August 2023 - dev

[PATCH v4 0/9] Flow Table Preliminaries
by David Gibson 22 Aug '23

22 Aug '23

I'm still working on bunch of things to start implementing the generalised flow table. However, I think this set of preliminary clean ups and fixes stand well enough on their own that they're ready for merge now. Sorry for the quick resend, noticed a dumb error in the last patch. Changes since v3: * Remove the now unused tcp.splice_conn_count Changes since v2: * Fix a formatting error in the in_epoll patch * Add patch for inany.h include guards * Add patch to remove broken pressure estimates for tcp_defer_handler() Changes since v1: * Add missing patch moving in_epoll flag David Gibson (9): tap: Don't clobber source address in tap6_handler() tap: Pass source address to protocol handler functions tcp: More precise terms for addresses and ports tcp: Consistent usage of ports in tcp_seq_init() tcp, udp: Don't include destination address in partially precomputed csums tcp, udp: Don't pre-fill IPv4 destination address in headers tcp: Move in_epoll flag out of common connection structure inany: Add missing double include guard to inany.h tcp: Remove broken pressure calculations for tcp_defer_handler() icmp.c | 12 ++- icmp.h | 3 +- inany.h | 5 ++ passt.c | 10 +-- passt.h | 4 +- pasta.c | 2 +- tap.c | 29 ++++---- tcp.c | 203 ++++++++++++++++++++++----------------------------- tcp.h | 7 +- tcp_conn.h | 18 +++-- tcp_splice.c | 6 +- udp.c | 37 ++++------ udp.h | 5 +- util.h | 4 +- 14 files changed, 156 insertions(+), 189 deletions(-) -- 2.41.0

2 13

[PATCH v3 0/9] Flow Table Preliminaries
by David Gibson 22 Aug '23

22 Aug '23

I'm still working on bunch of things to start implementing the generalised flow table. However, I think this set of preliminary clean ups and fixes stand well enough on their own that they're ready for merge now. Changes since v2: * Fix a formatting error in the in_epoll patch * Add patch for inany.h include guards * Add patch to remove broken pressure estimates for tcp_defer_handler() Changes since v1: * Add missing patch moving in_epoll flag David Gibson (9): tap: Don't clobber source address in tap6_handler() tap: Pass source address to protocol handler functions tcp: More precise terms for addresses and ports tcp: Consistent usage of ports in tcp_seq_init() tcp, udp: Don't include destination address in partially precomputed csums tcp, udp: Don't pre-fill IPv4 destination address in headers tcp: Move in_epoll flag out of common connection structure inany: Add missing double include guard to inany.h tcp: Remove broken pressure calculations for tcp_defer_handler() icmp.c | 12 ++- icmp.h | 3 +- inany.h | 5 ++ passt.c | 10 +-- passt.h | 4 +- pasta.c | 2 +- tap.c | 29 ++++---- tcp.c | 203 ++++++++++++++++++++++----------------------------- tcp.h | 5 +- tcp_conn.h | 18 +++-- tcp_splice.c | 4 +- udp.c | 37 ++++------ udp.h | 5 +- util.h | 4 +- 14 files changed, 156 insertions(+), 185 deletions(-) -- 2.41.0

1 9

passt: new version 2023_08_18.0af928e available
by Stefano Brivio 20 Aug '23

20 Aug '23

The new version with tag 2023_08_18.0af928e includes the following changes: 0af928e selinux: Fix domain transitions for typical commands pasta might run 30817fd selinux: Allow pasta_t to read nsfs entries 9776521 selinux: Add rules for sysctl and /proc/net accesses 56b8633 selinux: Update policy to fix user/group settings 6205905 selinux: Fix user namespace creation after breaking kernel change 0c42326 selinux: Use explicit paths for binaries in file context 479a9e1 fedora: Install pasta as hard link to ensure SELinux file context match 5f1fcff tap: Fix format specifier in tap4_is_fragment() warning da0aeb9 netlink: Don't propagate host address expiry to the container b4f8ffd netlink: Correctly calculate attribute length for address messages 4b9f4c2 netlink: Remove redundant check on nlmsg_type 5ed4e03 conf: Demote overlapping port ranges error to a warning ae5f6c8 epoll: Use different epoll types for passt and pasta tap fds eda4f19 epoll: Split listening Unix domain socket into its own type 485b5fb epoll: Split handling of listening TCP sockets into their own handler e6f81e5 epoll: Split handling of TCP timerfds into its own handler function 8271a2e epoll: Tiny cleanup to udp_sock_handler() 05f606a epoll: Split handling of ICMP and ICMPv6 sockets d850caa epoll: Fold sock_handler into general switch on epoll event fd 6a6735e epoll: Always use epoll_ref for the epoll data variable 3401644 epoll: Generalize epoll_ref to cover things other than sockets e26282b tap: Fold reset handling into tap_handler_passt() 0d870c5 tap: Fold reset handling into tap_handler_pasta() 548e05f tap: Clean up behaviour for errors on listening Unix socket 28877b0 tap: Clean up tap reset path b2bea00 tap: fix seq->p.count limit 02b30e7 netlink: Propagate errors for "dup" operations 5103811 netlink: Propagate errors for "dump" operations 4d6e9d0 netlink: Always process all responses to a netlink request 8de9805 netlink: Propagate errors for "set" operations a309318 netlink: Add nl_foreach_oftype to filter response message types 99ddd7c netlink: Split nl_req() to allow processing multiple response datagrams 8ec757d netlink: Clearer reasoning about the netlink response buffer size 9d4ab98 netlink: Add nl_do() helper for simple operations with error checking 282581b netlink: Fill in netlink header fields from nl_req() f62600b netlink: Treat send() or recv() errors as fatal 0a568c8 netlink: Start sequence number from 1 instead of 0 dee7594 netlink: Make nl_*_dup() use a separate datagram for each request 576df71 netlink: Explicitly pass netlink sockets to operations cfe7509 netlink: Use struct in_addr for IPv4 addresses, not bare uint32_t 257a6b0 netlink: Split nl_route() into separate operation functions eff3bcb netlink: Split nl_addr() into separate operation functions e96182e netlink: Split up functionality of nl_link() 0cf7bf3 tap: Remove unnecessary global tun_ns_fd 7bc9b66 tap: More detailed error reporting in tap_ns_tun() 6920add util: Make ns_enter() a void function and report setns() errors b15ce5b Use static assertion to verify that union epoll_ref is the right size 8218d99 Use C11 anonymous members to make poll refs less verbose to use 649068a Allow C11 code, not just C99 code 023d684 Revert "MAKE: Fix parallel builds; .o files; .gitignore; new makedocs" cc2a6be MAKE: Fix parallel builds; .o files; .gitignore; new makedocs e01759e tap: Explicitly drop IPv4 fragments, and give a warning 4c98d3b conf: Correct length checking of interface names in conf_ports() c4017cc conf: Fix size checking of -I interface name https://passt.top/passt/log/?qt=range&q=2023_06_27.289301b..2023_08_18.0af9… Packages: - Arch Linux: https://www.archlinux.org/packages/extra/x86_64/passt/ https://archlinuxarm.org/packages/aarch64/passt https://archlinuxarm.org/packages/armv7h/passt - Debian tracker: https://tracker.debian.org/pkg/passt - Copr (CentOS Stream, EPEL, Fedora, Mageia, openSUSE): https://copr.fedorainfracloud.org/coprs/sbrivio/passt/build/6317140/ permanent mirror: https://passt.top/builds/copr/0^20230818.g0af928e/ - Fedora updates: https://bodhi.fedoraproject.org/updates/?packages=passt - Ubuntu tracker: https://packages.ubuntu.com/lunar/passt - Void Linux: https://voidlinux.org/packages/?q=passt - Static builds: - Package for other RPM-based distributions, x86_64 only: https://passt.top/builds/latest/x86_64/passt-g0af928e-1.x86_64.rpm - x86_64 static binaries: https://passt.top/builds/latest/x86_64/ - Debian package, from x86_64 static build: https://passt.top/builds/latest/x86_64/passt_0af928e-1_all.deb -- Stefano

1 0

[PATCH v2 0/7] Extensive bandaging for SELinux policy issues, old and new
by Stefano Brivio 17 Aug '23

17 Aug '23

The most important fix here is actually the one that allows pasta and passt to create user namespaces (and hence, to start -- we need that for sandboxing) with recent kernels on e.g. Fedora Rawhide -- that's patch 3/7. But there are a number of other issues, some old, some new, that would currently prevent pasta from e.g. starting a shell, or simply run 'ip address show', again at least on Fedora Rawhide. Fix them. v2: Actually override pasta symlinks with hard links in 1/7 Stefano Brivio (7): fedora: Install pasta as hard link to ensure SELinux file context match selinux: Use explicit paths for binaries in file context selinux: Fix user namespace creation after breaking kernel change selinux: Update policy to fix user/group settings selinux: Add rules for sysctl and /proc/net accesses selinux: Allow pasta_t to read nsfs entries selinux: Fix domain transitions for typical commands pasta might run contrib/fedora/passt.spec | 7 +++++++ contrib/selinux/passt.fc | 3 ++- contrib/selinux/passt.te | 10 ++++++++-- contrib/selinux/pasta.fc | 3 ++- contrib/selinux/pasta.te | 33 ++++++++++++++++++++++++++++++--- 5 files changed, 49 insertions(+), 7 deletions(-) -- 2.39.2

2 9

[PATCH v2 0/7] Flow Table Preliminaries
by David Gibson 17 Aug '23

17 Aug '23

I'm still working on bunch of things to start implementing the generalised flow table. However, I think this set of preliminary clean ups and fixes stand well enough on their own that they're ready for merge now. Based on the epoll patch series. Changes since v1: * Add missing patch moving in_epoll flag David Gibson (7): tap: Don't clobber source address in tap6_handler() tap: Pass source address to protocol handler functions tcp: More precise terms for addresses and ports tcp: Consistent usage of ports in tcp_seq_init() tcp, udp: Don't include destination address in partially precomputed csums tcp, udp: Don't pre-fill IPv4 destination address in headers tcp: Move in_epoll flag out of common connection structure icmp.c | 12 ++-- icmp.h | 3 +- passt.c | 10 ++- passt.h | 4 +- pasta.c | 2 +- tap.c | 29 ++++---- tcp.c | 194 +++++++++++++++++++++++---------------------------- tcp.h | 5 +- tcp_conn.h | 18 ++--- tcp_splice.c | 4 +- udp.c | 37 ++++------ udp.h | 5 +- util.h | 4 +- 13 files changed, 151 insertions(+), 176 deletions(-) -- 2.41.0

1 8

[PATCH 0/3] pasta: Don't propagate host address lifetimes to the container
by David Gibson 16 Aug '23

16 Aug '23

We realized in yesterday's call that podman issue 19405 could be explained by the fact that along with other attributes we're copying the lifetime of host addresses to the container. Here is a fix for that bug, along with a couple of other small fixes to the netlink code I noticed as I was making it. Link: https://github.com/containers/podman/issues/19405 Link: https://bugs.passt.top/show_bug.cgi?id=70 David Gibson (3): netlink: Remove redundant check on nlmsg_type netlink: Correctly calculate attribute length for address messages netlink: Don't propagate host address expiry to the container netlink.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) -- 2.41.0

2 4

[PATCH 0/7] Extensive bandaging for SELinux policy issues, old and new
by Stefano Brivio 16 Aug '23

16 Aug '23

The most important fix here is actually the one that allows pasta and passt to create user namespaces (and hence, to start -- we need that for sandboxing) with recent kernels on e.g. Fedora Rawhide -- that's patch 3/7. But there are a number of other issues, some old, some new, that would currently prevent pasta from e.g. starting a shell, or simply run 'ip address show', again at least on Fedora Rawhide. Fix them. Stefano Brivio (7): fedora: Install pasta as hard link to ensure SELinux file context match selinux: Use explicit paths for binaries in file context selinux: Fix user namespace creation after breaking kernel change selinux: Update policy to fix user/group settings selinux: Add rules for sysctl and /proc/net accesses selinux: Allow pasta_t to read nsfs entries selinux: Fix domain transitions for typical commands pasta might run contrib/fedora/passt.spec | 4 ++++ contrib/selinux/passt.fc | 3 ++- contrib/selinux/passt.te | 10 ++++++++-- contrib/selinux/pasta.fc | 3 ++- contrib/selinux/pasta.te | 33 ++++++++++++++++++++++++++++++--- 5 files changed, 46 insertions(+), 7 deletions(-) -- 2.39.2

2 15

[PATCH] tap: Fix format specifier in tap4_is_fragment() warning
by Stefano Brivio 16 Aug '23

16 Aug '23

Spotted by Coverity, relatively harmless. Fixes: e01759e2fab0 ("tap: Explicitly drop IPv4 fragments, and give a warning") Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com> --- tap.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tap.c b/tap.c index a6f8692..760deb7 100644 --- a/tap.c +++ b/tap.c @@ -561,7 +561,8 @@ static bool tap4_is_fragment(const struct iphdr *iph, num_dropped++; if (now->tv_sec - last_message > FRAGMENT_MSG_RATE) { - warn("Can't process IPv4 fragments (%lu dropped)", num_dropped); + warn("Can't process IPv4 fragments (%u dropped)", + num_dropped); last_message = now->tv_sec; num_dropped = 0; } -- 2.39.2

2 1

[PATCH] conf: Demote overlapping port ranges error to a warning
by David Gibson 13 Aug '23

13 Aug '23

We give a fatal error if the port ranges from any port forwarding specifiers overlap. This occurs even if those port ranges are specifically bound to different addresses, so there's not really any overlap. Right now, we can't 100% handle this case correctly, because our data structures don't have a way to represent per-address forwarding. However, there are a number of cases that will actually work just fine: e.g. mapping the same port to the same port on two different addresses (say :: and 127.0.0.1). We have long term plans to fix this properly, but that is still some time away. For the time being, demote this error to a warning so that the cases that already work will be allowed. Link: https://bugs.passt.top/show_bug.cgi?id=56 Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au> --- conf.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/conf.c b/conf.c index 0631b00..0ad6e23 100644 --- a/conf.c +++ b/conf.c @@ -303,7 +303,7 @@ static void conf_ports(const struct ctx *c, char optname, const char *optarg, for (i = xrange.first; i <= xrange.last; i++) { if (bitmap_isset(exclude, i)) - goto overlap; + die("Overlapping excluded ranges %s", optarg); bitmap_set(exclude, i); } @@ -370,7 +370,8 @@ static void conf_ports(const struct ctx *c, char optname, const char *optarg, for (i = orig_range.first; i <= orig_range.last; i++) { if (bitmap_isset(fwd->map, i)) - goto overlap; + warn( +"Altering mapping of already mapped port number: %s", optarg); if (bitmap_isset(exclude, i)) continue; @@ -406,8 +407,6 @@ enfile: die("Can't open enough sockets for port specifier: %s", optarg); bad: die("Invalid port specifier %s", optarg); -overlap: - die("Overlapping port specifier %s", optarg); mode_conflict: die("Port forwarding mode '%s' conflicts with previous mode", optarg); bind_fail: -- 2.41.0

2 1

[PATCH] tap: fix seq->p.count limit
by Laurent Vivier 13 Aug '23

13 Aug '23

The number of items in pool_l4_t is defined to UIO_MAXIOV, not TAP_SEQS. TAP_SEQS is the number of the messages. Fix the value used to compare seq->p.count with. Fix: bb708111833e ("treewide: Packet abstraction with mandatory boundary checks") Signed-off-by: Laurent Vivier <lvivier(a)redhat.com> --- tap.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tap.c b/tap.c index e034f9468267..69bd19a2a91a 100644 --- a/tap.c +++ b/tap.c @@ -678,7 +678,7 @@ resume: seq->daddr.s_addr = iph->daddr; \ } while (0) - if (seq && L4_MATCH(iph, uh, seq) && seq->p.count < TAP_SEQS) + if (seq && L4_MATCH(iph, uh, seq) && seq->p.count < UIO_MAXIOV) goto append; if (seq_count == TAP_SEQS) @@ -686,7 +686,7 @@ resume: for (seq = tap4_l4 + seq_count - 1; seq >= tap4_l4; seq--) { if (L4_MATCH(iph, uh, seq)) { - if (seq->p.count >= TAP_SEQS) + if (seq->p.count >= UIO_MAXIOV) seq = NULL; break; } @@ -840,7 +840,7 @@ resume: } while (0) if (seq && L4_MATCH(ip6h, proto, uh, seq) && - seq->p.count < TAP_SEQS) + seq->p.count < UIO_MAXIOV) goto append; if (seq_count == TAP_SEQS) @@ -848,7 +848,7 @@ resume: for (seq = tap6_l4 + seq_count - 1; seq >= tap6_l4; seq--) { if (L4_MATCH(ip6h, proto, uh, seq)) { - if (seq->p.count >= TAP_SEQS) + if (seq->p.count >= UIO_MAXIOV) seq = NULL; break; } -- 2.41.0

3 4

2024

2023

2022

2021

dev August 2023