<feed xmlns='http://www.w3.org/2005/Atom'>
<title>passt, branch 2025_03_20.32f6212</title>
<subtitle>Plug A Simple Socket Transport</subtitle>
<link rel='alternate' type='text/html' href='https://passt.top/passt/'/>
<entry>
<title>Makefile: Enable -Wformat-security</title>
<updated>2025-03-20T04:50:53+00:00</updated>
<author>
<name>Stefano Brivio</name>
<email>sbrivio@redhat.com</email>
</author>
<published>2025-03-19T19:45:12+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=32f6212551c5db3b7b3548e8483e5d73f07a35ac'/>
<id>32f6212551c5db3b7b3548e8483e5d73f07a35ac</id>
<content type='text'>
It looks like an easy win to prevent a number of possible security
flaws.

Suggested-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Reviewed-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
It looks like an easy win to prevent a number of possible security
flaws.

Suggested-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Reviewed-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>conf: Include libgen.h for basename(), fix build against musl</title>
<updated>2025-03-20T04:50:49+00:00</updated>
<author>
<name>Stefano Brivio</name>
<email>sbrivio@redhat.com</email>
</author>
<published>2025-03-19T19:43:47+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=07c2d584b334b0c405a5702a4f2fad104d03940b'/>
<id>07c2d584b334b0c405a5702a4f2fad104d03940b</id>
<content type='text'>
Fixes: 4b17d042c7e4 ("conf: Move mode detection into helper function")
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Reviewed-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fixes: 4b17d042c7e4 ("conf: Move mode detection into helper function")
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Reviewed-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>tcp: Flush socket before checking for more data in active close state</title>
<updated>2025-03-20T04:50:43+00:00</updated>
<author>
<name>Stefano Brivio</name>
<email>sbrivio@redhat.com</email>
</author>
<published>2025-03-19T16:57:45+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=ebdd46367ce1acba235013d97e362b8677b538d5'/>
<id>ebdd46367ce1acba235013d97e362b8677b538d5</id>
<content type='text'>
Otherwise, if all the pending data is acknowledged:

- tcp_update_seqack_from_tap() updates the current tap-side ACK
  sequence (conn-&gt;seq_ack_from_tap)

- next, we compare the sequence we sent (conn-&gt;seq_to_tap) to the
  ACK sequence (conn-&gt;seq_ack_from_tap) in tcp_data_from_sock() to
  understand if there's more data we can send.

  If they match, we conclude that we haven't sent any of that data,
  and keep re-sending it.

We need, instead, to flush the socket (drop acknowledged data) before
calling tcp_update_seqack_from_tap(), so that once we update
conn-&gt;seq_ack_from_tap, we can be sure that all data until there is
gone from the socket.

Link: https://bugs.passt.top/show_bug.cgi?id=114
Reported-by: Marek Marczykowski-Górecki &lt;marmarek@invisiblethingslab.com&gt;
Fixes: 30f1e082c3c0 ("tcp: Keep updating window and checking for socket data after FIN from guest")
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Reviewed-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Otherwise, if all the pending data is acknowledged:

- tcp_update_seqack_from_tap() updates the current tap-side ACK
  sequence (conn-&gt;seq_ack_from_tap)

- next, we compare the sequence we sent (conn-&gt;seq_to_tap) to the
  ACK sequence (conn-&gt;seq_ack_from_tap) in tcp_data_from_sock() to
  understand if there's more data we can send.

  If they match, we conclude that we haven't sent any of that data,
  and keep re-sending it.

We need, instead, to flush the socket (drop acknowledged data) before
calling tcp_update_seqack_from_tap(), so that once we update
conn-&gt;seq_ack_from_tap, we can be sure that all data until there is
gone from the socket.

Link: https://bugs.passt.top/show_bug.cgi?id=114
Reported-by: Marek Marczykowski-Górecki &lt;marmarek@invisiblethingslab.com&gt;
Fixes: 30f1e082c3c0 ("tcp: Keep updating window and checking for socket data after FIN from guest")
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Reviewed-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>migrate: Bump migration version number</title>
<updated>2025-03-19T16:17:18+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2025-03-19T05:14:23+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=c250ffc5c11385d9618b3a8165e676d68d5cbfa2'/>
<id>c250ffc5c11385d9618b3a8165e676d68d5cbfa2</id>
<content type='text'>
v1 of the migration stream format had some flaws: it didn't properly
handle endianness of the MSS field, and it didn't transfer the RFC7323
timestamp.  We've now fixed those bugs, but it requires incompatible
changes to the stream format.

Because of the timestamps in particular, v1 is not really usable, so there
is little point maintaining compatible support for it.  However, v1 is in
released packages, both upstream and downstream (RHEL at least).  Just
updating the stream format without bumping the version would lead to very
cryptic errors if anyone did attempt to migrate between an old and new
passt.

So, bump the migration version to v2, so we'll get a clear error message if
anyone attempts this.  We don't attempt to maintain backwards compatibility
with v1, however: we'll simply fail if given a v1 stream.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
v1 of the migration stream format had some flaws: it didn't properly
handle endianness of the MSS field, and it didn't transfer the RFC7323
timestamp.  We've now fixed those bugs, but it requires incompatible
changes to the stream format.

Because of the timestamps in particular, v1 is not really usable, so there
is little point maintaining compatible support for it.  However, v1 is in
released packages, both upstream and downstream (RHEL at least).  Just
updating the stream format without bumping the version would lead to very
cryptic errors if anyone did attempt to migrate between an old and new
passt.

So, bump the migration version to v2, so we'll get a clear error message if
anyone attempts this.  We don't attempt to maintain backwards compatibility
with v1, however: we'll simply fail if given a v1 stream.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>migrate, tcp: Migrate RFC 7323 timestamp</title>
<updated>2025-03-19T14:27:27+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2025-03-19T05:14:22+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=cfb3740568ab291d7be00e457658c45ce9367ed5'/>
<id>cfb3740568ab291d7be00e457658c45ce9367ed5</id>
<content type='text'>
Currently our migration of the state of TCP sockets omits the RFC 7323
timestamp.  In some circumstances that can result in data sent from the
target machine not being received, because it is discarded on the peer due
to PAWS checking.

Add code to dump and restore the timestamp across migration.

Link: https://bugs.passt.top/show_bug.cgi?id=115
Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
[sbrivio: Minor style fixes]
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Currently our migration of the state of TCP sockets omits the RFC 7323
timestamp.  In some circumstances that can result in data sent from the
target machine not being received, because it is discarded on the peer due
to PAWS checking.

Add code to dump and restore the timestamp across migration.

Link: https://bugs.passt.top/show_bug.cgi?id=115
Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
[sbrivio: Minor style fixes]
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>migrate, tcp: More careful marshalling of mss parameter during migration</title>
<updated>2025-03-19T14:25:12+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2025-03-19T05:14:21+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=28772ee91a60b34786023496ea17c2c2f4e5f7f5'/>
<id>28772ee91a60b34786023496ea17c2c2f4e5f7f5</id>
<content type='text'>
During migration we extract the limit on segment size using TCP_MAXSEG,
and set it on the other side with TCP_REPAIR_OPTIONS.  However, unlike most
32-bit values we transfer, we transfer it in native endian, not network
endian.  This is not correct; add it to the list of endian fixups we make.

In addition, while MAXSEG will be 32 bits in practice, and is given as such
to TCP_REPAIR_OPTIONS, the TCP_MAXSEG sockopt treats it as an 'int'.  It's
not strictly safe to pass a uint32_t to a getsockopt() expecting an int,
although we'll get away with it on most (maybe all) platforms.  Correct
this as well.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
[sbrivio: Minor coding style fix]
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
During migration we extract the limit on segment size using TCP_MAXSEG,
and set it on the other side with TCP_REPAIR_OPTIONS.  However, unlike most
32-bit values we transfer, we transfer it in native endian, not network
endian.  This is not correct; add it to the list of endian fixups we make.

In addition, while MAXSEG will be 32 bits in practice, and is given as such
to TCP_REPAIR_OPTIONS, the TCP_MAXSEG sockopt treats it as an 'int'.  It's
not strictly safe to pass a uint32_t to a getsockopt() expecting an int,
although we'll get away with it on most (maybe all) platforms.  Correct
this as well.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
[sbrivio: Minor coding style fix]
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>passt-repair: Fix build with -Werror=format-security</title>
<updated>2025-03-18T16:18:47+00:00</updated>
<author>
<name>Stefano Brivio</name>
<email>sbrivio@redhat.com</email>
</author>
<published>2025-03-18T16:18:47+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=51f3c071a76bd20677e72b49007b822dca71e755'/>
<id>51f3c071a76bd20677e72b49007b822dca71e755</id>
<content type='text'>
Fixes: 04701702471e ("passt-repair: Add directory watch")
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fixes: 04701702471e ("passt-repair: Add directory watch")
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>tcp, flow: Better use flow specific logging helpers</title>
<updated>2025-03-14T22:40:40+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2025-03-13T02:56:17+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=cb5b593563402680bee850245667f2e71b0d1bda'/>
<id>cb5b593563402680bee850245667f2e71b0d1bda</id>
<content type='text'>
A number of places in the TCP code use general logging functions, instead
of the flow specific ones.  That includes a few older ones as well as many
places in the new migration code.  Thus they either don't identify which
flow the problem happened on, or identify it in a non-standard way.

Convert many of these to use the existing flow specific helpers.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
A number of places in the TCP code use general logging functions, instead
of the flow specific ones.  That includes a few older ones as well as many
places in the new migration code.  Thus they either don't identify which
flow the problem happened on, or identify it in a non-standard way.

Convert many of these to use the existing flow specific helpers.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>conf: Unify several paths in conf_ports()</title>
<updated>2025-03-14T22:40:23+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2025-03-12T03:43:59+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=96fe5548cb16fe2664ad121c2976048ccad6a1ab'/>
<id>96fe5548cb16fe2664ad121c2976048ccad6a1ab</id>
<content type='text'>
In conf_ports() we have three different paths which actually do the setup
of an individual forwarded port: one for the "all" case, one for the
exclusions only case and one for the range of ports with possible
exclusions case.

We can unify those cases using a new helper which handles a single range
of ports, with a bitmap of exclusions.  Although this is slightly longer
(largely due to the new helper's function comment), it reduces duplicated
logic.  It will also make future improvements to the tracking of port
forwards easier.

The new conf_ports_range_except() function has a pretty prodigious
parameter list, but I still think it's an overall improvement in conceptual
complexity.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In conf_ports() we have three different paths which actually do the setup
of an individual forwarded port: one for the "all" case, one for the
exclusions only case and one for the range of ports with possible
exclusions case.

We can unify those cases using a new helper which handles a single range
of ports, with a bitmap of exclusions.  Although this is slightly longer
(largely due to the new helper's function comment), it reduces duplicated
logic.  It will also make future improvements to the tracking of port
forwards easier.

The new conf_ports_range_except() function has a pretty prodigious
parameter list, but I still think it's an overall improvement in conceptual
complexity.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>test/perf: Simplify iperf3 server lifetime management</title>
<updated>2025-03-12T22:08:33+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2025-03-12T05:26:57+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=78f1f0fdfc1831f2ca3a65c2cee98c44ff3c30ab'/>
<id>78f1f0fdfc1831f2ca3a65c2cee98c44ff3c30ab</id>
<content type='text'>
After we start the iperf3 server in the background, we have a sleep to
make sure it's ready to receive connections.  We can simplify this slightly
by using the -D option to have iperf3 background itself rather than
backgrounding it manually.  That won't return until the server is ready to
use.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
After we start the iperf3 server in the background, we have a sleep to
make sure it's ready to receive connections.  We can simplify this slightly
by using the -D option to have iperf3 background itself rather than
backgrounding it manually.  That won't return until the server is ready to
use.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
