- dev - passt

[PATCH 0/2] Adding SO_PEEK_OFF for TCPv6
by jmaloy＠redhat.com 01 Sep '24

01 Sep '24

From: Jon Maloy <jmaloy(a)redhat.com> Adding SO_PEEK_OFF for TCPv6 and selftest for both TCPv4 and TCPv6. Jon Maloy (2): tcp: add SO_PEEK_OFF socket option tor TCPv6 selftests: add selftest for tcp SO_PEEK_OFF support net/ipv6/af_inet6.c | 1 + tools/testing/selftests/net/Makefile | 1 + tools/testing/selftests/net/tcp_so_peek_off.c | 181 ++++++++++++++++++ 3 files changed, 183 insertions(+) create mode 100644 tools/testing/selftests/net/tcp_so_peek_off.c -- 2.45.2

4 8

[PATCH] Makefile: Enable _FORTIFY_SOURCE iff needed
by Michal Privoznik 30 Aug '24

30 Aug '24

On some systems source fortification is enabled whenever code optimization is enabled (e.g. with -O2). Since code fortification is explicitly enabled too (with possibly different value than the system wants, there are three levels [1]), distros are required to patch our Makefile, e.g. [2]. Detect whether fortification is not already enabled and enable it explicitly only if really needed. 1: https://www.gnu.org/software/libc/manual/html_node/Source-Fortification.html 2: https://github.com/gentoo/gentoo/commit/edfeb8763ac56112c59248c62c9cda13e5d… Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com> --- It may be worth exploring whether level 3 would be beneficial: https://developers.redhat.com/articles/2022/09/17/gccs-new-fortification-le… Makefile | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 01fada4..74a9513 100644 --- a/Makefile +++ b/Makefile @@ -33,9 +33,16 @@ AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/MIPS64EL/MIPSEL64/') AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/HPPA/PARISC/') AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/SH4/SH/') +# On some systems enabling optimization also enables source fortification, +# automagically. Do not override it. +FORTIFY_FLAG := +ifeq ($(shell $(CC) -O2 -dM -E - < /dev/null 2>&1 | grep ' _FORTIFY_SOURCE ' > /dev/null; echo $$?),1) +FORTIFY_FLAG := -D_FORTIFY_SOURCE=2 +endif + FLAGS := -Wall -Wextra -Wno-format-zero-length FLAGS += -pedantic -std=c11 -D_XOPEN_SOURCE=700 -D_GNU_SOURCE -FLAGS += -D_FORTIFY_SOURCE=2 -O2 -pie -fPIE +FLAGS += $(FORTIFY_FLAG) -O2 -pie -fPIE FLAGS += -DPAGE_SIZE=$(shell getconf PAGE_SIZE) FLAGS += -DNETNS_RUN_DIR=\"/run/netns\" FLAGS += -DPASST_AUDIT_ARCH=AUDIT_ARCH_$(AUDIT_ARCH) -- 2.44.2

3 3

[PATCH v3 0/3] Probe host's ephemeral ports, rather than using RFC values
by David Gibson 30 Aug '24

30 Aug '24

As discussed on our recent call, this implements basing which ports we consider "ephemeral" on probing the host's settings, rather than just assuming the RFC 6335 recommended values, which are not what Linux uses by default. I think this is more correct, but additionally using the Linux values means we consider more ports ephemeral, reducing kernel memory consumption for -t all -u all. Changes in v3: * Used in_port_t instead of plan uint16_t * Considered using sscanf() rather than strchr() + strtol(), but decided against it. I can never remember exactly what is and isn't accepted by scanf(), plus clang-tidy complained about it. Changes in v2: * Add missing close() for the sysctl file David Gibson (3): conf, fwd: Make ephemeral port logic more flexible conf, fwd: Don't attempt to forward port 0 fwd, conf: Probe host's ephemeral ports conf.c | 19 +++++++++++---- fwd.c | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ fwd.h | 3 +++ util.h | 3 --- 4 files changed, 92 insertions(+), 7 deletions(-) -- 2.46.0

3 5

[net-next, v3 0/2] Adding SO_PEEK_OFF for TCPv6
by jmaloy＠redhat.com 30 Aug '24

30 Aug '24

From: Jon Maloy <jmaloy(a)redhat.com> Adding SO_PEEK_OFF for TCPv6 and selftest for both TCPv4 and TCPv6 Jon Maloy (2): tcp: add SO_PEEK_OFF socket option tor TCPv6 selftests: add selftest for tcp SO_PEEK_OFF support net/ipv6/af_inet6.c | 1 + tools/testing/selftests/net/Makefile | 1 + tools/testing/selftests/net/tcp_so_peek_off.c | 183 ++++++++++++++++++ 3 files changed, 185 insertions(+) create mode 100644 tools/testing/selftests/net/tcp_so_peek_off.c -- 2.45.2

3 4

[PATCH v2 0/3] Probe host's ephemeral ports, rather than using RFC values
by David Gibson 29 Aug '24

29 Aug '24

As discussed on our recent call, this implements basing which ports we consider "ephemeral" on probing the host's settings, rather than just assuming the RFC 6335 recommended values, which are not what Linux uses by default. I think this is more correct, but additionally using the Linux values means we consider more ports ephemeral, reducing kernel memory consumption for -t all -u all. Changes in v2: * Add missing close() for the sysctl file David Gibson (3): conf, fwd: Make ephemeral port logic more flexible conf, fwd: Don't attempt to forward port 0 fwd, conf: Probe host's ephemeral ports conf.c | 19 +++++++++++---- fwd.c | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ fwd.h | 3 +++ util.h | 3 --- 4 files changed, 92 insertions(+), 7 deletions(-) -- 2.46.0

2 5

[PATCH 0/3] Probe host's ephemeral ports, rather than using RFC values
by David Gibson 29 Aug '24

29 Aug '24

As discussed on our recent call, this implements basing which ports we consider "ephemeral" on probing the host's settings, rather than just assuming the RFC 6335 recommended values, which are not what Linux uses by default. I think this is more correct, but additionally using the Linux values means we consider more ports ephemeral, reducing kernel memory consumption for -t all -u all. David Gibson (3): conf, fwd: Make ephemeral port logic more flexible conf, fwd: Don't attempt to forward port 0 fwd, conf: Probe host's ephemeral ports conf.c | 19 ++++++++++++---- fwd.c | 70 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ fwd.h | 3 +++ util.h | 3 --- 4 files changed, 88 insertions(+), 7 deletions(-) -- 2.46.0

3 9

[net-next, v2 0/2] Adding SO_PEEK_OFF for TCPv6
by jmaloy＠redhat.com 28 Aug '24

28 Aug '24

From: Jon Maloy <jmaloy(a)redhat.com> Adding SO_PEEK_OFF for TCPv6 and selftest for it. Jon Maloy (2): tcp: add SO_PEEK_OFF socket option tor TCPv6 selftests: add selftest for tcp SO_PEEK_OFF support net/ipv6/af_inet6.c | 1 + tools/testing/selftests/net/Makefile | 1 + tools/testing/selftests/net/tcp_so_peek_off.c | 184 ++++++++++++++++++ 3 files changed, 186 insertions(+) create mode 100644 tools/testing/selftests/net/tcp_so_peek_off.c -- 2.45.2

4 7

[PATCH v2 0/3] Dual stack sockets for UDP
by David Gibson 27 Aug '24

27 Aug '24

Here, at last, is a change to use dual stack sockets for UDP port forwards as we have for TCP for some time. With the merging of many parallel IPv4/IPv6 structures being done for the flow table and other recent work, this actually turned out much easier than I anticipated. Changes since v1: * Removed a redundant assignment to msg_namelen David Gibson (3): udp: Merge udp[46]_mh_recv arrays udp: Remove unnnecessary local from udp_sock_init() udp: Use dual stack sockets for port forwarding when possible udp.c | 101 +++++++++++++++++++++++++++++----------------------------- udp.h | 2 -- 2 files changed, 50 insertions(+), 53 deletions(-) -- 2.46.0

2 4

[PATCH] seccomp.sh: Try to account for terminal width while formatting list of system calls
by Stefano Brivio 27 Aug '24

27 Aug '24

Avoid excess lines on wide terminals, but make sure we don't fail if we can't fetch the number of columns for any reason, as it's not a fundamental feature and we don't want to break anything with it. Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com> --- seccomp.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/seccomp.sh b/seccomp.sh index 052e1c8..38aa826 100755 --- a/seccomp.sh +++ b/seccomp.sh @@ -242,7 +242,10 @@ for __p in ${__profiles}; do __calls="$(sed -n 's/[\t ]*\*[\t ]*#syscalls$:'"${__p}"'\|$[\t ]\{1,\}$.*$/\2/p' ${IN})" __calls="${__calls} ${EXTRA_SYSCALLS:-}" __calls="$(filter ${__calls})" - echo "seccomp profile ${__p} allows: ${__calls}" | tr '\n' ' ' | fmt -t + + cols="$(stty -a | sed -n 's/.*columns $[0-9]*$.*/\1/p' || :)" 2>/dev/null + case $cols in [0-9]*) col_args="-w ${cols}";; *) col_args="";; esac + echo "seccomp profile ${__p} allows: ${__calls}" | tr '\n' ' ' | fmt -t ${col_args} # Pad here to keep gen_profile() "simple" __count=0 -- 2.43.0

1 0

[PATCH 0/3] Dual stack sockets for UDP
by David Gibson 27 Aug '24

27 Aug '24

Here, at last, is a change to use dual stack sockets for UDP port forwards as we have for TCP for some time. With the merging of many parallel IPv4/IPv6 structures being done for the flow table and other recent work, this actually turned out much easier than I anticipated. David Gibson (3): udp: Merge udp[46]_mh_recv arrays udp: Remove unnnecessary local from udp_sock_init() udp: Use dual stack sockets for port forwarding when possible udp.c | 104 ++++++++++++++++++++++++++++++---------------------------- udp.h | 2 -- 2 files changed, 53 insertions(+), 53 deletions(-) -- 2.46.0

2 8

2024

2023

2022

2021

dev