From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: passt.top; dmarc=none (p=none dis=none) header.from=gibson.dropbear.id.au Authentication-Results: passt.top; dkim=pass (2048-bit key; secure) header.d=gibson.dropbear.id.au header.i=@gibson.dropbear.id.au header.a=rsa-sha256 header.s=202512 header.b=EpKP0pMn; dkim-atps=neutral Received: from mail.ozlabs.org (gandalf.ozlabs.org [150.107.74.76]) by passt.top (Postfix) with ESMTPS id 2179C5A065B for ; Thu, 18 Dec 2025 05:06:33 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gibson.dropbear.id.au; s=202512; t=1766030789; bh=+G4AMPFhByhfFWwWf4UcoQFjJuwZ3XJuKSY5J5+4Ygk=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=EpKP0pMnkryvh9L1LXxNgtg6wjTql+RHPYrDdKZ0RSqvaBlQG2Q/uNkAkdMaU1D5t iu98eq3L8WHXQ5dQOxVvvo/riXo5TVq9S8aghF1sBJLi/Y6x1W6OWmTJia7oJfuJ2a QBtoQiliewo0MgNUY9MLSEbbkBfrgUYQ+ryJdLXq/olebhRBGSv5rArniVRrnG2tcw i1hIeUQNLW5PBbCeRtPRPqU221TRC8mmd2cJmJnaYaFqw0wxenssfPQXTYFqzM0NYk dek6VLYMw0y2hpJhE+ftjSIeAOHfUgb8qlDR2jkpYBqz2qoJxvqncFh9gDDe8uvndN WHXeCfz7DGQOA== Received: by gandalf.ozlabs.org (Postfix, from userid 1007) id 4dWxtY4yhmz4wGr; Thu, 18 Dec 2025 15:06:29 +1100 (AEDT) Date: Thu, 18 Dec 2025 14:47:06 +1100 From: David Gibson To: Stefano Brivio Subject: Re: Thoughts on interface modes / multiple guest addresses Message-ID: References: <20251217012936.5aefec93@elisabeth> <20251218002220.18311a7b@elisabeth> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="TncE8c70elltA2AA" Content-Disposition: inline In-Reply-To: <20251218002220.18311a7b@elisabeth> Message-ID-Hash: EW55HTBAIJE33CYAR6A3UFLFV7VFDTFG X-Message-ID-Hash: EW55HTBAIJE33CYAR6A3UFLFV7VFDTFG X-MailFrom: dgibson@gandalf.ozlabs.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Jon Maloy , passt-dev@passt.top X-Mailman-Version: 3.3.8 Precedence: list List-Id: Development discussion and patches for passt Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: --TncE8c70elltA2AA Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Dec 18, 2025 at 12:22:20AM +0100, Stefano Brivio wrote: > On Wed, 17 Dec 2025 13:01:36 +1100 > David Gibson wrote: >=20 > > On Wed, Dec 17, 2025 at 01:29:36AM +0100, Stefano Brivio wrote: > > > On Tue, 16 Dec 2025 16:53:49 +1100 > > > David Gibson wrote: > > > =20 > > > > Hi Jon, > > > >=20 > > > > As discussed on the call yesterday, I've written up my thoughts on > > > > what a bunch of the address semantics should be. Turns out I'd > > > > already done some of this at: > > > > https://pad.passt.top/p/InterfaceMode =20 > > >=20 > > > Two general comments: > > >=20 > > > 1. local mode is already implemented, and some things such as the > > > interface name ("tap0") are already defined, see man page and > > > 'pasta -- pasta --config-net ip a' =20 > >=20 > > Yes, I'm aware. The two modes have the "normal" and "local" local to > > indicate the existing modes they're more similar to (neither is > > identical to current behaviour). Another point I left out is that > > this is intended as an endpoint to aim at. Getting there I expect to > > involve extra stuff for compatiblity along the way. > >=20 > > > 2. I think it's more relevant to define the basics of how one switches > > > between the existing local mode and a mode where we copy addresses > > > and routes (as they become available on the host), rather than > > > defining every single detail of these modes. =20 > >=20 > > Oh.. right. I guess I did't make this clear: these are modes set by > > the command line (details TBD), we never switch between them at > > runtime. They kind of have to be, because which mode we're in affects > > how we respond to runtime changes. > >=20 > > > In these terms, I think it would actually be helpful to *avoid* > > > seeing them as separate modes. If there's no host connectivity, we= 'll > > > start in local mode, and switch to the other mode as we get addres= ses > > > and routes configured... just to switch back to the previous mode = if > > > we lose them. =20 > >=20 > > The whole point of all-interface mode (better name suggestions > > welcome) is that the guest's routing configuration *doesn't* change, > > even if the host's does. >=20 > If that's what you mean, I think we're talking about two rather > different things. Evidently. This is my attempt to convey the picture in my head, I don't yet have much grasp of the picture in your head. > At the moment, local mode is used if a given IP version doesn't have a > configured address on the host, in that specific moment. This is what > the netlink monitor needs to make independent of the timing. Right. Maybe labelling this "local mode" was misleading. I'm using that because how we'd implement it is pretty close to how the current "local mode" works. > But if the user wants to specify addresses, or routes, we certainly > don't want to override them. So we would rather have an "override" or > "manual" mode (same as we already have now) as opposed to a "template" > or "automatic" mode where we copy (at runtime, with a monitor) > addresses and routes. Ah, yes, good. There are less differences here than I thought, so I've removed several rows from the table, hooray! > It's actually rather simple to implement a netlink monitor on top of > this, and that's for sure what we need to implement because it's rather > broken in Podman and rootlesskit and it has been for a while. Many things have been "rather simple to implement" until I actually did them. > I think that's the priority and what Jon was about to do rather than > spending now months to revise addressing and all possible defaults and > command line options. I mean, feel free to do that of course but I > think it needs to be implemented in parallel at that point. I'm really trying not to get into the weeds here. But I think through what the semantics of the new feature should be, and then weeds are all around me. For multi-address support there are at least four things to consider: (a) What goes in our internal list of addresses to give the guest? a.1. Everything listed with -a? a.2. Everything on the host? a.3. Everything on the host template interface? a.4. A link local address we pick? a.5. Some combination of the above. Unlike routes (that I can see), I'm pretty sure there are use cases where we want both host-copied addresses (for transparency) and explicit addresses (for a stable way of communicating with the host). -a auto (orthogonal to the mode proposals) is a suggestion of a way to make that configurable. Maybe it should be -a ir -a all, to cover a.3? (b) How do we convey those addresses to the guest? With --config-net it's fairly straightforward: whenever something changes in the internal list add/remove it in the guest. Without --config-net (including passt) it's trickier. b.1. We can use DHCP / RA lease times - Q: How long should they be? b.2. We can use DHCPNAK / RECONFIGURE - Can we count on the guest responding to these properly? - Do we care? (c) What if the guest uses an address we didn't tell it? That is, a multi-address equivalent of addr_seen. c.1. Add observed guest addresses to internal list - closest equivalent to current addr_seen - need to flag them so we don't send them back to the guest - Q: for how long do we keep them? c.2. Guest side netlink monitor updates=20 - Can't be used with passt - Shouldn't (IMO) be used with !--config-net - Does this give us anything c.1 doesn't? c.3. Discard packets with an address not in the internal list - Simplest semantics - Breaking change c.4. Send a DHCPNAK if the guest uses an unexpected address - Combined with? (d) Interaction between addresses and routes If we remove an address, and that address prefix was responsible for the guest route to reach $GGW, we need to update routes as well. > > Advantages: > > * The host can have whatever source-dependent, multi-path, bizarro > > routing configuration, changing as often as it likes and we (and > > the guest) don't care. Guest routes to the host, host routes > > onward from there. > > * We have a consistent (link local) way of addressing the host > > regardless of what changes happen on the host side > > * We have the freedom to allocate link-local addresses if we want > > them for any purpose > > Disadvantages: > > * No access to external peers via link-local address > > * Guest's routing setup is visibly different from the host's (so less > > L3 transparent) > >=20 > > I actually think that's a more useful and robust way of operating for > > most use cases and we should eventually make it the default. >=20 > Making things look like they're on the host is a very fundamental > feature that many users appreciate and use. There are degrees to "looking like the host". We'll never be perfect, so we have some choice on which aspects matter. Sharing the host address makes a lot of things work smoother, and I think we absolutely should keep that by default. I'm pretty sure *far* fewer things care whether the host's routing config is mirrored. That's why I'm suggesting an approach that preserves the former while dropping the latter. Part of the issue here is that if the host has multiple links, we really can't "look like the host" without putting multiple links in the guest. There's really no way to make a single-link config look like a multi-link config. Multiple guest interfaces is feasible for pasta (though a fair bit of work), but pretty awkward for passt. > I haven't reviewed the rest in detail but forcing users to specify a > new option to go back to a convenient default they had for years now > doesn't sound like a good idea. Eh, I can easily be persuaded on defaults. > > One-interface mode is for the use cases where those disadvantages are > > fatal. > >=20 > > There is another possible option here: present multiple interfaces in > > the guest, one for each host interface. I'm not including it, since > > it's basically equivalent to having multiple pasta instances in > > one-interface mode. To implement this, we'd basically have to > > implement one-interface mode first. > >=20 > > > So does it really help to have "modes" instead of just considering > > > what addresses and routes are we going to delete, and when? Because > > > that's what we'll need to do anyway (and that's what I think defin= es > > > the design). =20 > >=20 > > I haven't seen a way to define coherent semantics that cover all the > > use cases without introducing two modes. The overlapping constraints > > here are: >=20 > The two modes could be what we roughly have now: -a / -g imply that we > don't copy addresses / routes, and we don't source them for DHCP / > SLAAC / DHCPv6 either. The netlink monitor could simply be enabled when > the user doesn't override things. >=20 > > * With passt or !--config-net, we can't fully control the guest's > > networking config. We both can't set things with arbitrary > > precision, and we don't have a way of forcing an update when things > > change. >=20 > What is the problem with that? Nobody reported any issue with it. It's > actually expected. The problem is that if the guest relies on routing matching the host to work, then when the host has some configuration we can't or don't reflect into the guest, it will break. This already happened with source-specific routes IIRC. > > * If we're dealing with multiple host interfaces - either > > concurrently or to a lesser extent over time, then there's no way > > to coherently map host-side link-local addresses to the guest. >=20 > Also never reported as an issue as far as I know. It means whenever I need to write forwarding logic, I don't know what to do with ll addresses, because there's no clear model what they mean. > > > I see that this is not an explicit use case in Jon's list (which I > > > still have to review), but it's one of the most two fundamental on= es > > > I think (that, and Podman Quadlets), also nicely described by a us= er > > > at: > > >=20 > > > https://github.com/containers/podman/discussions/22737#discussio= ncomment-9478727 =20 > >=20 > > Ah, yes, that is another case. I think it would work out equivalent > > to one-interface mode attached to a dummy0 interface on the host. So, > > it should be fairly easy to implement in terms of one-interface mode, > > just pretending a dummy0 existed even if it doesn't. >=20 > That's pretty much the most important / most frequently reported case, > not just another case. But anyway, there's no need for dummy0 or > suchlike, we can just keep what we use as "local mode" (which wouldn't > be a mode anymore, rather a temporary state). Wait... I misread it. From the reference to -network none, I thought this one was intended as a permanent state, not a temporary one. The laptop-on-a-train case is absolutely the main one I'm thinking about for opaque mode. The guest always has an LL address, and the host can be accessed via it, whether or not the host currently has a network. When the host does get a network, the guest (maybe) gets extra addresses and can access the outside world. A lot of this comes down to: at the moment I can't make sense of what a "template interface" is or does. It doesn't affect where packets go to on the host (that's --outbound-if, except when it isn't). It doesn't affect where we packets come from on the host (that's -t and -u, defaulting to *). So what the heck does it do? - It selects the guest address(es), in a weird indirect way - It selects which host interface's neighbours we can talk to with link-local addresses. That's not something are often thinking about. - It selects the guest interface name, except when it doesn't=20 - Possibly some other things I've forgotten We try quite hard to pick a template interface, so it's not exactly optional. Except it is, because we eventually fall back to local mode, which doesn't have one. Making the template interface change - which switching between local mode and template mode implies - just makes all the above even more confusing. The two modes I'm proposing are different directions of resolving this: "transparent mode" is for when we really do care about what interface on the host we're using. We _do_ want to control where packets go to and come from on the host, and we want to see the details of how routes and addresses relate to links. "opaque mode" is when we don't. We can reach the host, and we might be able to reach the world via there, but we don't care exactly how. --=20 David Gibson (he or they) | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you, not the other way | around. http://www.ozlabs.org/~dgibson --TncE8c70elltA2AA Content-Type: application/pgp-signature; name=signature.asc -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEO+dNsU4E3yXUXRK2zQJF27ox2GcFAmlDeS8ACgkQzQJF27ox 2GfLQBAAp819JLg4ECIbTgtHH2NXsshh6Puz8XRs/lufLbI+KHzUbTbNFJhIg3sD kvw+krybASYcU+C3LHigwHSrQ9XpVwFZBVodi6jxyD4abDeBFHvXX61Xmn1T+b+N R8xCcs/+9qaK11dZ1dyZxZp6iINGSeyWJqVE0/NaShP8/gLcOAYQWBUi6qfGaiWp YTXklvaf7bp4Zyrq2ez1jmQm+i7w98iN1fapAbOw6g2AaPnuHQw/+wSX+KX2X/kC Te1k52M0ARdDcyxQsMuln4Y2QfY7ehfI8uPAT0p4FttwRsRjS3+lXjSyAOiBB8Iu pRrqPVEwod0ebZWJm42cg4syodMDJK/hzswSDglIM4RI+I5Kz6U7I+CKqs6LBEeq 0l861N32uHbFnyXj/GYrAxLl6w3ZYkHxx8orLnSRxuQfTZddhG27JqqfgtkXh2nU G9AnxW4AC21Uo/oEYOmaFa+CNPLzplEcLBjTeXzO/8KQEaAjjdkT4h8bn2xW6EXv sSTBYjEq5HIEch5OKdf080NpzadE4Z4MyepmpXMcwx0M0EXTj+LspnmkmX3fyBGl /R4Mk/0AQqbdO0rNfSViKzI3mBYuyQpzM+woK4Jgol/at6vdSKsLezP4cklCGxwq ucFvt4DxRti8oucD1GTaEg9EVac66Bt6F1zo8tGGpM4vNFnoYiY= =cdXd -----END PGP SIGNATURE----- --TncE8c70elltA2AA--