Date: Wed, 6 May 2026 16:53:57 +1000
From: David Gibson
To: Stefano Brivio
Subject: Re: [PATCH v8 00/19] Dynamic configuration update implementation
References: <20260505234719.1437340-1-sbrivio@redhat.com>
In-Reply-To: <20260505234719.1437340-1-sbrivio@redhat.com>
Cc: passt-dev@passt.top, Jon Maloy, Laurent Vivier
List-Id: Development discussion and patches for passt

On Wed, May 06, 2026 at 01:47:00AM +0200, Stefano Brivio wrote:
> Changes in v8:
> * Implement --add, --delete, and --clear in 19/19, to add forwarding
>   rules instead of replacing tables, delete existing rules, and
>   explicitly clear tables
> * Address Laurent's comments for 15/19 and 17/19
> * In 10/19, instead of passing SOCK_NONBLOCK to accept4(), explicitly
>   set O_NONBLOCK on the listening socket. Using SOCK_NONBLOCK doesn't
>   do what we want, as it results in setting O_NONBLOCK on the new
>   socket rather than on the listening one
> * Note: 18/19 is left as it is, I didn't address pending comments
>   yet
> * Note: this doesn't include yet changes for AppArmor and SELinux
>   policies, as well as changes for the template Fedora spec file.
>   I'm still working on them

I haven't re-reviewed the whole series, but these changes all seem good,
with the exception of 19/19 and a few concerns on 10/19 which I've sent
separate mails about.
>
> Changes in v7:
> * Addressed comments from Laurent in 6/18, 8/18, 9/18, 10/18, 11/18,
>   12/18, 14/18, 15/18 (details in commit messages of single patches,
>   before my Signed-off-by)
> * Note: this doesn't include yet --add and --delete, I'm still
>   working on that
>
> Changes in v6:
> * Addressed comments from Jon in 10/18, 11/18, 14/18, and 16/18
> * Dodged all warnings from static checkers (Coverity Scan and
>   clang-tidy) with changes in 10/18, 11/18, 16/18, and with a
>   new patch, 18/18
> * This does *not* include yet the implementation of --add and
>   --delete switches for pesto as I originally intended, I'm
>   rather far from being done with those. At the moment I just
>   have a "mode selection" implementation for command line
>   parsing but merging rules to / removing rules from / clearing
>   the current table is something I barely started (and what I
>   have at the moment isn't really valuable anyway)
>
> David wrote:
>
> ---
> Here's the next draft of dynamic configuration updates. This now can
> successfully update rules, though I've not tested it very extensively.
>
> Patches 1..8/18 are preliminary reworks that make sense even without
> pesto - feel free to apply if you're happy with them. I don't think
> the rest should be applied yet; we need to at least harden it so passt
> can't be blocked indefinitely by a client which sends a partial update
> then waits.
>
> Based on my earlier series reworking static checking invocation.
>
> TODO:
> - Don't allow a client which sends a partial configuration then
>   blocks to also block passt
> - Allow pesto to clear existing configuration, not just add
> - Allow pesto to selectively delete existing rules, not just add
>
> Changes in v5:
> * If multiple clients connect at once, they're now blocked until the
>   first one finishes, instead of later ones being discarded
> Changes in v4:
> * Merged with remainder of forward rule parsing rework series
> * Fix some bugs in rule checking pointed out by Laurent
> * Significantly cleaned up option parsing code
> * Changed from replacing all existing rules to adding new rules
>   (clear and remove still TBD)
> * Somewhat simplified protocol (pif names and rules sent in a single
>   pass)
> * pesto is now allocation free
> * Fixed commit message and style nits pointed out by Stefano
> Changes in v3:
> * Removed already applied ASSERT() rename
> * Renamed serialisation functions
> * Incorporated Stefano's extensions, reworked and fixed
> * Several additional cleanups / preliminary reworks
> Changes in v2:
> * Removed already applied cleanups
> * Reworked assert() patch to handle -DNDEBUG properly
> * Numerous extra patches:
>   * Factored out serialisation helpers and use them for migration as
>     well
>   * Reworked to allow ip.[ch] and inany.[ch] to be shared with pesto
>   * Reworks to share some forwarding rule datatypes with pesto
>   * Implemented sending pif names and current ruleset to pesto
> ---
>
> David Gibson (17):
>   conf, fwd: Stricter rule checking in fwd_rule_add()
>   fwd_rule: Move ephemeral port probing to fwd_rule.c
>   fwd, conf: Move rule parsing code to fwd_rule.[ch]
>   fwd_rule: Move conflict checking back within fwd_rule_add()
>   fwd: Generalise fwd_rules_info()
>   pif: Limit pif names to 128 bytes
>   fwd_rule: Fix some format specifiers
>   pesto: Introduce stub configuration tool
>   pesto, log: Share log.h (but not log.c) with pesto tool
>   pesto, conf: Have pesto connect to passt and check versions
>   pesto: Expose list of pifs to pesto and display them
>   ip: Prepare ip.[ch] for sharing with pesto tool
>   inany: Prepare inany.[ch] for sharing with pesto tool
>   pesto: Read current ruleset from passt/pasta and optionally display it
>   pesto: Parse and add new rules from command line
>   pesto, conf: Send updated rules from pesto back to passt/pasta
>   conf, fwd: Allow switching to new rules received from pesto
>
> Stefano Brivio (2):
>   fwd_rule: Fix static checkers warnings in fwd_rule_add()
>   pesto, conf, fwd_rule: Add options and modes to add, delete, clear
>     rules
>
>  .gitignore   |   2 +
>  Makefile     |  53 ++--
>  common.h     | 116 +++++++++
>  conf.c       | 696 ++++++++++++++++++++++-----------------------------
>  conf.h       |   2 +
>  epoll_type.h |   4 +
>  flow.c       |   4 +-
>  fwd.c        | 169 ++++---------
>  fwd.h        |  41 +--
>  fwd_rule.c   | 680 +++++++++++++++++++++++++++++++++++++++++++++++--
>  fwd_rule.h   |  68 ++++-
>  inany.c      |  19 +-
>  inany.h      |  17 +-
>  ip.c         |  56 +----
>  ip.h         |   4 +-
>  lineread.c   |   2 +-
>  log.h        |  53 +++-
>  passt.1      |   5 +
>  passt.c      |   8 +
>  passt.h      |   8 +
>  pesto.1      | 271 ++++++++++++++++++++
>  pesto.c      | 520 ++++++++++++++++++++++++++++++++++++++
>  pesto.h      |  54 ++++
>  pif.c        |   2 +-
>  pif.h        |   7 +-
>  serialise.c  |   7 +
>  serialise.h  |   1 +
>  siphash.h    |  13 +
>  tap.c        |  52 ++++
>  util.h       | 110 +-------
>  30 files changed, 2252 insertions(+), 792 deletions(-)
>  create mode 100644 common.h
>  create mode 100644 pesto.1
>  create mode 100644 pesto.c
>  create mode 100644 pesto.h
>
> -- 
> 2.43.0
>

-- 
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson
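The v8 note about 10/19 (SOCK_NONBLOCK on accept4() marks the accepted socket, not the listener) and the cover letter's concern about a client being able to block passt indefinitely can both be seen in a short program. This is an added example, not code from the passt or pesto series: it assumes a writable path for a throwaway AF_UNIX listening socket and does not model pesto's protocol, only the two ways of asking for a non-blocking accept.

```c
/*
 * accept4(..., SOCK_NONBLOCK) vs. O_NONBLOCK on the listening socket.
 *
 * Added example, not passt/pesto code. Uses a throwaway AF_UNIX socket
 * at a caller-supplied path (assumed writable) to show which descriptor
 * each approach actually makes non-blocking.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

struct nonblock_demo {
	int listener_after_accept4;	/* O_NONBLOCK on listener after accept4(SOCK_NONBLOCK)? */
	int accepted_after_accept4;	/* O_NONBLOCK on the accepted socket? */
	int idle_accept_errno;		/* errno from accept4() on an idle O_NONBLOCK listener */
};

/* 1 if O_NONBLOCK is set on fd, 0 if clear, -1 on error */
static int is_nonblocking(int fd)
{
	int flags = fcntl(fd, F_GETFL);

	return flags < 0 ? -1 : !!(flags & O_NONBLOCK);
}

/* The approach described for 10/19: set O_NONBLOCK on the listener itself */
static int set_nonblocking(int fd)
{
	int flags = fcntl(fd, F_GETFL);

	return flags < 0 ? -1 : fcntl(fd, F_SETFL, flags | O_NONBLOCK);
}

static void unix_addr(struct sockaddr_un *a, const char *path)
{
	memset(a, 0, sizeof(*a));
	a->sun_family = AF_UNIX;
	strncpy(a->sun_path, path, sizeof(a->sun_path) - 1);
}

/* Runs the demonstration; returns 0 on success, -1 on setup failure */
int nonblock_demo(const char *path, struct nonblock_demo *r)
{
	struct sockaddr_un a;
	int lfd, cfd, afd;

	unix_addr(&a, path);
	unlink(path);
	if ((lfd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0)) < 0)
		return -1;
	if (bind(lfd, (struct sockaddr *)&a, sizeof(a)) < 0 || listen(lfd, 1) < 0)
		goto fail;

	/* One pending client, so the first accept4() returns immediately */
	if ((cfd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
		goto fail;
	if (connect(cfd, (struct sockaddr *)&a, sizeof(a)) < 0) {
		close(cfd);
		goto fail;
	}

	/* SOCK_NONBLOCK applies to the *accepted* socket only */
	afd = accept4(lfd, NULL, NULL, SOCK_NONBLOCK);
	if (afd < 0) {
		close(cfd);
		goto fail;
	}
	r->listener_after_accept4 = is_nonblocking(lfd);
	r->accepted_after_accept4 = is_nonblocking(afd);
	close(afd);
	close(cfd);

	/* No pending client now: a blocking listener would wedge the caller
	 * here for as long as nobody connects. With O_NONBLOCK set on the
	 * listener, accept4() instead fails immediately with EAGAIN. */
	if (set_nonblocking(lfd) < 0)
		goto fail;
	afd = accept4(lfd, NULL, NULL, 0);
	r->idle_accept_errno = afd < 0 ? errno : 0;
	if (afd >= 0)
		close(afd);

	close(lfd);
	unlink(path);
	return 0;
fail:
	close(lfd);
	unlink(path);
	return -1;
}

int main(void)
{
	struct nonblock_demo r;

	if (nonblock_demo("/tmp/accept4-demo.sock", &r) < 0) {
		perror("setup");
		return 1;
	}
	printf("listener non-blocking after accept4(SOCK_NONBLOCK): %d\n",
	       r.listener_after_accept4);
	printf("accepted socket non-blocking: %d\n", r.accepted_after_accept4);
	printf("idle accept4() on O_NONBLOCK listener: errno=%d (EAGAIN=%d)\n",
	       r.idle_accept_errno, EAGAIN);
	return 0;
}
```

The listener stays blocking after accept4(SOCK_NONBLOCK), so a server that relies on that flag still sleeps in accept4() whenever no connection is queued; the fcntl() on the listener is what lets an epoll-driven loop call accept4() only when readiness was reported and recover with EAGAIN otherwise. Note that neither flag addresses the other hazard named in the cover letter, a connected client that sends a partial update and then stalls: that needs a non-blocking or timed read path on the accepted socket as well.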