From: Stefano Brivio <sbrivio@redhat.com>
To: David Gibson <david@gibson.dropbear.id.au>
Cc: passt-dev@passt.top
Subject: Re: [PATCH v4 12/13] fwd_rule: Allow "all" port specs to be combined with other options
Date: Thu, 02 Jul 2026 09:14:17 +0200 (CEST)
Message-ID: <20260702091415.46b49159@elisabeth>
In-Reply-To: <20260702063143.676932-13-david@gibson.dropbear.id.au>
On Thu, 2 Jul 2026 16:31:42 +1000
David Gibson <david@gibson.dropbear.id.au> wrote:
> Currently we handle -t all and the like as a special case; it can't be
> combined with other port specifier options. Remove that restriction,
> allowing combined options like:
> -t all,~9999 # Forward everything non-ephemeral except 9999
> -t all,auto # Equivalent to -t auto
> -t all,33000 # Forward non-ephemeral plus port 33,000
>
> This isn't particularly useful immediately, but will become important for
> destination address specification - it provides a place to attach the
> target address for "all" or exclude only mappings. It will also work
> better with some parsing reworks we want to make.
>
> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
> ---
> conf.c | 11 +++++------
> fwd_rule.c | 39 ++++++++++++++++++++-------------------
> passt.1 | 33 ++++++++++++++++-----------------
> 3 files changed, 41 insertions(+), 42 deletions(-)
>
> diff --git a/conf.c b/conf.c
> index c4a36dee..a610c0c6 100644
> --- a/conf.c
> +++ b/conf.c
> @@ -660,11 +660,9 @@ static void usage(const char *name, FILE *f, int status)
> " SPEC can be:\n"
> " 'none': don't forward any ports\n"
> " [ADDR[%%IFACE]/]PORTS: forward specific ports\n"
> - " PORTS is either 'all' (forward all unbound, non-ephemeral\n"
> - " ports), or a comma-separated list of ports, optionally\n"
> - " ranged with '-' and optional target ports after ':'.\n"
> - " Ranges can be reduced by excluding ports or ranges\n"
> - " prefixed by '~'.\n"
> + " PORTS is comma-separated list of ports, either\n"
I didn't really consider this change as worth updating usage and man
page (the previous version wouldn't be entirely accurate anymore but
practically speaking rather clear, I thought). If it is:
- PORTS is _a_ comma-separated ...
- I think we should maintain the description for 'all' (forward all
unbound, non-ephemeral ports), because otherwise just "Forward all
ports" below becomes particularly misleading
> + " 'all', a port number or range. Ranges can be reduced\n"
> + " by excluding ports or ranges prefixed by '~'.\n"
> "%s"
> " Examples:\n"
> " -t all Forward all ports\n"
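Review bot: the rewritten PORTS text drops the sentence about optional target ports after ':' that the removed lines carried, even though the example list that follows still relies on it (the "corresponding port numbers plus 10" entry). Suggest keeping that part, e.g. `" 'all', a port number or range, optionally followed by ':'\n"` / `" and target ports. Ranges can be reduced by excluding ports\n"` / `" or ranges prefixed by '~'.\n"`.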
> @@ -677,7 +675,8 @@ static void usage(const char *name, FILE *f, int status)
> " corresponding port numbers plus 10\n"
> " -t 192.0.2.1/5 Bind port 5 of 192.0.2.1 to %s\n"
> " -t 5-25,~10-20 Forward ports 5 to 9, and 21 to 25\n"
> - " -t ~25 Forward all ports except for 25\n"
> + " -t ~25,all\n"
> + " -t 25 Forward all ports except for 25\n"
I think the previous version makes more sense. This isn't an exhaustive
description, it just shows how to quickly do things. This is missing a
~ by the way.
> "%s"
> " default: %s\n"
> " -u, --udp-ports SPEC UDP port forwarding to %s\n"
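Review bot: the replacement example is split over two lines and the second one reads `-t 25`, which would forward only port 25 rather than "all ports except for 25"; the `~` is lost and the `-t ~25,all` line above it is left without a description. Suggest a single line, `" -t ~25,all Forward all ports except for 25\n"`, or simply keeping the old `-t ~25` example, which the new parsing still accepts.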
> diff --git a/fwd_rule.c b/fwd_rule.c
> index 6d7ec2c5..b14df340 100644
> --- a/fwd_rule.c
> +++ b/fwd_rule.c
> @@ -471,20 +471,13 @@ static void fwd_rule_parse_ports(struct fwd_table *fwd, bool del, uint8_t proto,
> uint8_t flags = 0;
> unsigned i;
>
> - if (!strcmp(spec, "all")) {
> - /* Treat "all" as equivalent to "": all non-ephemeral ports */
> - spec = "";
> - }
> -
> /* Parse excluded ranges and "auto" in the first pass */
> for_each_chunk(p, ep, spec, ",") {
> struct port_range xrange;
>
> - if (isdigit(*p)) {
> - /* Include range, parse later */
> - exclude_only = false;
> + /* Include range, parse later */
> + if (parse_literal(&p, "all") || isdigit(*p))
> continue;
> - }
>
> if (parse_literal(&p, "auto")) {
> if (p != ep) /* Garbage after the keyword */
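Review bot: the comment `/* Include range, parse later */` now sits on a condition that also matches the "all" keyword, which is not a range; reword it, e.g. `/* "all" or include range: handled in the second pass */`. A chunk like "allx" is also skipped here without the `p != ep` check, so garbage after "all" is only rejected in the second pass; that is fine because both passes walk the same spec, but a word in the comment would help the next reader.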
> @@ -512,20 +505,18 @@ static void fwd_rule_parse_ports(struct fwd_table *fwd, bool del, uint8_t proto,
> bitmap_set(exclude, i);
> }
>
> - if (exclude_only) {
> - /* Exclude ephemeral ports */
> - fwd_port_map_ephemeral(exclude);
> -
> - fwd_rule_range_except(fwd, del, proto, addr, ifname,
> - 1, NUM_PORTS - 1, exclude,
> - 1, flags | FWD_WEAK);
> - return;
> - }
> -
> /* Now process base ranges, skipping exclusions */
> for_each_chunk(p, ep, spec, ",") {
> struct port_range orig_range, mapped_range;
>
> + /* Handle "all" like exclude only */
> + if (parse_literal(&p, "all")) {
> + if (p != ep) /* Garbage after the keyword */
> + goto bad;
> +
> + continue;
> + }
> +
> if (!isdigit(*p))
> /* Already parsed */
> continue;
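Review bot: the new "all" branch only validates the keyword and `continue`s without recording that it was seen, so "all" has no effect of its own: the final `if (exclude_only)` block is what forwards the non-ephemeral range, and `exclude_only` is cleared as soon as any include range is parsed (the `exclude_only = false;` added after `parse_port_range()` below). With this patch `-t all,33000` therefore forwards only port 33000, not the non-ephemeral ports plus 33000 that the commit message promises; `-t all,~9999` and `-t all,auto` still behave because nothing clears the flag there. Suggest a separate `bool all = false;` set to true in this branch and gating the final `fwd_rule_range_except()` call on `exclude_only || all`, plus a test covering `all,<port>`.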
> @@ -533,6 +524,8 @@ static void fwd_rule_parse_ports(struct fwd_table *fwd, bool del, uint8_t proto,
> if (!parse_port_range(&p, &orig_range))
> goto bad;
>
> + exclude_only = false;
> +
> if (parse_literal(&p, ":")) {
> /* There's a range to map to as well */
> if (!parse_port_range(&p, &mapped_range))
> @@ -553,6 +546,14 @@ static void fwd_rule_parse_ports(struct fwd_table *fwd, bool del, uint8_t proto,
> mapped_range.first, flags);
> }
>
> + /* Finally handle "all" and exclude only specs */
> + if (exclude_only) {
> + fwd_port_map_ephemeral(exclude);
> +
> + fwd_rule_range_except(fwd, del, proto, addr, ifname,
> + 1, NUM_PORTS - 1, exclude,
> + 1, flags | FWD_WEAK);
> + }
> return;
> bad:
> die("Invalid port specifier '%s'", spec);
> diff --git a/passt.1 b/passt.1
> index 908fd4a4..c3722ef9 100644
> --- a/passt.1
> +++ b/passt.1
> @@ -432,29 +432,22 @@ Send \fIname\fR as Client FQDN: DHCP option 81 and DHCPv6 option 39.
>
> .TP
> .BR \-t ", " \-\-tcp-ports " " \fIspec
> -Configure TCP port forwarding to guest or namespace. \fIspec\fR can be one of:
> +Configure TCP port forwarding to guest or namespace. \fIspec\fR can be either:
> .RS
>
> .TP
> .BR none
> Don't forward any ports
>
> +or
> .TP
> [\fIaddress\fR[\fB%\fR\fIinterface\fR]\fB/\fR]\fIports\fR ...
> -Specific ports to forward. Optionally, a specific listening address
> -and interface name (since Linux 5.7) can be specified. \fIports\fR
> -may be either:
> -.RS
> -.TP
> -\fBall\fR
> -Forward all unbound, non-ephemeral ports, as permitted by current
> -capabilities. For low (< 1024) ports, see \fBNOTES\fR. No failures
> -are reported for unavailable ports, unless no ports could be forwarded
> -at all.
> +
> +Ports to forward. Optionally, a specific listening address and
> +interface name (since Linux 5.7) can be specified.
> .RE
>
> -.RS
> -or a comma-separated list of entries which may be any of:
> +\fIports\fR is a comma-separated list of entries which may be any of:
> .TP
> \fIfirst\fR[\fB-\fR\fIlast\fR][\fB:\fR\fItofirst\fR[\fB-\fR\fItolast\fR]]
> Include range. Forward port numbers between \fIfirst\fR and \fIlast\fR
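Review bot: the `.RS`/`.RE` pairing no longer balances in this file: two `.RS` lines are removed (the one before `\fBall\fR` and the one before "or a comma-separated list") while both `.RE` lines that closed them stay, so the `.RE` at the top of the @@ -477 hunk now has no opener and the include/exclude/all/auto entries lose the indentation that set them off from the introductory text. Either drop that `.RE` too or keep an `.RS` around the list of entries. Also, the blank line added right after the `.TP` tag line `[\fIaddress\fR[\fB%\fR\fIinterface\fR]\fB/\fR]\fIports\fR ...` renders as extra vertical space before "Ports to forward."; it should go. Worth checking the rendered output of this section with `man ./passt.1`.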
> @@ -468,6 +461,13 @@ as \fIfirst\fR.
> Exclude range. Don't forward port numbers between \fIfirst\fR and
> \fIlast\fR. This takes precedences over include ranges.
>
> +.TP
> +.BR all
> +Forward all unbound, non-ephemeral ports, not covered by exclude
> +ranges above, as permitted by current capabilities. For low (< 1024)
> +ports, see \fBNOTES\fR. No failures are reported for unavailable
> +ports, unless no ports could be forwarded at all.
> +
> .TP
> .BR auto
> \fBpasta\fR only. Only forward ports in the specified set if the
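Review bot: drive-by in the context line above, "This takes precedences over include ranges" should read "precedence". The new `all` entry describes only its interaction with exclude ranges ("not covered by exclude ranges above"); since the commit message also introduces `-t all,33000`, a sentence on how `all` combines with include ranges would complete it.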
> @@ -477,10 +477,9 @@ periodically derived (every second) from listening sockets reported by
> .RE
>
> Specifying excluded ranges only implies that all other non-ephemeral
> -ports are forwarded. Specifying no ranges at all implies forwarding
> -all non-ephemeral ports permitted by current capabilities. In this
> -case, no failures are reported for unavailable ports, unless no ports
> -could be forwarded at all.
> +ports are forwarded. Specifying no ranges is equivalent
> +to '\fBall\fR'. In this case, no failures are reported for
> +unavailable ports, unless no ports could be forwarded at all.
Nit: this could use a few more columns (I think it's slightly more
readable as source), say:
ports are forwarded. Specifying no ranges is equivalent to '\fBall\fR'. In
this case, no failures are reported for unavailable ports, unless no ports could
be forwarded at all.
--
Stefano
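An added example, not code from the patch or from passt: a constructed C model of the port-spec semantics the commit message above describes (comma-separated chunks that are `all`, an exclude `~first[-last]` or an include `first[-last]`; excludes take precedence, an exclude-only or empty spec means `all`, and `all` never covers ephemeral ports). It assumes the Linux default ephemeral range 32768-60999 and leaves out `auto` and `:` target-port mapping.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NUM_PORTS	65536
#define EPHEMERAL_FIRST	32768	/* assumption: Linux default ip_local_port_range */
#define EPHEMERAL_LAST	60999

/* Parse "first" or "first-last": unsigned decimal, no trailing garbage. */
static bool parse_range(const char *s, int *first, int *last)
{
	char *end;
	*first = *last = (int)strtol(s, &end, 10);
	if (*end == '-')
		*last = (int)strtol(end + 1, &end, 10);
	return *s >= '0' && *s <= '9' && !*end &&
	       *first >= 1 && *last >= *first && *last < NUM_PORTS;
}

/* Set fwd[p] = 1 for every port spec forwards; return false on a malformed spec. */
bool resolve_spec(const char *spec, unsigned char fwd[NUM_PORTS])
{
	unsigned char exclude[NUM_PORTS] = { 0 };
	int all = 0, include_seen = 0, first, last, p;
	char buf[256], *tok;

	memset(fwd, 0, NUM_PORTS);
	if (snprintf(buf, sizeof(buf), "%s", spec) >= (int)sizeof(buf))
		return false;	/* strtok() needs a writable copy; refuse to truncate */
	for (tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
		int excl = *tok == '~';
		if (!strcmp(tok, "all")) {
			all = 1;
			continue;
		}
		if (!parse_range(tok + excl, &first, &last))
			return false;
		memset((excl ? exclude : fwd) + first, 1, last - first + 1);
		include_seen |= !excl;
	}
	all |= !include_seen;	/* exclude-only (or empty) spec: same as "all" */
	for (p = 1; p < NUM_PORTS; p++) {
		if (all && (p < EPHEMERAL_FIRST || p > EPHEMERAL_LAST))
			fwd[p] = 1;	/* "all" never covers ephemeral ports */
		if (exclude[p])
			fwd[p] = 0;	/* exclude ranges take precedence */
	}
	return true;
}
```

With this model `all,33000` resolves to the non-ephemeral set plus 33000, `5-25,~10-20` to ports 5 to 9 and 21 to 25, and `~25` to every non-ephemeral port but 25.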
Thread overview:
2026-07-02 6:31 [PATCH v4 00/13] Rework option parsing in preparation for destination remapping David Gibson
2026-07-02 6:31 ` [PATCH v4 01/13] Makefile: Add missing PESTO_HEADERS variable David Gibson
2026-07-02 6:31 ` [PATCH v4 02/13] conf: Use parameter instead of global in conf_nat() David Gibson
2026-07-02 6:31 ` [PATCH v4 03/13] parse: Start splitting out parsing helpers David Gibson
2026-07-02 6:31 ` [PATCH v4 04/13] conf: Remove duplicate parsing of -F option David Gibson
2026-07-02 6:31 ` [PATCH v4 05/13] conf: Clean up conf_ip4_prefix() David Gibson
2026-07-02 6:31 ` [PATCH v4 06/13] parse: Add helper to parse unsigned integer values David Gibson
2026-07-02 6:31 ` [PATCH v4 07/13] parse: Move parse_port_range() to new parsing framework David Gibson
2026-07-02 6:31 ` [PATCH v4 08/13] parse: Add helpers for parsing IP addresses David Gibson
2026-07-02 6:31 ` [PATCH v4 09/13] conf: Move address configuration into helper function David Gibson
2026-07-02 6:31 ` [PATCH v4 10/13] conf: Remove unnecessary mode checks from conf_addr() David Gibson
2026-07-02 6:31 ` [PATCH v4 11/13] conf: Use new parsing tools to handle -a option David Gibson
2026-07-02 6:31 ` [PATCH v4 12/13] fwd_rule: Allow "all" port specs to be combined with other options David Gibson
2026-07-02 7:14 ` Stefano Brivio [this message]
2026-07-02 6:31 ` [PATCH v4 13/13] fwd_rule: Rewrite forward rule parsing using parse.c helpers David Gibson