- dev - passt

[PATCH v5 0/4] Retry SYNs for inbound connections
by Yumei Huang 17 Oct '25

17 Oct '25

When a client connects, SYN would be sent to guest only once. If the guest is not connected or ready at that time, the connection will be reset in 10s. These patches introduce the SYN retry mechanism using the similar backoff timeout as linux kernel. Also update the data retransmission timeout using the backoff timeout. Yumei Huang (4): tcp: Rename "retrans" to "retries" util: Introduce read_file() and read_file_integer() function tcp: Resend SYN for inbound connections tcp: Update data retransmission timeout tcp.c | 76 +++++++++++++++++++++++++++++++++++------------- tcp.h | 5 ++++ tcp_conn.h | 12 ++++---- util.c | 84 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ util.h | 10 +++++++ 5 files changed, 161 insertions(+), 26 deletions(-) -- 2.47.0

1 0

[PATCH 0/3] RFC: Reduce differences between inbound and outbound socket binding
by David Gibson 17 Oct '25

17 Oct '25

The fact that outbound forwarding sockets are bound to the loopback address, whereas inbound forwarding sockets are (by default) bound to the unspecified address leads to some unexpected differences between the paths setting up each of them. Happily there's an approach to tackling bug 100 which also reduces those differences, allowing more code to be shared between the two paths. Amongst other things, this will make the next steps of flexible forwarding configuration easier. Link: https://bugs.passt.top/show_bug.cgi?id=100 David Gibson (3): tcp: Merge tcp_ns_sock_init[46]() into tcp_sock_init_one() udp: Unify some more inbound/outbound parts of udp_sock_init() tcp, udp: Bind outbound listening sockets by interface instead of address conf.c | 4 +-- pif.c | 6 ---- tcp.c | 110 +++++++++++++++------------------------------------------ tcp.h | 5 +-- udp.c | 55 +++++++++++++---------------- udp.h | 5 +-- 6 files changed, 61 insertions(+), 124 deletions(-) -- 2.51.0

1 0

[PATCH v3 0/6] Refactor epoll handling in preparation for multithreading
by Laurent Vivier 17 Oct '25

17 Oct '25

This series refactors how epoll file descriptors are managed throughout the codebase in preparation for introducing multithreading support. Currently, passt uses a single global epollfd accessed through the context structure. With multithreading, each thread will need its own epollfd managing its subset of flows. The key changes are: 1. Centralize epoll management by extracting helper functions into a new epoll_ctl.c/h module and moving union epoll_ref from passt.h to its more logical location in epoll_ctl.h. 2. Simplify epoll_del() to take the epollfd directly rather than extracting it from the context structure, reducing coupling between epoll operations and the global context. 3. Move epoll registration out of sock_l4_sa() into protocol-specific code, giving callers explicit control over which epoll instance manages each socket. 4. Replace the boolean in_epoll flag in TCP connections with a threadnb (thread number) field in flow_common. This serves dual purposes: tracking registration status (FLOW_THREADNB_INVALID = not registered) and identifying the owning thread. A thread-to-epollfd mapping allows retrieving the actual epoll file descriptor. The threadnb field is 8 bits, limiting values to 0-254 (255 = FLOW_THREADNB_INVALID). 5. Apply this pattern consistently across all protocol handlers (TCP, ICMP, UDP), storing the managing thread number in each flow's common structure. These changes make thread ownership explicit in the flow tracking system, enabling flows to be managed by different threads (and their epoll instances), a prerequisite for per-thread epollfd design in upcoming multithreading work. Changes since v1: - New patch: "epoll_ctl: Extract epoll operations" - centralizes epoll helpers into a dedicated module and relocates union epoll_ref from passt.h to epoll_ctl.h - Changed epollfd type in flow_common from int to 8-bit bitfield to avoid exceeding cacheline size threshold - Added flow_epollfd_valid() helper to check epoll registration status - Added flow_set_epollfd() helper to set the epoll instance for a flow Changes since v2: - Renamed field in flow_common from epollfd to threadnb (thread number) to better reflect that flows are now associated with threads rather than directly with epoll file descriptors - Introduced thread-to-epollfd mapping via threadnb_to_epollfd[] array in flow.c, providing an indirection layer between threads and their epoll instances - Renamed/refactored helper functions: - flow_set_epollfd() -> flow_epollfd_set() - now takes thread number and epollfd parameters - Added flow_epollfd_get() - retrieves the epoll fd for a flow's thread - flow_epollfd_valid() - now checks threadnb instead of epollfd - Updated constants: replaced EPOLLFD_* with FLOW_THREADNB_* equivalents (e.g., EPOLLFD_INVALID -> FLOW_THREADNB_INVALID) - Applied thread-based pattern consistently across TCP, ICMP, and UDP Laurent Vivier (6): util: Simplify epoll_del() interface to take epollfd directly epoll_ctl: Extract epoll operations util: Move epoll registration out of sock_l4_sa() tcp, flow: Replace per-connection in_epoll flag with threadnb in flow_common icmp: Use thread-based epoll management for ICMP flows udp: Use thread-based epoll management for UDP flows Makefile | 22 +++++++++++----------- epoll_ctl.c | 45 ++++++++++++++++++++++++++++++++++++++++++++ epoll_ctl.h | 51 ++++++++++++++++++++++++++++++++++++++++++++++++++ flow.c | 53 +++++++++++++++++++++++++++++++++++++++++++++------- flow.h | 13 ++++++++++++- icmp.c | 23 +++++++++++++++-------- passt.c | 2 +- passt.h | 34 --------------------------------- pasta.c | 7 +++---- pif.c | 32 ++++++++++++++++++++++++------- repair.c | 14 +++++--------- tap.c | 15 +++++---------- tcp.c | 41 +++++++++++++++++++++------------------- tcp_conn.h | 8 +------- tcp_splice.c | 26 +++++++++++++------------- udp.c | 2 +- udp_flow.c | 23 +++++++++++++++++++---- util.c | 28 ++------------------------- util.h | 6 ++++-- vhost_user.c | 14 +++++--------- vu_common.c | 2 +- 21 files changed, 287 insertions(+), 174 deletions(-) create mode 100644 epoll_ctl.c create mode 100644 epoll_ctl.h -- 2.50.1

3 12

[PATCH] contrib/selinux: use regex instead of non-standard bash macro
by Danish Prakash 16 Oct '25

16 Oct '25

It might be possible to avoid using non-standard bash macro (%USERID), and instead using regex to match user ids. This would also mean discarding the explicit restorecon call while packaging[1]. [1] - https://passt.top/passt/commit/?id=e019323538699967c155c29411545223dadfc0f5 Link: https://bugzilla.suse.com/show_bug.cgi?id=1246291 Signed-off-by: Danish Prakash <contact(a)danishpraka.sh> --- contrib/fedora/passt.spec | 11 ----------- contrib/selinux/pasta.fc | 12 ++++++------ 2 files changed, 6 insertions(+), 17 deletions(-) diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec index 663289f53d97..d1bcf4a74338 100644 --- a/contrib/fedora/passt.spec +++ b/contrib/fedora/passt.spec @@ -103,17 +103,6 @@ fi %posttrans selinux %selinux_relabel_post -s %{selinuxtype} -# %selinux_relabel_post calls fixfiles(8) with the previous file_contexts file -# (see selabel_file(5)) in order to restore only the file contexts which -# actually changed. However, as file_contexts doesn't support %{USERID} -# substitutions, this will not work for specific file contexts that pasta needs -# to have under /run/user. -# -# Restore those explicitly, hiding errors from restorecon(8): we can't pass a -# path that's more specific than this, but at the same time /run/user often -# contains FUSE mountpoints that can't be accessed as root, leading to -# "Permission denied" messages, but not failures. -restorecon -R /run/user 2>/dev/null %files %license LICENSES/{GPL-2.0-or-later.txt,BSD-3-Clause.txt} diff --git a/contrib/selinux/pasta.fc b/contrib/selinux/pasta.fc index e60c6148f412..82dbcbe2b75e 100644 --- a/contrib/selinux/pasta.fc +++ b/contrib/selinux/pasta.fc @@ -12,11 +12,11 @@ /usr/bin/pasta.avx2 system_u:object_r:pasta_exec_t:s0 /tmp/pasta\.pcap system_u:object_r:pasta_log_t:s0 /var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0 -/run/user/%{USERID}/netns system_u:object_r:ifconfig_var_run_t:s0 -/run/user/%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0 +/run/user/[0-9]+/netns system_u:object_r:ifconfig_var_run_t:s0 +/run/user/[0-9]+/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0 # In case XDG_RUNTIME_DIR is not set (i.e. no systemd user session) Podman falls # back to a location under /tmp -/tmp/storage-run-%{USERID}/netns system_u:object_r:ifconfig_var_run_t:s0 -/tmp/storage-run-%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0 -/tmp/containers-user-%{USERID}/netns system_u:object_r:ifconfig_var_run_t:s0 -/tmp/containers-user-%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0 +/tmp/storage-run-[0-9]+/netns system_u:object_r:ifconfig_var_run_t:s0 +/tmp/storage-run-[0-9]+/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0 +/tmp/containers-user-[0-9]+/netns system_u:object_r:ifconfig_var_run_t:s0 +/tmp/containers-user-[0-9]+/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0 -- 2.51.0

1 0

[PATCH v2] passt: Rename EPOLL_EVENTS to NUM_EPOLL_EVENTS
by Laurent Vivier 16 Oct '25

16 Oct '25

The macro EPOLL_EVENTS conflicts with enum EPOLL_EVENTS defined in sys/epoll.h (glibc). Rename the local macro to NUM_EPOLL_EVENTS to avoid this namespace collision. Signed-off-by: Laurent Vivier <lvivier(a)redhat.com> --- Notes: v2: Rename PASST_EPOLL_EVENTS to NUM_EPOLL_EVENTS for better clarity passt.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/passt.c b/passt.c index 31fbb75b1b12..bdb7b6935f0c 100644 --- a/passt.c +++ b/passt.c @@ -54,7 +54,7 @@ #include "migrate.h" #include "repair.h" -#define EPOLL_EVENTS 8 +#define NUM_EPOLL_EVENTS 8 #define TIMER_INTERVAL__ MIN(TCP_TIMER_INTERVAL, UDP_TIMER_INTERVAL) #define TIMER_INTERVAL_ MIN(TIMER_INTERVAL__, ICMP_TIMER_INTERVAL) @@ -245,7 +245,7 @@ static void print_stats(const struct ctx *c, const struct passt_stats *stats, */ int main(int argc, char **argv) { - struct epoll_event events[EPOLL_EVENTS]; + struct epoll_event events[NUM_EPOLL_EVENTS]; struct passt_stats stats = { 0 }; int nfds, i, devnull_fd = -1; struct ctx c = { 0 }; @@ -349,7 +349,7 @@ int main(int argc, char **argv) loop: /* NOLINTBEGIN(bugprone-branch-clone): intervals can be the same */ /* cppcheck-suppress [duplicateValueTernary, unmatchedSuppression] */ - nfds = epoll_wait(c.epollfd, events, EPOLL_EVENTS, TIMER_INTERVAL); + nfds = epoll_wait(c.epollfd, events, NUM_EPOLL_EVENTS, TIMER_INTERVAL); /* NOLINTEND(bugprone-branch-clone) */ if (nfds == -1 && errno != EINTR) die_perror("epoll_wait() failed in main loop"); -- 2.50.1

3 2

[PATCH] Fix the wrong command in CONTRIBUTING.md
by Yumei Huang 16 Oct '25

16 Oct '25

Signed-off-by: Yumei Huang <yuhuang(a)redhat.com> --- CONTRIBUTING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 5f41bc3..75ad2a7 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -115,7 +115,7 @@ letter before sending. Use `git send-email` to send patches directly to the mailing list: - git send-email --to=passt-dev(a)passt.top 000*.patch -o outgoing/000*.patch + git send-email --to=passt-dev(a)passt.top outgoing/000*.patch If there are CCs (e.g. maintainers, reviewers), you can add them with `--cc`: -- 2.47.0

3 2

[PATCH v2 0/3] Fixes to exeter test integration
by David Gibson 16 Oct '25

16 Oct '25

In advance of the tunbridge work, here are some further small fixes to the test logic, specifically how we interface with exeter tests. v2: * Consistently use ${} style for shell variables * Assorted minor revisions based on Stefano's feedback David Gibson (3): test: Use ${} consistently in lib/exeter test: Add some missing quoting in exeter runner test: For missing static checkers, skip rather than failing tests test/build/static_checkers.sh | 24 ++++++++++++++++++------ test/lib/exeter | 28 ++++++++++++++++++---------- 2 files changed, 36 insertions(+), 16 deletions(-) -- 2.51.0

2 1

[PATCH v13 00/10] Use true MAC address of LAN local remote hosts
by Jon Maloy 14 Oct '25

14 Oct '25

Bug #120 asks us to use the true MAC addresses of LAN local remote hosts, since some programs need this information. These commits introduces this for ARP, NDP, UDP, TCP and ICMP. --- v3: Updated according to feedback from Stefano and David: - Made the ARP/NDP lookup call filter out the requested address by itself, qualified by the index if the template interface - Moved the flow specific MAC address from struct flowside to struct flow_common. v4: - Updated according to feedback from David and Stefan - Added a cache table for ARP/NDP table contents v5: - Updated according to feedback from David and Stefan - Added cache table entries to FIFO/LRU queue - New criteria for when to consult ARP/NDP v6: - Simplified and merged mac cache table commits - Other changes after feedback from David. v7: - Fixes in patch #2 based on feedback from David and Stefano. v8: - Redesigned netlink and cache table part to be based on a subscription model. v8: - Small fix to patch #2 so that we cover the case when a MAC addess for a host has changed. - Added a commit where we send a gratuitous ARP/ unsolicitated NA to the guest when a new host is added to the neighbour cache table. v10: - Some fixes after feedback from David Gibson - Reordered: Moved patch #9 to position #3. - Added synchronization step between ARP/NDP table contents and the neigbour table at initialization. This reduces the number of "false" ARP/NDP replies drastically, but not completly. - (Next step could be to scan over the flow table and update affeced entries when we receive a MAC address update.) v11: - Corrected the gratuitous ARP implementation to use the "ARP Announcement" model instead of the "Gratuitous ARP reply" model. v12: - Updated based on feedback from David and Stefano - Added special handling of default GW and loopback addresses. v13: - Updated based on discussion with David and Stefano - Conceptually moved to only considering guest-side visible addresss. A lot of things became simpler and clearer through this change. Thank you, David. - Introduced a 'permanent' flag in the special entries representing addessed mapping to own host and conditionally the guest gw. This flag indicates those entries cannot be altered by possible remote hosts shadowed by these addresses. Suggested by Stefano. - Reordered patch ##4 and 5, since #5 cannot work correctly for NDP unsolicited NA until #4 is in place. - Added a new commit #2 to get later access to the flag no_map_gw. It was wrong to call fwd_neigh_table_init() from inside conf(), it has to be done in main() after random_init() and tap_backend_init(). Jon Maloy (10): netlink: add subscription on changes in NDP/ARP table passt: add no_map_gw flag to struct ctx fwd: Add cache table for ARP/NDP contents arp/ndp: respond with true MAC address of LAN local remote hosts arp/ndp: send ARP announcement / unsolicited NA when neigbour entry added flow: add MAC address of LAN local remote hosts to flow udp: forward external source MAC address through tap interface tcp: forward external source MAC address through tap interface tap: change signature of function tap_push_l2h() icmp: let icmp use mac address from flowside structure arp.c | 50 ++++++++++- arp.h | 2 + conf.c | 10 +-- epoll_type.h | 2 + flow.c | 2 + flow.h | 2 + fwd.c | 232 +++++++++++++++++++++++++++++++++++++++++++++++++ fwd.h | 7 ++ icmp.c | 8 +- inany.c | 1 + ndp.c | 16 +++- ndp.h | 1 + netlink.c | 218 +++++++++++++++++++++++++++++++++++++++++++++- netlink.h | 4 + passt.c | 17 ++-- passt.h | 4 +- pasta.c | 2 +- tap.c | 24 ++--- tap.h | 7 +- tcp.c | 20 ++++- tcp.h | 2 +- tcp_buf.c | 37 ++++---- tcp_internal.h | 4 +- tcp_vu.c | 5 +- udp.c | 57 +++++++----- udp.h | 2 +- util.h | 2 + 27 files changed, 650 insertions(+), 88 deletions(-) -- 2.50.1

2 16

[PATCH v2 0/3] Retry SYNs for inbound connections
by Yumei Huang 14 Oct '25

14 Oct '25

When a client connects, SYN would be sent to guest only once. If the guest is not connected or ready at that time, the connection will be reset in 10s. These patches introduce the SYN retry mechanism using the similar backoff timeout as linux kernel. Also update the data retransmission timeout. Yumei Huang (3): tcp: Rename "retrans" to "retries" tcp: Resend SYN for inbound connections tcp: Update data retransmission timeout tcp.c | 132 +++++++++++++++++++++++++++++++++++++++++++++-------- tcp.h | 2 + tcp_conn.h | 12 ++--- 3 files changed, 120 insertions(+), 26 deletions(-) -- 2.47.0

3 10

[PATCH v2] test: Update the threshold value for some perf tests
by Yumei Huang 14 Oct '25

14 Oct '25

The values are adjusted to better match results observerd on the test hardware with 56-core Xeon Gold 6330 CPU and 126 GB RAM. Link: https://bugs.passt.top/show_bug.cgi?id=156 Signed-off-by: Yumei Huang <yuhuang(a)redhat.com> --- test/perf/passt_tcp | 6 +++--- test/perf/pasta_udp | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/test/perf/passt_tcp b/test/perf/passt_tcp index 5978c49..1a97a63 100644 --- a/test/perf/passt_tcp +++ b/test/perf/passt_tcp @@ -87,7 +87,7 @@ lat - lat - nsb tcp_crr --nolog -6 gout LAT tcp_crr --nolog -l1 -6 -c -H __MAP_NS6__ | sed -n 's/^throughput=$.*$/\1/p' -lat __LAT__ 500 400 +lat __LAT__ 550 450 tr TCP throughput over IPv4: guest to host iperf3s ns 10002 @@ -137,7 +137,7 @@ lat - lat - nsb tcp_crr --nolog -4 gout LAT tcp_crr --nolog -l1 -4 -c -H __MAP_NS4__ | sed -n 's/^throughput=$.*$/\1/p' -lat __LAT__ 500 400 +lat __LAT__ 550 450 tr TCP throughput over IPv6: host to guest iperf3s guest 10001 @@ -208,6 +208,6 @@ lat - guestb tcp_crr --nolog -P 10001 -C 10011 -4 sleep 1 nsout LAT tcp_crr --nolog -l1 -P 10001 -C 10011 -4 -c -H 127.0.0.1 | sed -n 's/^throughput=$.*$/\1/p' -lat __LAT__ 500 300 +lat __LAT__ 500 350 te diff --git a/test/perf/pasta_udp b/test/perf/pasta_udp index 3a7054c..c51bb6c 100644 --- a/test/perf/pasta_udp +++ b/test/perf/pasta_udp @@ -39,7 +39,7 @@ iperf3s host 10003 # (datagram size) = (packet size) - 48: 40 bytes of IPv6 header, 8 of UDP header iperf3 BW ns ::1 10003 __TIME__ __OPTS__ -b 5G -l 1452 -bw __BW__ 1.0 1.5 +bw __BW__ 0.8 1.2 iperf3 BW ns ::1 10003 __TIME__ __OPTS__ -b 10G -l 3972 bw __BW__ 1.2 1.8 iperf3 BW ns ::1 10003 __TIME__ __OPTS__ -b 30G -l 16336 @@ -64,7 +64,7 @@ iperf3s host 10003 # (datagram size) = (packet size) - 28: 20 bytes of IPv4 header, 8 of UDP header iperf3 BW ns 127.0.0.1 10003 __TIME__ __OPTS__ -b 5G -l 1372 -bw __BW__ 1.0 1.5 +bw __BW__ 0.8 1.2 iperf3 BW ns 127.0.0.1 10003 __TIME__ __OPTS__ -b 10G -l 3972 bw __BW__ 1.2 1.8 iperf3 BW ns 127.0.0.1 10003 __TIME__ __OPTS__ -b 30G -l 16356 @@ -88,7 +88,7 @@ tr UDP throughput over IPv6: host to ns iperf3s ns 10002 iperf3 BW host ::1 10002 __TIME__ __OPTS__ -b 5G -l 1452 -bw __BW__ 1.0 1.5 +bw __BW__ 0.8 1.2 iperf3 BW host ::1 10002 __TIME__ __OPTS__ -b 10G -l 3972 bw __BW__ 1.2 1.8 iperf3 BW host ::1 10002 __TIME__ __OPTS__ -b 30G -l 16336 @@ -111,7 +111,7 @@ lat __LAT__ 200 150 tr UDP throughput over IPv4: host to ns iperf3s ns 10002 iperf3 BW host 127.0.0.1 10002 __TIME__ __OPTS__ -b 5G -l 1372 -bw __BW__ 1.0 1.5 +bw __BW__ 0.8 1.2 iperf3 BW host 127.0.0.1 10002 __TIME__ __OPTS__ -b 10G -l 3972 bw __BW__ 1.2 1.8 iperf3 BW host 127.0.0.1 10002 __TIME__ __OPTS__ -b 30G -l 16356 -- 2.47.0

3 4