<feed xmlns='http://www.w3.org/2005/Atom'>
<title>passt/passt.1, branch 2026_05_07.1afd4ed</title>
<subtitle>Plug A Simple Socket Transport</subtitle>
<link rel='alternate' type='text/html' href='https://passt.top/passt/'/>
<entry>
<title>pesto, conf: Have pesto connect to passt and check versions</title>
<updated>2026-05-07T06:06:30+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2026-05-03T21:55:53+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=f1d893ca1926e58ae5a2bf5602b515a883f3f994'/>
<id>f1d893ca1926e58ae5a2bf5602b515a883f3f994</id>
<content type='text'>
Start implementing pesto in earnest.  Create a control/configuration
socket in passt.  Have pesto connect to it and retrieve a server greeting.
Perform some basic version checking.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
[sbrivio: Avoid potential recursive calling between conf_accept() and
 conf_close(), reported by clang-tidy]
[sbrivio: In conf(), check we're not exceeding sizeof(c-&gt;control_path)
 instead of sizeof(c-&gt;socket_path), and, in pesto's main(), print
 argv[optind] instead of argv[1] to indicate an invalid socket path,
 both reported by Jon Maloy]
[sbrivio: In pesto's main(), drop unnecessary newline from error
 message, reported by Laurent]
[sbrivio: Don't use SOCK_NONBLOCK on accept4(), as that only applies
 to the *new* file descriptor, which we don't want -- set O_NONBLOCK
 on the listening file descriptor using fcntl()]
[sbrivio: Switch to protocol version 1, and reflect the true magic
 behind pesto, i.e. basil, into the magic string]
[sbrivio: Fix conflicts in the Makefile caused by the fact that I'm
 not merging a previous series reworking it]
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Reviewed-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Start implementing pesto in earnest.  Create a control/configuration
socket in passt.  Have pesto connect to it and retrieve a server greeting.
Perform some basic version checking.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
[sbrivio: Avoid potential recursive calling between conf_accept() and
 conf_close(), reported by clang-tidy]
[sbrivio: In conf(), check we're not exceeding sizeof(c-&gt;control_path)
 instead of sizeof(c-&gt;socket_path), and, in pesto's main(), print
 argv[optind] instead of argv[1] to indicate an invalid socket path,
 both reported by Jon Maloy]
[sbrivio: In pesto's main(), drop unnecessary newline from error
 message, reported by Laurent]
[sbrivio: Don't use SOCK_NONBLOCK on accept4(), as that only applies
 to the *new* file descriptor, which we don't want -- set O_NONBLOCK
 on the listening file descriptor using fcntl()]
[sbrivio: Switch to protocol version 1, and reflect the true magic
 behind pesto, i.e. basil, into the magic string]
[sbrivio: Fix conflicts in the Makefile caused by the fact that I'm
 not merging a previous series reworking it]
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Reviewed-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>conf: Allow user-specified auto-scanned port forwarding ranges</title>
<updated>2026-04-20T21:35:51+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2026-04-17T05:05:12+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=4e09ddf034439930685a2aa04dfe5c456581d6ba'/>
<id>4e09ddf034439930685a2aa04dfe5c456581d6ba</id>
<content type='text'>
The forwarding table now allows for arbitrary port ranges to be marked as
FWD_SCAN, meaning we don't open sockets for every port, but only those we
scan as listening on the target side.  However, there's currently no way
to create such rules, except -[tTuU] auto which always scans every port
with an unspecified listening address and interface.

Allow user-specified "auto" ranges by moving the parsing of the "auto"
keyword from conf_ports(), to conf_ports_spec() as part of the port
specified.  "auto" can be combined freely with other port ranges, e.g.
    -t 127.0.0.1/auto
    -u %lo/5000-7000,auto
    -T auto,12345
    -U auto,~1-9000

Note that any address and interface given only affects where the automatic
forwards listen, not what addresses we consider when scanning.  That is,
if the target side is listening on *any* address, we will create a forward
on the specified address.

Link: https://bugs.passt.top/show_bug.cgi?id=180
Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Reviewed-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
[sbrivio: Fix extra space after if (isdigit(*p)) reported by Laurent]
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The forwarding table now allows for arbitrary port ranges to be marked as
FWD_SCAN, meaning we don't open sockets for every port, but only those we
scan as listening on the target side.  However, there's currently no way
to create such rules, except -[tTuU] auto which always scans every port
with an unspecified listening address and interface.

Allow user-specified "auto" ranges by moving the parsing of the "auto"
keyword from conf_ports(), to conf_ports_spec() as part of the port
specified.  "auto" can be combined freely with other port ranges, e.g.
    -t 127.0.0.1/auto
    -u %lo/5000-7000,auto
    -T auto,12345
    -U auto,~1-9000

Note that any address and interface given only affects where the automatic
forwards listen, not what addresses we consider when scanning.  That is,
if the target side is listening on *any* address, we will create a forward
on the specified address.

Link: https://bugs.passt.top/show_bug.cgi?id=180
Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Reviewed-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
[sbrivio: Fix extra space after if (isdigit(*p)) reported by Laurent]
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>conf: Move "all" handling to port specifier</title>
<updated>2026-04-20T21:34:12+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2026-04-17T05:05:11+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=bf7eebc88dcf615817e2826d962dee147b328eca'/>
<id>bf7eebc88dcf615817e2826d962dee147b328eca</id>
<content type='text'>
Currently -[tTuU] all is handled separately in conf_ports() before calling
conf_ports_spec().  Earlier changes mean we can now move this handling to
conf_ports_spec().  This makes the code slightly simpler, but more
importantly it allows some useful combinations we couldn't previously do,
such as
	-t 127.0.0.1/all
or
	-u %eth2/all

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Reviewed-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Currently -[tTuU] all is handled separately in conf_ports() before calling
conf_ports_spec().  Earlier changes mean we can now move this handling to
conf_ports_spec().  This makes the code slightly simpler, but more
importantly it allows some useful combinations we couldn't previously do,
such as
	-t 127.0.0.1/all
or
	-u %eth2/all

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Reviewed-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>doc: Rework man page description of port specifiers</title>
<updated>2026-04-20T21:33:38+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2026-04-17T05:05:10+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=0a466eb86ecdd5a87201e0f65aaa73686a71710d'/>
<id>0a466eb86ecdd5a87201e0f65aaa73686a71710d</id>
<content type='text'>
Currently the man page describes the internal syntax of port specifiers
in prose, which isn't particularly easy to follow.  Rework it to use
more syntax "diagrams" to show how it works.  This will also allow us to
more easily update the manual page for some coming changes in syntax.

usage() output is updated similarly, though more briefly.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Reviewed-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Currently the man page describes the internal syntax of port specifiers
in prose, which isn't particularly easy to follow.  Rework it to use
more syntax "diagrams" to show how it works.  This will also allow us to
more easily update the manual page for some coming changes in syntax.

usage() output is updated similarly, though more briefly.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Reviewed-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>conf: Permit -[tTuU] all in pasta mode</title>
<updated>2026-04-15T21:31:40+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2026-04-10T01:02:51+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=dbe0ba1d26f2b82b94d243b3338cd54a228115fc'/>
<id>dbe0ba1d26f2b82b94d243b3338cd54a228115fc</id>
<content type='text'>
Currently we explicitly forbid -[tTuU] all in pasta mode.  While these are
primarily useful for passt, there's no particular reason they can't be
used in pasta mode as well.  Indeed you can do the same thing in pasta
by using "-t ~32768-60999" (assuming default Linux configuration of
ephemeral ports).  For consistency, permit "all" for pasta as well.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Currently we explicitly forbid -[tTuU] all in pasta mode.  While these are
primarily useful for passt, there's no particular reason they can't be
used in pasta mode as well.  Indeed you can do the same thing in pasta
by using "-t ~32768-60999" (assuming default Linux configuration of
ephemeral ports).  For consistency, permit "all" for pasta as well.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>doc: Consolidate -[tu] option descriptions for passt and pasta</title>
<updated>2026-04-15T21:31:39+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2026-04-10T01:02:50+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=a47b6ac2acc7001f25d01b69016d491bee7ccd5d'/>
<id>a47b6ac2acc7001f25d01b69016d491bee7ccd5d</id>
<content type='text'>
The man page currently has two fairly large, near-identical sections
separately describing the -t and -u options for passt and pasta.  This is
bulky and potentially confusing.  It will make this information more
tedious to update as we alter what's possible here with the forwarding
table.  Consolidate both descriptions to a single one in the common
options, noting the few passt/pasta differences inline.

There's similar duplication in usage(), consolidate that as well.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The man page currently has two fairly large, near-identical sections
separately describing the -t and -u options for passt and pasta.  This is
bulky and potentially confusing.  It will make this information more
tedious to update as we alter what's possible here with the forwarding
table.  Consolidate both descriptions to a single one in the common
options, noting the few passt/pasta differences inline.

There's similar duplication in usage(), consolidate that as well.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>doc: Fix formatting of (DEPRECATED) notes in man page</title>
<updated>2026-03-16T22:34:30+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2026-03-16T05:46:26+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=b5e6ef465469b2a7db73be05e5487176c0534cc1'/>
<id>b5e6ef465469b2a7db73be05e5487176c0534cc1</id>
<content type='text'>
Some places where we note command line options as (DEPRECATED) are missing
a space between the option name itself and the tag.  Correct them.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Some places where we note command line options as (DEPRECATED) are missing
a space between the option name itself and the tag.  Correct them.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>conf: Support CIDR notation for -a/--address option</title>
<updated>2026-02-24T11:05:53+00:00</updated>
<author>
<name>Jon Maloy</name>
<email>jmaloy@redhat.com</email>
</author>
<published>2026-02-16T20:57:41+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=c3201915c436b47481396f0ae95b52efed084ef3'/>
<id>c3201915c436b47481396f0ae95b52efed084ef3</id>
<content type='text'>
We extend the -a/--address option to accept addresses in CIDR notation
(e.g., 192.168.1.1/24 or 2001:db8::1/64) as an alternative to using
separate -a and -n options.

We add a new inany_prefix_pton() helper function that:
- Parses address strings with a compulsory /prefix_len suffix
- Validates prefix length based on address family (0-32 for IPv4,
  0-128 for IPv6), including handling of IPv4-to-IPv6 mapping case.

For IPv4, the prefix length is stored in ip4.prefix_len when provided.
For IPv6, the given prefix length is still overridden by the default
value 64.

Mixing -n and CIDR notation results in an error to catch likely user
mistakes.

Also fix a bug in conf_ip4_prefix() that was incorrectly using the
global 'optarg' instead of its 'arg' parameter.

Signed-off-by: Jon Maloy &lt;jmaloy@redhat.com&gt;
[sbrivio: Fix merge conflict with commit 0c611bcd3120]
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We extend the -a/--address option to accept addresses in CIDR notation
(e.g., 192.168.1.1/24 or 2001:db8::1/64) as an alternative to using
separate -a and -n options.

We add a new inany_prefix_pton() helper function that:
- Parses address strings with a compulsory /prefix_len suffix
- Validates prefix length based on address family (0-32 for IPv4,
  0-128 for IPv6), including handling of IPv4-to-IPv6 mapping case.

For IPv4, the prefix length is stored in ip4.prefix_len when provided.
For IPv6, the given prefix length is still overridden by the default
value 64.

Mixing -n and CIDR notation results in an error to catch likely user
mistakes.

Also fix a bug in conf_ip4_prefix() that was incorrectly using the
global 'optarg' instead of its 'arg' parameter.

Signed-off-by: Jon Maloy &lt;jmaloy@redhat.com&gt;
[sbrivio: Fix merge conflict with commit 0c611bcd3120]
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>conf, pasta: Add --splice-only option</title>
<updated>2026-01-19T08:12:27+00:00</updated>
<author>
<name>Yumei Huang</name>
<email>yuhuang@redhat.com</email>
</author>
<published>2026-01-16T03:25:09+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=cee7eb0dbf89cc096b8dea50999c6b90708defe4'/>
<id>cee7eb0dbf89cc096b8dea50999c6b90708defe4</id>
<content type='text'>
This patch introduces a mode where we only forward loopback connections
and traffic between two namespaces (via the loopback interface, 'lo'),
without a tap device.

It might be used to fix up podman IPv4 / IPv6 loopback mapping when using
rootlesskit for forwarding ports, or a way to implement isolated containers.

In this mode, --host-lo-to-ns-lo and --no-icmp are automatically enabled.
Option --no-splice is rejected.

Link: https://bugs.passt.top/show_bug.cgi?id=149
Signed-off-by: Yumei Huang &lt;yuhuang@redhat.com&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch introduces a mode where we only forward loopback connections
and traffic between two namespaces (via the loopback interface, 'lo'),
without a tap device.

It might be used to fix up podman IPv4 / IPv6 loopback mapping when using
rootlesskit for forwarding ports, or a way to implement isolated containers.

In this mode, --host-lo-to-ns-lo and --no-icmp are automatically enabled.
Option --no-splice is rejected.

Link: https://bugs.passt.top/show_bug.cgi?id=149
Signed-off-by: Yumei Huang &lt;yuhuang@redhat.com&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>conf: Separate local mode for each IP version, don't enable disabled IP version</title>
<updated>2025-12-07T22:18:11+00:00</updated>
<author>
<name>Stefano Brivio</name>
<email>sbrivio@redhat.com</email>
</author>
<published>2025-12-05T00:37:45+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=4ddd59bc6085cbb87a3630e746323ac247164976'/>
<id>4ddd59bc6085cbb87a3630e746323ac247164976</id>
<content type='text'>
This fixes an issue and introduces a feature:

- in local mode, we accidentally ignored the -4 / --ipv4-only and
  -6 / --ipv6-only command line options

- if no template interface is available for a given IP version,
  instead of disabling that IP version, use local mode, separately,
  for it

Link: https://bugs.passt.top/show_bug.cgi?id=129
Link: https://bugs.passt.top/show_bug.cgi?id=128
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Reviewed-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Tested-by: Paul Holzinger &lt;pholzing@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This fixes an issue and introduces a feature:

- in local mode, we accidentally ignored the -4 / --ipv4-only and
  -6 / --ipv6-only command line options

- if no template interface is available for a given IP version,
  instead of disabling that IP version, use local mode, separately,
  for it

Link: https://bugs.passt.top/show_bug.cgi?id=129
Link: https://bugs.passt.top/show_bug.cgi?id=128
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Reviewed-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Tested-by: Paul Holzinger &lt;pholzing@redhat.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
