# SPDX-License-Identifier: AGPL-3.0-or-later
#
# PASST - Plug A Simple Socket Transport
#  for qemu/UNIX domain socket mode
#
# PASTA - Pack A Subtle Tap Abstraction
#  for network namespace/tap device mode
#
# Copyright (c) 2021 Red Hat GmbH
# Author: Stefano Brivio <sbrivio@redhat.com>

CFLAGS += -Wall -Wextra -pedantic

passt: Add PASTA mode, major rework

PASTA (Pack A Subtle Tap Abstraction) provides quasi-native host
connectivity to an otherwise disconnected, unprivileged network
and user namespace, similarly to slirp4netns. Given that the
implementation is largely overlapping with PASST, no separate binary
is built: 'pasta' (and 'passt4netns' for clarity) both link to
'passt', and the mode of operation is selected depending on how the
binary is invoked. Usage example:

  $ unshare -rUn
  # echo $$
  1871759
  $ ./pasta 1871759	# From another terminal
  # udhcpc -i pasta0 2>/dev/null
  # ping -c1 pasta.pizza
  PING pasta.pizza (64.190.62.111) 56(84) bytes of data.
  64 bytes from 64.190.62.111 (64.190.62.111): icmp_seq=1 ttl=255 time=34.6 ms

  --- pasta.pizza ping statistics ---
  1 packets transmitted, 1 received, 0% packet loss, time 0ms
  rtt min/avg/max/mdev = 34.575/34.575/34.575/0.000 ms
  # ping -c1 spaghetti.pizza
  PING spaghetti.pizza(2606:4700:3034::6815:147a (2606:4700:3034::6815:147a)) 56 data bytes
  64 bytes from 2606:4700:3034::6815:147a (2606:4700:3034::6815:147a): icmp_seq=1 ttl=255 time=29.0 ms

  --- spaghetti.pizza ping statistics ---
  1 packets transmitted, 1 received, 0% packet loss, time 0ms
  rtt min/avg/max/mdev = 28.967/28.967/28.967/0.000 ms

This entails a major rework, especially with regard to the storage of
tracked connections and to the semantics of epoll(7) references.
Indexing TCP and UDP bindings merely by socket proved to be
inflexible and unsuitable to handle different connection flows: pasta
also provides Layer-2 to Layer-2 socket mapping between init and a
separate namespace for local connections, using a pair of splice()
system calls for TCP, and a recvmmsg()/sendmmsg() pair for UDP local
bindings. For instance, building on the previous example:

  # ip link set dev lo up
  # iperf3 -s
  $ iperf3 -c ::1 -Z -w 32M -l 1024k -P2 | tail -n4
  [SUM]   0.00-10.00  sec  52.3 GBytes  44.9 Gbits/sec  283             sender
  [SUM]   0.00-10.43  sec  52.3 GBytes  43.1 Gbits/sec                  receiver

  iperf Done.

epoll(7) references now include a generic part in order to
demultiplex data to the relevant protocol handler, using 24
bits for the socket number, and an opaque portion reserved for
usage by the single protocol handlers, in order to track sockets
back to corresponding connections and bindings.

A number of fixes pertaining to TCP state machine and congestion
window handling are also included here.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

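The epoll(7) reference layout the commit message describes, as an added C example that is not passt's own code: only the 24-bit socket number and the generic-part/opaque-part split come from the message; the exact field positions, the `ref_*` names and the handler ids are this example's assumptions. It shows the generic part demultiplexing on the protocol field alone, and refusing a socket number that would not fit in 24 bits rather than truncating it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <sys/epoll.h>

/* Assumed layout of the 64-bit epoll_data value (this example's choice, not
 * passt's definitions): low 24 bits socket number, next 8 bits the protocol
 * handler, upper 32 bits opaque to the dispatcher and owned by the handler. */
#define REF_SOCK_MASK    ((1ull << 24) - 1)
#define REF_PROTO_SHIFT  24
#define REF_PROTO_MASK   0xffull
#define REF_OPAQUE_SHIFT 32

enum ref_proto { REF_PROTO_NONE = 0, REF_PROTO_TCP = 1, REF_PROTO_UDP = 2 };

/* Refuse socket numbers that do not fit in 24 bits instead of truncating:
 * a truncated value aliases another socket and misroutes its events. */
static bool ref_pack(uint64_t *ref, int s, enum ref_proto proto,
		     uint32_t opaque)
{
	if (s < 0 || (uint64_t)s > REF_SOCK_MASK)
		return false;
	if ((uint64_t)proto > REF_PROTO_MASK)
		return false;
	*ref = ((uint64_t)s & REF_SOCK_MASK) |
	       ((uint64_t)proto << REF_PROTO_SHIFT) |
	       ((uint64_t)opaque << REF_OPAQUE_SHIFT);
	return true;
}

static int ref_sock(uint64_t ref) { return (int)(ref & REF_SOCK_MASK); }
static uint32_t ref_opaque(uint64_t ref) { return (uint32_t)(ref >> REF_OPAQUE_SHIFT); }
static enum ref_proto ref_proto_of(uint64_t ref)
{
	return (enum ref_proto)((ref >> REF_PROTO_SHIFT) & REF_PROTO_MASK);
}

/* Generic part of the loop: look only at the protocol field and hand the
 * reference, untouched, to that handler. Returns the handler's name. */
static const char *ref_dispatch(uint64_t ref)
{
	switch (ref_proto_of(ref)) {
	case REF_PROTO_TCP: return "tcp";
	case REF_PROTO_UDP: return "udp";
	default:            return "unknown";
	}
}

/* Register s with epoll so that epoll_wait() returns the packed reference. */
static int ref_epoll_add(int epfd, int s, enum ref_proto proto, uint32_t opaque)
{
	struct epoll_event ev = { .events = EPOLLIN };
	if (!ref_pack(&ev.data.u64, s, proto, opaque))
		return -1;
	return epoll_ctl(epfd, EPOLL_CTL_ADD, s, &ev);
}
```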
CFLAGS += -DRLIMIT_STACK_VAL=$(shell ulimit -s)
CFLAGS += -DPAGE_SIZE=$(shell getconf PAGE_SIZE)
CFLAGS += -DNETNS_RUN_DIR=\"/run/netns\"
CFLAGS += -DPASST_AUDIT_ARCH=AUDIT_ARCH_$(shell uname -m | tr [a-z] [A-Z])

# On gcc 11.2, with -O2 and -flto, tcp_hash() and siphash_20b(), if inlined,
# seem to be hitting something similar to:
# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=78993
# from the pointer arithmetic used from the tcp_tap_handler() path to get the
# remote connection address.
ifeq ($(shell $(CC) -dumpversion),11)
ifneq (,$(filter -flto%,$(CFLAGS)))
ifneq (,$(filter -O2,$(CFLAGS)))
CFLAGS += -DTCP_HASH_NOINLINE
CFLAGS += -DSIPHASH_20B_NOINLINE
endif
endif
endif

prefix ?= /usr/local

all: passt pasta passt4netns qrap

avx2: CFLAGS += -Ofast -mavx2 -ftree-vectorize -funroll-loops
avx2: clean all

static: CFLAGS += -static -DGLIBC_NO_STATIC_NSS
static: clean all

seccomp.h: *.c $(filter-out seccomp.h,$(wildcard *.h))
	@ ./seccomp.sh

passt: $(filter-out qrap.c,$(wildcard *.c)) \
	$(filter-out qrap.h,$(wildcard *.h)) seccomp.h
	$(CC) $(CFLAGS) $(filter-out qrap.c,$(wildcard *.c)) -o passt

pasta: passt
	ln -s passt pasta
	ln -s passt.1 pasta.1

passt4netns: passt
	ln -s passt passt4netns

qrap: qrap.c passt.h
|
2021-09-26 02:05:34 +00:00
|
|
|
$(CC) $(CFLAGS) -DARCH=\"$(shell uname -m)\" \
|
|
|
|
qrap.c -o qrap
|
2020-07-17 23:02:39 +00:00
|
|
|
|
2020-07-13 20:55:46 +00:00
|
|
|
.PHONY: clean
clean:
	-${RM} passt *.o seccomp.h qrap pasta pasta.1 passt4netns \
		passt.tar passt.tar.gz *.deb *.rpm

install: passt pasta qrap
	mkdir -p $(DESTDIR)$(prefix)/bin $(DESTDIR)$(prefix)/share/man/man1
	cp -d passt pasta qrap $(DESTDIR)$(prefix)/bin
	cp -d passt.1 pasta.1 qrap.1 $(DESTDIR)$(prefix)/share/man/man1

uninstall:
	-${RM} $(DESTDIR)$(prefix)/bin/passt
	-${RM} $(DESTDIR)$(prefix)/bin/pasta
	-${RM} $(DESTDIR)$(prefix)/bin/qrap
	-${RM} $(DESTDIR)$(prefix)/share/man/man1/passt.1
	-${RM} $(DESTDIR)$(prefix)/share/man/man1/pasta.1
	-${RM} $(DESTDIR)$(prefix)/share/man/man1/qrap.1

pkgs:
	tar cf passt.tar -P --xform 's//\/usr\/bin\//' passt pasta qrap
	tar rf passt.tar -P --xform 's//\/usr\/share\/man\/man1\//' \
		passt.1 pasta.1 qrap.1
	gzip passt.tar
	EMAIL="sbrivio@redhat.com" fakeroot alien --to-deb \
		--description="User-mode networking for VMs and namespaces" \
		-k --version=$(shell git rev-parse --short HEAD) \
		passt.tar.gz
	fakeroot alien --to-rpm --target=$(shell uname -m) \
		--description="User-mode networking for VMs and namespaces" \
		-k --version=g$(shell git rev-parse --short HEAD) passt.tar.gz

# Checkers currently disabled for clang-tidy:
# - llvmlibc-restrict-system-libc-headers
#	TODO: this is Linux-only for the moment, nice to fix eventually
#
# - bugprone-macro-parentheses
# - google-readability-braces-around-statements
# - hicpp-braces-around-statements
# - readability-braces-around-statements
#	Debatable whether that improves readability, right now it would look
#	like a mess
#
# - readability-magic-numbers
# - cppcoreguidelines-avoid-magic-numbers
#	TODO: in most cases they are justified, but probably not everywhere
#
# - clang-analyzer-valist.Uninitialized
#	TODO: enable once https://bugs.llvm.org/show_bug.cgi?id=41311 is fixed
#
# - clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling
#	Probably not doable to implement this without plain memcpy(), memset()
#
# - cppcoreguidelines-init-variables
#	Dubious value, would kill readability
#
# - hicpp-signed-bitwise
#	Those are needed for syscalls, epoll_wait flags, etc.
#
# - bugprone-reserved-identifier,cert-dcl37-c,cert-dcl51-cpp
#	This flags _GNU_SOURCE, currently needed
#
# - llvm-include-order
#	TODO: not really important, but nice to fix eventually
#
# - readability-isolate-declaration
#	Dubious value, would kill readability
#
# - android-cloexec-open
# - android-cloexec-pipe
# - android-cloexec-pipe2
# - android-cloexec-epoll-create1
#	TODO: check, fix except for the few cases where we need to share fds
#
# - bugprone-narrowing-conversions
# - cppcoreguidelines-narrowing-conversions
#	TODO: nice to fix eventually
#
# - cppcoreguidelines-avoid-non-const-global-variables
#	TODO: check, fix, and more in general constify wherever possible
#
# - bugprone-suspicious-string-compare
#	Return value of memcmp(), not really suspicious
clang-tidy: $(wildcard *.c)
	clang-tidy -checks=*,-modernize-*,\
	-clang-analyzer-valist.Uninitialized,\
	-cppcoreguidelines-init-variables,\
	-bugprone-macro-parentheses,\
	-google-readability-braces-around-statements,\
	-hicpp-braces-around-statements,\
	-readability-braces-around-statements,\
	-readability-magic-numbers,\
	-llvmlibc-restrict-system-libc-headers,\
	-hicpp-signed-bitwise,\
	-bugprone-reserved-identifier,-cert-dcl37-c,-cert-dcl51-cpp,\
	-clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling,\
	-llvm-include-order,\
	-cppcoreguidelines-avoid-magic-numbers,\
	-readability-isolate-declaration,\
	-android-cloexec-open,-android-cloexec-pipe,-android-cloexec-pipe2,\
	-android-cloexec-epoll-create1,\
	-bugprone-narrowing-conversions,\
	-cppcoreguidelines-narrowing-conversions,\
	-cppcoreguidelines-avoid-non-const-global-variables,\
	-bugprone-suspicious-string-compare \
	--warnings-as-errors=* $(wildcard *.c) -- $(CFLAGS)