Sync from SUSE:SLFO:Main passt revision a6d7406fcf24b3fa1b7257c2f2f9fae3

_service

@@ -4,7 +4,7 @@
     <param name="scm">git</param>
     <param name="changesgenerate">enable</param>
     <param name="versionformat">%cs.%h</param>
-    <param name="revision">2024_06_24.1ee2eca</param>
+    <param name="revision">2025_04_15.2340bbf</param>
   </service>
   <service mode="manual" name="recompress">
     <param name="file">*.tar</param>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://passt.top/passt</param>
-              <param name="changesrevision">1ee2ecade3f41e2a3e51c1e580b08cba977a7c8d</param></service></servicedata>
+              <param name="changesrevision">2340bbf867e6c3c3b5ac67345b0e841ab49bbaa5</param></service></servicedata>

passt.changes

@@ -1,3 +1,582 @@
+-------------------------------------------------------------------
+Wed Apr 16 06:17:16 UTC 2025 - dcermak@suse.com
+
+- Update to version 20250415.2340bbf:
+  * udp: Propagate errors on listening and brand new sockets
+  * udp: Minor re-organisation of udp_sock_recverr()
+  * udp: Add udp_pktinfo() helper
+  * udp: Deal with errors as we go in udp_sock_fwd()
+  * udp: Pass socket & flow information direction to error handling functions
+  * udp: Be quieter about errors on UDP receive
+  * udp: Fix breakage of UDP error handling by PKTINFO support
+  * conf: Honour --dns-forward for local resolver even with --no-map-gw
+  * conf: Split add_dns_resolv() into separate IPv4 and IPv6 versions
+  * udp, udp_flow: Track our specific address on socket interfaces
+  * inany: Improve ASSERT message for bad socket family
+  * udp: Use PKTINFO cmsgs to get destination address for received datagrams
+  * tcp_splice: Don't clobber errno before checking for EAGAIN
+  * tcp_splice: Don't double count bytes read on EINTR
+  * conf: Add missing return in conf_nat(), fix --map-guest-addr none
+  * udp_flow: Save 8 bytes in struct udp_flow on 64-bit architectures
+  * udp_flow: Don't discard packets that arrive between bind() and connect()
+  * udp: Fold udp_splice_prepare and udp_splice_send into udp_sock_to_sock
+  * udp: Rework udp_listen_sock_data() into udp_sock_fwd()
+  * udp_flow: Take pif and port as explicit parameters to udp_flow_from_sock()
+  * udp: Move UDP_MAX_FRAMES to udp.c
+  * udp: Merge vhost-user and "buf" listening socket paths
+  * udp: Split spliced forwarding path from udp_buf_reply_sock_data()
+  * udp: Parameterize number of datagrams handled by udp_*_reply_sock_data()
+  * udp: Don't bother to batch datagrams from "listening" socket
+  * udp: Polish udp_vu_sock_info() and remove from vu specific code
+  * udp: Make udp_sock_recv() take max number of frames as a parameter
+  * udp: Use connect()ed sockets for initiating side
+  * udp: support traceroute in direction tap-socket
+  * passt-repair: Ensure that read buffer is NULL-terminated
+  * udp: Correct some seccomp filter annotations
+  * udp: Simplify updates to UDP flow timestamp
+  * udp: Remove redundant udp_at_sidx() call in udp_tap_handler()
+  * passt-repair: Correct off-by-one error verifying name
+  * migrate, tcp: bind() migrated sockets in repair mode
+  * platform requirements: Add test for address conflicts with TCP_REPAIR
+  * platform requirements: Add attributes to die() function
+  * platform requirements: Fix clang-tidy warning
+  * udp: Improve name of UDP related ICMP sending functions
+  * udp: Don't attempt to forward ICMP socket errors to other sockets
+  * pasta, passt-repair: Support multiple events per read() in inotify handlers
+  * udp: correct source address for ICMP messages
+  * build: normalize arm targets
+  * udp: Add helper function for creating connected UDP socket
+  * udp: Always hash socket facing flowsides
+  * udp: Better handling of failure to forward from reply socket
+  * udp: Share more logic between vu and non-vu reply socket paths
+  * udp_vu: Factor things out of udp_vu_reply_sock_data() loop
+  * udp: Simplify checking of epoll event bits
+  * udp: Common invocation of udp_sock_errs() for vhost-user and "buf" paths
+  * packet: Upgrade severity of most packet errors
+  * packet: ASSERT on signs of pool corruption
+  * util: Add abort_with_msg() and ASSERT_WITH_MSG() helpers
+  * packet: Rework packet_get() versus packet_get_try()
+  * packet: Move checks against PACKET_MAX_LEN to packet_check_range()
+  * packet: Avoid integer overflows in packet_get_do()
+  * packet: Correct type of PACKET_MAX_LEN
+  * tap: Clarify calculation of TAP_MSGS
+  * tap: Make size of pool_tap[46] purely a tuning parameter
+  * packet: More cautious checks to avoid pointer arithmetic UB
+  * vu_common: Tighten vu_packet_check_range()
+
+-------------------------------------------------------------------
+Thu Mar 20 14:38:07 UTC 2025 - dcermak@suse.com
+
+- Update to version 20250320.32f6212:
+  * Makefile: Enable -Wformat-security
+  * conf: Include libgen.h for basename(), fix build against musl
+  * tcp: Flush socket before checking for more data in active close state
+  * migrate: Bump migration version number
+  * migrate, tcp: Migrate RFC 7323 timestamp
+  * migrate, tcp: More careful marshalling of mss parameter during migration
+  * passt-repair: Fix build with -Werror=format-security
+  * tcp, flow: Better use flow specific logging heleprs
+  * conf: Unify several paths in conf_ports()
+  * test/perf: Simplify iperf3 server lifetime management
+  * conf: Limit maximum MTU based on backend frame size
+  * pcap: Correctly set snaplen based on tap backend type
+  * Simplify sizing of pkt_buf
+  * tap: Use explicit defines for maximum length of L2 frame
+  * packet: Remove redundant TAP_BUF_BYTES define
+  * packet: Give explicit name to maximum packet size
+  * conf: Detect vhost-user mode earlier
+  * conf: Move mode detection into helper function
+  * conf: Use the same optstring for passt and pasta modes
+  * flow, repair: Wait for a short while for passt-repair to connect
+  * passt-repair: Add directory watch
+  * cppcheck: Add suppressions for "logically" exported functions
+  * vhost_user: Don't export several functions
+  * tcp: Don't export tcp_update_csum()
+  * checksum: Don't export various functions
+  * log: Don't export passt_vsyslog()
+  * treewide: Mark assorted functions static
+  * udp: create and send ICMPv6 to local peer when applicable
+  * tap: break out building of udp header from tap_udp6_send function
+  * udp: create and send ICMPv4 to local peer when applicable
+  * tap: break out building of udp header from tap_udp4_send function
+  * conf: Be more precise about minimum MTUs
+  * tcp: Send RST in response to guest packets that match no connection
+  * tap: Consider IPv6 flow label when building packet sequences
+  * ip: Helpers to access IPv6 flow label
+  * migrate, tcp: Don't flow_alloc_cancel() during incoming migration
+  * tcp: Unconditionally move to CLOSED state on tcp_rst()
+  * tcp: Correct error code handling from tcp_flow_repair_socket()
+  * migrate, flow: Don't attempt to migrate TCP flows without passt-repair
+  * migrate, flow: Trivially succeed if migrating with no flows
+  * selinux: Fixes/workarounds for passt and passt-repair, mostly for libvirt usage
+  * seccomp.sh: Silence stty errors
+  * tap: always set the no_frag flag in IPv4 headers
+  * contrib/fedora: Actually install passt-repair SELinux policy file
+  * dhcp: Add option code byte in calculation for OPT_MAX boundary check
+  * Makefile: Use mmap2() as alternative for mmap() in valgrind extra syscalls
+  * conf: Use 0 instead of -1 as "unassigned" mtu value
+  * conf: More thorough error checking when parsing --mtu option
+  * flow: Clean up and generalise flow traversal macros
+  * flow: Remove unneeded bound parameter from flow traversal macros
+  * flow: Remove unneeded index from foreach_* macros
+  * flow: Add flow_perror() helper
+  * tcp: Don't pass both flow pointer and flow index
+  * tcp: Remove spurious prototype for tcp_flow_migrate_shrink_window
+  * tcp: More type safety for tcp_flow_migrate_target_ext()
+  * tcp_vu: head_cnt need not be global
+  * tap: Remove unused ETH_HDR_INIT() macro
+  * packet: Don't pass start and offset separately to packet_check_range()
+  * packet: Use flexible array member in struct pool
+  * dhcp: Remove option 255 length byte
+
+-------------------------------------------------------------------
+Thu Mar  6 10:50:13 UTC 2025 - Dan Čermák <dcermak@suse.com>
+
+- Introduce apparmor subpackage, fixes bsc#1238597
+
+-------------------------------------------------------------------
+Mon Feb 17 13:53:53 UTC 2025 - dcermak@suse.com
+
+- Update to version 20250217.a1e48a0:
+  * test: Add migration tests
+  * migrate: Migrate TCP flows
+  * repair, passt-repair: Build and warning fixes for musl
+  * tcp_splice: A typo three years ago and SO_RCVLOWAT is gone
+  * tcp_splice: Don't wake up on input data if we can't write it anywhere
+  * vhost_user: Clear ring address on GET_VRING_BASE
+  * tcp, tcp_splice: Don't set SO_SNDBUF and SO_RCVBUF to maximum values
+  * tcp: Keep updating window and checking for socket data after FIN from guest
+  * contrib/selinux: Enable mapping guest memory for libvirt guests
+  * selinux: Add rules needed to run tests
+  * rampstream: Add utility to test for corruption of data streams
+  * tcp: Get bound address for connected inbound sockets too
+  * vhost_user: Make source quit after reporting migration state
+  * Add interfaces and configuration bits for passt-repair
+  * migrate: Migrate guest observed addresses
+  * migrate: Skeleton of live migration logic
+  * passt-repair: Fix off-by-one in check for number of file descriptors
+  * tcp_vu: Fix off-by one in header count array adjustment
+  * tcp: Implement conservative zero-window probe on ACK timeout
+  * tcp: Don't discard window information on keep-alive segments
+  * dhcp, dhcpv6: Add hostname and client fqdn ops
+  * conf: Don't map DNS traffic to host, if host gateway is a resolver
+  * passt-repair: Send one confirmation *per command*, not *per socket*
+  * dhcp: Don't re-use request message for reply
+  * passt-repair: Dodge "structurally unreachable code" warning from Coverity
+  * passt-repair: Fix calculation of payload length from cmsg_len
+  * passt-repair: Don't use perror(), accept ECONNRESET as termination
+  * conf, passt.1: Un-deprecate --host-lo-to-ns-lo
+  * debug: Add tcpdump to mbuto.img
+  * apparmor: Workaround for unconfined libvirtd when triggered by unprivileged user
+  * passt-repair.1: Fix indication of TCP_REPAIR constants
+  * passt-repair: Build fixes for musl
+  * passt-repair: use _exit() over return
+  * treewide: use _exit() over exit()
+  * tcp: Simplify handling of getsockname()
+  * migrate: Fix several errors with passt-repair
+  * doc: Add mock of migration source and target
+  * tcp: Get socket port and address using getsockname() when connecting from guest
+  * Introduce passt-repair
+  * vhost_user: Turn some vhost-user message reports to trace()
+  * util: Add read_remainder() and read_all_buf()
+  * tcp_splice, udp_flow: fcntl64() support on PPC64 depends on glibc version
+  * vhost_user: On 32-bit ARM, mmap() is not available, mmap2() is used instead
+  * tcp: Don't reset outbound connection on SYN retries
+  * pasta.te: fix demo.sh and remove one duplicate rule
+  * tcp: Add HOSTSIDE(x), HOSTFLOW(x) macros
+  * util: Rename and make global vu_remove_watch()
+  * tcp: Always pass NULL event with EPOLL_CTL_DEL
+  * vhost-user: Implement an empty VHOST_USER_SEND_RARP command
+  * netlink: Skip loopback interface while looking for a template
+
+-------------------------------------------------------------------
+Wed Jan 22 08:34:13 UTC 2025 - dcermak@suse.com
+
+- Update to version 20250121.4f2c8e7:
+  * vhost_user: Drop packet with unsupported iovec array
+  * tcp: Set PSH flag for last incoming packets in a batch
+  * tcp: Set ACK flag on *all* RST segments, even for client in SYN-SENT state
+  * tcp: Disable Nagle's algorithm (set TCP_NODELAY) on all sockets
+  * tcp: Buffer sizes are *not* inherited on accept()/accept4()
+  * vhost_user: remove ASSERT() on iovec number
+  * vhost-user: Report to front-end we support VHOST_USER_PROTOCOL_F_DEVICE_STATE
+  * vhost-user: add VHOST_USER_SET_DEVICE_STATE_FD command
+  * vhost-user: add VHOST_USER_CHECK_DEVICE_STATE command
+  * vhost-user: Report to front-end we support VHOST_USER_PROTOCOL_F_LOG_SHMFD
+  * vhost-user: add VHOST_USER_SET_LOG_BASE command
+  * vhost-user: Pass vu_dev to more virtio functions
+  * vhost-user: add VHOST_USER_SET_LOG_FD command
+  * vhost-user: update protocol features and commands list
+  * tcp: Mask EPOLLIN altogether if we're blocked waiting on an ACK from the guest
+  * tcp: Set EPOLLET when when reading from a socket fails with EAGAIN
+  * tcp: Don't subscribe to EPOLLOUT events on STALLED
+  * tcp: Fix ACK sequence getting out of sync on EPOLLOUT wake-up
+  * vhost_user: fix multibuffer from linux
+  * test/pasta_podman: Run Podman tests on a single CPU thread
+  * checksum: fix checksum with odd base address
+  * tcp_splice: Set (again) TCP_NODELAY on both sides
+  * seccomp: Unconditionally allow accept(2) even if accept4(2) is present
+  * virtio: Use const pointer for vu_dev
+  * udp_flow: Don't block multicast and broadcast messages
+  * Makefile: Report error and stop if we can't set TARGET
+  * README: Mark vhost-user as supported
+
+-------------------------------------------------------------------
+Thu Dec 12 13:41:51 UTC 2024 - dcermak@suse.com
+
+- Update to version 20241211.09478d5:
+  * treewide: Dodge dynamic memory allocation in strerror() from glibc > 2.40
+  * pasta: make it possible to disable socket splicing
+  * tap: Call vu_init() with --fd
+  * tap: Use a common function to start a new connection
+  * udp_vu: update segment size
+  * flow: Remove over-zealous sanity checks in flow_sidx_hash()
+  * udp: Improve detail of UDP endpoint sanity checking
+  * perf/passt_vu_tcp: Make it shine
+  * tcp_vu: Compute IPv4 header checksum if dlen changes
+  * Makefile: Use make internal string functions
+  * tcp_vu: Remove unnecessary tcp_vu_update_check() function
+  * tcp: Merge tcp_fill_headers[46]() with each other
+  * tcp: Merge tcp_update_check_tcp[46]()
+  * tcp: Pass TCP header and payload separately to tcp_fill_headers[46]()
+  * tcp: Pass TCP header and payload separately to tcp_update_check_tcp[46]()
+  * iov, checksum: Replace csum_iov() with csum_iov_tail()
+  * iov: iov tail helpers
+  * tcp_vu: Change 'dlen' to ssize_t in tcp_vu_data_from_sock()
+  * Fix build on 32bit target
+  * virtio: check if avail ring is configured
+  * tcp: Move tcp_l2_buf_fill_headers() to tcp_buf.c
+  * test: Add tests for passt in vhost-user mode
+  * vhost-user: add vhost-user
+  * passt: rename tap_sock_init() to tap_backend_init()
+  * tcp: Export headers functions
+  * udp: Prepare udp.c to be shared with vhost-user
+  * vhost-user: introduce vhost-user API
+  * vhost-user: introduce virtio API
+  * packet: replace struct desc by struct iovec
+
+-------------------------------------------------------------------
+Wed Nov 27 14:19:40 UTC 2024 - dcermak@suse.com
+
+- Update to version 20241127.c0fbc7e:
+  * dhcp: Honour broadcast flag (RFC 2131, 4.1)
+  * dhcp: Introduce support for Rapid Commit (option 80, RFC 4039)
+  * dhcp: Use -1 as "missing option" length instead of 0
+  * treewide: Introduce 'local mode' for disconnected setups
+  * test: Improve logic for waiting for SLAAC & DAD to complete in NDP tests
+  * ndp: Don't send first periodic router advertisement right after guest connects
+  * test/perf: Select a single IPv6 namespace address in pasta tests
+  * conf, passt.1: Update --mac-addr default in usage() and man page
+  * passt.1: Fix "default" note about --map-guest-addr
+
+-------------------------------------------------------------------
+Mon Nov 25 07:27:04 UTC 2024 - dcermak@suse.com
+
+- Update to version 20241121.238c69f:
+  * tcp: Acknowledge keep-alive segments, ignore them for the rest
+  * tcp: Reset ACK_TO_TAP_DUE flag whenever an ACK isn't needed anymore
+  * ndp: Don't send unsolicited RAs if NDP is disabled
+  * ndp: Don't send unsolicited router advertisement if we can't, yet
+  * selinux: Use auth_read_passwd() interface for all our getpwnam() needs
+  * ndp: Send unsolicited Router Advertisements
+  * passt: Seed libc's pseudo random number generator
+  * util: Add general low-level random bytes helper
+  * ndp: Make route lifetime a #define
+  * ndp: Use struct assignment in preference to memcpy() for IPv6 addresses
+  * ndp: Split out helpers for sending specific NDP message types
+  * ndp: Add ndp_send() helper
+  * ndp: Remove redundant update to addr_seen
+  * cppcheck: Don't check the system headers
+  * linux_dep: Fix CLOSE_RANGE_UNSHARE availability handling
+  * linux_dep: Move close_range() conditional handling to linux_dep.h
+  * log: Only check for FALLOC_FL_COLLAPSE_RANGE availability at runtime
+  * tap, tcp, util: Add some missing SOCK_CLOEXEC flags
+  * passt: Use NOLINT clang-tidy block instead of NOLINTNEXTLINE
+  * util: Define small and big thresholds for socket buffers as unsigned long long
+  * tap: Cast TAP_BUF_BYTES - ETH_MAX_MTU to ssize_t, not TAP_BUF_BYTES
+  * dhcpv6: Turn some option headers pointers to const
+  * dhcpv6: Use for loop instead of goto to avoid false positive cppcheck warning
+  * tcp: unify payload and flags l2 frames array
+  * test: Improve test for NDP assigned prefix
+  * test: Don't require 64-bit prefixes in perf tests
+  * test: Make nstool hold robust against interruptions to control clients
+  * test: Rename propagating signal handler
+  * util: Work around cppcheck bug 6936
+  * udp: Don't dereference uflow before NULL check in udp_reply_sock_handler()
+  * ndp: Use const pointer for ndp_ns packet
+  * linux_dep: Generalise tcp_info.h to handling Linux extension compatibility
+  * fwd: Squash different-signedness comparison warning
+  * util: Remove unused ffsl() function
+  * clang: Add rudimentary clangd configuration
+  * Makefile: Don't attempt to auto-detect stack size
+  * Makefile: Use -DARCH for qrap only
+  * seccomp: Simplify handling of AUDIT_ARCH
+  * Makefile: Move NETNS_RUN_DIR definition to C code
+  * netlink: RTA_PAYLOAD() returns int, not size_t
+  * flow: Correct type of flowside_at_sidx()
+  * arch: Avoid explicit access to 'environ'
+  * clang: Move clang-tidy configuration from Makefile to .clang-tidy
+  * Makefile: Simplify exclusion of qrap from static checks
+  * clang: Add .clang-format file
+  * test: Adjust misplaced sleeps in two_guests code
+  * tap: Explicitly cast TUNSETIFF to fix build warning with musl on ppc64le
+  * tcp: Fix build against musl, __sum16 comes from linux/types.h
+
+-------------------------------------------------------------------
+Mon Nov 04 10:10:37 UTC 2024 - dcermak@suse.com
+
+- Update to version 20241030.ee7d0b6:
+  * util: Don't use errno after a successful call in __daemon()
+  * udp: Take care of cert-int09-c clang-tidy warning for enum udp_iov_idx
+  * treewide: Address cert-err33-c clang-tidy warnings for clock and timer functions
+  * treewide: Suppress clang-tidy warning if we already use O_CLOEXEC
+  * Makefile: Disable readability-math-missing-parentheses clang-tidy check
+  * treewide: Silence cert-err33-c clang-tidy warnings for fprintf()
+  * treewide: Comply with CERT C rule ERR33-C for snprintf()
+  * Makefile: Exclude qrap.c from clang-tidy checks
+  * tcp: unify l2 TCPv4 and TCPv6 queues and structures
+  * tcp: set ip and eth headers in l2 tap queues on the fly
+  * test: remove obsolete images
+  * tcp: cleanup tcp_buf_data_from_sock()
+  * tcp: Use runtime tests for TCP_INFO fields
+  * tcp: Generalise probing for tcpi_snd_wnd field
+  * tcp: Remove compile-time dependency on struct tcp_info version
+  * tcp_splice: fcntl(2) returns the size of the pipe, if F_SETPIPE_SZ succeeds
+  * tcp_splice: splice() all we have to the writing side, not what we just read
+  * tcp: Use structures to construct initial TCP options
+  * fwd: Direct inbound spliced forwards to the guest's external address
+  * test: Clarify test for spliced inbound transfers
+  * passt.1: Clarify and update "Handling of local addresses" section
+  * passt.1: Mark --stderr as deprecated more prominently
+  * test: Wait for DAD on DHCPv6 addresses
+  * test: Explicitly wait for DAD to complete on SLAAC addresses
+  * arp: Fix a handful of small warts
+  * tcp: Send "empty" handshake ACK before first data segment
+  * test: Pass TRACE from run_term() into ./run from_term
+  * test/lib/term: Always use printf for messages with escape sequences
+  * conf: Add --dns-host option to configure host side nameserver
+  * conf: Add command line switch to enable IP_FREEBIND socket option
+  * udp: Update UDP checksum using an iovec array
+  * tcp: Update TCP checksum using an iovec array
+  * checksum: Add an offset argument in csum_iov()
+  * pcap: Add an offset argument in pcap_iov()
+  * tcp: Use tcp_payload_t rather than tcphdr
+  * test: Kernel binary can now be passed via the KERNEL environmental variable
+  * inany: Add inany_pton() helper
+  * tcp, udp: Make {tcp,udp}_sock_init() take an inany address
+  * util, pif: Replace sock_l4() with pif_sock_l4()
+  * udp: Don't attempt to get dual-stack sockets in nonsensical cases
+  * tcp: Allow checksum to be disabled
+  * udp: Allow checksum to be disabled
+  * util: Remove possible quadratic behaviour from write_remainder()
+  * util: Add helper to write() all of a buffer
+  * tcp: Make tcp_update_seqack_wnd()s force_seq parameter explicitly boolean
+  * tcp: Simplify ifdef logic in tcp_update_seqack_wnd()
+  * tcp: Clean up tcpi_snd_wnd probing
+  * tcp: Make some extra functions private
+  * tcp: Avoid overlapping memcpy() in DUP_ACK handling
+  * tcp: Remove redundant initialisation of iov[TCP_IOV_ETH].iov_base
+
+-------------------------------------------------------------------
+Thu Sep 12 11:08:38 UTC 2024 - Cathy Hu <cathy.hu@suse.com>
+
+- Fix passt-selinux to use selinux macros instead of calling semodule
+  by hand, which leads to unwanted policy reload on Micro (bsc#1229132)
+
+-------------------------------------------------------------------
+Mon Sep 09 06:57:41 UTC 2024 - dcermak@suse.com
+
+- Update to version 20240906.6b38f07:
+  * apparmor: Allow read access to /proc/sys/net/ipv4/ip_local_port_range
+  * selinux: Allow read access to /proc/sys/net/ipv4/ip_local_port_range
+  * tap: Don't risk truncating frames on full buffer in tap_pasta_input()
+  * tap: Restructure in tap_pasta_input()
+  * tap: Improve handling of EINTR in tap_passt_input()
+  * tap: Split out handling of EPOLLIN events
+  * util: Fix order of operands and carry of one second in timespec_diff_us()
+  * cppcheck: Work around some cppcheck 2.15.0 redundantInitialization warnings
+  * tcp: Use EPOLLET for any state of not established connections
+  * udp: Handle more error conditions in udp_sock_errs()
+  * udp: Treat errors getting errors as unrecoverable
+  * udp: Split socket error handling out from udp_sock_recv()
+  * flow: Helpers to log details of a flow
+  * udp: Allow UDP flows to be prematurely closed
+  * flow: Fix incorrect hash probe in flowside_lookup()
+  * log: Don't prefix log file messages with time and severity if they're continuations
+  * Makefile: Enable _FORTIFY_SOURCE iff needed
+  * fwd, conf: Probe host's ephemeral ports
+  * conf, fwd: Don't attempt to forward port 0
+  * conf, fwd: Make ephemeral port logic more flexible
+  * seccomp.sh: Try to account for terminal width while formatting list of system calls
+  * udp: Use dual stack sockets for port forwarding when possible
+  * udp: Remove unnnecessary local from udp_sock_init()
+  * udp: Merge udp[46]_mh_recv arrays
+  * test: Look for possible sshd-session paths (if it's there at all) in mbuto's profile
+
+-------------------------------------------------------------------
+Thu Aug 22 08:15:06 UTC 2024 - dcermak@suse.com
+
+- Update to version 20240821.1d6142f:
+  * README: pasta is indeed a supported back-end for rootless Docker
+  * util: Don't stop on unrelated values when looking for --fd in close_open_files()
+  * test: Update list of dependencies in README.md
+  * tcp, udp: Allow timerfd_gettime64() and recvmmsg_time64() on arm (armhf)
+  * util: Provide own version of close_range(), and no-op fallback
+  * udp_flow: Add missing unistd.h include for close()
+  * test: Duplicate existing recvfrom() valgrind suppression for recv()
+  * test/passt.mbuto: Install sshd-session OpenSSH's split process
+  * test/passt.mbuto: Run sshd from vsock proxy with absolute path
+  * test/lib/setup: Transform i686 kernel architecture name into QEMU name (i386)
+  * treewide: Allow additional system calls for i386/i686
+  * fwd, conf: Allow NAT of the guest's assigned address
+  * fwd: Distinguish translatable from untranslatable addresses on inbound
+  * conf: Allow address remapped to host to be configured
+  * test: Reconfigure IPv6 address after changing MTU
+  * conf, fwd: Split notion of gateway/router from guest-visible host address
+  * Don't take "our" MAC address from the host
+  * fwd: Split notion of "our tap address" from gateway for IPv4
+  * fwd: Helpers to clarify what host addresses aren't guest accessible
+  * Initialise our_tap_ll to ip6.gw when suitable
+  * Clarify which addresses in ip[46]_ctx are meaningful where
+  * treewide: Change misleading 'addr_ll' name
+  * util: Correct sock_l4() binding for link local addresses
+  * conf: Remove incorrect initialisation of addr_ll_seen
+  * conf: Treat --dns addresses as guest visible addresses
+  * conf: Correct setting of dns_match address in add_dns6()
+  * conf: Move adding of a nameserver from resolv.conf into subfunction
+  * conf: Move DNS array bounds checks into add_dns[46]
+  * conf: More accurately count entries added in get_dns()
+  * conf: Use array indices rather than pointers for DNS array slots
+  * treewide: Use struct assignment instead of memcpy() for IP addresses
+  * treewide: Rename MAC address fields for clarity
+  * util: Helper for formatting MAC addresses
+  * treewide: Use "our address" instead of "forwarding address"
+  * netlink: Fix typo in function comment for nl_addr_set()
+  * pasta: Disable neighbour solicitations on device up to prevent DAD
+  * netlink, pasta: Fetch link-local address from namespace interface once it's up
+  * netlink, pasta: Disable DAD for link-local addresses on namespace interface
+  * netlink, pasta: Turn nl_link_up() into a generic function to set link flags
+  * netlink, pasta: Split MTU setting functionality out of nl_link_up()
+  * netlink: Fix typo in function comment for nl_addr_get()
+  * test: Speed up by cutting on eye candy and performance test duration
+
+-------------------------------------------------------------------
+Thu Aug 15 06:18:55 UTC 2024 - dcermak@suse.com
+
+- Update to version 20240814.61c0b0d:
+  * flow: Don't crash if guest attempts to connect to port 0
+  * conf: Don't ignore -t and -u options after -D
+  * ndp.c: Turn NDP responder into more declarative implementation
+  * conf: Delay handling -D option until after addresses are configured
+  * Correct inaccurate comments on ip[46]_ctx::addr
+  * log: Don't prefix message with timestamp on --debug if it's a continuation
+  * conf: Stop parsing options at first non-option argument
+  * passt, util: Close any open file that the parent might have leaked
+  * nstool: Propagate SIGTERM to processes executed in the namespace
+  * nstool: Fix some trivial typos
+  * log: Avoid duplicate calls to logtime()
+  * log: Handle errors from clock_gettime()
+  * log: Correct formatting of timestamps
+  * util: Some corrections for timespec_diff_us
+  * conf, pasta: Make -g and -a skip route/addresses copy for matching IP version only
+
+-------------------------------------------------------------------
+Tue Aug 06 16:58:22 UTC 2024 - dcermak@suse.com
+
+- Update to version 20240806.ee36266:
+  * log, passt: Keep printing to stderr when passt is running in foreground
+  * tcp_splice: Fix side in OUT_WAIT flag setting
+  * util: Use unsigned (size_t) value for iov length
+  * udp_flow: move all udp_flow functions to udp_flow.c
+  * udp_flow: Remove udp_meta_t from the parameters of udp_flow_from_sock()
+  * log: Make logfile_write() private
+  * pasta: Save errno on signal handler entry, restore on return when needed
+  * pasta: modify hostname when detaching new namespace
+  * Fix typo in README file
+  * fedora/rpkg: List myself as author for changelog entries
+
+-------------------------------------------------------------------
+Thu Aug 01 05:57:09 UTC 2024 - dcermak@suse.com
+
+- Update to version 20240726.57a21d2:
+  * tap: Improve handling of partially received frames on qemu socket
+  * tap: Correctly handle frames of odd length
+  * tap: Don't use EPOLLET on Qemu sockets
+  * tap: Don't attempt to carry on if we get a bad frame length from qemu
+  * tap: Better report errors receiving from QEMU socket
+  * log: Fetch log times with CLOCK_MONOTONIC, not CLOCK_REALTIME
+  * log: Initialise timestamp for relative log time also if we use a log file
+  * log, util: Fix sub-second part in relative log time calculation
+  * test/lib/perf_report: Fix highlight
+  * test: Fix spurious test failure with systemd-resolved
+  * fwd: Broaden what we consider for DNS specific forwarding rules
+  * fwd: Refactor tests in fwd_nat_from_tap() for clarity
+  * conf: Accept addresses enclosed by square brackets in port forwarding specifiers
+  * tap: Exit if we fail to bind a UNIX domain socket with explicit path
+  * test: iperf3 3.16 introduces multiple threads, drop our own implementation of that
+  * test: Update names of symbols and slabinfo entries
+  * test: Fix memory/passt tests, --netns-only is not a valid option for passt
+  * log: Drop newlines in the middle of the perror()-like messages
+  * tcp: Change SO_PEEK_OFF support message to debug()
+  * tap: Don't quit if pasta gets EIO on writev() to tap, interface might be down
+  * tcp: Correctly update SO_PEEK_OFF when tcp_send_frames() drops frames
+  * tcp: probe for SO_PEEK_OFF both in tcpv4 and tcp6
+  * udp: Rename UDP listening sockets
+  * udp: Remove rdelta port forwarding maps
+  * udp: Remove obsolete socket tracking
+  * udp: Direct datagrams from host to guest via flow table
+  * udp: Find or create flows for datagrams from tap interface
+  * udp: Remove obsolete splice tracking
+  * udp: Handle "spliced" datagrams with per-flow sockets
+  * udp: Create flows for datagrams from originating sockets
+  * fwd: Update flow forwarding logic for UDP
+  * flow, icmp: Use general flow forwarding rules for ICMP
+  * flow, tcp: Flow based NAT and port forwarding for TCP
+  * icmp: Manage outbound socket address via flow table
+  * flow: Helper to create sockets based on flowside
+  * icmp: Eliminate icmp_id_map
+  * icmp: Look up ping flows using flow hash
+  * icmp: Obtain destination addresses from the flowsides
+  * icmp: Remove redundant id field from flow table entry
+  * tcp: Re-use flow hash for initial sequence number generation
+  * flow, tcp: Generalise TCP hash table to general flow hash table
+  * tcp, flow: Replace TCP specific hash function with general flow hash
+  * tcp_splice: Eliminate SPLICE_V6 flag
+  * tcp: Simplify endpoint validation using flowside information
+  * tcp: Manage outbound address via flow table
+  * tcp: Obtain guest address from flowside
+  * tcp, flow: Remove redundant information, repack connection structures
+  * flow: Common address information for target side
+  * flow: Common address information for initiating side
+  * doc: Extend zero-recv test with methods using msghdr
+  * doc: Test behaviour of closing duplicate UDP sockets
+  * tcp_splice: Use parameterised macros for per-side event/flag bits
+  * flow: Introduce flow_foreach_sidei() macro
+  * flow, tcp_splice: Prefer 'sidei' for variables referring to side index
+  * flow, icmp, tcp: Clean up helpers for getting flow from index
+  * udp: Handle errors on UDP sockets
+  * util: Add AF_UNSPEC support to sockaddr_ntop()
+  * udp, tcp: Tweak handling of no_udp and no_tcp flags
+  * udp: Make udp_sock_recv static
+  * conf: Don't configure port forwarding for a disabled protocol
+  * tcp: handle shrunk window advertisements from guest
+  * tcp: leverage support of SO_PEEK_OFF socket option when available
+  * doc: Trivial fix for reuseaddr-priority
+  * doc: Test behaviour of zero length datagram recv()s
+  * doc: Add program to document and test assumptions about SO_REUSEADDR
+  * udp: Consolidate datagram batching
+  * udp: Move some more of sock_handler tasks into sub-functions
+  * udp: Don't repeatedly initialise udp[46]_eth_hdr
+  * udp: Unify udp[46]_l2_iov
+  * udp: Unify udp[46]_mh_splice
+  * udp: Rename IOV and mmsghdr arrays
+  * udp: Pass full epoll reference through more of sock handler path
+  * flow: Add flow_sidx_valid() helper
+  * util: sock_l4() determine protocol from epoll type rather than the reverse
+  * conf: Use the right maximum buffer size for c->sock_path
+  * tcp_splice: Check return value of setsockopt() for SO_RCVLOWAT
+  * conf: Copy up to MAXDNSRCH - 1 bytes, not MAXDNSRCH
+
 -------------------------------------------------------------------
 Thu Jul  4 16:34:45 UTC 2024 - Danish Prakash <danish.prakash@suse.com>
 

passt.spec

@@ -43,8 +43,9 @@
 %endif
 %endif
 
+%global selinuxtype targeted
 Name:           passt
-Version:        20240624.1ee2eca
+Version:        20250415.2340bbf
 Release:        0
 Summary:        User-mode networking daemons for virtual machines and namespaces
 License:        GPL-2.0-or-later AND BSD-3-Clause
@@ -62,6 +63,7 @@ BuildRequires:  selinux-policy-targeted
 %endif
 %if %{with apparmor}
 BuildRequires:  apparmor-abstractions, apparmor-rpm-macros, libapparmor-devel
+Requires:       (%{name}-apparmor if apparmor-abstractions)
 %endif
 
 %description
@@ -75,6 +77,18 @@ for network namespaces: traffic is forwarded using a tap interface inside the
 namespace, without the need to create further interfaces on the host, hence not
 requiring any capabilities or privileges.
 
+%if %{with apparmor}
+%package        apparmor
+BuildArch:      noarch
+Summary:        Apparmor profiles for passt and pasta
+Requires:       %{name} = %{version}-%{release}
+Requires:       apparmor-abstractions
+Requires(post): apparmor-parser
+
+%description apparmor
+This package contains Apparmor profiles for passt and pasta.
+%endif
+
 %if %{with selinux}
 %package    selinux
 BuildArch:  noarch
@@ -129,19 +143,27 @@ popd
 %endif
 
 %if %{with apparmor}
-%post
+%post apparmor
 %apparmor_reload %{_sysconfdir}/apparmor.d/usr.bin.passt
 %apparmor_reload %{_sysconfdir}/apparmor.d/usr.bin.pasta
 %endif
 
 %if %{with selinux}
-%post selinux
-semodule -i %{_datadir}/selinux/packages/%{name}/passt.pp 2>/dev/null || :
-semodule -i %{_datadir}/selinux/packages/%{name}/pasta.pp 2>/dev/null || :
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
 
-%preun selinux
-semodule -r passt 2>/dev/null || :
-semodule -r pasta 2>/dev/null || :
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{name}/passt.pp
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{name}/pasta.pp
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+        %selinux_modules_uninstall -s %{selinuxtype} passt
+        %selinux_modules_uninstall -s %{selinuxtype} pasta
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
 %endif
 
 %files
@@ -152,16 +174,11 @@ semodule -r pasta 2>/dev/null || :
 %{_bindir}/passt
 %{_bindir}/pasta
 %{_bindir}/qrap
-%if %{with apparmor}
-%dir %{_sysconfdir}/apparmor.d
-%dir %{_sysconfdir}/apparmor.d/abstractions/
-%config(noreplace) %{_sysconfdir}/apparmor.d/usr.bin.passt
-%config(noreplace) %{_sysconfdir}/apparmor.d/usr.bin.pasta
-%config(noreplace) %{_sysconfdir}/apparmor.d/abstractions/pas*
-%endif
+%{_bindir}/passt-repair
 %{_mandir}/man1/passt.1*
 %{_mandir}/man1/pasta.1*
 %{_mandir}/man1/qrap.1*
+%{_mandir}/man1/passt-repair.1*
 %ifarch x86_64
 %{_bindir}/passt.avx2
 %{_mandir}/man1/passt.avx2.1*
@@ -178,4 +195,13 @@ semodule -r pasta 2>/dev/null || :
 %{_datadir}/selinux/devel/include/distributed/passt.if
 %endif
 
+%if %{with apparmor}
+%files apparmor
+%dir %{_sysconfdir}/apparmor.d
+%dir %{_sysconfdir}/apparmor.d/abstractions/
+%config(noreplace) %{_sysconfdir}/apparmor.d/usr.bin.passt
+%config(noreplace) %{_sysconfdir}/apparmor.d/usr.bin.pasta
+%config(noreplace) %{_sysconfdir}/apparmor.d/abstractions/pas*
+%endif
+
 %changelog