<feed xmlns='http://www.w3.org/2005/Atom'>
<title>passt/passt.h, branch 2026_06_11.a9c61ff</title>
<subtitle>Plug A Simple Socket Transport</subtitle>
<link rel='alternate' type='text/html' href='https://passt.top/passt/'/>
<entry>
<title>util, passt: Close daemon-lifetime fds on exit to avoid Coverity warning</title>
<updated>2026-06-11T23:02:35+00:00</updated>
<author>
<name>Jon Maloy</name>
<email>jmaloy@redhat.com</email>
</author>
<published>2026-06-11T15:15:21+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=a9c61ffaf15347b8dfcc2347c5440e4b0e82333b'/>
<id>a9c61ffaf15347b8dfcc2347c5440e4b0e82333b</id>
<content type='text'>
conf_open_files() opens three file descriptors (fd_tap_listen,
fd_repair_listen, fd_control_listen) that are held for the entire
daemon lifetime.  Because no close() call exists for them
anywhere, Coverity flags each as INCOMPLETE_DEALLOCATOR. This is
clearly a false positive, but we still want to get rid of this
warning.

We now register the execution context in a global area so that
passt_exit() can use it to close these descriptors before calling
_exit().  All exit paths (signal handler, die(), die_perror())
funnel through passt_exit(), so this covers all cases.

Signed-off-by: Jon Maloy &lt;jmaloy@redhat.com&gt;
Reviewed-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
conf_open_files() opens three file descriptors (fd_tap_listen,
fd_repair_listen, fd_control_listen) that are held for the entire
daemon lifetime.  Because no close() call exists for them
anywhere, Coverity flags each as INCOMPLETE_DEALLOCATOR. This is
clearly a false positive, but we still want to get rid of this
warning.

We now register the execution context in a global area so that
passt_exit() can use it to close these descriptors before calling
_exit().  All exit paths (signal handler, die(), die_perror())
funnel through passt_exit(), so this covers all cases.

Signed-off-by: Jon Maloy &lt;jmaloy@redhat.com&gt;
Reviewed-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>conf, util: Disable IPv6 if explicit IPv6 socket probe fails</title>
<updated>2026-06-10T14:48:44+00:00</updated>
<author>
<name>Stefano Brivio</name>
<email>sbrivio@redhat.com</email>
</author>
<published>2026-06-08T19:06:17+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=e1a6d9ef626aa6dbcfeef97dbbab3bd69c35b4b1'/>
<id>e1a6d9ef626aa6dbcfeef97dbbab3bd69c35b4b1</id>
<content type='text'>
In https://bugs.passt.top/show_bug.cgi?id=188, I originally reported
that if IPv6 is disabled in the kernel (for example via command line
parameter ipv6.disable=1, or disabled in build configuration), and we
attempt to forward any port, we'll exit right away after failing to
set up dual-stack listening sockets.

The original instance of that issue is now fixed for pasta by commit
75dcbc300bf0 ("pasta: Warn, disable matching IP version if not
supported, in local mode") together with the new implementation of
the rule forwarding table, starting from commit b223bec48213 ("fwd,
tcp, udp: Set up listening sockets based on forward table"), because
we first parse forwarding options, then probe for IPv6 support in the
target namespace (and disable IPv6 as a result), and finally bind
sockets once we already know that IPv6 support is disabled.

But we don't do that when invoked as passt, because we have no target
namespace and hence no probing for IPv6 support whatsoever.

Add IPv6 to the socket features we test in sock_probe_features(), and,
if we fail to create an IPv6 socket for whatever reason (which might
include security policies as well), disable IPv6 support altogether,
so that we won't attempt to use dual-stack sockets for port forwarding
either.

Note that the probe comes without any sort of debug message, because
at this point we haven't parsed the configuration yet, and we would
therefore print that regardless of the selected logging level and
other options, including --ipv4-only, which would be rather confusing.
I doubt we'll miss this kind of message though, IPv6 support being
disabled is anyway obvious from the initial configuration dump.

Reported-by: Chi Cuong HA &lt;ChiCuong.HA@amadeus.com&gt;
Reported-by: Romain Geissler &lt;romain.geissler@amadeus.com&gt;
Link: https://bugs.passt.top/show_bug.cgi?id=188
Fixes: 4ddd59bc6085 ("conf: Separate local mode for each IP version, don't enable disabled IP version")
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Reviewed-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In https://bugs.passt.top/show_bug.cgi?id=188, I originally reported
that if IPv6 is disabled in the kernel (for example via command line
parameter ipv6.disable=1, or disabled in build configuration), and we
attempt to forward any port, we'll exit right away after failing to
set up dual-stack listening sockets.

The original instance of that issue is now fixed for pasta by commit
75dcbc300bf0 ("pasta: Warn, disable matching IP version if not
supported, in local mode") together with the new implementation of
the rule forwarding table, starting from commit b223bec48213 ("fwd,
tcp, udp: Set up listening sockets based on forward table"), because
we first parse forwarding options, then probe for IPv6 support in the
target namespace (and disable IPv6 as a result), and finally bind
sockets once we already know that IPv6 support is disabled.

But we don't do that when invoked as passt, because we have no target
namespace and hence no probing for IPv6 support whatsoever.

Add IPv6 to the socket features we test in sock_probe_features(), and,
if we fail to create an IPv6 socket for whatever reason (which might
include security policies as well), disable IPv6 support altogether,
so that we won't attempt to use dual-stack sockets for port forwarding
either.

Note that the probe comes without any sort of debug message, because
at this point we haven't parsed the configuration yet, and we would
therefore print that regardless of the selected logging level and
other options, including --ipv4-only, which would be rather confusing.
I doubt we'll miss this kind of message though, IPv6 support being
disabled is anyway obvious from the initial configuration dump.

Reported-by: Chi Cuong HA &lt;ChiCuong.HA@amadeus.com&gt;
Reported-by: Romain Geissler &lt;romain.geissler@amadeus.com&gt;
Link: https://bugs.passt.top/show_bug.cgi?id=188
Fixes: 4ddd59bc6085 ("conf: Separate local mode for each IP version, don't enable disabled IP version")
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Reviewed-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>pesto, conf: Send updated rules from pesto back to passt/pasta</title>
<updated>2026-05-07T06:06:30+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2026-05-03T21:55:59+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=7c5b1d72ffa4225929e99ac32604df4648d20eed'/>
<id>7c5b1d72ffa4225929e99ac32604df4648d20eed</id>
<content type='text'>
Extend pesto to send the updated rule configuration back to passt/pasta.
Extend passt/pasta to read the new configuration and store the new rules in
a "pending" table.   We don't yet attempt to activate them.

Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
[dwg: Based on an early draft from Stefano]
[sbrivio: Add redundant check on interface names being terminated in
 conf_recv_rules(), to make static checkers happy]
[sbrivio: Make conf_recv_rules() return -1 if fwd_rule_read() fails,
 as suggested by Jon Maloy]
[sbrivio: Fix conflicts in Makefile]
Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Reviewed-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Extend pesto to send the updated rule configuration back to passt/pasta.
Extend passt/pasta to read the new configuration and store the new rules in
a "pending" table.   We don't yet attempt to activate them.

Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
[dwg: Based on an early draft from Stefano]
[sbrivio: Add redundant check on interface names being terminated in
 conf_recv_rules(), to make static checkers happy]
[sbrivio: Make conf_recv_rules() return -1 if fwd_rule_read() fails,
 as suggested by Jon Maloy]
[sbrivio: Fix conflicts in Makefile]
Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Reviewed-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>pesto, conf: Have pesto connect to passt and check versions</title>
<updated>2026-05-07T06:06:30+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2026-05-03T21:55:53+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=f1d893ca1926e58ae5a2bf5602b515a883f3f994'/>
<id>f1d893ca1926e58ae5a2bf5602b515a883f3f994</id>
<content type='text'>
Start implementing pesto in earnest.  Create a control/configuration
socket in passt.  Have pesto connect to it and retrieve a server greeting.
Perform some basic version checking.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
[sbrivio: Avoid potential recursive calling between conf_accept() and
 conf_close(), reported by clang-tidy]
[sbrivio: In conf(), check we're not exceeding sizeof(c-&gt;control_path)
 instead of sizeof(c-&gt;socket_path), and, in pesto's main(), print
 argv[optind] instead of argv[1] to indicate an invalid socket path,
 both reported by Jon Maloy]
[sbrivio: In pesto's main(), drop unnecessary newline from error
 message, reported by Laurent]
[sbrivio: Don't use SOCK_NONBLOCK on accept4(), as that only applies
 to the *new* file descriptor, which we don't want -- set O_NONBLOCK
 on the listening file descriptor using fcntl()]
[sbrivio: Switch to protocol version 1, and reflect the true magic
 behind pesto, i.e. basil, into the magic string]
[sbrivio: Fix conflicts in the Makefile caused by the fact that I'm
 not merging a previous series reworking it]
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Reviewed-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Start implementing pesto in earnest.  Create a control/configuration
socket in passt.  Have pesto connect to it and retrieve a server greeting.
Perform some basic version checking.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
[sbrivio: Avoid potential recursive calling between conf_accept() and
 conf_close(), reported by clang-tidy]
[sbrivio: In conf(), check we're not exceeding sizeof(c-&gt;control_path)
 instead of sizeof(c-&gt;socket_path), and, in pesto's main(), print
 argv[optind] instead of argv[1] to indicate an invalid socket path,
 both reported by Jon Maloy]
[sbrivio: In pesto's main(), drop unnecessary newline from error
 message, reported by Laurent]
[sbrivio: Don't use SOCK_NONBLOCK on accept4(), as that only applies
 to the *new* file descriptor, which we don't want -- set O_NONBLOCK
 on the listening file descriptor using fcntl()]
[sbrivio: Switch to protocol version 1, and reflect the true magic
 behind pesto, i.e. basil, into the magic string]
[sbrivio: Fix conflicts in the Makefile caused by the fact that I'm
 not merging a previous series reworking it]
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Reviewed-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fwd: Store forwarding tables indexed by (origin) pif</title>
<updated>2026-03-28T13:35:48+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2026-03-27T04:34:20+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=559d4dcbd3593f6a7fc1cefd12666f56a1901652'/>
<id>559d4dcbd3593f6a7fc1cefd12666f56a1901652</id>
<content type='text'>
Currently we store the inbound (PIF_HOST) and outbound (PIF_SPLICE)
forwarding tables in separate fields of struct ctx.  In a number of places
this requires somewhat awkward if or switch constructs to select the
right table for updates.  Conceptually simplify that by using an index of
forwarding tables by pif, which as a bonus keeps track generically which
pifs have implemented forwarding tables so far.

For now this doesn't simplify a lot textually, because many places that
need this also have other special cases to apply by pif.  It does simplify
a few crucial places though, and we expect it will become more useful as
the flexibility of the forwarding table is improved.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Currently we store the inbound (PIF_HOST) and outbound (PIF_SPLICE)
forwarding tables in separate fields of struct ctx.  In a number of places
this requires somewhat awkward if or switch constructs to select the
right table for updates.  Conceptually simplify that by using an index of
forwarding tables by pif, which as a bonus keeps track generically which
pifs have implemented forwarding tables so far.

For now this doesn't simplify a lot textually, because many places that
need this also have other special cases to apply by pif.  It does simplify
a few crucial places though, and we expect it will become more useful as
the flexibility of the forwarding table is improved.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fwd: Unify TCP and UDP forwarding tables</title>
<updated>2026-03-11T21:11:30+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2026-03-11T12:03:11+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=d460ca3236bafa724686a5ad7f585d70962f7373'/>
<id>d460ca3236bafa724686a5ad7f585d70962f7373</id>
<content type='text'>
Currently TCP and UDP each have their own forwarding tables.  This is
awkward in a few places, where we need switch statements to select the
correct table.  More importantly, it would make things awkward and messy to
extend to other protocols in future, which we're likely to want to do.

Merge the TCP and UDP tables into a single table per (source) pif, with the
protocol given in each rule entry.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Currently TCP and UDP each have their own forwarding tables.  This is
awkward in a few places, where we need switch statements to select the
correct table.  More importantly, it would make things awkward and messy to
extend to other protocols in future, which we're likely to want to do.

Merge the TCP and UDP tables into a single table per (source) pif, with the
protocol given in each rule entry.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix misnamed field in struct ctx comments</title>
<updated>2026-03-11T21:11:30+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2026-03-11T12:03:09+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=d30e0b7699dde95c337a391bb991ac800d059e13'/>
<id>d30e0b7699dde95c337a391bb991ac800d059e13</id>
<content type='text'>
@no_udp wasn't listed, but @no_tcp was listed twice.

Fixes: 1e49d194d017 ("passt, pasta: Introduce command-line options and port re-mapping")
Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
@no_udp wasn't listed, but @no_tcp was listed twice.

Fixes: 1e49d194d017 ("passt, pasta: Introduce command-line options and port re-mapping")
Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>conf, pasta: Add --splice-only option</title>
<updated>2026-01-19T08:12:27+00:00</updated>
<author>
<name>Yumei Huang</name>
<email>yuhuang@redhat.com</email>
</author>
<published>2026-01-16T03:25:09+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=cee7eb0dbf89cc096b8dea50999c6b90708defe4'/>
<id>cee7eb0dbf89cc096b8dea50999c6b90708defe4</id>
<content type='text'>
This patch introduces a mode where we only forward loopback connections
and traffic between two namespaces (via the loopback interface, 'lo'),
without a tap device.

It might be used to fix up podman IPv4 / IPv6 loopback mapping when using
rootlesskit for forwarding ports, or a way to implement isolated containers.

In this mode, --host-lo-to-ns-lo and --no-icmp are automatically enabled.
Option --no-splice is rejected.

Link: https://bugs.passt.top/show_bug.cgi?id=149
Signed-off-by: Yumei Huang &lt;yuhuang@redhat.com&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch introduces a mode where we only forward loopback connections
and traffic between two namespaces (via the loopback interface, 'lo'),
without a tap device.

It might be used to fix up podman IPv4 / IPv6 loopback mapping when using
rootlesskit for forwarding ports, or a way to implement isolated containers.

In this mode, --host-lo-to-ns-lo and --no-icmp are automatically enabled.
Option --no-splice is rejected.

Link: https://bugs.passt.top/show_bug.cgi?id=149
Signed-off-by: Yumei Huang &lt;yuhuang@redhat.com&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>treewide: Don't rely on terminator records in ip[46].dns arrays</title>
<updated>2026-01-10T18:27:45+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2026-01-07T01:46:04+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=accc33148e0aab5597b7f409f8e97f8985c1828a'/>
<id>accc33148e0aab5597b7f409f8e97f8985c1828a</id>
<content type='text'>
In our arrays of DNS resolvers to pass to the guest we use a blank entry
to indicate the end of the list.  We rely on this when scanning the array,
not having separate bounds checking.  clang-tidy 21.1.7 has fancier
checking for array overruns in loops, but it's not able to reason that
there's always a terminating entry, so complains.

Indeed, it's correct to do so in this case.  Although we allow space in the
arrays for the terminator (size MAXNS + 1), add_dns[46]() check only for
    idx &gt;= ARRAY_SIZE()
before adding an entry.  This allows it to consume the last slot with a
"real" entry, meaning the places where we scan really could overrun.

Fix the bug, and make it easier to reason about (for both clang-tidy and
people) by using ARRAY_SIZE() based bounds checking.  Treat the terminator
explicitly as an early exit case using 'break'.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Reviewed-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
[sbrivio: Fix up comments to @dns in structs ip4_ctx and ip6_ctx]
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In our arrays of DNS resolvers to pass to the guest we use a blank entry
to indicate the end of the list.  We rely on this when scanning the array,
not having separate bounds checking.  clang-tidy 21.1.7 has fancier
checking for array overruns in loops, but it's not able to reason that
there's always a terminating entry, so complains.

Indeed, it's correct to do so in this case.  Although we allow space in the
arrays for the terminator (size MAXNS + 1), add_dns[46]() check only for
    idx &gt;= ARRAY_SIZE()
before adding an entry.  This allows it to consume the last slot with a
"real" entry, meaning the places where we scan really could overrun.

Fix the bug, and make it easier to reason about (for both clang-tidy and
people) by using ARRAY_SIZE() based bounds checking.  Treat the terminator
explicitly as an early exit case using 'break'.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Reviewed-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
[sbrivio: Fix up comments to @dns in structs ip4_ctx and ip6_ctx]
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>util: Extend sock_probe_mem() to sock_probe_features()</title>
<updated>2025-12-02T22:06:25+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2025-12-02T04:02:02+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=0ae7b8c21bdb6130686f6c8aead3e8ab4c0921c8'/>
<id>0ae7b8c21bdb6130686f6c8aead3e8ab4c0921c8</id>
<content type='text'>
sock_probe_mem() currently checks whether we're able to allocate large
socket buffers.  Extend it to also check whether the SO_BINDTODEVICE
socket option is available.  Rename to sock_probe_features() to reflect the
new functionality.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
[sbrivio: Add whitespace around "-" in sock_probe_features()]
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
sock_probe_mem() currently checks whether we're able to allocate large
socket buffers.  Extend it to also check whether the SO_BINDTODEVICE
socket option is available.  Rename to sock_probe_features() to reflect the
new functionality.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
[sbrivio: Add whitespace around "-" in sock_probe_features()]
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
