_to_tap:		Sending window advertised to tap, unscaled (as sent)
  * @seq_to_tap:		Next sequence for packets to tap
@@ -49,6 +46,10 @@ struct tcp_tap_conn {
 	unsigned int	ws_from_tap	:TCP_WS_BITS;
 	unsigned int	ws_to_tap	:TCP_WS_BITS;
 
+#define TCP_MSS_BITS			14
+	unsigned int	tap_mss		:TCP_MSS_BITS;
+#define MSS_SET(conn, mss)	(conn->tap_mss = (mss >> (16 - TCP_MSS_BITS)))
+#define MSS_GET(conn)		(conn->tap_mss << (16 - TCP_MSS_BITS))
 
 	int		sock		:FD_REF_BITS;
 
@@ -77,13 +78,6 @@ struct tcp_tap_conn {
 #define ACK_TO_TAP_DUE		BIT(3)
 #define ACK_FROM_TAP_DUE	BIT(4)
 
-
-#define TCP_MSS_BITS			14
-	unsigned int	tap_mss		:TCP_MSS_BITS;
-#define MSS_SET(conn, mss)	(conn->tap_mss = (mss >> (16 - TCP_MSS_BITS)))
-#define MSS_GET(conn)		(conn->tap_mss << (16 - TCP_MSS_BITS))
-
-
 #define SNDBUF_BITS		24
 	unsigned int	sndbuf		:SNDBUF_BITS;
 #define SNDBUF_SET(conn, bytes)	(conn->sndbuf = ((bytes) >> (32 -
SNDBUF_BITS)))
@@ -91,11 +85,6 @@ struct tcp_tap_conn {
 
 	uint8_t		seq_dup_ack_approx;
 
-
-	union inany_addr faddr;
-	in_port_t	eport;
-	in_port_t	fport;
-
 	uint16_t	wnd_from_tap;
 	uint16_t	wnd_to_tap;
 
@@ -109,22 +98,24 @@ struct tcp_tap_conn {
 /**
  * struct tcp_splice_conn - Descriptor for a spliced TCP connection
  * @f:			Generic flow information
- * @in_epoll:		Is the connection in the epoll set?
  * @s:			File descriptor for sockets
  * @pipe:		File descriptors for pipes
- * @events:		Events observed/actions performed on connection
- * @flags:		Connection flags (attributes, not events)
  * @read:		Bytes read (not fully written to other side in one shot)
  * @written:		Bytes written (not fully written from one other side read)
-*/
+ * @events:		Events observed/actions performed on connection
+ * @flags:		Connection flags (attributes, not events)
+ * @in_epoll:		Is the connection in the epoll set?
+ */
 struct tcp_splice_conn {
 	/* Must be first element */
 	struct flow_common f;
 
-	bool in_epoll	:1;
 	int s[SIDES];
 	int pipe[SIDES][2];
 
+	uint32_t read[SIDES];
+	uint32_t written[SIDES];
+
 	uint8_t events;
 #define SPLICE_CLOSED			0
 #define SPLICE_CONNECT			BIT(0)
@@ -144,8 +135,7 @@ struct tcp_splice_conn {
 #define RCVLOWAT_ACT_1			BIT(4)
 #define CLOSING				BIT(5)
 
-	uint32_t read[SIDES];
-	uint32_t written[SIDES];
+		bool in_epoll	:1;
 };
 
 /* Socket pools */
diff --git a/tcp_internal.h b/tcp_internal.h
index 51aaa169..4f61e5c3 100644
--- a/tcp_internal.h
+++ b/tcp_internal.h
@@ -39,7 +39,11 @@
 #define OPT_SACKP	4
 #define OPT_SACK	5
 #define OPT_TS		8
-#define CONN_V4(conn)		(!!inany_v4(&(conn)->faddr))
+
+#define TAPSIDE(conn_)	((conn_)->f.pif[1] == PIF_TAP)
+#define TAPFLOW(conn_)	(&((conn_)->f.side[TAPSIDE(conn_)]))
+
+#define CONN_V4(conn)		(!!inany_v4(&TAPFLOW(conn)->faddr))
 #define CONN_V6(conn)		(!CONN_V4(conn))
 
 /*
-- 
2.45.2

For now when we forward a connection to the host we leave the host side
forwarding address and port blank since we don't necessarily know what
source address and port will be used by the kernel.  When the outbound
address option is active, though, we do know the address at least, so we
can record it in the flowside.

Having done that, use it as the primary source of truth, binding the
outgoing socket based on the information in there.  This allows the
possibility of more complex rules for what outbound address and/or port
we use in future.

Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au>
---
 tcp.c | 93 ++++++++++++++++++++++++++++++-----------------------------
 1 file changed, 47 insertions(+), 46 deletions(-)

diff --git a/tcp.c b/tcp.c
index df625751..74883312 100644
--- a/tcp.c
+++ b/tcp.c
@@ -1536,53 +1536,48 @@ static uint16_t tcp_conn_tap_mss(const struct tcp_tap_conn *conn,
 /**
  * tcp_bind_outbound() - Bind socket to outbound address and interface if given
  * @c:		Execution context
+ * @conn:	Connection entry for socket to bind
  * @s:		Outbound TCP socket
- * @af:		Address family
  */
-static void tcp_bind_outbound(const struct ctx *c, int s, sa_family_t af)
+static void tcp_bind_outbound(const struct ctx *c,
+			      const struct tcp_tap_conn *conn, int s)
 {
-	if (af == AF_INET) {
-		if (!IN4_IS_ADDR_UNSPECIFIED(&c->ip4.addr_out)) {
-			struct sockaddr_in addr4 = {
-				.sin_family = AF_INET,
-				.sin_port = 0,
-				.sin_addr = c->ip4.addr_out,
-			};
-
-			if (bind(s, (struct sockaddr *)&addr4, sizeof(addr4))) {
-				debug("Can't bind IPv4 TCP socket address: %s",
-				      strerror(errno));
-			}
+	const struct flowside *tgt = &conn->f.side[TGTSIDE];
+	union sockaddr_inany bind_sa;
+	socklen_t sl;
+
+	sockaddr_from_inany(&bind_sa, &sl,
+			    &tgt->faddr, tgt->fport, c->ifi6);
+
+	if (!inany_is_unspecified(&tgt->faddr) || tgt->fport) {
+		if (bind(s, &bind_sa.sa, sl)) {
+			char sstr[INANY_ADDRSTRLEN];
+
+			flow_dbg(conn,
+				 "Can't bind TCP outbound socket to %s:%hu: %s",
+				 inany_ntop(&tgt->faddr, sstr, sizeof(sstr)),
+				 tgt->fport, strerror(errno));
 		}
+	}
 
+	if (bind_sa.sa_family == AF_INET) {
 		if (*c->ip4.ifname_out) {
 			if (setsockopt(s, SOL_SOCKET, SO_BINDTODEVICE,
 				       c->ip4.ifname_out,
 				       strlen(c->ip4.ifname_out))) {
-				debug("Can't bind IPv4 TCP socket to interface:"
-				      " %s", strerror(errno));
-			}
-		}
-	} else if (af == AF_INET6) {
-		if (!IN6_IS_ADDR_UNSPECIFIED(&c->ip6.addr_out)) {
-			struct sockaddr_in6 addr6 = {
-				.sin6_family = AF_INET6,
-				.sin6_port = 0,
-				.sin6_addr = c->ip6.addr_out,
-			};
-
-			if (bind(s, (struct sockaddr *)&addr6, sizeof(addr6))) {
-				debug("Can't bind IPv6 TCP socket address: %s",
-				      strerror(errno));
+				flow_dbg(conn, "Can't bind IPv4 TCP socket to"
+					 " interface %s: %s", c->ip4.ifname_out,
+					 strerror(errno));
 			}
 		}
-
+	} else if (bind_sa.sa_family == AF_INET6) {
 		if (*c->ip6.ifname_out) {
 			if (setsockopt(s, SOL_SOCKET, SO_BINDTODEVICE,
 				       c->ip6.ifname_out,
 				       strlen(c->ip6.ifname_out))) {
-				debug("Can't bind IPv6 TCP socket to interface:"
-				      " %s", strerror(errno));
+				flow_dbg(conn, "Can't bind IPv6 TCP socket to"
+					 " interface %s: %s", c->ip6.ifname_out,
+					 strerror(errno));
 			}
 		}
 	}
@@ -1606,9 +1601,9 @@ static void tcp_conn_from_tap(struct ctx *c, sa_family_t af,
 {
 	in_port_t srcport = ntohs(th->source);
 	in_port_t dstport = ntohs(th->dest);
+	union inany_addr srcaddr, dstaddr; /* FIXME: Avoid bulky temporaries */
 	const struct flowside *ini, *tgt;
 	struct tcp_tap_conn *conn;
-	union inany_addr dstaddr; /* FIXME: Avoid bulky temporary */
 	union sockaddr_inany sa;
 	union flow *flow;
 	int s = -1, mss;
@@ -1666,23 +1661,27 @@ static void tcp_conn_from_tap(struct ctx *c, sa_family_t af,
 			dstaddr = inany_loopback6;
 	}
 
+	if (inany_is_linklocal6(&dstaddr)) {
+		srcaddr.a6 = c->ip6.addr_ll;
+	} else if (inany_is_loopback(&dstaddr)) {
+		srcaddr = dstaddr;
+	} else if (inany_v4(&dstaddr)) {
+		if (!IN4_IS_ADDR_UNSPECIFIED(&c->ip4.addr_out))
+			srcaddr = inany_from_v4(c->ip4.addr_out);
+		else
+			srcaddr = inany_any4;
+	} else {
+		if (!IN6_IS_ADDR_UNSPECIFIED(&c->ip6.addr_out))
+			srcaddr.a6 = c->ip6.addr_out;
+		else
+			srcaddr = inany_any6;
+	}
+
 	/* FIXME: Record outbound source address when known */
 	tgt = flow_target_af(flow, PIF_HOST, AF_INET6,
-			     NULL, 0, /* Kernel decides source address */
+			     &srcaddr, 0, /* Kernel decides source port */
 			     &dstaddr, dstport);
 
-	if (inany_is_linklocal6(&tgt->eaddr)) {
-		struct sockaddr_in6 addr6_ll = {
-			.sin6_family = AF_INET6,
-			.sin6_addr = c->ip6.addr_ll,
-			.sin6_scope_id = c->ifi6,
-		};
-		if (bind(s, (struct sockaddr *)&addr6_ll, sizeof(addr6_ll)))
-			goto cancel;
-	} else if (!inany_is_loopback(&tgt->eaddr)) {
-		tcp_bind_outbound(c, s, af);
-	}
-
 	conn = FLOW_SET_TYPE(flow, FLOW_TCP, tcp);
 	conn->sock = s;
 	conn->timer = -1;
@@ -1721,6 +1720,8 @@ static void tcp_conn_from_tap(struct ctx *c, sa_family_t af,
 	if (errno != EADDRNOTAVAIL && errno != EACCES)
 		conn_flag(c, conn, LOCAL);
 
+	tcp_bind_outbound(c, conn, s);
+
 	if (connect(s, &sa.sa, sl)) {
 		if (errno != EINPROGRESS) {
 			tcp_rst(c, conn);
-- 
2.45.2

Since we're now constructing socket addresses based on information in the
flowside, we no longer need an explicit flag to tell if we're dealing with
an IPv4 or IPv6 connection.  Hence, drop the now unused SPLICE_V6 flag.

As well as just simplifying the code, this allows for possible future
extensions where we could splice an IPv4 connection to an IPv6 connection
or vice versa.

Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au>
---
 tcp_conn.h   | 11 +++++------
 tcp_splice.c |  3 ---
 2 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/tcp_conn.h b/tcp_conn.h
index b741ce32..08d58d6e 100644
--- a/tcp_conn.h
+++ b/tcp_conn.h
@@ -128,12 +128,11 @@ struct tcp_splice_conn {
 #define FIN_SENT_1			BIT(7)
 
 	uint8_t flags;
-#define SPLICE_V6			BIT(0)
-#define RCVLOWAT_SET_0			BIT(1)
-#define RCVLOWAT_SET_1			BIT(2)
-#define RCVLOWAT_ACT_0			BIT(3)
-#define RCVLOWAT_ACT_1			BIT(4)
-#define CLOSING				BIT(5)
+#define RCVLOWAT_SET_0			BIT(0)
+#define RCVLOWAT_SET_1			BIT(1)
+#define RCVLOWAT_ACT_0			BIT(2)
+#define RCVLOWAT_ACT_1			BIT(3)
+#define CLOSING				BIT(4)
 
 		bool in_epoll	:1;
 };
diff --git a/tcp_splice.c b/tcp_splice.c
index bcb42c97..d829d753 100644
--- a/tcp_splice.c
+++ b/tcp_splice.c
@@ -73,8 +73,6 @@ static int ns_sock_pool6	[TCP_SOCK_POOL_SIZE];
 /* Pool of pre-opened pipes */
 static int splice_pipe_pool		[TCP_SPLICE_PIPE_POOL_SIZE][2];
 
-#define CONN_V6(x)			((x)->flags & SPLICE_V6)
-#define CONN_V4(x)			(!CONN_V6(x))
 #define CONN_HAS(conn, set)		(((conn)->events & (set)) == (set))
 #define CONN(idx)			(&FLOW(idx)->tcp_splice)
 
@@ -463,7 +461,6 @@ bool tcp_splice_conn_from_sock(const struct ctx *c,
 			       NULL, 0, &in6addr_loopback, dstport);
 	conn = FLOW_SET_TYPE(flow, FLOW_TCP_SPLICE, tcp_splice);
 
-	conn->flags = af == AF_INET ? 0 : SPLICE_V6;
 	conn->s[0] = s0;
 	conn->s[1] = -1;
 	conn->pipe[0][0] = conn->pipe[0][1] = -1;
-- 
2.45.2

Move the data structures and helper functions for the TCP hash table to
flow.c, making it a general hash table indexing sides of flows.  This is
largely code motion and straightforward renames.  There are two semantic
changes:

 * flow_lookup_af() now needs to verify that the entry has a matching
   protocol and interface as well as matching addresses and ports.

 * We double the size of the hash table, because it's now at least
   theoretically possible for both sides of each flow to be hashed.

Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au>
---
 flow.c         | 155 +++++++++++++++++++++++++++++++++++++++++++++++--
 flow.h         |  11 ++--
 flow_table.h   |   3 -
 tcp.c          | 148 +++++-----------------------------------------
 tcp_internal.h |   1 +
 5 files changed, 171 insertions(+), 147 deletions(-)

diff --git a/flow.c b/flow.c
index 8ed9c1ae..e7503dbd 100644
--- a/flow.c
+++ b/flow.c
@@ -105,6 +105,16 @@ unsigned flow_first_free;
 union flow flowtab[FLOW_MAX];
 static const union flow *flow_new_entry; /* = NULL */
 
+/* Hash table to index it */
+#define FLOW_HASH_LOAD		70		/* % */
+#define FLOW_HASH_SIZE		((2 * FLOW_MAX * 100 / FLOW_HASH_LOAD))
+
+/* Table for lookup from flowside information */
+static flow_sidx_t flow_hashtab[FLOW_HASH_SIZE];
+
+static_assert(ARRAY_SIZE(flow_hashtab) >= 2 * FLOW_MAX,
+"Safe linear probing requires hash table with more entries than the number of sides
in the flow table");
+
 /* Last time the flow timers ran */
 static struct timespec flow_timer_run;
 
@@ -116,9 +126,9 @@ static struct timespec flow_timer_run;
  * @faddr:	Forwarding address (pointer to in_addr or in6_addr)
  * @fport:	Forwarding port
  */
-void flowside_from_af(struct flowside *fside, sa_family_t af,
-		      const void *eaddr, in_port_t eport,
-		      const void *faddr, in_port_t fport)
+static void flowside_from_af(struct flowside *fside, sa_family_t af,
+			     const void *eaddr, in_port_t eport,
+			     const void *faddr, in_port_t fport)
 {
 	if (faddr)
 		inany_from_af(&fside->faddr, af, faddr);
@@ -410,8 +420,8 @@ void flow_alloc_cancel(union flow *flow)
  *
  * Return: hash value
  */
-uint64_t flow_hash(const struct ctx *c, uint8_t proto, uint8_t pif,
-		   const struct flowside *fside)
+static uint64_t flow_hash(const struct ctx *c, uint8_t proto, uint8_t pif,
+			  const struct flowside *fside)
 {
 	struct siphash_state state = SIPHASH_INIT(c->hash_secret);
 
@@ -430,6 +440,136 @@ uint64_t flow_hash(const struct ctx *c, uint8_t proto, uint8_t pif,
 			     (uint64_t)fside->eport);
 }
 
+/**
+ * flow_sidx_hash() - Calculate hash value for given side of a given flow
+ * @c:		Execution context
+ * @sidx:	Flow & side index to get hash for
+ *
+ * Return: hash value, of the flow & side represented by @sidx
+ */
+static uint64_t flow_sidx_hash(const struct ctx *c, flow_sidx_t sidx)
+{
+	const struct flow_common *f = &flow_at_sidx(sidx)->f;
+	return flow_hash(c, FLOW_PROTO(f),
+			 f->pif[sidx.side], &f->side[sidx.side]);
+}
+
+/**
+ * flow_hash_probe() - Find hash bucket for a flow
+ * @c:		Execution context
+ * @sidx:	Flow and side to find bucket for
+ *
+ * Return: If @sidx is in the hash table, its current bucket, otherwise a
+ *         suitable free bucket for it.
+ */
+static inline unsigned flow_hash_probe(const struct ctx *c, flow_sidx_t sidx)
+{
+	unsigned b = flow_sidx_hash(c, sidx) % FLOW_HASH_SIZE;
+
+	/* Linear probing */
+	while (!flow_sidx_eq(flow_hashtab[b], FLOW_SIDX_NONE) &&
+	       !flow_sidx_eq(flow_hashtab[b], sidx))
+		b = mod_sub(b, 1, FLOW_HASH_SIZE);
+
+	return b;
+}
+
+/**
+ * flow_hash_insert() - Insert side of a flow into into hash table
+ * @c:		Execution context
+ * @sidx:	Flow & side index
+ */
+void flow_hash_insert(const struct ctx *c, flow_sidx_t sidx)
+{
+	unsigned b = flow_hash_probe(c, sidx);
+
+	flow_hashtab[b] = sidx;
+	flow_dbg(flow_at_sidx(sidx), "Side %u hash table insert: bucket: %u",
+		 sidx.side, b);
+}
+
+/**
+ * flow_hash_remove() - Drop side of a flow from the hash table
+ * @c:		Execution context
+ * @sidx:	Side of flow to remove
+ */
+void flow_hash_remove(const struct ctx *c, flow_sidx_t sidx)
+{
+	unsigned b = flow_hash_probe(c, sidx), s;
+
+	if (flow_sidx_eq(flow_hashtab[b], FLOW_SIDX_NONE))
+		return; /* Redundant remove */
+
+	flow_dbg(flow_at_sidx(sidx), "Side %u hash table remove: bucket: %u",
+		 sidx.side, b);
+
+	/* Scan the remainder of the cluster */
+	for (s = mod_sub(b, 1, FLOW_HASH_SIZE);
+	     !flow_sidx_eq(flow_hashtab[s], FLOW_SIDX_NONE);
+	     s = mod_sub(s, 1, FLOW_HASH_SIZE)) {
+		unsigned h = flow_sidx_hash(c, flow_hashtab[s]) % FLOW_HASH_SIZE;
+
+		if (!mod_between(h, s, b, FLOW_HASH_SIZE)) {
+			/* flow_hashtab[s] can live in flow_hashtab[b]'s slot */
+			debug("hash table remove: shuffle %u -> %u", s, b);
+			flow_hashtab[b] = flow_hashtab[s];
+			b = s;
+		}
+	}
+
+	flow_hashtab[b] = FLOW_SIDX_NONE;
+}
+
+/**
+ * flowside_lookup() - Look for a matching flowside in the flow table
+ * @c:		Execution context
+ * @proto:	Protocol of the flow (IP L4 protocol number)
+ * @pif:	pif to look for in the table
+ * @fside:	Flowside to look for in the table
+ *
+ * Return: sidx of the matching flow & side, FLOW_SIDX_NONE if not found
+ */
+static flow_sidx_t flowside_lookup(const struct ctx *c, uint8_t proto,
+				   uint8_t pif, const struct flowside *fside)
+{
+	flow_sidx_t sidx;
+	union flow *flow;
+	unsigned b;
+
+	b = flow_hash(c, proto, pif, fside) % FLOW_HASH_SIZE;
+	while ((sidx = flow_hashtab[b], flow = flow_at_sidx(sidx)) &&
+	       !(FLOW_PROTO(&flow->f) == proto &&
+		 flow->f.pif[sidx.side] == pif &&
+		 flowside_eq(&flow->f.side[sidx.side], fside)))
+		b = (b + 1) % FLOW_HASH_SIZE;
+
+	return flow_hashtab[b];
+}
+
+/**
+ * flow_lookup_af() - Look up a flow given addressing information
+ * @c:		Execution context
+ * @proto:	Protocol of the flow (IP L4 protocol number)
+ * @pif:	Interface of the flow
+ * @af:		Address family, AF_INET or AF_INET6
+ * @eaddr:	Guest side endpoint address (guest local address)
+ * @faddr:	Guest side forwarding address (guest remote address)
+ * @eport:	Guest side endpoint port (guest local port)
+ * @fport:	Guest side forwarding port (guest remote port)
+ *
+ * Return: sidx of the matching flow & side, FLOW_SIDX_NONE if not found
+ */
+flow_sidx_t flow_lookup_af(const struct ctx *c,
+			   uint8_t proto, uint8_t pif, sa_family_t af,
+			   const void *eaddr, const void *faddr,
+			   in_port_t eport, in_port_t fport)
+{
+	struct flowside fside;
+
+	flowside_from_af(&fside, af, eaddr, eport, faddr, fport);
+	return flowside_lookup(c, proto, pif, &fside);
+}
+
 /**
  * flow_defer_handler() - Handler for per-flow deferred and timed tasks
  * @c:		Execution context
@@ -543,7 +683,12 @@ void flow_defer_handler(const struct ctx *c, const struct timespec
*now)
  */
 void flow_init(void)
 {
+	unsigned b;
+
 	/* Initial state is a single free cluster containing the whole table */
 	flowtab[0].free.n = FLOW_MAX;
 	flowtab[0].free.next = FLOW_MAX;
+
+	for (b = 0; b < FLOW_HASH_SIZE; b++)
+		flow_hashtab[b] = FLOW_SIDX_NONE;
 }
diff --git a/flow.h b/flow.h
index 6c9eaf60..c29d0312 100644
--- a/flow.h
+++ b/flow.h
@@ -164,10 +164,6 @@ static inline bool flowside_eq(const struct flowside *left,
 	       left->fport == right->fport;
 }
 
-void flowside_from_af(struct flowside *fside, sa_family_t af,
-		      const void *eaddr, in_port_t eport,
-		      const void *faddr, in_port_t fport);
-
 /**
  * struct flow_common - Common fields for packet flows
  * @state:	State of the flow table entry
@@ -222,6 +218,13 @@ static inline bool flow_sidx_eq(flow_sidx_t a, flow_sidx_t b)
 	return (a.flow == b.flow) && (a.side == b.side);
 }
 
+void flow_hash_insert(const struct ctx *c, flow_sidx_t sidx);
+void flow_hash_remove(const struct ctx *c, flow_sidx_t sidx);
+flow_sidx_t flow_lookup_af(const struct ctx *c,
+			   uint8_t proto, uint8_t pif, sa_family_t af,
+			   const void *eaddr, const void *faddr,
+			   in_port_t eport, in_port_t fport);
+
 union flow;
 
 void flow_init(void);
diff --git a/flow_table.h b/flow_table.h
index 34f4e6cc..7af32c6a 100644
--- a/flow_table.h
+++ b/flow_table.h
@@ -126,7 +126,4 @@ void flow_activate(struct flow_common *f);
 #define FLOW_ACTIVATE(flow_)			\
 	(flow_activate(&(flow_)->f))
 
-uint64_t flow_hash(const struct ctx *c, uint8_t proto, uint8_t pif,
-		   const struct flowside *fside);
-
 #endif /* FLOW_TABLE_H */
diff --git a/tcp.c b/tcp.c
index 531cba2d..e92f6850 100644
--- a/tcp.c
+++ b/tcp.c
@@ -305,9 +305,6 @@
 #include "tcp_internal.h"
 #include "tcp_buf.h"
 
-#define TCP_HASH_TABLE_LOAD		70		/* % */
-#define TCP_HASH_TABLE_SIZE		(FLOW_MAX * 100 / TCP_HASH_TABLE_LOAD)
-
 /* MSS rounding: see SET_MSS() */
 #define MSS_DEFAULT			536
 #define WINDOW_DEFAULT			14600		/* RFC 6928 */
@@ -376,12 +373,6 @@ static struct iovec	tcp_iov			[UIO_MAXIOV];
 
 #define CONN(idx)		(&(FLOW(idx)->tcp))
 
-/* Table for lookup from flowside information */
-static flow_sidx_t tc_hash[TCP_HASH_TABLE_SIZE];
-
-static_assert(ARRAY_SIZE(tc_hash) >= FLOW_MAX,
-	"Safe linear probing requires hash table larger than connection table");
-
 /* Pools for pre-opened sockets (in init) */
 int init_sock_pool4		[TCP_SOCK_POOL_SIZE];
 int init_sock_pool6		[TCP_SOCK_POOL_SIZE];
@@ -567,9 +558,6 @@ void conn_flag_do(const struct ctx *c, struct tcp_tap_conn *conn,
 		tcp_timer_ctl(c, conn);
 }
 
-static void tcp_hash_remove(const struct ctx *c,
-			    const struct tcp_tap_conn *conn);
-
 /**
  * conn_event_do() - Set and log connection events, update epoll state
  * @c:		Execution context
@@ -615,7 +603,7 @@ void conn_event_do(const struct ctx *c, struct tcp_tap_conn *conn,
 			 num == -1 	       ? "CLOSED" : tcp_event_str[num]);
 
 	if (event == CLOSED)
-		tcp_hash_remove(c, conn);
+		flow_hash_remove(c, TAP_SIDX(conn));
 	else if ((event == TAP_FIN_RCVD) && !(conn->events & SOCK_FIN_RCVD))
 		conn_flag(c, conn, ACTIVE_CLOSE);
 	else
@@ -814,118 +802,6 @@ static int tcp_opt_get(const char *opts, size_t len, uint8_t
type_find,
 	return -1;
 }
 
-/**
- * tcp_conn_hash() - Calculate hash bucket of an existing connection
- * @c:		Execution context
- * @conn:	Connection
- *
- * Return: hash value, needs to be adjusted for table size
- */
-static uint64_t tcp_conn_hash(const struct ctx *c,
-			      const struct tcp_tap_conn *conn)
-{
-	const struct flowside *tapside = TAPFLOW(conn);
-
-	return flow_hash(c, IPPROTO_TCP, conn->f.pif[TAPSIDE(conn)], tapside);
-}
-
-/**
- * tcp_hash_probe() - Find hash bucket for a connection
- * @c:		Execution context
- * @conn:	Connection to find bucket for
- *
- * Return: If @conn is in the table, its current bucket, otherwise a suitable
- *         free bucket for it.
- */
-static inline unsigned tcp_hash_probe(const struct ctx *c,
-				      const struct tcp_tap_conn *conn)
-{
-	unsigned b = tcp_conn_hash(c, conn) % TCP_HASH_TABLE_SIZE;
-	flow_sidx_t sidx = FLOW_SIDX(conn, TAPSIDE(conn));
-
-	/* Linear probing */
-	while (!flow_sidx_eq(tc_hash[b], FLOW_SIDX_NONE) &&
-	       !flow_sidx_eq(tc_hash[b], sidx))
-		b = mod_sub(b, 1, TCP_HASH_TABLE_SIZE);
-
-	return b;
-}
-
-/**
- * tcp_hash_insert() - Insert connection into hash table, chain link
- * @c:		Execution context
- * @conn:	Connection pointer
- */
-static void tcp_hash_insert(const struct ctx *c, struct tcp_tap_conn *conn)
-{
-	unsigned b = tcp_hash_probe(c, conn);
-
-	tc_hash[b] = FLOW_SIDX(conn, TAPSIDE(conn));
-	flow_dbg(conn, "hash table insert: sock %i, bucket: %u", conn->sock, b);
-}
-
-/**
- * tcp_hash_remove() - Drop connection from hash table, chain unlink
- * @c:		Execution context
- * @conn:	Connection pointer
- */
-static void tcp_hash_remove(const struct ctx *c,
-			    const struct tcp_tap_conn *conn)
-{
-	unsigned b = tcp_hash_probe(c, conn), s;
-	union flow *flow = flow_at_sidx(tc_hash[b]);
-
-	if (!flow)
-		return; /* Redundant remove */
-
-	flow_dbg(conn, "hash table remove: sock %i, bucket: %u", conn->sock, b);
-
-	/* Scan the remainder of the cluster */
-	for (s = mod_sub(b, 1, TCP_HASH_TABLE_SIZE);
-	     (flow = flow_at_sidx(tc_hash[s]));
-	     s = mod_sub(s, 1, TCP_HASH_TABLE_SIZE)) {
-		unsigned h = tcp_conn_hash(c, &flow->tcp) % TCP_HASH_TABLE_SIZE;
-
-		if (!mod_between(h, s, b, TCP_HASH_TABLE_SIZE)) {
-			/* tc_hash[s] can live in tc_hash[b]'s slot */
-			debug("hash table remove: shuffle %u -> %u", s, b);
-			tc_hash[b] = tc_hash[s];
-			b = s;
-		}
-	}
-
-	tc_hash[b] = FLOW_SIDX_NONE;
-}
-
-/**
- * tcp_hash_lookup() - Look up connection given remote address and ports
- * @c:		Execution context
- * @af:		Address family, AF_INET or AF_INET6
- * @eaddr:	Guest side endpoint address (guest local address)
- * @faddr:	Guest side forwarding address (guest remote address)
- * @eport:	Guest side endpoint port (guest local port)
- * @fport:	Guest side forwarding port (guest remote port)
- *
- * Return: connection pointer, if found, -ENOENT otherwise
- */
-static struct tcp_tap_conn *tcp_hash_lookup(const struct ctx *c, sa_family_t af,
-					    const void *eaddr, const void *faddr,
-					    in_port_t eport, in_port_t fport)
-{
-	struct flowside fside;
-	union flow *flow;
-	unsigned b;
-
-	flowside_from_af(&fside, af, eaddr, eport, faddr, fport);
-
-	b = flow_hash(c, IPPROTO_TCP, PIF_TAP, &fside) % TCP_HASH_TABLE_SIZE;
-	while ((flow = flow_at_sidx(tc_hash[b])) &&
-	       !flowside_eq(&flow->f.side[TAPSIDE(flow)], &fside))
-		b = mod_sub(b, 1, TCP_HASH_TABLE_SIZE);
-
-	return &flow->tcp;
-}
-
 /**
  * tcp_flow_defer() - Deferred per-flow handling (clean up closed connections)
  * @conn:	Connection to handle
@@ -1645,7 +1521,7 @@ static void tcp_conn_from_tap(struct ctx *c, sa_family_t af,
 	tcp_seq_init(c, conn, now);
 	conn->seq_ack_from_tap = conn->seq_to_tap;
 
-	tcp_hash_insert(c, conn);
+	flow_hash_insert(c, TAP_SIDX(conn));
 
 	sockaddr_from_inany(&sa, &sl, &tgt->eaddr, tgt->eport, c->ifi6);
 
@@ -1983,6 +1859,8 @@ int tcp_tap_handler(struct ctx *c, uint8_t pif, sa_family_t af,
 	const struct tcphdr *th;
 	size_t optlen, len;
 	const char *opts;
+	union flow *flow;
+	flow_sidx_t sidx;
 	int ack_due = 0;
 	int count;
 
@@ -1998,17 +1876,22 @@ int tcp_tap_handler(struct ctx *c, uint8_t pif, sa_family_t af,
 	optlen = MIN(optlen, ((1UL << 4) /* from doff width */ - 6) * 4UL);
 	opts = packet_get(p, idx, sizeof(*th), optlen, NULL);
 
-	conn = tcp_hash_lookup(c, af, saddr, daddr,
-			       ntohs(th->source), ntohs(th->dest));
+	sidx = flow_lookup_af(c, IPPROTO_TCP, PIF_TAP, af, saddr, daddr,
+			      ntohs(th->source), ntohs(th->dest));
+	flow = flow_at_sidx(sidx);
 
 	/* New connection from tap */
-	if (!conn) {
+	if (!flow) {
 		if (opts && th->syn && !th->ack)
 			tcp_conn_from_tap(c, af, saddr, daddr, th,
 					  opts, optlen, now);
 		return 1;
 	}
 
+	ASSERT(flow->f.type == FLOW_TCP);
+	ASSERT(flow->f.pif[sidx.side] == PIF_TAP);
+	conn = &flow->tcp;
+
 	flow_trace(conn, "packet length %zu from tap", len);
 
 	if (th->rst) {
@@ -2184,7 +2067,7 @@ static void tcp_tap_conn_from_sock(struct ctx *c, in_port_t
dstport,
 	conn_event(c, conn, SOCK_ACCEPTED);
 
 	tcp_seq_init(c, conn, now);
-	tcp_hash_insert(c, conn);
+	flow_hash_insert(c, TAP_SIDX(conn));
 
 	conn->seq_ack_from_tap = conn->seq_to_tap;
 
@@ -2576,11 +2459,6 @@ static void tcp_sock_refill_init(const struct ctx *c)
  */
 int tcp_init(struct ctx *c)
 {
-	unsigned b;
-
-	for (b = 0; b < TCP_HASH_TABLE_SIZE; b++)
-		tc_hash[b] = FLOW_SIDX_NONE;
-
 	if (c->ifi4)
 		tcp_sock4_iov_init(c);
 
diff --git a/tcp_internal.h b/tcp_internal.h
index ac6d4b21..8b60aabc 100644
--- a/tcp_internal.h
+++ b/tcp_internal.h
@@ -42,6 +42,7 @@
 
 #define TAPSIDE(conn_)	((conn_)->f.pif[1] == PIF_TAP)
 #define TAPFLOW(conn_)	(&((conn_)->f.side[TAPSIDE(conn_)]))
+#define TAP_SIDX(conn_)	(FLOW_SIDX((conn_), TAPSIDE(conn_)))
 
 #define CONN_V4(conn)		(!!inany_v4(&TAPFLOW(conn)->faddr))
 #define CONN_V6(conn)		(!CONN_V4(conn))
-- 
2.45.2

struct icmp_ping_flow contains a field for the ICMP id of the ping, but
this is now redundant, since the id is also stored as the "port" in the
common flowsides.

Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au>
---
 icmp.c      | 10 +++++-----
 icmp_flow.h |  2 --
 2 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/icmp.c b/icmp.c
index c86c54c3..deb13c96 100644
--- a/icmp.c
+++ b/icmp.c
@@ -58,6 +58,7 @@ static struct icmp_ping_flow *icmp_id_map[IP_VERSIONS][ICMP_NUM_IDS];
 void icmp_sock_handler(const struct ctx *c, union epoll_ref ref)
 {
 	struct icmp_ping_flow *pingf = PINGF(ref.flowside.flow);
+	const struct flowside *ini = &pingf->f.side[INISIDE];
 	union sockaddr_inany sr;
 	socklen_t sl = sizeof(sr);
 	char buf[USHRT_MAX];
@@ -83,7 +84,7 @@ void icmp_sock_handler(const struct ctx *c, union epoll_ref ref)
 			goto unexpected;
 
 		/* Adjust packet back to guest-side ID */
-		ih4->un.echo.id = htons(pingf->id);
+		ih4->un.echo.id = htons(ini->eport);
 		seq = ntohs(ih4->un.echo.sequence);
 	} else if (pingf->f.type == FLOW_PING6) {
 		struct icmp6hdr *ih6 = (struct icmp6hdr *)buf;
@@ -93,7 +94,7 @@ void icmp_sock_handler(const struct ctx *c, union epoll_ref ref)
 			goto unexpected;
 
 		/* Adjust packet back to guest-side ID */
-		ih6->icmp6_identifier = htons(pingf->id);
+		ih6->icmp6_identifier = htons(ini->eport);
 		seq = ntohs(ih6->icmp6_sequence);
 	} else {
 		ASSERT(0);
@@ -108,7 +109,7 @@ void icmp_sock_handler(const struct ctx *c, union epoll_ref ref)
 	}
 
 	flow_dbg(pingf, "echo reply to tap, ID: %"PRIu16", seq: %"PRIu16,
-		 pingf->id, seq);
+		 ini->eport, seq);
 
 	if (pingf->f.type == FLOW_PING4)
 		tap_icmp4_send(c, sr.sa4.sin_addr, tap_ip4_daddr(c), buf, n);
@@ -129,7 +130,7 @@ unexpected:
 static void icmp_ping_close(const struct ctx *c,
 			    const struct icmp_ping_flow *pingf)
 {
-	uint16_t id = pingf->id;
+	uint16_t id = pingf->f.side[INISIDE].eport;
 
 	epoll_ctl(c->epollfd, EPOLL_CTL_DEL, pingf->sock, NULL);
 	close(pingf->sock);
@@ -172,7 +173,6 @@ static struct icmp_ping_flow *icmp_ping_new(const struct ctx *c,
 	pingf = FLOW_SET_TYPE(flow, flowtype, ping);
 
 	pingf->seq = -1;
-	pingf->id = id;
 
 	if (af == AF_INET) {
 		bind_addr = &c->ip4.addr_out;
diff --git a/icmp_flow.h b/icmp_flow.h
index c9847eae..fb93801d 100644
--- a/icmp_flow.h
+++ b/icmp_flow.h
@@ -13,7 +13,6 @@
  * @seq:	Last sequence number sent to tap, host order, -1: not sent yet
  * @sock:	"ping" socket
  * @ts:		Last associated activity from tap, seconds
- * @id:		ICMP id for the flow as seen by the guest
  */
 struct icmp_ping_flow {
 	/* Must be first element */
@@ -22,7 +21,6 @@ struct icmp_ping_flow {
 	int seq;
 	int sock;
 	time_t ts;
-	uint16_t id;
 };
 
 bool icmp_ping_timer(const struct ctx *c, const struct icmp_ping_flow *pingf,
-- 
2.45.2

When we receive a ping packet from the tap interface, we currently locate
the correct flow entry (if present) using an anciliary data structure, the
icmp_id_map[] tables.  However, we can look this up using the flow hash
table - that's what it's for.

Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au>
---
 icmp.c | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/icmp.c b/icmp.c
index 88813fbc..d11de1aa 100644
--- a/icmp.c
+++ b/icmp.c
@@ -141,6 +141,7 @@ static void icmp_ping_close(const struct ctx *c,
 
 	epoll_ctl(c->epollfd, EPOLL_CTL_DEL, pingf->sock, NULL);
 	close(pingf->sock);
+	flow_hash_remove(c, FLOW_SIDX(pingf, INISIDE));
 
 	if (pingf->f.type == FLOW_PING4)
 		icmp_id_map[V4][id] = NULL;
@@ -205,6 +206,7 @@ static struct icmp_ping_flow *icmp_ping_new(const struct ctx *c,
 
 	flow_dbg(pingf, "new socket %i for echo ID %"PRIu16, pingf->sock, id);
 
+	flow_hash_insert(c, FLOW_SIDX(pingf, INISIDE));
 	*id_sock = pingf;
 
 	FLOW_ACTIVATE(pingf);
@@ -237,6 +239,8 @@ int icmp_tap_handler(const struct ctx *c, uint8_t pif, sa_family_t
af,
 	union sockaddr_inany sa;
 	size_t dlen, l4len;
 	uint16_t id, seq;
+	union flow *flow;
+	uint8_t proto;
 	socklen_t sl;
 	void *pkt;
 
@@ -255,6 +259,7 @@ int icmp_tap_handler(const struct ctx *c, uint8_t pif, sa_family_t
af,
 		if (ih->type != ICMP_ECHO)
 			return 1;
 
+		proto = IPPROTO_ICMP;
 		id = ntohs(ih->un.echo.id);
 		id_sock = &icmp_id_map[V4][id];
 		seq = ntohs(ih->un.echo.sequence);
@@ -270,6 +275,7 @@ int icmp_tap_handler(const struct ctx *c, uint8_t pif, sa_family_t
af,
 		if (ih->icmp6_type != ICMPV6_ECHO_REQUEST)
 			return 1;
 
+		proto = IPPROTO_ICMPV6;
 		id = ntohs(ih->icmp6_identifier);
 		id_sock = &icmp_id_map[V6][id];
 		seq = ntohs(ih->icmp6_sequence);
@@ -277,11 +283,17 @@ int icmp_tap_handler(const struct ctx *c, uint8_t pif, sa_family_t
af,
 		ASSERT(0);
 	}
 
-	if (!(pingf = *id_sock))
-		if (!(pingf = icmp_ping_new(c, id_sock, af, id, saddr, daddr)))
-			return 1;
+	flow = flow_at_sidx(flow_lookup_af(c, proto, PIF_TAP,
+					   af, saddr, daddr, id, id));
+
+	if (flow)
+		pingf = &flow->ping;
+	else if (!(pingf = icmp_ping_new(c, id_sock, af, id, saddr, daddr)))
+		return 1;
 
 	tgt = &pingf->f.side[TGTSIDE];
+
+	ASSERT(flow_proto[pingf->f.type] == proto);
 	pingf->ts = now->tv_sec;
 
 	sockaddr_from_inany(&sa, &sl, &tgt->eaddr, 0, c->ifi6);
-- 
2.45.2

For now when we forward a ping to the host we leave the host side
forwarding address and port blank since we don't necessarily know what
source address and id will be used by the kernel.  When the outbound
address option is active, though, we do know the address at least, so we
can record it in the flowside.

Having done that, use it as the primary source of truth, binding the
outgoing socket based on the information in there.  This allows the
possibility of more complex rules for what outbound address and/or id
we use in future.

To implement this we create a new helper which sets up a new socket based
on information in a flowside, which will also have future uses.  It
behaves slightly differently from the existing ICMP code, in that it
doesn't bind to a specific interface if given a loopback address.  This is
logically correct - the loopback address means we need to operate through
the host's loopback interface, not ifname_out.  We didn't need it in ICMP
because ICMP will never generate a loopback address at this point, however
we intend to change that in future.

Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au>
---
 flow.c | 32 ++++++++++++++++++++++++++++++++
 flow.h |  3 +++
 icmp.c | 23 ++++++++++-------------
 util.c |  6 +++---
 util.h |  3 +++
 5 files changed, 51 insertions(+), 16 deletions(-)

diff --git a/flow.c b/flow.c
index c94351d7..3770af37 100644
--- a/flow.c
+++ b/flow.c
@@ -143,6 +143,38 @@ static void flowside_from_af(struct flowside *fside, sa_family_t af,
 	fside->eport = eport;
 }
 
+/** flowside_sock_l4() - Create and bind socket based on flowside
+ * @c:		Execution context
+ * @proto:	Protocol number
+ * @pif:	Interface for this socket
+ * @tgt:	Target flowside
+ * @data:	epoll reference portion for protocol handlers
+ *
+ * Return: socket fd of protocol @proto bound to the forwarding address and port
+ *         from @tgt (if specified).
+ */
+int flowside_sock_l4(const struct ctx *c, uint8_t proto, uint8_t pif,
+		     const struct flowside *tgt, uint32_t data)
+{
+	const char *ifname = NULL;
+	union sockaddr_inany sa;
+	socklen_t sl;
+
+	ASSERT(pif == PIF_HOST); /* TODO: support other pifs */
+
+	sockaddr_from_inany(&sa, &sl, &tgt->faddr, tgt->fport, c->ifi6);
+
+	if (inany_is_loopback(&tgt->faddr))
+		ifname = NULL;
+	else if (sa.sa_family == AF_INET)
+		ifname = c->ip4.ifname_out;
+	else if (sa.sa_family == AF_INET6)
+		ifname = c->ip6.ifname_out;
+
+	return sock_l4_sa(c, proto, &sa, sl, ifname, sa.sa_family == AF_INET6,
+			  data);
+}
+
 /** flow_log_ - Log flow-related message
  * @f:		flow the message is related to
  * @pri:	Log priority
diff --git a/flow.h b/flow.h
index 90389a5e..948f2ea9 100644
--- a/flow.h
+++ b/flow.h
@@ -164,6 +164,9 @@ static inline bool flowside_eq(const struct flowside *left,
 	       left->fport == right->fport;
 }
 
+int flowside_sock_l4(const struct ctx *c, uint8_t proto, uint8_t pif,
+		     const struct flowside *tgt, uint32_t data);
+
 /**
  * struct flow_common - Common fields for packet flows
  * @state:	State of the flow table entry
diff --git a/icmp.c b/icmp.c
index b297b9ac..cb3278e9 100644
--- a/icmp.c
+++ b/icmp.c
@@ -157,30 +157,27 @@ static struct icmp_ping_flow *icmp_ping_new(const struct ctx *c,
 	union epoll_ref ref = { .type = EPOLL_TYPE_PING };
 	union flow *flow = flow_alloc();
 	struct icmp_ping_flow *pingf;
+	const struct flowside *tgt;
 	const void *bind_addr;
-	const char *bind_if;
 
 	if (!flow)
 		return NULL;
 
 	flow_initiate_af(flow, PIF_TAP, af, saddr, id, daddr, id);
-	/* FIXME: Record outbound source address when known */
-	flow_target_af(flow, PIF_HOST,	af, NULL, 0, daddr, 0);
-	pingf = FLOW_SET_TYPE(flow, flowtype, ping);
-
-	pingf->seq = -1;
 
-	if (af == AF_INET) {
+	if (af == AF_INET)
 		bind_addr = &c->ip4.addr_out;
-		bind_if = c->ip4.ifname_out;
-	} else {
+	else if (af == AF_INET6)
 		bind_addr = &c->ip6.addr_out;
-		bind_if = c->ip6.ifname_out;
-	}
+
+	tgt = flow_target_af(flow, PIF_HOST, af, bind_addr, 0, daddr, 0);
+	pingf = FLOW_SET_TYPE(flow, flowtype, ping);
+
+	pingf->seq = -1;
 
 	ref.flowside = FLOW_SIDX(flow, TGTSIDE);
-	pingf->sock = sock_l4(c, af, flow_proto[flowtype], bind_addr, bind_if,
-			      0, ref.data);
+	pingf->sock = flowside_sock_l4(c, flow_proto[flowtype], PIF_HOST,
+				       tgt, ref.data);
 
 	if (pingf->sock < 0) {
 		warn("Cannot open \"ping\" socket. You might need to:");
diff --git a/util.c b/util.c
index 4e3d84a1..9ba9908d 100644
--- a/util.c
+++ b/util.c
@@ -44,9 +44,9 @@
  *
  * Return: newly created socket, negative error code on failure
  */
-static int sock_l4_sa(const struct ctx *c, uint8_t proto,
-		      const void *sa, socklen_t sl,
-		      const char *ifname, bool v6only, uint32_t data)
+int sock_l4_sa(const struct ctx *c, uint8_t proto,
+	       const void *sa, socklen_t sl,
+	       const char *ifname, bool v6only, uint32_t data)
 {
 	sa_family_t af = ((const struct sockaddr *)sa)->sa_family;
 	union epoll_ref ref = { .data = data };
diff --git a/util.h b/util.h
index eebb027b..bbf10778 100644
--- a/util.h
+++ b/util.h
@@ -143,6 +143,9 @@ struct ctx;
 
 /* cppcheck-suppress funcArgNamesDifferent */
 __attribute__ ((weak)) int ffsl(long int i) { return __builtin_ffsl(i); }
+int sock_l4_sa(const struct ctx *c, uint8_t proto,
+	       const void *sa, socklen_t sl,
+	       const char *ifname, bool v6only, uint32_t data);
 int sock_l4(const struct ctx *c, sa_family_t af, uint8_t proto,
 	    const void *bind_addr, const char *ifname, uint16_t port,
 	    uint32_t data);
-- 
2.45.2

Current ICMP hard codes its forwarding rules, and never applies any
translations.  Change it to use the flow_target() function, so that
it's translated the same as TCP (excluding TCP specific port
redirection).

This means that gw mapping now applies to ICMP so "ping <gw address>"
will
now ping the host's loopback instead of the actual gw machine.  This
removes the surprising behaviour that the target you ping might not be the
same as you connect to with TCP.

This removes the last user of flow_target_af(), so that's removed as well.

Signed-off-by: David Gibson &lt;david(a)gibson.dropbear.id.au&gt;
---
 flow.c | 32 --------------------------------
 icmp.c | 16 ++++++++++------
 2 files changed, 10 insertions(+), 38 deletions(-)

diff --git a/flow.c b/flow.c
index dc600eca..cf799082 100644
--- a/flow.c
+++ b/flow.c
@@ -309,38 +309,6 @@ const struct flowside *flow_initiate_sa(union flow *flow, uint8_t
pif,
 	return ini;
 }
 
-/**
- * flow_target_af() - Move flow to TGT, setting TGTSIDE details
- * @flow:	Flow to change state
- * @pif:	pif of the target side
- * @af:		Address family for @eaddr and @faddr
- * @saddr:	Source address (pointer to in_addr or in6_addr)
- * @sport:	Endpoint port
- * @daddr:	Destination address (pointer to in_addr or in6_addr)
- * @dport:	Destination port
- *
- * Return: pointer to the target flowside information
- */
-const struct flowside *flow_target_af(union flow *flow, uint8_t pif,
-				      sa_family_t af,
-				      const void *saddr, in_port_t sport,
-				      const void *daddr, in_port_t dport)
-{
-	struct flow_common *f = &flow->f;
-	struct flowside *tgt = &f->side[TGTSIDE];
-
-	ASSERT(pif != PIF_NONE);
-	ASSERT(flow_new_entry == flow && f->state == FLOW_STATE_INI);
-	ASSERT(f->type == FLOW_TYPE_NONE);
-	ASSERT(f->pif[INISIDE] != PIF_NONE && f->pif[TGTSIDE] == PIF_NONE);
-
-	flowside_from_af(tgt, af, daddr, dport, saddr, sport);
-	f->pif[TGTSIDE] = pif;
-	flow_set_state(f, FLOW_STATE_TGT);
-	return tgt;
-}
-
-
 /**
  * flow_target() - Determine where flow should forward to, and move to TGT
  * @c:		Execution context
diff --git a/icmp.c b/icmp.c
index cb3278e9..45d71efd 100644
--- a/icmp.c
+++ b/icmp.c
@@ -153,24 +153,28 @@ static struct icmp_ping_flow *icmp_ping_new(const struct ctx *c,
 					    sa_family_t af, uint16_t id,
 					    const void *saddr, const void *daddr)
 {
+	uint8_t proto = af == AF_INET ? IPPROTO_ICMP : IPPROTO_ICMPV6;
 	uint8_t flowtype = af == AF_INET ? FLOW_PING4 : FLOW_PING6;
 	union epoll_ref ref = { .type = EPOLL_TYPE_PING };
 	union flow *flow = flow_alloc();
 	struct icmp_ping_flow *pingf;
 	const struct flowside *tgt;
-	const void *bind_addr;
 
 	if (!flow)
 		return NULL;
 
 	flow_initiate_af(flow, PIF_TAP, af, saddr, id, daddr, id);
+	if (!(tgt = flow_target(c, flow, proto)))
+		goto cancel;
 
-	if (af == AF_INET)
-		bind_addr = &c->ip4.addr_out;
-	else if (af == AF_INET6)
-		bind_addr = &c->ip6.addr_out;
+	if (flow->f.pif[TGTSIDE] != PIF_HOST) {
+		flow_err(flow, "No support for forwarding %s from %s to %s",
+			 proto == IPPROTO_ICMP ? "ICMP" : "ICMPv6",
+			 pif_name(flow->f.pif[INISIDE]),
+			 pif_name(flow->f.pif[TGTSIDE]));
+		goto cancel;
+	}
 
-	tgt = flow_target_af(flow, PIF_HOST, af, bind_addr, 0, daddr, 0);
 	pingf = FLOW_SET_TYPE(flow, flowtype, ping);
 
 	pingf->seq = -1;
-- 
2.45.2

Currently UDP only has a very rudimentary (and buggy) form of connection
tracking implemented with per-port flags.  Make a start on converting this
to more robust tracking via the flow table.

Start matching UDP packets to flow table entries, creating them when
necessary.  We also add a timer so that the flows will expire.  For now
don't actually use the information in the flow table, that will come later.

Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au>
---
 Makefile     |   2 +-
 flow.c       |  31 +++++++
 flow.h       |   4 +
 flow_table.h |   2 +
 udp.c        | 228 ++++++++++++++++++++++++++++++++++++++++++++++++---
 udp_flow.h   |  25 ++++++
 6 files changed, 278 insertions(+), 14 deletions(-)
 create mode 100644 udp_flow.h

diff --git a/Makefile b/Makefile
index 09fc461d..92cbd5a6 100644
--- a/Makefile
+++ b/Makefile
@@ -57,7 +57,7 @@ PASST_HEADERS = arch.h arp.h checksum.h conf.h dhcp.h dhcpv6.h flow.h
fwd.h \
 	flow_table.h icmp.h icmp_flow.h inany.h iov.h ip.h isolation.h \
 	lineread.h log.h ndp.h netlink.h packet.h passt.h pasta.h pcap.h pif.h \
 	siphash.h tap.h tcp.h tcp_buf.h tcp_conn.h tcp_internal.h tcp_splice.h \
-	udp.h util.h
+	udp.h udp_flow.h util.h
 HEADERS = $(PASST_HEADERS) seccomp.h
 
 C := \#include <linux/tcp.h>\nstruct tcp_info x = { .tcpi_snd_wnd = 0 };
diff --git a/flow.c b/flow.c
index cf799082..c3d54f6e 100644
--- a/flow.c
+++ b/flow.c
@@ -35,6 +35,7 @@ const char *flow_type_str[] = {
 	[FLOW_TCP_SPLICE]	= "TCP connection (spliced)",
 	[FLOW_PING4]		= "ICMP ping sequence",
 	[FLOW_PING6]		= "ICMPv6 ping sequence",
+	[FLOW_UDP]		= "UDP flow",
 };
 static_assert(ARRAY_SIZE(flow_type_str) == FLOW_NUM_TYPES,
 	      "flow_type_str[] doesn't match enum flow_type");
@@ -44,6 +45,7 @@ const uint8_t flow_proto[] = {
 	[FLOW_TCP_SPLICE]	= IPPROTO_TCP,
 	[FLOW_PING4]		= IPPROTO_ICMP,
 	[FLOW_PING6]		= IPPROTO_ICMPV6,
+	[FLOW_UDP]		= IPPROTO_UDP,
 };
 static_assert(ARRAY_SIZE(flow_proto) == FLOW_NUM_TYPES,
 	      "flow_proto[] doesn't match enum flow_type");
@@ -641,6 +643,31 @@ flow_sidx_t flow_lookup_af(const struct ctx *c,
 	return flowside_lookup(c, proto, pif, &fside);
 }
 
+/**
+ * flow_lookup_sa() - Look up a flow given and endpoint socket address
+ * @c:		Execution context
+ * @proto:	Protocol of the flow (IP L4 protocol number)
+ * @pif:	Interface of the flow
+ * @esa:	Socket address of the endpoint
+ * @fport:	Forwarding port number
+ *
+ * Return: sidx of the matching flow & side, FLOW_SIDX_NONE if not found
+ */
+flow_sidx_t flow_lookup_sa(const struct ctx *c, uint8_t proto, uint8_t pif,
+			   const void *esa, in_port_t fport)
+{
+	struct flowside fside = {
+		.fport = fport,
+	};
+
+	inany_from_sockaddr(&fside.eaddr, &fside.eport, esa);
+	if (inany_v4(&fside.eaddr))
+		fside.faddr = inany_any4;
+	else
+		fside.faddr = inany_any6;
+	return flowside_lookup(c, proto, pif, &fside);
+}
+
 /**
  * flow_defer_handler() - Handler for per-flow deferred and timed tasks
  * @c:		Execution context
@@ -720,6 +747,10 @@ void flow_defer_handler(const struct ctx *c, const struct timespec
*now)
 			if (timer)
 				closed = icmp_ping_timer(c, &flow->ping, now);
 			break;
+		case FLOW_UDP:
+			if (timer)
+				closed = udp_flow_timer(c, &flow->udp, now);
+			break;
 		default:
 			/* Assume other flow types don't need any handling */
 			;
diff --git a/flow.h b/flow.h
index 948f2ea9..b5ca2792 100644
--- a/flow.h
+++ b/flow.h
@@ -115,6 +115,8 @@ enum flow_type {
 	FLOW_PING4,
 	/* ICMPv6 echo requests from guest to host and matching replies back */
 	FLOW_PING6,
+	/* UDP packets with the matching unicast endpoints */
+	FLOW_UDP,
 
 	FLOW_NUM_TYPES,
 };
@@ -227,6 +229,8 @@ flow_sidx_t flow_lookup_af(const struct ctx *c,
 			   uint8_t proto, uint8_t pif, sa_family_t af,
 			   const void *eaddr, const void *faddr,
 			   in_port_t eport, in_port_t fport);
+flow_sidx_t flow_lookup_sa(const struct ctx *c, uint8_t proto, uint8_t pif,
+			   const void *esa, in_port_t fport);
 
 union flow;
 
diff --git a/flow_table.h b/flow_table.h
index 07c59041..6cf4f2b7 100644
--- a/flow_table.h
+++ b/flow_table.h
@@ -9,6 +9,7 @@
 
 #include "tcp_conn.h"
 #include "icmp_flow.h"
+#include "udp_flow.h"
 
 /**
  * struct flow_free_cluster - Information about a cluster of free entries
@@ -35,6 +36,7 @@ union flow {
 	struct tcp_tap_conn tcp;
 	struct tcp_splice_conn tcp_splice;
 	struct icmp_ping_flow ping;
+	struct udp_flow udp;
 };
 
 /* Global Flow Table */
diff --git a/udp.c b/udp.c
index e79ca938..cb6db5c5 100644
--- a/udp.c
+++ b/udp.c
@@ -15,10 +15,49 @@
 /**
  * DOC: Theory of Operation
  *
+ * Flow Table
+ * ==========
  *
- * For UDP, a reduced version of port-based connection tracking is implemented
- * with two purposes:
- * - binding ephemeral ports when they're used as source port by the guest, so
+ * UDP does not have connections, but to reliably forward reply packets back to
+ * the original requested, we must keep track of pseudo-connections.  We do this
+ * via the generic flow table.
+ *
+ * - Finding an existing flow
+ *
+ *   When we receive a datagram we attempt to match it to an existing flow: one
+ *   with matching interface, addresses and ports (both forwarding and
+ *   endpoint).  For socket interfaces, we treat the forwarding address as the
+ *   bound address of the receiving socket, which may be unspecified, rather
+ *   than the datagram's actual destination address (which is awkward to
+ *   determine for unbound sockets).
+ *
+ * - Creating a new flow
+ *
+ *   If no matching flow exists, and the datagram comes either from the tap
+ *   interface, or from a socket with the 'orig' flag set we create a new one.
+ *   The initiating side records the interface, endpoint and forwarding
+ *   addresses and ports of this first datagram.  Again, we treat the forwarding
+ *   address for sockets as the socket's bound address, regardless of the
+ *   datagram's actual destination.
+ *
+ *   The target side interface and addresses are assigned by the general code in
+ *   fwd.c.  When the target is a socket interface, the target forwarding
+ *   address may be left unspecified - in this case, the kernel will determine
+ *   the source address when we send the datagram.
+ *
+ * - Flow expiry
+ *
+ *   Every time a datagram is received that matches a flow (or creates a new
+ *   one), we update the flow's timestamp to the current time.  Periodically we
+ *   scan flows and those which are older than UDP_CONN_TIMEOUT (180s) are
+ *   removed.
+ *
+ * Port Tracking
+ * =============
+ *
+ * For datagrams not handled by the flow table, a reduced version of port-based
+ * connection tracking is implemented with two purposes:
+  * - binding ephemeral ports when they're used as source port by the guest, so
  *   that replies on those ports can be forwarded back to the guest, with a
  *   fixed timeout for this binding
  * - packets received from the local host get their source changed to a local
@@ -121,6 +160,7 @@
 #include "tap.h"
 #include "pcap.h"
 #include "log.h"
+#include "flow_table.h"
 
 #define UDP_CONN_TIMEOUT	180 /* s, timeout for ephemeral or local bind */
 #define UDP_MAX_FRAMES		32  /* max # of frames to receive at once */
@@ -199,6 +239,7 @@ static struct ethhdr udp6_eth_hdr;
  * @taph:	Tap backend specific header
  * @s_in:	Source socket address, filled in by recvmmsg()
  * @splicesrc:	Source port for splicing, or -1 if not spliceable
+ * @tosidx:	sidx for the destination side of this datagram's flow
  */
 static struct udp_meta_t {
 	struct ipv6hdr ip6h;
@@ -207,6 +248,7 @@ static struct udp_meta_t {
 
 	union sockaddr_inany s_in;
 	int splicesrc;
+	flow_sidx_t tosidx;
 }
 #ifdef __AVX2__
 __attribute__ ((aligned(32)))
@@ -253,6 +295,17 @@ static struct sockaddr_in6 udp6_localname = {
 static struct mmsghdr	udp4_mh_splice		[UDP_MAX_FRAMES];
 static struct mmsghdr	udp6_mh_splice		[UDP_MAX_FRAMES];
 
+struct udp_flow *udp_at_sidx(flow_sidx_t sidx)
+{
+	union flow *flow = flow_at_sidx(sidx);
+
+	if (!flow)
+		return NULL;
+
+	ASSERT(flow->f.type == FLOW_UDP);
+	return &flow->udp;
+}
+
 /**
  * udp_portmap_clear() - Clear UDP port map before configuration
  */
@@ -492,6 +545,67 @@ static int udp_mmh_splice_port(union udp_epoll_ref uref,
 	return -1;
 }
 
+/**
+ * udp_flow_from_sock() - Find or create UDP flow for datagrams from socket
+ * @c:		Execution context
+ * @uref:	UDP epoll reference of the originating socket
+ * @meta:	Metadata buffer for the datagram
+ *
+ * Return: sidx for the destination side of the flow for this packet, or
+ *         FLOW_SIDX_NONE if we couldn't find or create a flow.
+ */
+flow_sidx_t udp_flow_from_sock(const struct ctx *c, union udp_epoll_ref uref,
+			       struct udp_meta_t *meta)
+{
+	char sstr[INANY_ADDRSTRLEN];
+	const struct flowside *ini;
+	struct udp_flow *uflow;
+	union flow *flow;
+	flow_sidx_t sidx;
+
+	sidx = flow_lookup_sa(c, IPPROTO_UDP, uref.pif, &meta->s_in, uref.port);
+	if ((flow = flow_at_sidx(sidx)))
+		return FLOW_SIDX(flow, !sidx.side);
+
+	if (!uref.orig)
+		return FLOW_SIDX_NONE;
+
+	if (!(flow = flow_alloc())) {
+		char sastr[SOCKADDR_STRLEN];
+
+		debug("Couldn't allocate flow for UDP datagram from %s %s",
+		      pif_name(uref.pif),
+		      sockaddr_ntop(&meta->s_in, sastr, sizeof(sastr)));
+		return FLOW_SIDX_NONE;
+	}
+
+	ini = flow_initiate_sa(flow, uref.pif, &meta->s_in, uref.port);
+
+	if (!inany_is_unicast(&ini->eaddr) || ini->eport == 0) {
+		flow_dbg(flow, "Invalid endpoint on UDP recv()");
+		/* Invalid endpoint */
+		goto cancel;
+	}
+
+	if (!flow_target(c, flow, IPPROTO_UDP))
+		goto cancel;
+
+	uflow = FLOW_SET_TYPE(flow, FLOW_UDP, udp);
+	flow_hash_insert(c, FLOW_SIDX(uflow, INISIDE));
+	flow_hash_insert(c, FLOW_SIDX(uflow, TGTSIDE));
+	FLOW_ACTIVATE(uflow);
+
+	return FLOW_SIDX(uflow, TGTSIDE);
+
+cancel:
+	flow_dbg(flow, "Couldn't create UDP flow for %s [%s]:%hu -> ?:%hu",
+		 pif_name(uref.pif),
+		 inany_ntop(&ini->eaddr, sstr, sizeof(sstr)),
+		 ini->eport, ini->fport);
+	flow_alloc_cancel(flow);
+	return FLOW_SIDX_NONE;
+}
+
 /**
  * udp_splice_send() - Send datagrams from socket to socket
  * @c:		Execution context
@@ -536,6 +650,7 @@ static unsigned udp_splice_send(const struct ctx *c, size_t start,
size_t n,
 			break;
 
 		udp_meta[i].splicesrc = udp_mmh_splice_port(uref, &mmh_recv[i]);
+		udp_meta[i].tosidx = udp_flow_from_sock(c, uref, &udp_meta[i]);
 	} while (udp_meta[i].splicesrc == src);
 
 	if (uref.pif == PIF_SPLICE) {
@@ -758,6 +873,7 @@ static unsigned udp_tap_send(const struct ctx *c, size_t start, size_t
n,
 			break;
 
 		udp_meta[i].splicesrc = udp_mmh_splice_port(uref, &mmh_recv[i]);
+		udp_meta[i].tosidx = udp_flow_from_sock(c, uref, &udp_meta[i]);
 	} while (udp_meta[i].splicesrc == -1);
 
 	tap_send_frames(c, &tap_iov[start][0], UDP_NUM_IOVS, i - start);
@@ -786,8 +902,8 @@ void udp_buf_sock_handler(const struct ctx *c, union epoll_ref ref,
uint32_t eve
 	 */
 	ssize_t n = (c->mode == MODE_PASTA ? 1 : UDP_MAX_FRAMES);
 	in_port_t dstport = ref.udp.port;
-	bool v6 = ref.udp.v6;
 	struct mmsghdr *mmh_recv;
+	bool v6 = ref.udp.v6;
 	int i, m;
 
 	if (c->no_udp || !(events & EPOLLIN))
@@ -797,6 +913,8 @@ void udp_buf_sock_handler(const struct ctx *c, union epoll_ref ref,
uint32_t eve
 		dstport += c->udp.fwd_out.f.delta[dstport];
 	else if (ref.udp.pif == PIF_HOST)
 		dstport += c->udp.fwd_in.f.delta[dstport];
+	else
+		ASSERT(0);
 
 	if (v6)
 		mmh_recv = udp6_l2_mh_sock;
@@ -809,12 +927,13 @@ void udp_buf_sock_handler(const struct ctx *c, union epoll_ref ref,
uint32_t eve
 
 	/* We divide things into batches based on how we need to send them,
 	 * determined by udp_meta[i].splicesrc.  To avoid either two passes
-	 * through the array, or recalculating splicesrc for a single entry, we
-	 * have to populate it one entry *ahead* of the loop counter (if
-	 * present).  So we fill in entry 0 before the loop, then udp_*_send()
-	 * populate one entry past where they consume.
+	 * through the array, or recalculating splicesrc and tosidx for a single
+	 * entry, we have to populate them one entry *ahead* of the loop counter
+	 * (if present).  So we fill in entry 0 before the loop, then
+	 * udp_*_send() populate one entry past where they consume.
 	 */
 	udp_meta[0].splicesrc = udp_mmh_splice_port(ref.udp, mmh_recv);
+	udp_meta[0].tosidx = udp_flow_from_sock(c, ref.udp, &udp_meta[0]);
 	for (i = 0; i < n; i += m) {
 		if (udp_meta[i].splicesrc >= 0)
 			m = udp_splice_send(c, i, n, dstport, ref.udp, now);
@@ -823,6 +942,74 @@ void udp_buf_sock_handler(const struct ctx *c, union epoll_ref ref,
uint32_t eve
 	}
 }
 
+/**
+ * udp_flow_from_tap() - Find or create UDP flow for tap packets
+ * @c:		Execution context
+ * @pif:	pif on which the packet is arriving
+ * @af:		Address family, AF_INET or AF_INET6
+ * @saddr:	Source address on guest side
+ * @daddr:	Destination address guest side
+ * @srcport:	Source port on guest side
+ * @dstport:	Destination port on guest side
+ *
+ * Return: sidx for the destination side of the flow for this packet, or
+ *         FLOW_SIDX_NONE if we couldn't find or create a flow.
+ */
+flow_sidx_t udp_flow_from_tap(const struct ctx *c,
+			      uint8_t pif, sa_family_t af,
+			      const void *saddr, const void *daddr,
+			      in_port_t srcport, in_port_t dstport)
+{
+	const struct flowside *ini;
+	struct udp_flow *uflow;
+	union flow *flow;
+	flow_sidx_t sidx;
+
+	ASSERT(pif == PIF_TAP);
+
+	sidx = flow_lookup_af(c, IPPROTO_UDP, pif, af, saddr, daddr,
+			      srcport, dstport);
+	if ((flow = flow_at_sidx(sidx)))
+		return FLOW_SIDX(flow, !sidx.side);
+
+	if (!(flow = flow_alloc()))
+		return FLOW_SIDX_NONE;
+
+	ini = flow_initiate_af(flow, PIF_TAP, af,
+			       saddr, srcport, daddr, dstport);
+
+	if (!inany_is_unicast(&ini->eaddr) || ini->eport == 0 ||
+	    !inany_is_unicast(&ini->faddr) || ini->fport == 0) {
+		char sstr[INANY_ADDRSTRLEN], dstr[INANY_ADDRSTRLEN];
+
+		debug("Invalid UDP endpoint from %s: %s:%hu -> %s:%hu",
+		      pif_name(pif),
+		      inany_ntop(&ini->eaddr, sstr, sizeof(sstr)), ini->eport,
+		      inany_ntop(&ini->faddr, dstr, sizeof(dstr)), ini->fport);
+		goto cancel;
+	}
+
+	if (!flow_target(c, flow, IPPROTO_UDP))
+		goto cancel;
+
+	if (flow->f.pif[TGTSIDE] != PIF_HOST) {
+		flow_err(flow, "No support for forwarding UDP from %s to %s",
+			 pif_name(flow->f.pif[INISIDE]),
+			 pif_name(flow->f.pif[TGTSIDE]));
+		goto cancel;
+	}
+
+	uflow = FLOW_SET_TYPE(flow, FLOW_UDP, udp);
+	flow_hash_insert(c, FLOW_SIDX(uflow, INISIDE));
+	flow_hash_insert(c, FLOW_SIDX(uflow, TGTSIDE));
+	FLOW_ACTIVATE(uflow);
+	return FLOW_SIDX(uflow, TGTSIDE);
+
+cancel:
+	flow_alloc_cancel(flow);
+	return FLOW_SIDX_NONE;
+}
+
 /**
  * udp_tap_handler() - Handle packets from tap
  * @c:		Execution context
@@ -847,15 +1034,13 @@ int udp_tap_handler(struct ctx *c, uint8_t pif,
 	struct sockaddr_in6 s_in6;
 	struct sockaddr_in s_in;
 	const struct udphdr *uh;
+	struct udp_flow *uflow;
 	struct sockaddr *sa;
 	int i, s, count = 0;
 	in_port_t src, dst;
+	flow_sidx_t sidx;
 	socklen_t sl;
 
-	(void)c;
-	(void)saddr;
-	(void)pif;
-
 	uh = packet_get(p, idx, 0, sizeof(*uh), NULL);
 	if (!uh)
 		return 1;
@@ -864,8 +1049,14 @@ int udp_tap_handler(struct ctx *c, uint8_t pif,
 	 * and destination, so we can just take those from the first message.
 	 */
 	src = ntohs(uh->source);
-	src += c->udp.fwd_in.rdelta[src];
 	dst = ntohs(uh->dest);
+	sidx = udp_flow_from_tap(c, pif, af, saddr, daddr, src, dst);
+	if ((uflow = udp_at_sidx(sidx)))
+		uflow->ts = now->tv_sec;
+	else
+		debug("UDP from tap without flow");
+
+	src += c->udp.fwd_in.rdelta[src];
 
 	if (af == AF_INET) {
 		s_in = (struct sockaddr_in) {
@@ -1211,6 +1402,17 @@ static int udp_port_rebind_outbound(void *arg)
 	return 0;
 }
 
+bool udp_flow_timer(const struct ctx *c, const struct udp_flow *uflow,
+		    const struct timespec *now)
+{
+	if (now->tv_sec - uflow->ts <= UDP_CONN_TIMEOUT)
+		return false;
+
+	flow_hash_remove(c, FLOW_SIDX(uflow, INISIDE));
+	flow_hash_remove(c, FLOW_SIDX(uflow, TGTSIDE));
+	return true;
+}
+
 /**
  * udp_timer() - Scan activity bitmaps for ports with associated timed events
  * @c:		Execution context
diff --git a/udp_flow.h b/udp_flow.h
new file mode 100644
index 00000000..18af9ac4
--- /dev/null
+++ b/udp_flow.h
@@ -0,0 +1,25 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later
+ * Copyright Red Hat
+ * Author: David Gibson &lt;david(a)gibson.dropbear.id.au&gt;
+ *
+ * UDP flow tracking data structures
+ */
+#ifndef UDP_FLOW_H
+#define UDP_FLOW_H
+
+/**
+ * struct udp - Descriptor for a flow of UDP packets
+ * @f:		Generic flow information
+ * @ts:		Activity timestamp
+ */
+struct udp_flow {
+	/* Must be first element */
+	struct flow_common f;
+
+	time_t ts;
+};
+
+bool udp_flow_timer(const struct ctx *c, const struct udp_flow *uflow,
+		    const struct timespec *now);
+
+#endif /* UDP_FLOW_H */
-- 
2.45.2

Currently although we associate a flow with traffic coming from a socket,
we don't use that flow to determine how to forward the traffic.  Fix this
for the case of traffic going from socket to tap (i.e. host to guest).

Determine first that we should be sending to tap from the pif in the flow
entry, rather than with separate logic.  Also use the addresses and ports
in the flow entry to construct the headers for the tap interface.

Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au>
---
 flow_table.h |  28 +++++++++
 udp.c        | 158 +++++++++++++++++----------------------------------
 2 files changed, 81 insertions(+), 105 deletions(-)

diff --git a/flow_table.h b/flow_table.h
index 6cf4f2b7..3f1e81b9 100644
--- a/flow_table.h
+++ b/flow_table.h
@@ -80,6 +80,34 @@ static inline union flow *flow_at_sidx(flow_sidx_t sidx)
 	return FLOW(sidx.flow);
 }
 
+/** flowside_at_sidx - Flow side for a given sidx
+ * @sidx:	Flow & side index
+ *
+ * Return: pointer to the corresponding flowside, or NULL
+ */
+static inline struct flowside *flowside_at_sidx(flow_sidx_t sidx)
+{
+	union flow *flow = flow_at_sidx(sidx);
+
+	if (!flow)
+		return NULL;
+	return &flow->f.side[sidx.side];
+}
+
+/** pif_at_sidx - Interface id for a given sidx
+ * @sidx:	Flow & side index
+ *
+ * Return: pif for the given flow & side, or PIF_NONE if the sidx is invalid
+ */
+static inline uint8_t pif_at_sidx(flow_sidx_t sidx)
+{
+	union flow *flow = flow_at_sidx(sidx);
+
+	if (!flow)
+		return PIF_NONE;
+	return flow->f.pif[sidx.side];
+}
+
 /** flow_sidx_t - Index of one side of a flow from common structure
  * @f:		Common flow fields pointer
  * @side:	Which side to refer to (0 or 1)
diff --git a/udp.c b/udp.c
index 4668690e..29f3ba85 100644
--- a/udp.c
+++ b/udp.c
@@ -711,118 +711,53 @@ out:
 }
 
 /**
- * udp_update_hdr4() - Update headers for one IPv4 datagram
- * @c:		Execution context
+ * udp_update_hdr4) - Update headers for one IPv4 datagram
  * @ip4h:	Pre-filled IPv4 header (except for tot_len and saddr)
- * @s_in:	Source socket address, filled in by recvmmsg()
  * @bp:		Pointer to udp_payload_t to update
- * @dstport:	Destination port number
+ * @fside:	Flowside with addresses to direct the datagram
  * @dlen:	Length of UDP payload
- * @now:	Current timestamp
  *
  * Return: size of IPv4 payload (UDP header + data)
  */
-static size_t udp_update_hdr4(const struct ctx *c,
-			      struct iphdr *ip4h, const struct sockaddr_in *s_in,
-			      struct udp_payload_t *bp,
-			      in_port_t dstport, size_t dlen,
-			      const struct timespec *now)
+static size_t udp_update_hdr4(struct iphdr *ip4h, struct udp_payload_t *bp,
+			      const struct flowside *fside, size_t dlen)
 {
-	const struct in_addr dst = c->ip4.addr_seen;
-	in_port_t srcport = ntohs(s_in->sin_port);
+	const struct in_addr *src = inany_v4(&fside->faddr);
+	const struct in_addr *dst = inany_v4(&fside->eaddr);
 	size_t l4len = dlen + sizeof(bp->uh);
 	size_t l3len = l4len + sizeof(*ip4h);
-	struct in_addr src = s_in->sin_addr;
-
-	if (!IN4_IS_ADDR_UNSPECIFIED(&c->ip4.dns_match) &&
-	    IN4_ARE_ADDR_EQUAL(&src, &c->ip4.dns_host) && srcport == 53
&&
-	    (udp_tap_map[V4][dstport].flags & PORT_DNS_FWD)) {
-		src = c->ip4.dns_match;
-	} else if (IN4_IS_ADDR_LOOPBACK(&src) ||
-		   IN4_ARE_ADDR_EQUAL(&src, &c->ip4.addr_seen)) {
-		udp_tap_map[V4][srcport].ts = now->tv_sec;
-		udp_tap_map[V4][srcport].flags |= PORT_LOCAL;
-
-		if (IN4_IS_ADDR_LOOPBACK(&src))
-			udp_tap_map[V4][srcport].flags |= PORT_LOOPBACK;
-		else
-			udp_tap_map[V4][srcport].flags &= ~PORT_LOOPBACK;
 
-		bitmap_set(udp_act[V4][UDP_ACT_TAP], srcport);
-
-		src = c->ip4.gw;
-	}
+	ASSERT(src && dst);
 
 	ip4h->tot_len = htons(l3len);
-	ip4h->daddr = dst.s_addr;
-	ip4h->saddr = src.s_addr;
-	ip4h->check = csum_ip4_header(l3len, IPPROTO_UDP, src, dst);
+	ip4h->daddr = dst->s_addr;
+	ip4h->saddr = src->s_addr;
+	ip4h->check = csum_ip4_header(l3len, IPPROTO_UDP, *src, *dst);
 
-	bp->uh.source = s_in->sin_port;
-	bp->uh.dest = htons(dstport);
+	bp->uh.source = htons(fside->fport);
+	bp->uh.dest = htons(fside->eport);
 	bp->uh.len = htons(l4len);
-	csum_udp4(&bp->uh, src, dst, bp->data, dlen);
+	csum_udp4(&bp->uh, *src, *dst, bp->data, dlen);
 
 	return l4len;
 }
 
 /**
  * udp_update_hdr6() - Update headers for one IPv6 datagram
- * @c:		Execution context
  * @ip6h:	Pre-filled IPv6 header (except for payload_len and addresses)
- * @s_in:	Source socket address, filled in by recvmmsg()
  * @bp:		Pointer to udp_payload_t to update
- * @dstport:	Destination port number
+ * @fside:	Flowside with addresses to direct the datagram
  * @dlen:	Length of UDP payload
- * @now:	Current timestamp
  *
  * Return: size of IPv6 payload (UDP header + data)
  */
-static size_t udp_update_hdr6(const struct ctx *c,
-			      struct ipv6hdr *ip6h, struct sockaddr_in6 *s_in6,
-			      struct udp_payload_t *bp,
-			      in_port_t dstport, size_t dlen,
-			      const struct timespec *now)
+static size_t udp_update_hdr6(struct ipv6hdr *ip6h, struct udp_payload_t *bp,
+			      const struct flowside *fside, size_t dlen)
 {
-	const struct in6_addr *src = &s_in6->sin6_addr;
-	const struct in6_addr *dst = &c->ip6.addr_seen;
-	in_port_t srcport = ntohs(s_in6->sin6_port);
+	const struct in6_addr *src = &fside->faddr.a6;
+	const struct in6_addr *dst = &fside->eaddr.a6;
 	uint16_t l4len = dlen + sizeof(bp->uh);
 
-	if (IN6_IS_ADDR_LINKLOCAL(src)) {
-		dst = &c->ip6.addr_ll_seen;
-	} else if (!IN6_IS_ADDR_UNSPECIFIED(&c->ip6.dns_match) &&
-		   IN6_ARE_ADDR_EQUAL(src, &c->ip6.dns_host) &&
-		   srcport == 53 &&
-		   (udp_tap_map[V4][dstport].flags & PORT_DNS_FWD)) {
-		src = &c->ip6.dns_match;
-	} else if (IN6_IS_ADDR_LOOPBACK(src)			||
-		   IN6_ARE_ADDR_EQUAL(src, &c->ip6.addr_seen)	||
-		   IN6_ARE_ADDR_EQUAL(src, &c->ip6.addr)) {
-		udp_tap_map[V6][srcport].ts = now->tv_sec;
-		udp_tap_map[V6][srcport].flags |= PORT_LOCAL;
-
-		if (IN6_IS_ADDR_LOOPBACK(src))
-			udp_tap_map[V6][srcport].flags |= PORT_LOOPBACK;
-		else
-			udp_tap_map[V6][srcport].flags &= ~PORT_LOOPBACK;
-
-		if (IN6_ARE_ADDR_EQUAL(src, &c->ip6.addr))
-			udp_tap_map[V6][srcport].flags |= PORT_GUA;
-		else
-			udp_tap_map[V6][srcport].flags &= ~PORT_GUA;
-
-		bitmap_set(udp_act[V6][UDP_ACT_TAP], srcport);
-
-		dst = &c->ip6.addr_ll_seen;
-
-		if (IN6_IS_ADDR_LINKLOCAL(&c->ip6.gw))
-			src = &c->ip6.gw;
-		else
-			src = &c->ip6.addr_ll;
-
-	}
-
 	ip6h->payload_len = htons(l4len);
 	ip6h->daddr = *dst;
 	ip6h->saddr = *src;
@@ -830,8 +765,8 @@ static size_t udp_update_hdr6(const struct ctx *c,
 	ip6h->nexthdr = IPPROTO_UDP;
 	ip6h->hop_limit = 255;
 
-	bp->uh.source = s_in6->sin6_port;
-	bp->uh.dest = htons(dstport);
+	bp->uh.source = htons(fside->fport);
+	bp->uh.dest = htons(fside->eport);
 	bp->uh.len = ip6h->payload_len;
 	csum_udp6(&bp->uh, src, dst, bp->data, dlen);
 
@@ -843,26 +778,23 @@ static size_t udp_update_hdr6(const struct ctx *c,
  * @c:		Execution context
  * @start:	Index of first datagram in udp[46]_l2_buf pool
  * @n:		Total number of datagrams in udp[46]_l2_buf pool
- * @dstport:	Destination port number on destination side
  * @uref:	UDP epoll reference for origin socket
  * @now:	Current timestamp
  *
  * This consumes as many frames as are sendable via tap.  It requires that
- * udp_meta[(a)start].splicesrc is initialised, and will initialise
- * udp_meta[].splicesrc for each frame it consumes *and one more* (if present).
+ * udp_meta[(a)start].tosidx is initialised, and will initialise udp_meta[].tosidx
+ * for each frame it consumes *and one more* (if present).
  *
  * Return: Number of frames sent via tap
  */
 static unsigned udp_tap_send(const struct ctx *c, size_t start, size_t n,
-			     in_port_t dstport, union udp_epoll_ref uref,
+			     union udp_epoll_ref uref,
 			     const struct timespec *now)
 {
 	struct iovec (*tap_iov)[UDP_NUM_IOVS];
 	struct mmsghdr *mmh_recv;
 	size_t i = start;
 
-	ASSERT(udp_meta[start].splicesrc == -1);
-
 	if (uref.v6) {
 		tap_iov = udp6_l2_iov_tap;
 		mmh_recv = udp6_l2_mh_sock;
@@ -874,18 +806,19 @@ static unsigned udp_tap_send(const struct ctx *c, size_t start,
size_t n,
 	do {
 		struct udp_payload_t *bp = &udp_payload[i];
 		struct udp_meta_t *bm = &udp_meta[i];
+		const struct flowside *toside = flowside_at_sidx(bm->tosidx);
 		size_t l4len;
 
 		if (uref.v6) {
-			l4len = udp_update_hdr6(c, &bm->ip6h,
-						&bm->s_in.sa6, bp, dstport,
-						udp6_l2_mh_sock[i].msg_len, now);
+			udp_tap_map[V6][toside->fport].ts = now->tv_sec;
+			l4len = udp_update_hdr6(&bm->ip6h, bp, toside,
+						udp6_l2_mh_sock[i].msg_len);
 			tap_hdr_update(&bm->taph, l4len + sizeof(bm->ip6h) +
 						  sizeof(udp6_eth_hdr));
 		} else {
-			l4len = udp_update_hdr4(c, &bm->ip4h,
-						&bm->s_in.sa4, bp, dstport,
-						udp4_l2_mh_sock[i].msg_len, now);
+			udp_tap_map[V4][toside->fport].ts = now->tv_sec;
+			l4len = udp_update_hdr4(&bm->ip4h, bp, toside,
+						udp4_l2_mh_sock[i].msg_len);
 			tap_hdr_update(&bm->taph, l4len + sizeof(bm->ip4h) +
 						  sizeof(udp4_eth_hdr));
 		}
@@ -896,7 +829,7 @@ static unsigned udp_tap_send(const struct ctx *c, size_t start, size_t
n,
 
 		udp_meta[i].splicesrc = udp_mmh_splice_port(uref, &mmh_recv[i]);
 		udp_meta[i].tosidx = udp_flow_from_sock(c, uref, &udp_meta[i]);
-	} while (udp_meta[i].splicesrc == -1);
+	} while (pif_at_sidx(udp_meta[i].tosidx) == PIF_TAP);
 
 	tap_send_frames(c, &tap_iov[start][0], UDP_NUM_IOVS, i - start);
 	return i - start;
@@ -948,19 +881,34 @@ void udp_buf_sock_handler(const struct ctx *c, union epoll_ref ref,
uint32_t eve
 		return;
 
 	/* We divide things into batches based on how we need to send them,
-	 * determined by udp_meta[i].splicesrc.  To avoid either two passes
-	 * through the array, or recalculating splicesrc and tosidx for a single
-	 * entry, we have to populate them one entry *ahead* of the loop counter
-	 * (if present).  So we fill in entry 0 before the loop, then
+	 * determined by udp_meta[i].splicesrc or tosidx.  To avoid either two
+	 * passes through the array, or recalculating splicesrc and tosidx for a
+	 * single entry, we have to populate them one entry *ahead* of the loop
+	 * counter (if present).  So we fill in entry 0 before the loop, then
 	 * udp_*_send() populate one entry past where they consume.
 	 */
 	udp_meta[0].splicesrc = udp_mmh_splice_port(ref.udp, mmh_recv);
 	udp_meta[0].tosidx = udp_flow_from_sock(c, ref.udp, &udp_meta[0]);
 	for (i = 0; i < n; i += m) {
-		if (udp_meta[i].splicesrc >= 0)
+		flow_sidx_t tosidx = udp_meta[i].tosidx;
+		uint8_t topif = pif_at_sidx(tosidx);
+
+		if (topif == PIF_TAP) {
+			m = udp_tap_send(c, i, n, ref.udp, now);
+		} else if (udp_meta[i].splicesrc >= 0) {
 			m = udp_splice_send(c, i, n, dstport, ref.udp, now);
-		else
-			m = udp_tap_send(c, i, n, dstport, ref.udp, now);
+		} else {
+			char sstr[SOCKADDR_STRLEN];
+
+			debug("Dropping UDP packet without usable flow from %s %s -> ?:%hu",
+			      pif_name(ref.udp.pif),
+			      sockaddr_ntop(&udp_meta[i].s_in, sstr, sizeof(sstr)),
+			      dstport);
+
+			m = 1;
+			udp_meta[i].splicesrc = udp_mmh_splice_port(ref.udp, mmh_recv);
+			udp_meta[i].tosidx = udp_flow_from_sock(c, ref.udp, &udp_meta[i]);
+		}
 	}
 }
 
-- 
2.45.2

This field in udp_meta_t was used to work out whether and how we're
splicing datagrams.  However, that role has been taken over by the flow
table, so this field is updated, but never used.  Eliminate it.

Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au>
---
 udp.c | 48 ++++++------------------------------------------
 1 file changed, 6 insertions(+), 42 deletions(-)

diff --git a/udp.c b/udp.c
index 89dc0307..3b30306a 100644
--- a/udp.c
+++ b/udp.c
@@ -205,7 +205,6 @@ static struct ethhdr udp6_eth_hdr;
  * @ip4h:	Pre-filled IPv4 header (except for tot_len and saddr)
  * @taph:	Tap backend specific header
  * @s_in:	Source socket address, filled in by recvmmsg()
- * @splicesrc:	Source port for splicing, or -1 if not spliceable
  * @tosidx:	sidx for the destination side of this datagram's flow
  */
 static struct udp_meta_t {
@@ -214,7 +213,6 @@ static struct udp_meta_t {
 	struct tap_hdr taph;
 
 	union sockaddr_inany s_in;
-	int splicesrc;
 	flow_sidx_t tosidx;
 }
 #ifdef __AVX2__
@@ -479,32 +477,6 @@ static int udp_splice_new_ns(void *arg)
 	return 0;
 }
 
-/**
- * udp_mmh_splice_port() - Is source address of message suitable for splicing?
- * @uref:	UDP epoll reference for incoming message's origin socket
- * @mmh:	mmsghdr of incoming message
- *
- * Return: if source address of message in @mmh refers to localhost (127.0.0.1
- *         or ::1) its source port (host order), otherwise -1.
- */
-static int udp_mmh_splice_port(union udp_epoll_ref uref,
-			       const struct mmsghdr *mmh)
-{
-	const struct sockaddr_in6 *sa6 = mmh->msg_hdr.msg_name;
-	const struct sockaddr_in *sa4 = mmh->msg_hdr.msg_name;
-
-	if (!uref.splice)
-		return -1;
-
-	if (uref.v6 && IN6_IS_ADDR_LOOPBACK(&sa6->sin6_addr))
-		return ntohs(sa6->sin6_port);
-
-	if (!uref.v6 && IN4_IS_ADDR_LOOPBACK(&sa4->sin_addr))
-		return ntohs(sa4->sin_port);
-
-	return -1;
-}
-
 /**
  * udp_flow_from_sock() - Find or create UDP flow for datagrams from socket
  * @c:		Execution context
@@ -610,7 +582,6 @@ static unsigned udp_splice_send(const struct ctx *c, size_t start,
size_t n,
 		if (++i >= n)
 			break;
 
-		udp_meta[i].splicesrc = udp_mmh_splice_port(uref, &mmh_recv[i]);
 		udp_meta[i].tosidx = udp_flow_from_sock(c, uref, &udp_meta[i]);
 	} while (flow_sidx_eq(udp_meta[i].tosidx, startsidx));
 
@@ -729,16 +700,12 @@ static unsigned udp_tap_send(const struct ctx *c, size_t start,
size_t n,
 			     const struct timespec *now)
 {
 	struct iovec (*tap_iov)[UDP_NUM_IOVS];
-	struct mmsghdr *mmh_recv;
 	size_t i = start;
 
-	if (uref.v6) {
+	if (uref.v6)
 		tap_iov = udp6_l2_iov_tap;
-		mmh_recv = udp6_l2_mh_sock;
-	} else {
-		mmh_recv = udp4_l2_mh_sock;
+	else
 		tap_iov = udp4_l2_iov_tap;
-	}
 
 	do {
 		struct udp_payload_t *bp = &udp_payload[i];
@@ -764,7 +731,6 @@ static unsigned udp_tap_send(const struct ctx *c, size_t start, size_t
n,
 		if (++i >= n)
 			break;
 
-		udp_meta[i].splicesrc = udp_mmh_splice_port(uref, &mmh_recv[i]);
 		udp_meta[i].tosidx = udp_flow_from_sock(c, uref, &udp_meta[i]);
 	} while (pif_at_sidx(udp_meta[i].tosidx) == PIF_TAP);
 
@@ -819,12 +785,11 @@ void udp_buf_sock_handler(const struct ctx *c, union epoll_ref ref,
uint32_t eve
 
 	/* We divide things into batches based on how we need to send them,
 	 * determined by udp_meta[i].tosidx.  To avoid either two passes through
-	 * the array, or recalculating splicesrc and tosidx for a single entry,
-	 * we have to populate them one entry *ahead* of the loop counter (if
-	 * present).  So we fill in entry 0 before the loop, then udp_*_send()
-	 * populate one entry past where they consume.
+	 * the array, or recalculating tosidx for a single entry, we have to
+	 * populate it one entry *ahead* of the loop counter (if present).  So
+	 * we fill in entry 0 before the loop, then udp_*_send() populate one
+	 * entry past where they consume.
 	 */
-	udp_meta[0].splicesrc = udp_mmh_splice_port(ref.udp, mmh_recv);
 	udp_meta[0].tosidx = udp_flow_from_sock(c, ref.udp, &udp_meta[0]);
 	for (i = 0; i < n; i += m) {
 		flow_sidx_t tosidx = udp_meta[i].tosidx;
@@ -843,7 +808,6 @@ void udp_buf_sock_handler(const struct ctx *c, union epoll_ref ref,
uint32_t eve
 			      dstport);
 
 			m = 1;
-			udp_meta[i].splicesrc = udp_mmh_splice_port(ref.udp, mmh_recv);
 			udp_meta[i].tosidx = udp_flow_from_sock(c, ref.udp, &udp_meta[i]);
 		}
 	}
-- 
2.45.2

In addition to the struct fwd_ports used by both UDP and TCP to track
port forwarding, UDP also included an 'rdelta' field, which contained the
reverse mapping of the main port map.  This was used so that we could
properly direct reply packets to a forwarded packet where we change the
destination port.  This has now been taken over by the flow table: reply
packets will match the flow of the originating packet, and that gives the
correct ports on the originating side.

So, eliminate the rdelta field, and with it struct udp_fwd_ports, which
now has no additional information over struct fwd_ports.

Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au>
---
 conf.c | 14 +++++++-------
 fwd.c  | 24 ++++++++++++------------
 udp.c  | 37 ++++++++-----------------------------
 udp.h  | 14 ++------------
 4 files changed, 29 insertions(+), 60 deletions(-)

diff --git a/conf.c b/conf.c
index 94b3ed6f..d1891479 100644
--- a/conf.c
+++ b/conf.c
@@ -1248,7 +1248,7 @@ void conf(struct ctx *c, int argc, char **argv)
 	}
 
 	c->tcp.fwd_in.mode = c->tcp.fwd_out.mode = FWD_UNSET;
-	c->udp.fwd_in.f.mode = c->udp.fwd_out.f.mode = FWD_UNSET;
+	c->udp.fwd_in.mode = c->udp.fwd_out.mode = FWD_UNSET;
 
 	do {
 		name = getopt_long(argc, argv, optstring, options, NULL);
@@ -1733,7 +1733,7 @@ void conf(struct ctx *c, int argc, char **argv)
 		if (name == 't')
 			conf_ports(c, name, optarg, &c->tcp.fwd_in);
 		else if (name == 'u')
-			conf_ports(c, name, optarg, &c->udp.fwd_in.f);
+			conf_ports(c, name, optarg, &c->udp.fwd_in);
 	} while (name != -1);
 
 	if (c->mode == MODE_PASTA)
@@ -1768,7 +1768,7 @@ void conf(struct ctx *c, int argc, char **argv)
 		if (name == 'T')
 			conf_ports(c, name, optarg, &c->tcp.fwd_out);
 		else if (name == 'U')
-			conf_ports(c, name, optarg, &c->udp.fwd_out.f);
+			conf_ports(c, name, optarg, &c->udp.fwd_out);
 	} while (name != -1);
 
 	if (!c->ifi4)
@@ -1795,10 +1795,10 @@ void conf(struct ctx *c, int argc, char **argv)
 		c->tcp.fwd_in.mode = fwd_default;
 	if (!c->tcp.fwd_out.mode)
 		c->tcp.fwd_out.mode = fwd_default;
-	if (!c->udp.fwd_in.f.mode)
-		c->udp.fwd_in.f.mode = fwd_default;
-	if (!c->udp.fwd_out.f.mode)
-		c->udp.fwd_out.f.mode = fwd_default;
+	if (!c->udp.fwd_in.mode)
+		c->udp.fwd_in.mode = fwd_default;
+	if (!c->udp.fwd_out.mode)
+		c->udp.fwd_out.mode = fwd_default;
 
 	fwd_scan_ports_init(c);
 
diff --git a/fwd.c b/fwd.c
index cd66eaee..69b0f535 100644
--- a/fwd.c
+++ b/fwd.c
@@ -129,18 +129,18 @@ void fwd_scan_ports_init(struct ctx *c)
 
 	c->tcp.fwd_in.scan4 = c->tcp.fwd_in.scan6 = -1;
 	c->tcp.fwd_out.scan4 = c->tcp.fwd_out.scan6 = -1;
-	c->udp.fwd_in.f.scan4 = c->udp.fwd_in.f.scan6 = -1;
-	c->udp.fwd_out.f.scan4 = c->udp.fwd_out.f.scan6 = -1;
+	c->udp.fwd_in.scan4 = c->udp.fwd_in.scan6 = -1;
+	c->udp.fwd_out.scan4 = c->udp.fwd_out.scan6 = -1;
 
 	if (c->tcp.fwd_in.mode == FWD_AUTO) {
 		c->tcp.fwd_in.scan4 = open_in_ns(c, "/proc/net/tcp", flags);
 		c->tcp.fwd_in.scan6 = open_in_ns(c, "/proc/net/tcp6", flags);
 		fwd_scan_ports_tcp(&c->tcp.fwd_in, &c->tcp.fwd_out);
 	}
-	if (c->udp.fwd_in.f.mode == FWD_AUTO) {
-		c->udp.fwd_in.f.scan4 = open_in_ns(c, "/proc/net/udp", flags);
-		c->udp.fwd_in.f.scan6 = open_in_ns(c, "/proc/net/udp6", flags);
-		fwd_scan_ports_udp(&c->udp.fwd_in.f, &c->udp.fwd_out.f,
+	if (c->udp.fwd_in.mode == FWD_AUTO) {
+		c->udp.fwd_in.scan4 = open_in_ns(c, "/proc/net/udp", flags);
+		c->udp.fwd_in.scan6 = open_in_ns(c, "/proc/net/udp6", flags);
+		fwd_scan_ports_udp(&c->udp.fwd_in, &c->udp.fwd_out,
 				   &c->tcp.fwd_in, &c->tcp.fwd_out);
 	}
 	if (c->tcp.fwd_out.mode == FWD_AUTO) {
@@ -148,10 +148,10 @@ void fwd_scan_ports_init(struct ctx *c)
 		c->tcp.fwd_out.scan6 = open("/proc/net/tcp6", flags);
 		fwd_scan_ports_tcp(&c->tcp.fwd_out, &c->tcp.fwd_in);
 	}
-	if (c->udp.fwd_out.f.mode == FWD_AUTO) {
-		c->udp.fwd_out.f.scan4 = open("/proc/net/udp", flags);
-		c->udp.fwd_out.f.scan6 = open("/proc/net/udp6", flags);
-		fwd_scan_ports_udp(&c->udp.fwd_out.f, &c->udp.fwd_in.f,
+	if (c->udp.fwd_out.mode == FWD_AUTO) {
+		c->udp.fwd_out.scan4 = open("/proc/net/udp", flags);
+		c->udp.fwd_out.scan6 = open("/proc/net/udp6", flags);
+		fwd_scan_ports_udp(&c->udp.fwd_out, &c->udp.fwd_in,
 				   &c->tcp.fwd_out, &c->tcp.fwd_in);
 	}
 }
@@ -235,7 +235,7 @@ uint8_t fwd_nat_from_splice(const struct ctx *c, uint8_t proto,
 	if (proto == IPPROTO_TCP)
 		tgt->eport += c->tcp.fwd_out.delta[tgt->eport];
 	else if (proto == IPPROTO_UDP)
-		tgt->eport += c->udp.fwd_out.f.delta[tgt->eport];
+		tgt->eport += c->udp.fwd_out.delta[tgt->eport];
 
 	/* Let the kernel pick a host side source port */
 	tgt->fport = 0;
@@ -264,7 +264,7 @@ uint8_t fwd_nat_from_host(const struct ctx *c, uint8_t proto,
 	if (proto == IPPROTO_TCP)
 		tgt->eport += c->tcp.fwd_in.delta[tgt->eport];
 	else if (proto == IPPROTO_UDP)
-		tgt->eport += c->udp.fwd_in.f.delta[tgt->eport];
+		tgt->eport += c->udp.fwd_in.delta[tgt->eport];
 
 	if (c->mode == MODE_PASTA && inany_is_loopback(&ini->eaddr)
&&
 	    (proto == IPPROTO_TCP || proto == IPPROTO_UDP)) {
diff --git a/udp.c b/udp.c
index 489e2095..c170b0be 100644
--- a/udp.c
+++ b/udp.c
@@ -261,24 +261,6 @@ void udp_portmap_clear(void)
 	}
 }
 
-/**
- * udp_invert_portmap() - Compute reverse port translations for return packets
- * @fwd:	Port forwarding configuration to compute reverse map for
- */
-static void udp_invert_portmap(struct udp_fwd_ports *fwd)
-{
-	unsigned int i;
-
-	static_assert(ARRAY_SIZE(fwd->f.delta) == ARRAY_SIZE(fwd->rdelta),
-		      "Forward and reverse delta arrays must have same size");
-	for (i = 0; i < ARRAY_SIZE(fwd->f.delta); i++) {
-		in_port_t delta = fwd->f.delta[i];
-
-		if (delta)
-			fwd->rdelta[i + delta] = NUM_PORTS - delta;
-	}
-}
-
 /**
  * udp_update_l2_buf() - Update L2 buffers with Ethernet and IPv4 addresses
  * @eth_d:	Ethernet destination address, NULL if unchanged
@@ -751,9 +733,9 @@ void udp_buf_sock_handler(const struct ctx *c, union epoll_ref ref,
uint32_t eve
 		return;
 
 	if (ref.udp.pif == PIF_SPLICE)
-		dstport += c->udp.fwd_out.f.delta[dstport];
+		dstport += c->udp.fwd_out.delta[dstport];
 	else if (ref.udp.pif == PIF_HOST)
-		dstport += c->udp.fwd_in.f.delta[dstport];
+		dstport += c->udp.fwd_in.delta[dstport];
 	else
 		ASSERT(0);
 
@@ -1139,9 +1121,9 @@ static void udp_timer_one(struct ctx *c, int v6, enum udp_act_type
type,
 static void udp_port_rebind(struct ctx *c, bool outbound)
 {
 	const uint8_t *fmap
-		= outbound ? c->udp.fwd_out.f.map : c->udp.fwd_in.f.map;
+		= outbound ? c->udp.fwd_out.map : c->udp.fwd_in.map;
 	const uint8_t *rmap
-		= outbound ? c->udp.fwd_in.f.map : c->udp.fwd_out.f.map;
+		= outbound ? c->udp.fwd_in.map : c->udp.fwd_out.map;
 	struct udp_bound_port (*socks)[NUM_PORTS]
 		= outbound ? udp_splice_ns : udp_splice_init;
 	unsigned port;
@@ -1212,14 +1194,14 @@ void udp_timer(struct ctx *c, const struct timespec *now)
 	long *word, tmp;
 
 	if (c->mode == MODE_PASTA) {
-		if (c->udp.fwd_out.f.mode == FWD_AUTO) {
-			fwd_scan_ports_udp(&c->udp.fwd_out.f, &c->udp.fwd_in.f,
+		if (c->udp.fwd_out.mode == FWD_AUTO) {
+			fwd_scan_ports_udp(&c->udp.fwd_out, &c->udp.fwd_in,
 					   &c->tcp.fwd_out, &c->tcp.fwd_in);
 			NS_CALL(udp_port_rebind_outbound, c);
 		}
 
-		if (c->udp.fwd_in.f.mode == FWD_AUTO) {
-			fwd_scan_ports_udp(&c->udp.fwd_in.f, &c->udp.fwd_out.f,
+		if (c->udp.fwd_in.mode == FWD_AUTO) {
+			fwd_scan_ports_udp(&c->udp.fwd_in, &c->udp.fwd_out,
 					   &c->tcp.fwd_in, &c->tcp.fwd_out);
 			udp_port_rebind(c, false);
 		}
@@ -1256,9 +1238,6 @@ int udp_init(struct ctx *c)
 {
 	udp_iov_init(c);
 
-	udp_invert_portmap(&c->udp.fwd_in);
-	udp_invert_portmap(&c->udp.fwd_out);
-
 	if (c->mode == MODE_PASTA) {
 		udp_splice_iov_init();
 		NS_CALL(udp_port_rebind_outbound, c);
diff --git a/udp.h b/udp.h
index d25e66cb..4ae65723 100644
--- a/udp.h
+++ b/udp.h
@@ -42,16 +42,6 @@ union udp_epoll_ref {
 };
 
 
-/**
- * udp_fwd_ports - UDP specific port forwarding configuration
- * @f:		Generic forwarding configuration
- * @rdelta:	Reversed delta map to translate source ports on return packets
- */
-struct udp_fwd_ports {
-	struct fwd_ports f;
-	in_port_t rdelta[NUM_PORTS];
-};
-
 /**
  * struct udp_ctx - Execution context for UDP
  * @fwd_in:		Port forwarding configuration for inbound packets
@@ -59,8 +49,8 @@ struct udp_fwd_ports {
  * @timer_run:		Timestamp of most recent timer run
  */
 struct udp_ctx {
-	struct udp_fwd_ports fwd_in;
-	struct udp_fwd_ports fwd_out;
+	struct fwd_ports fwd_in;
+	struct fwd_ports fwd_out;
 	struct timespec timer_run;
 };
 
-- 
2.45.2