passt/udp.c, branch podman23739 Plug A Simple Socket Transport flow, treewide: Promote priority of selected flow-linked messages 2026-06-09T02:28:20+00:00 David Gibson david@gibson.dropbear.id.au 2026-06-05T12:30:40+00:00 dd8923b8adb9ab1e1ad79727ee0a912131f6e2cb Most of out flow specific log messages are debug level for fear of flooding the logs, even when they report real error conditions that might be off significance. Now that we have the mechanisms for log message rate limiting, we can do better. Promote many flow related messages to warning or error level, with rate limiting. While we're there add ratelimiting to a handful of existing warning or error level messages. They general heuristic is to promote messages that report a failure which is not something that should be triggered by the guest doing something weird. This mostly means failures from socket operations we expect to be legitimate. Adding the ratelimiting means plumbing the 'now' timestamp through much more of the code, hence the large churn. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> 
Most of out flow specific log messages are debug level for fear of flooding
the logs, even when they report real error conditions that might be off
significance.

Now that we have the mechanisms for log message rate limiting, we can do
better.  Promote many flow related messages to warning or error level, with
rate limiting.  While we're there add ratelimiting to a handful of existing
warning or error level messages.

They general heuristic is to promote messages that report a failure which
is not something that should be triggered by the guest doing something
weird.  This mostly means failures from socket operations we expect to be
legitimate.

Adding the ratelimiting means plumbing the 'now' timestamp through much
more of the code, hence the large churn.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
flow: Include flow details with higher priority log messages 2026-06-09T02:18:40+00:00 David Gibson david@gibson.dropbear.id.au 2026-06-05T10:30:46+00:00 b2787350eab2a69d90a583dbc5a648b8c6cbf15b Currently flow_log() and related functions / macros have a 'details' parameter which indicates whether to add extra messages with details of the flow's addresses. This is still a bit awkward to invoke, and only used in a few places. Change the logic, to automatically include the details if and only if the log priority is greater than LOG_DEBUG. Rationale: If at debug log level, there are already a bunch of debug messages tracking the flow life cycle, which include those details (we make sure to retain those). It's usually pretty easy to cross reference a specific flow debug message with the flow's history including the details. If at higher log level, and we generate a flow-connected error or warning we don't have those life cycle messages. So, just giving the flow index doesn't really tell you anything about which flow tripped the error. Adding the address details make the error message significantly more useful. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> 
Currently flow_log() and related functions / macros have a 'details'
parameter which indicates whether to add extra messages with details of the
flow's addresses.  This is still a bit awkward to invoke, and only used in
a few places.  Change the logic, to automatically include the details if
and only if the log priority is greater than LOG_DEBUG.

Rationale:

If at debug log level, there are already a bunch of debug messages tracking
the flow life cycle, which include those details (we make sure to retain
those).  It's usually pretty easy to cross reference a specific flow debug
message with the flow's history including the details.

If at higher log level, and we generate a flow-connected error or warning
we don't have those life cycle messages.  So, just giving the flow index
doesn't really tell you anything about which flow tripped the error.
Adding the address details make the error message significantly more
useful.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
flow: Regularise flow specific logging helpers 2026-06-09T02:18:40+00:00 David Gibson david@gibson.dropbear.id.au 2026-06-05T10:12:18+00:00 06e98568c44ddde26e7011ffd4ac488e63bf485a flow.h has a collection of logging helpers that automatically include information about a specific flow. Which variants are present are a bit ad-hoc, based on what we happened to want use (e.g. there are no LOG_WARNING level versions, at present). There's also a rather awkward and only occasionally used flow_log_details_() helper to print additional log messages with more details of the flow (basically its addresses). It's particularly awkward to try to combine that with ratelimiting. Re-organise this to be based around a flow_log__() internal helper, which has bool parameters to include strerror() / perror information and/or the extra details. Add wrapper macros for all combinations of perror, ratelimiting and DEBUG/WARNING/ERR priorities. Be a little more consistent about parameter order between the various functions / macros / wrappers while we're at it. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> 
flow.h has a collection of logging helpers that automatically include
information about a specific flow.  Which variants are present are a bit
ad-hoc, based on what we happened to want use (e.g. there are no
LOG_WARNING level versions, at present).  There's also a rather awkward
and only occasionally used flow_log_details_() helper to print additional
log messages with more details of the flow (basically its addresses).
It's particularly awkward to try to combine that with ratelimiting.

Re-organise this to be based around a flow_log__() internal helper, which
has bool parameters to include strerror() / perror information and/or
the extra details.  Add wrapper macros for all combinations of perror,
ratelimiting and DEBUG/WARNING/ERR priorities.

Be a little more consistent about parameter order between the various
functions / macros / wrappers while we're at it.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
udp: Pass iov_tail to udp_update_hdr4()/udp_update_hdr6() 2026-05-26T10:17:07+00:00 Laurent Vivier lvivier@redhat.com 2026-05-20T09:55:26+00:00 dec66c02b5e43e0ef809afa47e1008e143a01250 Change udp_update_hdr4() and udp_update_hdr6() to take an iov_tail pointing at the UDP frame instead of a contiguous udp_payload_t buffer and explicit data length. This lets vhost-user pass scatter-gather virtqueue buffers directly without an intermediate copy. The UDP header is built into a local struct udphdr and written back with IOV_PUSH_HEADER(). On the tap side, udp_tap_prepare() wraps the existing udp_payload_t in a two-element iov to match the new interface. Signed-off-by: Laurent Vivier <lvivier@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Change udp_update_hdr4() and udp_update_hdr6() to take an iov_tail
pointing at the UDP frame instead of a contiguous udp_payload_t buffer
and explicit data length.  This lets vhost-user pass scatter-gather
virtqueue buffers directly without an intermediate copy.

The UDP header is built into a local struct udphdr and written back with
IOV_PUSH_HEADER().  On the tap side, udp_tap_prepare() wraps the
existing udp_payload_t in a two-element iov to match the new interface.

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
checksum: Pass explicit L4 length to checksum functions 2026-05-19T23:21:38+00:00 Laurent Vivier lvivier@redhat.com 2026-05-13T11:52:14+00:00 aa78f63c3c9491a9cad9f3c805a59748bd8c1ae2 The iov_tail passed to csum_iov_tail() may contain padding or trailing data beyond the actual L4 payload. Rather than relying on iov_tail_size() to determine how many bytes to checksum, pass the length explicitly so that only the relevant payload bytes are included in the checksum computation. Signed-off-by: Laurent Vivier <lvivier@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> Reviewed-by: Jon Maloy <jmaloy@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
The iov_tail passed to csum_iov_tail() may contain padding or trailing
data beyond the actual L4 payload.  Rather than relying on
iov_tail_size() to determine how many bytes to checksum, pass the
length explicitly so that only the relevant payload bytes are included
in the checksum computation.

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
tap, tcp, udp: Use rate-limited logging 2026-04-15T18:59:35+00:00 Anshu Kumari anskuma@redhat.com 2026-04-10T10:37:37+00:00 5ac9cf11a512e6d54c94a2e6a7ddaabc10cb5b9b Now that rate-limited logging macros are available, promote several debug messages to higher severity levels. These messages were previously kept at debug to prevent guests from flooding host logs, but with rate limiting they can safely be made visible in normal operation. In tap.c, refactor tap4_is_fragment() to use warn_ratelimit() instead of its ad-hoc rate limiting, and promote the guest MAC address change message to info level. In tcp.c, promote the invalid TCP SYN endpoint message to warn level. In udp.c, promote dropped datagram messages to warn level, and rate-limit the unrecoverable socket error message. In udp_flow.c, promote flow allocation failures to err_ratelimit. Link: https://bugs.passt.top/show_bug.cgi?id=134 Signed-off-by: Anshu Kumari <anskuma@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Now that rate-limited logging macros are available, promote several
debug messages to higher severity levels.  These messages were
previously kept at debug to prevent guests from flooding host
logs, but with rate limiting they can safely be made visible in
normal operation.

In tap.c, refactor tap4_is_fragment() to use warn_ratelimit() instead
of its ad-hoc rate limiting, and promote the guest MAC address change
message to info level.

In tcp.c, promote the invalid TCP SYN endpoint message to warn level.

In udp.c, promote dropped datagram messages to warn level, and
rate-limit the unrecoverable socket error message.

In udp_flow.c, promote flow allocation failures to err_ratelimit.

Link: https://bugs.passt.top/show_bug.cgi?id=134
Signed-off-by: Anshu Kumari <anskuma@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
treewide: Spell ASSERT() as assert() 2026-03-20T20:05:29+00:00 David Gibson david@gibson.dropbear.id.au 2026-03-19T06:11:43+00:00 bc872d91765dfd6ff34b0e9a34bce410fac1cef3 The standard library assert(3), at least with glibc, hits our seccomp filter and dies with SIGSYS before it's able to print a message, making it near useless. Therefore, since 7a8ed9459dfe ("Make assertions actually useful") we've instead used our own implementation, named ASSERT(). This makes our code look slightly odd though - ASSERT() has the same overall effect as assert(), it's just a different implementation. More importantly this makes it awkward to share code between passt/pasta proper and things that compile in a more typical environment. We're going to want that for our upcoming dynamic configuration tool. Address this by overriding the standard library's assert() implementation with our own, instead of giving ours its own name. The standard assert() is supposed to be omitted if NDEBUG is defined, which ours doesn't do. Implement that as well, so ours doesn't unexpectedly differ. For the -DNDEBUG case we do this by *not* overriding assert(), since it will be a no-op anyway. This requires a few places to add a #include <assert.h> to let us compile (albeit with warnings) when -DNDEBUG. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> [sbrivio: Fix some conflicts and missing conversions as a result of applying "vu_common: Move iovec management into vu_collect()" first] Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
The standard library assert(3), at least with glibc, hits our seccomp
filter and dies with SIGSYS before it's able to print a message, making it
near useless.  Therefore, since 7a8ed9459dfe ("Make assertions actually
useful") we've instead used our own implementation, named ASSERT().

This makes our code look slightly odd though - ASSERT() has the same
overall effect as assert(), it's just a different implementation.  More
importantly this makes it awkward to share code between passt/pasta proper
and things that compile in a more typical environment.  We're going to want
that for our upcoming dynamic configuration tool.

Address this by overriding the standard library's assert() implementation
with our own, instead of giving ours its own name.

The standard assert() is supposed to be omitted if NDEBUG is defined,
which ours doesn't do.  Implement that as well, so ours doesn't
unexpectedly differ.  For the -DNDEBUG case we do this by *not* overriding
assert(), since it will be a no-op anyway.  This requires a few places to
add a #include <assert.h> to let us compile (albeit with warnings) when
-DNDEBUG.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
[sbrivio: Fix some conflicts and missing conversions as a result of
 applying "vu_common: Move iovec management into vu_collect()" first]
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
fwd: Unify TCP and UDP forwarding tables 2026-03-11T21:11:30+00:00 David Gibson david@gibson.dropbear.id.au 2026-03-11T12:03:11+00:00 d460ca3236bafa724686a5ad7f585d70962f7373 Currently TCP and UDP each have their own forwarding tables. This is awkward in a few places, where we need switch statements to select the correct table. More importantly, it would make things awkward and messy to extend to other protocols in future, which we're likely to want to do. Merge the TCP and UDP tables into a single table per (source) pif, with the protocol given in each rule entry. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Currently TCP and UDP each have their own forwarding tables.  This is
awkward in a few places, where we need switch statements to select the
correct table.  More importantly, it would make things awkward and messy to
extend to other protocols in future, which we're likely to want to do.

Merge the TCP and UDP tables into a single table per (source) pif, with the
protocol given in each rule entry.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
fwd: Split forwarding table from port scanning state 2026-03-11T21:11:30+00:00 David Gibson david@gibson.dropbear.id.au 2026-03-11T12:03:10+00:00 bb2e4dda0f7c9b92195ab84920430659425afbc0 For hsitorical reasons, struct fwd_ports contained both the new forwarding table and some older state related to port / scanning auto-forwarding detection. They are related, but keeping them together prevents some future reworks we want to do. Separate them into struct fwd_table (for the table) and struct fwd_scan for the scanning state. Adjusting all the users makes for a logically straightforward, but fairly extensive patch. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
For hsitorical reasons, struct fwd_ports contained both the new forwarding
table and some older state related to port / scanning auto-forwarding
detection.  They are related, but keeping them together prevents some
future reworks we want to do.

Separate them into struct fwd_table (for the table) and struct fwd_scan
for the scanning state.  Adjusting all the users makes for a logically
straightforward, but fairly extensive patch.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
fwd, pif: Replace with pif_sock_l4() with pif_listen() 2026-03-04T16:52:55+00:00 David Gibson david@gibson.dropbear.id.au 2026-03-02T04:31:34+00:00 9ee780567310f2486e1510db502a96e5b1a81a1c It turns out all users of pif_sock_l4() use it for "listening" sockets, which now all have a common epoll reference format. We can take advantage of that to pass the necessary epoll information into pif_sock_l4() in a more natural way, rather than as an opaque u32. That in turn allows union fwd_listen_ref can become a struct, since the union only exist to allow the meaningful fields to be coerced into a u32 for pif_sock_l4(). Rename pif_sock_l4() to pif_listen() to reflect the new semantics. While we're there, remove the static_assert() on the fwd_listen_ref's size. We do still need it to fit into 32 bits, but that constraint is imposed only by the fact that it needs to fit into the whole, epoll_ref structure, which we already check with a static_assert() in epoll_ctl.h. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Reported-by: Peter Foley <pefoley@google.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
It turns out all users of pif_sock_l4() use it for "listening" sockets,
which now all have a common epoll reference format.  We can take advantage
of that to pass the necessary epoll information into pif_sock_l4() in a
more natural way, rather than as an opaque u32.

That in turn allows union fwd_listen_ref can become a struct, since the
union only exist to allow the meaningful fields to be coerced into a u32
for pif_sock_l4().

Rename pif_sock_l4() to pif_listen() to reflect the new semantics.  While
we're there, remove the static_assert() on the fwd_listen_ref's size.  We
do still need it to fit into 32 bits, but that constraint is imposed only
by the fact that it needs to fit into the whole, epoll_ref structure,
which we already check with a static_assert() in epoll_ctl.h.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Reported-by: Peter Foley <pefoley@google.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>