From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: passt.top; dmarc=none (p=none dis=none) header.from=gibson.dropbear.id.au
Authentication-Results: passt.top;
	dkim=pass (2048-bit key; secure) header.d=gibson.dropbear.id.au header.i=@gibson.dropbear.id.au header.a=rsa-sha256 header.s=202602 header.b=bdQWHKgY;
	dkim-atps=neutral
Received: from mail.ozlabs.org (mail.ozlabs.org [IPv6:2404:9400:2221:ea00::3])
	by passt.top (Postfix) with ESMTPS id 215BB5A0262
	for <passt-dev@passt.top>; Wed, 29 Apr 2026 07:21:46 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gibson.dropbear.id.au; s=202602; t=1777440103;
	bh=uFuiD8bO9tXqH712VO7HRsTxX2BjlXRWK/HCx0eHay4=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
	b=bdQWHKgYELdb55lt3CJhFlIKTMQVexK2KFu40sZE8QgV5z+UL9kKy3Akb2ZUa6tDb
	 93eb5m/6wRrq8suxiv0ZheFOHsOm21B2qtPutjwQZaHz6Kc5gMJvYQwNKQ1kSOK2vi
	 1LTOR2A6uwbzlkNtQdpIJaPlTxZr4mT+8XRAaCPz3rkv5Xz0rwMfY6g6MmQhN9gnos
	 rg0A0xDvFoRK+NdoywfgnG5/4uEB9lJNvlI9uOwZjRuDhY+J8yMqKWIRwuRNZxEWP+
	 15Jwo4iidG/q2QB51y2e88eORa3QbNxvr/L6vMQ6fRFKixaasEt4ZAaUShEClg2eEK
	 KW2FETIw4bOgw==
Received: by gandalf.ozlabs.org (Postfix, from userid 1007)
	id 4g55JR5sd7z4wpK; Wed, 29 Apr 2026 15:21:43 +1000 (AEST)
Date: Wed, 29 Apr 2026 15:21:36 +1000
From: David Gibson <david@gibson.dropbear.id.au>
To: Stefano Brivio <sbrivio@redhat.com>
Subject: Re: [PATCH v5 17/18] pesto, conf: Send updated rules from pesto back
 to passt/pasta
Message-ID: <afGVYIy177_ucK7g@zatzit>
References: <20260421062516.2601204-1-david@gibson.dropbear.id.au>
 <20260421062516.2601204-18-david@gibson.dropbear.id.au>
 <9c7a09d6-b4f2-429f-b5c9-7aed19a81902@redhat.com>
 <20260425113604.045c7a72@elisabeth>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="KozMsZN9coP2y4+M"
Content-Disposition: inline
In-Reply-To: <20260425113604.045c7a72@elisabeth>
Message-ID-Hash: UCMZZR6VQLXKR7JCYMRSHY74MQ2USRH2
X-Message-ID-Hash: UCMZZR6VQLXKR7JCYMRSHY74MQ2USRH2
X-MailFrom: dgibson@gandalf.ozlabs.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Jon Maloy <jmaloy@redhat.com>, passt-dev@passt.top
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/afGVYIy177_ucK7g@zatzit/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/UCMZZR6VQLXKR7JCYMRSHY74MQ2USRH2/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>


--KozMsZN9coP2y4+M
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Apr 25, 2026 at 11:36:05AM +0200, Stefano Brivio wrote:
> On Fri, 24 Apr 2026 18:38:57 -0400
> Jon Maloy <jmaloy@redhat.com> wrote:
>=20
> > On 2026-04-21 02:25, David Gibson wrote:
> > > Extend pesto to send the updated rule configuration back to passt/pas=
ta.
> > > Extend passt/pasta to read the new configuration and store the new ru=
les in
> > > a "pending" table.   We don't yet attempt to activate them.
> > >=20
> > > Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
> > > Message-ID: <20260322141843.4095972-3-sbrivio@redhat.com>
> > > [dwg: Based on an early draft from Stefano]\
> > > Signed-off-by: David Gibson <david@gibson.dropbear.id.au> =20
> >=20
> > [...]
> > >  =20
> > > +/**
> > > + * conf_recv_rules() - Receive forwarding rules from configuration c=
lient
> > > + * @c:		Execution context
> > > + * @fd:		Socket to the client
> > > + *
> > > + * Return: 0 on success, -1 on failure
> > > + */
> > > +static int conf_recv_rules(const struct ctx *c, int fd)
> > > +{
> > > +	while (1) {
> > > +		struct fwd_table *fwd;
> > > +		struct fwd_rule r;
> > > +		uint32_t count;
> > > +		uint8_t pif;
> > > +		unsigned i;
> > > +
> > > +		if (read_u8(fd, &pif))
> > > +			return -1;
> > > +
> > > +		if (pif =3D=3D PIF_NONE)
> > > +			break;
> > > +
> > > +		if (pif >=3D ARRAY_SIZE(c->fwd_pending) ||
> > > +		    !(fwd =3D c->fwd_pending[pif])) {
> > > +			err("Received rules for non-existent table");
> > > +			return -1;
> > > +		}
> > > +
> > > +		if (read_u32(fd, &count))
> > > +			return -1;
> > > +
> > > +		if (count > MAX_FWD_RULES) {
> > > +			err("Received %"PRIu32" rules (maximum %u)",
> > > +			    count, MAX_FWD_RULES);
> > > +			return -1;
> > > +		}
> > > +
> > > +		for (i =3D 0; i < count; i++) {
> > > +			fwd_rule_read(fd, &r); =20
> >=20
> > Since we don't check the return value I think we risk passing an only=
=20
> > partially initialized fwd_rule to fwd_rule_add() if the read fails.
> > Maybe:
> >    if (fwd_rule_read(fd, &r))
> >        return -1;
>=20
> Right, yes, that makes sense in general, even though I think this will
> need a small rework (I didn't get to that yet) to implement this point
> of the to-do list (see cover letter):
>=20
> > - Don't allow a client which sends a partial configuration then
> >   blocks also block passt

Right.  In retrospect this requirement makes the way I structured the
helpers in serialise.c not so helpful after all.

> ...because at that point we'll want to permit partial reads and keep a
> buffer with a counter of received bytes (perhaps rules / PIFs too).
>=20
> But actually it doesn't even need to be in this series or in a first
> implementation. It could simply be a limitation (in that case, I'll add
> the return -1 you suggest).
>=20
> A user who can connect to passt could anyway configure it to be useless
> so I don't see any particular security concern with it.

That's a good point.  At the moment the limitations of the protocol
(specifically the lack of TAP rules) limits the amount of damage a
client can do, but we do hope to extend that, so I think the argument
makes sense anyway.

--=20
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson

--KozMsZN9coP2y4+M
Content-Type: application/pgp-signature; name=signature.asc

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEO+dNsU4E3yXUXRK2zQJF27ox2GcFAmnxlVQACgkQzQJF27ox
2GcCng//emsH+e1oD5jsf5F/sBboM6lrAPXJaan8/JTbNNL/lBL+gnAV3P56IjXn
ZduseL5ctYFIlwbYT7I1iIFO+c5zTb3RPAhcUPE2CZKj0ZPoHfYbf8RNm8Ku0QxF
lPg5vPkEdzuFLQY7mnaLIEtcgdhjqQ8gBc42FIsYCLVbtto12z7YGVqzuNNjmwaN
xPbNIAre60ywd6fXbGxcisaCljODLGPykhfLCAxMrwKFenUM33oXMpjFFsEqxfDd
Y3sN2otn171FafUFB2N0ZGoE/o5ov+38cSqvim6BvZxxbmYCWzoQwywO/tOQOW9U
mKl3tmnVvNuAlL9neszBwM+vh+GuINzYN0qsC67nDN2wZLZUrElpnCcPOTeGwIC7
Y+mDiK6A9GE4MJ+t3tqX2Oe6xGD2UaxeU8Kh03kRxFmr/z11yrPiOY4qMvBUWrpO
NoiMMvjrq3ciBi5WfAybA7vDUMHSN0qwK8gAvkbUApNgAY9Dn2o78L5pI50xNQ55
uSkDO5r0+9OnfmbJtlgbyqfjYPGlfAL4SxU2LEytu9EEhtadsyhjrNePiHzJJBfa
4FarG4nva7v/9hkBtEKdFcIj6GYRSuj3AeBCfeWxFNQiwLchPY2p4Du665X6tqGs
vcCjsfYm85HMnQPYrFoxEu80GaEO0Pk/72OLWjUSSRoEF/h1E7I=
=Wq4v
-----END PGP SIGNATURE-----

--KozMsZN9coP2y4+M--