public inbox for passt-dev@passt.top
 help / color / mirror / code / Atom feed
From: Stefano Brivio <sbrivio@redhat.com>
To: David Gibson <david@gibson.dropbear.id.au>
Cc: passt-dev@passt.top
Subject: Re: [PATCH v4 12/13] fwd_rule: Allow "all" port specs to be combined with other options
Date: Thu, 02 Jul 2026 09:14:17 +0200 (CEST)	[thread overview]
Message-ID: <20260702091415.46b49159@elisabeth> (raw)
In-Reply-To: <20260702063143.676932-13-david@gibson.dropbear.id.au>

On Thu,  2 Jul 2026 16:31:42 +1000
David Gibson <david@gibson.dropbear.id.au> wrote:

> Currently we handle -t all and the like as a special case, it can't be
> combined with other port specifier options.  Remove that restriction,
> allowing combined options like:
>      -t all,~9999          # Forward everything non-ephemeral except 9999
>      -t all,auto           # Equivalent to -t auto
>      -t all,33000          # Forward non-ephemeral plus port 33,000
> 
> This isn't particularly useful immediately, but will become important for
> destination address specification - it provides a place to attach the
> target address for "all" or exclude only mappings.  It will also work
> better with some parsing reworks we want to make.
> 
> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
> ---
>  conf.c     | 11 +++++------
>  fwd_rule.c | 39 ++++++++++++++++++++-------------------
>  passt.1    | 33 ++++++++++++++++-----------------
>  3 files changed, 41 insertions(+), 42 deletions(-)
> 
> diff --git a/conf.c b/conf.c
> index c4a36dee..a610c0c6 100644
> --- a/conf.c
> +++ b/conf.c
> @@ -660,11 +660,9 @@ static void usage(const char *name, FILE *f, int status)
>  		"    SPEC can be:\n"
>  		"      'none': don't forward any ports\n"
>  		"      [ADDR[%%IFACE]/]PORTS: forward specific ports\n"
> -		"        PORTS is either 'all' (forward all unbound, non-ephemeral\n"
> -		"        ports), or a comma-separated list of ports, optionally\n"
> -		"        ranged with '-' and optional target ports after ':'.\n"
> -		"        Ranges can be reduced by excluding ports or ranges\n"
> -		"        prefixed by '~'.\n"
> +		"        PORTS is comma-separated list of ports, either\n"

I didn't really consider this change as worth updating usage and man
page (the previous version wouldn't be entirely accurate anymore but
practically speaking rather clear, I thought). If it is:

- PORTS is _a_ comma-separated ...

- I think we should maintain the description for 'all' (forward all
  unbound, non-ephemeral ports), because otherwise just "Forward all
  ports" below becomes particularly misleading


> +		"        'all', a port number or range. Ranges can be reduced\n"
> +		"        by excluding ports or ranges prefixed by '~'.\n"
>  		"%s"
>  		"        Examples:\n"
>  		"        -t all		Forward all ports\n"
> @@ -677,7 +675,8 @@ static void usage(const char *name, FILE *f, int status)
>  		"			corresponding port numbers plus 10\n"
>  		"        -t 192.0.2.1/5	Bind port 5 of 192.0.2.1 to %s\n"
>  		"        -t 5-25,~10-20	Forward ports 5 to 9, and 21 to 25\n"
> -		"        -t ~25		Forward all ports except for 25\n"
> +		"        -t ~25,all\n"
> +		"        -t 25		Forward all ports except for 25\n"

I think the previous version makes more sense. This isn't an exhaustive
description, it just shows how to quickly do things. This is missing a
~ by the way.

>  		"%s"
>  		"    default: %s\n"
>  		"  -u, --udp-ports SPEC	UDP port forwarding to %s\n"
> diff --git a/fwd_rule.c b/fwd_rule.c
> index 6d7ec2c5..b14df340 100644
> --- a/fwd_rule.c
> +++ b/fwd_rule.c
> @@ -471,20 +471,13 @@ static void fwd_rule_parse_ports(struct fwd_table *fwd, bool del, uint8_t proto,
>  	uint8_t flags = 0;
>  	unsigned i;
>  
> -	if (!strcmp(spec, "all")) {
> -		/* Treat "all" as equivalent to "": all non-ephemeral ports */
> -		spec = "";
> -	}
> -
>  	/* Parse excluded ranges and "auto" in the first pass */
>  	for_each_chunk(p, ep, spec, ",") {
>  		struct port_range xrange;
>  
> -		if (isdigit(*p)) {
> -			/* Include range, parse later */
> -			exclude_only = false;
> +		/* Include range, parse later */
> +		if (parse_literal(&p, "all") || isdigit(*p))
>  			continue;
> -		}
>  
>  		if (parse_literal(&p, "auto")) {
>  			if (p != ep) /* Garbage after the keyword */
> @@ -512,20 +505,18 @@ static void fwd_rule_parse_ports(struct fwd_table *fwd, bool del, uint8_t proto,
>  			bitmap_set(exclude, i);
>  	}
>  
> -	if (exclude_only) {
> -		/* Exclude ephemeral ports */
> -		fwd_port_map_ephemeral(exclude);
> -
> -		fwd_rule_range_except(fwd, del, proto, addr, ifname,
> -				      1, NUM_PORTS - 1, exclude,
> -				      1, flags | FWD_WEAK);
> -		return;
> -	}
> -
>  	/* Now process base ranges, skipping exclusions */
>  	for_each_chunk(p, ep, spec, ",") {
>  		struct port_range orig_range, mapped_range;
>  
> +		/* Handle "all" like exclude only */
> +		if (parse_literal(&p, "all")) {
> +			if (p != ep) /* Garbage after the keyword */
> +				goto bad;
> +
> +			continue;
> +		}
> +
>  		if (!isdigit(*p))
>  			/* Already parsed */
>  			continue;
> @@ -533,6 +524,8 @@ static void fwd_rule_parse_ports(struct fwd_table *fwd, bool del, uint8_t proto,
>  		if (!parse_port_range(&p, &orig_range))
>  			goto bad;
>  
> +		exclude_only = false;
> +
>  		if (parse_literal(&p, ":")) {
>  			/* There's a range to map to as well */
>  			if (!parse_port_range(&p, &mapped_range))
> @@ -553,6 +546,14 @@ static void fwd_rule_parse_ports(struct fwd_table *fwd, bool del, uint8_t proto,
>  				      mapped_range.first, flags);
>  	}
>  
> +	/* Finally handle "all" and exclude only specs */
> +	if (exclude_only) {
> +		fwd_port_map_ephemeral(exclude);
> +
> +		fwd_rule_range_except(fwd, del, proto, addr, ifname,
> +				      1, NUM_PORTS - 1, exclude,
> +				      1, flags | FWD_WEAK);
> +	}
>  	return;
>  bad:
>  	die("Invalid port specifier '%s'", spec);
> diff --git a/passt.1 b/passt.1
> index 908fd4a4..c3722ef9 100644
> --- a/passt.1
> +++ b/passt.1
> @@ -432,29 +432,22 @@ Send \fIname\fR as Client FQDN: DHCP option 81 and DHCPv6 option 39.
>  
>  .TP
>  .BR \-t ", " \-\-tcp-ports " " \fIspec
> -Configure TCP port forwarding to guest or namespace. \fIspec\fR can be one of:
> +Configure TCP port forwarding to guest or namespace. \fIspec\fR can be either:
>  .RS
>  
>  .TP
>  .BR none
>  Don't forward any ports
>  
> +or
>  .TP
>  [\fIaddress\fR[\fB%\fR\fIinterface\fR]\fB/\fR]\fIports\fR ...
> -Specific ports to forward.  Optionally, a specific listening address
> -and interface name (since Linux 5.7) can be specified.  \fIports\fR
> -may be either:
> -.RS
> -.TP
> -\fBall\fR
> -Forward all unbound, non-ephemeral ports, as permitted by current
> -capabilities.  For low (< 1024) ports, see \fBNOTES\fR. No failures
> -are reported for unavailable ports, unless no ports could be forwarded
> -at all.
> +
> +Ports to forward.  Optionally, a specific listening address and
> +interface name (since Linux 5.7) can be specified.
>  .RE
>  
> -.RS
> -or a comma-separated list of entries which may be any of:
> +\fIports\fR is a comma-separated list of entries which may be any of:
>  .TP
>  \fIfirst\fR[\fB-\fR\fIlast\fR][\fB:\fR\fItofirst\fR[\fB-\fR\fItolast\fR]]
>  Include range. Forward port numbers between \fIfirst\fR and \fIlast\fR
> @@ -468,6 +461,13 @@ as \fIfirst\fR.
>  Exclude range.  Don't forward port numbers between \fIfirst\fR and
>  \fIlast\fR.  This takes precedences over include ranges.
>  
> +.TP
> +.BR all
> +Forward all unbound, non-ephemeral ports, not covered by exclude
> +ranges above, as permitted by current capabilities.  For low (< 1024)
> +ports, see \fBNOTES\fR. No failures are reported for unavailable
> +ports, unless no ports could be forwarded at all.
> +
>  .TP
>  .BR auto
>  \fBpasta\fR only.  Only forward ports in the specified set if the
> @@ -477,10 +477,9 @@ periodically derived (every second) from listening sockets reported by
>  .RE
>  
>  Specifying excluded ranges only implies that all other non-ephemeral
> -ports are forwarded. Specifying no ranges at all implies forwarding
> -all non-ephemeral ports permitted by current capabilities.  In this
> -case, no failures are reported for unavailable ports, unless no ports
> -could be forwarded at all.
> +ports are forwarded. Specifying no ranges is equivalent
> +to '\fBall\fR'.  In this case, no failures are reported for
> +unavailable ports, unless no ports could be forwarded at all.

Nit: this could use a few more columns (I think it's slightly more
readable as source), say:

ports are forwarded.  Specifying no ranges is equivalent to '\fBall\fR'.  In
this case, no failures are reported for unavailable ports, unless no ports could
be forwarded at all.

-- 
Stefano


  reply	other threads:[~2026-07-02  7:14 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-02  6:31 [PATCH v4 00/13] Rework option parsing in preparation for destination remapping David Gibson
2026-07-02  6:31 ` [PATCH v4 01/13] Makefile: Add missing PESTO_HEADERS variable David Gibson
2026-07-02  6:31 ` [PATCH v4 02/13] conf: Use parameter instead of global in conf_nat() David Gibson
2026-07-02  6:31 ` [PATCH v4 03/13] parse: Start splitting out parsing helpers David Gibson
2026-07-02  6:31 ` [PATCH v4 04/13] conf: Remove duplicate parsing of -F option David Gibson
2026-07-02  6:31 ` [PATCH v4 05/13] conf: Clean up conf_ip4_prefix() David Gibson
2026-07-02  6:31 ` [PATCH v4 06/13] parse: Add helper to parse unsigned integer values David Gibson
2026-07-02  6:31 ` [PATCH v4 07/13] parse: Move parse_port_range() to new parsing framework David Gibson
2026-07-02  6:31 ` [PATCH v4 08/13] parse: Add helpers for parsing IP addresses David Gibson
2026-07-02  6:31 ` [PATCH v4 09/13] conf: Move address configuration into helper function David Gibson
2026-07-02  6:31 ` [PATCH v4 10/13] conf: Remove unnecessary mode checks from conf_addr() David Gibson
2026-07-02  6:31 ` [PATCH v4 11/13] conf: Use new parsing tools to handle -a option David Gibson
2026-07-02  6:31 ` [PATCH v4 12/13] fwd_rule: Allow "all" port specs to be combined with other options David Gibson
2026-07-02  7:14   ` Stefano Brivio [this message]
2026-07-02  6:31 ` [PATCH v4 13/13] fwd_rule: Rewrite forward rule parsing using parse.c helpers David Gibson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260702091415.46b49159@elisabeth \
    --to=sbrivio@redhat.com \
    --cc=david@gibson.dropbear.id.au \
    --cc=passt-dev@passt.top \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://passt.top/passt

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).