aboutgitcodebugslistschat
Commit message (Collapse)AuthorAgeFilesLines
* util: Drop CHECK_SET_MIN_MAX{,_PROTO_FD} macrosStefano Brivio2022-03-251-14/+0
| | | | | | | ...those were used when epoll references used to be socket numbers, they should have gone away a long time ago. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* pcap: Fix mistake in printed stringStefano Brivio2022-03-251-1/+1
| | | | | | Packets are saved *to* a file, not *at* it. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* conf, util, tap: Implement --trace option for extra verbose loggingStefano Brivio2022-03-259-4/+55
| | | | | | | | --debug can be a bit too noisy, especially as single packets or socket messages are logged: implement a new option, --trace, implying --debug, that enables all debug messages. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* README: Make it somewhat readable on mobile devicesStefano Brivio2022-03-046-35/+161
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* hooks, README: gzipped js snippets, webp alternatives for pngStefano Brivio2022-03-022-4/+17
| | | | | | | | Upload gzipped js snippets for usage with gzip_static in nginx or equivalent. Convert png drawings to webp for smaller size, use them as alternatives in README. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* test/lib/setup: Unshare PID namespace in pasta_setup()Stefano Brivio2022-03-021-4/+8
| | | | | | ...otherwise, we'll leave processes (dhclient) around. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* README: Don't preload CI recording, show poster from end of runStefano Brivio2022-03-011-1/+1
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* README: s/guest/namespace/ in pasta "Try it" sectionStefano Brivio2022-03-011-1/+1
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* Makefile, hooks: Static target precondition for pkgs, copy .avx2 buildsStefano Brivio2022-03-013-9/+7
| | | | | | Convenience packages are anyway built from static builds. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* demo/pasta: Clean up before rebuilding with -gStefano Brivio2022-03-011-0/+1
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* arp, dhcp: Fix strict aliasing warnings reported by gcc 4.9 with -OfastStefano Brivio2022-02-282-8/+9
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt, pasta: Run-time selection of AVX2 buildStefano Brivio2022-02-289-48/+92
| | | | | | | | | | | | | Build-time selection of AVX2 flags and routines is not practical for distributions, but limiting AVX2 usage to checksum routines with specific run-time detection doesn't allow for easy performance gains from auto-vectorisation of batched packet handling routines. For x86_64, build non-AVX2 and AVX2 binaries, and implement a simple wrapper replacing the current executable with the AVX2 build if it's available, and if AVX2 is supported by the current CPU. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* test/distro/opensuse: Add Tumbleweed armv7l testStefano Brivio2022-02-281-0/+29
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* test/lib/term: Don't run demo when started as ./runStefano Brivio2022-02-281-1/+1
| | | | | | | I changed this in a previous commit by mistake, restore the original command. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* seccomp, tcp: Add fcntl64 to pasta syscalls for armv6l, armv7lStefano Brivio2022-02-281-1/+1
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* hooks/pre-push: Keep original cast on gzip, fix uploading with dashStefano Brivio2022-02-281-2/+3
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* demo/pasta: Exit namespace in 'ns' pane before restarting pastaStefano Brivio2022-02-281-0/+1
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* seccomp: Adjust list of allowed syscalls for armv6l, armv7lStefano Brivio2022-02-263-5/+9
| | | | | | | | | | | It looks like glibc commonly implements clock_gettime(2) with clock_gettime64(), and uses recv() instead of recvfrom(), send() instead of sendto(), and sigreturn() instead of rt_sigreturn() on armv6l and armv7l. Adjust the list of system calls for armv6l and armv7l accordingly. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt: Don't warn on failed madvise()Stefano Brivio2022-02-261-2/+1
| | | | | | | | A kernel might not be configured with CONFIG_TRANSPARENT_HUGEPAGE, especially on embedded systems. Ignore the error, it doesn't affect functionality. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* Makefile: Fix up AUDIT_ARCH for armv6l, armv7lStefano Brivio2022-02-261-0/+1
| | | | | | | There's a single AUDIT_ARCH_ARM define available (and big-endian shouldn't be a concern with those). Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tap: Cast ETH_MAX_MTU to signed in comparisonsStefano Brivio2022-02-261-2/+2
| | | | | | At least gcc 8.3 and 10.2 emit a warning on armv6l and armv7l. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* seccomp.sh: Handle syscall number defines in the (x + y) formStefano Brivio2022-02-261-0/+3
| | | | | | | This is the case at least for current glibc headers on armv6l and armv7l. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* udp: Explicitly initialise sin6_scope_id and sin_zero in sockaddr_in{,6}Stefano Brivio2022-02-251-0/+2
| | | | | | | Not functionally needed, but gcc versions 7 to 9 (at least) will issue a warning otherwise. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt: Explicitly check return value of chdir()Stefano Brivio2022-02-251-1/+3
| | | | | | | | ...it doesn't actually matter as we're checking errno at the very end, but, depending on build flags, chdir() might be declared with warn_unused_result and the compiler issues a warning. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* hooks: Uploaded compressed .cast files tooStefano Brivio2022-02-231-3/+6
| | | | | | ...to benefit from gzip_static in nginx or equivalent. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt.1: Drop duplicate --dns sectionStefano Brivio2022-02-231-11/+1
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* conf, ndp: Disable router advertisements on --config-netStefano Brivio2022-02-232-1/+6
| | | | | | | | | If we statically configure a default route, and also advertise it for SLAAC, the kernel will try moments later to add the same route: ICMPv6: RA: ndisc_router_discovery failed to add default route Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* netlink: Avoid left-over bytes in request on MTU configurationStefano Brivio2022-02-231-4/+7
| | | | | | | | | When nl_link() configures the MTU, it shouldn't send extra bytes, otherwise we'll get a kernel warning: netlink: 4 bytes leftover after parsing attributes in process `pasta'. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* test: Fix name of CI asciinema player in perf links handlerStefano Brivio2022-02-231-5/+4
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* README: Fix demo div grid layoutStefano Brivio2022-02-231-17/+23
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt: Drop PASST_LEGACY_NO_OPTIONS sectionsStefano Brivio2022-02-224-25/+0
| | | | | | ...nobody uses those builds anymore. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* demo, ci: Switch to asciinema(1) for terminal recordingsStefano Brivio2022-02-227-108/+142
| | | | | | | | | | For demos, cool-retro-term(1) looked fancier, but several threads of that and ffmpeg(1) are just messing up with performance testing. The CI videos started getting really big as well, and they were difficult to read. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* test: Add demo for Podman with pastaStefano Brivio2022-02-227-6/+959
| | | | | | | | ...showing setup steps, some peculiarities as --net option, and a general side-to-side comparison with slirp4netns(1), including "quick" TCP and UDP throughput and latency benchmarks. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* contrib: Add patch for Podman integrationStefano Brivio2022-02-211-0/+542
| | | | | | | | The patch introduces a "pasta" networking mode for rootless container, similar to the existing slirp4netns mode. Notable differences are described in the commit message. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* README, hooks: Build HTML man page on push, add a linkStefano Brivio2022-02-212-0/+5
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* man page: Update REPORTING BUGS sectionStefano Brivio2022-02-211-4/+5
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* test/perf/passt_udp: Drop threshold for 256B testStefano Brivio2022-02-211-2/+2
| | | | | | | | | That test fails sometimes, it looks like iperf3 is still sending initial messages that are too big. I'll need to figure out why, but given that 256 bytes is not really an expected MTU, drop the thresholds to zero for the moment being. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* test/distro/ubuntu: Use DEBIAN_FRONTEND=noninteractive for apt on 22.04Stefano Brivio2022-02-211-0/+1
| | | | | | | | | Removing the needrestart package doesn't seem to work anymore, and I'm getting again prompts to restart services after installing gcc and make: export DEBIAN_FRONTEND=noninteractive before installing packages to avoid that. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* pasta: By default, quit if filesystem-bound net namespace goes awayStefano Brivio2022-02-217-12/+107
| | | | | | | | | | | | This should be convenient for users managing filesystem-bound network namespaces: monitor the base directory of the namespace and exit if the namespace given as PATH or NAME target is deleted. We can't add an inotify watch directly on the namespace directory, that won't work with nsfs. Add an option to disable this behaviour, --no-netns-quit. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp, udp: Receive batching doesn't pay off when writing single frames to tapStefano Brivio2022-02-212-32/+37
| | | | | | | | | | | | | | | | In pasta mode, when we get data from sockets and write it as single frames to the tap device, we batch receive operations considerably, and then (conceptually) split the data in many smaller writes. It looked like an obvious choice, but performance is actually better if we receive data in many small frame-sized recvmsg()/recvmmsg(). The syscall overhead with the previous behaviour, observed by perf, comes predominantly from write operations, but receiving data in shorter chunks probably improves cache locality by a considerable amount. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* udp: Allow loopback connections from host using configured unicast addressStefano Brivio2022-02-211-2/+18
| | | | | | | | | | | | Likely for testing purposes only: allow connections from host to guest or namespace using, as connection target, the configured, possibly global unicast address. In this case, we have to map the destination address to a link-local address, and for port-based tracked responses, the source address needs to be again the unicast address: not loopback, not link-local. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* conf, udp: Introduce basic DNS forwardingStefano Brivio2022-02-218-38/+177
| | | | | | | | | | | | | | | | | | | | | | | | | For compatibility with libslirp/slirp4netns users: introduce a mechanism to map, in the UDP routines, an address facing guest or namespace to the first IPv4 or IPv6 address resulting from configuration as resolver. This can be enabled with the new --dns-forward option. This implies that sourcing and using DNS addresses and search lists, passed via command line or read from /etc/resolv.conf, is not bound anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just want to use addresses from /etc/resolv.conf as mapping target, while not passing DNS options via DHCP. Reflect this in all the involved code paths by differentiating DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns, --no-dhcp-search for passt. This should be the last bit to enable substantial compatibility between slirp4netns.sh and slirp4netns(1): pass the --dns-forward option from the script too. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* conf: Given IPv4 address and no netmask, assign RFC 790-style classesStefano Brivio2022-02-211-10/+10
| | | | | | | Provide a sane default, instead of /0, if an address is given, and it doesn't correspond to any host address we could find via netlink. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* conf: Don't print configuration on --quietStefano Brivio2022-02-211-1/+2
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* slirp4netns.sh: Implement API socket option for port forwardingStefano Brivio2022-02-211-7/+182
| | | | | | | | | | | | | | | | | | Introduce the equivalent of the --api-socket option from slirp4netns: spawn a subshell to handle requests, netcat binds to a UNIX domain socket and jq parses messages. Three minor differences compared to slirp4netns: - IPv6 ports are forwarded too - error messages are not as specific, for example we don't tell apart malformed JSON requests from invalid parameters - host addresses are always 0.0.0.0 and ::1, pasta doesn't bind on specific addresses for different ports Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* Makefile, conf, passt: Drop passt4netns references, explicit argc checkStefano Brivio2022-02-213-13/+15
| | | | | | | | | | | Nobody currently calls this as passt4netns, that was the name I used before 'pasta', drop any reference before it's too late. While at it, explicitly check that argc is bigger than or equal to one, just as a defensive measure: argv[0] being NULL is not an issue anyway. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt: Make process not dumpable after sandboxingStefano Brivio2022-02-211-0/+2
| | | | | | | | | | | | | Two effects: - ptrace() on passt and pasta can only be done by root, so that even if somebody gains access to the same user, they won't be able to check data passed in syscalls anyway. No core dumps allowed either - /proc/PID files are owned by root:root, and they can't be read by the same user as the one passt or pasta are running with Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt, pasta: Namespace-based sandboxing, defer seccomp policy applicationStefano Brivio2022-02-2117-262/+365
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | To reach (at least) a conceptually equivalent security level as implemented by --enable-sandbox in slirp4netns, we need to create a new mount namespace and pivot_root() into a new (empty) mountpoint, so that passt and pasta can't access any filesystem resource after initialisation. While at it, also detach IPC, PID (only for passt, to prevent vulnerabilities based on the knowledge of a target PID), and UTS namespaces. With this approach, if we apply the seccomp filters right after the configuration step, the number of allowed syscalls grows further. To prevent this, defer the application of seccomp policies after the initialisation phase, before the main loop, that's where we expect bad things to happen, potentially. This way, we get back to 22 allowed syscalls for passt and 34 for pasta, on x86_64. While at it, move #syscalls notes to specific code paths wherever it conceptually makes sense. We have to open all the file handles we'll ever need before sandboxing: - the packet capture file can only be opened once, drop instance numbers from the default path and use the (pre-sandbox) PID instead - /proc/net/tcp{,v6} and /proc/net/udp{,v6}, for automatic detection of bound ports in pasta mode, are now opened only once, before sandboxing, and their handles are stored in the execution context - the UNIX domain socket for passt is also bound only once, before sandboxing: to reject clients after the first one, instead of closing the listening socket, keep it open, accept and immediately discard new connection if we already have a valid one Clarify the (unchanged) behaviour for --netns-only in the man page. To actually make passt and pasta processes run in a separate PID namespace, we need to unshare(CLONE_NEWPID) before forking to background (if configured to do so). Introduce a small daemon() implementation, __daemon(), that additionally saves the PID file before forking. While running in foreground, the process itself can't move to a new PID namespace (a process can't change the notion of its own PID): mention that in the man page. For some reason, fork() in a detached PID namespace causes SIGTERM and SIGQUIT to be ignored, even if the handler is still reported as SIG_DFL: add a signal handler that just exits. We can now drop most of the pasta_child_handler() implementation, that took care of terminating all processes running in the same namespace, if pasta started a shell: the shell itself is now the init process in that namespace, and all children will terminate once the init process exits. Issuing 'echo $$' in a detached PID namespace won't return the actual namespace PID as seen from the init namespace: adapt demo and test setup scripts to reflect that. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* slirp4netns: Add EXIT as condition for trapStefano Brivio2022-02-041-1/+1
| | | | | | | ...otherwise, we don't terminate pasta on regular exit, i.e. on a read from the "exit" file descriptor. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* slirp4netns: Look up pasta command, exit if not foundStefano Brivio2022-02-041-1/+6
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>