October 2025 - dev

[PATCH v3 2/8] util, flow, pif: Simplify sock_l4_sa() interface
by David Gibson 20 Nov '25

20 Nov '25

sock_l4_sa() has a somewhat confusing 'v6only' option controlling whether to set the IPV6_V6ONLY socket option. Usually it's set when the given address is IPv6, but not when we want to create a dual stack listening socket. The latter only makes sense when the address is :: however. Clarify this by only keeping the v6only option in an internal helper sock_l4_(). External users will call either sock_l4() which always creates a socket bound to a specific IP version, or sock_l4_dualstack() which creates a dual stack socket, but takes only a port not an address. We drop the '_sa' suffix while we're at it - it exists because this used to be an internal version with a sock_l4() wrapper. The wrapper no longer exists so the '_sa' is no longer useful. Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au> --- flow.c | 6 ++---- pif.c | 10 +++------- util.c | 27 +++++++++++++++++++++++---- util.h | 8 +++++--- 4 files changed, 33 insertions(+), 18 deletions(-) diff --git a/flow.c b/flow.c index 9926f408..fd530ddb 100644 --- a/flow.c +++ b/flow.c @@ -186,8 +186,7 @@ static int flowside_sock_splice(void *arg) ns_enter(a->c); - a->fd = sock_l4_sa(a->c, a->type, a->sa, NULL, - a->sa->sa_family == AF_INET6, a->data); + a->fd = sock_l4(a->c, a->type, a->sa, NULL, a->data); a->err = errno; return 0; @@ -222,8 +221,7 @@ int flowside_sock_l4(const struct ctx *c, enum epoll_type type, uint8_t pif, else if (sa.sa_family == AF_INET6) ifname = c->ip6.ifname_out; - return sock_l4_sa(c, type, &sa, ifname, - sa.sa_family == AF_INET6, data); + return sock_l4(c, type, &sa, ifname, data); case PIF_SPLICE: { struct flowside_sock_args args = { diff --git a/pif.c b/pif.c index 31723b29..5fb1f455 100644 --- a/pif.c +++ b/pif.c @@ -75,11 +75,7 @@ int pif_sock_l4(const struct ctx *c, enum epoll_type type, uint8_t pif, const union inany_addr *addr, const char *ifname, in_port_t port, uint32_t data) { - union sockaddr_inany sa = { - .sa6.sin6_family = AF_INET6, - .sa6.sin6_addr = in6addr_any, - .sa6.sin6_port = htons(port), - }; + union sockaddr_inany sa; ASSERT(pif_is_socket(pif)); @@ -90,8 +86,8 @@ int pif_sock_l4(const struct ctx *c, enum epoll_type type, uint8_t pif, } if (!addr) - return sock_l4_sa(c, type, &sa, ifname, false, data); + return sock_l4_dualstack(c, type, port, ifname, data); pif_sockaddr(c, &sa, pif, addr, port); - return sock_l4_sa(c, type, &sa, ifname, sa.sa_family == AF_INET6, data); + return sock_l4(c, type, &sa, ifname, data); } diff --git a/util.c b/util.c index 976fcabe..c94efae4 100644 --- a/util.c +++ b/util.c @@ -40,7 +40,7 @@ #endif /** - * sock_l4_sa() - Create and bind socket to socket address, add to epoll list + * sock_l4_() - Create and bind socket to socket address, add to epoll list * @c: Execution context * @type: epoll type * @sa: Socket address to bind to @@ -50,9 +50,9 @@ * * Return: newly created socket, negative error code on failure */ -int sock_l4_sa(const struct ctx *c, enum epoll_type type, - const union sockaddr_inany *sa, const char *ifname, - bool v6only, uint32_t data) +static int sock_l4_(const struct ctx *c, enum epoll_type type, + const union sockaddr_inany *sa, const char *ifname, + bool v6only, uint32_t data) { sa_family_t af = sa->sa_family; union epoll_ref ref = { .type = type, .data = data }; @@ -182,6 +182,25 @@ int sock_l4_sa(const struct ctx *c, enum epoll_type type, return fd; } +int sock_l4(const struct ctx *c, enum epoll_type type, + const union sockaddr_inany *sa, const char *ifname, + uint32_t data) +{ + return sock_l4_(c, type, sa, ifname, sa->sa_family == AF_INET6, data); +} + +int sock_l4_dualstack(const struct ctx *c, enum epoll_type type, + in_port_t port, const char *ifname, uint32_t data) +{ + union sockaddr_inany sa = { + .sa6.sin6_family = AF_INET6, + .sa6.sin6_addr = in6addr_any, + .sa6.sin6_port = htons(port), + }; + + return sock_l4_(c, type, &sa, ifname, 0, data); +} + /** * sock_unix() - Create and bind AF_UNIX socket * @sock_path: Socket path. If empty, set on return (UNIX_SOCK_PATH as prefix) diff --git a/util.h b/util.h index e1a1ebc9..7f0cf686 100644 --- a/util.h +++ b/util.h @@ -203,9 +203,11 @@ int do_clone(int (*fn)(void *), char *stack_area, size_t stack_size, int flags, struct ctx; union sockaddr_inany; -int sock_l4_sa(const struct ctx *c, enum epoll_type type, - const union sockaddr_inany *sa, const char *ifname, - bool v6only, uint32_t data); +int sock_l4(const struct ctx *c, enum epoll_type type, + const union sockaddr_inany *sa, const char *ifname, + uint32_t data); +int sock_l4_dualstack(const struct ctx *c, enum epoll_type type, + in_port_t port, const char *ifname, uint32_t data); int sock_unix(char *sock_path); void sock_probe_mem(struct ctx *c); long timespec_diff_ms(const struct timespec *a, const struct timespec *b); -- 2.51.0

2 7

[PATCH v3 0/8] Reduce differences between inbound and outbound socket binding
by David Gibson 18 Nov '25

18 Nov '25

The fact that outbound forwarding sockets are bound to the loopback address, whereas inbound forwarding sockets are (by default) bound to the unspecified address leads to some unexpected differences between the paths setting up each of them. An idea for tackling bug 100 suggested a different approach which will also reduce some of those differences and allow more code to be shared between the two paths. I've since discovered that this approach may not help for bug 100, but it might still be worthwhile for the clean up. Patches 1..6/8 are cleanups which shouldn't change behaviour, and I think are ready to merge. 7/8 is (arguably) a behavioural change, but I've made my case for it in the patch comment. 8/8 needs some further consideration, since I've discovered it does not fix bug 100 as is, I'm including it for advance review, though. v3: - A number of additional fixes covering the handling of IPV6_V6ONLY sockopt - Assorted trivial changes v2: - Some rearrangements and rewordings for clarity David Gibson (8): inany: Let length of sockaddr_inany be implicit from the family util, flow, pif: Simplify sock_l4_sa() interface tcp: Merge tcp_ns_sock_init[46]() into tcp_sock_init_one() udp: Unify some more inbound/outbound parts of udp_sock_init() udp: Move udp_sock_init() special case to its caller util: Fix setting of IPV6_V6ONLY socket option tcp, udp: Remove fallback if creating dual stack socket fails [RFC, DO NOT APPLY] tcp, udp: Bind outbound listening sockets by interface instead of address conf.c | 4 +- flow.c | 19 +++--- icmp.c | 3 +- inany.h | 18 ++++++ pif.c | 26 ++------ pif.h | 2 +- tcp.c | 164 +++++++++++++++++++-------------------------------- tcp.h | 5 +- tcp_splice.c | 5 +- udp.c | 102 +++++++++++++++----------------- udp.h | 5 +- util.c | 55 +++++++++++++---- util.h | 9 ++- 13 files changed, 201 insertions(+), 216 deletions(-) -- 2.51.0

2 11

[PATCH v3 1/8] inany: Let length of sockaddr_inany be implicit from the family
by David Gibson 13 Nov '25

13 Nov '25

sockaddr_inany can contain either an IPv4 or IPv6 socket address, so the relevant length for bind() or connect() can vary. In pif_sockaddr() we return that length, and in sock_l4_sa() we take it as an extra parameter. However, sockaddr_inany always contains exactly a sockaddr_in or a sockaddr_in6 each with a fixed size. Therefore we can derive the relevant length from the family, and don't need to pass it around separately. Make a tiny helper to get the relevant address length, and update all interfaces to use that approach instead. In the process, fix a buglet in tcp_flow_repair_bind(): we passed sizeof(union sockaddr_inany) to bind() instead of the specific length for the address family. Since the sizeof() is always longer than the specific length, this is probably fine, but not theoretically correct. Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au> --- flow.c | 17 +++++++---------- icmp.c | 3 ++- inany.h | 18 ++++++++++++++++++ pif.c | 14 ++++---------- pif.h | 2 +- tcp.c | 20 +++++++++----------- tcp_splice.c | 5 ++--- udp.c | 8 +++----- util.c | 9 ++++----- util.h | 5 +++-- 10 files changed, 53 insertions(+), 48 deletions(-) diff --git a/flow.c b/flow.c index feefda3c..9926f408 100644 --- a/flow.c +++ b/flow.c @@ -170,8 +170,7 @@ struct flowside_sock_args { int fd; int err; enum epoll_type type; - const struct sockaddr *sa; - socklen_t sl; + const union sockaddr_inany *sa; const char *path; uint32_t data; }; @@ -187,7 +186,7 @@ static int flowside_sock_splice(void *arg) ns_enter(a->c); - a->fd = sock_l4_sa(a->c, a->type, a->sa, a->sl, NULL, + a->fd = sock_l4_sa(a->c, a->type, a->sa, NULL, a->sa->sa_family == AF_INET6, a->data); a->err = errno; @@ -209,11 +208,10 @@ int flowside_sock_l4(const struct ctx *c, enum epoll_type type, uint8_t pif, { const char *ifname = NULL; union sockaddr_inany sa; - socklen_t sl; ASSERT(pif_is_socket(pif)); - pif_sockaddr(c, &sa, &sl, pif, &tgt->oaddr, tgt->oport); + pif_sockaddr(c, &sa, pif, &tgt->oaddr, tgt->oport); switch (pif) { case PIF_HOST: @@ -224,13 +222,13 @@ int flowside_sock_l4(const struct ctx *c, enum epoll_type type, uint8_t pif, else if (sa.sa_family == AF_INET6) ifname = c->ip6.ifname_out; - return sock_l4_sa(c, type, &sa, sl, ifname, + return sock_l4_sa(c, type, &sa, ifname, sa.sa_family == AF_INET6, data); case PIF_SPLICE: { struct flowside_sock_args args = { .c = c, .type = type, - .sa = &sa.sa, .sl = sl, .data = data, + .sa = &sa, .data = data, }; NS_CALL(flowside_sock_splice, &args); errno = args.err; @@ -259,10 +257,9 @@ int flowside_connect(const struct ctx *c, int s, uint8_t pif, const struct flowside *tgt) { union sockaddr_inany sa; - socklen_t sl; - pif_sockaddr(c, &sa, &sl, pif, &tgt->eaddr, tgt->eport); - return connect(s, &sa.sa, sl); + pif_sockaddr(c, &sa, pif, &tgt->eaddr, tgt->eport); + return connect(s, &sa.sa, socklen_inany(&sa)); } /** flow_log_ - Log flow-related message diff --git a/icmp.c b/icmp.c index 6dffafb0..62b3bed8 100644 --- a/icmp.c +++ b/icmp.c @@ -301,8 +301,9 @@ int icmp_tap_handler(const struct ctx *c, uint8_t pif, sa_family_t af, ASSERT(flow_proto[pingf->f.type] == proto); pingf->ts = now->tv_sec; - pif_sockaddr(c, &sa, &msh.msg_namelen, PIF_HOST, &tgt->eaddr, 0); + pif_sockaddr(c, &sa, PIF_HOST, &tgt->eaddr, 0); msh.msg_name = &sa; + msh.msg_namelen = socklen_inany(&sa); msh.msg_iov = iov; msh.msg_iovlen = cnt; msh.msg_control = NULL; diff --git a/inany.h b/inany.h index 7ca5cbd3..e3cae2a8 100644 --- a/inany.h +++ b/inany.h @@ -67,6 +67,24 @@ union sockaddr_inany { struct sockaddr_in6 sa6; }; +/** socklen_inany() - Return relevant size of an sockaddr_inany + * @sa: sockaddr_iany socket address + * + * Returns the correct socket address length to pass to bind() or connect() with + * @sa, based on whether it is an IPv4 or IPv6 address. + */ +static inline socklen_t socklen_inany(const union sockaddr_inany *sa) +{ + switch (sa->sa_family) { + case AF_INET: + return sizeof(sa->sa4); + case AF_INET6: + return sizeof(sa->sa6); + default: + ASSERT(0); + } +} + /** inany_v4 - Extract IPv4 address, if present, from IPv[46] address * @addr: IPv4 or IPv6 address * diff --git a/pif.c b/pif.c index 592fafaa..31723b29 100644 --- a/pif.c +++ b/pif.c @@ -29,12 +29,11 @@ static_assert(ARRAY_SIZE(pif_type_str) == PIF_NUM_TYPES, /** pif_sockaddr() - Construct a socket address suitable for an interface * @c: Execution context * @sa: Pointer to sockaddr to fill in - * @sl: Updated to relevant length of initialised @sa * @pif: Interface to create the socket address * @addr: IPv[46] address * @port: Port (host byte order) */ -void pif_sockaddr(const struct ctx *c, union sockaddr_inany *sa, socklen_t *sl, +void pif_sockaddr(const struct ctx *c, union sockaddr_inany *sa, uint8_t pif, const union inany_addr *addr, in_port_t port) { const struct in_addr *v4 = inany_v4(addr); @@ -46,7 +45,6 @@ void pif_sockaddr(const struct ctx *c, union sockaddr_inany *sa, socklen_t *sl, sa->sa4.sin_addr = *v4; sa->sa4.sin_port = htons(port); memset(&sa->sa4.sin_zero, 0, sizeof(sa->sa4.sin_zero)); - *sl = sizeof(sa->sa4); } else { sa->sa_family = AF_INET6; sa->sa6.sin6_addr = addr->a6; @@ -56,7 +54,6 @@ void pif_sockaddr(const struct ctx *c, union sockaddr_inany *sa, socklen_t *sl, else sa->sa6.sin6_scope_id = 0; sa->sa6.sin6_flowinfo = 0; - *sl = sizeof(sa->sa6); } } @@ -83,7 +80,6 @@ int pif_sock_l4(const struct ctx *c, enum epoll_type type, uint8_t pif, .sa6.sin6_addr = in6addr_any, .sa6.sin6_port = htons(port), }; - socklen_t sl; ASSERT(pif_is_socket(pif)); @@ -94,10 +90,8 @@ int pif_sock_l4(const struct ctx *c, enum epoll_type type, uint8_t pif, } if (!addr) - return sock_l4_sa(c, type, &sa, sizeof(sa.sa6), - ifname, false, data); + return sock_l4_sa(c, type, &sa, ifname, false, data); - pif_sockaddr(c, &sa, &sl, pif, addr, port); - return sock_l4_sa(c, type, &sa, sl, - ifname, sa.sa_family == AF_INET6, data); + pif_sockaddr(c, &sa, pif, addr, port); + return sock_l4_sa(c, type, &sa, ifname, sa.sa_family == AF_INET6, data); } diff --git a/pif.h b/pif.h index f029282b..0f7f6672 100644 --- a/pif.h +++ b/pif.h @@ -57,7 +57,7 @@ static inline bool pif_is_socket(uint8_t pif) return pif == PIF_HOST || pif == PIF_SPLICE; } -void pif_sockaddr(const struct ctx *c, union sockaddr_inany *sa, socklen_t *sl, +void pif_sockaddr(const struct ctx *c, union sockaddr_inany *sa, uint8_t pif, const union inany_addr *addr, in_port_t port); int pif_sock_l4(const struct ctx *c, enum epoll_type type, uint8_t pif, const union inany_addr *addr, const char *ifname, diff --git a/tcp.c b/tcp.c index 0f9e9b3f..d63a16bf 100644 --- a/tcp.c +++ b/tcp.c @@ -1443,12 +1443,11 @@ static void tcp_bind_outbound(const struct ctx *c, { const struct flowside *tgt = &conn->f.side[TGTSIDE]; union sockaddr_inany bind_sa; - socklen_t sl; - pif_sockaddr(c, &bind_sa, &sl, PIF_HOST, &tgt->oaddr, tgt->oport); + pif_sockaddr(c, &bind_sa, PIF_HOST, &tgt->oaddr, tgt->oport); if (!inany_is_unspecified(&tgt->oaddr) || tgt->oport) { - if (bind(s, &bind_sa.sa, sl)) { + if (bind(s, &bind_sa.sa, socklen_inany(&bind_sa))) { char sstr[INANY_ADDRSTRLEN]; flow_dbg_perror(conn, @@ -1508,7 +1507,6 @@ static void tcp_conn_from_tap(const struct ctx *c, sa_family_t af, union flow *flow; int s = -1, mss; uint64_t hash; - socklen_t sl; if (!(flow = flow_alloc())) return; @@ -1541,7 +1539,7 @@ static void tcp_conn_from_tap(const struct ctx *c, sa_family_t af, if ((s = tcp_conn_sock(af)) < 0) goto cancel; - pif_sockaddr(c, &sa, &sl, PIF_HOST, &tgt->eaddr, tgt->eport); + pif_sockaddr(c, &sa, PIF_HOST, &tgt->eaddr, tgt->eport); /* Use bind() to check if the target address is local (EADDRINUSE or * similar) and already bound, and set the LOCAL flag in that case. @@ -1553,7 +1551,7 @@ static void tcp_conn_from_tap(const struct ctx *c, sa_family_t af, * * So, if bind() succeeds, close the socket, get a new one, and proceed. */ - if (bind(s, &sa.sa, sl)) { + if (bind(s, &sa.sa, socklen_inany(&sa))) { if (errno != EADDRNOTAVAIL && errno != EACCES) conn_flag(c, conn, LOCAL); } else { @@ -1593,7 +1591,7 @@ static void tcp_conn_from_tap(const struct ctx *c, sa_family_t af, tcp_bind_outbound(c, conn, s); - if (connect(s, &sa.sa, sl)) { + if (connect(s, &sa.sa, socklen_inany(&sa))) { if (errno != EINPROGRESS) { tcp_rst(c, conn); goto cancel; @@ -1612,7 +1610,8 @@ static void tcp_conn_from_tap(const struct ctx *c, sa_family_t af, tcp_epoll_ctl(c, conn); if (c->mode == MODE_VU) { /* To rebind to same oport after migration */ - sl = sizeof(sa); + socklen_t sl = sizeof(sa); + if (getsockname(s, &sa.sa, &sl) || inany_from_sockaddr(&tgt->oaddr, &tgt->oport, &sa) < 0) err_perror("Can't get local address for socket %i", s); @@ -3592,11 +3591,10 @@ static int tcp_flow_repair_bind(const struct ctx *c, struct tcp_tap_conn *conn) { const struct flowside *sockside = HOSTFLOW(conn); union sockaddr_inany a; - socklen_t sl; - pif_sockaddr(c, &a, &sl, PIF_HOST, &sockside->oaddr, sockside->oport); + pif_sockaddr(c, &a, PIF_HOST, &sockside->oaddr, sockside->oport); - if (bind(conn->sock, &a.sa, sizeof(a))) { + if (bind(conn->sock, &a.sa, socklen_inany(&a))) { int rc = -errno; flow_perror(conn, "Failed to bind socket for migrated flow"); return rc; diff --git a/tcp_splice.c b/tcp_splice.c index 26cb6306..174a64d9 100644 --- a/tcp_splice.c +++ b/tcp_splice.c @@ -351,7 +351,6 @@ static int tcp_splice_connect(const struct ctx *c, struct tcp_splice_conn *conn) sa_family_t af = inany_v4(&tgt->eaddr) ? AF_INET : AF_INET6; uint8_t tgtpif = conn->f.pif[TGTSIDE]; union sockaddr_inany sa; - socklen_t sl; int one = 1; if (tgtpif == PIF_HOST) @@ -379,9 +378,9 @@ static int tcp_splice_connect(const struct ctx *c, struct tcp_splice_conn *conn) conn->s[1]); } - pif_sockaddr(c, &sa, &sl, tgtpif, &tgt->eaddr, tgt->eport); + pif_sockaddr(c, &sa, tgtpif, &tgt->eaddr, tgt->eport); - if (connect(conn->s[1], &sa.sa, sl)) { + if (connect(conn->s[1], &sa.sa, socklen_inany(&sa))) { if (errno != EINPROGRESS) { flow_trace(conn, "Couldn't connect socket for splice: %s", strerror_(errno)); diff --git a/udp.c b/udp.c index 86585b7e..8f96495d 100644 --- a/udp.c +++ b/udp.c @@ -773,7 +773,6 @@ static void udp_sock_to_sock(const struct ctx *c, int from_s, int n, const struct udp_flow *uflow = udp_at_sidx(tosidx); uint8_t topif = pif_at_sidx(tosidx); int to_s = uflow->s[tosidx.sidei]; - socklen_t sl; int i; if ((n = udp_sock_recv(c, from_s, udp_mh_recv, n)) <= 0) @@ -784,7 +783,7 @@ static void udp_sock_to_sock(const struct ctx *c, int from_s, int n, = udp_mh_recv[i].msg_len; } - pif_sockaddr(c, &udp_splice_to, &sl, topif, + pif_sockaddr(c, &udp_splice_to, topif, &toside->eaddr, toside->eport); sendmmsg(to_s, udp_mh_splice, n, MSG_NOSIGNAL); @@ -986,7 +985,6 @@ int udp_tap_handler(const struct ctx *c, uint8_t pif, flow_sidx_t tosidx; in_port_t src, dst; uint8_t topif; - socklen_t sl; ASSERT(!c->no_udp); @@ -1028,7 +1026,7 @@ int udp_tap_handler(const struct ctx *c, uint8_t pif, s = uflow->s[tosidx.sidei]; ASSERT(s >= 0); - pif_sockaddr(c, &to_sa, &sl, topif, &toside->eaddr, toside->eport); + pif_sockaddr(c, &to_sa, topif, &toside->eaddr, toside->eport); for (i = 0, j = 0; i < (int)p->count - idx && j < UIO_MAXIOV; i++) { const struct udphdr *uh_send; @@ -1041,7 +1039,7 @@ int udp_tap_handler(const struct ctx *c, uint8_t pif, return p->count - idx; mm[i].msg_hdr.msg_name = &to_sa; - mm[i].msg_hdr.msg_namelen = sl; + mm[i].msg_hdr.msg_namelen = socklen_inany(&to_sa); if (data.cnt) { int cnt; diff --git a/util.c b/util.c index c492f904..976fcabe 100644 --- a/util.c +++ b/util.c @@ -44,7 +44,6 @@ * @c: Execution context * @type: epoll type * @sa: Socket address to bind to - * @sl: Length of @sa * @ifname: Interface for binding, NULL for any * @v6only: Set IPV6_V6ONLY socket option * @data: epoll reference portion for protocol handlers @@ -52,10 +51,10 @@ * Return: newly created socket, negative error code on failure */ int sock_l4_sa(const struct ctx *c, enum epoll_type type, - const void *sa, socklen_t sl, - const char *ifname, bool v6only, uint32_t data) + const union sockaddr_inany *sa, const char *ifname, + bool v6only, uint32_t data) { - sa_family_t af = ((const struct sockaddr *)sa)->sa_family; + sa_family_t af = sa->sa_family; union epoll_ref ref = { .type = type, .data = data }; bool freebind = false; struct epoll_event ev; @@ -152,7 +151,7 @@ int sock_l4_sa(const struct ctx *c, enum epoll_type type, } } - if (bind(fd, sa, sl) < 0) { + if (bind(fd, &sa->sa, socklen_inany(sa)) < 0) { /* We'll fail to bind to low ports if we don't have enough * capabilities, and we'll fail to bind on already bound ports, * this is fine. This might also fail for ICMP because of a diff --git a/util.h b/util.h index 22eaac56..e1a1ebc9 100644 --- a/util.h +++ b/util.h @@ -201,10 +201,11 @@ int do_clone(int (*fn)(void *), char *stack_area, size_t stack_size, int flags, #include "packet.h" struct ctx; +union sockaddr_inany; int sock_l4_sa(const struct ctx *c, enum epoll_type type, - const void *sa, socklen_t sl, - const char *ifname, bool v6only, uint32_t data); + const union sockaddr_inany *sa, const char *ifname, + bool v6only, uint32_t data); int sock_unix(char *sock_path); void sock_probe_mem(struct ctx *c); long timespec_diff_ms(const struct timespec *a, const struct timespec *b); -- 2.51.0

2 2

[PATCH v7 0/5] Retry SYNs for inbound connections
by Yumei Huang 10 Nov '25

10 Nov '25

When a client connects, SYN would be sent to guest only once. If the guest is not connected or ready at that time, the connection will be reset in 10s. These patches introduce the SYN retry mechanism using the similar backoff timeout as linux kernel. Also update the data retransmission timeout using the backoff timeout. v7: - Update read_file() and read_file_integer() - Rename tcp_syn_params_init() to tcp_get_rto_params() - Modify the implementation of the timeout assignment - Add a patch to clamp the retry timeout Yumei Huang (5): tcp: Rename "retrans" to "retries" util: Introduce read_file() and read_file_integer() function tcp: Resend SYN for inbound connections tcp: Update data retransmission timeout tcp: Clamp the retry timeout tcp.c | 86 ++++++++++++++++++++++++++++++++++++++++++------------ tcp.h | 6 ++++ tcp_conn.h | 12 ++++---- util.c | 86 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ util.h | 2 ++ 5 files changed, 168 insertions(+), 24 deletions(-) -- 2.49.0

3 33

Re: [PATCH] contrib/selinux: use regex instead of non-standard bash macro
by Stefano Brivio 05 Nov '25

05 Nov '25

Hi Danish, On Mon, 27 Oct 2025 14:19:14 +0530 Danish Prakash <contact(a)danishpraka.sh> wrote: > On 10/16/25 4:26 PM, Max Chernoff wrote: > > Hi Stefano, > > > > On Thu, 2025-10-16 at 10:21 +0200, Stefano Brivio wrote: > >> On Thu, 16 Oct 2025 13:10:41 +0530 > >> Danish Prakash <contact(a)danishpraka.sh> wrote: > >>> It might be possible to avoid using non-standard bash macro (%USERID), > > > > It's not a Bash macro, it's a SELinux template. This doesn't seem to be > > documented anywhere (which isn't terribly surprising with SELinux), but > > it's defined in this file: > > > > https://github.com/SELinuxProject/selinux/blob/ceb5b221/libsemanage/src/gen… > > Thanks Max, I wasn't aware of it being an SELinux template. > > > > >> I wonder if > >> Max remembers any reason why we couldn't do this in the first place. > > > > The Fedora SELinux policy always uses %{USERID}, and so I copied it from > > there: > > > > $ grep -RnF '%{USERID}' policy/ > > policy/modules/contrib/dbus.fc:29:/run/user/%{USERID}/bus -s gen_context(system_u:object_r:session_dbusd_tmp_t,s0) > > policy/modules/contrib/dbus.fc:30:/run/user/%{USERID}/dbus(/.*)? gen_context(system_u:object_r:session_dbusd_tmp_t,s0) > > policy/modules/contrib/dbus.fc:31:/run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_tmp_t,s0) > > policy/modules/contrib/gnome.fc:25:/run/user/%{USERID}/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0) > > policy/modules/contrib/gnome.fc:26:/run/user/%{USERID}/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0) > > policy/modules/contrib/gnome.fc:27:/run/user/%{USERID}/keyring.* gen_context(system_u:object_r:gkeyringd_tmp_t,s0) > > policy/modules/kernel/filesystem.fc:17:/run/user/%{USERID}/gvfs -d gen_context(system_u:object_r:fusefs_t,s0) > > policy/modules/kernel/filesystem.fc:18:/run/user/%{USERID}/gvfs/.* <<none>> > > policy/modules/system/userdomain.fc:38:/run/user/%{USERID} -d gen_context(system_u:object_r:user_tmp_t,s0) > > policy/modules/system/userdomain.fc:39:/run/user/%{USERID}/.+ <<none>> > > > > $ grep -RnF '[0-9]+' policy/ | grep -v /dev/ > > policy/modules/contrib/rpm.fc:52:/usr/bin/rhn_check-[0-9]+\.[0-9]+ -- gen_context(system_u:object_r:rpm_exec_t,s0) > > policy/modules/contrib/soundserver.fc:12:/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0) > > policy/modules/kernel/devices.if:6958:## Allow read the hfi1_[0-9]+ devices > > > >>> diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec > >>> index 663289f53d97..d1bcf4a74338 100644 > >>> --- a/contrib/fedora/passt.spec > >>> +++ b/contrib/fedora/passt.spec > >>> [...] > >> > >> At a glance, this looks like a better solution regardless of the > >> reported issue. It sounds too good to be true, though > > > > I agree that it looks like a good solution, which makes me wonder why > > the base SELinux policies don't do it that way. The containers SELinux > > policy appears to do things this way > > > > $ grep -RnF '[0-9]+' > > container_selinux.8:166: /run/user/[0-9]+/gvfs > > $ grep -RnF '%{USERID}'; echo $? > > 1 > > > > so it's probably (?) okay though. > > That's helpful, I guess we can go ahead with this. Stefano, Paul? Sure. But back to my question about the original problem... what was the original problem? :) Could it be something similar to: https://bugzilla.redhat.com/show_bug.cgi?id=2401764 ? In general, there are a bunch of current SELinux issues reported on Fedora/RHEL (and I assume they would be exactly the same on openSUSE/SLES): https://bugzilla.redhat.com/buglist.cgi?bug_status=__open__&columnlist=shor… and I'm trying to find out if this change might fix some of them. Most of those are stuff I didn't investigate yet. -- Stefano

3 12

[PATCH 0/8] RFC: Cleanups to auto port scanning
by David Gibson 03 Nov '25

03 Nov '25

One of the trickiest parts of implementing the improved forwarding table is integrating it properly with automatic forwarding (-t auto etc.). Here are some preliminary cleanups to the automatic port scanning that will make the job a bit easier. David Gibson (8): icmp: Remove vestiges of ICMP timer tcp, udp, fwd: Run all port scanning from a single timer fwd: Consolidate scans (not rebinds) in fwd.c fwd: Move port exclusion handling from procfs_scan_listen() to callers fwd: Share port scanning logic between init and timer cases fwd: Check forwarding mode in fwd_scan_ports_*() rather than caller fwd: Update all port maps before applying exclusions tcp, udp: Don't exclude ports in {tcp,udp}_port_rebind() fwd.c | 107 ++++++++++++++++++++++++++++++++++++++------------------ fwd.h | 7 ++-- icmp.h | 2 -- passt.c | 8 ++--- tcp.c | 34 +++++++++--------- tcp.h | 3 +- udp.c | 31 ++++------------ udp.h | 4 +-- util.c | 23 ++++++++++++ util.h | 1 + 10 files changed, 129 insertions(+), 91 deletions(-) -- 2.51.0

2 12

[PATCH v2 0/8] Cleanups to auto port scanning
by David Gibson 01 Nov '25

01 Nov '25

One of the trickiest parts of implementing the improved forwarding table is integrating it properly with automatic forwarding (-t auto etc.). Here are some preliminary cleanups to the automatic port scanning that will make the job a bit easier. v2: * Rename bitmap_andc() to bitmap_and_not() (4/8) * Fixed comment formatting error (4/8) * Updated commit message based on further information from Stefano (7,8/8) * All other patches unchanged, except for trivial rebase fixes David Gibson (8): icmp: Remove vestiges of ICMP timer tcp, udp, fwd: Run all port scanning from a single timer fwd: Consolidate scans (not rebinds) in fwd.c fwd: Move port exclusion handling from procfs_scan_listen() to callers fwd: Share port scanning logic between init and timer cases fwd: Check forwarding mode in fwd_scan_ports_*() rather than caller fwd: Update all port maps before applying exclusions tcp, udp: Don't exclude ports in {tcp,udp}_port_rebind() fwd.c | 107 ++++++++++++++++++++++++++++++++++++++------------------ fwd.h | 7 ++-- icmp.h | 2 -- passt.c | 8 ++--- tcp.c | 34 +++++++++--------- tcp.h | 3 +- udp.c | 31 ++++------------ udp.h | 4 +-- util.c | 24 +++++++++++++ util.h | 2 ++ 10 files changed, 131 insertions(+), 91 deletions(-) -- 2.51.0

2 9

[PATCH 3/3] test: Re-implement pasta NDP tests using tunbridge & exeter
by David Gibson 31 Oct '25

31 Oct '25

Convert the pasta NDP tests from shell and our own DSL to Python using the exeter test protocol and tunbridge network simulation library. Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au> --- test/Makefile | 2 +- test/pasta/dhcp | 5 ++++ test/pasta/ndp.py | 59 ++++++++++++++++++++++++++++++++++++++++++ test/run | 6 +++-- test/tasst/__init__.py | 4 +++ test/tasst/pasta.py | 40 ++++++++++++++++++++++++++++ 6 files changed, 113 insertions(+), 3 deletions(-) create mode 100755 test/pasta/ndp.py create mode 100644 test/tasst/pasta.py diff --git a/test/Makefile b/test/Makefile index f66c7e7e..95e3d75e 100644 --- a/test/Makefile +++ b/test/Makefile @@ -67,7 +67,7 @@ ASSETS = $(DOWNLOAD_ASSETS) $(LOCAL_ASSETS) EXETER_SH = smoke/smoke.sh build/static_checkers.sh EXETER_PYPATH = exeter/py3:tunbridge/:. -EXETER_PYTHON = smoke/smoke.py build/build.py +EXETER_PYTHON = smoke/smoke.py build/build.py pasta/ndp.py EXETER_BATS = $(EXETER_SH:%=%.bats) $(EXETER_PYTHON:%=%.bats) BATS_FILES = $(EXETER_BATS) \ podman/test/system/505-networking-pasta.bats diff --git a/test/pasta/dhcp b/test/pasta/dhcp index e1c66be6..61279fbf 100644 --- a/test/pasta/dhcp +++ b/test/pasta/dhcp @@ -18,6 +18,11 @@ test Interface name nsout IFNAME ip -j link show | jq -rM '.[] | select(.link_type == "ether").ifname' check [ -n "__IFNAME__" ] +# Bring up the interface +ns ip link set dev __IFNAME__ up +# Wait for SLAAC & DAD to complete +ns while ! ip -j -6 addr show dev __IFNAME__ | jq -e '.[].addr_info.[] | select(.protocol == "kernel_ra")'; do sleep 0.1; done + test DHCP: address ns /sbin/dhclient -4 --no-pid __IFNAME__ nsout ADDR ip -j -4 addr show|jq -rM '.[] | select(.ifname == "__IFNAME__").addr_info[0].local' diff --git a/test/pasta/ndp.py b/test/pasta/ndp.py new file mode 100755 index 00000000..8c7ce31e --- /dev/null +++ b/test/pasta/ndp.py @@ -0,0 +1,59 @@ +#! /usr/bin/env python3 +# +# SPDX-License-Identifier: GPL-2.0-or-later +# +# test/pasta/ndp.py - pasta NDP functionality +# +# Copyright Red Hat +# Author: David Gibson <david(a)gibson.dropbear.id.au> + +import contextlib +import dataclasses +from typing import Iterator + +import exeter +import tunbridge +import tasst + + +(a)dataclasses.dataclass +class UnconfiguredScenario(exeter.Scenario): + """Tests for a pasta instance without --config-net""" + + host: tunbridge.Site + guest: tunbridge.Site + ifname: str + addr6: tunbridge.ip.AddrMask6 + gw6: tunbridge.ip.Addr6 + + @exeter.scenariotest + def test_ifname(self) -> None: + ifs = tunbridge.ip.ifs(self.guest) + exeter.assert_eq(set(ifs), {'lo', self.ifname}) + + @tunbridge.ndp.NdpScenario.subscenario + def test_ndp(self) -> tunbridge.ndp.NdpScenario: + tunbridge.ip.ifup(self.guest, self.ifname) + return tunbridge.ndp.NdpScenario(client=self.guest, + ifname=self.ifname, + network=self.addr6.network, + gateway=self.gw6) + + +(a)UnconfiguredScenario.test +(a)contextlib.contextmanager +def simh_pasta_setup() -> Iterator[UnconfiguredScenario]: + with (tunbridge.sample.simple_host('host') as simh, + tunbridge.sample.isolated('guest', simh.site) as guest): + assert simh.ip6 is not None + assert simh.gw6_ll is not None + with tasst.pasta.pasta(simh.site, guest): + yield UnconfiguredScenario(host=simh.site, + guest=guest, + ifname=simh.ifname, + addr6=simh.ip6, + gw6=simh.gw6_ll) + + +if __name__ == '__main__': + exeter.main() diff --git a/test/run b/test/run index 3872a56e..4f09d767 100755 --- a/test/run +++ b/test/run @@ -43,8 +43,10 @@ KERNEL=${KERNEL:-"/boot/vmlinuz-$(uname -r)"} COMMIT="$(git log --oneline --no-decorate -1)" -# Let exeter tests written in Python find their modules +# Let exeter tests written in Python find their modules and binaries to run export PYTHONPATH=${BASEPATH}/exeter/py3:${BASEPATH}/tunbridge:${BASEPATH} +export PASTA=${PASTA:-${BASEPATH}/../pasta} + . lib/util . lib/context @@ -75,8 +77,8 @@ run() { exeter build/build.py exeter build/static_checkers.sh + exeter pasta/ndp.py setup pasta - test pasta/ndp test pasta/dhcp test pasta/tcp test pasta/udp diff --git a/test/tasst/__init__.py b/test/tasst/__init__.py index fd4fe9a8..f5386b3a 100644 --- a/test/tasst/__init__.py +++ b/test/tasst/__init__.py @@ -8,3 +8,7 @@ # # Copyright Red Hat # Author: David Gibson <david(a)gibson.dropbear.id.au> + +from . import pasta + +__all__ = ['pasta'] diff --git a/test/tasst/pasta.py b/test/tasst/pasta.py new file mode 100644 index 00000000..91f59036 --- /dev/null +++ b/test/tasst/pasta.py @@ -0,0 +1,40 @@ +#! /usr/bin/env python3 +# +# SPDX-License-Identifier: GPL-2.0-or-later +# +# TASST - Test A Simple Socket Transport +# +# test/tasst/pasta.py - Helpers for seeting up pasta instances +# +# Copyright Red Hat +# Author: David Gibson <david(a)gibson.dropbear.id.au> + +import contextlib +import os +from typing import Iterator + +import tunbridge + + +(a)contextlib.contextmanager +def pasta(host: tunbridge.Site, guest: tunbridge.Site, *opts: str) \ + -> Iterator[tunbridge.site.SiteProcess]: + if tunbridge.unshare.parent(guest) is not host: + raise ValueError("pasta guest must be a namespace under host site") + + # This implies guest is a namespace site + assert isinstance(guest, tunbridge.unshare.NsenterSite) + + exe = os.environ['PASTA'] + + with host.tempdir() as piddir: + pidfile = os.path.join(piddir, 'pasta.pid') + cmd = [exe, '-f', '-P', pidfile] + list(opts) + [f'{guest.pid}'] + with host.bg(*cmd, stop=True) as pasta: + # Wait for the PID file to be written + pidstr = None + while not pidstr: + pidstr = host.readfile(pidfile, check=False) + pid = int(pidstr) + print(f'pasta started, host: {host}, guest: {guest}, pid: {pid}') + yield pasta -- 2.51.0

2 10

[PATCH v5 0/7] Refactor epoll handling in preparation for multithreading
by Laurent Vivier 30 Oct '25

30 Oct '25

This series refactors how epoll file descriptors are managed throughout the codebase in preparation for introducing multithreading support. Currently, passt uses a single global epollfd accessed through the context structure. With multithreading, each thread will need its own epollfd managing its subset of flows. The key changes are: 1. Centralize epoll management by extracting helper functions into a new epoll_ctl.c/h module and moving union epoll_ref from passt.h to its more logical location in epoll_ctl.h. 2. Simplify epoll_del() to take the epollfd directly rather than extracting it from the context structure, reducing coupling between epoll operations and the global context. 3. Move epoll registration out of sock_l4_sa() into protocol-specific code, giving callers explicit control over which epoll instance manages each socket. 4. Replace the boolean in_epoll flag in TCP connections with an epollid (epoll identifier) field in flow_common. This serves dual purposes: tracking registration status (EPOLLFD_ID_INVALID = not registered) and identifying which epoll instance manages the flow. An epoll ID to epoll fd mapping allows retrieving the actual epoll file descriptor. The epollid field is 8 bits, limiting values to 0-254 (255 = EPOLLFD_ID_INVALID). 5. Apply this pattern consistently across all protocol handlers (TCP, ICMP, UDP), storing the managing epoll ID in each flow's common structure. 6. Extract the event loop processing logic into a separate passt_worker() function, preparing the structure for future threading where this will become a worker thread callback. These changes make epoll instance ownership explicit in the flow tracking system, enabling flows to be managed by different epoll instances, a prerequisite for per-thread epollfd design in upcoming multithreading work. Changes since v1: - New patch: "epoll_ctl: Extract epoll operations" - centralizes epoll helpers into a dedicated module and relocates union epoll_ref from passt.h to epoll_ctl.h - Changed epollfd type in flow_common from int to 8-bit bitfield to avoid exceeding cacheline size threshold - Added flow_epollfd_valid() helper to check epoll registration status - Added flow_set_epollfd() helper to set the epoll instance for a flow Changes since v2: - Renamed field in flow_common from epollfd to threadnb (thread number) to better reflect that flows are now associated with threads rather than directly with epoll file descriptors - Introduced thread-to-epollfd mapping via threadnb_to_epollfd[] array in flow.c, providing an indirection layer between threads and their epoll instances - Renamed/refactored helper functions: - flow_set_epollfd() -> flow_epollfd_set() - now takes thread number and epollfd parameters - Added flow_epollfd_get() - retrieves the epoll fd for a flow's thread - flow_epollfd_valid() - now checks threadnb instead of epollfd - Updated constants: replaced EPOLLFD_* with FLOW_THREADNB_* equivalents (e.g., EPOLLFD_INVALID -> FLOW_THREADNB_INVALID) - Applied thread-based pattern consistently across TCP, ICMP, and UDP Changes since v3: - Change warn() by err() in epoll_add() - Renamed flow_epollfd_valid() to flow_in_epoll(), flow_epollfd_get() to flow_epollfd(). - Added flow_thread_register() to register an epollfd to a thread number, and called it from main() to register c->epollfd for thread 0 (main loop) - Replaced flow_epollfd_set() by flow_thread_set() to set the thread number of a flow. - Added new patch: "passt: Move main event loop processing into passt_worker()" Changes since v4: - Renamed field in flow_common from threadnb to epollid (epoll identifier) to better reflect the abstraction - flows are associated with an epoll instance identifier rather than specifically a thread number - Renamed mapping array from threadnb_to_epollfd[] to epoll_id_to_fd[] - Renamed/refactored helper functions: - flow_thread_set() -> flow_epollid_set() - sets the epoll ID - flow_thread_register() -> flow_epollid_register() - registers the epollfd for a given epoll ID - Added flow_epollid_clear() - explicitly clears the epoll ID - Updated constants: replaced FLOW_THREADNB_* with EPOLLFD_ID_* equivalents (e.g., FLOW_THREADNB_INVALID -> EPOLLFD_ID_INVALID, FLOW_THREADNB_MAX -> EPOLLFD_ID_MAX) - Added EPOLLFD_ID_DEFAULT constant for the default (main loop) epoll instance - Clarified that EPOLLFD_ID_BITS limits the number of epoll instances, not threads (though initially there will be one epoll instance per thread) Laurent Vivier (7): util: Simplify epoll_del() interface to take epollfd directly epoll_ctl: Extract epoll operations util: Move epoll registration out of sock_l4_sa() tcp, flow: Replace per-connection in_epoll flag with an epollid in flow_common icmp: Use epoll instance management for ICMP flows udp: Use epoll instance management for UDP flows passt: Move main event loop processing into passt_worker() Makefile | 22 +++---- epoll_ctl.c | 45 ++++++++++++++ epoll_ctl.h | 51 ++++++++++++++++ flow.c | 71 +++++++++++++++++++--- flow.h | 15 ++++- icmp.c | 23 +++++--- passt.c | 163 ++++++++++++++++++++++++++++----------------------- passt.h | 34 ----------- pasta.c | 7 +-- pif.c | 32 +++++++--- repair.c | 18 +++--- tap.c | 15 ++--- tcp.c | 46 +++++++++------ tcp_conn.h | 8 +-- tcp_splice.c | 26 ++++---- udp.c | 2 +- udp_flow.c | 23 ++++++-- util.c | 28 +-------- util.h | 6 +- vhost_user.c | 14 ++--- vu_common.c | 2 +- 21 files changed, 403 insertions(+), 248 deletions(-) create mode 100644 epoll_ctl.c create mode 100644 epoll_ctl.h -- 2.51.0

3 13

[PATCH v15 0/9] Use true MAC address of LAN local remote hosts
by Jon Maloy 30 Oct '25

30 Oct '25

Bug #120 asks us to use the true MAC addresses of LAN local remote hosts, since some programs need this information. These commits introduces this for ARP, NDP, UDP, TCP and ICMP. --- v3: Updated according to feedback from Stefano and David: - Made the ARP/NDP lookup call filter out the requested address by itself, qualified by the index if the template interface - Moved the flow specific MAC address from struct flowside to struct flow_common. v4: - Updated according to feedback from David and Stefan - Added a cache table for ARP/NDP table contents v5: - Updated according to feedback from David and Stefan - Added cache table entries to FIFO/LRU queue - New criteria for when to consult ARP/NDP v6: - Simplified and merged mac cache table commits - Other changes after feedback from David. v7: - Fixes in patch #2 based on feedback from David and Stefano. v8: - Redesigned netlink and cache table part to be based on a subscription model. v8: - Small fix to patch #2 so that we cover the case when a MAC addess for a host has changed. - Added a commit where we send a gratuitous ARP/ unsolicitated NA to the guest when a new host is added to the neighbour cache table. v10: - Some fixes after feedback from David Gibson - Reordered: Moved patch #9 to position #3. - Added synchronization step between ARP/NDP table contents and the neigbour table at initialization. This reduces the number of "false" ARP/NDP replies drastically, but not completly. - (Next step could be to scan over the flow table and update affeced entries when we receive a MAC address update.) v11: - Corrected the gratuitous ARP implementation to use the "ARP Announcement" model instead of the "Gratuitous ARP reply" model. v12: - Updated based on feedback from David and Stefano - Added special handling of default GW and loopback addresses. v13: - Updated based on discussion with David and Stefano - Conceptually moved to only considering guest-side visible addresss. A lot of things became simpler and clearer through this change. Thank you, David. - Introduced a 'permanent' flag in the special entries representing addessed mapping to own host and conditionally the guest gw. This flag indicates those entries cannot be altered by possible remote hosts shadowed by these addresses. Suggested by Stefano. - Reordered patch ##4 and 5, since #5 cannot work correctly for NDP unsolicited NA until #4 is in place. - Added a new commit #2 to get later access to the flag no_map_gw. It was wrong to call fwd_neigh_table_init() from inside conf(), it has to be done in main() after random_init() and tap_backend_init(). v14: - Some fixes after feedback from David Gibson, notably - Moved the call to nat_inbound() from fwd.c to netlink.c - Added RFC quotes to explain the format of ARP announce messages. v15: - More fixes, after feedback and discussions. Notably: - Added a secondary lookup in fwd_neigh_mac_get(), so that we respond with the guest GW's MAC address in case the primary lookup fails. - Removed guest_gw IP address as 'blocker' entry in the neighbor table. It is ok to let the host GW MAC address go through if the GW addresses match, and even when they don't we found it isn't needed. - Removed previous patch #2 about no_map_gw, since the change it introduced only was needed by the the functionality we just removed as described above. Jon Maloy (9): netlink: add subscription on changes in NDP/ARP table fwd: Add cache table for ARP/NDP contents arp/ndp: respond with true MAC address of LAN local remote hosts arp/ndp: send ARP announcement / unsolicited NA when neigbour entry added flow: add MAC address of LAN local remote hosts to flow udp: forward external source MAC address through tap interface tcp: forward external source MAC address through tap interface tap: change signature of function tap_push_l2h() icmp: let icmp use mac address from flowside structure arp.c | 59 +++++++++++++- arp.h | 2 + epoll_type.h | 2 + flow.c | 2 + flow.h | 2 + fwd.c | 212 +++++++++++++++++++++++++++++++++++++++++++++++++ fwd.h | 7 ++ icmp.c | 8 +- inany.c | 1 + ndp.c | 16 +++- ndp.h | 1 + netlink.c | 208 +++++++++++++++++++++++++++++++++++++++++++++++- netlink.h | 4 + passt.c | 17 ++-- passt.h | 3 +- pasta.c | 2 +- tap.c | 24 +++--- tap.h | 7 +- tcp.c | 20 ++++- tcp.h | 2 +- tcp_buf.c | 37 ++++----- tcp_internal.h | 4 +- tcp_vu.c | 5 +- udp.c | 57 ++++++++----- udp.h | 2 +- util.h | 2 + 26 files changed, 623 insertions(+), 83 deletions(-) -- 2.50.1

3 11