Sync from SUSE:SLFO:Main passt revision c6400eef2467e9a3dbafc9289b411e3c

2024-09-17 14:40:23 +02:00 · 2024-09-17 14:40:23 +02:00 · 6fc7e38c5e
commit 6fc7e38c5e
parent 9933c6e284
6 changed files with 221 additions and 12 deletions
--- a/2
+++ b/2
@ -4,7 +4,7 @@
    <param name="scm">git</param>
    <param name="changesgenerate">enable</param>
    <param name="versionformat">%cs.%h</param>
-    <param name="revision">2024_06_24.1ee2eca</param>
+    <param name="revision">2024_09_06.6b38f07</param>
  </service>
  <service mode="manual" name="recompress">
    <param name="file">*.tar</param>
--- a/2
+++ b/2
@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                <param name="url">https://passt.top/passt</param>
-              <param name="changesrevision">1ee2ecade3f41e2a3e51c1e580b08cba977a7c8d</param></service></servicedata>
+              <param name="changesrevision">6b38f0723949f8b4b2787ee55d4330249a1a4a3e</param></service></servicedata>
--- a/passt-20240624.1ee2eca.tar.zst
+++ b/passt-20240624.1ee2eca.tar.zst
--- a/passt-20240906.6b38f07.tar.zst
+++ b/passt-20240906.6b38f07.tar.zst
--- a/passt.changes
+++ b/passt.changes
@ -1,3 +1,203 @@
+-------------------------------------------------------------------
+Thu Sep 12 11:08:38 UTC 2024 - Cathy Hu <cathy.hu@suse.com>
+
+- Fix passt-selinux to use selinux macros instead of calling semodule
+  by hand, which leads to unwanted policy reload on Micro (bsc#1229132)
+
+-------------------------------------------------------------------
+Mon Sep 09 06:57:41 UTC 2024 - dcermak@suse.com
+
+- Update to version 20240906.6b38f07:
+  * apparmor: Allow read access to /proc/sys/net/ipv4/ip_local_port_range
+  * selinux: Allow read access to /proc/sys/net/ipv4/ip_local_port_range
+  * tap: Don't risk truncating frames on full buffer in tap_pasta_input()
+  * tap: Restructure in tap_pasta_input()
+  * tap: Improve handling of EINTR in tap_passt_input()
+  * tap: Split out handling of EPOLLIN events
+  * util: Fix order of operands and carry of one second in timespec_diff_us()
+  * cppcheck: Work around some cppcheck 2.15.0 redundantInitialization warnings
+  * tcp: Use EPOLLET for any state of not established connections
+  * udp: Handle more error conditions in udp_sock_errs()
+  * udp: Treat errors getting errors as unrecoverable
+  * udp: Split socket error handling out from udp_sock_recv()
+  * flow: Helpers to log details of a flow
+  * udp: Allow UDP flows to be prematurely closed
+  * flow: Fix incorrect hash probe in flowside_lookup()
+  * log: Don't prefix log file messages with time and severity if they're continuations
+  * Makefile: Enable _FORTIFY_SOURCE iff needed
+  * fwd, conf: Probe host's ephemeral ports
+  * conf, fwd: Don't attempt to forward port 0
+  * conf, fwd: Make ephemeral port logic more flexible
+  * seccomp.sh: Try to account for terminal width while formatting list of system calls
+  * udp: Use dual stack sockets for port forwarding when possible
+  * udp: Remove unnnecessary local from udp_sock_init()
+  * udp: Merge udp[46]_mh_recv arrays
+  * test: Look for possible sshd-session paths (if it's there at all) in mbuto's profile
+
+-------------------------------------------------------------------
+Thu Aug 22 08:15:06 UTC 2024 - dcermak@suse.com
+
+- Update to version 20240821.1d6142f:
+  * README: pasta is indeed a supported back-end for rootless Docker
+  * util: Don't stop on unrelated values when looking for --fd in close_open_files()
+  * test: Update list of dependencies in README.md
+  * tcp, udp: Allow timerfd_gettime64() and recvmmsg_time64() on arm (armhf)
+  * util: Provide own version of close_range(), and no-op fallback
+  * udp_flow: Add missing unistd.h include for close()
+  * test: Duplicate existing recvfrom() valgrind suppression for recv()
+  * test/passt.mbuto: Install sshd-session OpenSSH's split process
+  * test/passt.mbuto: Run sshd from vsock proxy with absolute path
+  * test/lib/setup: Transform i686 kernel architecture name into QEMU name (i386)
+  * treewide: Allow additional system calls for i386/i686
+  * fwd, conf: Allow NAT of the guest's assigned address
+  * fwd: Distinguish translatable from untranslatable addresses on inbound
+  * conf: Allow address remapped to host to be configured
+  * test: Reconfigure IPv6 address after changing MTU
+  * conf, fwd: Split notion of gateway/router from guest-visible host address
+  * Don't take "our" MAC address from the host
+  * fwd: Split notion of "our tap address" from gateway for IPv4
+  * fwd: Helpers to clarify what host addresses aren't guest accessible
+  * Initialise our_tap_ll to ip6.gw when suitable
+  * Clarify which addresses in ip[46]_ctx are meaningful where
+  * treewide: Change misleading 'addr_ll' name
+  * util: Correct sock_l4() binding for link local addresses
+  * conf: Remove incorrect initialisation of addr_ll_seen
+  * conf: Treat --dns addresses as guest visible addresses
+  * conf: Correct setting of dns_match address in add_dns6()
+  * conf: Move adding of a nameserver from resolv.conf into subfunction
+  * conf: Move DNS array bounds checks into add_dns[46]
+  * conf: More accurately count entries added in get_dns()
+  * conf: Use array indices rather than pointers for DNS array slots
+  * treewide: Use struct assignment instead of memcpy() for IP addresses
+  * treewide: Rename MAC address fields for clarity
+  * util: Helper for formatting MAC addresses
+  * treewide: Use "our address" instead of "forwarding address"
+  * netlink: Fix typo in function comment for nl_addr_set()
+  * pasta: Disable neighbour solicitations on device up to prevent DAD
+  * netlink, pasta: Fetch link-local address from namespace interface once it's up
+  * netlink, pasta: Disable DAD for link-local addresses on namespace interface
+  * netlink, pasta: Turn nl_link_up() into a generic function to set link flags
+  * netlink, pasta: Split MTU setting functionality out of nl_link_up()
+  * netlink: Fix typo in function comment for nl_addr_get()
+  * test: Speed up by cutting on eye candy and performance test duration
+
+-------------------------------------------------------------------
+Thu Aug 15 06:18:55 UTC 2024 - dcermak@suse.com
+
+- Update to version 20240814.61c0b0d:
+  * flow: Don't crash if guest attempts to connect to port 0
+  * conf: Don't ignore -t and -u options after -D
+  * ndp.c: Turn NDP responder into more declarative implementation
+  * conf: Delay handling -D option until after addresses are configured
+  * Correct inaccurate comments on ip[46]_ctx::addr
+  * log: Don't prefix message with timestamp on --debug if it's a continuation
+  * conf: Stop parsing options at first non-option argument
+  * passt, util: Close any open file that the parent might have leaked
+  * nstool: Propagate SIGTERM to processes executed in the namespace
+  * nstool: Fix some trivial typos
+  * log: Avoid duplicate calls to logtime()
+  * log: Handle errors from clock_gettime()
+  * log: Correct formatting of timestamps
+  * util: Some corrections for timespec_diff_us
+  * conf, pasta: Make -g and -a skip route/addresses copy for matching IP version only
+
+-------------------------------------------------------------------
+Tue Aug 06 16:58:22 UTC 2024 - dcermak@suse.com
+
+- Update to version 20240806.ee36266:
+  * log, passt: Keep printing to stderr when passt is running in foreground
+  * tcp_splice: Fix side in OUT_WAIT flag setting
+  * util: Use unsigned (size_t) value for iov length
+  * udp_flow: move all udp_flow functions to udp_flow.c
+  * udp_flow: Remove udp_meta_t from the parameters of udp_flow_from_sock()
+  * log: Make logfile_write() private
+  * pasta: Save errno on signal handler entry, restore on return when needed
+  * pasta: modify hostname when detaching new namespace
+  * Fix typo in README file
+  * fedora/rpkg: List myself as author for changelog entries
+
+-------------------------------------------------------------------
+Thu Aug 01 05:57:09 UTC 2024 - dcermak@suse.com
+
+- Update to version 20240726.57a21d2:
+  * tap: Improve handling of partially received frames on qemu socket
+  * tap: Correctly handle frames of odd length
+  * tap: Don't use EPOLLET on Qemu sockets
+  * tap: Don't attempt to carry on if we get a bad frame length from qemu
+  * tap: Better report errors receiving from QEMU socket
+  * log: Fetch log times with CLOCK_MONOTONIC, not CLOCK_REALTIME
+  * log: Initialise timestamp for relative log time also if we use a log file
+  * log, util: Fix sub-second part in relative log time calculation
+  * test/lib/perf_report: Fix highlight
+  * test: Fix spurious test failure with systemd-resolved
+  * fwd: Broaden what we consider for DNS specific forwarding rules
+  * fwd: Refactor tests in fwd_nat_from_tap() for clarity
+  * conf: Accept addresses enclosed by square brackets in port forwarding specifiers
+  * tap: Exit if we fail to bind a UNIX domain socket with explicit path
+  * test: iperf3 3.16 introduces multiple threads, drop our own implementation of that
+  * test: Update names of symbols and slabinfo entries
+  * test: Fix memory/passt tests, --netns-only is not a valid option for passt
+  * log: Drop newlines in the middle of the perror()-like messages
+  * tcp: Change SO_PEEK_OFF support message to debug()
+  * tap: Don't quit if pasta gets EIO on writev() to tap, interface might be down
+  * tcp: Correctly update SO_PEEK_OFF when tcp_send_frames() drops frames
+  * tcp: probe for SO_PEEK_OFF both in tcpv4 and tcp6
+  * udp: Rename UDP listening sockets
+  * udp: Remove rdelta port forwarding maps
+  * udp: Remove obsolete socket tracking
+  * udp: Direct datagrams from host to guest via flow table
+  * udp: Find or create flows for datagrams from tap interface
+  * udp: Remove obsolete splice tracking
+  * udp: Handle "spliced" datagrams with per-flow sockets
+  * udp: Create flows for datagrams from originating sockets
+  * fwd: Update flow forwarding logic for UDP
+  * flow, icmp: Use general flow forwarding rules for ICMP
+  * flow, tcp: Flow based NAT and port forwarding for TCP
+  * icmp: Manage outbound socket address via flow table
+  * flow: Helper to create sockets based on flowside
+  * icmp: Eliminate icmp_id_map
+  * icmp: Look up ping flows using flow hash
+  * icmp: Obtain destination addresses from the flowsides
+  * icmp: Remove redundant id field from flow table entry
+  * tcp: Re-use flow hash for initial sequence number generation
+  * flow, tcp: Generalise TCP hash table to general flow hash table
+  * tcp, flow: Replace TCP specific hash function with general flow hash
+  * tcp_splice: Eliminate SPLICE_V6 flag
+  * tcp: Simplify endpoint validation using flowside information
+  * tcp: Manage outbound address via flow table
+  * tcp: Obtain guest address from flowside
+  * tcp, flow: Remove redundant information, repack connection structures
+  * flow: Common address information for target side
+  * flow: Common address information for initiating side
+  * doc: Extend zero-recv test with methods using msghdr
+  * doc: Test behaviour of closing duplicate UDP sockets
+  * tcp_splice: Use parameterised macros for per-side event/flag bits
+  * flow: Introduce flow_foreach_sidei() macro
+  * flow, tcp_splice: Prefer 'sidei' for variables referring to side index
+  * flow, icmp, tcp: Clean up helpers for getting flow from index
+  * udp: Handle errors on UDP sockets
+  * util: Add AF_UNSPEC support to sockaddr_ntop()
+  * udp, tcp: Tweak handling of no_udp and no_tcp flags
+  * udp: Make udp_sock_recv static
+  * conf: Don't configure port forwarding for a disabled protocol
+  * tcp: handle shrunk window advertisements from guest
+  * tcp: leverage support of SO_PEEK_OFF socket option when available
+  * doc: Trivial fix for reuseaddr-priority
+  * doc: Test behaviour of zero length datagram recv()s
+  * doc: Add program to document and test assumptions about SO_REUSEADDR
+  * udp: Consolidate datagram batching
+  * udp: Move some more of sock_handler tasks into sub-functions
+  * udp: Don't repeatedly initialise udp[46]_eth_hdr
+  * udp: Unify udp[46]_l2_iov
+  * udp: Unify udp[46]_mh_splice
+  * udp: Rename IOV and mmsghdr arrays
+  * udp: Pass full epoll reference through more of sock handler path
+  * flow: Add flow_sidx_valid() helper
+  * util: sock_l4() determine protocol from epoll type rather than the reverse
+  * conf: Use the right maximum buffer size for c->sock_path
+  * tcp_splice: Check return value of setsockopt() for SO_RCVLOWAT
+  * conf: Copy up to MAXDNSRCH - 1 bytes, not MAXDNSRCH
+
 -------------------------------------------------------------------
 Thu Jul  4 16:34:45 UTC 2024 - Danish Prakash <danish.prakash@suse.com>

--- a/passt.spec
+++ b/passt.spec
@ -43,8 +43,9 @@
 %endif
 %endif

+%global selinuxtype targeted
 Name:           passt
-Version:        20240624.1ee2eca
+Version:        20240906.6b38f07
 Release:        0
 Summary:        User-mode networking daemons for virtual machines and namespaces
 License:        GPL-2.0-or-later AND BSD-3-Clause
@ -135,13 +136,21 @@ popd
 %endif

 %if %{with selinux}
-%post selinux
-semodule -i %{_datadir}/selinux/packages/%{name}/passt.pp 2>/dev/null || :
-semodule -i %{_datadir}/selinux/packages/%{name}/pasta.pp 2>/dev/null || :
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}

-%preun selinux
-semodule -r passt 2>/dev/null || :
-semodule -r pasta 2>/dev/null || :
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{name}/passt.pp
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{name}/pasta.pp
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+	%selinux_modules_uninstall -s %{selinuxtype} passt
+	%selinux_modules_uninstall -s %{selinuxtype} pasta
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
 %endif

 %files