From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Wed, 14 Jan 2026 11:00:33 +0100
From: Stefano Brivio
To: Yumei Huang
Subject: Re: [PATCH] conf, pasta: Add --no-tap option
Message-ID: <20260114110033.151de4eb@elisabeth>
In-Reply-To:
References: <20251229095558.918055-1-yuhuang@redhat.com> <20260110191226.570a3f0b@elisabeth> <20260114003441.044df424@elisabeth>
Organization: Red Hat
X-Mailer: Claws Mail 4.2.0 (GTK 3.24.49; x86_64-pc-linux-gnu)
CC: passt-dev@passt.top, david@gibson.dropbear.id.au
List-Id: Development discussion and patches for passt

On Wed, 14 Jan 2026 15:28:31 +0800
Yumei Huang wrote:

> On Wed, Jan 14, 2026 at 2:31 PM Yumei Huang wrote:
> >
> > On Wed, Jan 14, 2026 at 7:34 AM Stefano Brivio wrote:
> > >
> > > On Tue, 13 Jan 2026 19:20:47 +0800
> > > Yumei Huang wrote:
> > >
> > > > On Sun, Jan 11, 2026 at 2:12 AM Stefano Brivio wrote:
> > > > >
> > > > > On Mon, 29 Dec 2025 17:55:58 +0800
> > > > > Yumei Huang wrote:
> > > > >
> > > > > > This patch introduces a mode where we only forward loopback connections
> > > > > > and traffic between two namespaces (via the loopback interface, 'lo'),
> > > > > > without a tap device.
> > > > > > > > > > > > With this, podman can support forwarding ::1 in custom networks= when using > > > > > > rootlesskit for forwarding ports. > > > > > > > > > > > > In --no-tap mode, --host-lo-to-ns-lo, --no-icmp and --no-ra is = automatically > > > > > > enabled. Options requiring a tap device (--ns-ifname, --ns-mac-= addr, > > > > > > --config-net, --outbound-if4/6) are rejected. > > > > > > > > > > > > Link: https://bugs.passt.top/show_bug.cgi?id=3D149 > > > > > > Signed-off-by: Yumei Huang > > > > > > --- > > > > > > conf.c | 56 +++++++++++++++++++++++++++++++++++++++++--------= ------- > > > > > > fwd.c | 3 +++ > > > > > > passt.1 | 5 +++++ > > > > > > passt.h | 2 ++ > > > > > > pasta.c | 3 +++ > > > > > > tap.c | 11 +++++++---- > > > > > > 6 files changed, 61 insertions(+), 19 deletions(-) > > > > > > > > > > > > diff --git a/conf.c b/conf.c > > > > > > index 84ae12b..353d0a5 100644 > > > > > > --- a/conf.c > > > > > > +++ b/conf.c > > > > > > @@ -1049,7 +1049,8 @@ pasta_opts: > > > > > > " --no-copy-addrs DEPRECATED:\n" > > > > > > " Don't copy all addresses = to namespace\n" > > > > > > " --ns-mac-addr ADDR Set MAC address on tap in= terface\n" > > > > > > - " --no-splice Disable inbound socket sp= licing\n"); > > > > > > + " --no-splice Disable inbound socket sp= licing\n" > > > > > > + " --no-tap Don't create tap device\n= "); > > > > > > > > > > > > passt_exit(status); > > > > > > } > > > > > > @@ -1451,6 +1452,7 @@ void conf(struct ctx *c, int argc, char *= *argv) > > > > > > {"no-ndp", no_argument, &c->no_nd= p, 1 }, > > > > > > {"no-ra", no_argument, &c->no_ra= , 1 }, > > > > > > {"no-splice", no_argument, &c->no_sp= lice, 1 }, > > > > > > + {"no-tap", no_argument, &c->no_ta= p, 1 }, > > > > > > {"freebind", no_argument, &c->freeb= ind, 1 }, > > > > > > {"no-map-gw", no_argument, &no_map_g= w, 1 }, > > > > > > {"ipv4-only", no_argument, NULL, = '4' }, 
> > > > > > @@ -1947,8 +1949,11 @@ void conf(struct ctx *c, int argc, char = **argv) > > > > > > } > > > > > > } while (name !=3D -1); > > > > > > > > > > > > - if (c->mode !=3D MODE_PASTA) > > > > > > + if (c->mode !=3D MODE_PASTA) { > > > > > > c->no_splice =3D 1; > > > > > > + if (c->no_tap) > > > > > > + die("--no-tap is for pasta mode only"); > > > > > > + } > > > > > > > > > > > > if (c->mode =3D=3D MODE_PASTA && !c->pasta_conf_ns) { > > > > > > if (copy_routes_opt) 
> > > > > > @@ -1957,6 +1962,25 @@ void conf(struct ctx *c, int argc, char = **argv) > > > > > > die("--no-copy-addrs needs --config-net")= ; > > > > > > } > > > > > > > > > > > > + if (c->mode =3D=3D MODE_PASTA && c->no_tap) { > > > > > > + if (c->no_splice) > > > > > > + die("--no-tap is incompatible with --no-s= plice"); =20 > > > > > > > > > > I'm not sure if you need this for other reasons, but as long as i= t's > > > > > called --no-tap, it's not really incompatible with --no-splice. = =20 > > > > > > > > I will update it to --splice-only > > > > =20 > > > > > > > > > > Maybe users just want to get a disconnected namespace for whateve= r > > > > > reason ('pasta' is shorter to type than 'unshare -rUn'). > > > > > =20 > > > > > > + if (*c->ip4.ifname_out || *c->ip6.ifname_out) > > > > > > + die("--no-tap is incompatible with --outb= ound-if4/6"); > > > > > > + if (*c->pasta_ifn) > > > > > > + die("--no-tap is incompatible with --ns-i= fname"); > > > > > > + if (*c->guest_mac) > > > > > > + die("--no-tap is incompatible with --ns-m= ac-addr"); > > > > > > + if (c->pasta_conf_ns) > > > > > > + die("--no-tap is incompatible with --conf= ig-net"); =20 > > > > > > > > > > I guess all these checks are to save some checks later, which loo= ks like > > > > > a good reason to have them here. > > > > > > > > > > If not, though, I don't think we *really* need to tell the user t= hat > > > > > --ns-ifname will be ignored with --no-tap. 
> > > > > > > > > > One thing that might confuse users, though, is this: > > > > > > > > > > $ ./pasta --no-tap --mtu 1500 -- ip l > > > > > 1: lo: mtu 65536 qdisc noqueue state UNKNO= WN mode DEFAULT group default qlen 1000 > > > > > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 > > > > > > > > > > or even this: > > > > > > > > > > $ ./pasta --no-tap -a 192.0.2.1 -- ip a > > > > > 1: lo: mtu 65536 qdisc noqueue state UNKNO= WN group default qlen 1000 > > > > > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 > > > > > inet 127.0.0.1/8 scope host lo > > > > > valid_lft forever preferred_lft forever > > > > > inet6 ::1/128 scope host proto kernel_lo > > > > > valid_lft forever preferred_lft forever > > > > > > > > > > but I would rather *not* add conditions and checks for those even= if > > > > > there's a *slight* potential for confusion, otherwise this become= s > > > > > really long. And it's really not worth it, I think. =20 > > > > > > > > Then I guess we only need the c->no_splice check, right? =20 > > > > > > ...maybe? About *needing*, yes, I guess so, but if other checks save > > > more checks later, I would keep them. > > > =20 > > > > > > + > > > > > > + c->host_lo_to_ns_lo =3D 1; > > > > > > + c->no_icmp =3D 1; > > > > > > + c->no_ra =3D 1; > > > > > > + c->no_dns =3D 1; > > > > > > + c->no_dns_search =3D 1; > > > > > > + } > > > > > > + > > > > > > if (!ifi4 && *c->ip4.ifname_out) > > > > > > ifi4 =3D if_nametoindex(c->ip4.ifname_out); > > 
> > > > > > > > > > @@ -1980,9 +2004,9 @@ void conf(struct ctx *c, int argc, char *= *argv) > > > > > > log_conf_parsed =3D true; /* Stop printing everyt= hing */ > > > > > > > > > > > > nl_sock_init(c, false); > > > > > > - if (!v6_only) > > > > > > + if (!v6_only && !c->no_tap) > > > > > > c->ifi4 =3D conf_ip4(ifi4, &c->ip4); > > > > > > - if (!v4_only) > > > > > > + if (!v4_only && !c->no_tap) > > > > > > c->ifi6 =3D conf_ip6(ifi6, &c->ip6); > > > > > > > > > > > > if (c->ifi4 && c->mtu < IPV4_MIN_MTU) { 
> > > > > > @@ -1998,30 +2022,32 @@ void conf(struct ctx *c, int argc, char= **argv) > > > > > > (*c->ip6.ifname_out && !c->ifi6)) > > > > > > die("External interface not usable"); > > > > > > > > > > > > - if (!c->ifi4 && !c->ifi6 && !*c->pasta_ifn) { > > > > > > + if (!c->ifi4 && !c->ifi6 && !*c->pasta_ifn && !c->no_tap)= { =20 > > > > > > > > > > You already checked that !*c->pasta_ifn above. =20 > > > > > > > > I guess the check above (aka. if (*c->pasta_ifn && c->no_tap)) does= n't > > > > affect this one? If c->pasta_ifn is assigned, we won't come to the > > > > check !c->no_tap here. Otherwise, we do need to check !c->no_tap. = =20 > > > > > > Right, but you don't care about resetting c->pasta_ifn to the default > > > value if !c->no_tap, because in that case you know that c->pasta_ifn > > > wasn't set, so you can happily override it. =20 >=20 > I just realized that you probably meant when c->no_tap is set. > Actually it would affect conf_print, info("Namespace interface: %s", > c->pasta_ifn). But I will add a condition about c->splice_only before > this line, so yes, it doesn't matter whether reset it or not. I will > remove the check in v2. > > > > I'm not sure I fully understand it. If !c->no_tap, the condition is > > the same as before without this patch, which is to not reset it if > > it's specified in cmd line. We won't know if c->pasta_ifn is set > > until this check, do we? =20 Let's assume !c->ifi4 && !c->ifi6. Then we have 2 variables and 2^2 possible cases: 1. !*c->pasta_ifn && !c->no_tap: we need to override c->pasta_ifn 2. !*c->pasta_ifn && c->no_tap: we don't need to override c->pasta_ifn, *but it's harmless if we do* 3. *c->pasta_ifn && !c->no_tap: we must not override c->pasta_ifn 4. *c->pasta_ifn && c->no_tap: we must not override c->pasta_ifn Now, if we make 1. and 2. the same and decide to override c->pasta_ifn also in case 2. (when it's not necessary, but harmless), 1. and 2. as well as 3. and 4. 
are pairwise the same, so you don't strictly need to add a condition on c->no_tap, I think.

On the other hand... if it's obvious just to me, maybe it's actually simpler to keep the check. :)

I realise that my observation is not as clear as I initially thought.

-- 
Stefano
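Review bot: in the conf.c hunk at @@ -1957,6 +1962,25 @@, the block forces `c->no_dns = 1;` and `c->no_dns_search = 1;` in addition to host_lo_to_ns_lo, no_icmp and no_ra, but the commit message only says that --host-lo-to-ns-lo, --no-icmp and --no-ra are automatically enabled; either document the two DNS settings in the commit message, the usage text and passt.1, or drop them if they are not needed, so that users are not surprised by DNS forwarding being silently turned off in this mode. If the die() calls for --outbound-if4/6, --ns-ifname, --ns-mac-addr and --config-net are kept because they save checks later, a one-line comment saying so would make that intent clear.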
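Review bot: in the hunk at @@ -1980,9 +2004,9 @@, guarding both `if (!v6_only && !c->no_tap)` and `if (!v4_only && !c->no_tap)` means -4/-6 (v4_only and v6_only) have no effect at all in --no-tap mode, and c->ifi4 and c->ifi6 stay 0 for the rest of conf(); consider either rejecting -4/-6 together with the other tap-only options, or hoisting both calls behind a single `if (!c->no_tap)` with a comment stating that no external interface is selected in this mode.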
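Review bot: in the hunk at @@ -1998,30 +2022,32 @@, the added `&& !c->no_tap` in `if (!c->ifi4 && !c->ifi6 && !*c->pasta_ifn && !c->no_tap)` is redundant: with c->no_tap set, a non-empty *c->pasta_ifn is already rejected by the earlier die() for --ns-ifname, and overriding an empty c->pasta_ifn with the default name is harmless in that case (it only affects what conf_print reports), so the condition can stay as it was before the patch; if it is kept for readability, a short comment explaining why would spare the next reader the same question.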