From: David Gibson
To: Stefano Brivio, passt-dev@passt.top
CC: David Gibson
Subject: [PATCH v4 12/13] fwd_rule: Allow "all" port specs to be combined with other options
Date: Thu, 2 Jul 2026 16:31:42 +1000
Message-ID: <20260702063143.676932-13-david@gibson.dropbear.id.au>
In-Reply-To: <20260702063143.676932-1-david@gibson.dropbear.id.au>
References: <20260702063143.676932-1-david@gibson.dropbear.id.au>
List-Id: Development discussion and patches for passt

Currently we handle -t all and the like as a special case; it can't be combined with other port specifier options. Remove that restriction, allowing combined options like:

    -t all,~9999    # Forward everything non-ephemeral except 9999
    -t all,auto     # Equivalent to -t auto
    -t all,33000    # Forward non-ephemeral plus port 33,000

This isn't particularly useful immediately, but will become important for destination address specification - it provides a place to attach the target address for "all" or exclude-only mappings. It will also work better with some parsing reworks we want to make.

Signed-off-by: David Gibson
---
 conf.c     | 11 +++++------
 fwd_rule.c | 39 ++++++++++++++++++++-------------------
 passt.1    | 33 ++++++++++++++++-----------------
 3 files changed, 41 insertions(+), 42 deletions(-)

diff --git a/conf.c b/conf.c index c4a36dee..a610c0c6 100644 --- a/conf.c +++ b/conf.c
@@ -660,11 +660,9 @@ static void usage(const char *name, FILE *f, int status) " SPEC can be:\n" " 'none': don't forward any ports\n" " [ADDR[%%IFACE]/]PORTS: forward specific ports\n" - " PORTS is either 'all' (forward all unbound, non-ephemeral\n" - " ports), or a comma-separated list of ports, optionally\n" - " ranged with '-' and optional target ports after ':'.\n" - " Ranges can be reduced by excluding ports or ranges\n" - " prefixed by '~'.\n" + " PORTS is comma-separated list of ports, either\n" + " 'all', a port number or range. Ranges can be reduced\n" + " by excluding ports or ranges prefixed by '~'.\n" "%s" " Examples:\n" " -t all Forward all ports\n" @@ -677,7 +675,8 @@ static void usage(const char *name, FILE *f, int status) " corresponding port numbers plus 10\n" " -t 192.0.2.1/5 Bind port 5 of 192.0.2.1 to %s\n" " -t 5-25,~10-20 Forward ports 5 to 9, and 21 to 25\n" - " -t ~25 Forward all ports except for 25\n" + " -t ~25,all\n" + " -t 25 Forward all ports except for 25\n" "%s" " default: %s\n" " -u, --udp-ports SPEC UDP port forwarding to %s\n" diff --git a/fwd_rule.c b/fwd_rule.c index 6d7ec2c5..b14df340 100644 --- a/fwd_rule.c +++ b/fwd_rule.c @@ -471,20 +471,13 @@ static void fwd_rule_parse_ports(struct fwd_table *fwd, bool del, uint8_t proto, uint8_t flags = 0; unsigned i; - if (!strcmp(spec, "all")) { - /* Treat "all" as equivalent to "": all non-ephemeral ports */ - spec = ""; - } - /* Parse excluded ranges and "auto" in the first pass */ for_each_chunk(p, ep, spec, ",") { struct port_range xrange; - if (isdigit(*p)) { - /* Include range, parse later */ - exclude_only = false; + /* Include range, parse later */ + if (parse_literal(&p, "all") || isdigit(*p)) continue; - } if (parse_literal(&p, "auto")) { if (p != ep) /* Garbage after the keyword */ 
@@ -512,20 +505,18 @@ static void fwd_rule_parse_ports(struct fwd_table *fwd, bool del, uint8_t proto, bitmap_set(exclude, i); } - if (exclude_only) { - /* Exclude ephemeral ports */ - fwd_port_map_ephemeral(exclude); - - fwd_rule_range_except(fwd, del, proto, addr, ifname, - 1, NUM_PORTS - 1, exclude, - 1, flags | FWD_WEAK); - return; - } - /* Now process base ranges, skipping exclusions */ for_each_chunk(p, ep, spec, ",") { struct port_range orig_range, mapped_range; + /* Handle "all" like exclude only */ + if (parse_literal(&p, "all")) { + if (p != ep) /* Garbage after the keyword */ + goto bad; + + continue; + } + if (!isdigit(*p)) /* Already parsed */ continue; @@ -533,6 +524,8 @@ static void fwd_rule_parse_ports(struct fwd_table *fwd, bool del, uint8_t proto, if (!parse_port_range(&p, &orig_range)) goto bad; + exclude_only = false; + if (parse_literal(&p, ":")) { /* There's a range to map to as well */ if (!parse_port_range(&p, &mapped_range)) @@ -553,6 +546,14 @@ static void fwd_rule_parse_ports(struct fwd_table *fwd, bool del, uint8_t proto, mapped_range.first, flags); } + /* Finally handle "all" and exclude only specs */ + if (exclude_only) { + fwd_port_map_ephemeral(exclude); + + fwd_rule_range_except(fwd, del, proto, addr, ifname, + 1, NUM_PORTS - 1, exclude, + 1, flags | FWD_WEAK); + } return; bad: die("Invalid port specifier '%s'", spec); diff --git a/passt.1 b/passt.1 index 908fd4a4..c3722ef9 100644 --- a/passt.1 +++ b/passt.1 
@@ -432,29 +432,22 @@ Send \fIname\fR as Client FQDN: DHCP option 81 and DHCPv6 option 39. .TP .BR \-t ", " \-\-tcp-ports " " \fIspec -Configure TCP port forwarding to guest or namespace. \fIspec\fR can be one of: +Configure TCP port forwarding to guest or namespace. \fIspec\fR can be either: .RS .TP .BR none Don't forward any ports +or .TP [\fIaddress\fR[\fB%\fR\fIinterface\fR]\fB/\fR]\fIports\fR ... -Specific ports to forward. Optionally, a specific listening address -and interface name (since Linux 5.7) can be specified. \fIports\fR -may be either: -.RS -.TP -\fBall\fR -Forward all unbound, non-ephemeral ports, as permitted by current -capabilities. For low (< 1024) ports, see \fBNOTES\fR. No failures -are reported for unavailable ports, unless no ports could be forwarded -at all. + +Ports to forward. Optionally, a specific listening address and +interface name (since Linux 5.7) can be specified. .RE -.RS -or a comma-separated list of entries which may be any of: +\fIports\fR is a comma-separated list of entries which may be any of: .TP \fIfirst\fR[\fB-\fR\fIlast\fR][\fB:\fR\fItofirst\fR[\fB-\fR\fItolast\fR]] Include range. Forward port numbers between \fIfirst\fR and \fIlast\fR @@ -468,6 +461,13 @@ as \fIfirst\fR. Exclude range. Don't forward port numbers between \fIfirst\fR and \fIlast\fR. This takes precedences over include ranges. +.TP +.BR all +Forward all unbound, non-ephemeral ports, not covered by exclude +ranges above, as permitted by current capabilities. For low (< 1024) +ports, see \fBNOTES\fR. No failures are reported for unavailable +ports, unless no ports could be forwarded at all. + .TP .BR auto \fBpasta\fR only. Only forward ports in the specified set if the 
@@ -477,10 +477,9 @@ periodically derived (every second) from listening sockets reported by .RE Specifying excluded ranges only implies that all other non-ephemeral -ports are forwarded. Specifying no ranges at all implies forwarding -all non-ephemeral ports permitted by current capabilities. In this -case, no failures are reported for unavailable ports, unless no ports -could be forwarded at all. +ports are forwarded. Specifying no ranges is equivalent +to '\fBall\fR'. In this case, no failures are reported for +unavailable ports, unless no ports could be forwarded at all. Examples: .RS -- 2.55.0
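Review bot: the rewritten PORTS description in the conf.c usage() hunk at -660 drops the only mention of target-port mapping (the removed "optionally ranged with '-' and optional target ports after ':'"), so the help text no longer says that ':' exists even though the examples right below it still show a mapped range; "PORTS is comma-separated list" is also missing its article. Suggest something like `"    PORTS is a comma-separated list of entries, each either\n"` / `"    'all' or a port number or range, optionally mapped to\n"` / `"    target ports after ':'. Ranges can be reduced by ...\n"`.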
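Review bot: in the second conf.c usage() hunk at -677, the replacement example reads `"  -t 25  Forward all ports except for 25\n"`, which pairs `-t 25` (forward port 25 only) with the description that belongs to the exclusion form; as written it documents the opposite of what `-t 25` does. Presumably the `~` was lost and the line should read `-t ~25`. Since the point is that `-t ~25,all` and `-t ~25` are equivalent, one line covering both would be clearer, e.g. `"  -t ~25,all  Forward all ports except for 25 (same as -t ~25)\n"`.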
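Review bot: the final block added in the fwd_rule.c hunk at -553 only runs when `exclude_only` is true, but nothing records that "all" was actually seen: the "all" branch added in the -512 hunk just validates the keyword and `continue`s, and the `exclude_only = false;` added in the -533 hunk is set by any numeric include range. So for `-t all,33000` (one of the examples in the commit message), and equally `-t 33000,all`, the catch-all `fwd_rule_range_except()` call is skipped and only port 33000 ends up forwarded; `-t all,~9999` still works only because an exclude range never clears `exclude_only`. Suggest a dedicated flag, `bool all = false;`, set in the "all" branch, and `if (all || exclude_only) {` for the final block, which is what the comment "Finally handle "all" and exclude only specs" already describes. A test for "all" combined with an include range would have caught this, and is worth adding to the series.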
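Review bot: the roff structure in the passt.1 hunk at -432 no longer balances: the hunk removes two `.RS` lines but keeps both `.RE` lines that closed them (the one right after "Ports to forward." and the one in the -477 hunk's context after the `auto` entry), so the second `.RE` now has no opening `.RS` and the `first`, `~first`, `all` and `auto` entries render at the outer indent rather than under the `ports` item. Two smaller rendering issues in the same hunk: the bare `or` line after "Don't forward any ports" is filled into that paragraph ("Don't forward any ports or"), and the empty `+` line directly after the `.TP` tag line `[\fIaddress\fR[\fB%\fR\fIinterface\fR]\fB/\fR]\fIports\fR ...` inserts a blank paragraph between the tag and "Ports to forward.". Suggest dropping the empty line, giving "or" its own `.P` (or folding it into the sentence before the list), and wrapping the entry list in its own `.RS`/`.RE` pair so the `.RE` after `auto` has an opener.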
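Review bot: the new `.BR all` entry in the passt.1 hunk at -468 is followed by an empty `+` line before the next `.TP`, which adds vertical space none of the neighbouring entries have; drop it. The commas in "non-ephemeral ports, not covered by exclude ranges above, as permitted" make the exclusion read as an aside rather than a restriction; suggest "Forward all unbound, non-ephemeral ports not covered by the exclude ranges above, as permitted by current capabilities." While touching this region, the context line "This takes precedences over include ranges." has a pre-existing typo (precedence) that could be fixed in the same hunk.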