<feed xmlns='http://www.w3.org/2005/Atom'>
<title>passt, branch 2026_05_07.1afd4ed</title>
<subtitle>Plug A Simple Socket Transport</subtitle>
<link rel='alternate' type='text/html' href='https://passt.top/passt/'/>
<entry>
<title>hooks: Copy static build of pesto and related man page to server</title>
<updated>2026-05-07T06:06:30+00:00</updated>
<author>
<name>Stefano Brivio</name>
<email>sbrivio@redhat.com</email>
</author>
<published>2026-05-06T01:33:36+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=1afd4edb0eab5cb06197ab721739aa8dfef4b3ce'/>
<id>1afd4edb0eab5cb06197ab721739aa8dfef4b3ce</id>
<content type='text'>
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Reviewed-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Reviewed-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fedora: Install pesto, its SELinux policy, and the man page from the spec file</title>
<updated>2026-05-07T06:06:30+00:00</updated>
<author>
<name>Stefano Brivio</name>
<email>sbrivio@redhat.com</email>
</author>
<published>2026-05-06T01:32:21+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=82523bc8a78c89f19de3c162aaab71bd29a239ae'/>
<id>82523bc8a78c89f19de3c162aaab71bd29a239ae</id>
<content type='text'>
It's time to ship it in packages.

Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Reviewed-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
It's time to ship it in packages.

Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Reviewed-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>selinux: Add file context and type enforcement for pesto</title>
<updated>2026-05-07T06:06:30+00:00</updated>
<author>
<name>Stefano Brivio</name>
<email>sbrivio@redhat.com</email>
</author>
<published>2026-05-06T01:30:29+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=5335770089427746986e4f2a6304b39181393083'/>
<id>5335770089427746986e4f2a6304b39181393083</id>
<content type='text'>
Loosely inspired by passt-repair's policy: pesto needs to be able to
run, check networking entries under /proc (for ip_local_port_range),
talk to passt and pasta, wherever the control socket is.

Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Loosely inspired by passt-repair's policy: pesto needs to be able to
run, check networking entries under /proc (for ip_local_port_range),
talk to passt and pasta, wherever the control socket is.

Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>apparmor: Add policy file for pesto</title>
<updated>2026-05-07T06:06:30+00:00</updated>
<author>
<name>Stefano Brivio</name>
<email>sbrivio@redhat.com</email>
</author>
<published>2026-05-06T01:28:42+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=b3b26323aaeac6119577922e47e8cfa3ed3a16d0'/>
<id>b3b26323aaeac6119577922e47e8cfa3ed3a16d0</id>
<content type='text'>
It needs to connect to passt and pasta, whether they're started as
root or not, and the control socket can be anywhere.

Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
It needs to connect to passt and pasta, whether they're started as
root or not, and the control socket can be anywhere.

Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>pesto, conf, fwd_rule: Add options and modes to add, delete, clear rules</title>
<updated>2026-05-07T06:06:30+00:00</updated>
<author>
<name>Stefano Brivio</name>
<email>sbrivio@redhat.com</email>
</author>
<published>2026-05-05T22:39:09+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=2692ef3fa67d89076e1ad035434db9312a0b3813'/>
<id>2692ef3fa67d89076e1ad035434db9312a0b3813</id>
<content type='text'>
Instead of just being able to add to the existing tables, implement
an explicit --clear option to replace them, which now becomes the
default behaviour, and implement explicit --add and --delete options
to maintain the table and add or delete specific ports.

The option --clear PIF forces the clearing of a table, instead.

These options can be combined arbitrarily and are handled as
sequential commands, as now described in pesto(1).

If no option is given before forwarding specifiers for a matching
table, the command line is interpreted as a replacement of the
existing rules.

To this end:

- there's no protocol change, as pesto is anyway sending updated
  copies of the table

- the forwarding table functions now include a new fwd_rule_del(),
  which deletes an existing rule only if a matching one is found

- a trivial fwd_rule_clear() is factored out from the existing
  conf_handler() implementation, so that it can be directly used
  in pesto

The entry points for parsing of port specifiers now take an additional
'del' parameter which is passed down all the way before reaching the
fwd_rule_add() implementation. If a rule should be deleted, at that
point, fwd_rule_del() is called instead.

Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Reviewed-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
Reviewed-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Instead of just being able to add to the existing tables, implement
an explicit --clear option to replace them, which now becomes the
default behaviour, and implement explicit --add and --delete options
to maintain the table and add or delete specific ports.

The option --clear PIF forces the clearing of a table, instead.

These options can be combined arbitrarily and are handled as
sequential commands, as now described in pesto(1).

If no option is given before forwarding specifiers for a matching
table, the command line is interpreted as a replacement of the
existing rules.

To this end:

- there's no protocol change, as pesto is anyway sending updated
  copies of the table

- the forwarding table functions now include a new fwd_rule_del(),
  which deletes an existing rule only if a matching one is found

- a trivial fwd_rule_clear() is factored out from the existing
  conf_handler() implementation, so that it can be directly used
  in pesto

The entry points for parsing of port specifiers now take an additional
'del' parameter which is passed down all the way before reaching the
fwd_rule_add() implementation. If a rule should be deleted, at that
point, fwd_rule_del() is called instead.

Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Reviewed-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
Reviewed-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fwd_rule: Fix static checkers warnings in fwd_rule_add()</title>
<updated>2026-05-07T06:06:30+00:00</updated>
<author>
<name>Stefano Brivio</name>
<email>sbrivio@redhat.com</email>
</author>
<published>2026-05-03T21:56:01+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=e371d347ebb764665f3acd10c804ded44d04bb60'/>
<id>e371d347ebb764665f3acd10c804ded44d04bb60</id>
<content type='text'>
The new checks are actually sufficient but not enough for Coverity
Scan. Now that fwd-&gt;sock_count and new-&gt;last are affected or supplied
by clients, we need explicit (albeit redundant) checks on them.

Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Reviewed-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
Reviewed-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The new checks are actually sufficient but not enough for Coverity
Scan. Now that fwd-&gt;sock_count and new-&gt;last are affected or supplied
by clients, we need explicit (albeit redundant) checks on them.

Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Reviewed-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
Reviewed-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>conf, fwd: Allow switching to new rules received from pesto</title>
<updated>2026-05-07T06:06:30+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2026-05-03T21:56:00+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=4ff9887bfe630aa27178ec38c69e69f7960e1d50'/>
<id>4ff9887bfe630aa27178ec38c69e69f7960e1d50</id>
<content type='text'>
We can now receive updates to the forwarding rules from the pesto client
and store them in a "pending" copy of the forwarding tables.  Implement
switching to using the new rules.

The logic is in a new fwd_listen_switch().  For now this closes all
listening sockets related to the old tables, swaps the active and pending
tables, then listens based on the new tables.  In future we look to improve
this so that we don't temporarily stop listening on ports that both the
old and new tables specify.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
[sbrivio: In fwd_listen_switch(), use the destination size as argument
 to memcpy(), instead of sizeof(tmp), as suggested by Laurent]
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Reviewed-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We can now receive updates to the forwarding rules from the pesto client
and store them in a "pending" copy of the forwarding tables.  Implement
switching to using the new rules.

The logic is in a new fwd_listen_switch().  For now this closes all
listening sockets related to the old tables, swaps the active and pending
tables, then listens based on the new tables.  In future we look to improve
this so that we don't temporarily stop listening on ports that both the
old and new tables specify.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
[sbrivio: In fwd_listen_switch(), use the destination size as argument
 to memcpy(), instead of sizeof(tmp), as suggested by Laurent]
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Reviewed-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>pesto, conf: Send updated rules from pesto back to passt/pasta</title>
<updated>2026-05-07T06:06:30+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2026-05-03T21:55:59+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=7c5b1d72ffa4225929e99ac32604df4648d20eed'/>
<id>7c5b1d72ffa4225929e99ac32604df4648d20eed</id>
<content type='text'>
Extend pesto to send the updated rule configuration back to passt/pasta.
Extend passt/pasta to read the new configuration and store the new rules in
a "pending" table.  We don't yet attempt to activate them.

Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
[dwg: Based on an early draft from Stefano]
[sbrivio: Add redundant check on interface names being terminated in
 conf_recv_rules(), to make static checkers happy]
[sbrivio: Make conf_recv_rules() return -1 if fwd_rule_read() fails,
 as suggested by Jon Maloy]
[sbrivio: Fix conflicts in Makefile]
Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Reviewed-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Extend pesto to send the updated rule configuration back to passt/pasta.
Extend passt/pasta to read the new configuration and store the new rules in
a "pending" table.  We don't yet attempt to activate them.

Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
[dwg: Based on an early draft from Stefano]
[sbrivio: Add redundant check on interface names being terminated in
 conf_recv_rules(), to make static checkers happy]
[sbrivio: Make conf_recv_rules() return -1 if fwd_rule_read() fails,
 as suggested by Jon Maloy]
[sbrivio: Fix conflicts in Makefile]
Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Reviewed-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>pesto: Parse and add new rules from command line</title>
<updated>2026-05-07T06:06:30+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2026-05-03T21:55:58+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=cbd58d631db9875967aedc8157ee3b23b93eb299'/>
<id>cbd58d631db9875967aedc8157ee3b23b93eb299</id>
<content type='text'>
This adds parsing of options using fwd_rule_parse(), validates them and
adds them to the existing rules. It doesn't yet send those rules back to
passt or pasta.

Message-ID: &lt;20260322141843.4095972-3-sbrivio@redhat.com&gt;
[dwg: Based on an early draft by Stefano]
Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
[sbrivio: Recycled usage messages for -T and -U from conf.c as
 suggested by Laurent, dropped unrelated whitespace change]
[sbrivio: Add description of -t, -u, -T, -U to pesto.1]
[sbrivio: Fix conflicts in Makefile]
[sbrivio: Add description of -s to pesto.1 as well]
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Reviewed-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This adds parsing of options using fwd_rule_parse(), validates them and
adds them to the existing rules. It doesn't yet send those rules back to
passt or pasta.

Message-ID: &lt;20260322141843.4095972-3-sbrivio@redhat.com&gt;
[dwg: Based on an early draft by Stefano]
Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
[sbrivio: Recycled usage messages for -T and -U from conf.c as
 suggested by Laurent, dropped unrelated whitespace change]
[sbrivio: Add description of -t, -u, -T, -U to pesto.1]
[sbrivio: Fix conflicts in Makefile]
[sbrivio: Add description of -s to pesto.1 as well]
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Reviewed-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>pesto: Read current ruleset from passt/pasta and optionally display it</title>
<updated>2026-05-07T06:06:30+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2026-05-03T21:55:57+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=fa0676869ff02e98facdf52e31dcba01f35983ad'/>
<id>fa0676869ff02e98facdf52e31dcba01f35983ad</id>
<content type='text'>
Implement serialisation of our current forwarding rules in conf.c,
deserialising it to display in the pesto client.  Doing this requires
adding ip.c, inany.c, bitmap.c, lineread.c and fwd_rule.c to the pesto
build.  With previous preparations that now requires only a trivial change
to lineread.c.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Reviewed-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
[sbrivio: Use ntohs() for rule-&gt;to instead of htons() in
 fwd_rule_read(), reported by Jon Maloy]
[sbrivio: Add upper bound check on pc-&gt;fwd.count for count of rules
 received by pesto, reported missing by Laurent, plus nits also
 reported by Laurent]
[sbrivio: Fix conflicts in Makefile]
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Implement serialisation of our current forwarding rules in conf.c,
deserialising it to display in the pesto client.  Doing this requires
adding ip.c, inany.c, bitmap.c, lineread.c and fwd_rule.c to the pesto
build.  With previous preparations that now requires only a trivial change
to lineread.c.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Reviewed-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
[sbrivio: Use ntohs() for rule-&gt;to instead of htons() in
 fwd_rule_read(), reported by Jon Maloy]
[sbrivio: Add upper bound check on pc-&gt;fwd.count for count of rules
 received by pesto, reported missing by Laurent, plus nits also
 reported by Laurent]
[sbrivio: Fix conflicts in Makefile]
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
