From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: passt.top; dmarc=pass (p=quarantine dis=none) header.from=redhat.com
Authentication-Results: passt.top;
	dkim=pass (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=VHWNyidN;
	dkim-atps=neutral
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	by passt.top (Postfix) with ESMTPS id BD9E15A0269
	for <passt-dev@passt.top>; Tue, 05 May 2026 12:04:16 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1777975455;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=BmNFjbeoR2cbTxkUjXeilEVItm6LKfUYM9uCvUQJH2I=;
	b=VHWNyidNPRykh4RkFLTxmHvxlgY9iCH3pfWkVH/gULsq3fXPeVSkM65gScoyE89LfkFtjj
	V5PMgKD7CaMEp3Q2iAS0qb83T8n0M1juWKi0X/VLGIjldj0RP3yaXbysHlJVS+Mxp+Tdqn
	szIURygczV01Wbx5bK/bXun1IEbpnEM=
Received: from mail-wr1-f72.google.com (mail-wr1-f72.google.com
 [209.85.221.72]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-650-JjtspZZtO7Gj9PMml0nDzA-1; Tue, 05 May 2026 06:04:14 -0400
X-MC-Unique: JjtspZZtO7Gj9PMml0nDzA-1
X-Mimecast-MFC-AGG-ID: JjtspZZtO7Gj9PMml0nDzA_1777975453
Received: by mail-wr1-f72.google.com with SMTP id ffacd0b85a97d-4411a36715dso3579342f8f.2
        for <passt-dev@passt.top>; Tue, 05 May 2026 03:04:14 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1777975453; x=1778580253;
        h=date:content-transfer-encoding:mime-version:organization:references
         :in-reply-to:message-id:subject:cc:to:from:x-gm-gg
         :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=BmNFjbeoR2cbTxkUjXeilEVItm6LKfUYM9uCvUQJH2I=;
        b=FqXp263ZupgGlvASbAWiDibvmfop6B/LOcO1Cfap6kINB5fjNIvDhvSpKyzFjVuJTk
         GQEof5d26L6PBZvib3r16vJEpezD4N/tY+TAQeB/5RmIK+pqyD0QSYV4RXC7grWYPcd7
         Hlhzt5wM/OH5WZOKDOZb77PYSCECPGVuI1GpdwtA6XxxTrOMt0jXHUXGQHR+W06Xumdy
         mKRS7+CnRScdAKbNXo4AO5dWLESKP3qkP9n9Idh25IEYmE7WRSjtFIh7RpAdgYV4Nh9j
         H9XOa/BQQTbEDe5W0zV9PcDhDZtlHJTgzhtLgvnC5ojc7fIh0pRv59cMmtcaVYeV/b0z
         lR+g==
X-Gm-Message-State: AOJu0YwET0OzXGHGknJil21Y3XdlzYpCxHnqZh2jyOHzWwehgHAw6E3U
	Rru14DeYLHQgfqF1Qmq9UzqPHg20qQKVnSReljWvsP1vWdnr8Mvl5GWysGWZ1zS1Ys3cKd2kLrZ
	AJh7/d7LSa+pbhCqKI/FY6Rw2yYk9+ABJZDdg4IF32+diPBFVvSC8Hw==
X-Gm-Gg: AeBDieuYQmzGZPbh+xmg4u/qRds+/ruFWSjxAcZ3NQ0iuuql4VNXcJMI4ztjSq4+Pwe
	/Bdqcg5EBuh8HkKPjNIMOLEwfGNIGcgFQD2S6CZbtIIwVd2L0tzXuo8r38vcoI2c1Bige74MSKP
	5yx4Crkr8cW6U1UZw7OaKaVawtov3f+WINr8GWjCHkeFcRefrwFJnlXm506kDmpzltE1i3CKFmM
	Ugx82xjJHfqamWgH6iba0/RN0MbvzonMKA7eZ2v8bMldnINO8AuN2uC4ze9OvZYlTNrbULEp0nP
	zihaGL04sSzM1xQDYUXgjHT+z3H6nr7lh6/ClgwKVoeOE1dZDTyuEpxgsYcGGPC7pCDBbO8BEyQ
	a3vtNyLyb6xTd98e/2zgsS3VpF0NHDkXMY/UIjTfcJgw=
X-Received: by 2002:a05:600c:4f8e:b0:486:fbdb:b718 with SMTP id 5b1f17b1804b1-48d18ce4b2amr36055515e9.25.1777975452765;
        Tue, 05 May 2026 03:04:12 -0700 (PDT)
X-Received: by 2002:a05:600c:4f8e:b0:486:fbdb:b718 with SMTP id 5b1f17b1804b1-48d18ce4b2amr36054945e9.25.1777975452248;
        Tue, 05 May 2026 03:04:12 -0700 (PDT)
Received: from maya.myfinge.rs (ifcgrfdd.trafficplex.cloud. [2a10:fc81:a806:d6a9::1])
        by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-45055960fd6sm3637471f8f.31.2026.05.05.03.04.09
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 05 May 2026 03:04:10 -0700 (PDT)
From: Stefano Brivio <sbrivio@redhat.com>
To: Laurent Vivier <lvivier@redhat.com>
Subject: Re: [PATCH v7 17/18] conf, fwd: Allow switching to new rules
 received from pesto
Message-ID: <20260505120408.6f14cc15@elisabeth>
In-Reply-To: <ad2e9153-f024-41a0-999b-32c0e7696fca@redhat.com>
References: <20260504231142.1118652-1-sbrivio@redhat.com>
	<20260504231142.1118652-18-sbrivio@redhat.com>
	<ad2e9153-f024-41a0-999b-32c0e7696fca@redhat.com>
Organization: Red Hat
X-Mailer: Claws Mail 4.2.0 (GTK 3.24.49; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Date: Tue, 05 May 2026 12:04:09 +0200 (CEST)
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: H10oQ8N_DLDzx2WpIz150hxzfi3MnKseDRTguiLQnkU_1777975453
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-ID-Hash: DNZPISVB3ZAY7F52JJNWTSQ6QZBVOWRD
X-Message-ID-Hash: DNZPISVB3ZAY7F52JJNWTSQ6QZBVOWRD
X-MailFrom: sbrivio@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: passt-dev@passt.top, Jon Maloy <jmaloy@redhat.com>, David Gibson <david@gibson.dropbear.id.au>
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/20260505120408.6f14cc15@elisabeth/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/DNZPISVB3ZAY7F52JJNWTSQ6QZBVOWRD/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

On Tue, 5 May 2026 11:08:27 +0200
Laurent Vivier <lvivier@redhat.com> wrote:

> On 5/5/26 01:11, Stefano Brivio wrote:
> > From: David Gibson <david@gibson.dropbear.id.au>
> > 
> > We can now receive updates to the forwarding rules from the pesto client
> > and store them in a "pending" copy of the forwarding tables.  Implement
> > switching to using the new rules.
> > 
> > The logic is in a new fwd_listen_switch().  For now this closes all
> > listening sockets related to the old tables, swaps the active and pending
> > tables, then listens based on the new tables.  In future we look to improve
> > this so that we don't temporarily stop listening on ports that both the
> > old and new tables specify.
> > 
> > Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
> > Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
> > ---
> >   conf.c |  5 ++---
> >   fwd.c  | 34 ++++++++++++++++++++++++++++++++++
> >   fwd.h  |  1 +
> >   3 files changed, 37 insertions(+), 3 deletions(-)
> > 
> > diff --git a/conf.c b/conf.c
> > index f035fd3..75b8291 100644
> > --- a/conf.c
> > +++ b/conf.c
> > @@ -2159,15 +2159,14 @@ void conf_handler(struct ctx *c, uint32_t events)
> >   			fwd_rules_dump(info, fwd->rules, fwd->count,
> >   				       "    ", "");
> >   		}
> > +
> > +		fwd_listen_switch(c);
> >   	}
> >   
> >   	if (events & EPOLLHUP) {
> >   		debug("Configuration client hangup");
> > -		goto close;
> >   	}
> >   
> > -	return;
> > -
> >   close:
> >   	conf_close(c);
> >   
> > diff --git a/fwd.c b/fwd.c
> > index d93d2e5..35b9e2b 100644
> > --- a/fwd.c
> > +++ b/fwd.c
> > @@ -534,6 +534,40 @@ int fwd_listen_init(const struct ctx *c)
> >   	return 0;
> >   }
> >   
> > +/**
> > + * fwd_listen_switch() - Switch from current to pending rules table
> > + * @c:		Execution context
> > + */
> > +void fwd_listen_switch(struct ctx *c)
> > +{
> > +	struct fwd_table *tmp[PIF_NUM_TYPES];
> > +	unsigned i;
> > +
> > +	/* Stop listening on the old tables */
> > +	for (i = 0; i < PIF_NUM_TYPES; i++) {
> > +		struct fwd_table *fwd = c->fwd[i];
> > +
> > +		if (!fwd)
> > +			continue;
> > +
> > +		debug("Flushing %u old %s rules", fwd->count, pif_name(i));
> > +		fwd_listen_close(fwd);
> > +		fwd->count = fwd->sock_count = 0;  
> 
> Perhaps we can reset fwd->count and fwd->sock_count in fwd_listen_close() as after 
> fwd_listen_close() these values are wrong?

Right, while not strictly necessary it still looks like a good idea,
I'll change that.

> > +	}
> > +
> > +	/* Swap active and pending tables */
> > +	static_assert(sizeof(tmp) == sizeof(c->fwd) &&
> > +		      sizeof(tmp) == sizeof(c->fwd_pending),
> > +		      "Temporary has wrong size");
> > +	memcpy(&tmp, (void *)c->fwd, sizeof(tmp));
> > +	memcpy((void *)c->fwd, (void *)c->fwd_pending, sizeof(tmp));
> > +	memcpy((void *)c->fwd_pending, &tmp, sizeof(tmp));  
> 
> I know we have the static_assert(), but with memcpy() we usually use the sizeof() of the 
> destination to avoid write overflow.

I'll change this as well.

> Why do we keep the old active table? Do we plan to have a "--restore" option?

It's just to add and delete rules using a temporary table so that we
can abort cleanly and atomically on errors.

Are you asking why we don't wipe the old table afterwards? No
particular reason for that, even though I'm not sure if it's useful.

Actually some kind of --restore option might be desirable, even though
we would probably need to re-validate all the rules, or keep a "dirty"
bit that's set on other types of changes and would tell us that the
previous table can't be used as it is anymore.

-- 
Stefano


> > +
> > +	/* Start listening on the new tables */
> > +	if (fwd_listen_init(c) < 0)
> > +		err("Error switching to new forwarding rules");
> > +}
> > +
> >   /* See enum in kernel's include/net/tcp_states.h */
> >   #define UDP_LISTEN	0x07
> >   #define TCP_LISTEN	0x0a
> > diff --git a/fwd.h b/fwd.h
> > index ac24782..b60697d 100644
> > --- a/fwd.h
> > +++ b/fwd.h
> > @@ -61,6 +61,7 @@ int fwd_listen_sync(const struct ctx *c, uint8_t pif,
> >   		    const struct fwd_scan *tcp, const struct fwd_scan *udp);
> >   void fwd_listen_close(const struct fwd_table *fwd);
> >   int fwd_listen_init(const struct ctx *c);
> > +void fwd_listen_switch(struct ctx *c);
> >   
> >   bool nat_inbound(const struct ctx *c, const union inany_addr *addr,
> >   		 union inany_addr *translated);  
>