- dev - passt

[PATCH] MAKE: Fix parallel builds; .o files; .gitignore; new makedocs
by KuhnChris 02 Jul '23

02 Jul '23

From: KuhnChris <kuhnchris(a)kuhnchris.eu> --- .gitignore | 1 + Makefile | 51 +++++++++++++++++++++++++-------------------------- makedocs.pl | 19 +++++++++++++++++++ 3 files changed, 45 insertions(+), 26 deletions(-) create mode 100644 makedocs.pl diff --git a/.gitignore b/.gitignore index d3d0e2c..caeafa5 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,5 @@ *~ +*.o /passt /passt.avx2 /pasta diff --git a/Makefile b/Makefile index a5256f5..4c99771 100644 --- a/Makefile +++ b/Makefile @@ -100,29 +100,41 @@ else BIN := passt pasta qrap endif -all: $(BIN) $(MANPAGES) docs +.NOTPARALLEL: seccomp.h +all: seccomp.h $(BIN) $(MANPAGES) docs + +PASST_OBJS = $(PASST_SRCS:.c=.o) +PASST_AVX2_OBJS = $(PASST_SRCS:.c=.avx2.o) +OBJS = $(SRCS:.c=.o) +QRAP_OBJS = $(QRAP_SRCS:.c=.o) +AVXFLAGS += -Ofast -mavx2 -ftree-vectorize -funroll-loops static: FLAGS += -static -DGLIBC_NO_STATIC_NSS -static: clean all +static: clean seccomp.h all seccomp.h: seccomp.sh $(PASST_SRCS) $(PASST_HEADERS) @ EXTRA_SYSCALLS="$(EXTRA_SYSCALLS)" ARCH="$(TARGET_ARCH)" CC="$(CC)" ./seccomp.sh $(PASST_SRCS) $(PASST_HEADERS) -passt: $(PASST_SRCS) $(HEADERS) - $(CC) $(FLAGS) $(CFLAGS) $(CPPFLAGS) $(PASST_SRCS) -o passt $(LDFLAGS) +.c.o: + $(CC) $(FLAGS) $(CFLAGS) $(CPPFLAGS) -c $< -o $@ + +$(PASST_AVX2_OBJS): seccomp.h + $(CC) $(AVXFLAGS) $(FLAGS) $(CFLAGS) $(CPPFLAGS) -c $(@:.avx2.o=.c) -o $@ + +passt: $(PASST_OBJS) seccomp.h + $(CC) $(FLAGS) $(CFLAGS) $(CPPFLAGS) $(PASST_OBJS) -o passt $(LDFLAGS) -passt.avx2: FLAGS += -Ofast -mavx2 -ftree-vectorize -funroll-loops -passt.avx2: $(PASST_SRCS) $(HEADERS) - $(CC) $(filter-out -O2,$(FLAGS)) $(CFLAGS) $(CPPFLAGS) \ - $(PASST_SRCS) -o passt.avx2 $(LDFLAGS) +passt.avx2: $(PASST_AVX2_OBJS) $(HEADERS) seccomp.h + $(CC) $(filter-out -O2,$(FLAGS)) $(CFLAGS) $(CPPFLAGS) $(AVXFLAGS) \ + $(PASST_AVX2_OBJS) -o passt.avx2 $(LDFLAGS) -passt.avx2: passt +passt.avx2: passt seccomp.h pasta.avx2 pasta.1 pasta: pasta%: passt% ln -sf $< $@ -qrap: $(QRAP_SRCS) passt.h - $(CC) $(FLAGS) $(CFLAGS) $(CPPFLAGS) $(QRAP_SRCS) -o qrap $(LDFLAGS) +qrap: $(QRAP_OBJS) passt.h seccomp.h + $(CC) $(FLAGS) $(CFLAGS) $(CPPFLAGS) $(QRAP_OBJS) -o qrap $(LDFLAGS) valgrind: EXTRA_SYSCALLS += rt_sigprocmask rt_sigtimedwait rt_sigaction \ getpid gettid kill clock_gettime mmap \ @@ -170,21 +182,8 @@ pkgs: static # other way around: the web version should be obtained by adding HTML and # JavaScript portions to a plain Markdown, instead. However, cgit needs to use # a file in the git tree. Find a better way around this. -docs: README.md - @( \ - skip=0; \ - while read l; do \ - case $$l in \ - "## Demo") exit 0 ;; \ - "<!"*) ;; \ - "</"*) skip=1 ;; \ - "<"*) skip=2 ;; \ - esac; \ - \ - [ $$skip -eq 0 ] && echo "$$l"; \ - [ $$skip -eq 1 ] && skip=0; \ - done < README.md; \ - ) > README.plain.md +docs: + [ ! -e doc/ ]; mkdir docs; perl makedocs.pl > docs/README.plain.md # Checkers currently disabled for clang-tidy: # - llvmlibc-restrict-system-libc-headers diff --git a/makedocs.pl b/makedocs.pl new file mode 100644 index 0000000..295e1d9 --- /dev/null +++ b/makedocs.pl @@ -0,0 +1,19 @@ +use strict; + +my $str = ''; +my $regex = qr/(<[^\/].*?>.*?<\/.*?>\n?)|(<\/div>)|(<\/p>)/msp; +my $subst = ''; + + +local $/=undef; +open FILE, '<', 'README.md' or die "Can't open file $!"; +my $file_content = <FILE>; +close FILE; +#print "Source: $file_content\n"; +my $result = $file_content =~ s/$regex//rg; + +my $regex2 = qr/\n[ \n]{3,}\n/msp; +$result = $result =~ s/$regex2/\n\n/rg; + +#print "The result of the substitution is: $result\n"; +print "$result\n"; -- 2.30.2

3 2

[PATCH 0/2] Fix bugs in validation of interface names
by David Gibson 28 Jun '23

28 Jun '23

We have a number of off by one bugs when checking the lengths of networking interface names. David Gibson (2): conf: Fix size checking of -I interface name conf: Correct length checking of interface names in conf_ports() conf.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) -- 2.41.0

2 3

passt: new version 2023_06_27.289301b available
by Stefano Brivio 27 Jun '23

27 Jun '23

The new version with tag 2023_06_27.289301b includes the following change: 289301b netlink: Use correct interface index in NL_SET mode https://passt.top/passt/log/?qt=range&q=2023_06_25.32660ce..2023_06_27.2893… Packages: - Arch Linux: https://www.archlinux.org/packages/extra/x86_64/passt/ https://archlinuxarm.org/packages/aarch64/passt https://archlinuxarm.org/packages/armv7h/passt - Debian tracker: https://tracker.debian.org/pkg/passt - Copr (CentOS Stream, EPEL, Fedora, Mageia, openSUSE): https://copr.fedorainfracloud.org/coprs/sbrivio/passt/build/6119154/ permanent mirror: https://passt.top/builds/copr/0^20230627.g289301b/ - Fedora updates: https://bodhi.fedoraproject.org/updates/?packages=passt - Ubuntu tracker: https://packages.ubuntu.com/lunar/passt - Void Linux: https://voidlinux.org/packages/?q=passt - Static builds: - Package for other RPM-based distributions, x86_64 only: https://passt.top/builds/latest/x86_64/passt-g289301b-1.x86_64.rpm - x86_64 static binaries: https://passt.top/builds/latest/x86_64/ - Debian package, from x86_64 static build: https://passt.top/builds/latest/x86_64/passt_289301b-1_all.deb -- Stefano

1 0

[PATCH] netlink: Use correct interface index in NL_SET mode
by David Gibson 27 Jun '23

27 Jun '23

nl_addr() and nl_route() take an 'op' selector which affects a number of parameters to the netlink call. Unfortunately when we introduced this option a bug was introduced so that we always use the interface index for the host side, rather than the one for the pasta namespace. Really, the entire interface to nl_addr() and nl_route() is pretty bad: it's tightly coupled with the use cases of its callers. This is a minimal fix which doesn't address that, but also doesn't make it significantly worse. Bugzilla: https://bugs.passt.top/show_bug.cgi?id=59 Fixes: 2fe046185634 ("netlink: Add functionality to copy routes from outer namespace") Fixes: e89da3cf03b2 ("netlink: Add functionality to copy addresses from outer namespace") Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au> --- netlink.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/netlink.c b/netlink.c index bc5b2bf9..e15e23f9 100644 --- a/netlink.c +++ b/netlink.c @@ -226,7 +226,7 @@ void nl_route(enum nl_op op, unsigned int ifi, unsigned int ifi_ns, .rta.rta_type = RTA_OIF, .rta.rta_len = RTA_LENGTH(sizeof(unsigned int)), - .ifi = ifi, + .ifi = op == NL_SET ? ifi_ns : ifi, }; unsigned dup_routes = 0; ssize_t n, nlmsgs_size; @@ -370,7 +370,7 @@ void nl_addr(enum nl_op op, unsigned int ifi, unsigned int ifi_ns, .nlh.nlmsg_seq = nl_seq++, .ifa.ifa_family = af, - .ifa.ifa_index = ifi, + .ifa.ifa_index = op == NL_SET ? ifi_ns : ifi, .ifa.ifa_prefixlen = op == NL_SET ? *prefix_len : 0, }; ssize_t n, nlmsgs_size; -- 2.41.0

2 1

passt: new version 2023_06_25.32660ce available
by Stefano Brivio 26 Jun '23

26 Jun '23

The new version with tag 2023_06_25.32660ce includes the following changes: 32660ce pasta: include errno in error message 594dce6 isolation: keep CAP_SYS_PTRACE when required 5b646b9 conf: Accept -a and -g without --config-net in pasta mode d034fb6 conf: Make -a/--address really imply --no-copy-addrs db29fd2 seccomp: Make seccomp.sh re-entrancy safe 3c6d1b9 conf, log: On -h / --help, print usage to stdout, not stderr d072ac2 tap: With pasta, don't reset on tap errors, handle write failures https://passt.top/passt/log/?qt=range&q=2023_06_03.429e1a7..2023_06_25.3266… Packages: - Arch Linux: https://www.archlinux.org/packages/extra/x86_64/passt/ https://archlinuxarm.org/packages/aarch64/passt https://archlinuxarm.org/packages/armv7h/passt - Debian tracker: https://tracker.debian.org/pkg/passt - Copr (CentOS Stream, EPEL, Fedora, Mageia, openSUSE): https://copr.fedorainfracloud.org/coprs/sbrivio/passt/build/6113117/ permanent mirror: https://passt.top/builds/copr/0^20230625.g32660ce/ - Fedora updates: https://bodhi.fedoraproject.org/updates/?packages=passt - Ubuntu tracker: https://packages.ubuntu.com/lunar/passt - Void Linux: https://voidlinux.org/packages/?q=passt - Static builds: - Package for other RPM-based distributions, x86_64 only: https://passt.top/builds/latest/x86_64/passt-g32660ce-1.x86_64.rpm - x86_64 static binaries: https://passt.top/builds/latest/x86_64/ - Debian package, from x86_64 static build: https://passt.top/builds/latest/x86_64/passt_32660ce-1_all.deb -- Stefano

1 0

[PATCH] isolation: keep CAP_SYS_PTRACE when required
by Paul Holzinger 26 Jun '23

26 Jun '23

When pasta is started from an existing userns and tries to join the netns from another process it fails to open /proc/$pid/ns/net due the missing CAP_SYS_PTRACE capability in the --netns-only case. A simple reproducer for this. First create a userns: $ unshare -r Then create a new netns inside it and try to join that netns with pasta. $ unshare -n sleep inf & $ pasta --config-net --netns /proc/$!/ns/net Signed-off-by: Paul Holzinger <pholzing(a)redhat.com> --- isolation.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/isolation.c b/isolation.c index 19932bf..1866724 100644 --- a/isolation.c +++ b/isolation.c @@ -202,9 +202,11 @@ void isolate_initial(void) * a mapping from UID 0, which only happens with pasta spawning a child * from a non-init user namespace (pasta can't run as root), we need to * retain CAP_SETFCAP too. + * We also need to keep CAP_SYS_PTRACE in order to join an existing netns + * path under /proc/$pid/ns/net which was created in the same userns. */ if (!ns_is_init() && !geteuid()) - keep |= BIT(CAP_SETFCAP); + keep |= BIT(CAP_SETFCAP) | BIT(CAP_SYS_PTRACE); drop_caps_ep_except(keep); } -- 2.41.0

2 1

[PATCH] pasta: include errno in error message
by Paul Holzinger 26 Jun '23

26 Jun '23

When the open() or setns() calls fails pasta exits early and prints an error. However it did not include the errno so it was impossible to know why the syscall failed. Signed-off-by: Paul Holzinger <pholzing(a)redhat.com> --- pasta.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pasta.c b/pasta.c index 13ab18b..27809d2 100644 --- a/pasta.c +++ b/pasta.c @@ -136,14 +136,14 @@ void pasta_open_ns(struct ctx *c, const char *netns) nfd = open(netns, O_RDONLY | O_CLOEXEC); if (nfd < 0) - die("Couldn't open network namespace %s", netns); + die("Couldn't open network namespace %s: %s", netns, strerror(errno)); c->pasta_netns_fd = nfd; NS_CALL(ns_check, c); if (c->pasta_netns_fd < 0) - die("Couldn't switch to pasta namespaces"); + die("Couldn't switch to pasta namespaces: %s", strerror(errno)); if (!c->no_netns_quit) { char buf[PATH_MAX] = { 0 }; @@ -261,7 +261,7 @@ void pasta_start_ns(struct ctx *c, uid_t uid, gid_t gid, NS_CALL(pasta_wait_for_ns, c); if (c->pasta_netns_fd < 0) - die("Failed to join network namespace"); + die("Failed to join network namespace: %s", strerror(errno)); } /** -- 2.41.0

3 2

[PATCH] seccomp: Make seccomp.sh re-entrancy safe
by David Gibson 26 Jun '23

26 Jun '23

seccomp.sh generates seccomp.h piece by piece using >> directives. This means that if two instances of seccomp.h are run concurrently a corrupted version of seccomp.h will be generated. Amongst other problems this can cause spurious failures on clang-tidy. Alter seccomp.sh to build the output in a temporary file and atomic move it to seccomp.h, so concurrent invocations will still result in valud output. Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au> --- seccomp.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/seccomp.sh b/seccomp.sh index 092c24e0..e1224e0d 100755 --- a/seccomp.sh +++ b/seccomp.sh @@ -15,7 +15,7 @@ TMP="$(mktemp)" IN="$@" -OUT="seccomp.h" +OUT="$(mktemp)" [ -z "${ARCH}" ] && ARCH="$(uname -m)" [ -z "${CC}" ] && CC="cc" @@ -53,7 +53,7 @@ BST=' BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, @NR@, @R@, @L@),' # cleanup() - Remove temporary file if it exists cleanup() { - rm -f "${TMP}" + rm -f "${TMP}" "${OUT}" } trap "cleanup" EXIT @@ -254,3 +254,5 @@ for __p in ${__profiles}; do gen_profile "${__p}" ${__calls} done + +mv "${OUT}" seccomp.h -- 2.41.0

2 2

[PATCH] conf: Accept -a and -g without --config-net in pasta mode
by Stefano Brivio 23 Jun '23

23 Jun '23

While --no-copy-addrs and --no-copy-routes only make sense with --config-net, and they are implied on -g and -a, respectively, that doesn't mean we should refuse -a or -g without --config-net: they are still relevant for a number of things (including DHCP/DHCPv6/NDP configuration). Reported-by: Gianluca Stivan <me(a)yawnt.com> Fixes: cc9d16758be6 ("conf, pasta: With --config-net, copy all addresses by default") Fixes: da54641f140e ("conf, pasta: With --config-net, copy all routes by default") Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com> --- This is based on my previous patch: "conf: Make -a/--address really imply --no-copy-addrs" conf.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/conf.c b/conf.c index 16a3e64..820d597 100644 --- a/conf.c +++ b/conf.c @@ -1197,6 +1197,7 @@ void conf(struct ctx *c, int argc, char **argv) }; struct get_bound_ports_ns_arg ns_ports_arg = { .c = c }; char userns[PATH_MAX] = { 0 }, netns[PATH_MAX] = { 0 }; + bool copy_addrs_opt = false, copy_routes_opt = false; bool v4_only = false, v6_only = false; char *runas = NULL, *logfile = NULL; struct in6_addr *dns6 = c->ip6.dns; @@ -1362,14 +1363,14 @@ void conf(struct ctx *c, int argc, char **argv) die("--no-copy-routes is for pasta mode only"); warn("--no-copy-routes will be dropped soon"); - c->no_copy_routes = 1; + c->no_copy_routes = copy_routes_opt = true; break; case 19: if (c->mode != MODE_PASTA) die("--no-copy-addrs is for pasta mode only"); warn("--no-copy-addrs will be dropped soon"); - c->no_copy_addrs = 1; + c->no_copy_addrs = copy_addrs_opt = true; break; case 20: if (logfile) @@ -1682,10 +1683,10 @@ void conf(struct ctx *c, int argc, char **argv) die("Options --socket and --fd are mutually exclusive"); if (c->mode == MODE_PASTA && !c->pasta_conf_ns) { - if (c->no_copy_routes) - die("Option --no-copy-routes needs --config-net"); - if (c->no_copy_addrs) - die("Option --no-copy-addrs needs --config-net"); + if (copy_routes_opt) + die("--no-copy-routes needs --config-net"); + if (copy_addrs_opt) + die("--no-copy-addrs needs --config-net"); } if (!ifi4 && *c->ip4.ifname_out) -- 2.39.2

1 0

[RFC v2] tcp: add support for MSG_PEEK with offset
by Jon Maloy 23 Jun '23

23 Jun '23

When reading received messages with MSG_PEEK, we would like to eliminate the need to read the leading bytes over and over again only to reach the part of the message we really want. We now introduce support for this feature, when supported by the kernel. Signed-off-by: Jon Maloy <jmaloy(a)redhat.com> --- tcp.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tcp.c b/tcp.c index 0ed9bfa..ebaf520 100644 --- a/tcp.c +++ b/tcp.c @@ -500,7 +500,6 @@ tcp6_l2_buf[TCP_FRAMES_MEM]; static unsigned int tcp6_l2_buf_used; /* recvmsg()/sendmsg() data for tap */ -static char tcp_buf_discard [MAX_WINDOW]; static struct iovec iov_sock [TCP_FRAMES_MEM + 1]; static struct iovec tcp4_l2_iov [TCP_FRAMES_MEM]; @@ -2239,7 +2238,7 @@ static int tcp_data_from_sock(struct ctx *c, struct tcp_tap_conn *conn) mh_sock.msg_iov = iov_sock; mh_sock.msg_iovlen = fill_bufs + 1; - iov_sock[0].iov_base = tcp_buf_discard; + iov_sock[0].iov_base = NULL; iov_sock[0].iov_len = already_sent; if (( v4 && tcp4_l2_buf_used + fill_bufs > ARRAY_SIZE(tcp4_l2_buf)) || -- 2.39.0

1 0

2024

2023

2022

2021

dev