- dev - passt

[PATCH v2 0/3] Fixes to exeter test integration
by David Gibson 16 Oct '25

16 Oct '25

In advance of the tunbridge work, here are some further small fixes to the test logic, specifically how we interface with exeter tests. v2: * Consistently use ${} style for shell variables * Assorted minor revisions based on Stefano's feedback David Gibson (3): test: Use ${} consistently in lib/exeter test: Add some missing quoting in exeter runner test: For missing static checkers, skip rather than failing tests test/build/static_checkers.sh | 24 ++++++++++++++++++------ test/lib/exeter | 28 ++++++++++++++++++---------- 2 files changed, 36 insertions(+), 16 deletions(-) -- 2.51.0

2 1

[PATCH v13 00/10] Use true MAC address of LAN local remote hosts
by Jon Maloy 14 Oct '25

14 Oct '25

Bug #120 asks us to use the true MAC addresses of LAN local remote hosts, since some programs need this information. These commits introduces this for ARP, NDP, UDP, TCP and ICMP. --- v3: Updated according to feedback from Stefano and David: - Made the ARP/NDP lookup call filter out the requested address by itself, qualified by the index if the template interface - Moved the flow specific MAC address from struct flowside to struct flow_common. v4: - Updated according to feedback from David and Stefan - Added a cache table for ARP/NDP table contents v5: - Updated according to feedback from David and Stefan - Added cache table entries to FIFO/LRU queue - New criteria for when to consult ARP/NDP v6: - Simplified and merged mac cache table commits - Other changes after feedback from David. v7: - Fixes in patch #2 based on feedback from David and Stefano. v8: - Redesigned netlink and cache table part to be based on a subscription model. v8: - Small fix to patch #2 so that we cover the case when a MAC addess for a host has changed. - Added a commit where we send a gratuitous ARP/ unsolicitated NA to the guest when a new host is added to the neighbour cache table. v10: - Some fixes after feedback from David Gibson - Reordered: Moved patch #9 to position #3. - Added synchronization step between ARP/NDP table contents and the neigbour table at initialization. This reduces the number of "false" ARP/NDP replies drastically, but not completly. - (Next step could be to scan over the flow table and update affeced entries when we receive a MAC address update.) v11: - Corrected the gratuitous ARP implementation to use the "ARP Announcement" model instead of the "Gratuitous ARP reply" model. v12: - Updated based on feedback from David and Stefano - Added special handling of default GW and loopback addresses. v13: - Updated based on discussion with David and Stefano - Conceptually moved to only considering guest-side visible addresss. A lot of things became simpler and clearer through this change. Thank you, David. - Introduced a 'permanent' flag in the special entries representing addessed mapping to own host and conditionally the guest gw. This flag indicates those entries cannot be altered by possible remote hosts shadowed by these addresses. Suggested by Stefano. - Reordered patch ##4 and 5, since #5 cannot work correctly for NDP unsolicited NA until #4 is in place. - Added a new commit #2 to get later access to the flag no_map_gw. It was wrong to call fwd_neigh_table_init() from inside conf(), it has to be done in main() after random_init() and tap_backend_init(). Jon Maloy (10): netlink: add subscription on changes in NDP/ARP table passt: add no_map_gw flag to struct ctx fwd: Add cache table for ARP/NDP contents arp/ndp: respond with true MAC address of LAN local remote hosts arp/ndp: send ARP announcement / unsolicited NA when neigbour entry added flow: add MAC address of LAN local remote hosts to flow udp: forward external source MAC address through tap interface tcp: forward external source MAC address through tap interface tap: change signature of function tap_push_l2h() icmp: let icmp use mac address from flowside structure arp.c | 50 ++++++++++- arp.h | 2 + conf.c | 10 +-- epoll_type.h | 2 + flow.c | 2 + flow.h | 2 + fwd.c | 232 +++++++++++++++++++++++++++++++++++++++++++++++++ fwd.h | 7 ++ icmp.c | 8 +- inany.c | 1 + ndp.c | 16 +++- ndp.h | 1 + netlink.c | 218 +++++++++++++++++++++++++++++++++++++++++++++- netlink.h | 4 + passt.c | 17 ++-- passt.h | 4 +- pasta.c | 2 +- tap.c | 24 ++--- tap.h | 7 +- tcp.c | 20 ++++- tcp.h | 2 +- tcp_buf.c | 37 ++++---- tcp_internal.h | 4 +- tcp_vu.c | 5 +- udp.c | 57 +++++++----- udp.h | 2 +- util.h | 2 + 27 files changed, 650 insertions(+), 88 deletions(-) -- 2.50.1

2 16

[PATCH v2 0/3] Retry SYNs for inbound connections
by Yumei Huang 14 Oct '25

14 Oct '25

When a client connects, SYN would be sent to guest only once. If the guest is not connected or ready at that time, the connection will be reset in 10s. These patches introduce the SYN retry mechanism using the similar backoff timeout as linux kernel. Also update the data retransmission timeout. Yumei Huang (3): tcp: Rename "retrans" to "retries" tcp: Resend SYN for inbound connections tcp: Update data retransmission timeout tcp.c | 132 +++++++++++++++++++++++++++++++++++++++++++++-------- tcp.h | 2 + tcp_conn.h | 12 ++--- 3 files changed, 120 insertions(+), 26 deletions(-) -- 2.47.0

3 10

[PATCH v2] test: Update the threshold value for some perf tests
by Yumei Huang 14 Oct '25

14 Oct '25

The values are adjusted to better match results observerd on the test hardware with 56-core Xeon Gold 6330 CPU and 126 GB RAM. Link: https://bugs.passt.top/show_bug.cgi?id=156 Signed-off-by: Yumei Huang <yuhuang(a)redhat.com> --- test/perf/passt_tcp | 6 +++--- test/perf/pasta_udp | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/test/perf/passt_tcp b/test/perf/passt_tcp index 5978c49..1a97a63 100644 --- a/test/perf/passt_tcp +++ b/test/perf/passt_tcp @@ -87,7 +87,7 @@ lat - lat - nsb tcp_crr --nolog -6 gout LAT tcp_crr --nolog -l1 -6 -c -H __MAP_NS6__ | sed -n 's/^throughput=$.*$/\1/p' -lat __LAT__ 500 400 +lat __LAT__ 550 450 tr TCP throughput over IPv4: guest to host iperf3s ns 10002 @@ -137,7 +137,7 @@ lat - lat - nsb tcp_crr --nolog -4 gout LAT tcp_crr --nolog -l1 -4 -c -H __MAP_NS4__ | sed -n 's/^throughput=$.*$/\1/p' -lat __LAT__ 500 400 +lat __LAT__ 550 450 tr TCP throughput over IPv6: host to guest iperf3s guest 10001 @@ -208,6 +208,6 @@ lat - guestb tcp_crr --nolog -P 10001 -C 10011 -4 sleep 1 nsout LAT tcp_crr --nolog -l1 -P 10001 -C 10011 -4 -c -H 127.0.0.1 | sed -n 's/^throughput=$.*$/\1/p' -lat __LAT__ 500 300 +lat __LAT__ 500 350 te diff --git a/test/perf/pasta_udp b/test/perf/pasta_udp index 3a7054c..c51bb6c 100644 --- a/test/perf/pasta_udp +++ b/test/perf/pasta_udp @@ -39,7 +39,7 @@ iperf3s host 10003 # (datagram size) = (packet size) - 48: 40 bytes of IPv6 header, 8 of UDP header iperf3 BW ns ::1 10003 __TIME__ __OPTS__ -b 5G -l 1452 -bw __BW__ 1.0 1.5 +bw __BW__ 0.8 1.2 iperf3 BW ns ::1 10003 __TIME__ __OPTS__ -b 10G -l 3972 bw __BW__ 1.2 1.8 iperf3 BW ns ::1 10003 __TIME__ __OPTS__ -b 30G -l 16336 @@ -64,7 +64,7 @@ iperf3s host 10003 # (datagram size) = (packet size) - 28: 20 bytes of IPv4 header, 8 of UDP header iperf3 BW ns 127.0.0.1 10003 __TIME__ __OPTS__ -b 5G -l 1372 -bw __BW__ 1.0 1.5 +bw __BW__ 0.8 1.2 iperf3 BW ns 127.0.0.1 10003 __TIME__ __OPTS__ -b 10G -l 3972 bw __BW__ 1.2 1.8 iperf3 BW ns 127.0.0.1 10003 __TIME__ __OPTS__ -b 30G -l 16356 @@ -88,7 +88,7 @@ tr UDP throughput over IPv6: host to ns iperf3s ns 10002 iperf3 BW host ::1 10002 __TIME__ __OPTS__ -b 5G -l 1452 -bw __BW__ 1.0 1.5 +bw __BW__ 0.8 1.2 iperf3 BW host ::1 10002 __TIME__ __OPTS__ -b 10G -l 3972 bw __BW__ 1.2 1.8 iperf3 BW host ::1 10002 __TIME__ __OPTS__ -b 30G -l 16336 @@ -111,7 +111,7 @@ lat __LAT__ 200 150 tr UDP throughput over IPv4: host to ns iperf3s ns 10002 iperf3 BW host 127.0.0.1 10002 __TIME__ __OPTS__ -b 5G -l 1372 -bw __BW__ 1.0 1.5 +bw __BW__ 0.8 1.2 iperf3 BW host 127.0.0.1 10002 __TIME__ __OPTS__ -b 10G -l 3972 bw __BW__ 1.2 1.8 iperf3 BW host 127.0.0.1 10002 __TIME__ __OPTS__ -b 30G -l 16356 -- 2.47.0

3 4

[PATCH] test: Update the threshold value for some perf tests
by Yumei Huang 13 Oct '25

13 Oct '25

Link: https://bugs.passt.top/show_bug.cgi?id=156 Signed-off-by: Yumei Huang <yuhuang(a)redhat.com> --- test/perf/passt_tcp | 6 +++--- test/perf/pasta_udp | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/test/perf/passt_tcp b/test/perf/passt_tcp index 5978c49..1a97a63 100644 --- a/test/perf/passt_tcp +++ b/test/perf/passt_tcp @@ -87,7 +87,7 @@ lat - lat - nsb tcp_crr --nolog -6 gout LAT tcp_crr --nolog -l1 -6 -c -H __MAP_NS6__ | sed -n 's/^throughput=$.*$/\1/p' -lat __LAT__ 500 400 +lat __LAT__ 550 450 tr TCP throughput over IPv4: guest to host iperf3s ns 10002 @@ -137,7 +137,7 @@ lat - lat - nsb tcp_crr --nolog -4 gout LAT tcp_crr --nolog -l1 -4 -c -H __MAP_NS4__ | sed -n 's/^throughput=$.*$/\1/p' -lat __LAT__ 500 400 +lat __LAT__ 550 450 tr TCP throughput over IPv6: host to guest iperf3s guest 10001 @@ -208,6 +208,6 @@ lat - guestb tcp_crr --nolog -P 10001 -C 10011 -4 sleep 1 nsout LAT tcp_crr --nolog -l1 -P 10001 -C 10011 -4 -c -H 127.0.0.1 | sed -n 's/^throughput=$.*$/\1/p' -lat __LAT__ 500 300 +lat __LAT__ 500 350 te diff --git a/test/perf/pasta_udp b/test/perf/pasta_udp index 3a7054c..c51bb6c 100644 --- a/test/perf/pasta_udp +++ b/test/perf/pasta_udp @@ -39,7 +39,7 @@ iperf3s host 10003 # (datagram size) = (packet size) - 48: 40 bytes of IPv6 header, 8 of UDP header iperf3 BW ns ::1 10003 __TIME__ __OPTS__ -b 5G -l 1452 -bw __BW__ 1.0 1.5 +bw __BW__ 0.8 1.2 iperf3 BW ns ::1 10003 __TIME__ __OPTS__ -b 10G -l 3972 bw __BW__ 1.2 1.8 iperf3 BW ns ::1 10003 __TIME__ __OPTS__ -b 30G -l 16336 @@ -64,7 +64,7 @@ iperf3s host 10003 # (datagram size) = (packet size) - 28: 20 bytes of IPv4 header, 8 of UDP header iperf3 BW ns 127.0.0.1 10003 __TIME__ __OPTS__ -b 5G -l 1372 -bw __BW__ 1.0 1.5 +bw __BW__ 0.8 1.2 iperf3 BW ns 127.0.0.1 10003 __TIME__ __OPTS__ -b 10G -l 3972 bw __BW__ 1.2 1.8 iperf3 BW ns 127.0.0.1 10003 __TIME__ __OPTS__ -b 30G -l 16356 @@ -88,7 +88,7 @@ tr UDP throughput over IPv6: host to ns iperf3s ns 10002 iperf3 BW host ::1 10002 __TIME__ __OPTS__ -b 5G -l 1452 -bw __BW__ 1.0 1.5 +bw __BW__ 0.8 1.2 iperf3 BW host ::1 10002 __TIME__ __OPTS__ -b 10G -l 3972 bw __BW__ 1.2 1.8 iperf3 BW host ::1 10002 __TIME__ __OPTS__ -b 30G -l 16336 @@ -111,7 +111,7 @@ lat __LAT__ 200 150 tr UDP throughput over IPv4: host to ns iperf3s ns 10002 iperf3 BW host 127.0.0.1 10002 __TIME__ __OPTS__ -b 5G -l 1372 -bw __BW__ 1.0 1.5 +bw __BW__ 0.8 1.2 iperf3 BW host 127.0.0.1 10002 __TIME__ __OPTS__ -b 10G -l 3972 bw __BW__ 1.2 1.8 iperf3 BW host 127.0.0.1 10002 __TIME__ __OPTS__ -b 30G -l 16356 -- 2.47.0

2 2

[PATCH] tap: Update some function comments for accuracy
by David Gibson 13 Oct '25

13 Oct '25

Several of the tap_push_*() functions have doc comments claiming they take the context pointer, but don't. Some (tap_push_uh[46]) were broken fairly recently, but others (tap_push_ip[46]h) have been broken for a long time. Regardless, fix all the doc comments. Reported-by: Stefano Brivio <sbrivio(a)redhat.com> Fixes: 82a839be9 ("tap: break out building of udp header from tap_udp4_send function") Fixes: 87e6a4644 ("tap: break out building of udp header from tap_udp6_send function") Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au> --- tap.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tap.c b/tap.c index 95d309bd..f3d1f660 100644 --- a/tap.c +++ b/tap.c @@ -188,7 +188,7 @@ void *tap_push_l2h(const struct ctx *c, void *buf, uint16_t proto) /** * tap_push_ip4h() - Build IPv4 header for inbound packet, with checksum - * @c: Execution context + * @ip4h: Buffer in which to build the IPv4 header * @src: IPv4 source address * @dst: IPv4 destination address * @l4len: IPv4 payload length @@ -217,7 +217,7 @@ void *tap_push_ip4h(struct iphdr *ip4h, struct in_addr src, /** * tap_push_uh4() - Build UDPv4 header with checksum - * @c: Execution context + * @uh: Buffer in which to build the UDP header * @src: IPv4 source address * @sport: UDP source port * @dst: IPv4 destination address @@ -293,7 +293,7 @@ void tap_icmp4_send(const struct ctx *c, struct in_addr src, struct in_addr dst, /** * tap_push_ip6h() - Build IPv6 header for inbound packet - * @c: Execution context + * @ip6h: Buffer in which to build the IPv6 header * @src: IPv6 source address * @dst: IPv6 destination address * @l4len: L4 payload length @@ -319,7 +319,7 @@ void *tap_push_ip6h(struct ipv6hdr *ip6h, /** * tap_push_uh6() - Build UDPv6 header with checksum - * @c: Execution context + * @uh: Buffer in which to build the UDP header * @src: IPv6 source address * @sport: UDP source port * @dst: IPv6 destination address -- 2.51.0

1 0

[PATCH v11 0/4] Reconstruct incoming ICMP headers for failed UDP connect and forward back
by Jon Maloy 13 Oct '25

13 Oct '25

v2: - Added patch breaking out udp header creation from function tap_udp4_send(). - Updated the ICMP creation by using the new function. - Added logics to find correct flow, depending on origin. - All done after feedback from David Gibson. v3: - More changes after feedback from David Gibson. v4: - Even more changes after feedback from D. Gibson v5: - Added corresponding patches for IPv6 v6: - Fixed some small nits after comments from D. Gibson. v7: - Added handling of all rejected ICMP messages - Returning correct user data amount if IPv6 as per RFC 4884. v8: - Added MTU to ICMPv4 ICMP_FRAG_NEEDED messages. - Added ASSERT() validation to message creation functions. v9: - Using real source address of ICMP to complement destination address for originial UDP message when needed. v10: -Fixed wrong l4len value given to tap_push_ip4h() in function udp_send_conn_fail_icmp4(), patch #2. v11: -Eliminated coverity warnings. -Fixed a couple of tab issues (My emacs settings weren't able to handle my combination of whitespace and tab settings correctly.) Jon Maloy (4): tap: break out building of udp header from tap_udp4_send function udp: create and send ICMPv4 to local peer when applicable tap: break out building of udp header from tap_udp6_send function udp: create and send ICMPv6 to local peer when applicable tap.c | 86 +++++++++++++++++++++++--------- tap.h | 15 ++++++ udp.c | 132 ++++++++++++++++++++++++++++++++++++++++++++----- udp_internal.h | 2 +- udp_vu.c | 4 +- 5 files changed, 200 insertions(+), 39 deletions(-) -- 2.48.1

3 8

[PATCH 3/8] fwd: Consolidate scans (not rebinds) in fwd.c
by David Gibson 11 Oct '25

11 Oct '25

fwd_scan_ports_timer(), via the things it calls, goes through all the auto forwarding cases (tcp, udp, inbound, outbound) and for each one first scans for listening ports, then rebinds - that is, closes or opens our own listening ports to match. Rearrange to do all the scans first, then all the rebinds after. This lets us consolidate all the scans into fwd.c, and will enable further cleanups. Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au> --- fwd.c | 27 +++++++++++++++++++++------ fwd.h | 4 ---- tcp.c | 12 ++++-------- tcp.h | 2 +- udp.c | 14 ++++---------- udp.h | 2 +- 6 files changed, 31 insertions(+), 30 deletions(-) diff --git a/fwd.c b/fwd.c index bd89a94a..19309f14 100644 --- a/fwd.c +++ b/fwd.c @@ -153,7 +153,8 @@ static void procfs_scan_listen(int fd, unsigned int lstate, * @fwd: Forwarding information to update * @rev: Forwarding information for the reverse direction */ -void fwd_scan_ports_tcp(struct fwd_ports *fwd, const struct fwd_ports *rev) +static void fwd_scan_ports_tcp(struct fwd_ports *fwd, + const struct fwd_ports *rev) { memset(fwd->map, 0, PORT_BITMAP_SIZE); procfs_scan_listen(fwd->scan4, TCP_LISTEN, fwd->map, rev->map); @@ -167,9 +168,10 @@ void fwd_scan_ports_tcp(struct fwd_ports *fwd, const struct fwd_ports *rev) * @tcp_fwd: Corresponding TCP forwarding information * @tcp_rev: TCP forwarding information for the reverse direction */ -void fwd_scan_ports_udp(struct fwd_ports *fwd, const struct fwd_ports *rev, - const struct fwd_ports *tcp_fwd, - const struct fwd_ports *tcp_rev) +static void fwd_scan_ports_udp(struct fwd_ports *fwd, + const struct fwd_ports *rev, + const struct fwd_ports *tcp_fwd, + const struct fwd_ports *tcp_rev) { uint8_t exclude[PORT_BITMAP_SIZE]; @@ -248,10 +250,23 @@ void fwd_scan_ports_timer(struct ctx *c, const struct timespec *now) scan_ports_run = *now; + if (c->tcp.fwd_out.mode == FWD_AUTO) + fwd_scan_ports_tcp(&c->tcp.fwd_out, &c->tcp.fwd_in); + if (c->tcp.fwd_in.mode == FWD_AUTO) + fwd_scan_ports_tcp(&c->tcp.fwd_in, &c->tcp.fwd_out); + if (c->udp.fwd_out.mode == FWD_AUTO) { + fwd_scan_ports_udp(&c->udp.fwd_out, &c->udp.fwd_in, + &c->tcp.fwd_out, &c->tcp.fwd_in); + } + if (c->udp.fwd_in.mode == FWD_AUTO) { + fwd_scan_ports_udp(&c->udp.fwd_in, &c->udp.fwd_out, + &c->tcp.fwd_in, &c->tcp.fwd_out); + } + if (!c->no_tcp) - tcp_scan_ports(c); + tcp_port_rebind_all(c); if (!c->no_udp) - udp_scan_ports(c); + udp_port_rebind_all(c); } /** diff --git a/fwd.h b/fwd.h index 385e5bd8..8fe4119a 100644 --- a/fwd.h +++ b/fwd.h @@ -44,10 +44,6 @@ struct fwd_ports { #define FWD_PORT_SCAN_INTERVAL 1000 /* ms */ -void fwd_scan_ports_tcp(struct fwd_ports *fwd, const struct fwd_ports *rev); -void fwd_scan_ports_udp(struct fwd_ports *fwd, const struct fwd_ports *rev, - const struct fwd_ports *tcp_fwd, - const struct fwd_ports *tcp_rev); void fwd_scan_ports_init(struct ctx *c); void fwd_scan_ports_timer(struct ctx *c, const struct timespec *now); diff --git a/tcp.c b/tcp.c index dbbb00c4..a330538d 100644 --- a/tcp.c +++ b/tcp.c @@ -2869,22 +2869,18 @@ static int tcp_port_rebind_outbound(void *arg) } /** - * tcp_scan_ports() - Update forwarding maps based on scan of listening ports + * tcp_port_rebind_all() - Rebind ports to match forward maps (in host & ns) * @c: Execution context */ -void tcp_scan_ports(struct ctx *c) +void tcp_port_rebind_all(struct ctx *c) { ASSERT(c->mode == MODE_PASTA && !c->no_tcp); - if (c->tcp.fwd_out.mode == FWD_AUTO) { - fwd_scan_ports_tcp(&c->tcp.fwd_out, &c->tcp.fwd_in); + if (c->tcp.fwd_out.mode == FWD_AUTO) NS_CALL(tcp_port_rebind_outbound, c); - } - if (c->tcp.fwd_in.mode == FWD_AUTO) { - fwd_scan_ports_tcp(&c->tcp.fwd_in, &c->tcp.fwd_out); + if (c->tcp.fwd_in.mode == FWD_AUTO) tcp_port_rebind(c, false); - } } /** diff --git a/tcp.h b/tcp.h index 43ab0655..69b6c5dc 100644 --- a/tcp.h +++ b/tcp.h @@ -21,7 +21,7 @@ int tcp_tap_handler(const struct ctx *c, uint8_t pif, sa_family_t af, int tcp_sock_init(const struct ctx *c, const union inany_addr *addr, const char *ifname, in_port_t port); int tcp_init(struct ctx *c); -void tcp_scan_ports(struct ctx *c); +void tcp_port_rebind_all(struct ctx *c); void tcp_timer(const struct ctx *c, const struct timespec *now); void tcp_defer_handler(struct ctx *c); diff --git a/udp.c b/udp.c index d15f03dc..e27b2219 100644 --- a/udp.c +++ b/udp.c @@ -1239,24 +1239,18 @@ static int udp_port_rebind_outbound(void *arg) } /** - * udp_scan_ports() - Update forwarding maps based on scan of listening ports + * udp_port_rebind_all() - Rebind ports to match forward maps (in host & ns) * @c: Execution context */ -void udp_scan_ports(struct ctx *c) +void udp_port_rebind_all(struct ctx *c) { ASSERT(c->mode == MODE_PASTA && !c->no_udp); - if (c->udp.fwd_out.mode == FWD_AUTO) { - fwd_scan_ports_udp(&c->udp.fwd_out, &c->udp.fwd_in, - &c->tcp.fwd_out, &c->tcp.fwd_in); + if (c->udp.fwd_out.mode == FWD_AUTO) NS_CALL(udp_port_rebind_outbound, c); - } - if (c->udp.fwd_in.mode == FWD_AUTO) { - fwd_scan_ports_udp(&c->udp.fwd_in, &c->udp.fwd_out, - &c->tcp.fwd_in, &c->tcp.fwd_out); + if (c->udp.fwd_in.mode == FWD_AUTO) udp_port_rebind(c, false); - } } /** diff --git a/udp.h b/udp.h index a6de1f1c..a2bf2720 100644 --- a/udp.h +++ b/udp.h @@ -18,7 +18,7 @@ int udp_tap_handler(const struct ctx *c, uint8_t pif, int udp_sock_init(const struct ctx *c, int ns, const union inany_addr *addr, const char *ifname, in_port_t port); int udp_init(struct ctx *c); -void udp_scan_ports(struct ctx *c); +void udp_port_rebind_all(struct ctx *c); void udp_update_l2_buf(const unsigned char *eth_d, const unsigned char *eth_s); /** -- 2.51.0

1 0

[PATCH 2/8] tcp, udp, fwd: Run all port scanning from a single timer
by David Gibson 11 Oct '25

11 Oct '25

With -t auto and similar options we need to periodically scan /proc for listening ports. Currently we do this separately for TCP and UDP, from tcp_timer() and udp_timer(). For upcoming changes (leading eventually to a more general forwarding table), it's awkward to have these separate. Move them to a single common timer. For now this just calls new tcp_scan_ports() and udp_scan_ports() functions, but we'll consolidate more thoroughly in later patches. Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au> --- fwd.c | 24 ++++++++++++++++++++++++ fwd.h | 3 +++ passt.c | 7 +++---- tcp.c | 33 ++++++++++++++++++++------------- tcp.h | 3 ++- udp.c | 29 ++++++++++++----------------- udp.h | 4 +--- 7 files changed, 65 insertions(+), 38 deletions(-) diff --git a/fwd.c b/fwd.c index 250cf564..bd89a94a 100644 --- a/fwd.c +++ b/fwd.c @@ -230,6 +230,30 @@ void fwd_scan_ports_init(struct ctx *c) } } +/* Last time we scanned for open ports */ +static struct timespec scan_ports_run; + +/** + * fwd_scan_ports_timer() - Rescan open port information when necessary + * @c: Execution context + * @now: Current (monotonic) time + */ +void fwd_scan_ports_timer(struct ctx *c, const struct timespec *now) +{ + if (c->mode != MODE_PASTA) + return; + + if (timespec_diff_ms(now, &scan_ports_run) < FWD_PORT_SCAN_INTERVAL) + return; + + scan_ports_run = *now; + + if (!c->no_tcp) + tcp_scan_ports(c); + if (!c->no_udp) + udp_scan_ports(c); +} + /** * is_dns_flow() - Determine if flow appears to be a DNS request * @proto: Protocol (IP L4 protocol number) diff --git a/fwd.h b/fwd.h index 65c7c964..385e5bd8 100644 --- a/fwd.h +++ b/fwd.h @@ -42,11 +42,14 @@ struct fwd_ports { in_port_t delta[NUM_PORTS]; }; +#define FWD_PORT_SCAN_INTERVAL 1000 /* ms */ + void fwd_scan_ports_tcp(struct fwd_ports *fwd, const struct fwd_ports *rev); void fwd_scan_ports_udp(struct fwd_ports *fwd, const struct fwd_ports *rev, const struct fwd_ports *tcp_fwd, const struct fwd_ports *tcp_rev); void fwd_scan_ports_init(struct ctx *c); +void fwd_scan_ports_timer(struct ctx *c, const struct timespec *now); bool nat_inbound(const struct ctx *c, const union inany_addr *addr, union inany_addr *translated); diff --git a/passt.c b/passt.c index b877659e..28ce5711 100644 --- a/passt.c +++ b/passt.c @@ -56,7 +56,7 @@ #define EPOLL_EVENTS 8 -#define TIMER_INTERVAL_ MIN(TCP_TIMER_INTERVAL, UDP_TIMER_INTERVAL) +#define TIMER_INTERVAL_ MIN(TCP_TIMER_INTERVAL, FWD_PORT_SCAN_INTERVAL) #define TIMER_INTERVAL MIN(TIMER_INTERVAL_, FLOW_TIMER_INTERVAL) char pkt_buf[PKT_BUF_BYTES] __attribute__ ((aligned(PAGE_SIZE))); @@ -117,11 +117,10 @@ static void post_handler(struct ctx *c, const struct timespec *now) /* NOLINTNEXTLINE(bugprone-branch-clone): intervals can be the same */ CALL_PROTO_HANDLER(tcp, TCP); - /* NOLINTNEXTLINE(bugprone-branch-clone): intervals can be the same */ - CALL_PROTO_HANDLER(udp, UDP); +#undef CALL_PROTO_HANDLER flow_defer_handler(c, now); -#undef CALL_PROTO_HANDLER + fwd_scan_ports_timer(c, now); if (!c->no_ndp) ndp_timer(c, now); diff --git a/tcp.c b/tcp.c index 0f9e9b3f..dbbb00c4 100644 --- a/tcp.c +++ b/tcp.c @@ -2869,25 +2869,32 @@ static int tcp_port_rebind_outbound(void *arg) } /** - * tcp_timer() - Periodic tasks: port detection, closed connections, pool refill + * tcp_scan_ports() - Update forwarding maps based on scan of listening ports * @c: Execution context - * @now: Current timestamp */ -void tcp_timer(struct ctx *c, const struct timespec *now) +void tcp_scan_ports(struct ctx *c) { - (void)now; + ASSERT(c->mode == MODE_PASTA && !c->no_tcp); - if (c->mode == MODE_PASTA) { - if (c->tcp.fwd_out.mode == FWD_AUTO) { - fwd_scan_ports_tcp(&c->tcp.fwd_out, &c->tcp.fwd_in); - NS_CALL(tcp_port_rebind_outbound, c); - } + if (c->tcp.fwd_out.mode == FWD_AUTO) { + fwd_scan_ports_tcp(&c->tcp.fwd_out, &c->tcp.fwd_in); + NS_CALL(tcp_port_rebind_outbound, c); + } - if (c->tcp.fwd_in.mode == FWD_AUTO) { - fwd_scan_ports_tcp(&c->tcp.fwd_in, &c->tcp.fwd_out); - tcp_port_rebind(c, false); - } + if (c->tcp.fwd_in.mode == FWD_AUTO) { + fwd_scan_ports_tcp(&c->tcp.fwd_in, &c->tcp.fwd_out); + tcp_port_rebind(c, false); } +} + +/** + * tcp_timer() - Periodic tasks: port detection, closed connections, pool refill + * @c: Execution context + * @now: Current timestamp + */ +void tcp_timer(const struct ctx *c, const struct timespec *now) +{ + (void)now; tcp_sock_refill_init(c); if (c->mode == MODE_PASTA) diff --git a/tcp.h b/tcp.h index 234a8033..43ab0655 100644 --- a/tcp.h +++ b/tcp.h @@ -21,7 +21,8 @@ int tcp_tap_handler(const struct ctx *c, uint8_t pif, sa_family_t af, int tcp_sock_init(const struct ctx *c, const union inany_addr *addr, const char *ifname, in_port_t port); int tcp_init(struct ctx *c); -void tcp_timer(struct ctx *c, const struct timespec *now); +void tcp_scan_ports(struct ctx *c); +void tcp_timer(const struct ctx *c, const struct timespec *now); void tcp_defer_handler(struct ctx *c); void tcp_update_l2_buf(const unsigned char *eth_d, const unsigned char *eth_s); diff --git a/udp.c b/udp.c index 86585b7e..d15f03dc 100644 --- a/udp.c +++ b/udp.c @@ -1239,28 +1239,23 @@ static int udp_port_rebind_outbound(void *arg) } /** - * udp_timer() - Scan activity bitmaps for ports with associated timed events + * udp_scan_ports() - Update forwarding maps based on scan of listening ports * @c: Execution context - * @now: Current timestamp */ -void udp_timer(struct ctx *c, const struct timespec *now) +void udp_scan_ports(struct ctx *c) { - (void)now; - - ASSERT(!c->no_udp); + ASSERT(c->mode == MODE_PASTA && !c->no_udp); - if (c->mode == MODE_PASTA) { - if (c->udp.fwd_out.mode == FWD_AUTO) { - fwd_scan_ports_udp(&c->udp.fwd_out, &c->udp.fwd_in, - &c->tcp.fwd_out, &c->tcp.fwd_in); - NS_CALL(udp_port_rebind_outbound, c); - } + if (c->udp.fwd_out.mode == FWD_AUTO) { + fwd_scan_ports_udp(&c->udp.fwd_out, &c->udp.fwd_in, + &c->tcp.fwd_out, &c->tcp.fwd_in); + NS_CALL(udp_port_rebind_outbound, c); + } - if (c->udp.fwd_in.mode == FWD_AUTO) { - fwd_scan_ports_udp(&c->udp.fwd_in, &c->udp.fwd_out, - &c->tcp.fwd_in, &c->tcp.fwd_out); - udp_port_rebind(c, false); - } + if (c->udp.fwd_in.mode == FWD_AUTO) { + fwd_scan_ports_udp(&c->udp.fwd_in, &c->udp.fwd_out, + &c->tcp.fwd_in, &c->tcp.fwd_out); + udp_port_rebind(c, false); } } diff --git a/udp.h b/udp.h index 8f8531ad..a6de1f1c 100644 --- a/udp.h +++ b/udp.h @@ -6,8 +6,6 @@ #ifndef UDP_H #define UDP_H -#define UDP_TIMER_INTERVAL 1000 /* ms */ - void udp_portmap_clear(void); void udp_listen_sock_handler(const struct ctx *c, union epoll_ref ref, uint32_t events, const struct timespec *now); @@ -20,7 +18,7 @@ int udp_tap_handler(const struct ctx *c, uint8_t pif, int udp_sock_init(const struct ctx *c, int ns, const union inany_addr *addr, const char *ifname, in_port_t port); int udp_init(struct ctx *c); -void udp_timer(struct ctx *c, const struct timespec *now); +void udp_scan_ports(struct ctx *c); void udp_update_l2_buf(const unsigned char *eth_d, const unsigned char *eth_s); /** -- 2.51.0

1 0

[PATCH v2 00/14] Clean up checksum and header generation for inbound packets
by David Gibson 10 Oct '25

10 Oct '25

The main packet "fast paths" for UDP and TCP mostly just forward packets rather than generating them from scratch. However the control paths for ICMP and DHCP sometimes generate packets more or less from scratch. Because these are relatively rare, it's not performance critical. The paths for sending these packets have some duplication of the header generation. There's also some layering violation in tap_ip_send() which both generates IP headers and updates the L4 (UDP or UCMP) checksum. Finally that checksum generation is a little awkward: it temporarily generates the IP pseudo header (or something close enough to serve) in the place of the actual header, generates the checksum, then replaces it with the real IP header. This approach seems to be causing miscompiles with some LTO optimization, because the stores to the pseudo header are being moved or elided across the code calculating the checksum. This series addresses all of these. We consolidate and clarify the packet sending helpers, and use them in some places there was previously duplicated code. In the process we use new checksum generation helpers which take a different approach which should avoid the LTO problems (this aspect I haven't tested yet though). Changes since v1: * Numerous minor style changes * Rename header generation helpers to make their behaviour clearer * Added several missing function doc comments * Corrected some erroneous statements and terms in comments David Gibson (14): Add csum_icmp6() helper for calculating ICMPv6 checksums Add csum_icmp4() helper for calculating ICMP checksums Add csum_udp6() helper for calculating UDP over IPv6 checksums Add csum_udp4() helper for calculating UDP over IPv4 checksums Add csum_ip4_header() helper to calculate IPv4 header checksums Add helpers for normal inbound packet destination addresses Remove support for TCP packets from tap_ip_send() tap: Remove unhelpeful vnet_pre optimization from tap_send() Split tap_ip_send() into IPv4 and IPv6 specific functions tap: Split tap_ip6_send() into UDP and ICMP variants ndp: Remove unneeded eh_source parameter ndp: Use tap_icmp6_send() helper tap: Split tap_ip4_send() into UDP and ICMP variants dhcp: Use tap_udp4_send() helper in dhcp() arp.c | 2 +- checksum.c | 120 ++++++++++++++++----- checksum.h | 15 ++- dhcp.c | 19 +--- dhcpv6.c | 21 +--- icmp.c | 12 +-- ndp.c | 28 +---- ndp.h | 3 +- tap.c | 312 ++++++++++++++++++++++++++++++++++------------------- tap.h | 19 +++- 10 files changed, 345 insertions(+), 206 deletions(-) -- 2.37.3

2 17