Re: [PATCH v7 07/13] netlink, pasta: refactor function pasta_ns_conf()

26 May 2026

On Sun, Apr 12, 2026 at 08:53:13PM -0400, Jon Maloy wrote:
...
After the previous changes in this series it becomes possible
to simplify the pasta_ns_conf() function.
We extract address and route configuration into helper functions
pasta_conf_addrs() and pasta_conf_routes(), reducing nesting
and improving readability.
To allow pasta_conf_addrs() to handle both address families
uniformly, we change nl_addr_set() to take a union inany_addr pointer
instead of void pointer, moving the address family handling into
the function itself.
We also fix a bug where the IPv6 code path incorrectly wrote to
req.set.a4.rta_l.rta_type instead of req.set.a6.rta_l.rta_type.
Signed-off-by: Jon Maloy 
Reviewed-by: David Gibson 

Very happy to see the confusing gotos gone.

Couple of minor suggestions below, plus noted a pre-existing oddity
that might be worth altering / commenting as a separate matter.
...
---
v7: -Removed redundant argument 'af' in nl_addr_set()
    -Removed redundant label and 'goto's in pasta_ns_conf()
    -Since I excluded addition of all LINKLOCAL addresses from host
     address array in a previous commit I can now omit this test
     in pasta_conf_addrs()  as suggested by David.
    -Here is the example of agnostic usage of inany_prefix_len()
     I referred to in a previous commit.
---
 netlink.c |  17 ++--
 netlink.h |   4 +-
 pasta.c   | 232 ++++++++++++++++++++++++++----------------------------
 3 files changed, 123 insertions(+), 130 deletions(-)

diff --git a/netlink.c b/netlink.c
index 3f5a812..3d25212 100644
--- a/netlink.c
+++ b/netlink.c
@@ -863,15 +863,15 @@ int nl_addr_get_ll(int s, unsigned int ifi, struct in6_addr *addr)
  * nl_addr_set() - Set IP addresses for given interface and address family
  * @s:		Netlink socket
  * @ifi:	Interface index
- * @af:		Address family
  * @addr:	Global address to set
  * @prefix_len:	Mask or prefix length to set
  *
  * Return: 0 on success, negative error code on failure
  */
-int nl_addr_set(int s, unsigned int ifi, sa_family_t af,
-		const void *addr, int prefix_len)
+int nl_addr_set(int s, unsigned int ifi, const union inany_addr *addr,
+		int prefix_len)
 {
+	sa_family_t af = inany_af(addr);
  struct req_t {
      struct nlmsghdr nlh;
      struct ifaddrmsg ifa;
@@ -905,21 +905,22 @@ int nl_addr_set(int s, unsigned int ifi, sa_family_t af,
len = offsetof(struct req_t, set.a6) + sizeof(req.set.a6);
-		memcpy(&req.set.a6.l, addr, sizeof(req.set.a6.l));
+		memcpy(&req.set.a6.l, &addr->a6, sizeof(req.set.a6.l));
      req.set.a6.rta_l.rta_len = rta_len;
-		req.set.a4.rta_l.rta_type = IFA_LOCAL;
-		memcpy(&req.set.a6.a, addr, sizeof(req.set.a6.a));
+		req.set.a6.rta_l.rta_type = IFA_LOCAL;
+		memcpy(&req.set.a6.a, &addr->a6, sizeof(req.set.a6.a));
      req.set.a6.rta_a.rta_len = rta_len;
      req.set.a6.rta_a.rta_type = IFA_ADDRESS;
  } else {
+		const struct in_addr *v4 = inany_v4(addr);
I suspect the static checkers won't be able to deduce that this cannot
be NULL, because of the earlier inany_af() call - in a sense you're
checking the address family twice.

I think it would be more elegant (and avoid possible checker false
positives) to have the if based on the return value from inany_v4(),
then set req.ifa.ifa_family to constant values in each branch
...
size_t rta_len = RTA_LENGTH(sizeof(req.set.a4.l));
len = offsetof(struct req_t, set.a4) + sizeof(req.set.a4);
-		memcpy(&req.set.a4.l, addr, sizeof(req.set.a4.l));
+		memcpy(&req.set.a4.l, v4, sizeof(req.set.a4.l));
      req.set.a4.rta_l.rta_len = rta_len;
      req.set.a4.rta_l.rta_type = IFA_LOCAL;
-		memcpy(&req.set.a4.a, addr, sizeof(req.set.a4.a));
+		memcpy(&req.set.a4.a, v4, sizeof(req.set.a4.a));
      req.set.a4.rta_a.rta_len = rta_len;
      req.set.a4.rta_a.rta_type = IFA_ADDRESS;
  }
diff --git a/netlink.h b/netlink.h
index 3af6d58..ec859b7 100644
--- a/netlink.h
+++ b/netlink.h
@@ -22,8 +22,8 @@ int nl_route_dup(int s_src, unsigned int ifi_src,
 int nl_addr_get_all(struct ctx *c, int s, unsigned int ifi, sa_family_t af);
 bool nl_neigh_mac_get(int s, const union inany_addr *addr, int ifi,
            unsigned char *mac);
-int nl_addr_set(int s, unsigned int ifi, sa_family_t af,
-		const void *addr, int prefix_len);
+int nl_addr_set(int s, unsigned int ifi, const union inany_addr *addr,
+		int prefix_len);
 int nl_addr_get_ll(int s, unsigned int ifi, struct in6_addr *addr);
 int nl_addr_set_ll_nodad(int s, unsigned int ifi);
 int nl_addr_dup(int s_src, unsigned int ifi_src,
diff --git a/pasta.c b/pasta.c
index b3936f5..f949dc2 100644
--- a/pasta.c
+++ b/pasta.c
@@ -46,6 +46,7 @@
#include "util.h"
 #include "passt.h"
+#include "conf.h"
 #include "isolation.h"
 #include "netlink.h"
 #include "log.h"
@@ -303,13 +304,69 @@ void pasta_start_ns(struct ctx *c, uid_t uid, gid_t gid,
      die_perror("Failed to join network namespace");
 }
+/**
+ * pasta_conf_addrs() - Configure addresses for one address family in namespace
+ * @c:		Execution context
+ * @af:		Address family (AF_INET or AF_INET6)
+ * @ifi:	Host interface index for this address family
+ * @no_copy:	If true, set addresses from c->addrs; if false, copy from host
+ *
+ * Return: 0 on success, negative error code on failure
+ */
+static int pasta_conf_addrs(struct ctx *c, sa_family_t af,
+			    int ifi, bool no_copy)
+{
+	const struct guest_addr *a;
+
+	if (!ifi)
+		return 0;
+
+	if (!no_copy)
+		return nl_addr_dup(nl_sock, ifi, nl_sock_ns, c->pasta_ifi, af);
+
+	for_each_addr(a, c->addrs, c->addr_count, af) {
+		int rc;
+
+		rc = nl_addr_set(nl_sock_ns, c->pasta_ifi, &a->addr,
+				 inany_prefix_len(&a->addr, a->prefix_len));
+		if (rc < 0)
+			return rc;
+	}
+	return 0;
+}
+
+/**
+ * pasta_conf_routes() - Configure routes for one address family in namespace
+ * @c:		Execution context
+ * @af:		Address family (AF_INET or AF_INET6)
+ * @ifi:	Host interface index for this address family
+ * @no_copy:	If true, set default route; if false, copy routes from host
+ *
+ * Return: 0 on success, negative error code on failure
+ */
+static int pasta_conf_routes(struct ctx *c, sa_family_t af, int ifi,
+			     bool no_copy)
+{
+	const void *gw = (af == AF_INET) ?
+		(const void *)&c->ip4.guest_gw : (const void *)&c->ip6.guest_gw;
+
+	if (!ifi)
+		return 0;
+
+	if (no_copy)
It'd be nicer to have the !no_copy branch first for consistency with
pasta_conf_addrs().
...
+		return nl_route_set_def(nl_sock_ns, c->pasta_ifi, af, gw);
+
+	return nl_route_dup(nl_sock, ifi, nl_sock_ns, c->pasta_ifi, af);
+}
+
 /**
  * pasta_ns_conf() - Set up loopback and tap interfaces in namespace as needed
  * @c:		Execution context
  */
 void pasta_ns_conf(struct ctx *c)
 {
-	int rc = 0;
+	unsigned int flags = IFF_UP;
+	int rc;
rc = nl_link_set_flags(nl_sock_ns, 1 /* lo */, IFF_UP, IFF_UP);
  if (rc < 0)
@@ -328,127 +385,62 @@ void pasta_ns_conf(struct ctx *c)
      die("Couldn't set MAC address in namespace: %s",
          strerror_(-rc));
-	if (c->pasta_conf_ns) {
-		unsigned int flags = IFF_UP;
-		const struct guest_addr *a;
-		int plen;
-
-		if (c->mtu)
-			nl_link_set_mtu(nl_sock_ns, c->pasta_ifi, c->mtu);
-
-		if (c->ifi6) /* Avoid duplicate address detection on link up */
-			flags |= IFF_NOARP;
-
-		nl_link_set_flags(nl_sock_ns, c->pasta_ifi, flags, flags);
-
-		if (c->ifi4) {
-			if (c->ip4.no_copy_addrs) {
-				for_each_addr(a, c->addrs, c->addr_count, AF_INET) {
-					plen = inany_prefix_len(&a->addr,
-								a->prefix_len);
-					rc = nl_addr_set(nl_sock_ns,
-							 c->pasta_ifi, AF_INET,
-							 inany_v4(&a->addr),
-							 plen);
-					if (rc < 0)
-						break;
-				}
-			} else {
-				rc = nl_addr_dup(nl_sock, c->ifi4,
-						 nl_sock_ns, c->pasta_ifi,
-						 AF_INET);
-			}
-
-			if (c->ifi4 == -1 && rc == -ENOTSUP) {
-				warn("IPv4 not supported, disabling");
-				c->ifi4 = 0;
-				goto ipv4_done;
-			}
-
-			if (rc < 0) {
-				die("Couldn't set IPv4 address(es) in namespace: %s",
-				    strerror_(-rc));
-			}
-
-			if (c->ip4.no_copy_routes) {
-				rc = nl_route_set_def(nl_sock_ns, c->pasta_ifi,
-						      AF_INET,
-						      &c->ip4.guest_gw);
-			} else {
-				rc = nl_route_dup(nl_sock, c->ifi4, nl_sock_ns,
-						  c->pasta_ifi, AF_INET);
-			}
-
-			if (rc < 0) {
-				die("Couldn't set IPv4 route(s) in guest: %s",
-				    strerror_(-rc));
-			}
-		}
-ipv4_done:
-
-		if (c->ifi6) {
-			rc = nl_addr_get_ll(nl_sock_ns, c->pasta_ifi,
-					    &c->ip6.addr_ll_seen);
-			if (rc < 0) {
-				warn("Can't get LL address from namespace: %s",
-				    strerror_(-rc));
-			}
-
-			rc = nl_addr_set_ll_nodad(nl_sock_ns, c->pasta_ifi);
-			if (rc < 0) {
-				warn("Can't set nodad for LL in namespace: %s",
-				    strerror_(-rc));
-			}
-
-			/* We dodged DAD: re-enable neighbour solicitations */
-			nl_link_set_flags(nl_sock_ns, c->pasta_ifi,
-					  0, IFF_NOARP);
-
-			if (c->ip6.no_copy_addrs) {
-				for_each_addr(a, c->addrs, c->addr_count, AF_INET6) {
-					rc = nl_addr_set(nl_sock_ns,
-							 c->pasta_ifi,
-							 AF_INET6, &a->addr.a6,
-							 a->prefix_len);
-					if (rc < 0)
-						break;
-				}
-			} else {
-				rc = nl_addr_dup(nl_sock, c->ifi6,
-						 nl_sock_ns, c->pasta_ifi,
-						 AF_INET6);
-			}
-
-			if (rc < 0) {
-				die("Couldn't set IPv6 address(es) in namespace: %s",
-				    strerror_(-rc));
-			}
-
-			if (c->ip6.no_copy_routes) {
-				rc = nl_route_set_def(nl_sock_ns, c->pasta_ifi,
-						      AF_INET6,
-						      &c->ip6.guest_gw);
-			} else {
-				rc = nl_route_dup(nl_sock, c->ifi6,
-						  nl_sock_ns, c->pasta_ifi,
-						  AF_INET6);
-			}
-
-			if (c->ifi6 == -1 && rc == -ENOTSUP) {
-				warn("IPv6 not supported, disabling");
-				c->ifi6 = 0;
-				goto ipv6_done;
-			}
-
-			if (rc < 0) {
-				die("Couldn't set IPv6 route(s) in guest: %s",
-				    strerror_(-rc));
-			}
-		}
+	proto_update_l2_buf(c->guest_mac);
+
+	if (!c->pasta_conf_ns)
+		return;
+
+	if (c->mtu)
+		nl_link_set_mtu(nl_sock_ns, c->pasta_ifi, c->mtu);
+
+	if (c->ifi6) /* Avoid duplicate address detection on link up */
+		flags |= IFF_NOARP;
Pre-existing, but this looks weird.  Why are we setting a property for
IPv6 next to the IPv4 configuration code?  And does IFF_NOARP actually
affect IPv6 DAD? I thought that was the IFA_F_NODAD flag which we use
elsewhere.
...
+
+	nl_link_set_flags(nl_sock_ns, c->pasta_ifi, flags, flags);
+
+	/* IPv4 configuration */
+	rc = pasta_conf_addrs(c, AF_INET, c->ifi4, c->ip4.no_copy_addrs);
+	if (c->ifi4 == -1 && rc == -ENOTSUP) {
+		warn("IPv4 not supported, disabling");
+		c->ifi4 = 0;
+	} else if (rc < 0) {
+		die("Couldn't set IPv4 address(es): %s", strerror_(-rc));
+	} else if (c->ifi4) {
+		rc = pasta_conf_routes(c, AF_INET, c->ifi4,
+				       c->ip4.no_copy_routes);
+		if (rc < 0)
+			die("Couldn't set IPv4 route(s): %s", strerror_(-rc));
  }
-ipv6_done:
-	proto_update_l2_buf(c->guest_mac);
+	if (!c->ifi6)
+		return;
+
+	rc = nl_addr_get_ll(nl_sock_ns, c->pasta_ifi,
+			    &c->ip6.addr_ll_seen);
+	if (rc < 0)
+		warn("Can't get LL address from namespace: %s",
+		     strerror_(-rc));
+
+	rc = nl_addr_set_ll_nodad(nl_sock_ns, c->pasta_ifi);
+	if (rc < 0)
+		warn("Can't set nodad for LL in namespace: %s",
+		     strerror_(-rc));
+
+	/* We dodged DAD: re-enable neighbour solicitations */
+	nl_link_set_flags(nl_sock_ns, c->pasta_ifi, 0, IFF_NOARP);
+
+	rc = pasta_conf_addrs(c, AF_INET6, c->ifi6, c->ip6.no_copy_addrs);
+	if (c->ifi6 == -1 && rc == -ENOTSUP) {
+		warn("IPv6 not supported, disabling");
+		c->ifi6 = 0;
+	} else if (rc < 0) {
+		die("Couldn't set IPv6 address(es): %s", strerror_(-rc));
+	} else {
+		rc = pasta_conf_routes(c, AF_INET6, c->ifi6,
+				       c->ip6.no_copy_routes);
+		if (rc < 0)
+			die("Couldn't set IPv6 route(s): %s", strerror_(-rc));
+	}
 }
/**
-- 
2.52.0
-- 
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson

    