From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Mon, 4 May 2026 18:44:29 +0200
Subject: Re: [PATCH v6 15/18] pesto: Parse and add new rules from command line
To: Stefano Brivio, passt-dev@passt.top
References: <20260503215601.823029-1-sbrivio@redhat.com> <20260503215601.823029-16-sbrivio@redhat.com>
From: Laurent Vivier
In-Reply-To: <20260503215601.823029-16-sbrivio@redhat.com>
CC: Jon Maloy, David Gibson
List-Id: Development discussion and patches for passt
List-Subscribe: List-Unsubscribe: On 5/3/26 23:55, Stefano Brivio wrote: > From: David Gibson > > This adds parsing of options using fwd_rule_parse(), validates them and > adds them to the existing rules. It doesn't yet send those rules back to > passt or pasta. > > Signed-off-by: Stefano Brivio > Message-ID: <20260322141843.4095972-3-sbrivio@redhat.com> > [dwg: Based on an early draft by Stefano] > Signed-off-by: David Gibson > --- > Makefile | 1 + > fwd_rule.c | 2 +- > fwd_rule.h | 1 + > pesto.c | 113 ++++++++++++++++++++++++++++++++++++++++++++++++++--- > 4 files changed, 111 insertions(+), 6 deletions(-) > > diff --git a/Makefile b/Makefile > index 057e4eb..125ec01 100644 > --- a/Makefile > +++ b/Makefile > @@ -227,6 +227,7 @@ cppcheck: passt.cppcheck passt-repair.cppcheck pesto.cppcheck qrap.cppcheck > passt.cppcheck: BASE_CPPFLAGS += -UPESTO > passt.cppcheck: CPPCHECK_FLAGS += \ > --suppress=unusedFunction:fwd_rule.c \ > + --suppress=staticFunction:fwd_rule.c \ > --suppress=unusedFunction:serialise.c > passt.cppcheck: $(PASST_SRCS) $(PASST_HEADERS) seccomp.h > > diff --git a/fwd_rule.c b/fwd_rule.c > index da9d893..3c1eaa4 100644 > --- a/fwd_rule.c > +++ b/fwd_rule.c > @@ -187,7 +187,7 @@ static bool fwd_rule_conflicts(const struct fwd_rule *a, const struct fwd_rule * > * > * Return: 0 on success, negative error code on failure > */ > -static int fwd_rule_add(struct fwd_table *fwd, const struct fwd_rule *new) > +int fwd_rule_add(struct fwd_table *fwd, const struct fwd_rule *new) > { > /* Flags which can be set from the caller */ > const uint8_t allowed_flags = FWD_WEAK | FWD_SCAN | FWD_DUAL_STACK_ANY; > diff --git a/fwd_rule.h b/fwd_rule.h > index 330d49e..f43b37d 100644 > --- a/fwd_rule.h > +++ b/fwd_rule.h 
> @@ -103,6 +103,7 @@ const char *fwd_rule_fmt(const struct fwd_rule *rule, char *dst, size_t size); > void fwd_rule_parse(char optname, const char *optarg, struct fwd_table *fwd); > int fwd_rule_read(int fd, struct fwd_rule *rule); > int fwd_rule_write(int fd, const struct fwd_rule *rule); > +int fwd_rule_add(struct fwd_table *fwd, const struct fwd_rule *new); > > /** > * fwd_rules_dump() - Dump forwarding rules > diff --git a/pesto.c b/pesto.c > index 4bf9bd8..95aecad 100644 > --- a/pesto.c > +++ b/pesto.c 
> @@ -55,6 +55,43 @@ static void usage(const char *name, FILE *f, int status) > FPRINTF(f, "Usage: %s [OPTION]... PATH\n", name); > FPRINTF(f, > "\n" > + " -t, --tcp-ports SPEC TCP inbound port forwarding\n" > + " can be specified multiple times\n" > + " SPEC can be:\n" > + " 'none': don't forward any ports\n" > + " [ADDR[%%IFACE]/]PORTS: forward specific ports\n" > + " PORTS is either 'all' (forward all unbound, non-ephemeral\n" > + " ports), or a comma-separated list of ports, optionally\n" > + " ranged with '-' and optional target ports after ':'.\n" > + " Ranges can be reduced by excluding ports or ranges\n" > + " prefixed by '~'.\n" > + " The 'auto' keyword may be given to only forward\n" > + " ports which are bound in the target namespace\n" > + " Examples:\n" > + " -t all Forward all ports\n" > + " -t 127.0.0.1/all Forward all ports from local address\n" > + " 127.0.0.1\n" > + " -t 22 Forward local port 22 to 22\n" > + " -t 22:23 Forward local port 22 to 23\n" > + " -t 22,25 Forward ports 22, 25 to ports 22, 25\n" > + " -t 22-80 Forward ports 22 to 80\n" > + " -t 22-80:32-90 Forward ports 22 to 80 to\n" > + " corresponding port numbers plus 10\n" > + " -t 192.0.2.1/5 Bind port 5 of 192.0.2.1\n" > + " -t 5-25,~10-20 Forward ports 5 to 9, and 21 to 25\n" > + " -t ~25 Forward all ports except for 25\n" > + " -t auto Forward all ports bound in namespace\n" > + " -t 192.0.2.2/auto Forward ports from 192.0.2.2 if\n" > + " they are bound in the namespace\n" > + " -t 8000-8010,auto Forward ports 8000-8010 if they\n" > + " are bound in the namespace\n" > + " -u, --udp-ports SPEC UDP inbound port forwarding\n" > + " SPEC is as described for TCP above\n" > + " -T, --tcp-ns SPEC TCP outbound port forwarding\n" > + " SPEC is as described above\n" > + " -U, --udp-ns SPEC UDP outbound port forwarding\n" > + " SPEC is as described above\n" I think description from conf.c is clearer: " -T, --tcp-ns SPEC TCP port forwarding to init namespace\n" " -U, --udp-ns SPEC UDP port 
forwarding to init namespace\n" Is it possible to define a common usage description between passt/pasta/pesto? A "#define COMMON_OPTS" ? > + " -s, --show Show configuration before and after\n" Update pesto.1 > " -d, --debug Print debugging messages\n" > " -h, --help Display this help message and exit\n" > " --version Show version and exit\n"); > @@ -204,6 +241,8 @@ static void show_conf(const struct configuration *conf) > fwd_rules_dump(printf, pc->fwd.rules, pc->fwd.count, > " ", "\n"); > } > + /* Flush stdout, so this doesn't get misordered with later debug()s */ > + (void)fflush(stdout); > } > > /** > @@ -215,7 +254,7 @@ static void show_conf(const struct configuration *conf) > * > * #syscalls:pesto socket s390x:socketcall i686:socketcall > * #syscalls:pesto connect shutdown close > - * #syscalls:pesto exit_group fstat read write > + * #syscalls:pesto exit_group fstat read write openat > */ > int main(int argc, char **argv) > { > @@ -223,11 +262,18 @@ int main(int argc, char **argv) > {"debug", no_argument, NULL, 'd' }, > {"help", no_argument, NULL, 'h' }, > {"version", no_argument, NULL, 1 }, > + {"tcp-ports", required_argument, NULL, 't' }, > + {"udp-ports", required_argument, NULL, 'u' }, > + {"tcp-ns", required_argument, NULL, 'T' }, > + {"udp-ns", required_argument, NULL, 'U' }, > + {"show", no_argument, NULL, 's' }, > { 0 }, > }; > + struct pif_configuration *inbound, *outbound; > struct sockaddr_un a = { AF_UNIX, "" }; > + const char *optstring = "dht:u:T:U:s"; > struct configuration conf = { 0 }; > - const char *optstring = "dh"; > + bool update = false, show = false; > struct pesto_hello hello; > struct sock_fprog prog; > int optname, ret, s; > @@ -248,6 +294,8 @@ int main(int argc, char **argv) > if (setvbuf(stdout, stdout_buf, _IOFBF, sizeof(stdout_buf))) > die_perror("Failed to set stdout buffer"); > > + fwd_probe_ephemeral(); > + > do { > optname = getopt_long(argc, argv, optstring, options, NULL); 
> > @@ -255,6 +303,16 @@ int main(int argc, char **argv) > case -1: > case 0: > break; > + case 't': > + case 'u': > + case 'T': > + case 'U': > + /* Parse these options after we've read state from passt/pasta */ > + update = true; > + break; > + case 's': > + show = true; > + break; > case 'h': > usage(argv[0], stdout, EXIT_SUCCESS); > break; > @@ -287,6 +345,8 @@ int main(int argc, char **argv) > die_perror("Failed to connect to %s", a.sun_path); > } > > + debug("Connected to passt/pasta control socket"); > + > ret = read_all_buf(s, &hello, sizeof(hello)); > if (ret < 0) > die_perror("Couldn't read server greeting"); > @@ -324,11 +384,54 @@ int main(int argc, char **argv) > while (read_pif_conf(s, &conf)) > ; > > - printf("passt/pasta configuration (%s)\n", a.sun_path); > - show_conf(&conf); > + if (!update) { > + printf("passt/pasta configuration (%s)\n", a.sun_path); > + show_conf(&conf); > + goto noupdate; > + } > + > + if (show) { > + printf("Previous configuration (%s)\n", a.sun_path); > + show_conf(&conf); > + } > + > + inbound = pif_conf_by_name(&conf, "HOST"); > + outbound = pif_conf_by_name(&conf, "SPLICE"); > + > + optind = 0; > + do { > + optname = getopt_long(argc, argv, optstring, options, NULL); > > + switch (optname) { > + case 't': > + case 'u': > + if (!inbound) { > + die("Can't use -%c, no inbound interface", > + optname); > + } > + fwd_rule_parse(optname, optarg, &inbound->fwd); > + break; > + case 'T': > + case 'U': > + if (!outbound) { > + die("Can't use -%c, no outbound interface", > + optname); > + } > + fwd_rule_parse(optname, optarg, &outbound->fwd); > + break; > + default: > + continue; > + } > + } while (optname != -1); > + > + if (show) { > + printf("Updated configuration (%s)\n", a.sun_path); > + show_conf(&conf); > + } > + > +noupdate: > if (shutdown(s, SHUT_RDWR) < 0 || close(s) < 0) > die_perror("Error shutting down control socket"); > - > + Unrelated change. > exit(0); > }
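Review bot: In the fwd_rule.c hunk, fwd_rule_add() loses its static qualifier, but none of the pesto.c hunks in this patch call it directly (they only call fwd_rule_parse()), so the reason for the export, and for the matching --suppress=staticFunction:fwd_rule.c added to passt.cppcheck in the Makefile, is not visible here. If the external caller arrives later in the series, the commit message should say so; otherwise keep the function static and drop the suppression.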
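Review bot: The "#syscalls:pesto" comment above main() gains openat with no explanation of which call needs it. Widening the seccomp allowlist deserves a one-line justification in the commit message or next to the annotation. If the only user is the fwd_probe_ephemeral() call added near the top of main() (an assumption, its body is not part of this patch), check whether that call already runs before the filter is installed, in which case openat would not need to be permitted at all.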
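Review bot: In the usage() hunk, the -s help line says "Show configuration before and after", but in the last pesto.c hunk the !update branch prints the configuration unconditionally and never looks at show, so -s only has an effect together with -t, -u, -T or -U. The help text should state that, for example "Show configuration before and after applying new rules".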
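Review bot: The second getopt_long() pass in the last pesto.c hunk restarts scanning with "optind = 0;", which is the GNU reinitialisation convention rather than the traditional value of 1, and it has no comment. A short note next to the assignment would make the intent clear. The same loop also hardcodes "HOST" and "SPLICE" as lookup keys for pif_conf_by_name(); named constants shared with the side that sends those names would avoid a silent NULL result if one of them is ever renamed.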