passt/ip.c, branch 2026_05_07.1afd4ed Plug A Simple Socket Transport ip: Prepare ip.[ch] for sharing with pesto tool 2026-05-07T06:06:30+00:00 David Gibson david@gibson.dropbear.id.au 2026-05-03T21:55:55+00:00 c9f7ed120500c630e74d1c77d2cdd670eba68368 Most things in ip.[ch] related purely to IP addresses and headers with no dependency on other passt/pasta internals. A number of these will be useful to re-use in pesto. The exception is ipv6_l4hdr() which uses iov_tail. The only caller of this is in tap.c, so move the function there. Along with moving the constant byteswapping functions to common.h, that lets ip.[ch] to be linked into pesto as well as passt/pasta. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Reviewed-by: Laurent Vivier <lvivier@redhat.com> [sbrivio: Dropped duplicate definition of __bswap_constant_32() while at it, reported by Laurent] Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Most things in ip.[ch] related purely to IP addresses and headers with
no dependency on other passt/pasta internals.  A number of these will be
useful to re-use in pesto.  The exception is ipv6_l4hdr() which uses
iov_tail.

The only caller of this is in tap.c, so move the function there.  Along
with moving the constant byteswapping functions to common.h, that lets
ip.[ch] to be linked into pesto as well as passt/pasta.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
[sbrivio: Dropped duplicate definition of __bswap_constant_32() while
 at it, reported by Laurent]
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
ip: Define a bound for the string returned by ipproto_name() 2026-03-28T13:36:01+00:00 David Gibson david@gibson.dropbear.id.au 2026-03-27T04:34:28+00:00 93c3e351f23561331824f2a2305bde3628676db5 ipproto_name() returns a static string of theoretically unbounded length. That's going to be inconvenient in future, so introduce IPPROTO_STRLEN giving an explicit bound on the length. Use static_assert() and some macros to ensure nothing we return can exceed this. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
ipproto_name() returns a static string of theoretically unbounded length.
That's going to be inconvenient in future, so introduce IPPROTO_STRLEN
giving an explicit bound on the length.  Use static_assert() and some
macros to ensure nothing we return can exceed this.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
conf: Support CIDR notation for -a/--address option 2026-02-24T11:05:53+00:00 Jon Maloy jmaloy@redhat.com 2026-02-16T20:57:41+00:00 c3201915c436b47481396f0ae95b52efed084ef3 We extend the -a/--address option to accept addresses in CIDR notation (e.g., 192.168.1.1/24 or 2001:db8::1/64) as an alternative to using separate -a and -n options. We add a new inany_prefix_pton() helper function that: - Parses address strings with a compulsory /prefix_len suffix - Validates prefix length based on address family (0-32 for IPv4, 0-128 for IPv6), including handling of IPv4-to-IPv6 mapping case. For IPv4, the prefix length is stored in ip4.prefix_len when provided. For IPv6, the given prefix length is still overridden by the default value 64 Mixing -n and CIDR notation results in an error to catch likely user mistakes. Also fix a bug in conf_ip4_prefix() that was incorrectly using the global 'optarg' instead of its 'arg' parameter. Signed-off-by: Jon Maloy <jmaloy@redhat.com> [sbrivio: Fix merge conflict with commit 0c611bcd3120] Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
We extend the -a/--address option to accept addresses in CIDR notation
(e.g., 192.168.1.1/24 or 2001:db8::1/64) as an alternative to using
separate -a and -n options.

We add a new inany_prefix_pton() helper function that:
- Parses address strings with a compulsory /prefix_len suffix
- Validates prefix length based on address family (0-32 for IPv4,
  0-128 for IPv6), including handling of IPv4-to-IPv6 mapping case.

For IPv4, the prefix length is stored in ip4.prefix_len when provided.
For IPv6, the given prefix length is still overridden by the default
value 64

Mixing -n and CIDR notation results in an error to catch likely user
mistakes.

Also fix a bug in conf_ip4_prefix() that was incorrectly using the
global 'optarg' instead of its 'arg' parameter.

Signed-off-by: Jon Maloy <jmaloy@redhat.com>
[sbrivio: Fix merge conflict with commit 0c611bcd3120]
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
fwd, tcp, udp: Set up listening sockets based on forward table 2026-01-18T11:47:47+00:00 David Gibson david@gibson.dropbear.id.au 2026-01-16T00:59:19+00:00 b223bec48213060304c09882ce5b3055b15b7e07 Previously we created inbound listening sockets as we parsed the forwarding options (-t, -u) whereas outbound listening sockets were created during {tcp,udp}_init(). Now that we have a data structure recording the full details of the listening options we can move all listening socket creation to {tcp,udp}_init(). This means that errors for either direction are detected and reported the same way. Introduce fwd_listen_sync() which synchronizes the state of listening sockets to the forwarding rules table, both for fixed and automatic forwards. This does cause a change in semantics for "exclude only" port specifications. Previously an option like -t ~6000 wouldn't cause a fatal error, as long as we could bind at least one port. Now, it requires at least one port for each generated rule; that is for each of the contiguous blocks of ports the specification resolves to. With typical ephemeral ports settings that's one port each in 1..5999, 6001..32767 and 61000..65535. Preserving the exact behaviour for this case would require a considerably more complex data structure, so I'm hoping this is a sufficiently niche case for the change to be acceptable. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Previously we created inbound listening sockets as we parsed the forwarding
options (-t, -u) whereas outbound listening sockets were created during
{tcp,udp}_init().  Now that we have a data structure recording the full
details of the listening options we can move all listening socket creation
to {tcp,udp}_init().  This means that errors for either direction are
detected and reported the same way.

Introduce fwd_listen_sync() which synchronizes the state of listening
sockets to the forwarding rules table, both for fixed and automatic
forwards.

This does cause a change in semantics for "exclude only" port
specifications.  Previously an option like -t ~6000 wouldn't cause a
fatal error, as long as we could bind at least one port.  Now, it
requires at least one port for each generated rule; that is for each
of the contiguous blocks of ports the specification resolves to.  With
typical ephemeral ports settings that's one port each in 1..5999,
6001..32767 and 61000..65535.

Preserving the exact behaviour for this case would require a considerably
more complex data structure, so I'm hoping this is a sufficiently niche
case for the change to be acceptable.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
ip: Add ipproto_name() function 2026-01-18T11:47:44+00:00 David Gibson david@gibson.dropbear.id.au 2026-01-16T00:59:18+00:00 0c611bcd312094a3882be44b759d92423ab28b61 Add a function to get the name of an IP protocol from its number. Usually this would be done by getprotobynumber(), but that requires access to /etc/protocols and might allocate. We can't do either of those once we've self-isolated. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Reviewed-by: Laurent Vivier <lvivier@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Add a function to get the name of an IP protocol from its number.  Usually
this would be done by getprotobynumber(), but that requires access to
/etc/protocols and might allocate.  We can't do either of those once we've
self-isolated.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
ip: Use iov_tail in ipv6_l4hdr() 2025-09-03T18:43:31+00:00 Laurent Vivier lvivier@redhat.com 2025-09-02T07:52:41+00:00 20cd6d0b8632ad520fd90bf11310429fed04d9fb Use packet_data() and extract headers using IOV_REMOVE_HEADER() and IOV_PEEK_HEADER() rather than packet_get(). Signed-off-by: Laurent Vivier <lvivier@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Use packet_data() and extract headers using IOV_REMOVE_HEADER()
and IOV_PEEK_HEADER() rather than packet_get().

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
util: move IP stuff from util.[ch] to ip.[ch] 2024-03-06T07:03:38+00:00 Laurent Vivier lvivier@redhat.com 2024-03-06T05:58:33+00:00 324bd46782fbc5aee23abe4def5956b98a44e81c Introduce ip.[ch] file to encapsulate IP protocol handling functions and structures. Modify various files to include the new header ip.h when it's needed. Signed-off-by: Laurent Vivier <lvivier@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> Message-ID: <20240303135114.1023026-5-lvivier@redhat.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Introduce ip.[ch] file to encapsulate IP protocol handling functions and
structures.  Modify various files to include the new header ip.h when
it's needed.

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Message-ID: <20240303135114.1023026-5-lvivier@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>