<feed xmlns='http://www.w3.org/2005/Atom'>
<title>passt, branch bug165</title>
<subtitle>Plug A Simple Socket Transport</subtitle>
<link rel='alternate' type='text/html' href='https://passt.top/passt/'/>
<entry>
<title>bug165 debug 2</title>
<updated>2025-12-01T23:26:12+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2025-11-28T03:53:14+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=4830188d56462d00a926dfc82f883bef8c4f9c09'/>
<id>4830188d56462d00a926dfc82f883bef8c4f9c09</id>
<content type='text'>
Instrumentation and possible workaround for bug 165.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Instrumentation and possible workaround for bug 165.
</pre>
</div>
</content>
</entry>
<entry>
<title>arp/ndp: don't send messages on uninitialized tap interface</title>
<updated>2025-11-27T21:29:25+00:00</updated>
<author>
<name>Jon Maloy</name>
<email>jmaloy@redhat.com</email>
</author>
<published>2025-11-27T00:53:16+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=2002c7d39c9d4fa01099d7f780b66cfb213b6454'/>
<id>2002c7d39c9d4fa01099d7f780b66cfb213b6454</id>
<content type='text'>
When running pasta without --config-net, the tap interface is opened
and assigned a valid file descriptor, but intentionally not brought
up in the namespace. This is the expected behavior when the user wants
to configure the namespace manually.

However, in PASTA mode the code is attempting to send ARP announcements
and NDP messages (initial requests and unsolicited NAs) based solely on
whether c-&gt;fd_tap is valid, without checking if the interface actually
is up and ready to transmit. This results in send failures, and when
debug is activated (pasta -d) we see error printouts for these early
messages.

We now add new function tap_is_ready() which checks both conditions:
- Whether fd_tap is valid (all modes)
- Whether the tap interface is up (pasta mode only). In this mode, we
  use the existing c-&gt;pasta_conf_ns flag, which indicates whether
  pasta_ns_conf() configured and brought up the interface. This test
  is simple, and good enough for now.

We update all functions that send unsolicited ARP/NDP messages to
check with the new function before making any send attempt.

This eliminates spurious send errors when starting pasta without
--config-net, while preserving correct behavior when the interface
is properly initialized.

Signed-off-by: Jon Maloy &lt;jmaloy@redhat.com&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When running pasta without --config-net, the tap interface is opened
and assigned a valid file descriptor, but intentionally not brought
up in the namespace. This is the expected behavior when the user wants
to configure the namespace manually.

However, in PASTA mode the code is attempting to send ARP announcements
and NDP messages (initial requests and unsolicited NAs) based solely on
whether c-&gt;fd_tap is valid, without checking if the interface actually
is up and ready to transmit. This results in send failures, and when
debug is activated (pasta -d) we see error printouts for these early
messages.

We now add new function tap_is_ready() which checks both conditions:
- Whether fd_tap is valid (all modes)
- Whether the tap interface is up (pasta mode only). In this mode, we
  use the existing c-&gt;pasta_conf_ns flag, which indicates whether
  pasta_ns_conf() configured and brought up the interface. This test
  is simple, and good enough for now.

We update all functions that send unsolicited ARP/NDP messages to
check with the new function before making any send attempt.

This eliminates spurious send errors when starting pasta without
--config-net, while preserving correct behavior when the interface
is properly initialized.

Signed-off-by: Jon Maloy &lt;jmaloy@redhat.com&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>test: Fix IPv6 address/prefix mismatch error</title>
<updated>2025-11-27T21:20:18+00:00</updated>
<author>
<name>Yumei Huang</name>
<email>yuhuang@redhat.com</email>
</author>
<published>2025-11-26T03:21:47+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=391c15afedacbc4c5e01bfd05ef73be5ab1770ac'/>
<id>391c15afedacbc4c5e01bfd05ef73be5ab1770ac</id>
<content type='text'>
For IPv6 addresses within the same scope group, Linux kernel preserves
insertion order, where the first inserted address appears last. As a
result, the ordering inside pasta differs from the host, causing a few
tests to fail when they compare only the first address on each side.
Fix this by checking that the guest’s first address matches any of the
host’s addresses.

Link: https://bugs.passt.top/show_bug.cgi?id=175
Signed-off-by: Yumei Huang &lt;yuhuang@redhat.com&gt;
Reviewed-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
For IPv6 addresses within the same scope group, Linux kernel preserves
insertion order, where the first inserted address appears last. As a
result, the ordering inside pasta differs from the host, causing a few
tests to fail when they compare only the first address on each side.
Fix this by checking that the guest’s first address matches any of the
host’s addresses.

Link: https://bugs.passt.top/show_bug.cgi?id=175
Signed-off-by: Yumei Huang &lt;yuhuang@redhat.com&gt;
Reviewed-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>spec: use %selinux_requires_min macro, drop overlapping dependencies</title>
<updated>2025-11-27T21:20:16+00:00</updated>
<author>
<name>Danish Prakash</name>
<email>contact@danishpraka.sh</email>
</author>
<published>2025-11-21T12:47:46+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=95ab87b490c5235c9c9dde8f100a93f4b17ba4f4'/>
<id>95ab87b490c5235c9c9dde8f100a93f4b17ba4f4</id>
<content type='text'>
Also, drop unused preun policycoreutils requires, and Recommends on
selinux-policy-%{targeted}, it has since been added to
%selinux_requires_min.

Signed-off-by: Danish Prakash &lt;contact@danishpraka.sh&gt;
Reviewed-by: Max Chernoff &lt;git@maxchernoff.ca&gt;
Tested-by: Max Chernoff &lt;git@maxchernoff.ca&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Also, drop unused preun policycoreutils requires, and Recommends on
selinux-policy-%{targeted}, it has since been added to
%selinux_requires_min.

Signed-off-by: Danish Prakash &lt;contact@danishpraka.sh&gt;
Reviewed-by: Max Chernoff &lt;git@maxchernoff.ca&gt;
Tested-by: Max Chernoff &lt;git@maxchernoff.ca&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fwd: Don't explicitly exclude reverse-direction TCP ports for UDP</title>
<updated>2025-11-21T03:17:22+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2025-11-19T04:26:34+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=be1583f6ea608ed4f7b1409e7ed35237c79a14df'/>
<id>be1583f6ea608ed4f7b1409e7ed35237c79a14df</id>
<content type='text'>
In auto-forwarding mode, we forward UDP ports for which there isn't (yet)
a listening UDP port on the other side, but where there is a listening
TCP socket for the same port number.  This is useful for certain protocols
such as iperf3.

Correspondingly, when excluding ports from forwarding, we also exclude TCP
ports from the other direction.  That sounds like it makes sense, but is
unnecessary: for the purposes of exclusion, we don't care why we have a
listening UDP socket for that port, just whether we have one.  That is
already incorporated into the UDP bitmap alone.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In auto-forwarding mode, we forward UDP ports for which there isn't (yet)
a listening UDP port on the other side, but where there is a listening
TCP socket for the same port number.  This is useful for certain protocols
such as iperf3.

Correspondingly, when excluding ports from forwarding, we also exclude TCP
ports from the other direction.  That sounds like it makes sense, but is
unnecessary: for the purposes of exclusion, we don't care why we have a
listening UDP socket for that port, just whether we have one.  That is
already incorporated into the UDP bitmap alone.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fwd: Exclude ports based on prior mapping state</title>
<updated>2025-11-21T03:17:14+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2025-11-19T04:26:33+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=fd3fc8d33d6c4344c59a60af16b074515b3da739'/>
<id>fd3fc8d33d6c4344c59a60af16b074515b3da739</id>
<content type='text'>
With auto port-forwarding modes we scan for listening ports on the host
and/or guest and create forwardings for them.  To avoid circular forwarding
we need to exclude our own listening ports.  We do this by masking out
the forwarding map for one direction from the other.

Since 1bc7d5485c10, some of our scans take place while the forward maps are
out of sync with what our actual listening ports are though: the map
represents what we intend to forward shortly, rather than what we have
open sockets for right now.

What we have sockets for right now is what matters for the purposes of
excluding from the scan, though, so that was incorrect.  So, restore
correct behaviour by saving the map of ports to exclude before we start
updating any of the forwarding maps with new scans.  This allows us to
keep all the scans separate from all the rebinds, and therefore several
minor cleanups that permitted.

As a bonus, pre-creating the exclusion bitmaps this way should make this
code easier to adapt as we change the forwarding data structures to allow
more flexible configuration.

Fixes: 1bc7d5485c10 ("fwd: Consolidate scans (not rebinds) in fwd.c")
Link: https://bugs.passt.top/show_bug.cgi?id=176
Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
With auto port-forwarding modes we scan for listening ports on the host
and/or guest and create forwardings for them.  To avoid circular forwarding
we need to exclude our own listening ports.  We do this by masking out
the forwarding map for one direction from the other.

Since 1bc7d5485c10, some of our scans take place while the forward maps are
out of sync with what our actual listening ports are though: the map
represents what we intend to forward shortly, rather than what we have
open sockets for right now.

What we have sockets for right now is what matters for the purposes of
excluding from the scan, though, so that was incorrect.  So, restore
correct behaviour by saving the map of ports to exclude before we start
updating any of the forwarding maps with new scans.  This allows us to
keep all the scans separate from all the rebinds, and therefore several
minor cleanups that permitted.

As a bonus, pre-creating the exclusion bitmaps this way should make this
code easier to adapt as we change the forwarding data structures to allow
more flexible configuration.

Fixes: 1bc7d5485c10 ("fwd: Consolidate scans (not rebinds) in fwd.c")
Link: https://bugs.passt.top/show_bug.cgi?id=176
Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Revert "fwd: Update all port maps before applying exclusions"</title>
<updated>2025-11-21T03:16:57+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2025-11-19T04:26:32+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=bdbdf4ed42ef8c30d3008d306ac237c28824221d'/>
<id>bdbdf4ed42ef8c30d3008d306ac237c28824221d</id>
<content type='text'>
This reverts commit 81942a2417357ff10b02ccc8275cde2d4d6fbfbe.

That commit was based on the premise of trying to make all the exclusions
use the "latest" scan data.  That was a fundamentally wrong approach: what
we need to exclude is listening ports that pasta itself has created.  That
is, we need to exclude ports that we were _already_ listening on, not ones
that we intend to listen once we rebind - we *want* the old data.

Reverting this reduces the cases in which bug 176 occurs, but it's not a
complete fix.

Link: https://bugs.passt.top/show_bug.cgi?id=176
Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This reverts commit 81942a2417357ff10b02ccc8275cde2d4d6fbfbe.

That commit was based on the premise of trying to make all the exclusions
use the "latest" scan data.  That was a fundamentally wrong approach: what
we need to exclude is listening ports that pasta itself has created.  That
is, we need to exclude ports that we were _already_ listening on, not ones
that we intend to listen once we rebind - we *want* the old data.

Reverting this reduces the cases in which bug 176 occurs, but it's not a
complete fix.

Link: https://bugs.passt.top/show_bug.cgi?id=176
Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>udp: Use IP_FREEBIND for flow sockets as well as listening sockets</title>
<updated>2025-11-13T21:33:55+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2025-11-13T01:34:13+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=2c6590d6a0883954f1f060ea8f2ce53179e12b27'/>
<id>2c6590d6a0883954f1f060ea8f2ce53179e12b27</id>
<content type='text'>
The --freebind option allows pasta to listen on addresses that aren't
registered on the host, which has a number of use cases.  However, we
omitted this option for UDP "flow sockets" which are created once a flow
is started, connect()ed specifically to the peer.  Flow sockets are also
bound, and if the peer has contacted a freebind address, we need
IP_FREEBIND to do so.

Link: https://bugs.passt.top/show_bug.cgi?id=174
Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The --freebind option allows pasta to listen on addresses that aren't
registered on the host, which has a number of use cases.  However, we
omitted this option for UDP "flow sockets" which are created once a flow
is started, connect()ed specifically to the peer.  Flow sockets are also
bound, and if the peer has contacted a freebind address, we need
IP_FREEBIND to do so.

Link: https://bugs.passt.top/show_bug.cgi?id=174
Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>tcp: Properly remove sockets from epoll loop when connection is closed</title>
<updated>2025-11-12T22:09:31+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2025-11-11T03:25:20+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=75b8bb966b9508693f35df30fbbfbf37aff05b15'/>
<id>75b8bb966b9508693f35df30fbbfbf37aff05b15</id>
<content type='text'>
Most of the handling for closing a TCP connection is in conn_event_do() when
it receives a 'CLOSED' event.  We specifically check for this case and,
correctly, remove the connection from the flow hash table.  However, we
also bypass the call to tcp_epoll_ctl() which is not correct.  By skipping
tcp_epoll_ctl() we skip its specific handling of the CLOSED event, which
includes removing the TCP socket from epoll.

If we somehow get an event on such a stale socket, we'll get a stale flow
reference.  That flow slot might have been re-used, leading to a crash
in conn_at_sidx().

Fixes: b86afe3559c0 ("tcp: Don't defer hash table removal")
Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Most of the handling for closing a TCP connection is in conn_event_do() when
it receives a 'CLOSED' event.  We specifically check for this case and,
correctly, remove the connection from the flow hash table.  However, we
also bypass the call to tcp_epoll_ctl() which is not correct.  By skipping
tcp_epoll_ctl() we skip its specific handling of the CLOSED event, which
includes removing the TCP socket from epoll.

If we somehow get an event on such a stale socket, we'll get a stale flow
reference.  That flow slot might have been re-used, leading to a crash
in conn_at_sidx().

Fixes: b86afe3559c0 ("tcp: Don't defer hash table removal")
Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>seccomp.sh: Quote tr character ranges to prevent glob expansion</title>
<updated>2025-11-04T17:53:41+00:00</updated>
<author>
<name>Laurent Vivier</name>
<email>lvivier@redhat.com</email>
</author>
<published>2025-11-03T12:08:34+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=a36031a4d807ca3197b6b14c50a93816d4d28f18'/>
<id>a36031a4d807ca3197b6b14c50a93816d4d28f18</id>
<content type='text'>
We use [a-z] and [A-Z] patterns with 'tr', but
if there are files with names matching these patterns they will be
replaced by the name of the file and seccomp.h will not be generated
correctly:
$ rm seccomp.h
$ touch a b
$ make
tr: extra operand '[A-Z]'
Try 'tr --help' for more information.
seccomp profile passt allows:  accept accept4 bind clock_gettime close connect epoll_ctl epoll_pwait epoll_wait exit_group
   fallocate fcntl fsync ftruncate getsockname getsockopt listen lseek read recvfrom recvmmsg recvmsg sendmmsg sendmsg sendto
...
cc -Wall -Wextra -Wno-format-zero-length -Wformat-security -pedantic -std=c11 -D_XOPEN_SOURCE=700 -D_GNU_SOURCE -D_FORTIFY_SOURCE=2 -O2 -pie -fPIE -DPAGE_SIZE=4096 -DVERSION="2025_09_19.623dbf6-54-gf6b6118fcabd" -DDUAL_STACK_SOCKETS=1 -DHAS_GETRANDOM -fstack-protector-strong   arch.c arp.c checksum.c conf.c dhcp.c dhcpv6.c epoll_ctl.c flow.c fwd.c icmp.c igmp.c inany.c iov.c ip.c isolation.c lineread.c log.c mld.c ndp.c netlink.c migrate.c packet.c passt.c pasta.c pcap.c pif.c repair.c tap.c tcp.c tcp_buf.c tcp_splice.c tcp_vu.c udp.c udp_flow.c udp_vu.c util.c vhost_user.c virtio.c vu_common.c -o passt
In file included from isolation.c:83:
seccomp.h:11:45: error: 'AUDIT_ARCH_' undeclared here (not in a function); did you mean 'AUDIT_ARCH'?
   11 |         BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_, 0, 80),
      |                                             ^~~~~~~~~~~

Signed-off-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
Reviewed-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We use [a-z] and [A-Z] patterns with 'tr', but
if there are files with names matching these patterns they will be
replaced by the name of the file and seccomp.h will not be generated
correctly:
$ rm seccomp.h
$ touch a b
$ make
tr: extra operand '[A-Z]'
Try 'tr --help' for more information.
seccomp profile passt allows:  accept accept4 bind clock_gettime close connect epoll_ctl epoll_pwait epoll_wait exit_group
   fallocate fcntl fsync ftruncate getsockname getsockopt listen lseek read recvfrom recvmmsg recvmsg sendmmsg sendmsg sendto
...
cc -Wall -Wextra -Wno-format-zero-length -Wformat-security -pedantic -std=c11 -D_XOPEN_SOURCE=700 -D_GNU_SOURCE -D_FORTIFY_SOURCE=2 -O2 -pie -fPIE -DPAGE_SIZE=4096 -DVERSION="2025_09_19.623dbf6-54-gf6b6118fcabd" -DDUAL_STACK_SOCKETS=1 -DHAS_GETRANDOM -fstack-protector-strong   arch.c arp.c checksum.c conf.c dhcp.c dhcpv6.c epoll_ctl.c flow.c fwd.c icmp.c igmp.c inany.c iov.c ip.c isolation.c lineread.c log.c mld.c ndp.c netlink.c migrate.c packet.c passt.c pasta.c pcap.c pif.c repair.c tap.c tcp.c tcp_buf.c tcp_splice.c tcp_vu.c udp.c udp_flow.c udp_vu.c util.c vhost_user.c virtio.c vu_common.c -o passt
In file included from isolation.c:83:
seccomp.h:11:45: error: 'AUDIT_ARCH_' undeclared here (not in a function); did you mean 'AUDIT_ARCH'?
   11 |         BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_, 0, 80),
      |                                             ^~~~~~~~~~~

Signed-off-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
Reviewed-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
