References: <20251229095558.918055-1-yuhuang@redhat.com> <20260110191226.570a3f0b@elisabeth> <20260114003441.044df424@elisabeth> <20260114110033.151de4eb@elisabeth>
In-Reply-To: <20260114110033.151de4eb@elisabeth>
From: Yumei Huang
Date: Wed, 14 Jan 2026 18:35:18 +0800
Subject: Re: [PATCH] conf, pasta: Add --no-tap option
To: Stefano Brivio
CC: passt-dev@passt.top, david@gibson.dropbear.id.au
List-Id: Development discussion and patches for passt

On Wed, Jan 14, 2026 at 6:00 PM Stefano Brivio wrote:
>
> On Wed, 14 Jan 2026 15:28:31 +0800
> Yumei Huang wrote:
>
> > On Wed, Jan 14, 2026 at 2:31 PM Yumei Huang wrote:
> > >
> > > On Wed, Jan 14, 2026 at 7:34 AM Stefano Brivio wrote:
> > > >
> > > > On Tue, 13 Jan 2026 19:20:47 +0800
> > > > Yumei Huang wrote:
> > > >
> > > > > On Sun, Jan 11, 2026 at 2:12 AM Stefano Brivio wrote:
> > > > > >
> > > > > > On Mon, 29 Dec 2025 17:55:58 +0800
> > > > > > Yumei Huang wrote:
> > > > > >
> > > > > > > This patch introduces a mode where we only forward loopback connections
> > > > > > > and traffic between two namespaces (via the loopback interface, 'lo'),
> > > > > > > without a tap device.
> > > > > > >
> > > > > > > With this, podman can support forwarding ::1 in custom networks when using
> > > > > > > rootlesskit for forwarding ports.
> > > > > > >
> > > > > > > In --no-tap mode, --host-lo-to-ns-lo, --no-icmp and --no-ra are automatically
> > > > > > > enabled. Options requiring a tap device (--ns-ifname, --ns-mac-addr,
> > > > > > > --config-net, --outbound-if4/6) are rejected.
> > > > > > >
> > > > > > > Link: https://bugs.passt.top/show_bug.cgi?id=149
> > > > > > > Signed-off-by: Yumei Huang
> > > > > > > ---
> > > > > > >  conf.c  | 56 +++++++++++++++++++++++++++++++++++++++++---------------
> > > > > > >  fwd.c   |  3 +++
> > > > > > >  passt.1 |  5 +++++
> > > > > > >  passt.h |  2 ++
> > > > > > >  pasta.c |  3 +++
> > > > > > >  tap.c   | 11 +++++++----
> > > > > > >  6 files changed, 61 insertions(+), 19 deletions(-)
> > > > > > >
> > > > > > > diff --git a/conf.c b/conf.c
> > > > > > > index 84ae12b..353d0a5 100644
> > > > > > > --- a/conf.c
> > > > > > > +++ b/conf.c
> > > > > > > @@ -1049,7 +1049,8 @@ pasta_opts:
> > > > > > >                 "  --no-copy-addrs         DEPRECATED:\n"
> > > > > > >                 "                          Don't copy all addresses to namespace\n"
> > > > > > >                 "  --ns-mac-addr ADDR      Set MAC address on tap interface\n"
> > > > > > > -               "  --no-splice             Disable inbound socket splicing\n");
> > > > > > > +               "  --no-splice             Disable inbound socket splicing\n"
> > > > > > > +               "  --no-tap                Don't create tap device\n");
> > > > > > >
> > > > > > >         passt_exit(status);
> > > > > > >  }
> > > > > > > @@ -1451,6 +1452,7 @@ void conf(struct ctx *c, int argc, char **argv)
> > > > > > >                 {"no-ndp",      no_argument,            &c->no_ndp,     1 },
> > > > > > >                 {"no-ra",       no_argument,            &c->no_ra,      1 },
> > > > > > >                 {"no-splice",   no_argument,            &c->no_splice,  1 },
> > > > > > > +               {"no-tap",      no_argument,            &c->no_tap,     1 },
> > > > > > >                 {"freebind",    no_argument,            &c->freebind,   1 },
> > > > > > >                 {"no-map-gw",   no_argument,            &no_map_gw,     1 },
> > > > > > >                 {"ipv4-only",   no_argument,            NULL,           '4' },
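Review bot: the new usage line in the pasta_opts hunk, "--no-tap  Don't create tap device", gives no hint of the side effects the commit message attaches to the option (--host-lo-to-ns-lo, --no-icmp and --no-ra are forced on), so a user reading --help cannot tell that ICMP and router advertisement behaviour changes as well. Consider a second line in the same style, for example "Forward loopback traffic only, implies --host-lo-to-ns-lo", and make sure the passt.1 hunk lists every implied option explicitly.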
> > > > > > > @@ -1947,8 +1949,11 @@ void conf(struct ctx *c, int argc, char **argv)
> > > > > > >                 }
> > > > > > >         } while (name != -1);
> > > > > > >
> > > > > > > -       if (c->mode != MODE_PASTA)
> > > > > > > +       if (c->mode != MODE_PASTA) {
> > > > > > >                 c->no_splice = 1;
> > > > > > > +               if (c->no_tap)
> > > > > > > +                       die("--no-tap is for pasta mode only");
> > > > > > > +       }
> > > > > > >
> > > > > > >         if (c->mode == MODE_PASTA && !c->pasta_conf_ns) {
> > > > > > >                 if (copy_routes_opt)
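Review bot: the rejection of --no-tap outside pasta mode only runs after the whole `} while (name != -1);` option loop has finished, so in passt mode every other option is parsed and acted on before the user learns that --no-tap is invalid. Since die() never returns, the check can at least go ahead of `c->no_splice = 1;` so the block reads as "reject, then adjust", or move next to the other pasta-only option handling inside the loop so it fails fast.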
> > > > > > > @@ -1957,6 +1962,25 @@ void conf(struct ctx *c, int argc, char **argv)
> > > > > > >                         die("--no-copy-addrs needs --config-net");
> > > > > > >         }
> > > > > > >
> > > > > > > +       if (c->mode == MODE_PASTA && c->no_tap) {
> > > > > > > +               if (c->no_splice)
> > > > > > > +                       die("--no-tap is incompatible with --no-splice");
> > > > > >
> > > > > > I'm not sure if you need this for other reasons, but as long as it's
> > > > > > called --no-tap, it's not really incompatible with --no-splice.
> > > > >
> > > > > I will update it to --splice-only
> > > > >
> > > > > > Maybe users just want to get a disconnected namespace for whatever
> > > > > > reason ('pasta' is shorter to type than 'unshare -rUn').
> > > > > >
> > > > > > > +               if (*c->ip4.ifname_out || *c->ip6.ifname_out)
> > > > > > > +                       die("--no-tap is incompatible with --outbound-if4/6");
> > > > > > > +               if (*c->pasta_ifn)
> > > > > > > +                       die("--no-tap is incompatible with --ns-ifname");
> > > > > > > +               if (*c->guest_mac)
> > > > > > > +                       die("--no-tap is incompatible with --ns-mac-addr");
> > > > > > > +               if (c->pasta_conf_ns)
> > > > > > > +                       die("--no-tap is incompatible with --config-net");
> > > > > >
> > > > > > I guess all these checks are to save some checks later, which looks like
> > > > > > a good reason to have them here.
> > > > > >
> > > > > > If not, though, I don't think we *really* need to tell the user that
> > > > > > --ns-ifname will be ignored with --no-tap.
> > > > > >
> > > > > > One thing that might confuse users, though, is this:
> > > > > >
> > > > > >   $ ./pasta --no-tap --mtu 1500 -- ip l
> > > > > >   1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
> > > > > >       link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> > > > > >
> > > > > > or even this:
> > > > > >
> > > > > >   $ ./pasta --no-tap -a 192.0.2.1 -- ip a
> > > > > >   1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
> > > > > >       link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> > > > > >       inet 127.0.0.1/8 scope host lo
> > > > > >          valid_lft forever preferred_lft forever
> > > > > >       inet6 ::1/128 scope host proto kernel_lo
> > > > > >          valid_lft forever preferred_lft forever
> > > > > >
> > > > > > but I would rather *not* add conditions and checks for those even if
> > > > > > there's a *slight* potential for confusion, otherwise this becomes
> > > > > > really long. And it's really not worth it, I think.
> > > > >
> > > > > Then I guess we only need the c->no_splice check, right?
> > > >
> > > > ...maybe? About *needing*, yes, I guess so, but if other checks save
> > > > more checks later, I would keep them.
> > > >
> > > > > > > +
> > > > > > > +               c->host_lo_to_ns_lo = 1;
> > > > > > > +               c->no_icmp = 1;
> > > > > > > +               c->no_ra = 1;
> > > > > > > +               c->no_dns = 1;
> > > > > > > +               c->no_dns_search = 1;
> > > > > > > +       }
> > > > > > > +
> > > > > > >         if (!ifi4 && *c->ip4.ifname_out)
> > > > > > >                 ifi4 = if_nametoindex(c->ip4.ifname_out);
> > > >
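Review bot: the assignments at the end of this hunk force c->no_dns = 1 and c->no_dns_search = 1 on top of the three options the commit message documents (--host-lo-to-ns-lo, --no-icmp, --no-ra); either list --no-dns and --no-dns-search in the commit message and passt.1 as well, or drop them if loopback-only forwarding does not need them. The `c->mode == MODE_PASTA &&` guard on the new block is also redundant once the previous hunk die()s for --no-tap outside pasta mode, so `if (c->no_tap) {` is enough; and since the --no-splice conflict only makes sense under the --splice-only naming discussed above, the error strings in this block should follow whichever name v2 settles on.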
> > > > > > > > > > @@ -1980,9 +2004,9 @@ void conf(struct ctx *c, int argc, char= **argv) > > > > > > > log_conf_parsed =3D true; /* Stop printing ever= ything */ > > > > > > > > > > > > > > nl_sock_init(c, false); > > > > > > > - if (!v6_only) > > > > > > > + if (!v6_only && !c->no_tap) > > > > > > > c->ifi4 =3D conf_ip4(ifi4, &c->ip4); > > > > > > > - if (!v4_only) > > > > > > > + if (!v4_only && !c->no_tap) > > > > > > > c->ifi6 =3D conf_ip6(ifi6, &c->ip6); > > > > > > > > > > > > > > if (c->ifi4 && c->mtu < IPV4_MIN_MTU) { 
> > > > > > > @@ -1998,30 +2022,32 @@ void conf(struct ctx *c, int argc, char **argv)
> > > > > > >             (*c->ip6.ifname_out && !c->ifi6))
> > > > > > >                 die("External interface not usable");
> > > > > > >
> > > > > > > -       if (!c->ifi4 && !c->ifi6 && !*c->pasta_ifn) {
> > > > > > > +       if (!c->ifi4 && !c->ifi6 && !*c->pasta_ifn && !c->no_tap) {
> > > > > >
> > > > > > You already checked that !*c->pasta_ifn above.
> > > > >
> > > > > I guess the check above (aka. if (*c->pasta_ifn && c->no_tap)) doesn't
> > > > > affect this one? If c->pasta_ifn is assigned, we won't come to the
> > > > > check !c->no_tap here. Otherwise, we do need to check !c->no_tap.
> > > >
> > > > Right, but you don't care about resetting c->pasta_ifn to the default
> > > > value if !c->no_tap, because in that case you know that c->pasta_ifn
> > > > wasn't set, so you can happily override it.
> >
> > I just realized that you probably meant when c->no_tap is set.
> > Actually it would affect conf_print, info("Namespace interface: %s",
> > c->pasta_ifn). But I will add a condition about c->splice_only before
> > this line, so yes, it doesn't matter whether to reset it or not. I will
> > remove the check in v2.
> >
> > > I'm not sure I fully understand it. If !c->no_tap, the condition is
> > > the same as before without this patch, which is to not reset it if
> > > it's specified in cmd line. We won't know if c->pasta_ifn is set
> > > until this check, will we?
>
> Let's assume !c->ifi4 && !c->ifi6. Then we have 2 variables and 2^2
> possible cases:
>
> 1. !*c->pasta_ifn && !c->no_tap: we need to override c->pasta_ifn
>
> 2. !*c->pasta_ifn && c->no_tap: we don't need to override c->pasta_ifn,
>    *but it's harmless if we do*

This will lead conf_print to print "Namespace interface: tap0", which is
not correct. But I plan to add a check with c->no_tap in conf_print, so
it won't be a problem.

>
> 3. *c->pasta_ifn && !c->no_tap: we must not override c->pasta_ifn
>
> 4. *c->pasta_ifn && c->no_tap: we must not override c->pasta_ifn
>
> Now, if we make 1. and 2. the same and decide to override c->pasta_ifn
> also in case 2. (when it's not necessary, but harmless), 1. and 2. as
> well as 3. and 4. are pairwise the same, so you don't strictly need to
> add a condition on c->no_tap, I think.
>
> On the other hand... if it's obvious just to me, maybe it's actually
> simpler to keep the check. :) I realise that my observation is not as
> clear as I initially thought.
>
> --
> Stefano
>

--
Thanks,
Yumei Huang