Re: [PATCH v8 00/19] Dynamic configuration update implementation

[David Gibson <david@gibson.dropbear.id.au>]

[-- Attachment #1: Type: text/plain, Size: 6616 bytes --]

On Wed, May 06, 2026 at 01:47:00AM +0200, Stefano Brivio wrote:
> Changes in v8:
>  * Implement --add, --delete, and --clear in 19/19, to add forwarding
>    rules instead of replacing tables, delete existing rules, and
>    explicitly clear tables
>  * Address Laurent's comments for 15/19 and 17/19
>  * In 10/19, instead of passing SOCK_NONBLOCK to accept4(), explicitly
>    set O_NONBLOCK on the listening socket. Using SOCK_NONBLOCK doesn't
>    do what we want, as it results in setting O_NONBLOCK on the new
>    socket rather than on the listening one
>  * Note: 18/19 is left as it is, I didn't address pending comments
>    yet
>  * Note: this doesn't include yet changes for AppArmor and SELinux
>    policies, as well as changes for the template Fedora spec file.
>    I'm still working on them

I haven't re-reviewed the whole series, but these changes all seem
good, with the exception of 19/19 and a few concerns on 10/19 which
I've sent separate mails about.

> 
> Changes in v7:
>  * Addressed comments from Laurent in 6/18, 8/18, 9/18, 10/18, 11/18,
>    12/18, 14/18, 15/18 (details in commit messages of single patches,
>    before my Signed-off-by)
>  * Note: this doesn't include yet --add and --delete, I'm still
>    working on that
> 
> Changes in v6:
>  * Addressed comments from Jon in 10/18, 11/18, 14/18, and 16/18
>  * Dodged all warnings from static checkers (Coverity Scan and
>    clang-tidy) with changes in 10/18, 11/18, 16/18, and with a
>    new patch, 18/18
>  * This does *not* include yet the implementation of --add and
>    --delete switches for pesto as I originally intended, I'm
>    rather far from being done with those. At the moment I just
>    have a "mode selection" implementation for command line
>    parsing but merging rules to / removing rules from / clearing
>    the current table is something I barely started (and what I
>    have at the moment isn't really valuable anyway)
> 
> David wrote:
> 
> ---
> Here's the next draft of dynamic configuration updates.  This now can
> successfully update rules, though I've not tested it very extensively.
> 
> Patches 1..8/18 are preliminary reworks that make sense even without
> pesto - feel free to apply if you're happy with them.  I don't think
> the rest should be applied yet; we need to at least harden it so passt
> can't be blocked indefinitely by a client which sends a partial update
> then waits.
> 
> Based on my earlier series reworking static checking invocation.
> 
> TODO:
>  - Don't allow a client which sends a partial configuration then
>    blocks also block passt
>  - Allow pesto to clear existing configuration, not just add
>  - Allow pesto selectively delete existing rules, not just add
> 
> Changes in v5:
>  * If multiple clients connect at once, they're now blocked until the
>    first one finishes, instead of later ones being discarded
> Changes in v4:
>  * Merged with remainder of forward rule parsing rework series
>    * Fix some bugs in rule checking pointed out by Laurent
>  * Significantly cleaned up option parsing code
>  * Changed from replacing all existing rules to adding new rules
>    (clear and remove still TBD)
>  * Somewhat simplified protocol (pif names and rules sent in a single
>    pass)
>  * pesto is now allocation free
>  * Fixed commit message and style nits pointed out by Stefano
> Changes in v3:
>  * Removed already applied ASSERT() rename
>  * Renamed serialisation functions
>  * Incorporated Stefano's extensions, reworked and fixed
>  * Several additional cleanups / preliminary reworks
> Changes in v2:
>  * Removed already applied cleanups
>  * Reworked assert() patch to handle -DNDEBUG properly
>  * Numerous extra patches:
>    * Factored out serialisation helpers and use them for migration as
>      well
>    * Reworked to allow ip.[ch] and inany.[ch] to be shared with pesto
>    * Reworks to share some forwarding rule datatypes with pesto
>    * Implemented sending pif names and current ruleset to pesto
> ---
> 
> David Gibson (17):
>   conf, fwd: Stricter rule checking in fwd_rule_add()
>   fwd_rule: Move ephemeral port probing to fwd_rule.c
>   fwd, conf: Move rule parsing code to fwd_rule.[ch]
>   fwd_rule: Move conflict checking back within fwd_rule_add()
>   fwd: Generalise fwd_rules_info()
>   pif: Limit pif names to 128 bytes
>   fwd_rule: Fix some format specifiers
>   pesto: Introduce stub configuration tool
>   pesto, log: Share log.h (but not log.c) with pesto tool
>   pesto, conf: Have pesto connect to passt and check versions
>   pesto: Expose list of pifs to pesto and display them
>   ip: Prepare ip.[ch] for sharing with pesto tool
>   inany: Prepare inany.[ch] for sharing with pesto tool
>   pesto: Read current ruleset from passt/pasta and optionally display it
>   pesto: Parse and add new rules from command line
>   pesto, conf: Send updated rules from pesto back to passt/pasta
>   conf, fwd: Allow switching to new rules received from pesto
> 
> Stefano Brivio (2):
>   fwd_rule: Fix static checkers warnings in fwd_rule_add()
>   pesto, conf, fwd_rule: Add options and modes to add, delete, clear
>     rules
> 
>  .gitignore   |   2 +
>  Makefile     |  53 ++--
>  common.h     | 116 +++++++++
>  conf.c       | 696 ++++++++++++++++++++++-----------------------------
>  conf.h       |   2 +
>  epoll_type.h |   4 +
>  flow.c       |   4 +-
>  fwd.c        | 169 ++++---------
>  fwd.h        |  41 +--
>  fwd_rule.c   | 680 +++++++++++++++++++++++++++++++++++++++++++++++--
>  fwd_rule.h   |  68 ++++-
>  inany.c      |  19 +-
>  inany.h      |  17 +-
>  ip.c         |  56 +----
>  ip.h         |   4 +-
>  lineread.c   |   2 +-
>  log.h        |  53 +++-
>  passt.1      |   5 +
>  passt.c      |   8 +
>  passt.h      |   8 +
>  pesto.1      | 271 ++++++++++++++++++++
>  pesto.c      | 520 ++++++++++++++++++++++++++++++++++++++
>  pesto.h      |  54 ++++
>  pif.c        |   2 +-
>  pif.h        |   7 +-
>  serialise.c  |   7 +
>  serialise.h  |   1 +
>  siphash.h    |  13 +
>  tap.c        |  52 ++++
>  util.h       | 110 +-------
>  30 files changed, 2252 insertions(+), 792 deletions(-)
>  create mode 100644 common.h
>  create mode 100644 pesto.1
>  create mode 100644 pesto.c
>  create mode 100644 pesto.h
> 
> -- 
> 2.43.0
> 

-- 
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]