From: David Gibson
To: Stefano Brivio, passt-dev@passt.top
CC: David Gibson
Subject: [PATCH v5 00/18] RFC: Dynamic configuration update implementation
Date: Tue, 21 Apr 2026 16:24:58 +1000
Message-ID: <20260421062516.2601204-1-david@gibson.dropbear.id.au>
List-Id: Development discussion and patches for passt

Here's the next draft of dynamic configuration updates. This now can
successfully update rules, though I've not tested it very extensively.

Patches 1..8/18 are preliminary reworks that make sense even without
pesto - feel free to apply if you're happy with them. I don't think
the rest should be applied yet; we need to at least harden it so passt
can't be blocked indefinitely by a client which sends a partial update
then waits.

Based on my earlier series reworking static checking invocation.

TODO:
- Don't allow a client which sends a partial configuration then blocks
  also block passt
- Allow pesto to clear existing configuration, not just add
- Allow pesto to selectively delete existing rules, not just add

Changes in v5:
 * If multiple clients connect at once, they're now blocked until the
   first one finishes, instead of later ones being discarded
Changes in v4:
 * Merged with remainder of forward rule parsing rework series
 * Fix some bugs in rule checking pointed out by Laurent
 * Significantly cleaned up option parsing code
 * Changed from replacing all existing rules to adding new rules
   (clear and remove still TBD)
 * Somewhat simplified protocol (pif names and rules sent in a single
   pass)
 * pesto is now allocation free
 * Fixed commit message and style nits pointed out by Stefano
Changes in v3:
 * Removed already applied ASSERT() rename
 * Renamed serialisation functions
 * Incorporated Stefano's extensions, reworked and fixed
 * Several additional cleanups / preliminary reworks
Changes in v2:
 * Removed already applied cleanups
 * Reworked assert() patch to handle -DNDEBUG properly
 * Numerous extra patches:
   * Factored out serialisation helpers and use them for migration as
     well
   * Reworked to allow ip.[ch] and inany.[ch] to be shared with pesto
   * Reworks to share some forwarding rule datatypes with pesto
   * Implemented sending pif names and current ruleset to pesto

David Gibson (18):
  conf, fwd: Stricter rule checking in fwd_rule_add()
  fwd_rule: Move ephemeral port probing to fwd_rule.c
  fwd, conf: Move rule parsing code to fwd_rule.[ch]
  fwd_rule: Move conflict checking back within fwd_rule_add()
  fwd: Generalise fwd_rules_info()
  pif: Limit pif names to 128 bytes
  fwd_rule: Fix some format specifiers
  tap, repair: Use SOCK_NONBLOCK and SOCK_CLOEXEC on Unix sockets
  pesto: Introduce stub configuration tool
  pesto, log: Share log.h (but not log.c) with pesto tool
  pesto, conf: Have pesto connect to passt and check versions
  pesto: Expose list of pifs to pesto and optionally display
  ip: Prepare ip.[ch] for sharing with pesto tool
  inany: Prepare inany.[ch] for sharing with pesto tool
  pesto: Read current ruleset from passt/pasta and optionally display it
  pesto: Parse and add new rules from command line
  pesto, conf: Send updated rules from pesto back to passt/pasta
  conf, fwd: Allow switching to new rules received from pesto

 .gitignore   |   2 +
 Makefile     |  54 ++--
 common.h     | 122 +++++++++
 conf.c       | 686 ++++++++++++++++++++++-----------------------------
 conf.h       |   2 +
 epoll_type.h |   4 +
 flow.c       |   4 +-
 fwd.c        | 169 ++++---------
 fwd.h        |  41 +--
 fwd_rule.c   | 603 ++++++++++++++++++++++++++++++++++++++++++--
 fwd_rule.h   |  66 ++++-
 inany.c      |  19 +-
 inany.h      |  17 +-
 ip.c         |  56 +----
 ip.h         |   4 +-
 lineread.c   |   2 +-
 log.h        |  59 ++++-
 passt.1      |   5 +
 passt.c      |   8 +
 passt.h      |   8 +
 pesto.1      |  46 ++++
 pesto.c      | 470 +++++++++++++++++++++++++++++++++++
 pesto.h      |  55 +++++
 pif.c        |   2 +-
 pif.h        |   8 +-
 repair.c     |   9 +-
 serialise.c  |   7 +
 serialise.h  |   1 +
 siphash.h    |  13 +
 tap.c        |  64 ++++-
 util.c       |   2 +-
 util.h       | 110 +-------
 32 files changed, 1921 insertions(+), 797 deletions(-)
 create mode 100644 common.h
 create mode 100644 pesto.1
 create mode 100644 pesto.c
 create mode 100644 pesto.h

-- 
2.53.0