a158eadfe3fa94d52cfe9407887819c8900c870c blob 2967 bytes (raw)

 
// SPDX-License-Identifier: GPL-2.0-or-later

/* PESTO - Programmable Extensible Socket Translation Orchestrator
 *  front-end for passt(1) and pasta(1) forwarding configuration
 *
 * pesto.c - Main program (it's not actually extensible)
 *
 * Copyright (c) 2026 Red Hat GmbH
 * Author: Stefano Brivio <sbrivio@redhat.com>
 */

#include <arpa/inet.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <errno.h>
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>
#include <unistd.h>

#include <linux/audit.h>
#include <linux/capability.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#include "seccomp_pesto.h"
#include "pesto_util.h"
#include "pesto.h"

/**
 * die() - Print a message followed by a newline to stderr, then exit
 * @...:	Format string and arguments, passed through to FPRINTF()
 *
 * Expands to two FPRINTF() calls and exit(EXIT_FAILURE), so it never returns.
 * The newline is appended here: format strings passed in shouldn't end with
 * one, or the output gets an extra blank line.
 */
#define die(...)							\
	do {								\
		FPRINTF(stderr, __VA_ARGS__);				\
		FPRINTF(stderr, "\n");					\
		exit(EXIT_FAILURE);					\
	} while (0)

/**
 * main() - Entry point and whole program with loop
 * @argc:	Argument count
 * @argv:	Arguments: socket path, operation, port specifiers
 *
 * Return: 0 on success, won't return on failure
 *
 * #syscalls:pesto connect write close exit_group fstat brk
 * #syscalls:pesto socket s390x:socketcall i686:socketcall
 * #syscalls:pesto recvfrom recvmsg arm:recv ppc64le:recv
 * #syscalls:pesto sendto sendmsg arm:send ppc64le:send
 */
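int main(int argc, char **argv)
{
	struct sockaddr_un a = { AF_UNIX, "" };
	struct pesto_hello hello;
	struct sock_fprog prog;
	uint32_t s_version;
	int ret, s;

	/* Self-restriction comes first, before any argument or socket is
	 * touched. Clearing the dumpable flag is best effort (the result is
	 * not checked); failing to set no_new_privs or to install the seccomp
	 * filter is fatal.
	 */
	prctl(PR_SET_DUMPABLE, 0);

	/* Cast the instruction count, not the byte size: a cast binds tighter
	 * than the division, so without the parentheses the size in bytes
	 * would be truncated to 16 bits before being divided.
	 */
	prog.len = (unsigned short)(sizeof(filter_pesto) /
				    sizeof(filter_pesto[0]));
	prog.filter = filter_pesto;
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
	    prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
		die("Failed to apply seccomp filter");

	if (argc < 2)
		die("Usage: %s CONTROLPATH", argv[0]);

	if ((s = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
		die("Failed to create AF_UNIX socket: %s", strerror(errno));

	/* Reject an empty path (ret == 0) and one that doesn't fit in
	 * sun_path (ret >= size): connecting to a truncated path could reach
	 * a different socket than the one the user named.
	 */
	ret = snprintf(a.sun_path, sizeof(a.sun_path), "%s", argv[1]);
	if (ret <= 0 || ret >= (int)sizeof(a.sun_path))
		die("Invalid socket path \"%s\"", argv[1]);

	ret = connect(s, (struct sockaddr *)&a, sizeof(a));
	if (ret < 0) {
		die("Failed to connect to %s: %s",
		    a.sun_path, strerror(errno));
	}

	/* The greeting comes from whatever is listening on the given path, so
	 * it's checked before anything else is done with it: magic first, then
	 * protocol version.
	 *
	 * NOTE(review): read_all_buf() is defined elsewhere; confirm that it
	 * sets errno when it returns a negative value on a short read or EOF,
	 * otherwise strerror(errno) might report a stale error here.
	 */
	ret = read_all_buf(s, &hello, sizeof(hello));
	if (ret < 0)
		die("Couldn't read server greeting: %s", strerror(errno));

	if (memcmp(hello.magic, PESTO_SERVER_MAGIC, sizeof(hello.magic)))
		die("Bad magic number from server");

	/* Version is sent in network byte order */
	s_version = ntohl(hello.version);

	/* A server newer than this client is refused. No trailing newline in
	 * the format: die() appends one.
	 */
	if (s_version > PESTO_PROTOCOL_VERSION) {
		die("Unknown server protocol version %"PRIu32" > %"PRIu32,
		    s_version, PESTO_PROTOCOL_VERSION);
	}

	/* Version 0 is the experimental protocol: accepted, with a warning,
	 * only if this client was built for version 0 as well.
	 */
	if (!s_version) {
		if (PESTO_PROTOCOL_VERSION)
			die("Unsupported experimental server protocol");
		fprintf(stderr,
"Warning: Using experimental protocol version, client and server must match\n");
	}

	/* s is not closed explicitly, returning from main() ends the process */
	return 0;
}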
debug log:

solving a158eadf ...
found a158eadf in https://archives.passt.top/passt-dev/20260316054629.239002-6-david@gibson.dropbear.id.au/

applying [1/1] https://archives.passt.top/passt-dev/20260316054629.239002-6-david@gibson.dropbear.id.au/
diff --git a/pesto.c b/pesto.c
new file mode 100644
index 00000000..a158eadf

Checking patch pesto.c...
Applied patch pesto.c cleanly.

index at:
100644 a158eadfe3fa94d52cfe9407887819c8900c870c	pesto.c
