New subject: [PATCH v8 01/19] conf, fwd: Stricter rule checking in fwd_rule_add()

6 May 2026

      Changes in v8:
 * Implement --add, --delete, and --clear in 19/19, to add forwarding
   rules instead of replacing tables, delete existing rules, and
   explicitly clear tables
 * Address Laurent's comments for 15/19 and 17/19
 * In 10/19, instead of passing SOCK_NONBLOCK to accept4(), explicitly
   set O_NONBLOCK on the listening socket. Using SOCK_NONBLOCK doesn't
   do what we want, as it results in setting O_NONBLOCK on the new
   socket rather than on the listening one
 * Note: 18/19 is left as it is, I didn't address pending comments
   yet
 * Note: this doesn't include yet changes for AppArmor and SELinux
   policies, as well as changes for the template Fedora spec file.
   I'm still working on them

Changes in v7:
 * Addressed comments from Laurent in 6/18, 8/18, 9/18, 10/18, 11/18,
   12/18, 14/18, 15/18 (details in commit messages of single patches,
   before my Signed-off-by)
 * Note: this doesn't include yet --add and --delete, I'm still
   working on that

Changes in v6:
 * Addressed comments from Jon in 10/18, 11/18, 14/18, and 16/18
 * Dodged all warnings from static checkers (Coverity Scan and
   clang-tidy) with changes in 10/18, 11/18, 16/18, and with a
   new patch, 18/18
 * This does *not* include yet the implementation of --add and
   --delete switches for pesto as I originally intended, I'm
   rather far from being done with those. At the moment I just
   have a "mode selection" implementation for command line
   parsing but merging rules to / removing rules from / clearing
   the current table is something I barely started (and what I
   have at the moment isn't really valuable anyway)

David wrote:

---
Here's the next draft of dynamic configuration updates.  This now can
successfully update rules, though I've not tested it very extensively.

Patches 1..8/18 are preliminary reworks that make sense even without
pesto - feel free to apply if you're happy with them.  I don't think
the rest should be applied yet; we need to at least harden it so passt
can't be blocked indefinitely by a client which sends a partial update
then waits.

Based on my earlier series reworking static checking invocation.

TODO:
 - Don't allow a client which sends a partial configuration then
   blocks also block passt
 - Allow pesto to clear existing configuration, not just add
 - Allow pesto selectively delete existing rules, not just add

Changes in v5:
 * If multiple clients connect at once, they're now blocked until the
   first one finishes, instead of later ones being discarded
Changes in v4:
 * Merged with remainder of forward rule parsing rework series
   * Fix some bugs in rule checking pointed out by Laurent
 * Significantly cleaned up option parsing code
 * Changed from replacing all existing rules to adding new rules
   (clear and remove still TBD)
 * Somewhat simplified protocol (pif names and rules sent in a single
   pass)
 * pesto is now allocation free
 * Fixed commit message and style nits pointed out by Stefano
Changes in v3:
 * Removed already applied ASSERT() rename
 * Renamed serialisation functions
 * Incorporated Stefano's extensions, reworked and fixed
 * Several additional cleanups / preliminary reworks
Changes in v2:
 * Removed already applied cleanups
 * Reworked assert() patch to handle -DNDEBUG properly
 * Numerous extra patches:
   * Factored out serialisation helpers and use them for migration as
     well
   * Reworked to allow ip.[ch] and inany.[ch] to be shared with pesto
   * Reworks to share some forwarding rule datatypes with pesto
   * Implemented sending pif names and current ruleset to pesto
---

David Gibson (17):
  conf, fwd: Stricter rule checking in fwd_rule_add()
  fwd_rule: Move ephemeral port probing to fwd_rule.c
  fwd, conf: Move rule parsing code to fwd_rule.[ch]
  fwd_rule: Move conflict checking back within fwd_rule_add()
  fwd: Generalise fwd_rules_info()
  pif: Limit pif names to 128 bytes
  fwd_rule: Fix some format specifiers
  pesto: Introduce stub configuration tool
  pesto, log: Share log.h (but not log.c) with pesto tool
  pesto, conf: Have pesto connect to passt and check versions
  pesto: Expose list of pifs to pesto and display them
  ip: Prepare ip.[ch] for sharing with pesto tool
  inany: Prepare inany.[ch] for sharing with pesto tool
  pesto: Read current ruleset from passt/pasta and optionally display it
  pesto: Parse and add new rules from command line
  pesto, conf: Send updated rules from pesto back to passt/pasta
  conf, fwd: Allow switching to new rules received from pesto

Stefano Brivio (2):
  fwd_rule: Fix static checkers warnings in fwd_rule_add()
  pesto, conf, fwd_rule: Add options and modes to add, delete, clear
    rules

 .gitignore   |   2 +
 Makefile     |  53 ++--
 common.h     | 116 +++++++++
 conf.c       | 696 ++++++++++++++++++++++-----------------------------
 conf.h       |   2 +
 epoll_type.h |   4 +
 flow.c       |   4 +-
 fwd.c        | 169 ++++---------
 fwd.h        |  41 +--
 fwd_rule.c   | 680 +++++++++++++++++++++++++++++++++++++++++++++++--
 fwd_rule.h   |  68 ++++-
 inany.c      |  19 +-
 inany.h      |  17 +-
 ip.c         |  56 +----
 ip.h         |   4 +-
 lineread.c   |   2 +-
 log.h        |  53 +++-
 passt.1      |   5 +
 passt.c      |   8 +
 passt.h      |   8 +
 pesto.1      | 271 ++++++++++++++++++++
 pesto.c      | 520 ++++++++++++++++++++++++++++++++++++++
 pesto.h      |  54 ++++
 pif.c        |   2 +-
 pif.h        |   7 +-
 serialise.c  |   7 +
 serialise.h  |   1 +
 siphash.h    |  13 +
 tap.c        |  52 ++++
 util.h       | 110 +-------
 30 files changed, 2252 insertions(+), 792 deletions(-)
 create mode 100644 common.h
 create mode 100644 pesto.1
 create mode 100644 pesto.c
 create mode 100644 pesto.h

-- 
2.43.0

[PATCH v8 00/19] Dynamic configuration update implementation

tags

participants (3)