From: Stefano Brivio
To: Laurent Vivier
CC: passt-dev@passt.top, Jon Maloy, David Gibson
Subject: Re: [PATCH v6 15/18] pesto: Parse and add new rules from command line
Date: Tue, 05 May 2026 01:18:34 +0200 (CEST)
Message-ID: <20260505011833.38beb26b@elisabeth>
In-Reply-To: <20260505011117.6668a4f2@elisabeth>
References: <20260503215601.823029-1-sbrivio@redhat.com> <20260503215601.823029-16-sbrivio@redhat.com> <20260505011117.6668a4f2@elisabeth>
Organization: Red Hat
List-Id: Development discussion and patches for passt

On Tue, 5 May 2026 01:11:17 +0200
Stefano Brivio wrote:

> On Mon, 4 May 2026 18:44:29 +0200
> Laurent Vivier wrote:
>
> > On 5/3/26 23:55, Stefano Brivio wrote:
> > > From: David Gibson
> > >
> > > This adds parsing of options using fwd_rule_parse(), validates them and
> > > adds them to the existing rules. It doesn't yet send those rules back to
> > > passt or pasta.
> > >
> > > Signed-off-by: Stefano Brivio
> > > Message-ID: <20260322141843.4095972-3-sbrivio@redhat.com>
> > > [dwg: Based on an early draft by Stefano]
> > > Signed-off-by: David Gibson > > > --- > > > Makefile | 1 + > > > fwd_rule.c | 2 +- > > > fwd_rule.h | 1 + > > > pesto.c | 113 ++++++++++++++++++++++++++++++++++++++++++++++++++--- > > > 4 files changed, 111 insertions(+), 6 deletions(-) > > > > > > diff --git a/Makefile b/Makefile > > > index 057e4eb..125ec01 100644 > > > --- a/Makefile > > > +++ b/Makefile > > > @@ -227,6 +227,7 @@ cppcheck: passt.cppcheck passt-repair.cppcheck pesto.cppcheck qrap.cppcheck > > > passt.cppcheck: BASE_CPPFLAGS += -UPESTO > > > passt.cppcheck: CPPCHECK_FLAGS += \ > > > --suppress=unusedFunction:fwd_rule.c \ > > > + --suppress=staticFunction:fwd_rule.c \ > > > --suppress=unusedFunction:serialise.c > > > passt.cppcheck: $(PASST_SRCS) $(PASST_HEADERS) seccomp.h > > > > > > diff --git a/fwd_rule.c b/fwd_rule.c > > > index da9d893..3c1eaa4 100644 > > > --- a/fwd_rule.c > > > +++ b/fwd_rule.c > > > @@ -187,7 +187,7 @@ static bool fwd_rule_conflicts(const struct fwd_rule *a, const struct fwd_rule * > > > * > > > * Return: 0 on success, negative error code on failure > > > */ > > > -static int fwd_rule_add(struct fwd_table *fwd, const struct fwd_rule *new) > > > +int fwd_rule_add(struct fwd_table *fwd, const struct fwd_rule *new) > > > { > > > /* Flags which can be set from the caller */ > > > const uint8_t allowed_flags = FWD_WEAK | FWD_SCAN | FWD_DUAL_STACK_ANY; > > > diff --git a/fwd_rule.h b/fwd_rule.h > > > index 330d49e..f43b37d 100644 > > > --- a/fwd_rule.h > > > +++ b/fwd_rule.h > > > @@ -103,6 +103,7 @@ const char *fwd_rule_fmt(const struct fwd_rule *rule, char *dst, size_t size); > > > void fwd_rule_parse(char optname, const char *optarg, struct fwd_table *fwd); > > > int fwd_rule_read(int fd, struct fwd_rule *rule); > > > int fwd_rule_write(int fd, const struct fwd_rule *rule); > > > +int fwd_rule_add(struct fwd_table *fwd, const struct fwd_rule *new); > > > > > > /** > > > * fwd_rules_dump() - Dump forwarding rules 
> > > diff --git a/pesto.c b/pesto.c > > > index 4bf9bd8..95aecad 100644 > > > --- a/pesto.c > > > +++ b/pesto.c 
> > > @@ -55,6 +55,43 @@ static void usage(const char *name, FILE *f, int status) > > > FPRINTF(f, "Usage: %s [OPTION]... PATH\n", name); > > > FPRINTF(f, > > > "\n" > > > + " -t, --tcp-ports SPEC TCP inbound port forwarding\n" > > > + " can be specified multiple times\n" > > > + " SPEC can be:\n" > > > + " 'none': don't forward any ports\n" > > > + " [ADDR[%%IFACE]/]PORTS: forward specific ports\n" > > > + " PORTS is either 'all' (forward all unbound, non-ephemeral\n" > > > + " ports), or a comma-separated list of ports, optionally\n" > > > + " ranged with '-' and optional target ports after ':'.\n" > > > + " Ranges can be reduced by excluding ports or ranges\n" > > > + " prefixed by '~'.\n" > > > + " The 'auto' keyword may be given to only forward\n" > > > + " ports which are bound in the target namespace\n" > > > + " Examples:\n" > > > + " -t all Forward all ports\n" > > > + " -t 127.0.0.1/all Forward all ports from local address\n" > > > + " 127.0.0.1\n" > > > + " -t 22 Forward local port 22 to 22\n" > > > + " -t 22:23 Forward local port 22 to 23\n" > > > + " -t 22,25 Forward ports 22, 25 to ports 22, 25\n" > > > + " -t 22-80 Forward ports 22 to 80\n" > > > + " -t 22-80:32-90 Forward ports 22 to 80 to\n" > > > + " corresponding port numbers plus 10\n" > > > + " -t 192.0.2.1/5 Bind port 5 of 192.0.2.1\n" > > > + " -t 5-25,~10-20 Forward ports 5 to 9, and 21 to 25\n" > > > + " -t ~25 Forward all ports except for 25\n" > > > + " -t auto Forward all ports bound in namespace\n" > > > + " -t 192.0.2.2/auto Forward ports from 192.0.2.2 if\n" > > > + " they are bound in the namespace\n" > > > + " -t 8000-8010,auto Forward ports 8000-8010 if they\n" > > > + " are bound in the namespace\n" > > > + " -u, --udp-ports SPEC UDP inbound port forwarding\n" > > > + " SPEC is as described for TCP above\n" > > > + " -T, --tcp-ns SPEC TCP outbound port forwarding\n" > > > + " SPEC is as described above\n" > > > + " -U, --udp-ns SPEC UDP outbound port forwarding\n" > > > + " SPEC 
is as described above\n" > > > > I think description from conf.c is clearer: > > > > " -T, --tcp-ns SPEC TCP port forwarding to init namespace\n" > > " -U, --udp-ns SPEC UDP port forwarding to init namespace\n" > > Changed in v7. > > > Is it possible to define a common usage description between passt/pasta/pesto? > > A "#define COMMON_OPTS" ? > > I gave it a quick try, but note that there are options that are shared > between passt and pesto, as well as between pasta and pesto, but not > between passt and pasta, because the "namespace" options don't make > sense for pasta. ^^^ don't make sense for passt, I meant. > Due to that, a COMMON_OPTS macro (or several of them) makes things > pretty hard to follow because it makes it even harder to spot which > parts are for which tool. > > > > + " -s, --show Show configuration before and after\n" > > > > Update pesto.1 > > Done in v7, and I updated it throughout the whole series (other options > were already added before this point but not documented). > > > > " -d, --debug Print debugging messages\n" > > > " -h, --help Display this help message and exit\n" > > > " --version Show version and exit\n"); > > > @@ -204,6 +241,8 @@ static void show_conf(const struct configuration *conf) > > > fwd_rules_dump(printf, pc->fwd.rules, pc->fwd.count, > > > " ", "\n"); > > > } > > > + /* Flush stdout, so this doesn't get misordered with later debug()s */ > > > + (void)fflush(stdout); > > > } > > > > > > /** > > > @@ -215,7 +254,7 @@ static void show_conf(const struct configuration *conf) > > > * > > > * #syscalls:pesto socket s390x:socketcall i686:socketcall > > > * #syscalls:pesto connect shutdown close > > > - * #syscalls:pesto exit_group fstat read write > > > + * #syscalls:pesto exit_group fstat read write openat > > > */ > > > int main(int argc, char **argv) > > > { 
> > > @@ -223,11 +262,18 @@ int main(int argc, char **argv) > > > {"debug", no_argument, NULL, 'd' }, > > > {"help", no_argument, NULL, 'h' }, > > > {"version", no_argument, NULL, 1 }, > > > + {"tcp-ports", required_argument, NULL, 't' }, > > > + {"udp-ports", required_argument, NULL, 'u' }, > > > + {"tcp-ns", required_argument, NULL, 'T' }, > > > + {"udp-ns", required_argument, NULL, 'U' }, > > > + {"show", no_argument, NULL, 's' }, > > > { 0 }, > > > }; > > > + struct pif_configuration *inbound, *outbound; > > > struct sockaddr_un a = { AF_UNIX, "" }; > > > + const char *optstring = "dht:u:T:U:s"; > > > struct configuration conf = { 0 }; > > > - const char *optstring = "dh"; > > > + bool update = false, show = false; > > > struct pesto_hello hello; > > > struct sock_fprog prog; > > > int optname, ret, s; > > > @@ -248,6 +294,8 @@ int main(int argc, char **argv) > > > if (setvbuf(stdout, stdout_buf, _IOFBF, sizeof(stdout_buf))) > > > die_perror("Failed to set stdout buffer"); > > > > > > + fwd_probe_ephemeral(); > > > + > > > do { > > > optname = getopt_long(argc, argv, optstring, options, NULL); > > > > > > @@ -255,6 +303,16 @@ int main(int argc, char **argv) > > > case -1: > > > case 0: > > > break; > > > + case 't': > > > + case 'u': > > > + case 'T': > > > + case 'U': > > > + /* Parse these options after we've read state from passt/pasta */ > > > + update = true; > > > + break; > > > + case 's': > > > + show = true; > > > + break; > > > case 'h': > > > usage(argv[0], stdout, EXIT_SUCCESS); > > > break; > > > @@ -287,6 +345,8 @@ int main(int argc, char **argv) > > > die_perror("Failed to connect to %s", a.sun_path); > > > } > > > > > > + debug("Connected to passt/pasta control socket"); > > > + > > > ret = read_all_buf(s, &hello, sizeof(hello)); > > > if (ret < 0) > > > die_perror("Couldn't read server greeting"); 
> > > @@ -324,11 +384,54 @@ int main(int argc, char **argv) > > > while (read_pif_conf(s, &conf)) > > > ; > > > > > > - printf("passt/pasta configuration (%s)\n", a.sun_path); > > > - show_conf(&conf); > > > + if (!update) { > > > + printf("passt/pasta configuration (%s)\n", a.sun_path); > > > + show_conf(&conf); > > > + goto noupdate; > > > + } > > > + > > > + if (show) { > > > + printf("Previous configuration (%s)\n", a.sun_path); > > > + show_conf(&conf); > > > + } > > > + > > > + inbound = pif_conf_by_name(&conf, "HOST"); > > > + outbound = pif_conf_by_name(&conf, "SPLICE"); > > > + > > > + optind = 0; > > > + do { > > > + optname = getopt_long(argc, argv, optstring, options, NULL); > > > > > > + switch (optname) { > > > + case 't': > > > + case 'u': > > > + if (!inbound) { > > > + die("Can't use -%c, no inbound interface", > > > + optname); > > > + } > > > + fwd_rule_parse(optname, optarg, &inbound->fwd); > > > + break; > > > + case 'T': > > > + case 'U': > > > + if (!outbound) { > > > + die("Can't use -%c, no outbound interface", > > > + optname); > > > + } > > > + fwd_rule_parse(optname, optarg, &outbound->fwd); > > > + break; > > > + default: > > > + continue; > > > + } > > > + } while (optname != -1); > > > + > > > + if (show) { > > > + printf("Updated configuration (%s)\n", a.sun_path); > > > + show_conf(&conf); > > > + } > > > + > > > +noupdate: > > > if (shutdown(s, SHUT_RDWR) < 0 || close(s) < 0) > > > die_perror("Error shutting down control socket"); > > > - > > > + > > > > Unrelated change. > > Dropped in v7. > > > > exit(0); > > > } -- Stefano
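
Review bot: in the pesto.c hunk at "@@ -215,7 +254,7 @@", openat is added to the "#syscalls:pesto" allow-list, but neither the comment nor the commit message says what needs it. If the only user is the fwd_probe_ephemeral() call added before option parsing in the "@@ -248,6 +294,8 @@" hunk, please say so next to the annotation. If that probe can run before the seccomp filter is applied, the filter would not need to permit opening files at all, which keeps the syscall surface of the tool as small as it was before this patch.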
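
Review bot: in the usage() hunk ("@@ -55,6 +55,43 @@"), the help line for -s, "Show configuration before and after", does not say before and after what, and it does not match the behaviour in the last pesto.c hunk, where the configuration is printed unconditionally when none of -t, -u, -T, -U is given and -s only matters when rules are being added. Suggest wording along the lines of "With -t/-u/-T/-U, show configuration before and after adding rules". The -u entry also lacks the "can be specified multiple times" remark that -t carries, although both go through the same parsing path.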
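
Review bot: in the last pesto.c hunk ("@@ -324,11 +384,54 @@"), the second option pass restarts getopt_long() with "optind = 0", which is the GNU convention for forcing a full reinitialisation; POSIX only describes resetting optind to 1. A one-line comment stating that this is intentional would stop someone from "fixing" it later. In the same loop, "default: continue;" inside a do/while jumps to the "optname != -1" test, so it terminates correctly, but a plain "break" would do the same and match the first parsing loop. Finally, when -t/-u/-T/-U are given without -s this path prints nothing at all, so until the rules are actually sent back a debug() line noting that rules were parsed but not applied would make the intermediate state of the series easier to test.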