On Wed, May 06, 2026 at 01:47:00AM +0200, Stefano Brivio wrote:
> Changes in v8:
> * Implement --add, --delete, and --clear in 19/19, to add forwarding
>   rules instead of replacing tables, delete existing rules, and
>   explicitly clear tables
> * Address Laurent's comments for 15/19 and 17/19
> * In 10/19, instead of passing SOCK_NONBLOCK to accept4(), explicitly
>   set O_NONBLOCK on the listening socket. Using SOCK_NONBLOCK doesn't
>   do what we want, as it results in setting O_NONBLOCK on the new
>   socket rather than on the listening one
> * Note: 18/19 is left as it is, I didn't address pending comments
>   yet
> * Note: this doesn't include yet changes for AppArmor and SELinux
>   policies, as well as changes for the template Fedora spec file.
>   I'm still working on them

I haven't re-reviewed the whole series, but these changes all seem good,
with the exception of 19/19 and a few concerns on 10/19 which I've sent
separate mails about.

>
> Changes in v7:
> * Addressed comments from Laurent in 6/18, 8/18, 9/18, 10/18, 11/18,
>   12/18, 14/18, 15/18 (details in commit messages of single patches,
>   before my Signed-off-by)
> * Note: this doesn't include yet --add and --delete, I'm still
>   working on that
>
> Changes in v6:
> * Addressed comments from Jon in 10/18, 11/18, 14/18, and 16/18
> * Dodged all warnings from static checkers (Coverity Scan and
>   clang-tidy) with changes in 10/18, 11/18, 16/18, and with a
>   new patch, 18/18
> * This does *not* include yet the implementation of --add and
>   --delete switches for pesto as I originally intended, I'm
>   rather far from being done with those. At the moment I just
>   have a "mode selection" implementation for command line
>   parsing but merging rules to / removing rules from / clearing
>   the current table is something I barely started (and what I
>   have at the moment isn't really valuable anyway)
>
> David wrote:
>
> ---
> Here's the next draft of dynamic configuration updates. This now can
> successfully update rules, though I've not tested it very extensively.
>
> Patches 1..8/18 are preliminary reworks that make sense even without
> pesto - feel free to apply if you're happy with them. I don't think
> the rest should be applied yet; we need to at least harden it so passt
> can't be blocked indefinitely by a client which sends a partial update
> then waits.
>
> Based on my earlier series reworking static checking invocation.
>
> TODO:
> - Don't allow a client which sends a partial configuration then
>   blocks also block passt
> - Allow pesto to clear existing configuration, not just add
> - Allow pesto selectively delete existing rules, not just add
>
> Changes in v5:
> * If multiple clients connect at once, they're now blocked until the
>   first one finishes, instead of later ones being discarded
> Changes in v4:
> * Merged with remainder of forward rule parsing rework series
> * Fix some bugs in rule checking pointed out by Laurent
> * Significantly cleaned up option parsing code
> * Changed from replacing all existing rules to adding new rules
>   (clear and remove still TBD)
> * Somewhat simplified protocol (pif names and rules sent in a single
>   pass)
> * pesto is now allocation free
> * Fixed commit message and style nits pointed out by Stefano
> Changes in v3:
> * Removed already applied ASSERT() rename
> * Renamed serialisation functions
> * Incorporated Stefano's extensions, reworked and fixed
> * Several additional cleanups / preliminary reworks
> Changes in v2:
> * Removed already applied cleanups
> * Reworked assert() patch to handle -DNDEBUG properly
> * Numerous extra patches:
>   * Factored out serialisation helpers and use them for migration as
>     well
>   * Reworked to allow ip.[ch] and inany.[ch] to be shared with pesto
>   * Reworks to share some forwarding rule datatypes with pesto
>   * Implemented sending pif names and current ruleset to pesto
> ---
>
> David Gibson (17):
>   conf, fwd: Stricter rule checking in fwd_rule_add()
>   fwd_rule: Move ephemeral port probing to fwd_rule.c
>   fwd, conf: Move rule parsing code to fwd_rule.[ch]
>   fwd_rule: Move conflict checking back within fwd_rule_add()
>   fwd: Generalise fwd_rules_info()
>   pif: Limit pif names to 128 bytes
>   fwd_rule: Fix some format specifiers
>   pesto: Introduce stub configuration tool
>   pesto, log: Share log.h (but not log.c) with pesto tool
>   pesto, conf: Have pesto connect to passt and check versions
>   pesto: Expose list of pifs to pesto and display them
>   ip: Prepare ip.[ch] for sharing with pesto tool
>   inany: Prepare inany.[ch] for sharing with pesto tool
>   pesto: Read current ruleset from passt/pasta and optionally display it
>   pesto: Parse and add new rules from command line
>   pesto, conf: Send updated rules from pesto back to passt/pasta
>   conf, fwd: Allow switching to new rules received from pesto
>
> Stefano Brivio (2):
>   fwd_rule: Fix static checkers warnings in fwd_rule_add()
>   pesto, conf, fwd_rule: Add options and modes to add, delete, clear
>     rules
>
>  .gitignore   |   2 +
>  Makefile     |  53 ++--
>  common.h     | 116 +++++++++
>  conf.c       | 696 ++++++++++++++++++++++-----------------------------
>  conf.h       |   2 +
>  epoll_type.h |   4 +
>  flow.c       |   4 +-
>  fwd.c        | 169 ++++---------
>  fwd.h        |  41 +--
>  fwd_rule.c   | 680 +++++++++++++++++++++++++++++++++++++++++++++++--
>  fwd_rule.h   |  68 ++++-
>  inany.c      |  19 +-
>  inany.h      |  17 +-
>  ip.c         |  56 +----
>  ip.h         |   4 +-
>  lineread.c   |   2 +-
>  log.h        |  53 +++-
>  passt.1      |   5 +
>  passt.c      |   8 +
>  passt.h      |   8 +
>  pesto.1      | 271 ++++++++++++++++++++
>  pesto.c      | 520 ++++++++++++++++++++++++++++++++++++++
>  pesto.h      |  54 ++++
>  pif.c        |   2 +-
>  pif.h        |   7 +-
>  serialise.c  |   7 +
>  serialise.h  |   1 +
>  siphash.h    |  13 +
>  tap.c        |  52 ++++
>  util.h       | 110 +-------
>  30 files changed, 2252 insertions(+), 792 deletions(-)
>  create mode 100644 common.h
>  create mode 100644 pesto.1
>  create mode 100644 pesto.c
>  create mode 100644 pesto.h
>
> --
> 2.43.0
>

-- 
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson
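The SOCK_NONBLOCK point from the v8 changelog (10/19), shown as an added example that is not code from the passt/pesto series or from either mail: accept4(..., SOCK_NONBLOCK) flags only the accepted socket, while fcntl(F_SETFL, O_NONBLOCK) on the listener is what makes accept() stop blocking. The abstract UNIX socket name is a constructed stand-in, not passt's real socket.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

int fd_is_nonblock(int fd)	/* 1 if O_NONBLOCK is set, 0 if not, -1 on error */
{
	int flags = fcntl(fd, F_GETFL);
	return flags < 0 ? -1 : !!(flags & O_NONBLOCK);
}

/* Listening (do_listen) or connected UNIX stream socket on a Linux abstract
 * name: a constructed stand-in for the socket passt listens on for pesto */
static int unix_sock(int do_listen)
{
	struct sockaddr_un sa = { .sun_family = AF_UNIX, .sun_path = "\0pesto-nb-demo" };
	socklen_t len = offsetof(struct sockaddr_un, sun_path) + sizeof("\0pesto-nb-demo") - 1;
	int fd = socket(AF_UNIX, SOCK_STREAM, 0);
	if (fd < 0 || (do_listen ? bind(fd, (void *)&sa, len) || listen(fd, 1)
				 : connect(fd, (void *)&sa, len))) {
		close(fd);
		return -1;
	}
	return fd;
}

/* Returns bit 0: listener has O_NONBLOCK after accept4(SOCK_NONBLOCK); bit 1:
 * the accepted socket has it; bit 2: with O_NONBLOCK set on the listener by
 * fcntl() instead, accept() on an empty queue fails with EAGAIN. Expect 6. */
int nonblock_demo(void)
{
	int lfd = unix_sock(1), cfd, afd, flags, res = 0;
	if (lfd < 0 || (cfd = unix_sock(0)) < 0 ||
	    (afd = accept4(lfd, NULL, NULL, SOCK_NONBLOCK)) < 0)
		return -1;
	res |= fd_is_nonblock(lfd) | fd_is_nonblock(afd) << 1;
	close(afd);
	close(cfd);
	/* What the series does instead: mark the listening socket itself */
	flags = fcntl(lfd, F_GETFL);
	if (flags < 0 || fcntl(lfd, F_SETFL, flags | O_NONBLOCK))
		return -1;
	afd = accept(lfd, NULL, NULL);	/* queue is empty now */
	res |= (afd < 0 && (errno == EAGAIN || errno == EWOULDBLOCK)) << 2;
	close(lfd);
	return res;
}
```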