From: Stefano Brivio
To: David Gibson
Cc: passt-dev@passt.top
Subject: Re: [PATCH v4 12/13] fwd_rule: Allow "all" port specs to be combined with other options
Message-ID: <20260702091415.46b49159@elisabeth>
In-Reply-To: <20260702063143.676932-13-david@gibson.dropbear.id.au>
References: <20260702063143.676932-1-david@gibson.dropbear.id.au> <20260702063143.676932-13-david@gibson.dropbear.id.au>
Organization: Red Hat
Date: Thu, 02 Jul 2026 09:14:17 +0200 (CEST)
List-Id: Development discussion and patches for passt

On Thu, 2 Jul 2026 16:31:42 +1000
David Gibson wrote:

> Currently we handle -t all and the like as a special case, it can't be
> combined with other port specifier options. Remove that restriction,
> allowing combined options like:
>   -t all,~9999   # Forward everything non-ephemeral except 9999
>   -t all,auto    # Equivalent to -t auto
>   -t all,33000   # Forward non-ephemeral plus port 33,000
>
> This isn't particularly useful immediately, but will become important for
> destination address specification - it provides a place to attach the
> target address for "all" or exclude only mappings.
It will also work > better with some parsing reworks we want to make. > > Signed-off-by: David Gibson > --- > conf.c | 11 +++++------ > fwd_rule.c | 39 ++++++++++++++++++++------------------- > passt.1 | 33 ++++++++++++++++----------------- > 3 files changed, 41 insertions(+), 42 deletions(-) > > diff --git a/conf.c b/conf.c > index c4a36dee..a610c0c6 100644 > --- a/conf.c > +++ b/conf.c > @@ -660,11 +660,9 @@ static void usage(const char *name, FILE *f, int status) > " SPEC can be:\n" > " 'none': don't forward any ports\n" > " [ADDR[%%IFACE]/]PORTS: forward specific ports\n" > - " PORTS is either 'all' (forward all unbound, non-ephemeral\n" > - " ports), or a comma-separated list of ports, optionally\n" > - " ranged with '-' and optional target ports after ':'.\n" > - " Ranges can be reduced by excluding ports or ranges\n" > - " prefixed by '~'.\n" > + " PORTS is comma-separated list of ports, either\n" I didn't really consider this change as worth updating usage and man page (the previous version wouldn't be entirely accurate anymore but practically speaking rather clear, I thought). If it is: - PORTS is _a_ comma-separated ... - I think we should maintain the description for 'all' (forward all unbound, non-ephemeral ports), because otherwise just "Forward all ports" below becomes particularly misleading > + " 'all', a port number or range. Ranges can be reduced\n" > + " by excluding ports or ranges prefixed by '~'.\n" > "%s" > " Examples:\n" > " -t all Forward all ports\n" 
> @@ -677,7 +675,8 @@ static void usage(const char *name, FILE *f, int status) > " corresponding port numbers plus 10\n" > " -t 192.0.2.1/5 Bind port 5 of 192.0.2.1 to %s\n" > " -t 5-25,~10-20 Forward ports 5 to 9, and 21 to 25\n" > - " -t ~25 Forward all ports except for 25\n" > + " -t ~25,all\n" > + " -t 25 Forward all ports except for 25\n" I think the previous version makes more sense. This isn't an exhaustive description, it just shows how to quickly do things. This is missing a ~ by the way. > "%s" > " default: %s\n" > " -u, --udp-ports SPEC UDP port forwarding to %s\n" > diff --git a/fwd_rule.c b/fwd_rule.c > index 6d7ec2c5..b14df340 100644 > --- a/fwd_rule.c > +++ b/fwd_rule.c > @@ -471,20 +471,13 @@ static void fwd_rule_parse_ports(struct fwd_table *fwd, bool del, uint8_t proto, > uint8_t flags = 0; > unsigned i; > > - if (!strcmp(spec, "all")) { > - /* Treat "all" as equivalent to "": all non-ephemeral ports */ > - spec = ""; > - } > - > /* Parse excluded ranges and "auto" in the first pass */ > for_each_chunk(p, ep, spec, ",") { > struct port_range xrange; > > - if (isdigit(*p)) { > - /* Include range, parse later */ > - exclude_only = false; > + /* Include range, parse later */ > + if (parse_literal(&p, "all") || isdigit(*p)) > continue; > - } > > if (parse_literal(&p, "auto")) { > if (p != ep) /* Garbage after the keyword */ 
> @@ -512,20 +505,18 @@ static void fwd_rule_parse_ports(struct fwd_table *fwd, bool del, uint8_t proto, > bitmap_set(exclude, i); > } > > - if (exclude_only) { > - /* Exclude ephemeral ports */ > - fwd_port_map_ephemeral(exclude); > - > - fwd_rule_range_except(fwd, del, proto, addr, ifname, > - 1, NUM_PORTS - 1, exclude, > - 1, flags | FWD_WEAK); > - return; > - } > - > /* Now process base ranges, skipping exclusions */ > for_each_chunk(p, ep, spec, ",") { > struct port_range orig_range, mapped_range; > > + /* Handle "all" like exclude only */ > + if (parse_literal(&p, "all")) { > + if (p != ep) /* Garbage after the keyword */ > + goto bad; > + > + continue; > + } > + > if (!isdigit(*p)) > /* Already parsed */ > continue; > @@ -533,6 +524,8 @@ static void fwd_rule_parse_ports(struct fwd_table *fwd, bool del, uint8_t proto, > if (!parse_port_range(&p, &orig_range)) > goto bad; > > + exclude_only = false; > + > if (parse_literal(&p, ":")) { > /* There's a range to map to as well */ > if (!parse_port_range(&p, &mapped_range)) > @@ -553,6 +546,14 @@ static void fwd_rule_parse_ports(struct fwd_table *fwd, bool del, uint8_t proto, > mapped_range.first, flags); > } > > + /* Finally handle "all" and exclude only specs */ > + if (exclude_only) { > + fwd_port_map_ephemeral(exclude); > + > + fwd_rule_range_except(fwd, del, proto, addr, ifname, > + 1, NUM_PORTS - 1, exclude, > + 1, flags | FWD_WEAK); > + } > return; > bad: > die("Invalid port specifier '%s'", spec); > diff --git a/passt.1 b/passt.1 > index 908fd4a4..c3722ef9 100644 > --- a/passt.1 > +++ b/passt.1 
> @@ -432,29 +432,22 @@ Send \fIname\fR as Client FQDN: DHCP option 81 and DHCPv6 option 39. > > .TP > .BR \-t ", " \-\-tcp-ports " " \fIspec > -Configure TCP port forwarding to guest or namespace. \fIspec\fR can be one of: > +Configure TCP port forwarding to guest or namespace. \fIspec\fR can be either: > .RS > > .TP > .BR none > Don't forward any ports > > +or > .TP > [\fIaddress\fR[\fB%\fR\fIinterface\fR]\fB/\fR]\fIports\fR ... > -Specific ports to forward. Optionally, a specific listening address > -and interface name (since Linux 5.7) can be specified. \fIports\fR > -may be either: > -.RS > -.TP > -\fBall\fR > -Forward all unbound, non-ephemeral ports, as permitted by current > -capabilities. For low (< 1024) ports, see \fBNOTES\fR. No failures > -are reported for unavailable ports, unless no ports could be forwarded > -at all. > + > +Ports to forward. Optionally, a specific listening address and > +interface name (since Linux 5.7) can be specified. > .RE > > -.RS > -or a comma-separated list of entries which may be any of: > +\fIports\fR is a comma-separated list of entries which may be any of: > .TP > \fIfirst\fR[\fB-\fR\fIlast\fR][\fB:\fR\fItofirst\fR[\fB-\fR\fItolast\fR]] > Include range. Forward port numbers between \fIfirst\fR and \fIlast\fR > @@ -468,6 +461,13 @@ as \fIfirst\fR. > Exclude range. Don't forward port numbers between \fIfirst\fR and > \fIlast\fR. This takes precedences over include ranges. > > +.TP > +.BR all > +Forward all unbound, non-ephemeral ports, not covered by exclude > +ranges above, as permitted by current capabilities. For low (< 1024) > +ports, see \fBNOTES\fR. No failures are reported for unavailable > +ports, unless no ports could be forwarded at all. > + > .TP > .BR auto > \fBpasta\fR only. Only forward ports in the specified set if the 
> @@ -477,10 +477,9 @@ periodically derived (every second) from listening sockets reported by > .RE > > Specifying excluded ranges only implies that all other non-ephemeral > -ports are forwarded. Specifying no ranges at all implies forwarding > -all non-ephemeral ports permitted by current capabilities. In this > -case, no failures are reported for unavailable ports, unless no ports > -could be forwarded at all. > +ports are forwarded. Specifying no ranges is equivalent > +to '\fBall\fR'. In this case, no failures are reported for > +unavailable ports, unless no ports could be forwarded at all. Nit: this could use a few more columns (I think it's slightly more readable as source), say: ports are forwarded. Specifying no ranges is equivalent to '\fBall\fR'. In this case, no failures are reported for unavailable ports, unless no ports could be forwarded at all. -- Stefano
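Review bot: in the conf.c hunk at @@ -660, the new usage line `" PORTS is comma-separated list of ports, either\n"` is missing the article ("is a comma-separated list"), and dropping "forward all unbound, non-ephemeral ports" leaves the retained example `-t all Forward all ports` as the only description of 'all', which overstates what it does since ephemeral ports are never included. Keep a short definition in the PORTS sentence, e.g. `'all' (all unbound, non-ephemeral ports), a port number or range.`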
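Review bot: in the conf.c hunk at @@ -677, the replacement example `" -t 25 Forward all ports except for 25\n"` has lost the `~`, so as written it documents the opposite of what its description says, and splitting the example over two lines leaves `-t ~25,all` with no description column. Keep the original single line `-t ~25 Forward all ports except for 25`, optionally with `,all` appended to show the new combination.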
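Review bot: in the fwd_rule.c hunk at @@ -471, the comment `/* Include range, parse later */` now sits above a condition that also matches `all`, which is not an include range, and unlike the `auto` branch just below, an `all` chunk followed by garbage is not rejected in this pass but only in the second one, so the two keywords are validated in different places. Either check `p != ep` for `all` here as well, or change the comment to say that `all` and include ranges are both handled in the second pass.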
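Review bot: in the fwd_rule.c hunk at @@ -512, the new `all` branch only `continue`s and records nothing, while the `exclude_only = false` added after `parse_port_range()` fires for every include range, so for `-t all,33000` (the third example in the commit message) the second pass ends with `exclude_only == false` and the final `if (exclude_only)` block never forwards the non-ephemeral range: only port 33000 is forwarded. `all` needs its own flag (say `fwd_all`, set in this branch) that the final block checks alongside `exclude_only`; the comment `/* Handle "all" like exclude only */` would then also match what the code does.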
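Review bot: in the passt.1 hunk at @@ -432, two `.RS` lines are removed (the one before `\fBall\fR` and the one before "or a comma-separated list") but no `.RE` is, so within the diff the `.RS`/`.RE` pairs no longer balance: the kept `.RE` after "interface name (since Linux 5.7) can be specified." now closes the `.RS` that follows "can be either:", and the `.RE` at the top of the next hunk is left without a matching `.RS`. Check the rendered indentation of the entry list with `man ./passt.1` and drop or move the stray `.RE`.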
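Added example, not passt's own code: a reduced C model of the port-spec parse after this patch, in which a hypothetical `parse_spec()` returns how many ports a spec forwards and shows that `all,33000` ends up forwarding only port 33000 once the include range clears `exclude_only`. It leaves out `:` mapping and `auto`, assumes Linux's default ephemeral range 32768-60999, and its `fix_all` switch models one possible remedy (a separate flag for `all`) that is a suggestion here, not part of the patch.

```c
/* Added model, not passt's code: fwd_rule_parse_ports() after this patch,
 * reduced to "all", "first[-last]" and "~" exclusions.  fix_all == false
 * mirrors the patch: "all" is a no-op chunk and any include range clears
 * exclude_only, which alone gates the final "forward all non-ephemeral"
 * step.  fix_all == true (a suggested fix) gives "all" its own flag. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define NUM_PORTS 65536
static bool fwd_map[NUM_PORTS];	/* port -> forwarded, filled by parse_spec() */
/* Assumption: Linux's default ephemeral port range */
static bool ephemeral(int port) { return port >= 32768 && port <= 60999; }

/* Return the number of forwarded ports for spec, or -1 if spec is invalid */
static int parse_spec(const char *spec, bool fix_all)
{
	static bool exclude[NUM_PORTS];
	bool exclude_only = true, fwd_all = false;
	const char *p = spec;
	int a, b, n = 0, i, count = 0;

	memset(fwd_map, 0, sizeof(fwd_map));
	memset(exclude, 0, sizeof(exclude));
	while (*p) {
		bool excl = (*p == '~');
		if (!strncmp(p, "all", 3)) {
			p += 3;
			fwd_all = true;
		} else {
			p += excl;	/* skip '~' */
			if (sscanf(p, "%d-%d%n", &a, &b, &n) == 2)
				p += n;
			else if (sscanf(p, "%d%n", &a, &n) == 1)
				b = a, p += n;
			else
				return -1;
			if (a < 1 || b < a || b >= NUM_PORTS)
				return -1;
			for (i = a; i <= b; i++)
				(excl ? exclude : fwd_map)[i] = true;
			if (!excl) exclude_only = false;	/* as in the patch */
		}
		if (*p == ',') p++;
		else if (*p) return -1;	/* garbage after a chunk, e.g. "allx" */
	}
	if (exclude_only || (fix_all && fwd_all))
		for (i = 1; i < NUM_PORTS; i++)
			fwd_map[i] |= !ephemeral(i);
	for (i = 1; i < NUM_PORTS; i++)	/* exclusions take precedence */
		count += (fwd_map[i] = fwd_map[i] && !exclude[i]);
	return count;
}
```

With the model, `all,33000` yields 1 forwarded port under the patch's logic and 37304 (all 37303 non-ephemeral ports plus 33000) with a dedicated flag; `all,~9999` and `~25,all` work either way because no include range clears `exclude_only`.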