<feed xmlns='http://www.w3.org/2005/Atom'>
<title>passt/udp.h, branch ndebug</title>
<subtitle>Plug A Simple Socket Transport</subtitle>
<link rel='alternate' type='text/html' href='https://passt.top/passt/'/>
<entry>
<title>fwd: Unify TCP and UDP forwarding tables</title>
<updated>2026-03-11T21:11:30+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2026-03-11T12:03:11+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=d460ca3236bafa724686a5ad7f585d70962f7373'/>
<id>d460ca3236bafa724686a5ad7f585d70962f7373</id>
<content type='text'>
Currently TCP and UDP each have their own forwarding tables.  This is
awkward in a few places, where we need switch statements to select the
correct table.  More importantly, it would make things awkward and messy to
extend to other protocols in future, which we're likely to want to do.

Merge the TCP and UDP tables into a single table per (source) pif, with the
protocol given in each rule entry.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Currently TCP and UDP each have their own forwarding tables.  This is
awkward in a few places, where we need switch statements to select the
correct table.  More importantly, it would make things awkward and messy to
extend to other protocols in future, which we're likely to want to do.

Merge the TCP and UDP tables into a single table per (source) pif, with the
protocol given in each rule entry.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fwd: Split forwarding table from port scanning state</title>
<updated>2026-03-11T21:11:30+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2026-03-11T12:03:10+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=bb2e4dda0f7c9b92195ab84920430659425afbc0'/>
<id>bb2e4dda0f7c9b92195ab84920430659425afbc0</id>
<content type='text'>
For historical reasons, struct fwd_ports contained both the new forwarding
table and some older state related to port / scanning auto-forwarding
detection.  They are related, but keeping them together prevents some
future reworks we want to do.

Separate them into struct fwd_table (for the table) and struct fwd_scan
for the scanning state.  Adjusting all the users makes for a logically
straightforward, but fairly extensive patch.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
For historical reasons, struct fwd_ports contained both the new forwarding
table and some older state related to port / scanning auto-forwarding
detection.  They are related, but keeping them together prevents some
future reworks we want to do.

Separate them into struct fwd_table (for the table) and struct fwd_scan
for the scanning state.  Adjusting all the users makes for a logically
straightforward, but fairly extensive patch.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Add missing includes to headers</title>
<updated>2026-03-04T16:39:57+00:00</updated>
<author>
<name>Peter Foley</name>
<email>pefoley@google.com</email>
</author>
<published>2026-02-23T18:11:19+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=adbf5c135f19db5b6751393b7f5cbf516031bde8'/>
<id>adbf5c135f19db5b6751393b7f5cbf516031bde8</id>
<content type='text'>
Support build systems like bazel that check that headers are
self-contained.

Also update includes so that clang-include-cleaner succeeds.

Tested with:
clang-include-cleaner-19 --extra-arg=-D_GNU_SOURCE --extra-arg=-DPAGE_SIZE=4096 --extra-arg=-DVERSION=\"git\" --extra-arg=-DHAS_GETRANDOM *.h *.c

Signed-off-by: Peter Foley &lt;pefoley@google.com&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Support build systems like bazel that check that headers are
self-contained.

Also update includes so that clang-include-cleaner succeeds.

Tested with:
clang-include-cleaner-19 --extra-arg=-D_GNU_SOURCE --extra-arg=-DPAGE_SIZE=4096 --extra-arg=-DVERSION=\"git\" --extra-arg=-DHAS_GETRANDOM *.h *.c

Signed-off-by: Peter Foley &lt;pefoley@google.com&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>udp: Split activity timeouts for UDP flows</title>
<updated>2026-02-15T01:48:34+00:00</updated>
<author>
<name>Yumei Huang</name>
<email>yuhuang@redhat.com</email>
</author>
<published>2026-02-14T07:31:36+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=bebafa72a982784164a7d556bd860ec0ed1e02c7'/>
<id>bebafa72a982784164a7d556bd860ec0ed1e02c7</id>
<content type='text'>
Frequent DNS queries over UDP from a container or guest can result
in many sockets shown in ss(8), typically one per flow. This is
expected and harmless, but it can make the output of ss(8) look
noisy and potentially concern users.

This patch splits UDP flow timeouts into two, mirroring the Linux
kernel, and sources the values from kernel parameters. The shorter
timeout is applied to unidirectional flows and minimal bidirectional
exchanges (single datagram and reply), while the longer timeout is
used for bidirectional flows with multiple datagrams on either side.

Link: https://bugs.passt.top/show_bug.cgi?id=197
Suggested-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Signed-off-by: Yumei Huang &lt;yuhuang@redhat.com&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Frequent DNS queries over UDP from a container or guest can result
in many sockets shown in ss(8), typically one per flow. This is
expected and harmless, but it can make the output of ss(8) look
noisy and potentially concern users.

This patch splits UDP flow timeouts into two, mirroring the Linux
kernel, and sources the values from kernel parameters. The shorter
timeout is applied to unidirectional flows and minimal bidirectional
exchanges (single datagram and reply), while the longer timeout is
used for bidirectional flows with multiple datagrams on either side.

Link: https://bugs.passt.top/show_bug.cgi?id=197
Suggested-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Signed-off-by: Yumei Huang &lt;yuhuang@redhat.com&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fwd, tcp, udp: Add forwarding rule to listening socket epoll references</title>
<updated>2026-01-18T11:48:06+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2026-01-16T00:59:25+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=fe37028466d3d29d74ebf53e9c53c9f139fbc74e'/>
<id>fe37028466d3d29d74ebf53e9c53c9f139fbc74e</id>
<content type='text'>
Now that we have a table of all our forwarding rules, every listening
socket can be associated with a specific rule.  Add an index allowing us to
locate that rule from the socket's epoll reference.  We don't use it yet,
but we'll use it to optimise rule lookup when forwarding new flows.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Now that we have a table of all our forwarding rules, every listening
socket can be associated with a specific rule.  Add an index allowing us to
locate that rule from the socket's epoll reference.  We don't use it yet,
but we'll use it to optimise rule lookup when forwarding new flows.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>tcp, udp: Remove old auto-forwarding socket arrays</title>
<updated>2026-01-18T11:47:50+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2026-01-16T00:59:20+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=acb7a3057bbc6af72399c44d747c1cf7fb92d17f'/>
<id>acb7a3057bbc6af72399c44d747c1cf7fb92d17f</id>
<content type='text'>
Now that we've moved listening socket management to the new forwarding
table data structure, the existing arrays of socket fds are maintained,
but never consulted.  Remove them.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Now that we've moved listening socket management to the new forwarding
table data structure, the existing arrays of socket fds are maintained,
but never consulted.  Remove them.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fwd, tcp, udp: Set up listening sockets based on forward table</title>
<updated>2026-01-18T11:47:47+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2026-01-16T00:59:19+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=b223bec48213060304c09882ce5b3055b15b7e07'/>
<id>b223bec48213060304c09882ce5b3055b15b7e07</id>
<content type='text'>
Previously we created inbound listening sockets as we parsed the forwarding
options (-t, -u) whereas outbound listening sockets were created during
{tcp,udp}_init().  Now that we have a data structure recording the full
details of the listening options we can move all listening socket creation
to {tcp,udp}_init().  This means that errors for either direction are
detected and reported the same way.

Introduce fwd_listen_sync() which synchronizes the state of listening
sockets to the forwarding rules table, both for fixed and automatic
forwards.

This does cause a change in semantics for "exclude only" port
specifications.  Previously an option like -t ~6000 wouldn't cause a
fatal error, as long as we could bind at least one port.  Now, it
requires at least one port for each generated rule; that is for each
of the contiguous blocks of ports the specification resolves to.  With
typical ephemeral ports settings that's one port each in 1..5999,
6001..32767 and 61000..65535.

Preserving the exact behaviour for this case would require a considerably
more complex data structure, so I'm hoping this is a sufficiently niche
case for the change to be acceptable.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Previously we created inbound listening sockets as we parsed the forwarding
options (-t, -u) whereas outbound listening sockets were created during
{tcp,udp}_init().  Now that we have a data structure recording the full
details of the listening options we can move all listening socket creation
to {tcp,udp}_init().  This means that errors for either direction are
detected and reported the same way.

Introduce fwd_listen_sync() which synchronizes the state of listening
sockets to the forwarding rules table, both for fixed and automatic
forwards.

This does cause a change in semantics for "exclude only" port
specifications.  Previously an option like -t ~6000 wouldn't cause a
fatal error, as long as we could bind at least one port.  Now, it
requires at least one port for each generated rule; that is for each
of the contiguous blocks of ports the specification resolves to.  With
typical ephemeral ports settings that's one port each in 1..5999,
6001..32767 and 61000..65535.

Preserving the exact behaviour for this case would require a considerably
more complex data structure, so I'm hoping this is a sufficiently niche
case for the change to be acceptable.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fwd, tcp, udp: Consolidate epoll refs for listening sockets</title>
<updated>2026-01-10T19:54:13+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2026-01-08T02:14:50+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=9ea9dde5b5f64562d5fb0385dfee967a8cfec0f3'/>
<id>9ea9dde5b5f64562d5fb0385dfee967a8cfec0f3</id>
<content type='text'>
The epoll references we use for TCP listening sockets and UDP "listening"
sockets have identical information.  Combine them into a single structure.
Note that, despite the name, epoll_ref.udp was only ever used for
"listening" sockets, not flow sockets.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Reviewed-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The epoll references we use for TCP listening sockets and UDP "listening"
sockets have identical information.  Combine them into a single structure.
Note that, despite the name, epoll_ref.udp was only ever used for
"listening" sockets, not flow sockets.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Reviewed-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>udp: Rename udp_sock_init() to udp_listen() with small cleanups</title>
<updated>2025-12-23T14:25:11+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2025-12-18T06:22:42+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=6292845bfed92c618480d58dae5cf9d045918191'/>
<id>6292845bfed92c618480d58dae5cf9d045918191</id>
<content type='text'>
Despite the name, this function is specifically for creating
"listening" sockets, not any others.  While we're there remove a redundant
check for (s &gt; FD_REF_MAX).  pif_sock_l4() already checks for this (and
must, in order to properly populate the epoll reference).

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Despite the name, this function is specifically for creating
"listening" sockets, not any others.  While we're there remove a redundant
check for (s &gt; FD_REF_MAX).  pif_sock_l4() already checks for this (and
must, in order to properly populate the epoll reference).

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>udp: Unify some more inbound/outbound parts of udp_sock_init()</title>
<updated>2025-12-02T22:07:21+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2025-12-02T04:02:08+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=c8d468339553b65818df784242d6abb787a36b45'/>
<id>c8d468339553b65818df784242d6abb787a36b45</id>
<content type='text'>
udp_sock_init() takes an 'ns' parameter determining if it creates a socket
in the guest namespace or host namespace.  Alter it to take a pif
parameter instead, like tcp_sock_init(), and use that change to slightly
reduce code duplication between the HOST and SPLICE cases.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
udp_sock_init() takes an 'ns' parameter determining if it creates a socket
in the guest namespace or host namespace.  Alter it to take a pif
parameter instead, like tcp_sock_init(), and use that change to slightly
reduce code duplication between the HOST and SPLICE cases.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
