Date: Thu, 16 Apr 2026 11:37:57 +1000
From: David Gibson
To: Stefano Brivio
CC: passt-dev@passt.top
Subject: Re: [PATCH v2 16/23] conf: Move "all" handling to port specifier
References: <20260410010309.736855-1-david@gibson.dropbear.id.au> <20260410010309.736855-17-david@gibson.dropbear.id.au> <20260416000443.5372dc46@elisabeth>
In-Reply-To: <20260416000443.5372dc46@elisabeth>
List-Id: Development discussion and patches for passt

On Thu, Apr 16, 2026 at 12:04:43AM +0200, Stefano Brivio wrote:
> On Fri, 10 Apr 2026 11:03:02 +1000
> David Gibson wrote:
>
> > Currently -[tTuU] all is handled separately in conf_ports() before calling
> > conf_ports_spec(). Earlier changes mean we can now move this handling to
> > conf_ports_spec(). This makes the code slightly simpler, but more
> > importantly it allows some useful combinations we couldn't previously do,
> > such as
> >   -t 127.0.0.1/all
> > or
> >   -u %eth2/all
> >
> > Signed-off-by: David Gibson
> > ---
> > conf.c | 25 ++++++++++---------------
> > passt.1 | 28 ++++++++++++++++++++--------
> > 2 files changed, 30 insertions(+), 23 deletions(-)
> >
> > diff --git a/conf.c b/conf.c > > index 5d6517c3..f62109b5 100644 > > --- a/conf.c > > +++ b/conf.c > > @@ -251,6 +251,11 @@ static void conf_ports_spec(const struct ctx *c, > > const char *p, *ep; > > unsigned i; > > =20 > > + if (!strcmp(spec, "all")) { > > + /* Treat "all" as equivalent to "": all non-ephemeral ports */ > > + spec =3D ""; > > + } > > + > > /* Mark all exclusions first, they might be given after base ranges */ > > for_each_chunk(p, ep, spec, ",") { > > struct port_range xrange; > > @@ -372,19 +377,6 @@ static void conf_ports(const struct ctx *c, char o= ptname, const char *optarg, > > return; > > } > > =20 > > - if (!strcmp(optarg, "all")) { > > - uint8_t exclude[PORT_BITMAP_SIZE] =3D { 0 }; > > - > > - /* Exclude ephemeral ports */ > > - fwd_port_map_ephemeral(exclude); > > - > > - conf_ports_range_except(c, optname, optarg, fwd, > > - proto, NULL, NULL, > > - 1, NUM_PORTS - 1, exclude, > > - 1, FWD_WEAK); > > - return; > > - } > > - > > strncpy(buf, optarg, sizeof(buf) - 1); > > =20 > > if ((spec =3D strchr(buf, '/'))) { 
> > @@ -1039,14 +1031,17 @@ static void usage(const char *name, FILE *f, in= t status) > > " can be specified multiple times\n" > > " SPEC can be:\n" > > " 'none': don't forward any ports\n" > > - " 'all': forward all unbound, non-ephemeral ports\n" > > "%s" > > " [ADDR[%%IFACE]/]PORTS: forward specific ports\n" > > - " PORTS is a comma-separated list of ports, optionally\n" > > + " PORTS is either 'all' (forward all unbound, non-ephemeral\n" > > + " ports), or a comma-separated list of ports, optionally\n" > > " ranged with '-' and optional target ports after ':'.\n" > > " Ranges can be reduced by excluding ports or ranges\n" > > " prefixed by '~'\n" > > " Examples:\n" > > + " -t all Forward all ports\n" >=20 > Nit: the examples below have a tab as a separator, which makes it > slightly easier to ensure we indent them properly. Oops, fixed. > > + " -t 127.0.0.1/all Forward all ports from local address\n" > > + " 127.0.0.1\n" >=20 > This makes things pretty hard on eyes as it's not consistent with the > rest of the "table". Could we perhaps do: >=20 > " -t ::1/all Forward all ports from ::1\n" >=20 > ? Ah, good idea. Done. >=20 > > " -t 22 Forward local port 22 to 22 on %s\n" > > " -t 22:23 Forward local port 22 to 23 on %s\n" > > " -t 22,25 Forward ports 22, 25 to ports 22, 25\n" > > diff --git a/passt.1 b/passt.1 > > index d329f8f0..3ba447d5 100644 > > --- a/passt.1 > > +++ b/passt.1 > > @@ -434,12 +434,6 @@ Configure TCP port forwarding to guest or namespac= e. \fIspec\fR can be one of: > > .BR none > > Don't forward any ports > > =20 > > -.TP > > -.BR all > > -Forward all unbound, non-ephemeral ports, as permitted by current capa= bilities. > > -For low (< 1024) ports, see \fBNOTES\fR. No failures are reported for > > -unavailable ports, unless no ports could be forwarded at all. > > - > > .TP > > .BR auto " " (\fBpasta\fR " " only) > > Dynamically forward ports bound in the namespace. The list of ports is 
> > @@ -449,10 +443,20 @@ periodically derived (every second) from listenin= g sockets reported by > > .TP > > [\fIaddress\fR[\fB%\fR\fIinterface\fR]\fB/\fR]\fIports\fR ... > > Specific ports to forward. Optionally, a specific listening address > > -and interface name (since Linux 5.7) can be specified. \fIports\fR is > > -a comma-separated list of entries which may be any of: > > +and interface name (since Linux 5.7) can be specified. \fIports\fR > > +may be either: > > .RS > > .TP > > +\fBall\fR > > +Forward all unbound, non-ephemeral ports, as permitted by current > > +capabilities. For low (< 1024) ports, see \fBNOTES\fR. No failures > > +are reported for unavailable ports, unless no ports could be forwarded > > +at all. > > +.RE > > + > > +.RS > > +or a comma-separated list of entries which may be any of: > > +.TP > > \fIfirst\fR[\fB-\fR\fIlast\fR][\fB:\fR\fItofirst\fR[\fB-\fR\fItolast\f= R]] > > Include range. Forward port numbers between \fIfirst\fR and \fIlast\fR > > (inclusive) to ports between \fItofirst\fR and \fItolast\fR. If 
> > @@ -473,6 +477,14 @@ unavailable ports, unless no ports could be forwar= ded at all. > > Examples: > > .RS > > .TP > > +-t all > > +Forward all unbound, non-ephemeral ports as permitted by current > > +capabilities to the corresponding port on the guest or namespace > > +.TP > > +-t 127.0.0.1/all > > +For the local address 127.0.0.1, forward all unbound, non-ephemeral > > +ports as permitted by current capabilities. >=20 > Nit: all the other examples have no dot at the end (I tend to think > it fits better this type of list, but all I care about is that it's > consistent). Fixed. Also changed to ::1 for consistency with the usage() example. >=20 > > +.TP > > -t 22 > > Forward local port 22 to port 22 on the guest or namespace > > .TP >=20 > --=20 > Stefano >=20 --=20 David Gibson (he or they) | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you, not the other way | around. http://www.ozlabs.org/~dgibson
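
Review bot: In the conf.c hunk at @@ -251,6 +251,11 @@, strcmp(spec, "all") matches only when "all" is the entire port spec, so a combined form such as "all,~8080" is not rewritten and reaches the for_each_chunk() loops with "all" as an ordinary list entry. The man page wording ("may be either: all ... or a comma-separated list") suggests that is intended, but the code comment only says "all" is equivalent to "". It would help to extend the comment to say "all" is not accepted as a list element, and to confirm that a stray "all" entry is rejected with a clear error rather than parsed as a port.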
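
Review bot: Nothing in this patch shows that the empty-spec path keeps the two behaviours of the block removed from conf_ports() at @@ -372,19 +377,6 @@: that block excluded ephemeral ports through fwd_port_map_ephemeral() and passed FWD_WEAK to conf_ports_range_except(). The commit message refers to "earlier changes" without naming them; please state which change gives the "" spec the same exclusion and the same weak-failure handling, since passt.1 still promises that no failures are reported for unavailable ports unless none could be forwarded. A regression here would change which ports end up listening on the host, so it deserves an explicit line in the message or a test.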
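
Review bot: In the usage() hunk at @@ -1039,14 +1031,17 @@, the new example text "-t all Forward all ports" (and "Forward all ports from local address" on the next example) says more than the option does: the PORTS description added a few lines above states that 'all' forwards all unbound, non-ephemeral ports. Suggest wording the examples as "Forward all non-ephemeral ports" so the help output does not imply that the ephemeral range is exposed as well.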