Date: Wed, 14 Jan 2026 11:59:28 +0100
From: Stefano Brivio
To: Yumei Huang
Subject: Re: [PATCH] conf, pasta: Add --no-tap option
Message-ID: <20260114115928.12310896@elisabeth>
References: <20251229095558.918055-1-yuhuang@redhat.com> <20260110191226.570a3f0b@elisabeth> <20260114003441.044df424@elisabeth> <20260114110033.151de4eb@elisabeth>
Organization: Red Hat
CC: passt-dev@passt.top, david@gibson.dropbear.id.au
List-Id: Development discussion and patches for passt

On Wed, 14 Jan 2026 18:35:18 +0800
Yumei Huang wrote:

> On Wed, Jan 14, 2026 at 6:00 PM Stefano Brivio wrote:
> >
> > On Wed, 14 Jan 2026 15:28:31 +0800
> > Yumei Huang wrote:
> >
> > > On Wed, Jan 14, 2026 at 2:31 PM Yumei Huang wrote:
> > > >
> > > > On Wed, Jan 14, 2026 at 7:34 AM Stefano Brivio wrote:
> > > > >
> > > > > On Tue, 13 Jan 2026 19:20:47 +0800
> > > > > Yumei Huang wrote:
> > > > >
> > > > > > On Sun, Jan 11, 2026 at 2:12 AM Stefano Brivio wrote:
> > > > > > >
> > > > > > > On Mon, 29 Dec 2025 17:55:58 +0800
> > > > > > > Yumei Huang wrote:
> > > > > > >
> > > > > > > > This patch introduces a mode where we only forward
loopback= connections > > > > > > > > and traffic between two namespaces (via the loopback interf= ace, 'lo'), > > > > > > > > without a tap device. > > > > > > > > > > > > > > > > With this, podman can support forwarding ::1 in custom netw= orks when using > > > > > > > > rootlesskit for forwarding ports. > > > > > > > > > > > > > > > > In --no-tap mode, --host-lo-to-ns-lo, --no-icmp and --no-ra= is automatically > > > > > > > > enabled. Options requiring a tap device (--ns-ifname, --ns-= mac-addr, > > > > > > > > --config-net, --outbound-if4/6) are rejected. > > > > > > > > > > > > > > > > Link: https://bugs.passt.top/show_bug.cgi?id=3D149 > > > > > > > > Signed-off-by: Yumei Huang > > > > > > > > --- > > > > > > > > conf.c | 56 +++++++++++++++++++++++++++++++++++++++++----= ----------- > > > > > > > > fwd.c | 3 +++ > > > > > > > > passt.1 | 5 +++++ > > > > > > > > passt.h | 2 ++ > > > > > > > > pasta.c | 3 +++ > > > > > > > > tap.c | 11 +++++++---- > > > > > > > > 6 files changed, 61 insertions(+), 19 deletions(-) > > > > > > > > > > > > > > > > diff --git a/conf.c b/conf.c > > > > > > > > index 84ae12b..353d0a5 100644 > > > > > > > > --- a/conf.c > > > > > > > > +++ b/conf.c > > > > > > > > @@ -1049,7 +1049,8 @@ pasta_opts: > > > > > > > > " --no-copy-addrs DEPRECATED:\n" > > > > > > > > " Don't copy all addres= ses to namespace\n" > > > > > > > > " --ns-mac-addr ADDR Set MAC address on ta= p interface\n" > > > > > > > > - " --no-splice Disable inbound socke= t splicing\n"); > > > > > > > > + " --no-splice Disable inbound socke= t splicing\n" > > > > > > > > + " --no-tap Don't create tap devi= ce\n"); > > > > > > > > > > > > > > > > passt_exit(status); > > > > > > > > } 
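Review bot: the new usage line in the pasta_opts hunk, `--no-tap Don't create tap device`, names the mechanism but not what the user actually gets: per the commit message and the later conf.c hunk, this mode also implies --host-lo-to-ns-lo, --no-icmp and --no-ra and turns off DNS forwarding, so only loopback (spliced) connections are forwarded. Suggest saying so in the help text, e.g. `--no-tap Don't create tap device; forward spliced (loopback) connections only`, keeping it in sync with the passt.1 change listed in the diffstat, and with the final option name, since the thread proposes --splice-only.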
> > > > > > > > @@ -1451,6 +1452,7 @@ void conf(struct ctx *c, int argc, ch= ar **argv) > > > > > > > > {"no-ndp", no_argument, &c->n= o_ndp, 1 }, > > > > > > > > {"no-ra", no_argument, &c->n= o_ra, 1 }, > > > > > > > > {"no-splice", no_argument, &c->n= o_splice, 1 }, > > > > > > > > + {"no-tap", no_argument, &c->n= o_tap, 1 }, > > > > > > > > {"freebind", no_argument, &c->f= reebind, 1 }, > > > > > > > > {"no-map-gw", no_argument, &no_m= ap_gw, 1 }, > > > > > > > > {"ipv4-only", no_argument, NULL,= '4' }, > > > > > > > > @@ -1947,8 +1949,11 @@ void conf(struct ctx *c, int argc, c= har **argv) > > > > > > > > } > > > > > > > > } while (name !=3D -1); > > > > > > > > > > > > > > > > - if (c->mode !=3D MODE_PASTA) > > > > > > > > + if (c->mode !=3D MODE_PASTA) { > > > > > > > > c->no_splice =3D 1; > > > > > > > > + if (c->no_tap) > > > > > > > > + die("--no-tap is for pasta mode only"= ); > > > > > > > > + } > > > > > > > > > > > > > > > > if (c->mode =3D=3D MODE_PASTA && !c->pasta_conf_ns) { > > > > > > > > if (copy_routes_opt) 
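Review bot: in the `@@ -1947,8 +1949,11 @@` hunk the passt-mode rejection is tucked into the `if (c->mode != MODE_PASTA)` block whose only purpose so far was `c->no_splice = 1;`, which makes the block do two unrelated things. It would read more clearly as its own statement, `if (c->mode != MODE_PASTA && c->no_tap) die("--no-tap is for pasta mode only");`, placed next to the pasta-only block added further down in this same patch, so the two mode checks sit together; the die() message text will also need to follow the option rename discussed in the thread.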
> > > > > > > > @@ -1957,6 +1962,25 @@ void conf(struct ctx *c, int argc, c= har **argv) > > > > > > > > die("--no-copy-addrs needs --config-n= et"); > > > > > > > > } > > > > > > > > > > > > > > > > + if (c->mode =3D=3D MODE_PASTA && c->no_tap) { > > > > > > > > + if (c->no_splice) > > > > > > > > + die("--no-tap is incompatible with --= no-splice"); =20 > > > > > > > > > > > > > > I'm not sure if you need this for other reasons, but as long = as it's > > > > > > > called --no-tap, it's not really incompatible with --no-splic= e. =20 > > > > > > > > > > > > I will update it to --splice-only > > > > > > =20 > > > > > > > > > > > > > > Maybe users just want to get a disconnected namespace for wha= tever > > > > > > > reason ('pasta' is shorter to type than 'unshare -rUn'). > > > > > > > =20 > > > > > > > > + if (*c->ip4.ifname_out || *c->ip6.ifname_out) > > > > > > > > + die("--no-tap is incompatible with --= outbound-if4/6"); > > > > > > > > + if (*c->pasta_ifn) > > > > > > > > + die("--no-tap is incompatible with --= ns-ifname"); > > > > > > > > + if (*c->guest_mac) > > > > > > > > + die("--no-tap is incompatible with --= ns-mac-addr"); > > > > > > > > + if (c->pasta_conf_ns) > > > > > > > > + die("--no-tap is incompatible with --= config-net"); =20 > > > > > > > > > > > > > > I guess all these checks are to save some checks later, which= looks like > > > > > > > a good reason to have them here. > > > > > > > > > > > > > > If not, though, I don't think we *really* need to tell the us= er that > > > > > > > --ns-ifname will be ignored with --no-tap. 
> > > > > > > > > > > > > > One thing that might confuse users, though, is this: > > > > > > > > > > > > > > $ ./pasta --no-tap --mtu 1500 -- ip l > > > > > > > 1: lo: mtu 65536 qdisc noqueue state U= NKNOWN mode DEFAULT group default qlen 1000 > > > > > > > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 > > > > > > > > > > > > > > or even this: > > > > > > > > > > > > > > $ ./pasta --no-tap -a 192.0.2.1 -- ip a > > > > > > > 1: lo: mtu 65536 qdisc noqueue state U= NKNOWN group default qlen 1000 > > > > > > > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 > > > > > > > inet 127.0.0.1/8 scope host lo > > > > > > > valid_lft forever preferred_lft forever > > > > > > > inet6 ::1/128 scope host proto kernel_lo > > > > > > > valid_lft forever preferred_lft forever > > > > > > > > > > > > > > but I would rather *not* add conditions and checks for those = even if > > > > > > > there's a *slight* potential for confusion, otherwise this be= comes > > > > > > > really long. And it's really not worth it, I think. =20 > > > > > > > > > > > > Then I guess we only need the c->no_splice check, right? =20 > > > > > > > > > > ...maybe? About *needing*, yes, I guess so, but if other checks s= ave > > > > > more checks later, I would keep them. > > > > > =20 > > > > > > > > + > > > > > > > > + c->host_lo_to_ns_lo =3D 1; > > > > > > > > + c->no_icmp =3D 1; > > > > > > > > + c->no_ra =3D 1; > > > > > > > > + c->no_dns =3D 1; > > > > > > > > + c->no_dns_search =3D 1; > > > > > > > > + } > > > > > > > > + > > > > > > > > if (!ifi4 && *c->ip4.ifname_out) > > > > > > > > ifi4 =3D if_nametoindex(c->ip4.ifname_out); > > > > > > 
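Review bot: the set of implied options in the `@@ -1957,6 +1962,25 @@` hunk does not match the commit message: besides `c->host_lo_to_ns_lo`, `c->no_icmp` and `c->no_ra`, the code also sets `c->no_dns = 1;` and `c->no_dns_search = 1;`, and the commit message only names the first three. Either drop the two DNS assignments if the mode does not need them, or document them; since they silently override whatever the user set those fields to on the command line, a warning when an explicit setting is being discarded would be friendlier than ignoring it. On the incompatibility checks: as the thread already concludes, with the option named --no-tap the `c->no_splice` rejection is not a real incompatibility (a disconnected namespace is a legitimate outcome), and the --outbound-if4/6, --ns-ifname, --ns-mac-addr and --config-net rejections are worth keeping only if they let later code skip checks, which a comment next to them should state so the next reader knows why they exist.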
> > > > > > > > > > @@ -1980,9 +2004,9 @@ void conf(struct ctx *c, int argc, ch= ar **argv) > > > > > > > > log_conf_parsed =3D true; /* Stop printing ev= erything */ > > > > > > > > > > > > > > > > nl_sock_init(c, false); > > > > > > > > - if (!v6_only) > > > > > > > > + if (!v6_only && !c->no_tap) > > > > > > > > c->ifi4 =3D conf_ip4(ifi4, &c->ip4); > > > > > > > > - if (!v4_only) > > > > > > > > + if (!v4_only && !c->no_tap) > > > > > > > > c->ifi6 =3D conf_ip6(ifi6, &c->ip6); > > > > > > > > > > > > > > > > if (c->ifi4 && c->mtu < IPV4_MIN_MTU) { 
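Review bot: in the `@@ -1980,9 +2004,9 @@` hunk, skipping `conf_ip4()` and `conf_ip6()` leaves `c->ifi4` and `c->ifi6` at zero, and the surrounding code keys a lot of behaviour on those (the very next context line, `if (c->ifi4 && c->mtu < IPV4_MIN_MTU)`, is one example), so address- and MTU-related handling is implicitly switched off while the options feeding it (-a, --mtu) are still accepted without complaint, which is the confusion shown in the thread. A one-line comment here saying that ifi4/ifi6 deliberately stay zero in --no-tap mode would help the next reader, and is cheaper than the per-option checks the thread agrees not to add.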
> > > > > > > > @@ -1998,30 +2022,32 @@ void conf(struct ctx *c, int argc, = char **argv) > > > > > > > > (*c->ip6.ifname_out && !c->ifi6)) > > > > > > > > die("External interface not usable"); > > > > > > > > > > > > > > > > - if (!c->ifi4 && !c->ifi6 && !*c->pasta_ifn) { > > > > > > > > + if (!c->ifi4 && !c->ifi6 && !*c->pasta_ifn && !c->no_= tap) { =20 > > > > > > > > > > > > > > You already checked that !*c->pasta_ifn above. =20 > > > > > > > > > > > > I guess the check above (aka. if (*c->pasta_ifn && c->no_tap)) = doesn't > > > > > > affect this one? If c->pasta_ifn is assigned, we won't come to = the > > > > > > check !c->no_tap here. Otherwise, we do need to check !c->no_t= ap. =20 > > > > > > > > > > Right, but you don't care about resetting c->pasta_ifn to the def= ault > > > > > value if !c->no_tap, because in that case you know that c->pasta_= ifn > > > > > wasn't set, so you can happily override it. =20 > > > > > > I just realized that you probably meant when c->no_tap is set. > > > Actually it would affect conf_print, info("Namespace interface: %s", > > > c->pasta_ifn). But I will add a condition about c->splice_only before > > > this line, so yes, it doesn't matter whether reset it or not. I will > > > remove the check in v2. =20 > > > > > > > > I'm not sure I fully understand it. If !c->no_tap, the condition is > > > > the same as before without this patch, which is to not reset it if > > > > it's specified in cmd line. We won't know if c->pasta_ifn is set > > > > until this check, do we? =20 > > > > Let's assume !c->ifi4 && !c->ifi6. Then we have 2 variables and 2^2 > > possible cases: > > > > 1. !*c->pasta_ifn && !c->no_tap: we need to override c->pasta_ifn > > > > 2. !*c->pasta_ifn && c->no_tap: we don't need to override c->pasta_ifn, > > *but it's harmless if we do* =20 >=20 > This will lead conf_print to print "Namespace interface: tap0" which > is not correct. 
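Review bot: the added `&& !c->no_tap` in the `@@ -1998,30 +2022,32 @@` hunk is redundant: when `c->no_tap` is set, the earlier block in this patch has already rejected a non-empty `c->pasta_ifn` with die(), so falling through and assigning the default interface name is harmless, as the thread concludes. If the only motivation is to keep conf_print from reporting "Namespace interface: tap0" in --no-tap mode, that gate belongs in conf_print (which currently prints the line unconditionally), not here; drop the extra condition and add the conf_print check planned for v2.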
Well, but right now it's printed unconditionally, regardless of whether
that's tap0 or not, so that doesn't make it more wrong.

> But I plan to add a check with c->no_tap in conf_print, so it won't
> be a problem.

Right... but that's needed anyway, that was my point.

-- 
Stefano