aboutgitcodebugslistschat
path: root/Makefile
Commit message (Collapse)AuthorAgeFilesLines
* Makefile: Ugly hack to get a "plain" Markdown version of READMEStefano Brivio2022-08-201-3/+27
| | | | | | | | | | | | | | | | | | Distribution packages reasonably expect to have a human-readable Markdown version of the README under /usr/share/doc/, but all we have right now is a heavily web-oriented version. Introduce a ugly hack to strip web-oriented parts from the current README and install it. It should probably work the other way around: a human-readable README could be used as a source for the web page. But cgit needs a file that's in the tree, not something that can be built, and https://passt.top/ is based on cgit. It should eventually be doable to work around this in cgit, instead. Reported-by: Benson Muite <benson_muite@emailplus.org> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* valgrind needs futexDavid Gibson2022-07-221-1/+1
| | | | | | | | | Some versions of valgrind (such as the version on my Fedora laptop - valgrind-3.19.0-3.fc36.x86_64) use futexes. But futex is currently not allowed in the seccomp filter, even with the extra calls added for valgrind builds. Add it, to avoid spurious valgrind failures. Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
* passt: Allow exit_group() system call in seccomp profilesStefano Brivio2022-07-141-1/+1
| | | | | | | | | | | | We handle SIGQUIT and SIGTERM calling exit(), which is usually implemented with the exit_group() system call. If we don't allow exit_group(), we'll get a SIGSYS while handling SIGQUIT and SIGTERM, which means a misleading non-zero exit code. Reported-by: Wenli Quan <wquan@redhat.com> Link: https://bugzilla.redhat.com/show_bug.cgi?id=2101990 Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* Clean up passt.pid fileDavid Gibson2022-07-141-1/+2
| | | | | | | | If the tests are interrupted at the right point a passt.pid file can be left over. Clean it up with "make clean" and add it to .gitignore so it doesn't get accidentally committed. Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
* Add cleaner line-by-line reading primitivesDavid Gibson2022-07-061-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Two places in passt need to read files line by line (one parsing resolv.conf, the other parsing /proc/net/*. They can't use fgets() because in glibc that can allocate memory. Instead they use an implementation line_read() in util.c. This has some problems: * It has two completely separate modes of operation, one buffering and one not, the relation between these and how they're activated is subtle and confusing * At least in non-buffered mode, it will mishandle an empty line, folding them onto the start of the next non-empty line * In non-buffered mode it will use lseek() which prevents using this on non-regular files (we don't need that at present, but it's a surprising limitation) * It has a lot of difficult to read pointer mangling Add a new cleaner implementation of allocation-free line-by-line reading in lineread.c. This one always buffers, using a state structure to keep track of what we need. This is larger than I'd like, but it turns out handling all the edge cases of line-by-line reading in C is surprisingly hard. This just adds the code, subsequent patches will change the existing users of line_read() to the new implementation. Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
* Makefile: Don't create extraneous -.s fileDavid Gibson2022-06-181-1/+1
| | | | | | | | | | In order to probe availability of certain features the Makefile test compiles a handful of tiny snippets, feeding those in from stdin. However in one case - the one for -fstack-protector - it forgets to redirect the output to stdout, meaning it creates a stray '-.s' file when make is invoked (even make clean). Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
* Makefile: Tweak $(RM) usageDavid Gibson2022-06-181-3/+3
| | | | | | | | | | | The use of rm commands in the clean and uninstall targets adds an explicit leading - to ignore errors. However the built-in RM variable in make is actually "rm -f" which already ignores errors, so the - isn't neccessary. Also replace ${RM} with $(RM) which is the more conventional form in Makefiles. Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
* Makefile: Simplify pasta* targets with a pattern ruleDavid Gibson2022-06-181-8/+2
| | | | | | | | pasta, pasta.avx2 and pasta.1 are all generated as a link to the corresponding passt file. We can consolidate the 3 rules for these targets into a single pattern rule. Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
* Makefile: Use $(BIN) and $(MANPAGES) variable to simplify several targetsDavid Gibson2022-06-181-14/+12
| | | | | | | | | | | | | | There are several places which explicitly list the various generated binaries, even though a $(BIN) variable already lists them. There are several more places that list all the manpage files, introduce a $(MANPAGES) variable to remove that repetition as well. Tweak the generation of pasta.1 as a link to passt.1 so it's not just made as a side effect of the pasta target. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> [sbrivio: add passt.1 and qrap.1 to guest files for distro tests] Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* Makefile: Avoid using wildcard sourcesDavid Gibson2022-06-181-15/+22
| | | | | | | | | | | | | | | | | | | | | | | | | | The passt/pasta Makefile makes fairly heavy use of GNU make's $(wildcard) function to locate the sources and headers to build. Using wildcards for the things to compile is usually a bad idea though: if somehow you end up with a .c or .h file in your tree you didn't expect it can misbuild in an exceedingly confusing way. In particular this can sometimes happen if switching between releases / branches where files have been added or removed without 100% cleaning the tree. It also makes life a bit complicated if building multiple different binaries in the same tree: we already have some rather awkward $(filter-out) constructions to avoid including qrap.c in the passt build. Replace use of $(wildcard) with the more idiomatic approach of defining variables listing all the relevant source files then using that throughout. In the rule for seccomp.h there was also a bare "*.c" which caused make to always rebuild that target. Fix that as well. Similarly, seccomp.sh uses a wildcard to locate the sources, which is unwise for the same reasons. Make it take the sources to examine on the command line instead, and have the Makefile pass them in from the same variables. Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
* Makefile: Suppress unusedStructMember Cppcheck warning in dhcp.cStefano Brivio2022-06-181-0/+2
| | | | | | | | | | | | | | | New from Cppcheck 2.8: all the fields of struct msg that are not directly manipulated are now reported as unused, which is kind of correct as those fields are used as a blob "copied" from request to response and not as separate fields. However, keeping the message composition explicit is probably desirable, and adding inline suppressions makes the whole thing rather unreadable, so just suppress unusedStructMember warnings for dhcp.c, while also adding a suppression for unmatched suppressions to keep earlier versions of Cppcheck happy. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* Makefile: Allow implicit test for bugprone-suspicious-string-compare checkerStefano Brivio2022-03-291-4/+1
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* treewide: Fix android-cloexec-* clang-tidy warnings, re-enable checksStefano Brivio2022-03-291-9/+0
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* test, seccomp, Makefile: Switch to valgrind runs for passt functional testsStefano Brivio2022-03-291-1/+7
| | | | | | | | | | | | | | Pass to seccomp.sh a list of additional syscalls valgrind needs as EXTRA_SYSCALLS in a new 'valgrind' make target, and add corresponding support in seccomp.sh itself. In test setup functions, start passt with valgrind, but not for performance tests. Add tests checking that valgrind exits without errors after all the other tests in the group are done. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* Makefile: Enable a few hardening flagsStefano Brivio2022-03-281-2/+8
| | | | | | | They don't have a measurable performance impact and make things a bit safer. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* Makefile, hooks: Static target precondition for pkgs, copy .avx2 buildsStefano Brivio2022-03-011-1/+1
| | | | | | Convenience packages are anyway built from static builds. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt, pasta: Run-time selection of AVX2 buildStefano Brivio2022-02-281-10/+28
| | | | | | | | | | | | | Build-time selection of AVX2 flags and routines is not practical for distributions, but limiting AVX2 usage to checksum routines with specific run-time detection doesn't allow for easy performance gains from auto-vectorisation of batched packet handling routines. For x86_64, build non-AVX2 and AVX2 binaries, and implement a simple wrapper replacing the current executable with the AVX2 build if it's available, and if AVX2 is supported by the current CPU. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* Makefile: Fix up AUDIT_ARCH for armv6l, armv7lStefano Brivio2022-02-261-0/+1
| | | | | | | There's a single AUDIT_ARCH_ARM define available (and big-endian shouldn't be a concern with those). Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* pasta: By default, quit if filesystem-bound net namespace goes awayStefano Brivio2022-02-211-1/+2
| | | | | | | | | | | | This should be convenient for users managing filesystem-bound network namespaces: monitor the base directory of the namespace and exit if the namespace given as PATH or NAME target is deleted. We can't add an inotify watch directly on the namespace directory, that won't work with nsfs. Add an option to disable this behaviour, --no-netns-quit. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* Makefile, conf, passt: Drop passt4netns references, explicit argc checkStefano Brivio2022-02-211-5/+2
| | | | | | | | | | | Nobody currently calls this as passt4netns, that was the name I used before 'pasta', drop any reference before it's too late. While at it, explicitly check that argc is bigger than or equal to one, just as a defensive measure: argv[0] being NULL is not an issue anyway. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt: Address new clang-tidy warnings from LLVM 13.0.1Stefano Brivio2022-01-301-1/+23
| | | | | | | | | | | | | | | | | | | | | | | | | clang-tidy from LLVM 13.0.1 reports some new warnings from these checkers: - altera-unroll-loops, altera-id-dependent-backward-branch: ignore for the moment being, add a TODO item - bugprone-easily-swappable-parameters: ignore, nothing to do about those - readability-function-cognitive-complexity: ignore for the moment being, add a TODO item - altera-struct-pack-align: ignore, alignment is forced in protocol headers - concurrency-mt-unsafe: ignore for the moment being, add a TODO item Fix bugprone-implicit-widening-of-multiplication-result warnings, though, that's doable and they seem to make sense. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp, netlink, HAS{BYTES_ACKED,MIN_RTT,GETRANDOM} and NETLINK_GET_STRICT_CHKStefano Brivio2022-01-261-0/+15
| | | | | | | | | | | | | | | | tcpi_bytes_acked and tcpi_min_rtt are only available on recent kernel versions: provide fall-back paths (incurring some grade of performance penalty). Support for getrandom() was introduced in Linux 3.17 and glibc 2.25: provide an alternate mechanism for that as well, reading from /dev/random. Also check if NETLINK_GET_STRICT_CHK is defined before using it: it's not strictly needed, we'll filter out irrelevant results from netlink anyway. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* Makefile, seccomp: Fix build for i386, ppc64, ppc64leStefano Brivio2022-01-261-2/+12
| | | | | | | | | | | | | | | | | On some distributions, on ppc64, ulimit -s returns 'unlimited': add a reasonable default, and also make sure ulimit is invoked using the default shell, which should ensure ulimit is actually implemented. Also note that AUDIT_ARCH doesn't follow closely the naming reported by 'uname -m': convert for i386 and ppc as needed. While at it, move inclusion of seccomp.h after util.h, the former is less generic (cosmetic/clang-tidy only). Older kernel headers might lack a definition for AUDIT_ARCH_PPC64LE: define that explicitly if it's not available. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* Makefile: cppcheck target: Suppress unmatchedSuppression, pass CFLAGSStefano Brivio2021-10-211-3/+16
| | | | | | | | | | Some of those warnings don't trigger even on systems with very similar toolchains, suppress unmatchedSuppression warnings, they're basically useless. While at it, pass CFLAGS to cppcheck. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt: Add cppcheck target, test, and address resulting warningsStefano Brivio2021-10-211-1/+31
| | | | | | | ...mostly false positives, but a number of very relevant ones too, in tcp_get_sndbuf(), tcp_conn_from_tap(), and siphash PREAMBLE(). Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt: Fix build with gcc 7, use std=c99, enable some more Clang checkersStefano Brivio2021-10-211-5/+1
| | | | | | | | | | | | | | Unions and structs, you all have names now. Take the chance to enable bugprone-reserved-identifier, cert-dcl37-c, and cert-dcl51-cpp checkers in clang-tidy. Provide a ffsl() weak declaration using gcc built-in. Start reordering includes, but that's not enough for the llvm-include-order checker yet. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* Makefile, tcp: Don't try to use tcpi_snd_wnd from tcp_info on pre-5.3 kernelsStefano Brivio2021-10-211-0/+5
| | | | | | | Detect missing tcpi_snd_wnd in struct tcp_info at build time, otherwise build fails with a pre-5.3 linux/tcp.h header. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt: Add clang-tidy Makefile target and test, take care of warningsStefano Brivio2021-10-201-0/+75
| | | | | | | Most are just about style and form, but a few were actually serious mistakes (NDP-related). Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt: Address gcc 11 warningsStefano Brivio2021-10-201-0/+14
| | | | | | | | | A mix of unchecked return values, a missing permission mask for open(2) with O_CREAT, and some false positives from -Wstringop-overflow and -Wmaybe-uninitialized. Reported-by: Martin Hauke <mardnh@gmx.de> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* LICENSES: Add license text files, add missing notices, fix SPDX tagsStefano Brivio2021-10-201-0/+11
| | | | | | | | | | SPDX tags don't replace license files. Some notices were missing and some tags were not according to the SPDX specification, too. Now reuse --lint from the REUSE tool (https://reuse.software/) passes. Reported-by: Martin Hauke <mardnh@gmx.de> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* Makefile: Install man pages to /usr/share/man instead of /usr/manStefano Brivio2021-10-201-5/+5
| | | | | Reported-by: Martin Hauke <mardnh@gmx.de> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* Makefile: Prefix installation paths with $(DESTDIR)Stefano Brivio2021-10-191-9/+9
| | | | | | | | | Martin reports that DESTDIR is ignored in install/uninstall targets, see also: https://www.gnu.org/prep/standards/html_node/DESTDIR.html Reported-by: Martin Hauke <mardnh@gmx.de> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt: Static builds: don't redefine __vsyslog(), skip getpwnam() and ↵Stefano Brivio2021-10-161-1/+1
| | | | | | initgroups() Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt, pasta: Add seccomp supportStefano Brivio2021-10-141-9/+8
| | | | | | | | | | | | | | | | | | List of allowed syscalls comes from comments in the form: #syscalls <list> for syscalls needed both in passt and pasta mode, and: #syscalls:pasta <list> #syscalls:passt <list> for syscalls specifically needed in pasta or passt mode only. seccomp.sh builds a list of BPF statements from those comments, prefixed by a binary search tree to keep lookup fast. While at it, clean up a bit the Makefile using wildcards. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* conf, tap: Split netlink and pasta functions, allow interface configurationStefano Brivio2021-10-141-4/+5
| | | | | | | | | | Move netlink routines to their own file, and use netlink to configure or fetch all the information we need, except for the TUNSETIFF ioctl. Move pasta-specific functions to their own file as well, add parameters and calls to configure the tap interface in the namespace. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* pasta: Allow specifying paths and names of namespacesGiuseppe Scrivano2021-10-071-0/+1
| | | | | | | | | | | | | | | | | | Based on a patch from Giuseppe Scrivano, this adds the ability to: - specify paths and names of target namespaces to join, instead of a PID, also for user namespaces, with --userns - request to join or create a network namespace only, without entering or creating a user namespace, with --netns-only - specify the base directory for netns mountpoints, with --nsrun-dir Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> [sbrivio: reworked logic to actually join the given namespaces when they're not created, implemented --netns-only and --nsrun-dir, updated pasta demo script and man page] Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt: Align pkt_buf to PAGE_SIZE (start and size), try to fit in huge pagesStefano Brivio2021-09-271-0/+1
| | | | | | | | | If transparent huge pages are available, madvise() will do the trick. While at it, decrease EPOLL_EVENTS for the main loop from 10 to 8, for slightly better socket fairness. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* Makefile: Visually separate CFLAGS from input files in resulting cc commandsStefano Brivio2021-09-271-2/+4
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* Makefile: Make sure destination directories exist on installStefano Brivio2021-09-011-0/+1
| | | | | | Mostly theoretical, but convenient for testing. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* Makefile: Quick hack to build convenience Debian and RPM packagesStefano Brivio2021-09-011-1/+15
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* Makefile: Add install, uninstall targetsStefano Brivio2021-09-011-1/+16
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt, pasta: Introduce command-line options and port re-mappingStefano Brivio2021-09-011-11/+6
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* checksum: Introduce AVX2 implementation, unify helpersStefano Brivio2021-07-261-2/+17
| | | | | | | | | | | | | | | | | | | Provide an AVX2-based function using compiler intrinsics for TCP/IP-style checksums. The load/unpack/add idea and implementation is largely based on code from BESS (the Berkeley Extensible Software Switch) licensed as 3-Clause BSD, with a number of modifications to further decrease pipeline stalls and to minimise cache pollution. This speeds up considerably data paths from sockets to tap interfaces, decreasing overhead for checksum computation, with 16-64KiB packet buffers, from approximately 11% to 7%. The rest is just syscalls at this point. While at it, provide convenience targets in the Makefile for avx2, avx2_debug, and debug targets -- these simply add target-specific CFLAGS to the build. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt: Add PASTA mode, major reworkStefano Brivio2021-07-171-2/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | PASTA (Pack A Subtle Tap Abstraction) provides quasi-native host connectivity to an otherwise disconnected, unprivileged network and user namespace, similarly to slirp4netns. Given that the implementation is largely overlapping with PASST, no separate binary is built: 'pasta' (and 'passt4netns' for clarity) both link to 'passt', and the mode of operation is selected depending on how the binary is invoked. Usage example: $ unshare -rUn # echo $$ 1871759 $ ./pasta 1871759 # From another terminal # udhcpc -i pasta0 2>/dev/null # ping -c1 pasta.pizza PING pasta.pizza (64.190.62.111) 56(84) bytes of data. 64 bytes from 64.190.62.111 (64.190.62.111): icmp_seq=1 ttl=255 time=34.6 ms --- pasta.pizza ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 34.575/34.575/34.575/0.000 ms # ping -c1 spaghetti.pizza PING spaghetti.pizza(2606:4700:3034::6815:147a (2606:4700:3034::6815:147a)) 56 data bytes 64 bytes from 2606:4700:3034::6815:147a (2606:4700:3034::6815:147a): icmp_seq=1 ttl=255 time=29.0 ms --- spaghetti.pizza ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 28.967/28.967/28.967/0.000 ms This entails a major rework, especially with regard to the storage of tracked connections and to the semantics of epoll(7) references. Indexing TCP and UDP bindings merely by socket proved to be inflexible and unsuitable to handle different connection flows: pasta also provides Layer-2 to Layer-2 socket mapping between init and a separate namespace for local connections, using a pair of splice() system calls for TCP, and a recvmmsg()/sendmmsg() pair for UDP local bindings. For instance, building on the previous example: # ip link set dev lo up # iperf3 -s $ iperf3 -c ::1 -Z -w 32M -l 1024k -P2 | tail -n4 [SUM] 0.00-10.00 sec 52.3 GBytes 44.9 Gbits/sec 283 sender [SUM] 0.00-10.43 sec 52.3 GBytes 43.1 Gbits/sec receiver iperf Done. epoll(7) references now include a generic part in order to demultiplex data to the relevant protocol handler, using 24 bits for the socket number, and an opaque portion reserved for usage by the single protocol handlers, in order to track sockets back to corresponding connections and bindings. A number of fixes pertaining to TCP state machine and congestion window handling are also included here. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt: Introduce packet capture implementationStefano Brivio2021-05-211-2/+2
| | | | | | | | With -DDEBUG, passt now saves guest-side traffic captures in pcap format at /tmp/passt_<ISO8601 timestamp>.pcap. The timestamp refers to time and date of start-up. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* qrap: Find qemu command if not passed, patch command lineStefano Brivio2021-05-101-1/+1
| | | | | | | | | | | | | | It might be impractical to pass options to qrap when using libvirt, because the <emulator/> tag expects a path to an executable, without further arguments. If the first argument is not a plausible socket number, and the second argument is not a valid executable, look up a qemu command from a list of possible names, then start it patching the command line to include the -netdev fd= parameter corresponding to the AF_UNIX domain socket we just opened. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt: Introduce a DHCPv6 serverStefano Brivio2021-04-131-2/+2
| | | | | | | | | | | | This implementation, similarly to the IPv4 DHCP one, hands out a single address, which is the same as the upstream address for the host. This avoids the need for address translation as long as the client runs a DHCPv6 client. The NDP "Managed" flag is now set in Router Advertisements. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt: Introduce ICMP echo proxyStefano Brivio2021-03-181-2/+2
| | | | | | | | It's nice to be able to confirm connectivity using ICMP or ICMPv6 echo requests, and "ping" sockets on Linux (IPPROTO_ICMP datagram) allow us to do that without any special capability. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp: Add siphash implementation for initial sequence numbersStefano Brivio2021-03-171-2/+2
| | | | | | | | | | | | | Implement siphash routines for initial TCP sequence numbers (12 bytes input for IPv4, 36 bytes input for IPv6), and while at it, also functions we'll use later on for hash table indices and TCP timestamp offsets (with 8, 20, 32 bytes of input). Use these to set the initial sequence number, according to RFC 6528, for connections originating either from the tap device or from sockets. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt: New design and implementation with native Layer 4 socketsStefano Brivio2021-02-161-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is a reimplementation, partially building on the earlier draft, that uses L4 sockets (SOCK_DGRAM, SOCK_STREAM) instead of SOCK_RAW, providing L4-L2 translation functionality without requiring any security capability. Conceptually, this follows the design presented at: https://gitlab.com/abologna/kubevirt-and-kvm/-/blob/master/Networking.md The most significant novelty here comes from TCP and UDP translation layers. In particular, the TCP state and translation logic follows the intent of being minimalistic, without reimplementing a full TCP stack in either direction, and synchronising as much as possible the TCP dynamic and flows between guest and host kernel. Another important introduction concerns addressing, port translation and forwarding. The Layer 4 implementations now attempt to bind on all unbound ports, in order to forward connections in a transparent way. While at it: - the qemu 'tap' back-end can't be used as-is by qrap anymore, because of explicit checks now introduced in qemu to ensure that the corresponding file descriptor is actually a tap device. For this reason, qrap now operates on a 'socket' back-end type, accounting for and building the additional header reporting frame length - provide a demo script that sets up namespaces, addresses and routes, and starts the daemon. A virtual machine started in the network namespace, wrapped by qrap, will now directly interface with passt and communicate using Layer 4 sockets provided by the host kernel. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>