passt/inany.c, branch 2026_05_07.1afd4ed Plug A Simple Socket Transport inany: Prepare inany.[ch] for sharing with pesto tool 2026-05-07T06:06:30+00:00 David Gibson david@gibson.dropbear.id.au 2026-05-03T21:55:56+00:00 24c7ef9724929b6e7e3ffd35909f79f61959e57a inany contains a number of helpful functions for dealing with addresses which might be IPv4 or IPv6. We're going to want to use that in pesto. For the most part inany doesn't depend on other passt/pasta internals, however it does depend on siphash.h, which pesto doesn't need. Move the single dependent function, inany_siphash_feed() to siphash.h, renaming to match. Use that include inany.[ch] into pesto as well as passt/pasta. While we're there reformat pesto.c's header comment to match the convention used in most other files. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Reviewed-by: Laurent Vivier <lvivier@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
inany contains a number of helpful functions for dealing with addresses
which might be IPv4 or IPv6.  We're going to want to use that in pesto.
For the most part inany doesn't depend on other passt/pasta internals,
however it does depend on siphash.h, which pesto doesn't need.

Move the single dependent function, inany_siphash_feed() to siphash.h,
renaming to match.  Use that include inany.[ch] into pesto as well as
passt/pasta.  While we're there reformat pesto.c's header comment to match
the convention used in most other files.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
conf: Support CIDR notation for -a/--address option 2026-02-24T11:05:53+00:00 Jon Maloy jmaloy@redhat.com 2026-02-16T20:57:41+00:00 c3201915c436b47481396f0ae95b52efed084ef3 We extend the -a/--address option to accept addresses in CIDR notation (e.g., 192.168.1.1/24 or 2001:db8::1/64) as an alternative to using separate -a and -n options. We add a new inany_prefix_pton() helper function that: - Parses address strings with a compulsory /prefix_len suffix - Validates prefix length based on address family (0-32 for IPv4, 0-128 for IPv6), including handling of IPv4-to-IPv6 mapping case. For IPv4, the prefix length is stored in ip4.prefix_len when provided. For IPv6, the given prefix length is still overridden by the default value 64 Mixing -n and CIDR notation results in an error to catch likely user mistakes. Also fix a bug in conf_ip4_prefix() that was incorrectly using the global 'optarg' instead of its 'arg' parameter. Signed-off-by: Jon Maloy <jmaloy@redhat.com> [sbrivio: Fix merge conflict with commit 0c611bcd3120] Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
We extend the -a/--address option to accept addresses in CIDR notation
(e.g., 192.168.1.1/24 or 2001:db8::1/64) as an alternative to using
separate -a and -n options.

We add a new inany_prefix_pton() helper function that:
- Parses address strings with a compulsory /prefix_len suffix
- Validates prefix length based on address family (0-32 for IPv4,
  0-128 for IPv6), including handling of IPv4-to-IPv6 mapping case.

For IPv4, the prefix length is stored in ip4.prefix_len when provided.
For IPv6, the given prefix length is still overridden by the default
value 64

Mixing -n and CIDR notation results in an error to catch likely user
mistakes.

Also fix a bug in conf_ip4_prefix() that was incorrectly using the
global 'optarg' instead of its 'arg' parameter.

Signed-off-by: Jon Maloy <jmaloy@redhat.com>
[sbrivio: Fix merge conflict with commit 0c611bcd3120]
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
conf, fwd: Check forwarding table for conflicting rules 2026-01-18T11:47:53+00:00 David Gibson david@gibson.dropbear.id.au 2026-01-16T00:59:21+00:00 03a9c4b2eb3f1708e9ef5e4241cbda6a08aefc94 It's possible for a user to supply conflicting forwarding parameters, e.g. $ pasta -t 80:8080 -t 127.0.0.1/80:8888 We give a warning in this case, but it's based on the legacy forwarding bitmaps. This is too strict, because it will also warn on cases that shouldn't conflict because they use different addresses, e.g. $ pasta -t 192.0.2.1/80:8080 127.0.0.1/80:8888 Theoretically, it's also too loose because it won't take into account auto-scan forwarding rules. We can't hit that in practice now, because we only ever have one auto-scan rule and nothing else, but we want to remove that restriction in future. Replace the bitmap based check with a check based on actually scanning the forwarding rules for conflicts. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
It's possible for a user to supply conflicting forwarding parameters, e.g.
    $ pasta -t 80:8080 -t 127.0.0.1/80:8888

We give a warning in this case, but it's based on the legacy
forwarding bitmaps.  This is too strict, because it will also warn on
cases that shouldn't conflict because they use different addresses,
e.g.
    $ pasta -t 192.0.2.1/80:8080 127.0.0.1/80:8888

Theoretically, it's also too loose because it won't take into account
auto-scan forwarding rules.  We can't hit that in practice now,
because we only ever have one auto-scan rule and nothing else, but we
want to remove that restriction in future.

Replace the bitmap based check with a check based on actually scanning
the forwarding rules for conflicts.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
inany: Extend inany_ntop() to treat NULL as a fully unspecified address 2026-01-18T11:47:29+00:00 David Gibson david@gibson.dropbear.id.au 2026-01-16T00:59:13+00:00 016e3d756447ebadb45fb68719b4ea28bb12d103 In a number of places we're using a convention that a NULL inany represents a dual-stack unspecified address, that is one which includes both 0.0.0.0 and ::. Extend inany_ntop() to handle that convention, representing it as "*". Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Reviewed-by: Laurent Vivier <lvivier@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
In a number of places we're using a convention that a NULL inany represents
a dual-stack unspecified address, that is one which includes both 0.0.0.0
and ::.  Extend inany_ntop() to handle that convention, representing it
as "*".

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
arp/ndp: respond with true MAC address of LAN local remote hosts 2025-10-30T11:01:01+00:00 Jon Maloy jmaloy@redhat.com 2025-10-24T01:29:27+00:00 e456c02a0e84bedba8011a6c0b6659a7409ad14b When we receive an ARP request or NDP neigbour solicitation over the tap interface for a host on the local network segment attached to the template interface, we respond with that host's real MAC address, if available. Signed-off-by: Jon Maloy <jmaloy@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
When we receive an ARP request or NDP neigbour solicitation over
the tap interface for a host on the local network segment attached
to the template interface, we respond with that host's real MAC
address, if available.

Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
style: Fix 'Return' comment style 2025-07-18T17:19:24+00:00 Laurent Vivier lvivier@redhat.com 2025-06-20T09:36:41+00:00 9e0423e13541e8da657f46dff71e841f40ee7391 We always use imperative (no 'Returns:'), no tab after the ':' and only one space, the first character is always lowercase. This is fixed with: sed -i "s/Returns:/Return:/;s/Return: /Return: /;s/Return: */Return: /;s/Return: \([A-Z]\)/Return: \L\1/" *.[ch] And manually updated to fix alignment of multiline comment and words that must keep uppercase (like IPv4, TCP, UDP, Layer-4). Signed-off-by: Laurent Vivier <lvivier@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
We always use imperative (no 'Returns:'), no tab after the ':' and
only one space, the first character is always lowercase.

This is fixed with:

 sed -i "s/Returns:/Return:/;s/Return:    /Return: /;s/Return:  */Return: /;s/Return: \([A-Z]\)/Return: \L\1/" *.[ch]

And manually updated to fix alignment of multiline comment and words
that must keep uppercase (like IPv4, TCP, UDP, Layer-4).

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
inany: Add inany_pton() helper 2024-09-25T17:03:17+00:00 David Gibson david@gibson.dropbear.id.au 2024-09-20T04:12:44+00:00 b55013b1a7e7dd7e4e90455703d272b9ffc28b64 We already have an inany_ntop() function to format inany addresses into text. Add inany_pton() to parse them from text, and use it in conf_ports(). Signed-off-by: David Gibson <david@gibson.dropbear.id.au> 
We already have an inany_ntop() function to format inany addresses into
text.  Add inany_pton() to parse them from text, and use it in
conf_ports().

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
inany: Better helpers for using inany and specific family addrs together 2024-05-22T21:20:55+00:00 David Gibson david@gibson.dropbear.id.au 2024-05-21T05:57:04+00:00 a63199832a737dde45500e4037608727701c782f This adds some extra inany helpers for comparing an inany address to addresses of a specific family (including special addresses), and building an inany from an IPv4 address (either statically or at runtime). Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
This adds some extra inany helpers for comparing an inany address to
addresses of a specific family (including special addresses), and building
an inany from an IPv4 address (either statically or at runtime).

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
util: move IP stuff from util.[ch] to ip.[ch] 2024-03-06T07:03:38+00:00 Laurent Vivier lvivier@redhat.com 2024-03-06T05:58:33+00:00 324bd46782fbc5aee23abe4def5956b98a44e81c Introduce ip.[ch] file to encapsulate IP protocol handling functions and structures. Modify various files to include the new header ip.h when it's needed. Signed-off-by: Laurent Vivier <lvivier@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> Message-ID: <20240303135114.1023026-5-lvivier@redhat.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Introduce ip.[ch] file to encapsulate IP protocol handling functions and
structures.  Modify various files to include the new header ip.h when
it's needed.

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Message-ID: <20240303135114.1023026-5-lvivier@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
tcp_splice: Improve logic deciding when to splice 2024-02-29T08:48:13+00:00 David Gibson david@gibson.dropbear.id.au 2024-02-28T11:25:15+00:00 ee677e0a42c434787bf02cb715d76612a6550c21 This makes several tweaks to improve the logic which decides whether we're able to use the splice method for a new connection. * Rather than only calling tcp_splice_conn_from_sock() in pasta mode, we check for pasta mode within it, better localising the checks. * Previously if we got a connection from a non-loopback address we'd always fall back to the "tap" path, even if the connection was on a socket in the namespace. If we did get a non-loopback address on a namespace socket, something has gone wrong and the "tap" path certainly won't be able to handle it. Report the error and close, rather than passing it along to tap. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
This makes several tweaks to improve the logic which decides whether
we're able to use the splice method for a new connection.

 * Rather than only calling tcp_splice_conn_from_sock() in pasta mode, we
   check for pasta mode within it, better localising the checks.
 * Previously if we got a connection from a non-loopback address we'd
   always fall back to the "tap" path, even if the  connection was on a
   socket in the namespace.  If we did get a non-loopback address on a
   namespace socket, something has gone wrong and the "tap" path certainly
   won't be able to handle it.  Report the error and close, rather than
   passing it along to tap.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>