Re: [PATCH] conf, pasta: Add --no-tap option

public inbox for passt-dev@passt.top
 help / color / mirror / code / Atom feed

From: Stefano Brivio <sbrivio@redhat.com>
To: David Gibson <david@gibson.dropbear.id.au>
Cc: Yumei Huang <yuhuang@redhat.com>, passt-dev@passt.top
Subject: Re: [PATCH] conf, pasta: Add --no-tap option
Date: Tue, 13 Jan 2026 23:13:15 +0100	[thread overview]
Message-ID: <20260113231315.2c5a7ad6@elisabeth> (raw)
In-Reply-To: <aWWwZpkZvwQCssXk@zatzit>

On Tue, 13 Jan 2026 13:39:34 +1100
David Gibson <david@gibson.dropbear.id.au> wrote:

> On Tue, Jan 13, 2026 at 01:12:09AM +0100, Stefano Brivio wrote:
> > On Mon, 12 Jan 2026 15:26:14 +1100
> > David Gibson <david@gibson.dropbear.id.au> wrote:
> >   
> > > On Sat, Jan 10, 2026 at 07:12:19PM +0100, Stefano Brivio wrote:  
> > > > On Mon, 5 Jan 2026 16:53:49 +0800
> > > > Yumei Huang <yuhuang@redhat.com> wrote:
> > > >     
> > > > > On Mon, Jan 5, 2026 at 12:18 PM David Gibson
> > > > > <david@gibson.dropbear.id.au> wrote:    
> > > > > >
> > > > > > On Mon, Dec 29, 2025 at 05:55:58PM +0800, Yumei Huang wrote:    
> > > > > >  
> > > > > > > +             if (c->pasta_conf_ns)
> > > > > > > +                     die("--no-tap is incompatible with --config-net");      
> > > > > >
> > > > > > I don't think this is right.  We still can and should bring up 'lo' in
> > > > > > the --no-tap case.      
> > > > > 
> > > > > I see your point, but seems c->pasta_conf_ns is only used for tap as
> > > > > https://passt.top/passt/tree/pasta.c#n328, 'lo' is configured before
> > > > > that line.    
> > > > 
> > > > Right, and the reason is that there are basic bits of functionality
> > > > (probing pipe sizes if I recall correctly, or anyway probing for some
> > > > kind of capability) that need the loopback interface to be up.    
> > > 
> > > Ah, right.  Drat.  In general I don't like us touching the guest
> > > netlink at all if we don't have --config-net.  Hrm.. now what exactly
> > > needs this.  It's not anything in sock_probe_features() - that runs in
> > > the host ns.  Not pipe sizes, either - that also takes place in the
> > > host ns (and netns is irrelevant to pipes, anyway).   There could well
> > > be something, but I'm not sure what it is.  
> > 
> > Actually, I tried, and I don't get any trouble (but I think I had some
> > error when I added that in 2021).  
> 
> Ok.
> 
> > But we implicitly break any outbound forwarding because our listening
> > sockets will be unreachable (bind() succeeds though).  
> 
> Networking doesn't work until you configure networking, that's the
> normal state for !--config-net.  I don't see why that should be
> different for outbound forwards than anything else.

Yes, I understand your point, and even agree in general. I'm just
saying that that part worked until now without bringing the loopback
interface up, and we'd break it.

By the way, --config-net configures a lot of things, at least by
default, that might be done in a different way, even though it's not
the default simply because the functionality didn't exist at the
beginning, as I implemented passt with its DHCP server first.

Bringing up the loopback interface is much more universal than that.
I guess virtually all users would want to have it brought up. And
especially with --splice-only, *not* doing that would become quite a
nuisance I think. You would start pasta as:

  pasta --splice-only

and nothing would work, unless you do:

  pasta --splice-only --config-net

where "--config-net" now means... bring up the loopback interface.

It might be considered more correct, strictly speaking, but not really
intuitive. Just let users bring the loopback interface down I'd say,
if they really need that.

There's by the way a small asymmetry in all this: the kernel adds
all addresses one normally needs to the loopback interface as you
bring it up, without external intervention. It's not exactly
something we would "configure" separately.

> > So... I would be
> > wary of changing that at this point. There might be users relying on
> > it, and it's otherwise harmless I guess.  
> 
> I mean.. probably?  Almost certainly when pasta is creating the ns -
> but in that case there's very little reason not to use --config-net
> anyway.  The case I'm concerned about is attaching this to an existing
> netns: this can alter the existing network config there.

Strictly speaking, yes, but I can't really picture anybody using
namespaces relying on the fact that the loopback interface is down.
I mean, given the choice between:

  Bug 190 - Port forwarding doesn't work with --splice-only

and:

  Bug 190 - pasta unexpectedly brings up loopback interface in container

...the first one, you could explain why and close it. But the second one
would never be reported. Well, I guess.

-- 
Stefano

next prev parent reply	other threads:[~2026-01-13 22:13 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-12-29  9:55 Yumei Huang
2025-12-31 15:07 ` Stefano Brivio
2026-01-05  4:18 ` David Gibson
2026-01-05  8:53   ` Yumei Huang
2026-01-10 18:12     ` Stefano Brivio
2026-01-12  4:26       ` David Gibson
2026-01-13  0:12         ` Stefano Brivio
2026-01-13  2:39           ` David Gibson
2026-01-13 22:13             ` Stefano Brivio [this message]
2026-01-13  9:57       ` Yumei Huang
2026-01-13 23:34         ` Stefano Brivio
2026-01-05 13:48 ` Paul Holzinger
2026-01-05 21:10   ` Stefano Brivio
2026-01-07 15:20     ` Paul Holzinger
2026-01-10 18:12       ` Stefano Brivio
2026-01-12  8:20         ` Yumei Huang
2026-01-10 18:12 ` Stefano Brivio
2026-01-13 11:20   ` Yumei Huang
2026-01-13 23:34     ` Stefano Brivio

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260113231315.2c5a7ad6@elisabeth \
    --to=sbrivio@redhat.com \
    --cc=david@gibson.dropbear.id.au \
    --cc=passt-dev@passt.top \
    --cc=yuhuang@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://passt.top/passt

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).