On Wed, Apr 08, 2026 at 01:14:41AM +0200, Stefano Brivio wrote: 11;rgb:ffff/ffff/ffff> On Tue, 7 Apr 2026 13:16:16 +1000 > David Gibson wrote: > > > The man page currently has two fairly large, near-identical sections > > Not entirely identical also because: > > > separately describing the -t and -u options for passt and pasta. This is > > bulky and potentially confusing. It will make this information more > > tedious to update as we alter what's possible here with the forwarding > > table. Consolidate both descriptions to a single one in the common > > options, noting the few passt/pasta difference inline. > > > > There's similar duplication usage(), consolidate that as well. > > > > Signed-off-by: David Gibson > > --- > > conf.c | 54 +++++--------- > > passt.1 | 216 ++++++++++++++++++-------------------------------------- > > 2 files changed, 85 insertions(+), 185 deletions(-) > > > > diff --git a/conf.c b/conf.c > > index f3b36bb6..751e500f 100644 > > --- a/conf.c > > +++ b/conf.c > > @@ -1023,18 +1023,12 @@ static void usage(const char *name, FILE *f, int status) > > " --freebind Bind to any address for forwarding\n" > > " --no-map-gw Don't map gateway address to host\n" > > " -4, --ipv4-only Enable IPv4 operation only\n" > > - " -6, --ipv6-only Enable IPv6 operation only\n"); > > - > > - if (strstr(name, "pasta")) > > - goto pasta_opts; > > - > > - FPRINTF(f, > > - " -1, --one-off Quit after handling one single client\n" > > + " -6, --ipv6-only Enable IPv6 operation only\n" > > " -t, --tcp-ports SPEC TCP port forwarding to guest\n" > > " can be specified multiple times\n" > > " SPEC can be:\n" > > " 'none': don't forward any ports\n" > > - " 'all': forward all unbound, non-ephemeral ports\n" > > + "%s" > > " a comma-separated list, optionally ranged with '-'\n" > > " and optional target ports after ':', with optional\n" > > " address specification suffixed by '/' and optional\n" > > @@ -1050,43 +1044,29 @@ static void usage(const char *name, FILE *f, int status) > > " -t 192.0.2.1/5 Bind port 5 of 192.0.2.1 to guest\n" > > " -t 5-25,~10-20 Forward ports 5 to 9, and 21 to 25\n" > > " -t ~25 Forward all ports except for 25\n" > > - " default: none\n" > > + " default: %s\n" > > " -u, --udp-ports SPEC UDP port forwarding to guest\n" > > ...this is "guest" for passt and "namespace" for pasta. Now, I know > that you use those terms interchangeably and the code does as well, but > this is directly visible to users so I think we shouldn't confuse them > with "guests" for... containers. > > To reaffirm the difference between terms used in the code and terms > used in documentation, could we perhaps do something like: > > char *guest = (mode == MODE_PASTA) ? "namespace" : "guest"; > > ? And then use that later? It might be worth doing that for the > "default" strings too. Sure, done. > > > " SPEC is as described for TCP above\n" > > - " default: none\n"); > > + " default: %s\n", > > + strstr(name, "pasta") ? > > + " 'auto': forward all ports currently bound in namespace\n" > > + : > > + " 'all': forward all unbound, non-ephemeral ports\n", > > + strstr(name, "pasta") ? "auto" : "none", > > + strstr(name, "pasta") ? "auto" : "none"); > > + > > + if (strstr(name, "pasta")) > > + goto pasta_opts; > > + > > + FPRINTF(f, > > + " -1, --one-off Quit after handling one single client\n" > > + ); > > > > passt_exit(status); > > > > pasta_opts: > > > > FPRINTF(f, > > - " -t, --tcp-ports SPEC TCP port forwarding to namespace\n" > > - " can be specified multiple times\n" > > - " SPEC can be:\n" > > - " 'none': don't forward any ports\n" > > - " 'auto': forward all ports currently bound in namespace\n" > > - " a comma-separated list, optionally ranged with '-'\n" > > - " and optional target ports after ':', with optional\n" > > - " address specification suffixed by '/' and optional\n" > > - " interface prefixed by '%%'. Examples:\n" > > - " -t 22 Forward local port 22 to port 22 in netns\n" > > - " -t 22:23 Forward local port 22 to port 23\n" > > - " -t 22,25 Forward ports 22, 25 to ports 22, 25\n" > > - " -t 22-80 Forward ports 22 to 80\n" > > - " -t 22-80:32-90 Forward ports 22 to 80 to\n" > > - " corresponding port numbers plus 10\n" > > - " -t 192.0.2.1/5 Bind port 5 of 192.0.2.1 to namespace\n" > > - " -t 5-25,~10-20 Forward ports 5 to 9, and 21 to 25\n" > > - " -t ~25 Forward all bound ports except for 25\n" > > - " default: auto\n" > > - " IPv6 bound ports are also forwarded for IPv4\n" > > - " -u, --udp-ports SPEC UDP port forwarding to namespace\n" > > - " SPEC is as described for TCP above\n" > > - " default: auto\n" > > - " IPv6 bound ports are also forwarded for IPv4\n" > > - " unless specified, with '-t auto', UDP ports with numbers\n" > > - " corresponding to forwarded TCP port numbers are\n" > > - " forwarded too\n" > > " -T, --tcp-ns SPEC TCP port forwarding to init namespace\n" > > " SPEC is as described above\n" > > " default: auto\n" > > diff --git a/passt.1 b/passt.1 > > index 13e8df9d..a9a8a42a 100644 > > --- a/passt.1 > > +++ b/passt.1 > > @@ -425,78 +425,6 @@ Send \fIname\fR as DHCP option 12 (hostname). > > FQDN to configure the client with. > > Send \fIname\fR as Client FQDN: DHCP option 81 and DHCPv6 option 39. > > > > -.SS \fBpasst\fR-only options > > - > > -.TP > > -.BR \-s ", " \-\-socket-path ", " \-\-socket " " \fIpath > > -Path for UNIX domain socket used by \fBqemu\fR(1) or \fBqrap\fR(1) to connect to > > -\fBpasst\fR. > > -Default is to probe a free socket, not accepting connections, starting from > > -\fI/tmp/passt_1.socket\fR to \fI/tmp/passt_64.socket\fR. > > - > > -.TP > > -.BR \-\-vhost-user > > -Enable vhost-user. The vhost-user command socket is provided by \fB--socket\fR. > > - > > -.TP > > -.BR \-\-print-capabilities > > -Print back-end capabilities in JSON format, only meaningful for vhost-user mode. > > - > > -.TP > > -.BR \-\-repair-path " " \fIpath > > -Path for UNIX domain socket used by the \fBpasst-repair\fR(1) helper to connect > > -to \fBpasst\fR in order to set or clear the TCP_REPAIR option on sockets, during > > -migration. \fB--repair-path none\fR disables this interface (if you need to > > -specify a socket path called "none" you can prefix the path by \fI./\fR). > > - > > -Default, for \-\-vhost-user mode only, is to append \fI.repair\fR to the path > > -chosen for the hypervisor UNIX domain socket. No socket is created if not in > > -\-\-vhost-user mode. > > - > > -.TP > > -.BR \-\-migrate-exit " " (DEPRECATED) > > -Exit after a completed migration as source. By default, \fBpasst\fR keeps > > -running and the migrated guest can continue using its connection, or a new guest > > -can connect. > > - > > -Note that this configuration option is \fBdeprecated\fR and will be removed in a > > -future version. It is not expected to be of any use, and it simply reflects a > > -legacy behaviour. If you have any use for this, refer to \fBREPORTING BUGS\fR > > -below. > > - > > -.TP > > -.BR \-\-migrate-no-linger " " (DEPRECATED) > > -Close TCP sockets on the source instance once migration completes. > > - > > -By default, sockets are kept open, and events on data sockets are ignored, so > > -that any further message reaching sockets after the source migrated is silently > > -ignored, to avoid connection resets in case data is received after migration. > > - > > -Note that this configuration option is \fBdeprecated\fR and will be removed in a > > -future version. It is not expected to be of any use, and it simply reflects a > > -legacy behaviour. If you have any use for this, refer to \fBREPORTING BUGS\fR > > -below. > > - > > -.TP > > -.BR \-F ", " \-\-fd " " \fIFD > > -Pass a pre-opened, connected socket to \fBpasst\fR. Usually the socket is opened > > -in the parent process and \fBpasst\fR inherits it when run as a child. This > > -allows the parent process to open sockets using another address family or > > -requiring special privileges. > > - > > -This option implies the behaviour described for \-\-one-off, once this socket > > -is closed. > > - > > -.TP > > -.BR \-1 ", " \-\-one-off > > -Quit after handling a single client connection, that is, once the client closes > > -the socket, or once we get a socket error. > > - > > -\fBNote\fR: this option has no effect after \fBpasst\fR completes a migration as > > -source, because, in that case, exiting would close sockets for active > > -connections, which would in turn cause connection resets if any further data is > > -received. See also the description of \fI\-\-migrate-no-linger\fR. > > - > > .TP > > .BR \-t ", " \-\-tcp-ports " " \fIspec > > Configure TCP port forwarding to guest. \fIspec\fR can be one of: > > @@ -507,11 +435,17 @@ Configure TCP port forwarding to guest. \fIspec\fR can be one of: > > Don't forward any ports > > > > .TP > > -.BR all > > +.BR all (\fBpasst\fR only) > > This is rendered as "passtonly". You need \fBpasst\fR " " only. While > this one goes away in 5/18, Fixed. (In fact I think I might have fixed that before, then accidentally discarded it; oops). > > Forward all unbound, non-ephemeral ports, as permitted by current capabilities. > > For low (< 1024) ports, see \fBNOTES\fR. No failures are reported for > > unavailable ports, unless no ports could be forwarded at all. > > > > +.TP > > +.BR auto (\fBpasta\fR only) > > ...this one doesn't. > > > +Dynamically forward ports bound in the namespace. The list of ports is > > +periodically derived (every second) from listening sockets reported by > > +\fI/proc/net/tcp\fR and \fI/proc/net/tcp6\fR, see \fBproc\fR(5). > > + > > .TP > > .BR ports > > A comma-separated list of ports, optionally ranged with \fI-\fR, and, > > @@ -563,7 +497,7 @@ and 30 > > Forward all ports to the guest, except for the range from 20000 to 20010 > > .RE > > > > -Default is \fBnone\fR. > > +Default is \fBnone\fR for \fBpasst\fR and \fBauto\fR for \fBpasta\fR. > > .RE > > > > .TP > > @@ -575,101 +509,87 @@ Note: unless overridden, UDP ports with numbers corresponding to forwarded TCP > > port numbers are forwarded too, without, however, any port translation. IPv6 > > bound ports are also forwarded for IPv4. > > > > -Default is \fBnone\fR. > > +Default is \fBnone\fR for \fBpasst\fR and \fBauto\fR for \fBpasta\fR. > > > > -.SS \fBpasta\fR-only options > > +.SS \fBpasst\fR-only options > > > > .TP > > -.BR \-I ", " \-\-ns-ifname " " \fIname > > -Name of tap interface to be created in target namespace. > > -By default, the same interface name as the external, routable interface is used. > > -If no such interface exists, the name \fItap0\fR will be used instead. > > +.BR \-s ", " \-\-socket-path ", " \-\-socket " " \fIpath > > +Path for UNIX domain socket used by \fBqemu\fR(1) or \fBqrap\fR(1) to connect to > > +\fBpasst\fR. > > +Default is to probe a free socket, not accepting connections, starting from > > +\fI/tmp/passt_1.socket\fR to \fI/tmp/passt_64.socket\fR. > > > > .TP > > -.BR \-t ", " \-\-tcp-ports " " \fIspec > > -Configure TCP port forwarding to namespace. \fIspec\fR can be one of: > > -.RS > > +.BR \-\-vhost-user > > +Enable vhost-user. The vhost-user command socket is provided by \fB--socket\fR. > > > > .TP > > -.BR none > > -Don't forward any ports > > +.BR \-\-print-capabilities > > +Print back-end capabilities in JSON format, only meaningful for vhost-user mode. > > > > .TP > > -.BR auto > > -Dynamically forward ports bound in the namespace. The list of ports is > > -periodically derived (every second) from listening sockets reported by > > -\fI/proc/net/tcp\fR and \fI/proc/net/tcp6\fR, see \fBproc\fR(5). > > +.BR \-\-repair-path " " \fIpath > > +Path for UNIX domain socket used by the \fBpasst-repair\fR(1) helper to connect > > +to \fBpasst\fR in order to set or clear the TCP_REPAIR option on sockets, during > > +migration. \fB--repair-path none\fR disables this interface (if you need to > > +specify a socket path called "none" you can prefix the path by \fI./\fR). > > + > > +Default, for \-\-vhost-user mode only, is to append \fI.repair\fR to the path > > +chosen for the hypervisor UNIX domain socket. No socket is created if not in > > +\-\-vhost-user mode. > > > > .TP > > -.BR ports > > -A comma-separated list of ports, optionally ranged with \fI-\fR, and, > > -optionally, with target ports after \fI:\fR, if they differ. Specific addresses > > -can be bound as well, separated by \fI/\fR, and also, since Linux 5.7, limited > > -to specific interfaces, prefixed by \fI%\fR. Within given ranges, selected ports > > -and ranges can be excluded by an additional specification prefixed by \fI~\fR. > > +.BR \-\-migrate-exit " " (DEPRECATED) > > +Exit after a completed migration as source. By default, \fBpasst\fR keeps > > +running and the migrated guest can continue using its connection, or a new guest > > +can connect. > > > > -Specifying excluded ranges only implies that all other ports are forwarded. In > > -this case, no failures are reported for unavailable ports, unless no ports could > > -be forwarded at all. > > +Note that this configuration option is \fBdeprecated\fR and will be removed in a > > +future version. It is not expected to be of any use, and it simply reflects a > > +legacy behaviour. If you have any use for this, refer to \fBREPORTING BUGS\fR > > +below. > > > > -Examples: > > -.RS > > -.TP > > --t 22 > > -Forward local port 22 to 22 in the target namespace > > ...the passt equivalent says "guest". I think we should replace all > these occurrences by "guest or namespace" at this point. I started doing that, but thought it looked awkwardly bulky, without adding much clarity, so I left it at least for the first draft (there are also some existing places in the man page which use "guest" to refer to either a VM or namespace). But, given your preference I've substituted "guest or namespace" for v2. -- David Gibson (he or they) | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you, not the other way | around. http://www.ozlabs.org/~dgibson