passt, branch 2025_09_19.623dbf6 Plug A Simple Socket Transport Add --stats option to display event statistics 2025-09-19T17:30:27+00:00 Laurent Vivier lvivier@redhat.com 2025-09-19T12:53:58+00:00 623dbf6f16d8dedac5a361a0d1daadc772ac842b Introduce a new --stats DELAY option that displays event statistics tables showing counts by epoll event type. Statistics are printed to stderr with a minimum delay between updates, and only when events occur. Signed-off-by: Laurent Vivier <lvivier@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Introduce a new --stats DELAY option that displays event statistics
tables showing counts by epoll event type. Statistics are printed to
stderr with a minimum delay between updates, and only when events occur.

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
netlink: Drop nexthop state flags from routes we duplicate 2025-09-19T17:30:00+00:00 Stefano Brivio sbrivio@redhat.com 2025-09-18T16:32:16+00:00 ad4aae7a3262460137c9a287819ee2957e882581 The kernel doesn't like those (EINVAL) on RTM_NEWROUTE, as they are flags representing states, not configuration. Link: https://github.com/containers/podman/discussions/27104 Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> Reviewed-by: Paul Holzinger <pholzing@redhat.com> 
The kernel doesn't like those (EINVAL) on RTM_NEWROUTE, as they are
flags representing states, not configuration.

Link: https://github.com/containers/podman/discussions/27104
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Paul Holzinger <pholzing@redhat.com>
Add CONTRIBUTING.md 2025-09-18T15:17:10+00:00 Yumei Huang yuhuang@redhat.com 2025-09-18T01:17:34+00:00 080f176ed13245f9c2999ee5bf76fa4ca56dc7d3 Signed-off-by: Yumei Huang <yuhuang@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Signed-off-by: Yumei Huang <yuhuang@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
selinux: add missing file contexts for Podman 2025-09-18T15:17:10+00:00 Paul Holzinger pholzing@redhat.com 2025-09-17T12:04:52+00:00 c66be2c2a0d4448623a32211222c5abf2e6aa7f4 Podman may also use directories under /tmp if XDG_RUNTIME_DIR is not defined. Make sure the policy defined the right context for them as well. Link: https://github.com/containers/podman/issues/26473 Link: https://bugzilla.redhat.com/show_bug.cgi?id=2373054 Signed-off-by: Paul Holzinger <pholzing@redhat.com> [sbrivio: minor style fixes] Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Podman may also use directories under /tmp if XDG_RUNTIME_DIR is not
defined. Make sure the policy defined the right context for them as
well.

Link: https://github.com/containers/podman/issues/26473
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2373054
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
[sbrivio: minor style fixes]
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
selinux: add container_var_run_t type transition 2025-09-18T15:16:58+00:00 Paul Holzinger pholzing@redhat.com 2025-09-17T12:04:50+00:00 fd1bcc30af0778715666434799180ee456c0c83f In some cases the podman runroot directory used to be labelled container_var_run_t instead of user_tmp_t which was expected here. Starting with a recent container-selinux change the runroot is now always container_var_run_t so make the policy handle both types to allow for a better upgrade path where passt-selinux and container-selinux are not updated at the same time. Link: https://github.com/containers/container-selinux/pull/405 Link: https://github.com/containers/podman/issues/26473 Signed-off-by: Paul Holzinger <pholzing@redhat.com> [sbrivio: minor style edits] Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
In some cases the podman runroot directory used to be labelled
container_var_run_t instead of user_tmp_t which was expected here.
Starting with a recent container-selinux change the runroot is now
always container_var_run_t so make the policy handle both types to allow
for a better upgrade path where passt-selinux and container-selinux are
not updated at the same time.

Link: https://github.com/containers/container-selinux/pull/405
Link: https://github.com/containers/podman/issues/26473
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
[sbrivio: minor style edits]
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
dhcp: Fix coding style violations in dhcp() function 2025-09-18T15:11:36+00:00 Laurent Vivier lvivier@redhat.com 2025-09-17T06:41:42+00:00 6f23cb9fdb59a8369780c19a06c0739e1c2c8c09 The dhcp() function wasn't following the inverted Christmas tree variable declaration ordering convention. Signed-off-by: Laurent Vivier <lvivier@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
The dhcp() function wasn't following the inverted Christmas tree
variable declaration ordering convention.

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Improve clarity of comment 2025-09-17T11:52:41+00:00 Volker Diels-Grabsch v@njh.eu 2025-09-16T19:21:16+00:00 1f22fde93466005d803bf2fb1b17147b877fb7ed The new wording clarifies that we (1) use the broadcast MAC address only until we know the actual MAC address of the guest, and (2) our first packets will not necessarily "reach" the guest, in the sense of being processed rather than dropped. (Which is why we actively send an initial ARP and/or NDP message, to get the guest MAC address as soon as possible.) Signed-off-by: Volker Diels-Grabsch <v@njh.eu> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
The new wording clarifies that we (1) use the broadcast MAC address
only until we know the actual MAC address of the guest, and (2) our
first packets will not necessarily "reach" the guest, in the sense of
being processed rather than dropped. (Which is why we actively send an
initial ARP and/or NDP message, to get the guest MAC address as soon
as possible.)

Signed-off-by: Volker Diels-Grabsch <v@njh.eu>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Send an initial ARP and NDP request to resolve the guest IP address 2025-09-17T11:51:28+00:00 Volker Diels-Grabsch v@njh.eu 2025-09-16T19:21:15+00:00 e2920e36f65f333af5d217933dc04f32947bb028 When restarting passt while QEMU keeps running with a configured "reconnect-ms" setting, the port forwardings will stop working until the guest sends some outgoing network traffic. Reason: Although QEMU reconnects successfully to the unix domain socket of the new passt process, that one no longer knows the guest's MAC address and uses instead the broadcast MAC address. However, this is ignored by the guest, at least if the guest runs Linux. Only after the guest sends some network package on its own initiative, passt will know the MAC address and will be able to establish forwarded connections. This change fixes this issue by sending an ARP and an NDP request to resolve the guest's MAC address via its IPv4 and IPv6 address, which we do know, right after the unix domain socket (re)connection. The only case where the IP is "wrong" would be if the configuration changed, or on the very first start right after qemu started. But in those cases, we just wouldn't get an ARP/NDP response, and can't do anything until we receive the guest's DHCP request - just as before. In other words, in the worst case the ARP/NDP requests would be harmless. Signed-off-by: Volker Diels-Grabsch <v@njh.eu> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
When restarting passt while QEMU keeps running with a configured
"reconnect-ms" setting, the port forwardings will stop working until
the guest sends some outgoing network traffic.

Reason: Although QEMU reconnects successfully to the unix domain
socket of the new passt process, that one no longer knows the guest's
MAC address and uses instead the broadcast MAC address.  However, this
is ignored by the guest, at least if the guest runs Linux.  Only after
the guest sends some network package on its own initiative, passt will
know the MAC address and will be able to establish forwarded
connections.

This change fixes this issue by sending an ARP and an NDP request to
resolve the guest's MAC address via its IPv4 and IPv6 address, which
we do know, right after the unix domain socket (re)connection.

The only case where the IP is "wrong" would be if the configuration
changed, or on the very first start right after qemu started.  But in
those cases, we just wouldn't get an ARP/NDP response, and can't do
anything until we receive the guest's DHCP request - just as before.
In other words, in the worst case the ARP/NDP requests would be
harmless.

Signed-off-by: Volker Diels-Grabsch <v@njh.eu>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Fix --no-icmp description and make it imply --no-ndp 2025-09-17T11:51:24+00:00 Volker Diels-Grabsch v@njh.eu 2025-09-16T19:21:14+00:00 142b3d872b7cd58391f59fa34f6ed399e72aaaf9 Signed-off-by: Volker Diels-Grabsch <v@njh.eu> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Signed-off-by: Volker Diels-Grabsch <v@njh.eu>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Introduce constant MAC_BROADCAST 2025-09-17T11:51:14+00:00 Volker Diels-Grabsch v@njh.eu 2025-09-16T19:21:13+00:00 07cb07de4c6e69beb9d15f9a0156e55c4ca6161a Signed-off-by: Volker Diels-Grabsch <v@njh.eu> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Signed-off-by: Volker Diels-Grabsch <v@njh.eu>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>