Date: Tue, 5 May 2026 19:53:43 +1000
From: David Gibson
To: Laurent Vivier
CC: Stefano Brivio, passt-dev@passt.top, Jon Maloy
Subject: Re: [PATCH v7 17/18] conf, fwd: Allow switching to new rules received from pesto
References: <20260504231142.1118652-1-sbrivio@redhat.com> <20260504231142.1118652-18-sbrivio@redhat.com>
List-Id: Development discussion and patches for passt

On Tue, May 05, 2026 at 11:08:27AM +0200, Laurent Vivier wrote:
> On 5/5/26 01:11, Stefano Brivio wrote:
> > From: David Gibson
> >
> > We can now receive updates to the forwarding rules from the pesto client
> > and store them in a "pending" copy of the forwarding tables. Implement
> > switching to using the new rules.
> >
> > The logic is in a new fwd_listen_switch(). For now this closes all
> > listening sockets related to the old tables, swaps the active and pending
> > tables, then listens based on the new tables. In future we look to improve
> > this so that we don't temporarily stop listening on ports that both the
> > old and new tables specify.
> >
> > Signed-off-by: David Gibson
> > Signed-off-by: Stefano Brivio > > --- > > conf.c | 5 ++--- > > fwd.c | 34 ++++++++++++++++++++++++++++++++++ > > fwd.h | 1 + > > 3 files changed, 37 insertions(+), 3 deletions(-) > >=20 > > diff --git a/conf.c b/conf.c > > index f035fd3..75b8291 100644 > > --- a/conf.c > > +++ b/conf.c > > @@ -2159,15 +2159,14 @@ void conf_handler(struct ctx *c, uint32_t event= s) > > fwd_rules_dump(info, fwd->rules, fwd->count, > > " ", ""); > > } > > + > > + fwd_listen_switch(c); > > } > > if (events & EPOLLHUP) { > > debug("Configuration client hangup"); > > - goto close; > > } > > - return; > > - > > close: > > conf_close(c); > > diff --git a/fwd.c b/fwd.c > > index d93d2e5..35b9e2b 100644 > > --- a/fwd.c > > +++ b/fwd.c 
> > @@ -534,6 +534,40 @@ int fwd_listen_init(const struct ctx *c) > > return 0; > > } > > +/** > > + * fwd_listen_switch() - Switch from current to pending rules table > > + * @c: Execution context > > + */ > > +void fwd_listen_switch(struct ctx *c) > > +{ > > + struct fwd_table *tmp[PIF_NUM_TYPES]; > > + unsigned i; > > + > > + /* Stop listening on the old tables */ > > + for (i =3D 0; i < PIF_NUM_TYPES; i++) { > > + struct fwd_table *fwd =3D c->fwd[i]; > > + > > + if (!fwd) > > + continue; > > + > > + debug("Flushing %u old %s rules", fwd->count, pif_name(i)); > > + fwd_listen_close(fwd); > > + fwd->count =3D fwd->sock_count =3D 0;
>
> Perhaps we can reset fwd->count and fwd->sock_count in fwd_listen_close() as
> after fwd_listen_close() these values are wrong?

No, they're not. fwd_listen_close() closes the listening sockets, but
it doesn't remove the rules. fwd->sock_count isn't the number of
*open* listening sockets, it's the maximum potential number of sockets
for all the rules. Having some or all of the sockets closed (-1 stored
in the array) is an allowed state. It's rare for most rules, but
routine for SCAN ("auto") rules.

> > + } > > + > > + /* Swap active and pending tables */ > > + static_assert(sizeof(tmp) =3D=3D sizeof(c->fwd) && > > + sizeof(tmp) =3D=3D sizeof(c->fwd_pending), > > + "Temporary has wrong size"); > > + memcpy(&tmp, (void *)c->fwd, sizeof(tmp)); > > + memcpy((void *)c->fwd, (void *)c->fwd_pending, sizeof(tmp)); > > + memcpy((void *)c->fwd_pending, &tmp, sizeof(tmp));
>
> I know we have the static_assert(), but with memcpy() we usually use the
> sizeof() of the destination to avoid write overflow.
>
> Why do we keep the old active table? Do we plan to have a "--restore" option?

Sort of. There are two reasons we keep the table around. One is to
allow for a rollback if switching to the new one fails. The other is
that we'll need it in order to allow for rule changes without
interrupting listening sockets.

> > + > > + /* Start listening on the new tables */ > > + if (fwd_listen_init(c) < 0) > > + err("Error switching to new forwarding rules"); > > +} > > + > > /* See enum in kernel's include/net/tcp_states.h */ > > #define UDP_LISTEN 0x07 > > #define TCP_LISTEN 0x0a > > diff --git a/fwd.h b/fwd.h > > index ac24782..b60697d 100644 > > --- a/fwd.h > > +++ b/fwd.h > > @@ -61,6 +61,7 @@ int fwd_listen_sync(const struct ctx *c, uint8_t pif, > > const struct fwd_scan *tcp, const struct fwd_scan *udp); > > void fwd_listen_close(const struct fwd_table *fwd); > > int fwd_listen_init(const struct ctx *c); > > +void fwd_listen_switch(struct ctx *c); > > bool nat_inbound(const struct ctx *c, const union inany_addr *addr, > > union inany_addr *translated);
>

--
David Gibson (he or they)      | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you, not the other way
                               | around.
http://www.ozlabs.org/~dgibson
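
Review bot: in the conf.c hunk for conf_handler(), removing both `goto close;` and `return;` means control now falls through the `close:` label on every path that reaches the end of the function, so conf_close(c) runs straight after fwd_listen_switch(c) whether or not EPOLLHUP was set. If closing the configuration connection after a single update is intended, a short comment above `close:` saying so would make that explicit, and the EPOLLHUP branch, now a lone debug() call, no longer needs its braces. If the connection is meant to stay open for further updates, the `return;` has to stay.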
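
Review bot: in fwd_listen_switch() in the fwd.c hunk, a failure of fwd_listen_init(c) is only logged with err() and the function returns void, while by that point the old listening sockets are already closed and the old tables have had fwd->count and fwd->sock_count reset to 0. As written, conf_handler() cannot tell the client that the switch failed, and the previous rules are no longer available to fall back to. Consider returning int so the caller can report the failure, and either defer the reset of the old tables until the new ones are listening or add a comment stating that rollback is not implemented yet. Separately, the three memcpy() calls with (void *) casts could be a per-index pointer swap in a loop, which would remove the need for the static_assert and for the sizeof question raised in review.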