From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: passt.top; dmarc=pass (p=quarantine dis=none) header.from=redhat.com
Authentication-Results: passt.top;
	dkim=pass (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=Mzbh6Q8v;
	dkim-atps=neutral
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	by passt.top (Postfix) with ESMTPS id DEF535A0262
	for <passt-dev@passt.top>; Tue, 05 May 2026 12:04:09 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1777975448;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=2HfrrqXCbwr0HCd2zp78wVxjwCKi8ulGlHHT6WcX0Vs=;
	b=Mzbh6Q8vcZ/cGVqcklJ47dXrgVdiuuVUDb3jwyYNhNjmM2vofKJGe1RQxb9kG1BqLJkdWH
	/u47IaEfI9LJ9DnkE6LLlro04DdlmxmRVCRG2KBA0kZYeJwCNIktpN3F9yuoLUl7XxZ388
	sruxojuQFzlSuzqoGXvqp+1mP5lA9+M=
Received: from mail-wr1-f69.google.com (mail-wr1-f69.google.com
 [209.85.221.69]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-12-b11Ygi1ZMZmNLxP9hzH7zA-1; Tue, 05 May 2026 06:04:07 -0400
X-MC-Unique: b11Ygi1ZMZmNLxP9hzH7zA-1
X-Mimecast-MFC-AGG-ID: b11Ygi1ZMZmNLxP9hzH7zA_1777975447
Received: by mail-wr1-f69.google.com with SMTP id ffacd0b85a97d-44d68ed8f95so1522208f8f.1
        for <passt-dev@passt.top>; Tue, 05 May 2026 03:04:07 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1777975446; x=1778580246;
        h=date:content-transfer-encoding:mime-version:organization:references
         :in-reply-to:message-id:subject:cc:to:from:x-gm-gg
         :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=2HfrrqXCbwr0HCd2zp78wVxjwCKi8ulGlHHT6WcX0Vs=;
        b=Je3EcdHZnoAOubBApWlM05mm4Ow2mhbxxNVtkY/HkxKmpC8Gg7pYijFvAJV+jEk5fk
         CxoaFCvDQWBkWDkDsNZ+M4fH0T8MPPH2i+qfBiRYq3BL08fff2uOlNi0HUqpTy4nJ0l1
         tbfiPTbepxMVMDKUa1EUy7LMhbY+MHhb3yRMKe3ozxBZZCGNDitaQoubsX0QiZy8nwGZ
         8Irmzoog4ylIjrcpHdCUl3uN5B5cPQHFmdAOoAWW1P8vpqvxPqAsxKgcFiQuE9X9eQJA
         uFGIUa7lMSAc3GlJienIvsb3dZCYo7yj8v7bNd1gvlrjXBrRbG6lqeeJFUypxy26axBO
         oBwQ==
X-Gm-Message-State: AOJu0YxVE/NL9TXUJHGznguVQz6aKJNGXFGv9cAxqadoo2B1XADnhZX1
	fNHmnsODqaZIapkX4ssfzmXMsj/YNDPAJ9BQZijaNdTeVU37wzq+TVkAdpcalh/DJ27OZcMzlen
	EsfTcVdlPq1RhOk3jnGPjsPpyWbjD4XqL1KZJKcMj51WwJ8wMiKRWmw==
X-Gm-Gg: AeBDietUMrg+rkmpsUoztoQqSNRKq7cH6/V7bNHvmWP0Qm+M0Z+O8mkH7sNhQVdtF2m
	beDcOp+VToIer0c5oOnZYnfjZ8JnhVpH/6xJwmcBOyk8cXjLooU/E8YFIgFTQj8I8AoCJrz7k5x
	Dwu6jN87pQBIMKApwKzt6gEot5j1LdFezq8eCuNXdVebPpRxBm/BniIkkf+jjA6HSBQ1o9NIma5
	n8hzF2J7RK/AKnRKq2AejjwhRbwHqpv+pPOCF178rko+SOx0gLjEu4/f8lyfv1jIbiIxfodQpcG
	JxynOi7q0SAUoY0+Nw1dZyQEF2lLmFPZpQmh0b23GsRvqa298VB4E1dZid2e0tBQJxBY8uLmtRo
	EYsKU6Wk71AI8w2MIxHN1uQi9TgpXfq1E+XqIEN3Z1nP9K7MkKAMs0JVHS+NO
X-Received: by 2002:a05:6000:2585:b0:43d:7512:6f7b with SMTP id ffacd0b85a97d-44fdbc50d76mr5509361f8f.5.1777975445723;
        Tue, 05 May 2026 03:04:05 -0700 (PDT)
X-Received: by 2002:a05:6000:2585:b0:43d:7512:6f7b with SMTP id ffacd0b85a97d-44fdbc50d76mr5509282f8f.5.1777975445035;
        Tue, 05 May 2026 03:04:05 -0700 (PDT)
Received: from maya.myfinge.rs (ifcgrfdd.trafficplex.cloud. [176.103.220.4])
        by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-45055f2487dsm3333856f8f.35.2026.05.05.03.04.03
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 05 May 2026 03:04:03 -0700 (PDT)
From: Stefano Brivio <sbrivio@redhat.com>
To: Laurent Vivier <lvivier@redhat.com>
Subject: Re: [PATCH v7 16/18] pesto, conf: Send updated rules from pesto
 back to passt/pasta
Message-ID: <20260505120401.5ab6a17f@elisabeth>
In-Reply-To: <cd3b32aa-c81d-45e0-b136-d7987f62f5dc@redhat.com>
References: <20260504231142.1118652-1-sbrivio@redhat.com>
	<20260504231142.1118652-17-sbrivio@redhat.com>
	<cd3b32aa-c81d-45e0-b136-d7987f62f5dc@redhat.com>
Organization: Red Hat
X-Mailer: Claws Mail 4.2.0 (GTK 3.24.49; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Date: Tue, 05 May 2026 12:04:03 +0200 (CEST)
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: d0h0NOcIc07RXsy5Y8Q1QLkMhPXEPA6VVUr_tLfjXVE_1777975447
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-ID-Hash: YS4ZGNXPA5FID2DO35HIHCPACPVXXBE5
X-Message-ID-Hash: YS4ZGNXPA5FID2DO35HIHCPACPVXXBE5
X-MailFrom: sbrivio@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: passt-dev@passt.top, Jon Maloy <jmaloy@redhat.com>, David Gibson <david@gibson.dropbear.id.au>
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/20260505120401.5ab6a17f@elisabeth/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/YS4ZGNXPA5FID2DO35HIHCPACPVXXBE5/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

On Tue, 5 May 2026 09:53:04 +0200
Laurent Vivier <lvivier@redhat.com> wrote:

> On 5/5/26 01:11, Stefano Brivio wrote:
> > From: David Gibson <david@gibson.dropbear.id.au>
> > 
> > Extend pesto to send the updated rule configuration back to passt/pasta.
> > Extend passt/pasta to read the new configuration and store the new rules in
> > a "pending" table.   We don't yet attempt to activate them.
> > 
> > Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
> > [dwg: Based on an early draft from Stefano]
> > [sbrivio: Add redundant check on interface names being terminated in
> >   conf_recv_rules(), to make static checkers happy]
> > [sbrivio: Make conf_recv_rules() return -1 if fwd_rule_read() fails,
> >   as suggested by Jon Maloy]
> > Signed-off-by: David Gibson <david@gibson.dropbear.id.au>  
> 
> Reviewed-by: Laurent Vivier <lvivier@redhat.com>
> 
> But one comment below
> 
> > ---
> >   Makefile |  5 ---
> >   conf.c   | 94 ++++++++++++++++++++++++++++++++++++++++++++++++--------
> >   fwd.c    | 10 +++++-
> >   passt.h  |  2 ++
> >   pesto.c  | 35 +++++++++++++++++++++
> >   5 files changed, 127 insertions(+), 19 deletions(-)
> > 
> > diff --git a/Makefile b/Makefile
> > index c746b55..ae755a0 100644
> > --- a/Makefile
> > +++ b/Makefile
> > @@ -224,10 +224,6 @@ cppcheck: passt.cppcheck passt-repair.cppcheck pesto.cppcheck qrap.cppcheck
> >   	$(CPPCHECK) $(CPPCHECK_FLAGS) $(BASE_CPPFLAGS) $^
> >   
> >   passt.cppcheck: BASE_CPPFLAGS += -UPESTO
> > -passt.cppcheck: CPPCHECK_FLAGS += \
> > -	--suppress=unusedFunction:fwd_rule.c \
> > -	--suppress=staticFunction:fwd_rule.c \
> > -	--suppress=unusedFunction:serialise.c
> >   passt.cppcheck: $(PASST_SRCS) $(PASST_HEADERS) seccomp.h
> >   
> >   passt-repair.cppcheck: $(PASST_REPAIR_SRCS) $(PASST_REPAIR_HEADERS) seccomp_repair.h
> > @@ -238,7 +234,6 @@ pesto.cppcheck: CPPCHECK_FLAGS += \
> >   	--suppress=unusedFunction:inany.h \
> >   	--suppress=unusedFunction:inany.c \
> >   	--suppress=unusedFunction:ip.h \
> > -	--suppress=unusedFunction:fwd_rule.c \
> >   	--suppress=staticFunction:fwd_rule.c \
> >   	--suppress=unusedFunction:serialise.c
> >   pesto.cppcheck: $(PESTO_SRCS) $(PESTO_HEADERS) seccomp_pesto.h
> > diff --git a/conf.c b/conf.c
> > index 5e4e81e..f035fd3 100644
> > --- a/conf.c
> > +++ b/conf.c
> > @@ -1971,6 +1971,62 @@ static int conf_send_rules(const struct ctx *c, int fd)
> >   	return 0;
> >   }
> >   
> > +/**
> > + * conf_recv_rules() - Receive forwarding rules from configuration client
> > + * @c:		Execution context
> > + * @fd:		Socket to the client
> > + *
> > + * Return: 0 on success, -1 on failure
> > + */
> > +static int conf_recv_rules(const struct ctx *c, int fd)
> > +{
> > +	while (1) {
> > +		struct fwd_table *fwd;
> > +		struct fwd_rule r;
> > +		uint32_t count;
> > +		uint8_t pif;
> > +		unsigned i;
> > +
> > +		if (read_u8(fd, &pif))
> > +			return -1;
> > +
> > +		if (pif == PIF_NONE)
> > +			break;
> > +
> > +		if (pif >= ARRAY_SIZE(c->fwd_pending) ||
> > +		    !(fwd = c->fwd_pending[pif])) {
> > +			err("Received rules for non-existent table");
> > +			return -1;
> > +		}
> > +
> > +		if (read_u32(fd, &count))
> > +			return -1;
> > +
> > +		if (count > MAX_FWD_RULES) {
> > +			err("Received %"PRIu32" rules (maximum %u)",
> > +			    count, MAX_FWD_RULES);
> > +			return -1;
> > +		}
> > +
> > +		for (i = 0; i < count; i++) {
> > +			if (fwd_rule_read(fd, &r))
> > +				return -1;
> > +
> > +			if (r.ifname[sizeof(r.ifname) - 1]) {
> > +				err("Interface name was not NULL terminated");
> > +				return -1;
> > +			}
> > +			/* Redundant, to make static checkers happy */
> > +			r.ifname[sizeof(r.ifname) - 1] = '\0';
> > +
> > +			if (fwd_rule_add(fwd, &r) < 0)
> > +				return -1;
> > +		}
> > +	}
> > +
> > +	return 0;
> > +}
> > +
> >   /**
> >    * conf_close() - Close configuration / control socket and clean up
> >    * @c:		Execution context
> > @@ -2075,21 +2131,33 @@ fail:
> >   void conf_handler(struct ctx *c, uint32_t events)
> >   {
> >   	if (events & EPOLLIN) {
> > -		char discard[BUFSIZ];
> > -		ssize_t n;
> > -
> > -		do {
> > -			n = read(c->fd_control, discard, sizeof(discard));
> > -			if (n > 0)
> > -				debug("Discarded %zd bytes of config data", n);
> > -		} while (n > 0);
> > -		if (n == 0) {
> > -			debug("Configuration client EOF");
> > -			goto close;
> > +		unsigned pif;
> > +
> > +		/* Clear pending tables */
> > +		for (pif = 0; pif < PIF_NUM_TYPES; pif++) {
> > +			struct fwd_table *fwd = c->fwd_pending[pif];
> > +
> > +			if (!fwd)
> > +				continue;
> > +			fwd->count = 0;
> > +			fwd->sock_count = 0;
> >   		}
> > -		if (errno != EAGAIN && errno != EWOULDBLOCK) {
> > -			err_perror("Error reading config data");
> > +
> > +		/* FIXME: this could block indefinitely if the client doesn't
> > +		 * write as much as it should
> > +		 */
> > +		if (conf_recv_rules(c, c->fd_control) < 0)
> >   			goto close;
> > +
> > +		for (pif = 0; pif < PIF_NUM_TYPES; pif++) {
> > +			struct fwd_table *fwd = c->fwd_pending[pif];
> > +
> > +			if (!fwd)
> > +				continue;
> > +
> > +			info("New forwarding rules for %s:", pif_name(pif));
> > +			fwd_rules_dump(info, fwd->rules, fwd->count,
> > +				       "    ", "");
> >   		}
> >   	}
> >   
> > diff --git a/fwd.c b/fwd.c
> > index 8849cfc..d93d2e5 100644
> > --- a/fwd.c
> > +++ b/fwd.c
> > @@ -247,6 +247,9 @@ void fwd_neigh_table_init(const struct ctx *c)
> >   static struct fwd_table fwd_in;
> >   static struct fwd_table fwd_out;
> >   
> > +static struct fwd_table fwd_in_pending;
> > +static struct fwd_table fwd_out_pending;
> > +
> >   /**
> >    * fwd_rule_init() - Initialise forwarding tables
> >    * @c:		Execution context
> > @@ -269,10 +272,15 @@ void fwd_rule_init(struct ctx *c)
> >   		caps |= FWD_CAP_IFNAME;
> >   
> >   	fwd_in.caps = fwd_out.caps = caps;
> > +	fwd_in_pending.caps = fwd_out_pending.caps = caps;
> >   
> >   	c->fwd[PIF_HOST] = &fwd_in;
> > -	if (c->mode == MODE_PASTA)
> > +	c->fwd_pending[PIF_HOST] = &fwd_in_pending;
> > +
> > +	if (c->mode == MODE_PASTA) {
> >   		c->fwd[PIF_SPLICE] = &fwd_out;
> > +		c->fwd_pending[PIF_SPLICE] = &fwd_out_pending;
> > +	}
> >   }
> >   
> >   /**
> > diff --git a/passt.h b/passt.h
> > index b3f049d..1726965 100644
> > --- a/passt.h
> > +++ b/passt.h
> > @@ -188,6 +188,7 @@ struct ip6_ctx {
> >    * @pasta_ifi:		Index of namespace interface for pasta
> >    * @pasta_conf_ns:	Configure namespace after creating it
> >    * @fwd:		Forwarding tables
> > + * @fwd_pending:	Pending forward tables
> >    * @no_tcp:		Disable TCP operation
> >    * @tcp:		Context for TCP protocol handler
> >    * @no_udp:		Disable UDP operation
> > @@ -270,6 +271,7 @@ struct ctx {
> >   	int pasta_conf_ns;
> >   
> >   	struct fwd_table *fwd[PIF_NUM_TYPES];
> > +	struct fwd_table *fwd_pending[PIF_NUM_TYPES];
> >   
> >   	int no_tcp;
> >   	struct tcp_ctx tcp;
> > diff --git a/pesto.c b/pesto.c
> > index 16b3a5a..73fdc39 100644
> > --- a/pesto.c
> > +++ b/pesto.c
> > @@ -230,6 +230,39 @@ static bool read_pif_conf(int fd, struct configuration *conf)
> >   	return true;
> >   }
> >   
> > +/**
> > + * send_conf() - Send updated configuration to passt/pasta
> > + * @fd:		Control socket
> > + * @conf:	Updated configuration
> > + */
> > +static void send_conf(int fd, const struct configuration *conf)
> > +{
> > +	unsigned i;
> > +  
> 
> Perhaps it could be interesting to send a magic number (or a type id) if we want to be 
> able to update something else than the rules in the future?
> We also can send the length of the data if we want to be able to ignore it if the type id 
> is not supported?
> (Something like the chunks in IFF or PNG file format... but perhaps it's overcomplicated 
> for our purpose...)

I think eventually we will need something like that (we might want to
change addresses, options, etc.), but the idea for the moment is to
keep the complexity to a minimum by hiding everything behind the
protocol version number.

The day we want to support something on top of forwarding rules we'll
just bump the version and add type identifiers (I guess with length as
you mentioned).

Right now we're pretty much failing to deliver something that Podman
can still use for their 6.0 plans (hopefully 6.1 is still in scope but
I wouldn't take that for granted), so I'd definitely keep this kind of
stuff for later.

-- 
Stefano