[PATCH v2 00/15] RFC: Read-only dynamic update implementation

David Gibson

19 Mar 2026 19 Mar '26

7:11 a.m.

I've taken Stefano's draft implementation of dynamic updates, and polished it up to have a read-only implementation of the dynamic update protocol. So far it retrieves the pif names and ruleset from passt/pasta and displays it. Sending a new ruleset back comes next. Patches 1..6/15 are preliminary reworks that make moderate sense even without pesto - feel free to apply if you're happy with them. Changes in v2: * Removed already applied cleanups * Reworked assert() patch to handle -DNDEBUG properly * Numerous extra patches: * Factored out serialisation helpers and use them for migration as well * Reworked to allow ip.[ch] and inany.[ch] to be shared with pesto * Reworks to share some forwarding rule datatypes with pesto * Implemented sending pif names and current ruleset to pesto David Gibson (15): treewide: Spell ASSERT() as assert() serialise: Split functions user for serialisation from util.c serialise: Add helpers for serialising unsigned integers fwd: Move selecting correct scan bitmap into fwd_sync_one() fwd: Look up rule index in fwd_sync_one() fwd: Store forwarding tables indexed by (origin) pif pesto: Introduce stub configuration interface and tool pesto: Add command line option parsing and debug messages pesto: Expose list of pifs to pesto ip: Prepare ip.[ch] for sharing with pesto tool inany: Prepare inany.[ch] for sharing with pesto tool fwd: Split forwading rule specification from its implementation state ip: Define a bound for the string returned by ipproto_name() fwd_rule: Move forwarding rule text formatting to common code pesto: Read current ruleset from passt/pasta and display it .gitignore | 2 + Makefile | 43 ++++--- common.h | 79 ++++++++++++ conf.c | 294 ++++++++++++++++++++++++++++++++++++++++---- conf.h | 2 + epoll_type.h | 4 + flow.c | 117 +++++++++--------- flow_table.h | 2 +- fwd.c | 218 +++++++++++++++----------------- fwd.h | 35 ++---- fwd_rule.c | 113 +++++++++++++++++ fwd_rule.h | 59 +++++++++ icmp.c | 14 +-- inany.c | 16 ++- inany.h | 20 +-- iov.c | 4 +- ip.c | 74 +++-------- ip.h | 4 +- isolation.c | 2 +- lineread.c | 5 +- log.c | 1 + migrate.c | 9 +- netlink.c | 2 +- packet.c | 4 +- passt.1 | 5 + passt.c | 11 +- passt.h | 9 +- pcap.c | 3 +- pesto.1 | 46 +++++++ pesto.c | 341 +++++++++++++++++++++++++++++++++++++++++++++++++++ pesto.h | 34 +++++ pif.c | 4 +- serialise.c | 147 ++++++++++++++++++++++ serialise.h | 27 ++++ siphash.h | 13 ++ tap.c | 58 ++++++++- tcp.c | 43 +++---- tcp_splice.c | 10 +- tcp_vu.c | 8 +- udp.c | 22 ++-- udp_flow.c | 4 +- udp_vu.c | 4 +- util.c | 82 ++----------- util.h | 84 ++----------- vhost_user.c | 8 +- virtio.c | 6 +- vu_common.c | 4 +- 47 files changed, 1535 insertions(+), 561 deletions(-) create mode 100644 common.h create mode 100644 fwd_rule.c create mode 100644 fwd_rule.h create mode 100644 pesto.1 create mode 100644 pesto.c create mode 100644 pesto.h create mode 100644 serialise.c create mode 100644 serialise.h -- 2.53.0

Show replies by date

David Gibson

19 Mar 19 Mar

20 Mar 20 Mar

9:58 p.m.

New subject: [PATCH v2 06/15] fwd: Store forwarding tables indexed by (origin) pif

On Thu, 19 Mar 2026 17:11:48 +1100 David Gibson wrote:

...

Currently we store the inbound (PIF_HOST) and outbound (PIF_SPLICE) forwarding tables in separate fields of struct ctx. In a number of places this requires somewhat awkward if or switch constructs to select the right table for updates. Conceptually simplify that by using an index of forwarding tables by pif, which as a bonus keeps track generically which pifs have implemented forwarding tables so far.

For now this doesn't simplify a lot textually, because many places that need this also have other special cases to apply by pif. It does simplify a few crucial places though, and we expect it will become more useful as the flexibility of the forwarding table is improved.

Signed-off-by: David Gibson --- conf.c | 53 +++++++++++++++++++++++++++------------------- flow.c | 22 +++++++------------ fwd.c | 65 ++++++++++++++++++++++++++++++--------------------------- fwd.h | 4 ++-- passt.h | 3 +-- 5 files changed, 77 insertions(+), 70 deletions(-)

diff --git a/conf.c b/conf.c index 940fb9e9..6af3c8a5 100644 --- a/conf.c +++ b/conf.c @@ -1252,11 +1252,12 @@ dns6: } }

- info("Inbound forwarding:"); - fwd_rules_print(&c->fwd_in); - if (c->mode == MODE_PASTA) { - info("Outbound forwarding:"); - fwd_rules_print(&c->fwd_out); + for (i = 0; i < PIF_NUM_TYPES; i++) { + if (!c->fwd[i]) + continue; + + info("Forwarding from %s:", pif_name(i));

I don't have a good solution to propose but it's slightly annoying that we're changing very clear "Inbound forwarding" and "Outbound forwarding" indications to "Forwarding from: " HOST | TAP | SPLICE. Should we perhaps introduce a PIF_INBOUND_MAX value that's the same as HOST, and then: if (i <= PIF_INBOUND_MAX) info("Inbound forwarding:"); else info("Outbound forwarding:"); ? I'm fine keeping it as it is, I would just have a slight preference to make it as clear as it was before. This is something users can now look at to double check things and I have the feeling we're avoid a bunch of bug reports as a result.

...

+ fwd_rules_print(c->fwd[i]); } }

@@ -2154,18 +2155,24 @@ void conf(struct ctx *c, int argc, char **argv)

/* Forwarding options can be parsed now, after IPv4/IPv6 settings */ fwd_probe_ephemeral(); + fwd_rule_init(c); optind = 0; do { name = getopt_long(argc, argv, optstring, options, NULL);

- if (name == 't') - conf_ports(c, name, optarg, &c->fwd_in, &tcp_in_mode); - else if (name == 'u') - conf_ports(c, name, optarg, &c->fwd_in, &udp_in_mode); - else if (name == 'T') - conf_ports(c, name, optarg, &c->fwd_out, &tcp_out_mode); - else if (name == 'U') - conf_ports(c, name, optarg, &c->fwd_out, &udp_out_mode); + if (name == 't') { + conf_ports(c, name, optarg, c->fwd[PIF_HOST], + &tcp_in_mode); + } else if (name == 'u') { + conf_ports(c, name, optarg, c->fwd[PIF_HOST], + &udp_in_mode); + } else if (name == 'T') { + conf_ports(c, name, optarg, c->fwd[PIF_SPLICE], + &tcp_out_mode); + } else if (name == 'U') { + conf_ports(c, name, optarg, c->fwd[PIF_SPLICE], + &udp_out_mode); + } } while (name != -1);

if (c->mode == MODE_PASTA) @@ -2224,20 +2231,24 @@ void conf(struct ctx *c, int argc, char **argv) udp_out_mode = fwd_default;

if (tcp_in_mode == FWD_MODE_AUTO) { - conf_ports_range_except(c, 't', "auto", &c->fwd_in, NULL, NULL, - 1, NUM_PORTS - 1, NULL, 1, FWD_SCAN); + conf_ports_range_except(c, 't', "auto", c->fwd[PIF_HOST], + NULL, NULL, 1, NUM_PORTS - 1, NULL, 1, + FWD_SCAN); } if (tcp_out_mode == FWD_MODE_AUTO) { - conf_ports_range_except(c, 'T', "auto", &c->fwd_out, NULL, "lo", - 1, NUM_PORTS - 1, NULL, 1, FWD_SCAN); + conf_ports_range_except(c, 'T', "auto", c->fwd[PIF_SPLICE], + NULL, "lo", 1, NUM_PORTS - 1, NULL, 1, + FWD_SCAN); } if (udp_in_mode == FWD_MODE_AUTO) { - conf_ports_range_except(c, 'u', "auto", &c->fwd_in, NULL, NULL, - 1, NUM_PORTS - 1, NULL, 1, FWD_SCAN); + conf_ports_range_except(c, 'u', "auto", c->fwd[PIF_HOST], + NULL, NULL, 1, NUM_PORTS - 1, NULL, 1, + FWD_SCAN); } if (udp_out_mode == FWD_MODE_AUTO) { - conf_ports_range_except(c, 'U', "auto", &c->fwd_out, NULL, "lo", - 1, NUM_PORTS - 1, NULL, 1, FWD_SCAN); + conf_ports_range_except(c, 'U', "auto", c->fwd[PIF_SPLICE], + NULL, "lo", 1, NUM_PORTS - 1, NULL, 1, + FWD_SCAN); }

if (!c->quiet) diff --git a/flow.c b/flow.c index 81333dbc..11cd5752 100644 --- a/flow.c +++ b/flow.c @@ -503,10 +503,10 @@ struct flowside *flow_target(const struct ctx *c, union flow *flow, { char estr[INANY_ADDRSTRLEN], ostr[INANY_ADDRSTRLEN]; struct flow_common *f = &flow->f; + const struct fwd_table *fwd = c->fwd[f->pif[INISIDE]]; const struct flowside *ini = &f->side[INISIDE]; struct flowside *tgt = &f->side[TGTSIDE]; const struct fwd_rule *rule = NULL; - const struct fwd_table *fwd; uint8_t tgtpif = PIF_NONE;

assert(flow_new_entry == flow && f->state == FLOW_STATE_INI); @@ -514,6 +514,11 @@ struct flowside *flow_target(const struct ctx *c, union flow *flow, assert(f->pif[INISIDE] != PIF_NONE && f->pif[TGTSIDE] == PIF_NONE); assert(flow->f.state == FLOW_STATE_INI);

+ if (fwd) { + if (!(rule = fwd_rule_search(fwd, ini, proto, rule_hint))) + goto norule; + } + switch (f->pif[INISIDE]) { case PIF_TAP: memcpy(f->tap_omac, MAC_UNDEF, ETH_ALEN); @@ -521,20 +526,10 @@ struct flowside *flow_target(const struct ctx *c, union flow *flow, break;

case PIF_SPLICE: - fwd = &c->fwd_out; - - if (!(rule = fwd_rule_search(fwd, ini, proto, rule_hint))) - goto norule; - tgtpif = fwd_nat_from_splice(rule, proto, ini, tgt); break;

case PIF_HOST: - fwd = &c->fwd_in; - - if (!(rule = fwd_rule_search(fwd, ini, proto, rule_hint))) - goto norule; - tgtpif = fwd_nat_from_host(c, rule, proto, ini, tgt); fwd_neigh_mac_get(c, &tgt->oaddr, f->tap_omac); break; @@ -1014,8 +1009,7 @@ static int flow_migrate_source_rollback(struct ctx *c, unsigned bound, int ret)

debug("...roll back migration");

- if (fwd_listen_sync(c, &c->fwd_in, PIF_HOST, - &c->tcp.scan_in, &c->udp.scan_in) < 0) + if (fwd_listen_sync(c, PIF_HOST, &c->tcp.scan_in, &c->udp.scan_in) < 0) die("Failed to re-establish listening sockets");

foreach_established_tcp_flow(flow) { @@ -1148,7 +1142,7 @@ int flow_migrate_source(struct ctx *c, const struct migrate_stage *stage, * fix that is to not allow local to local migration, which arguably we * should (use namespaces for testing instead). */ debug("Stop listen()s"); - fwd_listen_close(&c->fwd_in); + fwd_listen_close(c->fwd[PIF_HOST]);

debug("Sending %u flows", count);

diff --git a/fwd.c b/fwd.c index 7844a674..3395a28e 100644 --- a/fwd.c +++ b/fwd.c @@ -331,6 +331,21 @@ bool fwd_port_is_ephemeral(in_port_t port) return (port >= fwd_ephemeral_min) && (port <= fwd_ephemeral_max); }

+/* Forwarding table storage, generally accessed via pointers in struct ctx */ +static struct fwd_table fwd_in; +static struct fwd_table fwd_out; + +/** + * fwd_rule_init() - Initialise forwarding tables + * @c: Execution context + */ +void fwd_rule_init(struct ctx *c) +{ + c->fwd[PIF_HOST] = &fwd_in; + if (c->mode == MODE_PASTA) + c->fwd[PIF_SPLICE] = &fwd_out; +} + /** * fwd_rule_add() - Add a rule to a forwarding table * @fwd: Table to add to @@ -505,19 +520,17 @@ void fwd_rules_print(const struct fwd_table *fwd)

/** fwd_sync_one() - Create or remove listening sockets for a forward entry * @c: Execution context - * @fwd: Forwarding table - * @idx: Rule index * @pif: Interface to create listening sockets for + * @idx: Rule index * @tcp: Bitmap of TCP ports to listen for on FWD_SCAN entries * @udp: Bitmap of UDP ports to listen for on FWD_SCAN entries * * Return: 0 on success, -1 on failure */ -static int fwd_sync_one(const struct ctx *c, const struct fwd_table *fwd, - unsigned idx, uint8_t pif, +static int fwd_sync_one(const struct ctx *c, uint8_t pif, unsigned idx, const uint8_t *tcp, const uint8_t *udp) { - const struct fwd_rule *rule = &fwd->rules[idx]; + const struct fwd_rule *rule = &c->fwd[pif]->rules[idx]; const union inany_addr *addr = fwd_rule_addr(rule); const char *ifname = rule->ifname; const uint8_t *map = NULL; @@ -598,7 +611,6 @@ static int fwd_sync_one(const struct ctx *c, const struct fwd_table *fwd,

/** struct fwd_listen_args - arguments for fwd_listen_init_() * @c: Execution context - * @fwd: Forwarding table * @tcpmap: Bitmap of TCP ports to auto-forward * @udpmap: Bitmap of TCP ports to auto-forward * @pif: Interface to create listening sockets for @@ -606,7 +618,6 @@ static int fwd_sync_one(const struct ctx *c, const struct fwd_table *fwd, */ struct fwd_listen_args { const struct ctx *c; - const struct fwd_table *fwd; const uint8_t *tcpmap, *udpmap; uint8_t pif; int ret; @@ -625,9 +636,8 @@ static int fwd_listen_sync_(void *arg) if (a->pif == PIF_SPLICE) ns_enter(a->c);

- for (i = 0; i < a->fwd->count; i++) { - a->ret = fwd_sync_one(a->c, a->fwd, i, a->pif, - a->tcpmap, a->udpmap); + for (i = 0; i < a->c->fwd[a->pif]->count; i++) { + a->ret = fwd_sync_one(a->c, a->pif, i, a->tcpmap, a->udpmap); if (a->ret < 0) break; } @@ -637,21 +647,17 @@ static int fwd_listen_sync_(void *arg)

/** fwd_listen_sync() - Call fwd_listen_sync_() in correct namespace * @c: Execution context - * @fwd: Forwarding information * @pif: Interface to create listening sockets for * @tcp: Scanning state for TCP * @udp: Scanning state for UDP * * Return: 0 on success, -1 on failure */ -int fwd_listen_sync(const struct ctx *c, const struct fwd_table *fwd, - uint8_t pif, +int fwd_listen_sync(const struct ctx *c, uint8_t pif, const struct fwd_scan *tcp, const struct fwd_scan *udp) { struct fwd_listen_args a = { - .c = c, .fwd = fwd, - .tcpmap = tcp->map, .udpmap = udp->map, - .pif = pif, + .c = c, .tcpmap = tcp->map, .udpmap = udp->map, .pif = pif, };

if (pif == PIF_SPLICE) @@ -695,12 +701,11 @@ void fwd_listen_close(const struct fwd_table *fwd) */ int fwd_listen_init(const struct ctx *c) { - if (fwd_listen_sync(c, &c->fwd_in, PIF_HOST, - &c->tcp.scan_in, &c->udp.scan_in) < 0) + if (fwd_listen_sync(c, PIF_HOST, &c->tcp.scan_in, &c->udp.scan_in) < 0) return -1;

if (c->mode == MODE_PASTA) { - if (fwd_listen_sync(c, &c->fwd_out, PIF_SPLICE, + if (fwd_listen_sync(c, PIF_SPLICE, &c->tcp.scan_out, &c->udp.scan_out) < 0) return -1; } @@ -851,16 +856,16 @@ static void fwd_scan_ports(struct ctx *c) uint8_t excl_tcp_out[PORT_BITMAP_SIZE], excl_udp_out[PORT_BITMAP_SIZE]; uint8_t excl_tcp_in[PORT_BITMAP_SIZE], excl_udp_in[PORT_BITMAP_SIZE];

- current_listen_map(excl_tcp_out, &c->fwd_in, IPPROTO_TCP); - current_listen_map(excl_tcp_in, &c->fwd_out, IPPROTO_TCP); - current_listen_map(excl_udp_out, &c->fwd_in, IPPROTO_UDP); - current_listen_map(excl_udp_in, &c->fwd_out, IPPROTO_UDP); + current_listen_map(excl_tcp_out, c->fwd[PIF_HOST], IPPROTO_TCP); + current_listen_map(excl_tcp_in, c->fwd[PIF_SPLICE], IPPROTO_TCP); + current_listen_map(excl_udp_out, c->fwd[PIF_HOST], IPPROTO_UDP); + current_listen_map(excl_udp_in, c->fwd[PIF_SPLICE], IPPROTO_UDP);

- fwd_scan_ports_tcp(&c->fwd_out, &c->tcp.scan_out, excl_tcp_out); - fwd_scan_ports_tcp(&c->fwd_in, &c->tcp.scan_in, excl_tcp_in); - fwd_scan_ports_udp(&c->fwd_out, &c->udp.scan_out, + fwd_scan_ports_tcp(c->fwd[PIF_SPLICE], &c->tcp.scan_out, excl_tcp_out); + fwd_scan_ports_tcp(c->fwd[PIF_HOST], &c->tcp.scan_in, excl_tcp_in); + fwd_scan_ports_udp(c->fwd[PIF_SPLICE], &c->udp.scan_out, &c->tcp.scan_out, excl_udp_out); - fwd_scan_ports_udp(&c->fwd_in, &c->udp.scan_in, + fwd_scan_ports_udp(c->fwd[PIF_HOST], &c->udp.scan_in, &c->tcp.scan_in, excl_udp_in); }

@@ -912,10 +917,8 @@ void fwd_scan_ports_timer(struct ctx *c, const struct timespec *now)

fwd_scan_ports(c);

- fwd_listen_sync(c, &c->fwd_in, PIF_HOST, - &c->tcp.scan_in, &c->udp.scan_in); - fwd_listen_sync(c, &c->fwd_out, PIF_SPLICE, - &c->tcp.scan_out, &c->udp.scan_out); + fwd_listen_sync(c, PIF_HOST, &c->tcp.scan_in, &c->udp.scan_in); + fwd_listen_sync(c, PIF_SPLICE, &c->tcp.scan_out, &c->udp.scan_out); }

/** diff --git a/fwd.h b/fwd.h index 958eee25..b387d926 100644 --- a/fwd.h +++ b/fwd.h @@ -108,6 +108,7 @@ struct fwd_scan {

#define FWD_PORT_SCAN_INTERVAL 1000 /* ms */

+void fwd_rule_init(struct ctx *c); void fwd_rule_add(struct fwd_table *fwd, uint8_t proto, uint8_t flags, const union inany_addr *addr, const char *ifname, in_port_t first, in_port_t last, in_port_t to); @@ -119,8 +120,7 @@ void fwd_rules_print(const struct fwd_table *fwd); void fwd_scan_ports_init(struct ctx *c); void fwd_scan_ports_timer(struct ctx * c, const struct timespec *now);

-int fwd_listen_sync(const struct ctx *c, const struct fwd_table *fwd, - uint8_t pif, +int fwd_listen_sync(const struct ctx *c, uint8_t pif, const struct fwd_scan *tcp, const struct fwd_scan *udp); void fwd_listen_close(const struct fwd_table *fwd); int fwd_listen_init(const struct ctx *c); diff --git a/passt.h b/passt.h index b614bdf0..5fc4e07f 100644 --- a/passt.h +++ b/passt.h @@ -264,8 +264,7 @@ struct ctx { unsigned int pasta_ifi; int pasta_conf_ns;

- struct fwd_table fwd_in; - struct fwd_table fwd_out; + struct fwd_table *fwd[PIF_NUM_TYPES];

Nit: the struct documentation should be updated accordingly.

...

int no_tcp; struct tcp_ctx tcp;

-- Stefano

Stefano Brivio

9:58 p.m.

New subject: [PATCH v2 01/15] treewide: Spell ASSERT() as assert()

On Thu, 19 Mar 2026 17:11:43 +1100 David Gibson wrote:

...

The standard library assert(3), at least with glibc, hits our seccomp filter and dies with SIGSYS before it's able to print a message, making it near useless. Therefore, since 7a8ed9459dfe ("Make assertions actually useful") we've instead used our own implementation, named ASSERT().

This makes our code look slightly odd though - ASSERT() has the same overall effect as assert(), it's just a different implementation. More importantly this makes it awkward to share code between passt/pasta proper and things that compile in a more typical environment. We're going to want that for our upcoming dynamic configuration tool.

Address this by overriding the standard library's assert() implementation with our own, instead of giving ours its own name.

The standard assert() is supposed to be omitted if NDEBUG is defined, which ours doesn't do. Implement that as well, so ours doesn't unexpectedly differ. For the -DNDEBUG case we do this by *not* overriding assert(), since it will be a no-op anyway. This requires a few places to add a #include to let us compile (albeit with warnings) when -DNDEBUG.

Signed-off-by: David Gibson

Applied (just this patch). I fixed up some (expected) trivial conflicts in tcp_vu.c and udp_vu.c with "vu_common: Move iovec management into vu_collect()". -- Stefano

Stefano Brivio

22 Mar 22 Mar

3:18 p.m.

New subject: [PATCH 16/18] conf: Move port parsing functions to own file, ports.c

Move conf_ports_range_except(), conf_ports(), and related to helpers to ports.c, so that they can be used from pesto in the future. We'll need to make those independent from passt-specific bits, but this patch just moves them out, first. Signed-off-by: Stefano Brivio --- Makefile | 13 +- conf.c | 363 +-------------------------------------------------- ports.c | 385 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ ports.h | 35 +++++ 4 files changed, 428 insertions(+), 368 deletions(-) create mode 100644 ports.c create mode 100644 ports.h diff --git a/Makefile b/Makefile index 44c396e..47d4c95 100644 --- a/Makefile +++ b/Makefile @@ -40,9 +40,9 @@ FLAGS += -DDUAL_STACK_SOCKETS=$(DUAL_STACK_SOCKETS) PASST_SRCS = arch.c arp.c checksum.c conf.c dhcp.c dhcpv6.c epoll_ctl.c \ flow.c fwd.c fwd_rule.c icmp.c igmp.c inany.c iov.c ip.c isolation.c \ lineread.c log.c mld.c ndp.c netlink.c migrate.c packet.c passt.c \ - pasta.c pcap.c pif.c repair.c serialise.c tap.c tcp.c tcp_buf.c \ - tcp_splice.c tcp_vu.c udp.c udp_flow.c udp_vu.c util.c vhost_user.c \ - virtio.c vu_common.c + pasta.c pcap.c pif.c ports.c repair.c serialise.c tap.c tcp.c \ + tcp_buf.c tcp_splice.c tcp_vu.c udp.c udp_flow.c udp_vu.c util.c \ + vhost_user.c virtio.c vu_common.c QRAP_SRCS = qrap.c PASST_REPAIR_SRCS = passt-repair.c PESTO_SRCS = pesto.c fwd_rule.c inany.c ip.c serialise.c @@ -54,9 +54,10 @@ PESTO_HEADERS = common.h fwd_rule.h inany.h ip.h pesto.h serialise.h PASST_HEADERS = arch.h arp.h checksum.h conf.h dhcp.h dhcpv6.h epoll_ctl.h \ flow.h fwd.h flow_table.h icmp.h icmp_flow.h iov.h isolation.h \ lineread.h log.h migrate.h ndp.h netlink.h packet.h passt.h pasta.h \ - pcap.h pif.h repair.h siphash.h tap.h tcp.h tcp_buf.h tcp_conn.h \ - tcp_internal.h tcp_splice.h tcp_vu.h udp.h udp_flow.h udp_internal.h \ - udp_vu.h util.h vhost_user.h virtio.h vu_common.h $(PESTO_HEADERS) + pcap.h pif.h ports.h repair.h siphash.h tap.h tcp.h tcp_buf.h \ + tcp_conn.h tcp_internal.h tcp_splice.h tcp_vu.h udp.h udp_flow.h \ + udp_internal.h udp_vu.h util.h vhost_user.h virtio.h vu_common.h \ + $(PESTO_HEADERS) HEADERS = $(PASST_HEADERS) seccomp.h C := \#include \nint main(){int a=getrandom(0, 0, 0);} diff --git a/conf.c b/conf.c index b235221..de4c3c6 100644 --- a/conf.c +++ b/conf.c @@ -52,6 +52,7 @@ #include "conf.h" #include "pesto.h" #include "serialise.h" +#include "ports.h" #define NETNS_RUN_DIR "/run/netns" @@ -69,368 +70,6 @@ const char *pasta_default_ifn = "tap0"; -/** - * next_chunk() - Return the next piece of a string delimited by a character - * @s: String to search - * @c: Delimiter character - * - * Return: if another @c is found in @s, returns a pointer to the - * character *after* the delimiter, if no further @c is in @s, - * return NULL - */ -static char *next_chunk(const char *s, char c) -{ - char *sep = strchr(s, c); - return sep ? sep + 1 : NULL; -} - -/** - * port_range() - Represents a non-empty range of ports - * @first: First port number in the range - * @last: Last port number in the range (inclusive) - * - * Invariant: @last >= @first - */ -struct port_range { - in_port_t first, last; -}; - -/** - * parse_port_range() - Parse a range of port numbers '<first>[-<last>]' - * @s: String to parse - * @endptr: Update to the character after the parsed range (similar to - * strtol() etc.) - * @range: Update with the parsed values on success - * - * Return: -EINVAL on parsing error, -ERANGE on out of range port - * numbers, 0 on success - */ -static int parse_port_range(const char *s, char **endptr, - struct port_range *range) -{ - unsigned long first, last; - - last = first = strtoul(s, endptr, 10); - if (*endptr == s) /* Parsed nothing */ - return -EINVAL; - if (**endptr == '-') { /* we have a last value too */ - const char *lasts = *endptr + 1; - last = strtoul(lasts, endptr, 10); - if (*endptr == lasts) /* Parsed nothing */ - return -EINVAL; - } - - if ((last < first) || (last >= NUM_PORTS)) - return -ERANGE; - - range->first = first; - range->last = last; - - return 0; -} - -/** - * conf_ports_range_except() - Set up forwarding for a range of ports minus a - * bitmap of exclusions - * @c: Execution context - * @optname: Short option name, t, T, u, or U - * @optarg: Option argument (port specification) - * @fwd: Forwarding table to be updated - * @addr: Listening address - * @ifname: Listening interface - * @first: First port to forward - * @last: Last port to forward - * @exclude: Bitmap of ports to exclude (may be NULL) - * @to: Port to translate @first to when forwarding - * @flags: Flags for forwarding entries - */ -static void conf_ports_range_except(const struct ctx *c, char optname, - const char *optarg, struct fwd_table *fwd, - const union inany_addr *addr, - const char *ifname, - uint16_t first, uint16_t last, - const uint8_t *exclude, uint16_t to, - uint8_t flags) -{ - unsigned delta = to - first; - unsigned base, i; - uint8_t proto; - - if (first == 0) { - die("Can't forward port 0 for option '-%c %s'", - optname, optarg); - } - - if (optname == 't' || optname == 'T') - proto = IPPROTO_TCP; - else if (optname == 'u' || optname == 'U') - proto = IPPROTO_UDP; - else - assert(0); - - if (addr) { - if (!c->ifi4 && inany_v4(addr)) { - die("IPv4 is disabled, can't use -%c %s", - optname, optarg); - } else if (!c->ifi6 && !inany_v4(addr)) { - die("IPv6 is disabled, can't use -%c %s", - optname, optarg); - } - } - - for (base = first; base <= last; base++) { - if (exclude && bitmap_isset(exclude, base)) - continue; - - for (i = base; i <= last; i++) { - if (exclude && bitmap_isset(exclude, i)) - break; - } - - if ((optname == 'T' || optname == 'U') && c->no_bindtodevice) { - /* FIXME: Once the fwd bitmaps are removed, move this - * workaround to the caller - */ - assert(!addr && ifname && !strcmp(ifname, "lo")); - warn( -"SO_BINDTODEVICE unavailable, forwarding only 127.0.0.1 and ::1 for '-%c %s'", - optname, optarg); - - if (c->ifi4) { - fwd_rule_add(fwd, proto, flags, - &inany_loopback4, NULL, - base, i - 1, base + delta); - } - if (c->ifi6) { - fwd_rule_add(fwd, proto, flags, - &inany_loopback6, NULL, - base, i - 1, base + delta); - } - } else { - fwd_rule_add(fwd, proto, flags, addr, ifname, - base, i - 1, base + delta); - } - base = i - 1; - } -} - -/** - * enum fwd_mode - Overall forwarding mode for a direction and protocol - * @FWD_MODE_UNSET Initial value, not parsed/configured yet - * @FWD_MODE_SPEC Forward specified ports - * @FWD_MODE_NONE No forwarded ports - * @FWD_MODE_AUTO Automatic detection and forwarding based on bound ports - * @FWD_MODE_ALL Bind all free ports - */ -enum fwd_mode { - FWD_MODE_UNSET = 0, - FWD_MODE_SPEC, - FWD_MODE_NONE, - FWD_MODE_AUTO, - FWD_MODE_ALL, -}; - -/** - * conf_ports() - Parse port configuration options, initialise UDP/TCP sockets - * @c: Execution context - * @optname: Short option name, t, T, u, or U - * @optarg: Option argument (port specification) - * @fwd: Forwarding table to be updated - * @mode: Overall port forwarding mode (updated) - */ -static void conf_ports(const struct ctx *c, char optname, const char *optarg, - struct fwd_table *fwd, enum fwd_mode *mode) -{ - union inany_addr addr_buf = inany_any6, *addr = &addr_buf; - char buf[BUFSIZ], *spec, *ifname = NULL, *p; - uint8_t exclude[PORT_BITMAP_SIZE] = { 0 }; - bool exclude_only = true; - unsigned i; - - if (!strcmp(optarg, "none")) { - if (*mode) - goto mode_conflict; - - *mode = FWD_MODE_NONE; - return; - } - - if ((optname == 't' || optname == 'T') && c->no_tcp) - die("TCP port forwarding requested but TCP is disabled"); - if ((optname == 'u' || optname == 'U') && c->no_udp) - die("UDP port forwarding requested but UDP is disabled"); - - if (!strcmp(optarg, "auto")) { - if (*mode) - goto mode_conflict; - - if (c->mode != MODE_PASTA) - die("'auto' port forwarding is only allowed for pasta"); - - if ((optname == 'T' || optname == 'U') && c->no_bindtodevice) { - warn( -"'-%c auto' enabled without unprivileged SO_BINDTODEVICE", optname); - warn( -"Forwarding from addresses other than 127.0.0.1 will not work"); - } - *mode = FWD_MODE_AUTO; - return; - } - - if (!strcmp(optarg, "all")) { - if (*mode) - goto mode_conflict; - - if (c->mode == MODE_PASTA) - die("'all' port forwarding is only allowed for passt"); - - *mode = FWD_MODE_ALL; - - /* Exclude ephemeral ports */ - for (i = 0; i < NUM_PORTS; i++) - if (fwd_port_is_ephemeral(i)) - bitmap_set(exclude, i); - - conf_ports_range_except(c, optname, optarg, fwd, - NULL, NULL, - 1, NUM_PORTS - 1, exclude, - 1, FWD_WEAK); - return; - } - - if (*mode > FWD_MODE_SPEC) - die("Specific ports cannot be specified together with all/none/auto"); - - *mode = FWD_MODE_SPEC; - - strncpy(buf, optarg, sizeof(buf) - 1); - - if ((spec = strchr(buf, '/'))) { - *spec = 0; - spec++; - - if (optname != 't' && optname != 'u') - goto bad; - - if ((ifname = strchr(buf, '%'))) { - *ifname = 0; - ifname++; - - /* spec is already advanced one past the '/', - * so the length of the given ifname is: - * (spec - ifname - 1) - */ - if (spec - ifname - 1 >= IFNAMSIZ) - goto bad; - - } - - if (ifname == buf + 1) { /* Interface without address */ - addr = NULL; - } else { - p = buf; - - /* Allow square brackets for IPv4 too for convenience */ - if (*p == '[' && p[strlen(p) - 1] == ']') { - p[strlen(p) - 1] = '\0'; - p++; - } - - if (!inany_pton(p, addr)) - goto bad; - } - } else { - spec = buf; - - addr = NULL; - } - - /* Mark all exclusions first, they might be given after base ranges */ - p = spec; - do { - struct port_range xrange; - - if (*p != '~') { - /* Not an exclude range, parse later */ - exclude_only = false; - continue; - } - p++; - - if (parse_port_range(p, &p, &xrange)) - goto bad; - if ((*p != '\0') && (*p != ',')) /* Garbage after the range */ - goto bad; - - for (i = xrange.first; i <= xrange.last; i++) { - if (bitmap_isset(exclude, i)) - die("Overlapping excluded ranges %s", optarg); - - bitmap_set(exclude, i); - } - } while ((p = next_chunk(p, ','))); - - if (ifname && c->no_bindtodevice) { - die( -"Device binding for '-%c %s' unsupported (requires kernel 5.7+)", - optname, optarg); - } - /* Outbound forwards come from guest loopback */ - if ((optname == 'T' || optname == 'U') && !ifname) - ifname = "lo"; - - if (exclude_only) { - /* Exclude ephemeral ports */ - for (i = 0; i < NUM_PORTS; i++) - if (fwd_port_is_ephemeral(i)) - bitmap_set(exclude, i); - - conf_ports_range_except(c, optname, optarg, fwd, - addr, ifname, - 1, NUM_PORTS - 1, exclude, - 1, FWD_WEAK); - return; - } - - /* Now process base ranges, skipping exclusions */ - p = spec; - do { - struct port_range orig_range, mapped_range; - - if (*p == '~') - /* Exclude range, already parsed */ - continue; - - if (parse_port_range(p, &p, &orig_range)) - goto bad; - - if (*p == ':') { /* There's a range to map to as well */ - if (parse_port_range(p + 1, &p, &mapped_range)) - goto bad; - if ((mapped_range.last - mapped_range.first) != - (orig_range.last - orig_range.first)) - goto bad; - } else { - mapped_range = orig_range; - } - - if ((*p != '\0') && (*p != ',')) /* Garbage after the ranges */ - goto bad; - - conf_ports_range_except(c, optname, optarg, fwd, - addr, ifname, - orig_range.first, orig_range.last, - exclude, - mapped_range.first, 0); - } while ((p = next_chunk(p, ','))); - - return; -bad: - die("Invalid port specifier %s", optarg); -mode_conflict: - die("Port forwarding mode '%s' conflicts with previous mode", optarg); -} - /** * add_dns4() - Possibly add the IPv4 address of a DNS resolver to configuration * @c: Execution context diff --git a/ports.c b/ports.c new file mode 100644 index 0000000..5480176 --- /dev/null +++ b/ports.c @@ -0,0 +1,385 @@ +// SPDX-License-Identifier: GPL-2.0-or-later + +/* PASST - Plug A Simple Socket Transport + * for qemu/UNIX domain socket mode + * + * PASTA - Pack A Subtle Tap Abstraction + * for network namespace/tap device mode + * + * PESTO - Programmable Extensible Socket Translation Orchestrator + * front-end for passt(1) and pasta(1) forwarding configuration + * + * ports.c - Parse port options + * + * Copyright (c) 2026 Red Hat GmbH + * Author: Stefano Brivio + * Author: David Gibson + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "common.h" +#include "util.h" +#include "ip.h" +#include "passt.h" +#include "common.h" +#include "pesto.h" +#include "ports.h" + +/** + * next_chunk() - Return the next piece of a string delimited by a character + * @s: String to search + * @c: Delimiter character + * + * Return: if another @c is found in @s, returns a pointer to the + * character *after* the delimiter, if no further @c is in @s, + * return NULL + */ +static char *next_chunk(const char *s, char c) +{ + char *sep = strchr(s, c); + return sep ? sep + 1 : NULL; +} + +/** + * port_range() - Represents a non-empty range of ports + * @first: First port number in the range + * @last: Last port number in the range (inclusive) + * + * Invariant: @last >= @first + */ +struct port_range { + in_port_t first, last; +}; + +/** + * parse_port_range() - Parse a range of port numbers '<first>[-<last>]' + * @s: String to parse + * @endptr: Update to the character after the parsed range (similar to + * strtol() etc.) + * @range: Update with the parsed values on success + * + * Return: -EINVAL on parsing error, -ERANGE on out of range port + * numbers, 0 on success + */ +static int parse_port_range(const char *s, char **endptr, + struct port_range *range) +{ + unsigned long first, last; + + last = first = strtoul(s, endptr, 10); + if (*endptr == s) /* Parsed nothing */ + return -EINVAL; + if (**endptr == '-') { /* we have a last value too */ + const char *lasts = *endptr + 1; + last = strtoul(lasts, endptr, 10); + if (*endptr == lasts) /* Parsed nothing */ + return -EINVAL; + } + + if ((last < first) || (last >= NUM_PORTS)) + return -ERANGE; + + range->first = first; + range->last = last; + + return 0; +} + +/** + * conf_ports_range_except() - Set up forwarding for a range of ports minus a + * bitmap of exclusions + * @c: Execution context + * @optname: Short option name, t, T, u, or U + * @optarg: Option argument (port specification) + * @fwd: Forwarding table to be updated + * @addr: Listening address + * @ifname: Listening interface + * @first: First port to forward + * @last: Last port to forward + * @exclude: Bitmap of ports to exclude (may be NULL) + * @to: Port to translate @first to when forwarding + * @flags: Flags for forwarding entries + */ +void conf_ports_range_except(const struct ctx *c, char optname, + const char *optarg, struct fwd_table *fwd, + const union inany_addr *addr, + const char *ifname, uint16_t first, uint16_t last, + const uint8_t *exclude, uint16_t to, uint8_t flags) +{ + unsigned delta = to - first; + unsigned base, i; + uint8_t proto; + + if (first == 0) { + die("Can't forward port 0 for option '-%c %s'", + optname, optarg); + } + + if (optname == 't' || optname == 'T') + proto = IPPROTO_TCP; + else if (optname == 'u' || optname == 'U') + proto = IPPROTO_UDP; + else + assert(0); + + if (addr) { + if (!c->ifi4 && inany_v4(addr)) { + die("IPv4 is disabled, can't use -%c %s", + optname, optarg); + } else if (!c->ifi6 && !inany_v4(addr)) { + die("IPv6 is disabled, can't use -%c %s", + optname, optarg); + } + } + + for (base = first; base <= last; base++) { + if (exclude && bitmap_isset(exclude, base)) + continue; + + for (i = base; i <= last; i++) { + if (exclude && bitmap_isset(exclude, i)) + break; + } + + if ((optname == 'T' || optname == 'U') && c->no_bindtodevice) { + /* FIXME: Once the fwd bitmaps are removed, move this + * workaround to the caller + */ + assert(!addr && ifname && !strcmp(ifname, "lo")); + warn( +"SO_BINDTODEVICE unavailable, forwarding only 127.0.0.1 and ::1 for '-%c %s'", + optname, optarg); + + if (c->ifi4) { + fwd_rule_add(fwd, proto, flags, + &inany_loopback4, NULL, + base, i - 1, base + delta); + } + if (c->ifi6) { + fwd_rule_add(fwd, proto, flags, + &inany_loopback6, NULL, + base, i - 1, base + delta); + } + } else { + fwd_rule_add(fwd, proto, flags, addr, ifname, + base, i - 1, base + delta); + } + base = i - 1; + } +} + +/** + * conf_ports() - Parse port configuration options, initialise UDP/TCP sockets + * @c: Execution context + * @optname: Short option name, t, T, u, or U + * @optarg: Option argument (port specification) + * @fwd: Forwarding table to be updated + * @mode: Overall port forwarding mode (updated) + */ +void conf_ports(const struct ctx *c, char optname, const char *optarg, + struct fwd_table *fwd, enum fwd_mode *mode) +{ + union inany_addr addr_buf = inany_any6, *addr = &addr_buf; + char buf[BUFSIZ], *spec, *ifname = NULL, *p; + uint8_t exclude[PORT_BITMAP_SIZE] = { 0 }; + bool exclude_only = true; + unsigned i; + + if (!strcmp(optarg, "none")) { + if (*mode) + goto mode_conflict; + + *mode = FWD_MODE_NONE; + return; + } + + if ((optname == 't' || optname == 'T') && c->no_tcp) + die("TCP port forwarding requested but TCP is disabled"); + if ((optname == 'u' || optname == 'U') && c->no_udp) + die("UDP port forwarding requested but UDP is disabled"); + + if (!strcmp(optarg, "auto")) { + if (*mode) + goto mode_conflict; + + if (c->mode != MODE_PASTA) + die("'auto' port forwarding is only allowed for pasta"); + + if ((optname == 'T' || optname == 'U') && c->no_bindtodevice) { + warn( +"'-%c auto' enabled without unprivileged SO_BINDTODEVICE", optname); + warn( +"Forwarding from addresses other than 127.0.0.1 will not work"); + } + *mode = FWD_MODE_AUTO; + return; + } + + if (!strcmp(optarg, "all")) { + if (*mode) + goto mode_conflict; + + if (c->mode == MODE_PASTA) + die("'all' port forwarding is only allowed for passt"); + + *mode = FWD_MODE_ALL; + + /* Exclude ephemeral ports */ + for (i = 0; i < NUM_PORTS; i++) + if (fwd_port_is_ephemeral(i)) + bitmap_set(exclude, i); + + conf_ports_range_except(c, optname, optarg, fwd, + NULL, NULL, + 1, NUM_PORTS - 1, exclude, + 1, FWD_WEAK); + return; + } + + if (*mode > FWD_MODE_SPEC) + die("Specific ports cannot be specified together with all/none/auto"); + + *mode = FWD_MODE_SPEC; + + strncpy(buf, optarg, sizeof(buf) - 1); + + if ((spec = strchr(buf, '/'))) { + *spec = 0; + spec++; + + if (optname != 't' && optname != 'u') + goto bad; + + if ((ifname = strchr(buf, '%'))) { + *ifname = 0; + ifname++; + + /* spec is already advanced one past the '/', + * so the length of the given ifname is: + * (spec - ifname - 1) + */ + if (spec - ifname - 1 >= IFNAMSIZ) + goto bad; + + } + + if (ifname == buf + 1) { /* Interface without address */ + addr = NULL; + } else { + p = buf; + + /* Allow square brackets for IPv4 too for convenience */ + if (*p == '[' && p[strlen(p) - 1] == ']') { + p[strlen(p) - 1] = '\0'; + p++; + } + + if (!inany_pton(p, addr)) + goto bad; + } + } else { + spec = buf; + + addr = NULL; + } + + /* Mark all exclusions first, they might be given after base ranges */ + p = spec; + do { + struct port_range xrange; + + if (*p != '~') { + /* Not an exclude range, parse later */ + exclude_only = false; + continue; + } + p++; + + if (parse_port_range(p, &p, &xrange)) + goto bad; + if ((*p != '\0') && (*p != ',')) /* Garbage after the range */ + goto bad; + + for (i = xrange.first; i <= xrange.last; i++) { + if (bitmap_isset(exclude, i)) + die("Overlapping excluded ranges %s", optarg); + + bitmap_set(exclude, i); + } + } while ((p = next_chunk(p, ','))); + + if (ifname && c->no_bindtodevice) { + die( +"Device binding for '-%c %s' unsupported (requires kernel 5.7+)", + optname, optarg); + } + /* Outbound forwards come from guest loopback */ + if ((optname == 'T' || optname == 'U') && !ifname) + ifname = "lo"; + + if (exclude_only) { + /* Exclude ephemeral ports */ + for (i = 0; i < NUM_PORTS; i++) + if (fwd_port_is_ephemeral(i)) + bitmap_set(exclude, i); + + conf_ports_range_except(c, optname, optarg, fwd, + addr, ifname, + 1, NUM_PORTS - 1, exclude, + 1, FWD_WEAK); + return; + } + + /* Now process base ranges, skipping exclusions */ + p = spec; + do { + struct port_range orig_range, mapped_range; + + if (*p == '~') + /* Exclude range, already parsed */ + continue; + + if (parse_port_range(p, &p, &orig_range)) + goto bad; + + if (*p == ':') { /* There's a range to map to as well */ + if (parse_port_range(p + 1, &p, &mapped_range)) + goto bad; + if ((mapped_range.last - mapped_range.first) != + (orig_range.last - orig_range.first)) + goto bad; + } else { + mapped_range = orig_range; + } + + if ((*p != '\0') && (*p != ',')) /* Garbage after the ranges */ + goto bad; + + conf_ports_range_except(c, optname, optarg, fwd, + addr, ifname, + orig_range.first, orig_range.last, + exclude, + mapped_range.first, 0); + } while ((p = next_chunk(p, ','))); + + return; +bad: + die("Invalid port specifier %s", optarg); +mode_conflict: + die("Port forwarding mode '%s' conflicts with previous mode", optarg); +} diff --git a/ports.h b/ports.h new file mode 100644 index 0000000..3ef50e6 --- /dev/null +++ b/ports.h @@ -0,0 +1,35 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later + * Copyright (c) 2026 Red Hat GmbH + * Author: Stefano Brivio + */ + +#ifndef PORTS_H +#define PORTS_H + +/** + * enum fwd_mode - Overall forwarding mode for a direction and protocol + * @FWD_MODE_UNSET Initial value, not parsed/configured yet + * @FWD_MODE_SPEC Forward specified ports + * @FWD_MODE_NONE No forwarded ports + * @FWD_MODE_AUTO Automatic detection and forwarding based on bound ports + * @FWD_MODE_ALL Bind all free ports + */ +enum fwd_mode { + FWD_MODE_UNSET = 0, + FWD_MODE_SPEC, + FWD_MODE_NONE, + FWD_MODE_AUTO, + FWD_MODE_ALL, +}; + +void conf_ports_range_except(const struct ctx *c, char optname, + const char *optarg, struct fwd_table *fwd, + const union inany_addr *addr, + const char *ifname, uint16_t first, uint16_t last, + const uint8_t *exclude, uint16_t to, + uint8_t flags); +void conf_ports(const struct ctx *c, char optname, const char *optarg, + struct fwd_table *fwd, enum fwd_mode *mode); + + +#endif /* PORTS_H */ -- 2.43.0

Stefano Brivio

3:18 p.m.

New subject: [PATCH 17/18] conf, fwd, ports, util: Move things around for pesto

...so that pesto can reuse functions parsing port forwarding specifications from ports.c: - checks on validity of some forwarding options (auto with pasta only all with passt only) move to the caller, conf() - some other checks (availability of IPv4, IPv6, SO_BINDTODEVICE) are now based on specific parameters passed to conf_ports() and conf_ports_range_except(), so that we don't need struct ctx there - bitmap operations and some convenience macros move to common.h - fwd_probe_ephemeral(), fwd_port_is_ephemeral(), and fwd_rule_add() move to ports.c and fwd_rule.c, without any renaming for the moment - forwarding table definitions move to fwd_rule.h - selection of the definition of some logging functions now depends on a gross but unintrusive hack, a PESTO define (this will needs a cleaner solution later) Signed-off-by: Stefano Brivio --- Makefile | 8 ++- common.h | 99 ++++++++++++++++++++++++++++ conf.c | 54 +++++++++++----- fwd.c | 160 --------------------------------------------- fwd.h | 54 +--------------- fwd_rule.c | 89 ++++++++++++++++++++++++- fwd_rule.h | 53 +++++++++++++++ lineread.c | 1 - log.h | 33 ++++++++++ pesto.c | 21 ++---- ports.c | 186 ++++++++++++++++++++++++++++++++++++----------------- ports.h | 29 ++++++--- util.c | 84 ------------------------ util.h | 18 ------ 14 files changed, 470 insertions(+), 419 deletions(-) diff --git a/Makefile b/Makefile index 47d4c95..b6b6a82 100644 --- a/Makefile +++ b/Makefile @@ -45,12 +45,13 @@ PASST_SRCS = arch.c arp.c checksum.c conf.c dhcp.c dhcpv6.c epoll_ctl.c \ vhost_user.c virtio.c vu_common.c QRAP_SRCS = qrap.c PASST_REPAIR_SRCS = passt-repair.c -PESTO_SRCS = pesto.c fwd_rule.c inany.c ip.c serialise.c +PESTO_SRCS = pesto.c fwd_rule.c inany.c ip.c serialise.c ports.c lineread.c SRCS = $(PASST_SRCS) $(QRAP_SRCS) $(PASST_REPAIR_SRCS) $(PESTO_SRCS) MANPAGES = passt.1 pasta.1 pesto.1 qrap.1 passt-repair.1 -PESTO_HEADERS = common.h fwd_rule.h inany.h ip.h pesto.h serialise.h +PESTO_HEADERS = common.h fwd_rule.h inany.h ip.h pesto.h serialise.h ports.h \ + lineread.h PASST_HEADERS = arch.h arp.h checksum.h conf.h dhcp.h dhcpv6.h epoll_ctl.h \ flow.h fwd.h flow_table.h icmp.h icmp_flow.h iov.h isolation.h \ lineread.h log.h migrate.h ndp.h netlink.h packet.h passt.h pasta.h \ @@ -117,7 +118,8 @@ passt-repair: $(PASST_REPAIR_SRCS) seccomp_repair.h $(CC) $(FLAGS) $(CFLAGS) $(CPPFLAGS) $(PASST_REPAIR_SRCS) -o passt-repair $(LDFLAGS) pesto: $(PESTO_SRCS) $(PESTO_HEADERS) seccomp_pesto.h - $(CC) $(FLAGS) $(CFLAGS) $(CPPFLAGS) $(PESTO_SRCS) -o pesto $(LDFLAGS) + $(CC) $(FLAGS) $(CFLAGS) $(CPPFLAGS) $(PESTO_SRCS) -DPESTO -o pesto \ + $(LDFLAGS) valgrind: EXTRA_SYSCALLS += rt_sigprocmask rt_sigtimedwait rt_sigaction \ rt_sigreturn getpid gettid kill clock_gettime \ diff --git a/common.h b/common.h index 7d37b92..43b1455 100644 --- a/common.h +++ b/common.h @@ -8,6 +8,9 @@ #ifndef COMMON_H #define COMMON_H +#include +#include + #define VERSION_BLOB \ VERSION "\n" \ "Copyright Red Hat\n" \ @@ -19,6 +22,8 @@ /* FPRINTF() intentionally silences cert-err33-c clang-tidy warnings */ #define FPRINTF(f, ...) (void)fprintf(f, __VA_ARGS__) +#define ARRAY_SIZE(a) ((int)(sizeof(a) / sizeof((a)[0]))) + #ifndef MIN #define MIN(x, y) (((x) < (y)) ? (x) : (y)) #endif @@ -26,7 +31,13 @@ #define MAX(x, y) (((x) > (y)) ? (x) : (y)) #endif +#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d)) +#define DIV_ROUND_CLOSEST(n, d) (((n) + (d) / 2) / (d)) +#define ROUND_DOWN(x, y) ((x) & ~((y) - 1)) +#define ROUND_UP(x, y) (((x) + (y) - 1) & ~((y) - 1)) + #define BIT(n) (1UL << (n)) +#define MAX_FROM_BITS(n) (((1U << (n)) - 1)) #ifndef __bswap_constant_16 #define __bswap_constant_16(x) \ @@ -76,4 +87,92 @@ #define ntohll(x) (be64toh((x))) #define htonll(x) (htobe64((x))) +#define BITMAP_BIT(n) (BIT((n) % (sizeof(long) * 8))) +#define BITMAP_WORD(n) (n / (sizeof(long) * 8)) + +/** + * bitmap_set() - Set single bit in bitmap + * @map: Pointer to bitmap + * @bit: Bit number to set + */ +static inline void bitmap_set(uint8_t *map, unsigned bit) +{ + unsigned long *word = (unsigned long *)map + BITMAP_WORD(bit); + + *word |= BITMAP_BIT(bit); +} + +/** + * bitmap_clear() - Clear single bit in bitmap + * @map: Pointer to bitmap + * @bit: Bit number to clear + */ +/* cppcheck-suppress unusedFunction */ +static inline void bitmap_clear(uint8_t *map, unsigned bit) +{ + unsigned long *word = (unsigned long *)map + BITMAP_WORD(bit); + + *word &= ~BITMAP_BIT(bit); +} + +/** + * bitmap_isset() - Check for set bit in bitmap + * @map: Pointer to bitmap + * @bit: Bit number to check + * + * Return: true if given bit is set, false if it's not + */ +static inline bool bitmap_isset(const uint8_t *map, unsigned bit) +{ + const unsigned long *word + = (const unsigned long *)map + BITMAP_WORD(bit); + + return !!(*word & BITMAP_BIT(bit)); +} + +/** + * bitmap_or() - Logical disjunction (OR) of two bitmaps + * @dst: Pointer to result bitmap + * @size: Size of bitmaps, in bytes + * @a: First operand + * @b: Second operand + */ +/* cppcheck-suppress unusedFunction */ +static inline void bitmap_or(uint8_t *dst, size_t size, + const uint8_t *a, const uint8_t *b) +{ + unsigned long *dw = (unsigned long *)dst; + unsigned long *aw = (unsigned long *)a; + unsigned long *bw = (unsigned long *)b; + size_t i; + + for (i = 0; i < size / sizeof(long); i++, dw++, aw++, bw++) + *dw = *aw | *bw; + + for (i = size / sizeof(long) * sizeof(long); i < size; i++) + dst[i] = a[i] | b[i]; +} + +/** + * bitmap_and_not() - Logical conjunction with complement (AND NOT) of bitmap + * @dst: Pointer to result bitmap + * @size: Size of bitmaps, in bytes + * @a: First operand + * @b: Second operand + */ +static inline void bitmap_and_not(uint8_t *dst, size_t size, + const uint8_t *a, const uint8_t *b) +{ + unsigned long *dw = (unsigned long *)dst; + unsigned long *aw = (unsigned long *)a; + unsigned long *bw = (unsigned long *)b; + size_t i; + + for (i = 0; i < size / sizeof(long); i++, dw++, aw++, bw++) + *dw = *aw & ~*bw; + + for (i = size / sizeof(long) * sizeof(long); i < size; i++) + dst[i] = a[i] & ~b[i]; +} + #endif /* _COMMON_H */ diff --git a/conf.c b/conf.c index de4c3c6..8e54b85 100644 --- a/conf.c +++ b/conf.c @@ -1846,18 +1846,36 @@ void conf(struct ctx *c, int argc, char **argv) do { name = getopt_long(argc, argv, optstring, options, NULL); + if (name != 't' && name != 'T' && name != 'u' && name != 'U') + continue; + + if ((name == 't' || name == 'T') && c->no_tcp) + die("TCP forwarding requested but TCP is disabled"); + if ((name == 'u' || name == 'U') && c->no_udp) + die("UDP forwarding requested but UDP is disabled"); + + if (!strcmp(optarg, "auto") && c->mode != MODE_PASTA) + die("'auto' port forwarding is only allowed for pasta"); + + if (!strcmp(optarg, "all") && c->mode == MODE_PASTA) + die("'all' port forwarding is only allowed for passt"); + if (name == 't') { - conf_ports(c, name, optarg, c->fwd[PIF_HOST], - &tcp_in_mode); + conf_ports(name, optarg, c->fwd[PIF_HOST], + &tcp_in_mode, !c->no_bindtodevice, + !!c->ifi4, !!c->ifi6); } else if (name == 'u') { - conf_ports(c, name, optarg, c->fwd[PIF_HOST], - &udp_in_mode); + conf_ports(name, optarg, c->fwd[PIF_HOST], + &udp_in_mode, !c->no_bindtodevice, + !!c->ifi4, !!c->ifi6); } else if (name == 'T') { - conf_ports(c, name, optarg, c->fwd[PIF_SPLICE], - &tcp_out_mode); + conf_ports(name, optarg, c->fwd[PIF_SPLICE], + &tcp_out_mode, !c->no_bindtodevice, + !!c->ifi4, !!c->ifi6); } else if (name == 'U') { - conf_ports(c, name, optarg, c->fwd[PIF_SPLICE], - &udp_out_mode); + conf_ports(name, optarg, c->fwd[PIF_SPLICE], + &udp_out_mode, !c->no_bindtodevice, + !!c->ifi4, !!c->ifi6); } } while (name != -1); @@ -1917,24 +1935,28 @@ void conf(struct ctx *c, int argc, char **argv) udp_out_mode = fwd_default; if (tcp_in_mode == FWD_MODE_AUTO) { - conf_ports_range_except(c, 't', "auto", c->fwd[PIF_HOST], + conf_ports_range_except('t', "auto", c->fwd[PIF_HOST], NULL, NULL, 1, NUM_PORTS - 1, NULL, 1, - FWD_SCAN); + FWD_SCAN, !c->no_bindtodevice, + !!c->ifi4, !!c->ifi6); } if (tcp_out_mode == FWD_MODE_AUTO) { - conf_ports_range_except(c, 'T', "auto", c->fwd[PIF_SPLICE], + conf_ports_range_except('T', "auto", c->fwd[PIF_SPLICE], NULL, "lo", 1, NUM_PORTS - 1, NULL, 1, - FWD_SCAN); + FWD_SCAN, !c->no_bindtodevice, + !!c->ifi4, !!c->ifi6); } if (udp_in_mode == FWD_MODE_AUTO) { - conf_ports_range_except(c, 'u', "auto", c->fwd[PIF_HOST], + conf_ports_range_except('u', "auto", c->fwd[PIF_HOST], NULL, NULL, 1, NUM_PORTS - 1, NULL, 1, - FWD_SCAN); + FWD_SCAN, !c->no_bindtodevice, + !!c->ifi4, !!c->ifi6); } if (udp_out_mode == FWD_MODE_AUTO) { - conf_ports_range_except(c, 'U', "auto", c->fwd[PIF_SPLICE], + conf_ports_range_except('U', "auto", c->fwd[PIF_SPLICE], NULL, "lo", 1, NUM_PORTS - 1, NULL, 1, - FWD_SCAN); + FWD_SCAN, !c->no_bindtodevice, + !!c->ifi4, !!c->ifi6); } conf_sock_listen(c); diff --git a/fwd.c b/fwd.c index 72028e7..4592af2 100644 --- a/fwd.c +++ b/fwd.c @@ -34,12 +34,6 @@ #include "arp.h" #include "ndp.h" -/* Ephemeral port range: values from RFC 6335 */ -static in_port_t fwd_ephemeral_min = (1 << 15) + (1 << 14); -static in_port_t fwd_ephemeral_max = NUM_PORTS - 1; - -#define PORT_RANGE_SYSCTL "/proc/sys/net/ipv4/ip_local_port_range" - #define NEIGH_TABLE_SLOTS 1024 #define NEIGH_TABLE_SIZE (NEIGH_TABLE_SLOTS / 2) static_assert((NEIGH_TABLE_SLOTS & (NEIGH_TABLE_SLOTS - 1)) == 0, @@ -249,74 +243,6 @@ void fwd_neigh_table_init(const struct ctx *c) fwd_neigh_table_update(c, &mga, c->our_tap_mac, true); } -/** fwd_probe_ephemeral() - Determine what ports this host considers ephemeral - * - * Work out what ports the host thinks are emphemeral and record it for later - * use by fwd_port_is_ephemeral(). If we're unable to probe, assume the range - * recommended by RFC 6335. - */ -void fwd_probe_ephemeral(void) -{ - char *line, *tab, *end; - struct lineread lr; - long min, max; - ssize_t len; - int fd; - - fd = open(PORT_RANGE_SYSCTL, O_RDONLY | O_CLOEXEC); - if (fd < 0) { - warn_perror("Unable to open %s", PORT_RANGE_SYSCTL); - return; - } - - lineread_init(&lr, fd); - len = lineread_get(&lr, &line); - close(fd); - - if (len < 0) - goto parse_err; - - tab = strchr(line, '\t'); - if (!tab) - goto parse_err; - *tab = '\0'; - - errno = 0; - min = strtol(line, &end, 10); - if (*end || errno) - goto parse_err; - - errno = 0; - max = strtol(tab + 1, &end, 10); - if (*end || errno) - goto parse_err; - - if (min < 0 || min >= (long)NUM_PORTS || - max < 0 || max >= (long)NUM_PORTS) - goto parse_err; - - fwd_ephemeral_min = min; - fwd_ephemeral_max = max; - - return; - -parse_err: - warn("Unable to parse %s", PORT_RANGE_SYSCTL); -} - -/** - * fwd_port_is_ephemeral() - Is port number ephemeral? - * @port: Port number - * - * Return: true if @port is ephemeral, that is may be allocated by the kernel as - * a local port for outgoing connections or datagrams, but should not be - * used for binding services to. - */ -bool fwd_port_is_ephemeral(in_port_t port) -{ - return (port >= fwd_ephemeral_min) && (port <= fwd_ephemeral_max); -} - /* Forwarding table storage, generally accessed via pointers in struct ctx */ static struct fwd_table fwd_in; static struct fwd_table fwd_out; @@ -332,92 +258,6 @@ void fwd_rule_init(struct ctx *c) c->fwd[PIF_SPLICE] = &fwd_out; } -/** - * fwd_rule_add() - Add a rule to a forwarding table - * @fwd: Table to add to - * @proto: Protocol to forward - * @flags: Flags for this entry - * @addr: Our address to forward (NULL for both 0.0.0.0 and ::) - * @ifname: Only forward from this interface name, if non-empty - * @first: First port number to forward - * @last: Last port number to forward - * @to: First port of target port range to map to - */ -void fwd_rule_add(struct fwd_table *fwd, uint8_t proto, uint8_t flags, - const union inany_addr *addr, const char *ifname, - in_port_t first, in_port_t last, in_port_t to) -{ - /* Flags which can be set from the caller */ - const uint8_t allowed_flags = FWD_WEAK | FWD_SCAN; - unsigned num = (unsigned)last - first + 1; - struct fwd_rule_state *new; - unsigned i, port; - - assert(!(flags & ~allowed_flags)); - - if (fwd->count >= ARRAY_SIZE(fwd->rules)) - die("Too many port forwarding ranges"); - if ((fwd->sock_count + num) > ARRAY_SIZE(fwd->socks)) - die("Too many listening sockets"); - - /* Check for any conflicting entries */ - for (i = 0; i < fwd->count; i++) { - char newstr[INANY_ADDRSTRLEN], rulestr[INANY_ADDRSTRLEN]; - struct fwd_rule_state *rule = &fwd->rules[i]; - - if (proto != rule->rule.proto) - /* Non-conflicting protocols */ - continue; - - if (!inany_matches(addr, fwd_rule_addr(&rule->rule))) - /* Non-conflicting addresses */ - continue; - - if (last < rule->rule.first || rule->rule.last < first) - /* Port ranges don't overlap */ - continue; - - die("Forwarding configuration conflict: %s/%u-%u versus %s/%u-%u", - inany_ntop(addr, newstr, sizeof(newstr)), first, last, - inany_ntop(fwd_rule_addr(&rule->rule), - rulestr, sizeof(rulestr)), - rule->rule.first, rule->rule.last); - } - - new = &fwd->rules[fwd->count++]; - new->rule.proto = proto; - new->rule.flags = flags; - - if (addr) { - new->rule.addr = *addr; - } else { - new->rule.addr = inany_any6; - new->rule.flags |= FWD_DUAL_STACK_ANY; - } - - memset(new->rule.ifname, 0, sizeof(new->rule.ifname)); - if (ifname) { - int ret; - - ret = snprintf(new->rule.ifname, sizeof(new->rule.ifname), - "%s", ifname); - if (ret <= 0 || (size_t)ret >= sizeof(new->rule.ifname)) - die("Invalid interface name: %s", ifname); - } - - assert(first <= last); - new->rule.first = first; - new->rule.last = last; - - new->rule.to = to; - - new->socks = &fwd->socks[fwd->sock_count]; - fwd->sock_count += num; - - for (port = new->rule.first; port <= new->rule.last; port++) - new->socks[port - new->rule.first] = -1; -} - /** * fwd_rule_match() - Does a prospective flow match a given forwarding rule? * @rule: Forwarding rule diff --git a/fwd.h b/fwd.h index 00f96860..00450a4 100644 --- a/fwd.h +++ b/fwd.h @@ -15,66 +15,14 @@ #include #include "inany.h" +#include "ports.h" #include "fwd_rule.h" struct flowside; -/* Number of ports for both TCP and UDP */ -#define NUM_PORTS (1U << 16) - void fwd_probe_ephemeral(void); bool fwd_port_is_ephemeral(in_port_t port); -/** - * struct fwd_rule_state - Forwarding rule and associated state - * @rule: Rule specification - * @socks: Array of listening sockets for this entry - */ -struct fwd_rule_state { - struct fwd_rule rule; - int *socks; -}; - -#define FWD_RULE_BITS 8 -#define MAX_FWD_RULES MAX_FROM_BITS(FWD_RULE_BITS) -#define FWD_NO_HINT (-1) - -/** - * struct fwd_listen_ref - information about a single listening socket - * @port: Bound port number of the socket - * @pif: pif in which the socket is listening - * @rule: Index of forwarding rule - */ -struct fwd_listen_ref { - in_port_t port; - uint8_t pif; - unsigned rule :FWD_RULE_BITS; -}; - -/* Maximum number of listening sockets (per pif) - * - * Rationale: This lets us listen on every port for two addresses and two - * protocols (which we need for -T auto -U auto without SO_BINDTODEVICE), plus a - * comfortable number of extras. - */ -#define MAX_LISTEN_SOCKS (NUM_PORTS * 5) - -/** - * struct fwd_table - Table of forwarding rules (per initiating pif) - * @count: Number of forwarding rules - * @rules: Array of forwarding rules - * @sock_count: Number of entries used in @socks - * @socks: Listening sockets for forwarding - */ -struct fwd_table { - unsigned count; - struct fwd_rule_state rules[MAX_FWD_RULES]; - unsigned sock_count; - int socks[MAX_LISTEN_SOCKS]; -}; - -#define PORT_BITMAP_SIZE DIV_ROUND_UP(NUM_PORTS, 8) - /** * struct fwd_scan - Port scanning state for a protocol+direction * @scan4: /proc/net fd to scan for IPv4 ports when in AUTO mode diff --git a/fwd_rule.c b/fwd_rule.c index 3e39b4f..091e196 100644 --- a/fwd_rule.c +++ b/fwd_rule.c @@ -18,8 +18,9 @@ #include #include "serialise.h" - +#include "ports.h" #include "fwd_rule.h" +#include "log.h" /** * fwd_rule_addr() - Return match address for a rule @@ -74,6 +75,92 @@ const char *fwd_rule_ntop(const struct fwd_rule *rule, char *dst, size_t size) return dst; } +/** + * fwd_rule_add() - Add a rule to a forwarding table + * @fwd: Table to add to + * @proto: Protocol to forward + * @flags: Flags for this entry + * @addr: Our address to forward (NULL for both 0.0.0.0 and ::) + * @ifname: Only forward from this interface name, if non-empty + * @first: First port number to forward + * @last: Last port number to forward + * @to: First port of target port range to map to + */ +void fwd_rule_add(struct fwd_table *fwd, uint8_t proto, uint8_t flags, + const union inany_addr *addr, const char *ifname, + in_port_t first, in_port_t last, in_port_t to) +{ + /* Flags which can be set from the caller */ + const uint8_t allowed_flags = FWD_WEAK | FWD_SCAN; + unsigned num = (unsigned)last - first + 1; + struct fwd_rule_state *new; + unsigned i, port; + + assert(!(flags & ~allowed_flags)); + + if (fwd->count >= ARRAY_SIZE(fwd->rules)) + die("Too many port forwarding ranges"); + if ((fwd->sock_count + num) > ARRAY_SIZE(fwd->socks)) + die("Too many listening sockets"); + + /* Check for any conflicting entries */ + for (i = 0; i < fwd->count; i++) { + char newstr[INANY_ADDRSTRLEN], rulestr[INANY_ADDRSTRLEN]; + struct fwd_rule_state *rule = &fwd->rules[i]; + + if (proto != rule->rule.proto) + /* Non-conflicting protocols */ + continue; + + if (!inany_matches(addr, fwd_rule_addr(&rule->rule))) + /* Non-conflicting addresses */ + continue; + + if (last < rule->rule.first || rule->rule.last < first) + /* Port ranges don't overlap */ + continue; + + die("Forwarding configuration conflict: %s/%u-%u versus %s/%u-%u", + inany_ntop(addr, newstr, sizeof(newstr)), first, last, + inany_ntop(fwd_rule_addr(&rule->rule), + rulestr, sizeof(rulestr)), + rule->rule.first, rule->rule.last); + } + + new = &fwd->rules[fwd->count++]; + new->rule.proto = proto; + new->rule.flags = flags; + + if (addr) { + new->rule.addr = *addr; + } else { + new->rule.addr = inany_any6; + new->rule.flags |= FWD_DUAL_STACK_ANY; + } + + memset(new->rule.ifname, 0, sizeof(new->rule.ifname)); + if (ifname) { + int ret; + + ret = snprintf(new->rule.ifname, sizeof(new->rule.ifname), + "%s", ifname); + if (ret <= 0 || (size_t)ret >= sizeof(new->rule.ifname)) + die("Invalid interface name: %s", ifname); + } + + assert(first <= last); + new->rule.first = first; + new->rule.last = last; + + new->rule.to = to; + + new->socks = &fwd->socks[fwd->sock_count]; + fwd->sock_count += num; + + for (port = new->rule.first; port <= new->rule.last; port++) + new->socks[port - new->rule.first] = -1; +} + /** * fwd_rule_seread() - Read erialised rule from an fd * @fd: fd to serialise to diff --git a/fwd_rule.h b/fwd_rule.h index 500b955..411a396 100644 --- a/fwd_rule.h +++ b/fwd_rule.h @@ -42,7 +42,60 @@ struct fwd_rule { uint8_t flags; }; +/** + * struct fwd_rule_state - Forwarding rule and associated state + * @rule: Rule specification + * @socks: Array of listening sockets for this entry + */ +struct fwd_rule_state { + struct fwd_rule rule; + int *socks; +}; + +#define FWD_RULE_BITS 8 +#define MAX_FWD_RULES MAX_FROM_BITS(FWD_RULE_BITS) +#define FWD_NO_HINT (-1) + +/** + * struct fwd_listen_ref - information about a single listening socket + * @port: Bound port number of the socket + * @pif: pif in which the socket is listening + * @rule: Index of forwarding rule + */ +struct fwd_listen_ref { + in_port_t port; + uint8_t pif; + unsigned rule :FWD_RULE_BITS; +}; + +/* Maximum number of listening sockets (per pif) + * + * Rationale: This lets us listen on every port for two addresses and two + * protocols (which we need for -T auto -U auto without SO_BINDTODEVICE), plus a + * comfortable number of extras. + */ +#define MAX_LISTEN_SOCKS (NUM_PORTS * 5) + +/** + * struct fwd_table - Table of forwarding rules (per initiating pif) + * @count: Number of forwarding rules + * @rules: Array of forwarding rules + * @sock_count: Number of entries used in @socks + * @socks: Listening sockets for forwarding + */ +struct fwd_table { + unsigned count; + struct fwd_rule_state rules[MAX_FWD_RULES]; + unsigned sock_count; + int socks[MAX_LISTEN_SOCKS]; +}; + +#define PORT_BITMAP_SIZE DIV_ROUND_UP(NUM_PORTS, 8) + const union inany_addr *fwd_rule_addr(const struct fwd_rule *rule); +void fwd_rule_add(struct fwd_table *fwd, uint8_t proto, uint8_t flags, + const union inany_addr *addr, const char *ifname, + in_port_t first, in_port_t last, in_port_t to); #define FWD_RULE_STRLEN \ (IPPROTO_STRLEN - 1 \ diff --git a/lineread.c b/lineread.c index b9ceae1..ae495a4 100644 --- a/lineread.c +++ b/lineread.c @@ -20,7 +20,6 @@ #include #include "lineread.h" -#include "util.h" /** * lineread_init() - Prepare for line by line file reading without allocation diff --git a/log.h b/log.h index 6ceb686..e2657ef 100644 --- a/log.h +++ b/log.h @@ -7,10 +7,42 @@ #define LOG_H #include +#include #include #include #include +#ifdef PESTO +extern int verbosity; + +#define die(...) \ + do { \ + FPRINTF(stderr, __VA_ARGS__); \ + FPRINTF(stderr, "\n"); \ + exit(EXIT_FAILURE); \ + } while (0) + +#define warn(...) \ + do { \ + FPRINTF(stderr, __VA_ARGS__); \ + FPRINTF(stderr, "\n"); \ + } while (0) + +#define warn_perror(...) \ + do { \ + FPRINTF(stderr, __VA_ARGS__); \ + FPRINTF(stderr, ": %i", errno); \ + } while (0) + +#define debug(...) \ + do { \ + if (verbosity > 1) { \ + FPRINTF(stderr, __VA_ARGS__); \ + FPRINTF(stderr, "\n"); \ + } \ + } while (0) +#else + /* This would make more sense in util.h, but because we use it in die(), that * would cause awkward circular reference problems. */ @@ -65,4 +97,5 @@ void __openlog(const char *ident, int option, int facility); void logfile_init(const char *name, const char *path, size_t size); void __setlogmask(int mask); +#endif /* !PESTO */ #endif /* LOG_H */ diff --git a/pesto.c b/pesto.c index f021cdb..42fa7f2 100644 --- a/pesto.c +++ b/pesto.c @@ -34,25 +34,12 @@ #include "common.h" #include "seccomp_pesto.h" #include "serialise.h" +#include "ports.h" #include "fwd_rule.h" #include "pesto.h" +#include "log.h" -static int verbosity = 1; - -#define die(...) \ - do { \ - FPRINTF(stderr, __VA_ARGS__); \ - FPRINTF(stderr, "\n"); \ - exit(EXIT_FAILURE); \ - } while (0) - -#define debug(...) \ - do { \ - if (verbosity > 1) { \ - FPRINTF(stderr, __VA_ARGS__); \ - FPRINTF(stderr, "\n"); \ - } \ - } while (0) +int verbosity = 1; /** * xmalloc() - Allocate memory, with fatal error on failure @@ -234,7 +221,7 @@ static void show_state(const struct conf_state *state) * * Return: 0 on success, won't return on failure * - * #syscalls:pesto connect write close exit_group fstat brk + * #syscalls:pesto connect write close exit_group fstat brk getrandom * #syscalls:pesto socket s390x:socketcall i686:socketcall * #syscalls:pesto recvfrom recvmsg arm:recv ppc64le:recv * #syscalls:pesto sendto sendmsg arm:send ppc64le:send diff --git a/ports.c b/ports.c index 5480176..a7167ac 100644 --- a/ports.c +++ b/ports.c @@ -26,19 +26,93 @@ #include #include #include +#include #include #include #include #include #include +#include "lineread.h" #include "common.h" -#include "util.h" -#include "ip.h" -#include "passt.h" -#include "common.h" -#include "pesto.h" #include "ports.h" +#include "fwd_rule.h" +#include "log.h" +#include "pesto.h" + +/* Ephemeral port range: values from RFC 6335 */ +static in_port_t fwd_ephemeral_min = (1 << 15) + (1 << 14); +static in_port_t fwd_ephemeral_max = NUM_PORTS - 1; + +#define PORT_RANGE_SYSCTL "/proc/sys/net/ipv4/ip_local_port_range" + +/** fwd_probe_ephemeral() - Determine what ports this host considers ephemeral + * + * Work out what ports the host thinks are emphemeral and record it for later + * use by fwd_port_is_ephemeral(). If we're unable to probe, assume the range + * recommended by RFC 6335. + */ +void fwd_probe_ephemeral(void) +{ + char *line, *tab, *end; + struct lineread lr; + long min, max; + ssize_t len; + int fd; + + fd = open(PORT_RANGE_SYSCTL, O_RDONLY | O_CLOEXEC); + if (fd < 0) { + warn_perror("Unable to open %s", PORT_RANGE_SYSCTL); + return; + } + + lineread_init(&lr, fd); + len = lineread_get(&lr, &line); + close(fd); + + if (len < 0) + goto parse_err; + + tab = strchr(line, '\t'); + if (!tab) + goto parse_err; + *tab = '\0'; + + errno = 0; + min = strtol(line, &end, 10); + if (*end || errno) + goto parse_err; + + errno = 0; + max = strtol(tab + 1, &end, 10); + if (*end || errno) + goto parse_err; + + if (min < 0 || min >= (long)NUM_PORTS || + max < 0 || max >= (long)NUM_PORTS) + goto parse_err; + + fwd_ephemeral_min = min; + fwd_ephemeral_max = max; + + return; + +parse_err: + warn("Unable to parse %s", PORT_RANGE_SYSCTL); +} + +/** + * fwd_port_is_ephemeral() - Is port number ephemeral? + * @port: Port number + * + * Return: true if @port is ephemeral, that is may be allocated by the kernel as + * a local port for outgoing connections or datagrams, but should not be + * used for binding services to. + */ +bool fwd_port_is_ephemeral(in_port_t port) +{ + return (port >= fwd_ephemeral_min) && (port <= fwd_ephemeral_max); +} /** * next_chunk() - Return the next piece of a string delimited by a character @@ -103,23 +177,27 @@ static int parse_port_range(const char *s, char **endptr, /** * conf_ports_range_except() - Set up forwarding for a range of ports minus a * bitmap of exclusions - * @c: Execution context - * @optname: Short option name, t, T, u, or U - * @optarg: Option argument (port specification) - * @fwd: Forwarding table to be updated - * @addr: Listening address - * @ifname: Listening interface - * @first: First port to forward - * @last: Last port to forward - * @exclude: Bitmap of ports to exclude (may be NULL) - * @to: Port to translate @first to when forwarding - * @flags: Flags for forwarding entries + * @optname: Short option name, t, T, u, or U + * @optarg: Option argument (port specification) + * @fwd: Forwarding table to be updated + * @addr: Listening address + * @ifname: Listening interface + * @first: First port to forward + * @last: Last port to forward + * @exclude: Bitmap of ports to exclude (may be NULL) + * @to: Port to translate @first to when forwarding + * @flags: Flags for forwarding entries + * @can_bindtodevice SO_BINDTODEVICE is available + * @v4_enabled IPv4 is enabled + * @v6_enabled IPv6 is enabled */ -void conf_ports_range_except(const struct ctx *c, char optname, - const char *optarg, struct fwd_table *fwd, - const union inany_addr *addr, - const char *ifname, uint16_t first, uint16_t last, - const uint8_t *exclude, uint16_t to, uint8_t flags) +void conf_ports_range_except(char optname, const char *optarg, + struct fwd_table *fwd, + const union inany_addr *addr, const char *ifname, + uint16_t first, uint16_t last, + const uint8_t *exclude, uint16_t to, uint8_t flags, + bool can_bindtodevice, + bool v4_enabled, bool v6_enabled) { unsigned delta = to - first; unsigned base, i; @@ -138,10 +216,10 @@ void conf_ports_range_except(const struct ctx *c, char optname, assert(0); if (addr) { - if (!c->ifi4 && inany_v4(addr)) { + if (!v4_enabled && inany_v4(addr)) { die("IPv4 is disabled, can't use -%c %s", optname, optarg); - } else if (!c->ifi6 && !inany_v4(addr)) { + } else if (!v6_enabled && !inany_v4(addr)) { die("IPv6 is disabled, can't use -%c %s", optname, optarg); } @@ -156,7 +234,7 @@ void conf_ports_range_except(const struct ctx *c, char optname, break; } - if ((optname == 'T' || optname == 'U') && c->no_bindtodevice) { + if ((optname == 'T' || optname == 'U') && !can_bindtodevice) { /* FIXME: Once the fwd bitmaps are removed, move this * workaround to the caller */ @@ -165,12 +243,12 @@ void conf_ports_range_except(const struct ctx *c, char optname, "SO_BINDTODEVICE unavailable, forwarding only 127.0.0.1 and ::1 for '-%c %s'", optname, optarg); - if (c->ifi4) { + if (v4_enabled) { fwd_rule_add(fwd, proto, flags, &inany_loopback4, NULL, base, i - 1, base + delta); } - if (c->ifi6) { + if (v6_enabled) { fwd_rule_add(fwd, proto, flags, &inany_loopback6, NULL, base, i - 1, base + delta); @@ -185,14 +263,17 @@ void conf_ports_range_except(const struct ctx *c, char optname, /** * conf_ports() - Parse port configuration options, initialise UDP/TCP sockets - * @c: Execution context - * @optname: Short option name, t, T, u, or U - * @optarg: Option argument (port specification) - * @fwd: Forwarding table to be updated - * @mode: Overall port forwarding mode (updated) + * @optname: Short option name, t, T, u, or U + * @optarg: Option argument (port specification) + * @fwd: Forwarding table to be updated + * @mode: Overall port forwarding mode (updated) + * @can_bindtodevice Whether SO_BINDTODEVICE is available + * @v4_enabled IPv4 is enabled + * @v6_enabled IPv6 is enabled */ -void conf_ports(const struct ctx *c, char optname, const char *optarg, - struct fwd_table *fwd, enum fwd_mode *mode) +void conf_ports(char optname, const char *optarg, struct fwd_table *fwd, + enum fwd_mode *mode, bool can_bindtodevice, + bool v4_enabled, bool v6_enabled) { union inany_addr addr_buf = inany_any6, *addr = &addr_buf; char buf[BUFSIZ], *spec, *ifname = NULL, *p; @@ -208,19 +289,11 @@ void conf_ports(const struct ctx *c, char optname, const char *optarg, return; } - if ((optname == 't' || optname == 'T') && c->no_tcp) - die("TCP port forwarding requested but TCP is disabled"); - if ((optname == 'u' || optname == 'U') && c->no_udp) - die("UDP port forwarding requested but UDP is disabled"); - if (!strcmp(optarg, "auto")) { if (*mode) goto mode_conflict; - if (c->mode != MODE_PASTA) - die("'auto' port forwarding is only allowed for pasta"); - - if ((optname == 'T' || optname == 'U') && c->no_bindtodevice) { + if ((optname == 'T' || optname == 'U') && can_bindtodevice) { warn( "'-%c auto' enabled without unprivileged SO_BINDTODEVICE", optname); warn( @@ -234,9 +307,6 @@ void conf_ports(const struct ctx *c, char optname, const char *optarg, if (*mode) goto mode_conflict; - if (c->mode == MODE_PASTA) - die("'all' port forwarding is only allowed for passt"); - *mode = FWD_MODE_ALL; /* Exclude ephemeral ports */ @@ -244,10 +314,10 @@ void conf_ports(const struct ctx *c, char optname, const char *optarg, if (fwd_port_is_ephemeral(i)) bitmap_set(exclude, i); - conf_ports_range_except(c, optname, optarg, fwd, - NULL, NULL, - 1, NUM_PORTS - 1, exclude, - 1, FWD_WEAK); + conf_ports_range_except(optname, optarg, fwd, NULL, NULL, + 1, NUM_PORTS - 1, exclude, 1, FWD_WEAK, + can_bindtodevice, + v4_enabled, v6_enabled); return; } @@ -323,7 +393,7 @@ void conf_ports(const struct ctx *c, char optname, const char *optarg, } } while ((p = next_chunk(p, ','))); - if (ifname && c->no_bindtodevice) { + if (ifname && !can_bindtodevice) { die( "Device binding for '-%c %s' unsupported (requires kernel 5.7+)", optname, optarg); @@ -338,10 +408,10 @@ void conf_ports(const struct ctx *c, char optname, const char *optarg, if (fwd_port_is_ephemeral(i)) bitmap_set(exclude, i); - conf_ports_range_except(c, optname, optarg, fwd, - addr, ifname, - 1, NUM_PORTS - 1, exclude, - 1, FWD_WEAK); + conf_ports_range_except(optname, optarg, fwd, addr, ifname, + 1, NUM_PORTS - 1, exclude, 1, FWD_WEAK, + can_bindtodevice, + v4_enabled, v6_enabled); return; } @@ -370,11 +440,11 @@ void conf_ports(const struct ctx *c, char optname, const char *optarg, if ((*p != '\0') && (*p != ',')) /* Garbage after the ranges */ goto bad; - conf_ports_range_except(c, optname, optarg, fwd, - addr, ifname, + conf_ports_range_except(optname, optarg, fwd, addr, ifname, orig_range.first, orig_range.last, - exclude, - mapped_range.first, 0); + exclude, mapped_range.first, 0, + can_bindtodevice, + v4_enabled, v6_enabled); } while ((p = next_chunk(p, ','))); return; diff --git a/ports.h b/ports.h index 3ef50e6..ffe440a 100644 --- a/ports.h +++ b/ports.h @@ -6,6 +6,13 @@ #ifndef PORTS_H #define PORTS_H +#include + +#include "inany.h" + +/* Number of ports for both TCP and UDP */ +#define NUM_PORTS (1U << 16) + /** * enum fwd_mode - Overall forwarding mode for a direction and protocol * @FWD_MODE_UNSET Initial value, not parsed/configured yet @@ -22,14 +29,20 @@ enum fwd_mode { FWD_MODE_ALL, }; -void conf_ports_range_except(const struct ctx *c, char optname, - const char *optarg, struct fwd_table *fwd, - const union inany_addr *addr, - const char *ifname, uint16_t first, uint16_t last, - const uint8_t *exclude, uint16_t to, - uint8_t flags); -void conf_ports(const struct ctx *c, char optname, const char *optarg, - struct fwd_table *fwd, enum fwd_mode *mode); +struct fwd_table; + +void fwd_probe_ephemeral(void); +bool fwd_port_is_ephemeral(in_port_t port); +void conf_ports_range_except(char optname, const char *optarg, + struct fwd_table *fwd, + const union inany_addr *addr, const char *ifname, + uint16_t first, uint16_t last, + const uint8_t *exclude, uint16_t to, uint8_t flags, + bool can_bindtodevice, + bool v4_enabled, bool v6_enabled); +void conf_ports(char optname, const char *optarg, struct fwd_table *fwd, + enum fwd_mode *mode, bool can_bindtodevice, + bool v4_enabled, bool v6_enabled); #endif /* PORTS_H */ diff --git a/util.c b/util.c index c64a1a6..ff5094e 100644 --- a/util.c +++ b/util.c @@ -367,90 +367,6 @@ long timespec_diff_ms(const struct timespec *a, const struct timespec *b) return timespec_diff_us(a, b) / 1000; } -/** - * bitmap_set() - Set single bit in bitmap - * @map: Pointer to bitmap - * @bit: Bit number to set - */ -void bitmap_set(uint8_t *map, unsigned bit) -{ - unsigned long *word = (unsigned long *)map + BITMAP_WORD(bit); - - *word |= BITMAP_BIT(bit); -} - -/** - * bitmap_clear() - Clear single bit in bitmap - * @map: Pointer to bitmap - * @bit: Bit number to clear - */ -/* cppcheck-suppress unusedFunction */ -void bitmap_clear(uint8_t *map, unsigned bit) -{ - unsigned long *word = (unsigned long *)map + BITMAP_WORD(bit); - - *word &= ~BITMAP_BIT(bit); -} - -/** - * bitmap_isset() - Check for set bit in bitmap - * @map: Pointer to bitmap - * @bit: Bit number to check - * - * Return: true if given bit is set, false if it's not - */ -bool bitmap_isset(const uint8_t *map, unsigned bit) -{ - const unsigned long *word - = (const unsigned long *)map + BITMAP_WORD(bit); - - return !!(*word & BITMAP_BIT(bit)); -} - -/** - * bitmap_or() - Logical disjunction (OR) of two bitmaps - * @dst: Pointer to result bitmap - * @size: Size of bitmaps, in bytes - * @a: First operand - * @b: Second operand - */ -/* cppcheck-suppress unusedFunction */ -void bitmap_or(uint8_t *dst, size_t size, const uint8_t *a, const uint8_t *b) -{ - unsigned long *dw = (unsigned long *)dst; - unsigned long *aw = (unsigned long *)a; - unsigned long *bw = (unsigned long *)b; - size_t i; - - for (i = 0; i < size / sizeof(long); i++, dw++, aw++, bw++) - *dw = *aw | *bw; - - for (i = size / sizeof(long) * sizeof(long); i < size; i++) - dst[i] = a[i] | b[i]; -} - -/** - * bitmap_and_not() - Logical conjunction with complement (AND NOT) of bitmap - * @dst: Pointer to result bitmap - * @size: Size of bitmaps, in bytes - * @a: First operand - * @b: Second operand - */ -void bitmap_and_not(uint8_t *dst, size_t size, - const uint8_t *a, const uint8_t *b) -{ - unsigned long *dw = (unsigned long *)dst; - unsigned long *aw = (unsigned long *)a; - unsigned long *bw = (unsigned long *)b; - size_t i; - - for (i = 0; i < size / sizeof(long); i++, dw++, aw++, bw++) - *dw = *aw & ~*bw; - - for (i = size / sizeof(long) * sizeof(long); i < size; i++) - dst[i] = a[i] & ~b[i]; -} - /** * ns_enter() - Enter configured user (unless already joined) and network ns * @c: Execution context diff --git a/util.h b/util.h index 8495ed9..8e81a80 100644 --- a/util.h +++ b/util.h @@ -28,16 +28,6 @@ #define IP_MAX_MTU USHRT_MAX #endif -#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d)) -#define DIV_ROUND_CLOSEST(n, d) (((n) + (d) / 2) / (d)) -#define ROUND_DOWN(x, y) ((x) & ~((y) - 1)) -#define ROUND_UP(x, y) (((x) + (y) - 1) & ~((y) - 1)) - -#define MAX_FROM_BITS(n) (((1U << (n)) - 1)) - -#define BITMAP_BIT(n) (BIT((n) % (sizeof(long) * 8))) -#define BITMAP_WORD(n) (n / (sizeof(long) * 8)) - #define SWAP(a, b) \ do { \ __typeof__(a) __x = (a); (a) = (b); (b) = __x; \ @@ -82,8 +72,6 @@ void abort_with_msg(const char *fmt, ...) #define V6 1 #define IP_VERSIONS 2 -#define ARRAY_SIZE(a) ((int)(sizeof(a) / sizeof((a)[0]))) - #define foreach(item, array) \ for ((item) = (array); (item) - (array) < ARRAY_SIZE(array); (item)++) @@ -164,12 +152,6 @@ int sock_unix(char *sock_path); void sock_probe_features(struct ctx *c); long timespec_diff_ms(const struct timespec *a, const struct timespec *b); int64_t timespec_diff_us(const struct timespec *a, const struct timespec *b); -void bitmap_set(uint8_t *map, unsigned bit); -void bitmap_clear(uint8_t *map, unsigned bit); -bool bitmap_isset(const uint8_t *map, unsigned bit); -void bitmap_or(uint8_t *dst, size_t size, const uint8_t *a, const uint8_t *b); -void bitmap_and_not(uint8_t *dst, size_t size, - const uint8_t *a, const uint8_t *b); char *line_read(char *buf, size_t len, int fd); void ns_enter(const struct ctx *c); bool ns_is_init(void); -- 2.43.0

Stefano Brivio

3:18 p.m.

New subject: [PATCH 18/18] [DO NOT USE] pesto, conf: Parse, send and receive rules, try to sync forwards

*** DO NOT USE ***: this introduces a security weakness as it allows passt to dynamically allocate memory based on external input (needed by fwd_rule_seread(), which will need either a replacement or a rewrite). This adds parsing of options using conf_ports() in pesto, builds rules, takes them out of the table (!) and sends them one by one to passt, which now receives them and uses them to replace the current forwarding table. This part works. This also adds a convenience implementation that closes all current sockets and tries to synchronise listening sockets from the new set of rules. This partially works, but for some reason sockets don't bind correctly, and I couldn't quite wrap my head around the complexity of the new "fwd_rule_state" and the fact that with this we can't simply dump rules in the tables and re-sync them (this part was very simple and it worked in my earlier draft). I'm sharing this part as well anyway as it might be convenient if it's useful to build a quick hack that makes the whole flow work with Podman, but that's about it. Signed-off-by: Stefano Brivio --- Makefile | 2 +- conf.c | 65 +++++++++++++++++++++++++++++++++++++++-- fwd.c | 8 ++++-- fwd.h | 2 +- pesto.c | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-- pif.h | 2 ++ util.c | 2 ++ 7 files changed, 160 insertions(+), 9 deletions(-) diff --git a/Makefile b/Makefile index b6b6a82..2423570 100644 --- a/Makefile +++ b/Makefile @@ -51,7 +51,7 @@ SRCS = $(PASST_SRCS) $(QRAP_SRCS) $(PASST_REPAIR_SRCS) $(PESTO_SRCS) MANPAGES = passt.1 pasta.1 pesto.1 qrap.1 passt-repair.1 PESTO_HEADERS = common.h fwd_rule.h inany.h ip.h pesto.h serialise.h ports.h \ - lineread.h + lineread.h pif.h PASST_HEADERS = arch.h arp.h checksum.h conf.h dhcp.h dhcpv6.h epoll_ctl.h \ flow.h fwd.h flow_table.h icmp.h icmp_flow.h iov.h isolation.h \ lineread.h log.h migrate.h ndp.h netlink.h packet.h passt.h pasta.h \ diff --git a/conf.c b/conf.c index 8e54b85..10fef65 100644 --- a/conf.c +++ b/conf.c @@ -2041,6 +2041,49 @@ static int conf_send_rules(const struct ctx *c, int fd) return 0; } +/** + * conf_send_rules() - Send current forwarding rules to dynamic update client (pesto) + * @c: Execution context + * @fd: Socket to the client + * + * Return: 0 on success, -1 on failure + */ +static int conf_recv_rules(const struct ctx *c, int fd) +{ + unsigned pif, i, j; + + for (i = 0; i < PIF_NUM_TYPES; i++) { + struct fwd_table *fwd; + struct fwd_rule r; + uint32_t count; + uint8_t num; + + if (seread_u8(fd, &num)) + return -1; + + pif = num; + if (pif == PIF_NONE) + return 0; + + fwd = c->fwd[pif]; + if (!fwd) + continue; + + fwd_listen_close(fwd); + + if (seread_u32(fd, &count)) + return -1; + + for (j = 0; j < count; j++) { + fwd_rule_seread(fd, &r); + fwd_rule_add(fwd, r.proto, 0, &r.addr, NULL, + r.first, r.last, r.to); + } + } + + return 0; +} + /** * conf_listen_handler() - Handle events on configuration listening socket * @c: Execution context @@ -2055,14 +2098,14 @@ void conf_listen_handler(struct ctx *c, uint32_t events) union epoll_ref ref = { .type = EPOLL_TYPE_CONF }; struct ucred uc = { 0 }; socklen_t len = sizeof(uc); - int fd, rc; + int fd, rc, i; if (events != EPOLLIN) { err("Unexpected event 0x%04x on configuration socket", events); return; } - fd = accept4(c->fd_control_listen, NULL, NULL, SOCK_NONBLOCK); + fd = accept4(c->fd_control_listen, NULL, NULL, 0); if (fd < 0) { warn_perror("accept4() on configuration listening socket"); return; @@ -2103,6 +2146,24 @@ void conf_listen_handler(struct ctx *c, uint32_t events) if (conf_send_rules(c, fd) < 0) goto fail; + if (conf_recv_rules(c, fd) < 0) + goto fail; + + info("Received new forwarding table:"); + for (i = 0; i < PIF_NUM_TYPES; i++) { + if (!c->fwd[i]) + continue; + + info("Forwarding from %s:", pif_name(i)); + fwd_rules_print(c->fwd[i]); + } + + memset(&c->tcp.scan_in, 0, PORT_BITMAP_SIZE); + memset(&c->tcp.scan_out, 0, PORT_BITMAP_SIZE); + memset(&c->udp.scan_in, 0, PORT_BITMAP_SIZE); + memset(&c->udp.scan_out, 0, PORT_BITMAP_SIZE); + fwd_listen_init(c); + return; fail: diff --git a/fwd.c b/fwd.c index 4592af2..eda382e 100644 --- a/fwd.c +++ b/fwd.c @@ -487,12 +487,12 @@ int fwd_listen_sync(const struct ctx *c, uint8_t pif, /** fwd_listen_close() - Close all listening sockets * @fwd: Forwarding information */ -void fwd_listen_close(const struct fwd_table *fwd) +void fwd_listen_close(struct fwd_table *fwd) { unsigned i; for (i = 0; i < fwd->count; i++) { - const struct fwd_rule_state *rs = &fwd->rules[i]; + struct fwd_rule_state *rs = &fwd->rules[i]; unsigned port; for (port = rs->rule.first; port <= rs->rule.last; port++) { @@ -503,9 +503,11 @@ void fwd_listen_close(const struct fwd_table *fwd) } } } + + fwd->sock_count = 0; } -/** fwd_listen_init() - Set up listening sockets at start up +/** fwd_listen_init() - Set up listening sockets * @c: Execution context * * Return: 0 on success, -1 on failure diff --git a/fwd.h b/fwd.h index 00450a4..d2a0c39 100644 --- a/fwd.h +++ b/fwd.h @@ -51,7 +51,7 @@ void fwd_scan_ports_timer(struct ctx * c, const struct timespec *now); int fwd_listen_sync(const struct ctx *c, uint8_t pif, const struct fwd_scan *tcp, const struct fwd_scan *udp); -void fwd_listen_close(const struct fwd_table *fwd); +void fwd_listen_close(struct fwd_table *fwd); int fwd_listen_init(const struct ctx *c); bool nat_inbound(const struct ctx *c, const union inany_addr *addr, diff --git a/pesto.c b/pesto.c index 42fa7f2..85683fa 100644 --- a/pesto.c +++ b/pesto.c @@ -38,6 +38,7 @@ #include "fwd_rule.h" #include "pesto.h" #include "log.h" +#include "pif.h" int verbosity = 1; @@ -65,6 +66,36 @@ static void usage(const char *name, FILE *f, int status) FPRINTF(f, "Usage: %s [OPTION]... PATH\n", name); FPRINTF(f, "\n" + " -t, --tcp-ports SPEC TCP inbound port forwarding\n" + " can be specified multiple times\n" + " SPEC can be:\n" + " 'none': don't forward any ports\n" + " 'auto': forward all ports currently bound in namespace\n" + " 'all': forward all unbound, non-ephemeral ports\n" + " a comma-separated list, optionally ranged with '-'\n" + " and optional target ports after ':', with optional\n" + " address specification suffixed by '/' and optional\n" + " interface prefixed by '%%'. Examples:\n" + " -t 22 Forward local port 22 to port 22 in netns\n" + " -t 22:23 Forward local port 22 to port 23\n" + " -t 22,25 Forward ports 22, 25 to ports 22, 25\n" + " -t 22-80 Forward ports 22 to 80\n" + " -t 22-80:32-90 Forward ports 22 to 80 to\n" + " corresponding port numbers plus 10\n" + " -t 192.0.2.1/5 Bind port 5 of 192.0.2.1\n" + " -t 5-25,~10-20 Forward ports 5 to 9, and 21 to 25\n" + " -t ~25 Forward all bound ports except for 25\n" + " IPv6 bound ports are also forwarded for IPv4\n" + " -u, --udp-ports SPEC UDP inbound port forwarding\n" + " SPEC is as described for TCP above\n" + " IPv6 bound ports are also forwarded for IPv4\n" + " unless specified, with '-t auto', UDP ports with numbers\n" + " corresponding to forwarded TCP port numbers are\n" + " forwarded too\n" + " -T, --tcp-ns SPEC TCP port forwarding to init namespace\n" + " SPEC is as described above\n" + " -U, --udp-ns SPEC UDP port forwarding to init namespace\n" + " SPEC is as described above\n" " -v, --verbose Be more verbose\n" " -q, --quiet Be less verbose\n" " -h, --help Display this help message and exit\n" @@ -221,7 +252,7 @@ static void show_state(const struct conf_state *state) * * Return: 0 on success, won't return on failure * - * #syscalls:pesto connect write close exit_group fstat brk getrandom + * #syscalls:pesto connect write close exit_group fstat brk getrandom openat * #syscalls:pesto socket s390x:socketcall i686:socketcall * #syscalls:pesto recvfrom recvmsg arm:recv ppc64le:recv * #syscalls:pesto sendto sendmsg arm:send ppc64le:send @@ -233,15 +264,22 @@ int main(int argc, char **argv) {"verbose", no_argument, NULL, 'v' }, {"help", no_argument, NULL, 'h' }, {"version", no_argument, NULL, 1 }, + {"tcp-ports", required_argument, NULL, 't' }, + {"udp-ports", required_argument, NULL, 'u' }, + {"tcp-ns", required_argument, NULL, 'T' }, + {"udp-ns", required_argument, NULL, 'U' }, { 0 }, }; + struct fwd_table fwd_in = { .count = 0 }, fwd_out = { .count = 0 }; struct sockaddr_un a = { AF_UNIX, "" }; - const char *optstring = "vh"; + const char *optstring = "vht:u:T:U:"; + enum fwd_mode fwd_default; struct pesto_hello hello; struct conf_state *state; struct sock_fprog prog; int optname, ret, s; uint32_t s_version; + unsigned i; prog.len = (unsigned short)sizeof(filter_pesto) / sizeof(filter_pesto[0]); @@ -250,6 +288,8 @@ int main(int argc, char **argv) prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) die("Failed to apply seccomp filter"); + fwd_probe_ephemeral(); + do { optname = getopt_long(argc, argv, optstring, options, NULL); @@ -266,6 +306,18 @@ int main(int argc, char **argv) case 'v': verbosity++; break; + case 't': + case 'u': + fwd_default = FWD_MODE_UNSET; + conf_ports(optname, optarg, &fwd_in, &fwd_default, + true, true, true); + break; + case 'T': + case 'U': + fwd_default = FWD_MODE_UNSET; + conf_ports(optname, optarg, &fwd_out, &fwd_default, + true, true, true); + break; case 1: FPRINTF(stdout, "pesto "); FPRINTF(stdout, VERSION_BLOB); @@ -291,6 +343,22 @@ int main(int argc, char **argv) a.sun_path, strerror(errno)); } + debug("Inbound rules from command line:"); + for (i = 0; i < fwd_in.count; i++) { + const struct fwd_rule *rule = &fwd_in.rules[i].rule; + char rulestr[FWD_RULE_STRLEN]; + + debug(" %s", fwd_rule_ntop(rule, rulestr, sizeof(rulestr))); + } + + debug("Outbound rules from command line:"); + for (i = 0; i < fwd_out.count; i++) { + const struct fwd_rule *rule = &fwd_out.rules[i].rule; + char rulestr[FWD_RULE_STRLEN]; + + debug(" %s", fwd_rule_ntop(rule, rulestr, sizeof(rulestr))); + } + debug("Connected to passt/pasta control socket"); ret = seread_var(s, &hello); @@ -324,5 +392,21 @@ int main(int argc, char **argv) show_state(state); + if (fwd_in.count) { + sewrite_u8(s, PIF_HOST); + sewrite_u32(s, fwd_in.count); + for (i = 0; i < fwd_in.count; i++) + fwd_rule_sewrite(s, &fwd_in.rules[i].rule); + } + + if (fwd_out.count) { + sewrite_u8(s, PIF_SPLICE); + sewrite_u32(s, fwd_out.count); + for (i = 0; i < fwd_out.count; i++) + fwd_rule_sewrite(s, &fwd_out.rules[i].rule); + } + + sewrite_u8(s, PIF_NONE); + exit(0); } diff --git a/pif.h b/pif.h index 7bb58e5..c96a090 100644 --- a/pif.h +++ b/pif.h @@ -35,6 +35,7 @@ enum pif_type { PIF_NUM_TYPES, }; +#ifndef PESTO extern const char *pif_type_str[]; static inline const char *pif_type(enum pif_type pt) @@ -66,5 +67,6 @@ void pif_sockaddr(const struct ctx *c, union sockaddr_inany *sa, int pif_listen(const struct ctx *c, enum epoll_type type, uint8_t pif, const union inany_addr *addr, const char *ifname, in_port_t port, unsigned rule); +#endif /* !PESTO */ #endif /* PIF_H */ diff --git a/util.c b/util.c index ff5094e..069c126 100644 --- a/util.c +++ b/util.c @@ -990,6 +990,8 @@ bool snprintf_check(char *str, size_t size, const char *format, ...) * * Assumes that the random data is essential, and will die() if unable to obtain * it. + * + * #syscalls getrandom brk */ void raw_random(void *buf, size_t buflen) { -- 2.43.0

Age (days ago)

Last active (days ago)

List overview

Download

17 comments

2 participants

participants (2)

David Gibson
Stefano Brivio

[PATCH v2 00/15] RFC: Read-only dynamic update implementation

tags

participants (2)