From: Laurent Vivier
Date: Tue, 5 May 2026 09:31:27 +0200
Subject: Re: [PATCH v7 15/18] pesto: Parse and add new rules from command line
To: Stefano Brivio, passt-dev@passt.top
CC: Jon Maloy, David Gibson
Message-ID: <8a902129-d32c-4dd5-b138-7765b7d137bf@redhat.com>
In-Reply-To: <20260504231142.1118652-16-sbrivio@redhat.com>
References: <20260504231142.1118652-1-sbrivio@redhat.com> <20260504231142.1118652-16-sbrivio@redhat.com>
List-Id: Development discussion and patches for passt

On 5/5/26 01:11, Stefano Brivio wrote:
> From: David Gibson
>
> This adds parsing of options using fwd_rule_parse(), validates them and
> adds them to the existing rules. It doesn't yet send those rules back to
> passt or pasta.
>
> Message-ID: <20260322141843.4095972-3-sbrivio@redhat.com>
> [dwg: Based on an early draft by Stefano]
> Signed-off-by: David Gibson
> [sbrivio: Recycled usage messages for -T and -U from conf.c as
> suggested by Laurent, dropped unrelated whitespace change]
> [sbrivio: Add description of -t, -u, -T, -U to pesto.1]

-T, -U, -s are still missing in pesto.1

otherwise:

Reviewed-by: Laurent Vivier

Thanks,
Laurent

> Signed-off-by: Stefano Brivio
> --- > Makefile | 1 + > fwd_rule.c | 2 +- > fwd_rule.h | 1 + > pesto.1 | 117 +++++++++++++++++++++++++++++++++++++++++++++++++++++ > pesto.c | 111 ++++++++++++++++++++++++++++++++++++++++++++++++-- > 5 files changed, 227 insertions(+), 5 deletions(-) > > diff --git a/Makefile b/Makefile > index 9e99dd1..c746b55 100644 > --- a/Makefile > +++ b/Makefile > @@ -226,6 +226,7 @@ cppcheck: passt.cppcheck passt-repair.cppcheck pesto.cppcheck qrap.cppcheck > passt.cppcheck: BASE_CPPFLAGS += -UPESTO > passt.cppcheck: CPPCHECK_FLAGS += \ > --suppress=unusedFunction:fwd_rule.c \ > + --suppress=staticFunction:fwd_rule.c \ > --suppress=unusedFunction:serialise.c > passt.cppcheck: $(PASST_SRCS) $(PASST_HEADERS) seccomp.h > > diff --git a/fwd_rule.c b/fwd_rule.c > index c2824d5..b55e4df 100644 > --- a/fwd_rule.c > +++ b/fwd_rule.c > @@ -187,7 +187,7 @@ static bool fwd_rule_conflicts(const struct fwd_rule *a, const struct fwd_rule * > * > * Return: 0 on success, negative error code on failure > */ > -static int fwd_rule_add(struct fwd_table *fwd, const struct fwd_rule *new) > +int fwd_rule_add(struct fwd_table *fwd, const struct fwd_rule *new) > { > /* Flags which can be set from the caller */ > const uint8_t allowed_flags = FWD_WEAK | FWD_SCAN | FWD_DUAL_STACK_ANY; 
> diff --git a/fwd_rule.h b/fwd_rule.h > index 330d49e..f43b37d 100644 > --- a/fwd_rule.h > +++ b/fwd_rule.h > @@ -103,6 +103,7 @@ const char *fwd_rule_fmt(const struct fwd_rule *rule, char *dst, size_t size); > void fwd_rule_parse(char optname, const char *optarg, struct fwd_table *fwd); > int fwd_rule_read(int fd, struct fwd_rule *rule); > int fwd_rule_write(int fd, const struct fwd_rule *rule); > +int fwd_rule_add(struct fwd_table *fwd, const struct fwd_rule *new); > > /** > * fwd_rules_dump() - Dump forwarding rules > diff --git a/pesto.1 b/pesto.1 > index b06433d..32d6ed1 100644 > --- a/pesto.1 > +++ b/pesto.1 
> @@ -31,6 +31,123 @@ Be verbose. > .BR \-h ", " \-\-help > Display a help message and exit. > > +.TP > +.BR \-t ", " \-\-tcp-ports " " \fIspec > +Configure TCP port forwarding to guest or namespace. \fIspec\fR can be one of: > +.RS > + > +.TP > +.BR none > +Don't forward any ports > + > +.TP > +[\fIaddress\fR[\fB%\fR\fIinterface\fR]\fB/\fR]\fIports\fR ... > +Specific ports to forward. Optionally, a specific listening address > +and interface name (since Linux 5.7) can be specified. \fIports\fR > +may be either: > +.RS > +.TP > +\fBall\fR > +Forward all unbound, non-ephemeral ports, as permitted by current capabilities. > +No failures are reported for unavailable ports, unless no ports could be > +forwarded at all. > +.RE > + > +.RS > +or a comma-separated list of entries which may be any of: > +.TP > +\fIfirst\fR[\fB-\fR\fIlast\fR][\fB:\fR\fItofirst\fR[\fB-\fR\fItolast\fR]] > +Include range. Forward port numbers between \fIfirst\fR and \fIlast\fR > +(inclusive) to ports between \fItofirst\fR and \fItolast\fR. If > +\fItofirst\fR and \fItolast\fR are omitted, assume the same as > +\fIfirst\fR and \fIlast\fR. If \fIlast\fR is omitted, assume the same > +as \fIfirst\fR. > + > +.TP > +\fB~\fR\fIfirst\fR[\fB-\fR\fIlast\fR] > +Exclude range. Don't forward port numbers between \fIfirst\fR and > +\fIlast\fR. This takes precedences over include ranges. > + > +.TP > +.BR auto > +\fBpasta\fR only. Only forward ports in the specified set if the > +target ports are bound in the namespace. The list of ports is > +periodically derived (every second) from listening sockets reported by > +\fI/proc/net/tcp\fR and \fI/proc/net/tcp6\fR, see \fBproc\fR(5). > +.RE > + > +Specifying excluded ranges only implies that all other non-ephemeral > +ports are forwarded. Specifying no ranges at all implies forwarding > +all non-ephemeral ports permitted by current capabilities. In this > +case, no failures are reported for unavailable ports, unless no ports > +could be forwarded at all. 
> + > +Examples: > +.RS > +.TP > +-t all > +Forward all unbound, non-ephemeral ports as permitted by current > +capabilities to the corresponding port on the guest or namespace > +.TP > +-t ::1/all > +For the local address ::1, forward all unbound, non-ephemeral ports as > +permitted by current capabilities > +.TP > +-t 22 > +Forward local port 22 to port 22 on the guest or namespace > +.TP > +-t 22:23 > +Forward local port 22 to port 23 on the guest or namespace > +.TP > +-t 22,25 > +Forward local ports 22 and 25 to ports 22 and 25 on the guest or namespace > +.TP > +-t 22-80 > +Forward local ports between 22 and 80 to corresponding ports on the guest or > +namespace > +.TP > +-t 22-80:32-90 > +Forward local ports between 22 and 80 to ports between 32 and 90 on the guest or > +namespace > +.TP > +-t 192.0.2.1/22 > +Forward local port 22, bound to 192.0.2.1, to port 22 on the guest or namespace > +.TP > +-t 192.0.2.1%eth0/22 > +Forward local port 22, bound to 192.0.2.1 and interface eth0, to port 22 > +.TP > +-t %eth0/22 > +Forward local port 22, bound to any address on interface eth0, to port 22 > +.TP > +-t 2000-5000,~3000-3010 > +Forward local ports between 2000 and 5000, except for those between 3000 and > +3010 > +.TP > +-t 192.0.2.1/20-30,~25 > +For the local address 192.0.2.1, forward ports between 20 and 24 and between 26 > +and 30 > +.TP > +-t ~20000-20010 > +Forward all ports to the guest, except for the range from 20000 to 20010 > +.TP > +-t auto > +Automatically forward any ports which are bound in the namespace > +.TP > +-t ::1/auto > +Automatically forward any ports which are bound in the namespace, > +listening only on local port ::1 > +.TP > +-t 8000-8010,auto > +Forward ports in the range 8000-8010 if and only if they are bound in > +the namespace > +.RE > +.RE > + > +.TP > +.BR \-u ", " \-\-udp-ports " " \fIspec > +Configure UDP port forwarding to guest. \fIspec\fR is as described for TCP > +above. 
> + > .TP > .BR \-\-version > Show version and exit. > diff --git a/pesto.c b/pesto.c > index 92a8cb2..16b3a5a 100644 > --- a/pesto.c > +++ b/pesto.c 
> @@ -55,6 +55,43 @@ static void usage(const char *name, FILE *f, int status) > FPRINTF(f, "Usage: %s [OPTION]... PATH\n", name); > FPRINTF(f, > "\n" > + " -t, --tcp-ports SPEC TCP inbound port forwarding\n" > + " can be specified multiple times\n" > + " SPEC can be:\n" > + " 'none': don't forward any ports\n" > + " [ADDR[%%IFACE]/]PORTS: forward specific ports\n" > + " PORTS is either 'all' (forward all unbound, non-ephemeral\n" > + " ports), or a comma-separated list of ports, optionally\n" > + " ranged with '-' and optional target ports after ':'.\n" > + " Ranges can be reduced by excluding ports or ranges\n" > + " prefixed by '~'.\n" > + " The 'auto' keyword may be given to only forward\n" > + " ports which are bound in the target namespace\n" > + " Examples:\n" > + " -t all Forward all ports\n" > + " -t 127.0.0.1/all Forward all ports from local address\n" > + " 127.0.0.1\n" > + " -t 22 Forward local port 22 to 22\n" > + " -t 22:23 Forward local port 22 to 23\n" > + " -t 22,25 Forward ports 22, 25 to ports 22, 25\n" > + " -t 22-80 Forward ports 22 to 80\n" > + " -t 22-80:32-90 Forward ports 22 to 80 to\n" > + " corresponding port numbers plus 10\n" > + " -t 192.0.2.1/5 Bind port 5 of 192.0.2.1\n" > + " -t 5-25,~10-20 Forward ports 5 to 9, and 21 to 25\n" > + " -t ~25 Forward all ports except for 25\n" > + " -t auto Forward all ports bound in namespace\n" > + " -t 192.0.2.2/auto Forward ports from 192.0.2.2 if\n" > + " they are bound in the namespace\n" > + " -t 8000-8010,auto Forward ports 8000-8010 if they\n" > + " are bound in the namespace\n" > + " -u, --udp-ports SPEC UDP inbound port forwarding\n" > + " SPEC is as described for TCP above\n" > + " -T, --tcp-ns SPEC TCP port forwarding to init namespace\n" > + " SPEC is as described above\n" > + " -U, --udp-ns SPEC UDP port forwarding to init namespace\n" > + " SPEC is as described above\n" > + " -s, --show Show configuration before and after\n" > " -d, --debug Print debugging messages\n" > " -h, --help 
Display this help message and exit\n" > " --version Show version and exit\n"); > @@ -207,6 +244,8 @@ static void show_conf(const struct configuration *conf) > fwd_rules_dump(printf, pc->fwd.rules, pc->fwd.count, > " ", "\n"); > } > + /* Flush stdout, so this doesn't get misordered with later debug()s */ > + (void)fflush(stdout); > } > > /** > @@ -218,7 +257,7 @@ static void show_conf(const struct configuration *conf) > * > * #syscalls:pesto socket s390x:socketcall i686:socketcall > * #syscalls:pesto connect shutdown close > - * #syscalls:pesto exit_group fstat read write > + * #syscalls:pesto exit_group fstat read write openat > */ > int main(int argc, char **argv) > { > @@ -226,11 +265,18 @@ int main(int argc, char **argv) > {"debug", no_argument, NULL, 'd' }, > {"help", no_argument, NULL, 'h' }, > {"version", no_argument, NULL, 1 }, > + {"tcp-ports", required_argument, NULL, 't' }, > + {"udp-ports", required_argument, NULL, 'u' }, > + {"tcp-ns", required_argument, NULL, 'T' }, > + {"udp-ns", required_argument, NULL, 'U' }, > + {"show", no_argument, NULL, 's' }, > { 0 }, > }; > + struct pif_configuration *inbound, *outbound; > struct sockaddr_un a = { AF_UNIX, "" }; > + const char *optstring = "dht:u:T:U:s"; > struct configuration conf = { 0 }; > - const char *optstring = "dh"; > + bool update = false, show = false; > struct pesto_hello hello; > struct sock_fprog prog; > int optname, ret, s; > @@ -251,6 +297,8 @@ int main(int argc, char **argv) > if (setvbuf(stdout, stdout_buf, _IOFBF, sizeof(stdout_buf))) > die_perror("Failed to set stdout buffer"); > > + fwd_probe_ephemeral(); > + > do { > optname = getopt_long(argc, argv, optstring, options, NULL); 
> > @@ -258,6 +306,16 @@ int main(int argc, char **argv) > case -1: > case 0: > break; > + case 't': > + case 'u': > + case 'T': > + case 'U': > + /* Parse these options after we've read state from passt/pasta */ > + update = true; > + break; > + case 's': > + show = true; > + break; > case 'h': > usage(argv[0], stdout, EXIT_SUCCESS); > break; > @@ -290,6 +348,8 @@ int main(int argc, char **argv) > die_perror("Failed to connect to %s", a.sun_path); > } > > + debug("Connected to passt/pasta control socket"); > + > ret = read_all_buf(s, &hello, sizeof(hello)); > if (ret < 0) > die_perror("Couldn't read server greeting"); > @@ -327,9 +387,52 @@ int main(int argc, char **argv) > while (read_pif_conf(s, &conf)) > ; > > - printf("passt/pasta configuration (%s)\n", a.sun_path); > - show_conf(&conf); > + if (!update) { > + printf("passt/pasta configuration (%s)\n", a.sun_path); > + show_conf(&conf); > + goto noupdate; > + } > + > + if (show) { > + printf("Previous configuration (%s)\n", a.sun_path); > + show_conf(&conf); > + } > + > + inbound = pif_conf_by_name(&conf, "HOST"); > + outbound = pif_conf_by_name(&conf, "SPLICE"); > + > + optind = 0; > + do { > + optname = getopt_long(argc, argv, optstring, options, NULL); > + > + switch (optname) { > + case 't': > + case 'u': > + if (!inbound) { > + die("Can't use -%c, no inbound interface", > + optname); > + } > + fwd_rule_parse(optname, optarg, &inbound->fwd); > + break; > + case 'T': > + case 'U': > + if (!outbound) { > + die("Can't use -%c, no outbound interface", > + optname); > + } > + fwd_rule_parse(optname, optarg, &outbound->fwd); > + break; > + default: > + continue; > + } > + } while (optname != -1); > + > + if (show) { > + printf("Updated configuration (%s)\n", a.sun_path); > + show_conf(&conf); > + } > > +noupdate: > if (shutdown(s, SHUT_RDWR) < 0 || close(s) < 0) > die_perror("Error shutting down control socket"); >
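
Review bot: in the fwd_rule.c and fwd_rule.h hunks, fwd_rule_add() loses its static qualifier and gains a prototype, but none of the pesto.c hunks in this patch call it; pesto.c only reaches the rule code through fwd_rule_parse(). The matching Makefile hunk then adds "--suppress=staticFunction:fwd_rule.c" for the passt cppcheck run, which silences that check for the whole file rather than for this one function. Either move the export to the patch that adds the external caller, or state in the commit message why it is needed at this point in the series.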
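
Review bot: in the pesto.1 hunk, the "-t ::1/auto" example says "listening only on local port ::1", but ::1 is an address, so it should read "local address ::1" as the "-t ::1/all" example does. In the same hunk, "This takes precedences over include ranges" should be "precedence", and the -u entry says "to guest" where the -t entry says "to guest or namespace". The commit message tag lists -t, -u, -T and -U for pesto.1, while the hunk only adds entries for -t and -u.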
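
Review bot: the "#syscalls:pesto" line in the comment above main() gains openat, which widens the syscall filter for the tool, but neither that comment nor the commit message says which code path needs it. The only new call this patch adds ahead of option parsing is fwd_probe_ephemeral(); if that is what opens a file, say so in the commit message so the addition can be audited later, and so it can be dropped again if the call moves.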
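
Review bot: in the last pesto.c hunk, the second getopt_long() pass is restarted with "optind = 0;", which relies on the C library treating 0 as a request to reinitialise the scanner, whereas POSIX only describes resetting optind to 1; a one-line comment there would save the next reader a lookup. In the same loop, "default: continue;" inside the do/while jumps straight to the "optname != -1" test, so the loop does terminate, but a plain "break" out of the switch behaves the same here and reads less like a loop-control trick.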