passt/tcp.c, branch podman23739 Plug A Simple Socket Transport flow, treewide: Promote priority of selected flow-linked messages 2026-06-09T02:28:20+00:00 David Gibson david@gibson.dropbear.id.au 2026-06-05T12:30:40+00:00 dd8923b8adb9ab1e1ad79727ee0a912131f6e2cb Most of out flow specific log messages are debug level for fear of flooding the logs, even when they report real error conditions that might be off significance. Now that we have the mechanisms for log message rate limiting, we can do better. Promote many flow related messages to warning or error level, with rate limiting. While we're there add ratelimiting to a handful of existing warning or error level messages. They general heuristic is to promote messages that report a failure which is not something that should be triggered by the guest doing something weird. This mostly means failures from socket operations we expect to be legitimate. Adding the ratelimiting means plumbing the 'now' timestamp through much more of the code, hence the large churn. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> 
Most of out flow specific log messages are debug level for fear of flooding
the logs, even when they report real error conditions that might be off
significance.

Now that we have the mechanisms for log message rate limiting, we can do
better.  Promote many flow related messages to warning or error level, with
rate limiting.  While we're there add ratelimiting to a handful of existing
warning or error level messages.

They general heuristic is to promote messages that report a failure which
is not something that should be triggered by the guest doing something
weird.  This mostly means failures from socket operations we expect to be
legitimate.

Adding the ratelimiting means plumbing the 'now' timestamp through much
more of the code, hence the large churn.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
flow: Safer errno handling in flowside_connect() callers 2026-06-09T02:18:40+00:00 David Gibson david@gibson.dropbear.id.au 2026-06-05T11:04:26+00:00 d71e04013af0f449effcf2ec18235f6e1d1cbf5c flowside_connect() behaves much like connect(2) itself, returning -1 on error with errno set to the error code. One of the callers, in udp_flow_sock(), uses the errno code with flow_dbg_perror() *after* it's called epoll_del() and close() either of which could clobber errno. Change flowside_connect() to use the more regular convention for internal functions: return a negative errno code on error, rather than just -1. Save it in the callers and use that rather than raw errno to print the message. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> 
flowside_connect() behaves much like connect(2) itself, returning -1 on
error with errno set to the error code.  One of the callers, in
udp_flow_sock(), uses the errno code with flow_dbg_perror() *after* it's
called epoll_del() and close() either of which could clobber errno.

Change flowside_connect() to use the more regular convention for internal
functions: return a negative errno code on error, rather than just -1.
Save it in the callers and use that rather than raw errno to print the
message.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
flow: Regularise flow specific logging helpers 2026-06-09T02:18:40+00:00 David Gibson david@gibson.dropbear.id.au 2026-06-05T10:12:18+00:00 06e98568c44ddde26e7011ffd4ac488e63bf485a flow.h has a collection of logging helpers that automatically include information about a specific flow. Which variants are present are a bit ad-hoc, based on what we happened to want use (e.g. there are no LOG_WARNING level versions, at present). There's also a rather awkward and only occasionally used flow_log_details_() helper to print additional log messages with more details of the flow (basically its addresses). It's particularly awkward to try to combine that with ratelimiting. Re-organise this to be based around a flow_log__() internal helper, which has bool parameters to include strerror() / perror information and/or the extra details. Add wrapper macros for all combinations of perror, ratelimiting and DEBUG/WARNING/ERR priorities. Be a little more consistent about parameter order between the various functions / macros / wrappers while we're at it. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> 
flow.h has a collection of logging helpers that automatically include
information about a specific flow.  Which variants are present are a bit
ad-hoc, based on what we happened to want use (e.g. there are no
LOG_WARNING level versions, at present).  There's also a rather awkward
and only occasionally used flow_log_details_() helper to print additional
log messages with more details of the flow (basically its addresses).
It's particularly awkward to try to combine that with ratelimiting.

Re-organise this to be based around a flow_log__() internal helper, which
has bool parameters to include strerror() / perror information and/or
the extra details.  Add wrapper macros for all combinations of perror,
ratelimiting and DEBUG/WARNING/ERR priorities.

Be a little more consistent about parameter order between the various
functions / macros / wrappers while we're at it.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
passt, tcp: Inline CALL_PROTO_HANDLER() and merge tcp_timer() 2026-06-04T04:45:09+00:00 Laurent Vivier lvivier@redhat.com 2026-06-02T13:17:08+00:00 31d0893d47e3d147b3a1597bbede7de65281a62f Since 260075bde769 ("tcp, udp, fwd: Run all port scanning from a single timer"), CALL_PROTO_HANDLER() has only one user (tcp), so inline it at the call site and remove the macro. Merge tcp_timer() into tcp_defer_handler(), moving the timer interval check there, matching the pattern used by flow_defer_handler() and fwd_scan_ports_timer(). The weak declaration and null check for tcp_defer_handler are also dropped as the function is always defined. Signed-off-by: Laurent Vivier <lvivier@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Since 260075bde769 ("tcp, udp, fwd: Run all port scanning from a
single timer"), CALL_PROTO_HANDLER() has only one user (tcp), so
inline it at the call site and remove the macro.

Merge tcp_timer() into tcp_defer_handler(), moving the timer interval
check there, matching the pattern used by flow_defer_handler() and
fwd_scan_ports_timer().

The weak declaration and null check for tcp_defer_handler are also
dropped as the function is always defined.

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
tcp: Don't leak sockets on error paths 2026-05-27T08:17:42+00:00 David Gibson david@gibson.dropbear.id.au 2026-05-13T07:18:21+00:00 4b2823784aab04a70dfc295b16fd6f0592955790 tcp_listen_handler() has several error paths that will cancel the creation of a new flow, after having accept()ed an incoming socket connection. Coverity pointed out that in those cases we leak the new socket. Correct this by properly closing the socket. Make sure to also set SO_LINGER so that the peer will get an RST. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
tcp_listen_handler() has several error paths that will cancel the creation
of a new flow, after having accept()ed an incoming socket connection.
Coverity pointed out that in those cases we leak the new socket.  Correct
this by properly closing the socket.  Make sure to also set SO_LINGER so
that the peer will get an RST.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
tcp, tcp_splice: Make helper for setting SO_LINGER socket option 2026-05-27T08:17:18+00:00 David Gibson david@gibson.dropbear.id.au 2026-05-13T07:18:20+00:00 98e3c015b3791ff55381e5ee687f541721d1695e Both spliced and non-spliced TCP in some cases set the SO_LINGER socket option in order to to force a TCP RST on a socket side connection. In each case we open code the setsockopt() logic. We're shortly going to add another place that needs this, so move the setsockopt() and error handling logic into a shared helper. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Both spliced and non-spliced TCP in some cases set the SO_LINGER socket
option in order to to force a TCP RST on a socket side connection.  In each
case we open code the setsockopt() logic.  We're shortly going to add
another place that needs this, so move the setsockopt() and error handling
logic into a shared helper.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
tcp: Encode checksum computation flags in a single parameter 2026-05-26T10:17:10+00:00 Laurent Vivier lvivier@redhat.com 2026-05-20T15:10:07+00:00 92845dd9f0450d54c135ccef6b118fc259ea8dad tcp_fill_headers() takes a pointer to a previously computed IPv4 header checksum to avoid recalculating it when the payload length doesn't change, and a separate bool to skip TCP checksum computation. Replace both parameters with a single uint32_t csum_flags that encodes: - IP4_CSUM (bit 31): compute IPv4 header checksum from scratch - TCP_CSUM (bit 30): compute TCP checksum - IP4_CMASK (low 16 bits): cached IPv4 header checksum value When IP4_CSUM is not set, the cached checksum is extracted from the low 16 bits. This is cleaner than the pointer-based approach, and also avoids a potential dangling pointer issue: a subsequent patch makes tcp_fill_headers() access ip4h via with_header(), which scopes it to a temporary variable, so a pointer to ip4h->check would become invalid after the with_header() block. Suggested-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Laurent Vivier <lvivier@redhat.com> Reviewed-by: Jon Maloy <jmaloy@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
tcp_fill_headers() takes a pointer to a previously computed IPv4 header
checksum to avoid recalculating it when the payload length doesn't
change, and a separate bool to skip TCP checksum computation.

Replace both parameters with a single uint32_t csum_flags that encodes:
- IP4_CSUM (bit 31): compute IPv4 header checksum from scratch
- TCP_CSUM (bit 30): compute TCP checksum
- IP4_CMASK (low 16 bits): cached IPv4 header checksum value

When IP4_CSUM is not set, the cached checksum is extracted from the low
16 bits.  This is cleaner than the pointer-based approach, and also
avoids a potential dangling pointer issue: a subsequent patch makes
tcp_fill_headers() access ip4h via with_header(), which scopes it to a
temporary variable, so a pointer to ip4h->check would become invalid
after the with_header() block.

Suggested-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: Jon Maloy <jmaloy@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
tcp: Pass explicit data length to tcp_fill_headers() 2026-05-19T23:21:51+00:00 Laurent Vivier lvivier@redhat.com 2026-05-13T11:52:17+00:00 de6387aa0bed9e01c99e58a0f3e01f617bc7fe33 tcp_fill_headers() computed the TCP payload length from iov_tail_size(), but with vhost-user multibuffer frames, the iov_tail will be larger than the actual data. Pass the data length explicitly so that IP total length, pseudo-header, and checksum computations use the correct value. Signed-off-by: Laurent Vivier <lvivier@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> Reviewed-by: Jon Maloy <jmaloy@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
tcp_fill_headers() computed the TCP payload length from iov_tail_size(),
but with vhost-user multibuffer frames, the iov_tail will be larger than
the actual data.  Pass the data length explicitly so that IP total
length, pseudo-header, and checksum computations use the correct value.

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
checksum: Pass explicit L4 length to checksum functions 2026-05-19T23:21:38+00:00 Laurent Vivier lvivier@redhat.com 2026-05-13T11:52:14+00:00 aa78f63c3c9491a9cad9f3c805a59748bd8c1ae2 The iov_tail passed to csum_iov_tail() may contain padding or trailing data beyond the actual L4 payload. Rather than relying on iov_tail_size() to determine how many bytes to checksum, pass the length explicitly so that only the relevant payload bytes are included in the checksum computation. Signed-off-by: Laurent Vivier <lvivier@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> Reviewed-by: Jon Maloy <jmaloy@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
The iov_tail passed to csum_iov_tail() may contain padding or trailing
data beyond the actual L4 payload.  Rather than relying on
iov_tail_size() to determine how many bytes to checksum, pass the
length explicitly so that only the relevant payload bytes are included
in the checksum computation.

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
treewide: Make some additional variables static 2026-05-11T22:04:08+00:00 David Gibson david@gibson.dropbear.id.au 2026-05-11T10:03:21+00:00 97e478b40d4154cf007641f1e247cc3fef8392ad Mark a number of extra variables local to a single module as static. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Reviewed-by: Laurent Vivier <lvivier@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Mark a number of extra variables local to a single module as static.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>