From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: passt.top; dmarc=pass (p=quarantine dis=none) header.from=redhat.com
Authentication-Results: passt.top;
	dkim=pass (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=b4FkZvQS;
	dkim-atps=neutral
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	by passt.top (Postfix) with ESMTPS id 9A9B55A0624
	for <passt-dev@passt.top>; Tue, 13 Jan 2026 00:26:22 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1768260381;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=tzBk27hp7xjBy6MRrtnKyWG6q13jq33VsNa2g7ofcI0=;
	b=b4FkZvQSh/AmhpW7yfjGmosCzz1aEQKr9k8NbmnoLAiXuRIvYN2cV4KD4cSU84aq963cYz
	lX518GKCltzcc7LDfJaiLnfdJo/8K/tlxWmHJQPCt9yR5iEGHdv1CXlQpPMSE1JbLWGmZO
	oGvj9sGxItIa2azHQTKvG7aGioaQXxc=
Received: from mail-wm1-f70.google.com (mail-wm1-f70.google.com
 [209.85.128.70]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-279-g22MTzA9NY2wkJ5rDb_liQ-1; Mon, 12 Jan 2026 18:26:20 -0500
X-MC-Unique: g22MTzA9NY2wkJ5rDb_liQ-1
X-Mimecast-MFC-AGG-ID: g22MTzA9NY2wkJ5rDb_liQ_1768260379
Received: by mail-wm1-f70.google.com with SMTP id 5b1f17b1804b1-4792bd2c290so81742995e9.1
        for <passt-dev@passt.top>; Mon, 12 Jan 2026 15:26:19 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1768260378; x=1768865178;
        h=content-transfer-encoding:mime-version:organization:references
         :in-reply-to:message-id:subject:cc:to:from:date:x-gm-gg
         :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=tzBk27hp7xjBy6MRrtnKyWG6q13jq33VsNa2g7ofcI0=;
        b=i+NfRnOOLEM58GLOJwJKP+rs8D6y9JgucwZ9q76Mb+I3wGj5osjGg0QFcUIxJnN2oV
         2Rptj5WMWB72Sl+21spoMCimZidcyli9hsGT2axvox48b1QDbsvduLZ3FwMwbZALeqa9
         Hp+buPHAes8P2TjrNoQH3S/HURv2u8nxch7BOyezO+FY3U4g+SSIUrwjUPNOU8cIVonU
         WMWutvIR6vW5hQkzfpVkfsEsDoqN+9Okb4n+WmZkv0J7/jvm8lF+B9TLY31UflJpshLt
         NoJ4ZuTIqsRq6QQTHIysRlvs7Esc5ujGWt7S0i5MjAdKeNdwBoY6PRPmANaEtYTSSrXz
         dlyQ==
X-Gm-Message-State: AOJu0YwGx5H0vLcmw8aD2X2P17qGtFzXUPCZ/1NsE0LHcPJ/Un3W4daa
	/a2ZivdZRtdzZ5goduDpXJ26IXqtqaiXLWXhxmyJU1SAw3emTFIN6ozKIX5R8t5IRveNCQGSkzE
	M0ltJzB9C681u9hoJo9babIqx2BGZTWLjyouX6VFmut1+pYUhQIxglKACyILUKw==
X-Gm-Gg: AY/fxX66KyW98cMYQtwLH6O/aUwNyNbC+oOwBoh/Ysq+vNtzWfW5GHncGC+XD3yY2B4
	WeZPuy0I3sX39IaDeSYnqeWRYMSXHCQqmgO16ARrWTBukl9sfzgbKk6N28irT1ocKaY1C2RRWXW
	N0U6LZha+Jpc/otc1QX16FRpCWT3Ake5svZJP1UdZrl47PzSbrNoZGSdfpGM3e4k7oApVGrYDzK
	8kAzIDGgFGiEsdCCg1rTKi4YJjU9u8B+2zZ0uJQABEgYrwGTBhS8sEJZFF4RQdpGWDSJUtvsXJ4
	H32KV+WLpw3zE9caBUXWGK/sJeRNfMJIf0vRsOibohDaxQrnTh+VoXczqITbaOto1kBbBl2B8Ko
	FdXMo9kpDDQJeX0/mbvPjhMmqDjGPyPbcfprxHw==
X-Received: by 2002:a05:600c:a317:b0:477:b734:8c52 with SMTP id 5b1f17b1804b1-47d85bf061cmr187892705e9.14.1768260378276;
        Mon, 12 Jan 2026 15:26:18 -0800 (PST)
X-Google-Smtp-Source: AGHT+IGWz4HSuxOZd9UsQKMp08SeVxwwUroWaffKR+xRMkRAEevLstosa8vEBN6txWHjPbDGFmbsrw==
X-Received: by 2002:a05:600c:a317:b0:477:b734:8c52 with SMTP id 5b1f17b1804b1-47d85bf061cmr187892615e9.14.1768260377779;
        Mon, 12 Jan 2026 15:26:17 -0800 (PST)
Received: from maya.myfinge.rs (ifcgrfdd.trafficplex.cloud. [176.103.220.4])
        by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-47eda0fc249sm1846575e9.7.2026.01.12.15.26.16
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 12 Jan 2026 15:26:17 -0800 (PST)
Date: Tue, 13 Jan 2026 00:26:15 +0100
From: Stefano Brivio <sbrivio@redhat.com>
To: David Gibson <david@gibson.dropbear.id.au>
Subject: Re: [PATCH v3 04/14] conf, fwd: Record "auto" port forwards in
 forwarding table
Message-ID: <20260113002615.53c73c8b@elisabeth>
In-Reply-To: <20260108022948.2657573-5-david@gibson.dropbear.id.au>
References: <20260108022948.2657573-1-david@gibson.dropbear.id.au>
	<20260108022948.2657573-5-david@gibson.dropbear.id.au>
Organization: Red Hat
X-Mailer: Claws Mail 4.2.0 (GTK 3.24.49; x86_64-pc-linux-gnu)
MIME-Version: 1.0
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: v3bPw9pgAZV2v9p2TAGWmsvUaB-yWSELgx0p7f_jCpQ_1768260379
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-ID-Hash: J262JO2STBHICPYVZ3LXBSC3KVTX3N4O
X-Message-ID-Hash: J262JO2STBHICPYVZ3LXBSC3KVTX3N4O
X-MailFrom: sbrivio@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: passt-dev@passt.top
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/20260113002615.53c73c8b@elisabeth/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/J262JO2STBHICPYVZ3LXBSC3KVTX3N4O/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

On Thu,  8 Jan 2026 13:29:38 +1100
David Gibson <david@gibson.dropbear.id.au> wrote:

> Currently the forwarding table records details of explicit port forwards,
> but nothing for -[tTuU] auto.  That looks a little odd on the debug output,
> and will be a problem for future changes.
> 
> Extend the forward table to have rules for auto-scanned forwards,
> using a new FWD_SCAN flag.  For now the mechanism of auto port
> forwarding isn't updated, and we will only create a single FWD_SCAN
> rule per protocol and direction.  We'll better integrate auto scanning
> with other forward table mechanics in future.
> 
> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
> ---
>  conf.c | 31 ++++++++++++++++++++++++++-----
>  fwd.c  | 18 +++++++++++-------
>  fwd.h  |  2 ++
>  3 files changed, 39 insertions(+), 12 deletions(-)
> 
> diff --git a/conf.c b/conf.c
> index b486fefe..0bcf80d7 100644
> --- a/conf.c
> +++ b/conf.c
> @@ -135,7 +135,7 @@ static int parse_port_range(const char *s, char **endptr,
>   * @ifname:	Listening interface
>   * @first:	First port to forward
>   * @last:	Last port to forward
> - * @exclude:	Bitmap of ports to exclude
> + * @exclude:	Bitmap of ports to exclude (may be NULL)
>   * @to:		Port to translate @first to when forwarding
>   * @flags:	Flags for forwarding entries
>   */
> @@ -168,11 +168,11 @@ static void conf_ports_range_except(const struct ctx *c, char optname,
>  	}
>  
>  	for (base = first; base <= last; base++) {
> -		if (bitmap_isset(exclude, base))
> +		if (exclude && bitmap_isset(exclude, base))
>  			continue;
>  
>  		for (i = base; i <= last; i++) {
> -			if (bitmap_isset(exclude, i))
> +			if (exclude && bitmap_isset(exclude, i))
>  				break;
>  
>  			if (bitmap_isset(fwd->map, i)) {
> @@ -180,9 +180,9 @@ static void conf_ports_range_except(const struct ctx *c, char optname,
>  "Altering mapping of already mapped port number: %s", optarg);
>  			}
>  
> -			if (optname == 't')
> +			if (!(flags & FWD_SCAN) && optname == 't')
>  				fd = tcp_listen(c, PIF_HOST, addr, ifname, i);
> -			else if (optname == 'u')
> +			else if (!(flags & FWD_SCAN) && optname == 'u')
>  				fd = udp_listen(c, PIF_HOST, addr, ifname, i);
>  			else
>  				/* No way to check in advance for -T and -U */
> @@ -2202,6 +2202,27 @@ void conf(struct ctx *c, int argc, char **argv)
>  	if (!c->udp.fwd_out.mode)
>  		c->udp.fwd_out.mode = fwd_default;
>  
> +	if (c->tcp.fwd_in.mode == FWD_AUTO) {
> +		conf_ports_range_except(c, 't', "auto", &c->tcp.fwd_in,
> +					NULL, NULL, 1, NUM_PORTS - 1,
> +					NULL, 1, FWD_SCAN);
> +	}
> +	if (c->tcp.fwd_out.mode == FWD_AUTO) {
> +		conf_ports_range_except(c, 'T', "auto", &c->tcp.fwd_out,
> +					NULL, "lo", 1, NUM_PORTS - 1,
> +					NULL, 1, FWD_SCAN);
> +	}
> +	if (c->udp.fwd_in.mode == FWD_AUTO) {
> +		conf_ports_range_except(c, 'u', "auto", &c->udp.fwd_in,
> +					NULL, NULL, 1, NUM_PORTS - 1,
> +					NULL, 1, FWD_SCAN);
> +	}
> +	if (c->udp.fwd_out.mode == FWD_AUTO) {
> +		conf_ports_range_except(c, 'U', "auto", &c->udp.fwd_out,
> +					NULL, "lo", 1, NUM_PORTS - 1,
> +					NULL, 1, FWD_SCAN);
> +	}
> +
>  	if (!c->quiet)
>  		conf_print(c);
>  }
> diff --git a/fwd.c b/fwd.c
> index ad398e54..69aca441 100644
> --- a/fwd.c
> +++ b/fwd.c
> @@ -344,7 +344,7 @@ void fwd_rule_add(struct fwd_ports *fwd, uint8_t flags,
>  		  in_port_t first, in_port_t last, in_port_t to)
>  {
>  	/* Flags which can be set from the caller */
> -	const uint8_t allowed_flags = FWD_WEAK;
> +	const uint8_t allowed_flags = FWD_WEAK | FWD_SCAN;
>  	struct fwd_rule *new;
>  	unsigned port;
>  
> @@ -375,7 +375,8 @@ void fwd_rule_add(struct fwd_ports *fwd, uint8_t flags,
>  
>  	for (port = new->first; port <= new->last; port++) {
>  		/* Fill in the legacy data structures to match the table */
> -		bitmap_set(fwd->map, port);
> +		if (!(new->flags & FWD_SCAN))
> +			bitmap_set(fwd->map, port);
>  		fwd->delta[port] = new->to - new->first;
>  	}
>  }
> @@ -391,19 +392,22 @@ void fwd_rules_print(const struct fwd_ports *fwd)
>  	for (i = 0; i < fwd->count; i++) {
>  		const struct fwd_rule *rule = &fwd->rules[i];
>  		const char *weak = rule->flags & FWD_WEAK ? " WEAK" : "";
> +		const char *scan = rule->flags & FWD_SCAN ? " AUTO" : "";
>  		const char *percent = *rule->ifname ? "%" : "";
>  		char addr[INANY_ADDRSTRLEN];
>  
>  		inany_ntop(fwd_rule_addr(rule), addr, sizeof(addr));
>  
>  		if (rule->first == rule->last) {
> -			info("    [%s]%s%s:%hu  =>  %hu %s",
> +			info("    [%s]%s%s:%hu  =>  %hu %s%s",
>  			     addr, percent, rule->ifname,
> -			     rule->first, rule->to, weak);
> +			     rule->first, rule->to, weak, scan);
>  		} else {
> -			info("    [%s]%s%s:%hu-%hu  =>  %hu-%hu %s",
> -			     addr, percent, rule->ifname, rule->first, rule->last,
> -			     rule->to, rule->last - rule->first + rule->to, weak);
> +			info("    [%s]%s%s:%hu-%hu  =>  %hu-%hu %s%s",
> +			     addr, percent, rule->ifname,
> +			     rule->first, rule->last,
> +			     rule->to, rule->last - rule->first + rule->to,
> +			     weak, scan);
>  		}
>  	}
>  }
> diff --git a/fwd.h b/fwd.h
> index 3dfc7959..94869c2a 100644
> --- a/fwd.h
> +++ b/fwd.h
> @@ -26,6 +26,7 @@ bool fwd_port_is_ephemeral(in_port_t port);
>   * @flags:	Flag mask
>   * 	FWD_DUAL_STACK_ANY - match any IPv4 or IPv6 address (@addr should be ::)
>   *	FWD_WEAK - Don't give an error if binds fail for some forwards
> + *	FWD_SCAN - Only forward if we scan a listener on the target

Nit: I guess this could be slightly more descriptive than "scan a
listener", mentioning for example "if the corresponding port is bound
on the target".

>   *
>   * FIXME: @addr and @ifname currently ignored for outbound tables
>   */
> @@ -35,6 +36,7 @@ struct fwd_rule {
>  	in_port_t first, last, to;
>  #define FWD_DUAL_STACK_ANY	BIT(0)
>  #define FWD_WEAK		BIT(1)
> +#define FWD_SCAN		BIT(2)
>  	uint8_t flags;
>  };
>  

-- 
Stefano