passt, branch 2026_01_20.386b5f5 Plug A Simple Socket Transport flow: Remove EPOLLFD_ID_INVALID 2026-01-20T18:37:53+00:00 Laurent Vivier lvivier@redhat.com 2026-01-19T16:19:15+00:00 386b5f5472b89769c025f5d5056348532a823b93 As all flows are now registered with an epollid at creation, we no longer need to test if a flow is in epoll. Remove all related code including flow_in_epoll() and flow_epollid_clear(). Signed-off-by: Laurent Vivier <lvivier@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
As all flows are now registered with an epollid at creation, we no
longer need to test if a flow is in epoll.  Remove all related code
including flow_in_epoll() and flow_epollid_clear().

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
tcp: Register fds with epoll at flow creation 2026-01-20T18:37:46+00:00 Laurent Vivier lvivier@redhat.com 2026-01-19T16:19:14+00:00 90287c2a774ec5f13214db8384a1c730c6c0b83c Register connection sockets with epoll using empty events (events=0) in tcp_conn_from_tap(), tcp_tap_conn_from_sock() and tcp_flow_repair_socket(). This allows tcp_epoll_ctl() to always use EPOLL_CTL_MOD, removing the need to check whether fds are already registered. As a result, the conditional ADD/MOD logic is no longer needed, simplifying the function. Signed-off-by: Laurent Vivier <lvivier@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Register connection sockets with epoll using empty events
(events=0) in tcp_conn_from_tap(), tcp_tap_conn_from_sock()
and tcp_flow_repair_socket().

This allows tcp_epoll_ctl() to always use EPOLL_CTL_MOD, removing
the need to check whether fds are already registered. As a result, the
conditional ADD/MOD logic is no longer needed, simplifying the function.

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
tcp_splice: Register fds with epoll at flow creation 2026-01-20T18:37:39+00:00 Laurent Vivier lvivier@redhat.com 2026-01-19T16:19:13+00:00 0fbd7af77d5222f46863cfc144f0582bd08eaf29 Register both splice connection sockets with epoll using empty events (events=0) in tcp_splice_connect(), before initiating the connection. This allows tcp_splice_epoll_ctl() to always use EPOLL_CTL_MOD, removing the need to check whether fds are already registered. As a result, the conditional ADD/MOD logic is no longer needed, simplifying the function. If the second flow_epoll_set() fails after the first succeeds, we don't need explicit rollback: tcp_splice_conn_from_sock() sets the CLOSING flag on error, and conn_flag() handles it by calling epoll_del() for both sockets. Signed-off-by: Laurent Vivier <lvivier@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Register both splice connection sockets with epoll using empty events
(events=0) in tcp_splice_connect(), before initiating the connection.

This allows tcp_splice_epoll_ctl() to always use EPOLL_CTL_MOD, removing
the need to check whether fds are already registered. As a result, the
conditional ADD/MOD logic is no longer needed, simplifying the function.

If the second flow_epoll_set() fails after the first succeeds, we don't
need explicit rollback: tcp_splice_conn_from_sock() sets the CLOSING
flag on error, and conn_flag() handles it by calling epoll_del() for
both sockets.

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
conf, pasta: Add --splice-only option 2026-01-19T08:12:27+00:00 Yumei Huang yuhuang@redhat.com 2026-01-16T03:25:09+00:00 cee7eb0dbf89cc096b8dea50999c6b90708defe4 This patch introduces a mode where we only forward loopback connections and traffic between two namespaces (via the loopback interface, 'lo'), without a tap device. It might be used to fix up podman IPv4 / IPv6 loopback mapping when using rootlesskit for forwarding ports, or a way to implement isolated containers. In this mode, --host-lo-to-ns-lo and --no-icmp are automatically enabled. Option --no-splice is rejected. Link: https://bugs.passt.top/show_bug.cgi?id=149 Signed-off-by: Yumei Huang <yuhuang@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
This patch introduces a mode where we only forward loopback connections
and traffic between two namespaces (via the loopback interface, 'lo'),
without a tap device.

It might be used to fix up podman IPv4 / IPv6 loopback mapping when using
rootlesskit for forwarding ports, or a way to implement isolated containers.

In this mode, --host-lo-to-ns-lo and --no-icmp are automatically enabled.
Option --no-splice is rejected.

Link: https://bugs.passt.top/show_bug.cgi?id=149
Signed-off-by: Yumei Huang <yuhuang@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
flow, fwd: Optimise forwarding rule lookup using epoll ref when possible 2026-01-18T11:48:09+00:00 David Gibson david@gibson.dropbear.id.au 2026-01-16T00:59:26+00:00 4a0d507296ef8c1349669e95fd672539734d9a6c Now that listening sockets include a reference to the forwarding rule which created them we can, in many cases, avoid a linear search of the forwarding table when we want to find the relevant rule. Instead we can take the rule index from the socket's epoll reference, and use that to immediately find the correct rule. This is conceptually simple, but requires a moderate amount of plumbing to get the index from the reference through to the rule lookup. We still allow fall back to linear search if we don't have the index, and this may (rarely) be used in the udp_flush_flow() case, where we could get packets for one flow on a different flow's socket, rather than through a listening socket as usual. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Now that listening sockets include a reference to the forwarding rule
which created them we can, in many cases, avoid a linear search of the
forwarding table when we want to find the relevant rule.  Instead we
can take the rule index from the socket's epoll reference, and use
that to immediately find the correct rule.

This is conceptually simple, but requires a moderate amount of
plumbing to get the index from the reference through to the rule
lookup.  We still allow fall back to linear search if we don't have
the index, and this may (rarely) be used in the udp_flush_flow() case,
where we could get packets for one flow on a different flow's socket,
rather than through a listening socket as usual.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
fwd, tcp, udp: Add forwarding rule to listening socket epoll references 2026-01-18T11:48:06+00:00 David Gibson david@gibson.dropbear.id.au 2026-01-16T00:59:25+00:00 fe37028466d3d29d74ebf53e9c53c9f139fbc74e Now that we have a table of all our forwarding rules, every listening socket can be associated with a specific rule. Add an index allowing us to locate that rule from the socket's epoll reference. We don't use it yet, but we'll use it to optimise rule lookup when forwarding new flows. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Now that we have a table of all our forwarding rules, every listening
socket can be associated with a specific rule.  Add an index allowing us to
locate that rule from the socket's epoll reference.  We don't use it yet,
but we'll use it to optimise rule lookup when forwarding new flows.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
fwd: Remap ports based directly on forwarding rule 2026-01-18T11:48:03+00:00 David Gibson david@gibson.dropbear.id.au 2026-01-16T00:59:24+00:00 01bcdb925b0700faecec7dfaa1005147303ec0fb Currently we remap port numbers based on the legacy delta[] array, which is indexed only by original port number, not the listening address. Now that we look up a forwarding rule entry in flow_target(), we can use this entry to directly determine the correct remapped port. Implement this, and remove the old delta[] array. Link: https://bugs.passt.top/show_bug.cgi?id=187 Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Currently we remap port numbers based on the legacy delta[] array, which
is indexed only by original port number, not the listening address.  Now
that we look up a forwarding rule entry in flow_target(), we can use this
entry to directly determine the correct remapped port.  Implement this,
and remove the old delta[] array.

Link: https://bugs.passt.top/show_bug.cgi?id=187
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
flow, fwd: Consult rules table when forwarding a new flow from socket 2026-01-18T11:48:01+00:00 David Gibson david@gibson.dropbear.id.au 2026-01-16T00:59:23+00:00 f56a822c4d76556a6868d329e31e33c895fdb59a We now have a formal array of forwarding rules. However, we don't actually consult it when we forward a new flow. Instead we rely on (a) implicit information (we wouldn't be here if there wasn't a listening socket for the rule) and (b) the legacy delta[] data structure. Start addressing this, by searching for a matching forwarding rule when attempting to forward a new flow. For now this is incomplete: * We only do this for socket-initiated flows * We make a potentially costly linear lookup * We don't actually use the matching rule for anything yet We'll address each of those in later patches. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
We now have a formal array of forwarding rules.  However, we don't actually
consult it when we forward a new flow.  Instead we rely on (a) implicit
information (we wouldn't be here if there wasn't a listening socket for the
rule) and (b) the legacy delta[] data structure.

Start addressing this, by searching for a matching forwarding rule when
attempting to forward a new flow.  For now this is incomplete:
 * We only do this for socket-initiated flows
 * We make a potentially costly linear lookup
 * We don't actually use the matching rule for anything yet

We'll address each of those in later patches.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
fwd: Generate auto-forward exclusions from socket fd tables 2026-01-18T11:47:58+00:00 David Gibson david@gibson.dropbear.id.au 2026-01-16T00:59:22+00:00 a0af19f858d119da4a9deff1ea6d488545e99c5c When auto-forwarding based on port scans, we must exclude our own listening ports, to avoid circular forwards. Currently we use the (previous value of the) forwarding bitmaps for the reverse direction to determine that. Instead, generate it from the tables of listening sockets that we now maintain. For now this seems like a lot more work to get to the same place. However, it does mean we're basing our exclusions directly on the relevant information: which of the scanned listens belong to us. More importantly, it's a step towards removing the bitmaps entirely. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
When auto-forwarding based on port scans, we must exclude our own
listening ports, to avoid circular forwards.  Currently we use the
(previous value of the) forwarding bitmaps for the reverse direction
to determine that.

Instead, generate it from the tables of listening sockets that we now
maintain.  For now this seems like a lot more work to get to the same
place.  However, it does mean we're basing our exclusions directly on the
relevant information: which of the scanned listens belong to us.  More
importantly, it's a step towards removing the bitmaps entirely.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
conf, fwd: Check forwarding table for conflicting rules 2026-01-18T11:47:53+00:00 David Gibson david@gibson.dropbear.id.au 2026-01-16T00:59:21+00:00 03a9c4b2eb3f1708e9ef5e4241cbda6a08aefc94 It's possible for a user to supply conflicting forwarding parameters, e.g. $ pasta -t 80:8080 -t 127.0.0.1/80:8888 We give a warning in this case, but it's based on the legacy forwarding bitmaps. This is too strict, because it will also warn on cases that shouldn't conflict because they use different addresses, e.g. $ pasta -t 192.0.2.1/80:8080 127.0.0.1/80:8888 Theoretically, it's also too loose because it won't take into account auto-scan forwarding rules. We can't hit that in practice now, because we only ever have one auto-scan rule and nothing else, but we want to remove that restriction in future. Replace the bitmap based check with a check based on actually scanning the forwarding rules for conflicts. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
It's possible for a user to supply conflicting forwarding parameters, e.g.
    $ pasta -t 80:8080 -t 127.0.0.1/80:8888

We give a warning in this case, but it's based on the legacy
forwarding bitmaps.  This is too strict, because it will also warn on
cases that shouldn't conflict because they use different addresses,
e.g.
    $ pasta -t 192.0.2.1/80:8080 127.0.0.1/80:8888

Theoretically, it's also too loose because it won't take into account
auto-scan forwarding rules.  We can't hit that in practice now,
because we only ever have one auto-scan rule and nothing else, but we
want to remove that restriction in future.

Replace the bitmap based check with a check based on actually scanning
the forwarding rules for conflicts.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>