Date: Fri, 3 Jul 2026 13:52:41 +1000
From: David Gibson
To: Stefano Brivio
CC: passt-dev@passt.top
Subject: Re: [PATCH v4 12/13] fwd_rule: Allow "all" port specs to be combined with other options
References: <20260702063143.676932-1-david@gibson.dropbear.id.au> <20260702063143.676932-13-david@gibson.dropbear.id.au> <20260702091415.46b49159@elisabeth>
In-Reply-To: <20260702091415.46b49159@elisabeth>

On Thu, Jul 02, 2026 at 09:14:17AM +0200, Stefano Brivio wrote:
> On Thu, 2 Jul 2026 16:31:42 +1000
> David Gibson wrote:
> 
> > Currently we handle -t all and the like as a special case, it can't be
> > combined with other port specifier options. Remove that restriction,
> > allowing combined options like:
> >     -t all,~9999   # Forward everything non-ephemeral except 9999
> >     -t all,auto    # Equivalent to -t auto
> >     -t all,33000   # Forward non-ephemeral plus port 33,000
> > 
> > This isn't particularly useful immediately, but will become important for
> > destination address specification - it provides a place to attach the
> > target address for "all" or exclude only mappings.
> > It will also work better with some parsing reworks we want to make.
> > 
> > Signed-off-by: David Gibson
> > ---
> >  conf.c     | 11 +++++------
> >  fwd_rule.c | 39 ++++++++++++++++++++-------------------
> >  passt.1    | 33 ++++++++++++++++-----------------
> >  3 files changed, 41 insertions(+), 42 deletions(-)
> > 
> > diff --git a/conf.c b/conf.c
> > index c4a36dee..a610c0c6 100644
> > --- a/conf.c
> > +++ b/conf.c
> > @@ -660,11 +660,9 @@ static void usage(const char *name, FILE *f, int status)
> >  " SPEC can be:\n"
> >  " 'none': don't forward any ports\n"
> >  " [ADDR[%%IFACE]/]PORTS: forward specific ports\n"
> > - " PORTS is either 'all' (forward all unbound, non-ephemeral\n"
> > - " ports), or a comma-separated list of ports, optionally\n"
> > - " ranged with '-' and optional target ports after ':'.\n"
> > - " Ranges can be reduced by excluding ports or ranges\n"
> > - " prefixed by '~'.\n"
> > + " PORTS is comma-separated list of ports, either\n"
> 
> I didn't really consider this change as worth updating usage and man
> page (the previous version wouldn't be entirely accurate anymore but
> practically speaking rather clear, I thought).

I think we should update the manpage, since it is pretty detailed (and
now wrong). usage() I'll grant is borderline at best.

> If it is:
> 
> - PORTS is _a_ comma-separated ...

Fixed.

> - I think we should maintain the description for 'all' (forward all
>   unbound, non-ephemeral ports), because otherwise just "Forward all
>   ports" below becomes particularly misleading

Good point. I've reworded again, I think it's better.

> 
> > + " 'all', a port number or range. Ranges can be reduced\n"
> > + " by excluding ports or ranges prefixed by '~'.\n"
> >  "%s"
> >  " Examples:\n"
> >  " -t all Forward all ports\n"
> > @@ -677,7 +675,8 @@ static void usage(const char *name, FILE *f, int status)
> >  " corresponding port numbers plus 10\n"
> >  " -t 192.0.2.1/5 Bind port 5 of 192.0.2.1 to %s\n"
> >  " -t 5-25,~10-20 Forward ports 5 to 9, and 21 to 25\n"
> > - " -t ~25 Forward all ports except for 25\n"
> > + " -t ~25,all\n"
> > + " -t 25 Forward all ports except for 25\n"
> 
> I think the previous version makes more sense. This isn't an exhaustive
> description, it just shows how to quickly do things. This is missing a
> ~ by the way.

Oops, yes. I dropped these lines.

> 
> >  "%s"
> >  " default: %s\n"
> >  " -u, --udp-ports SPEC UDP port forwarding to %s\n"
> > diff --git a/fwd_rule.c b/fwd_rule.c
> > index 6d7ec2c5..b14df340 100644
> > --- a/fwd_rule.c
> > +++ b/fwd_rule.c
> > @@ -471,20 +471,13 @@ static void fwd_rule_parse_ports(struct fwd_table *fwd, bool del, uint8_t proto,
> >  uint8_t flags = 0;
> >  unsigned i;
> >  
> > - if (!strcmp(spec, "all")) {
> > - /* Treat "all" as equivalent to "": all non-ephemeral ports */
> > - spec = "";
> > - }
> > -
> >  /* Parse excluded ranges and "auto" in the first pass */
> >  for_each_chunk(p, ep, spec, ",") {
> >  struct port_range xrange;
> >  
> > - if (isdigit(*p)) {
> > - /* Include range, parse later */
> > - exclude_only = false;
> > + /* Include range, parse later */
> > + if (parse_literal(&p, "all") || isdigit(*p))
> >  continue;
> > - }
> >  
> >  if (parse_literal(&p, "auto")) {
> >  if (p != ep) /* Garbage after the keyword */
> > @@ -512,20 +505,18 @@ static void fwd_rule_parse_ports(struct fwd_table *fwd, bool del, uint8_t proto,
> >  bitmap_set(exclude, i);
> >  }
> >  
> > - if (exclude_only) {
> > - /* Exclude ephemeral ports */
> > - fwd_port_map_ephemeral(exclude);
> > -
> > - fwd_rule_range_except(fwd, del, proto, addr, ifname,
> > - 1, NUM_PORTS - 1, exclude,
> > - 1, flags | FWD_WEAK);
> > - return;
> > - }
> > -
> >  /* Now process base ranges, skipping exclusions */
> >  for_each_chunk(p, ep, spec, ",") {
> >  struct port_range orig_range, mapped_range;
> >  
> > + /* Handle "all" like exclude only */
> > + if (parse_literal(&p, "all")) {
> > + if (p != ep) /* Garbage after the keyword */
> > + goto bad;
> > +
> > + continue;
> > + }
> > +
> >  if (!isdigit(*p))
> >  /* Already parsed */
> >  continue;
> > @@ -533,6 +524,8 @@ static void fwd_rule_parse_ports(struct fwd_table *fwd, bool del, uint8_t proto,
> >  if (!parse_port_range(&p, &orig_range))
> >  goto bad;
> >  
> > + exclude_only = false;
> > +
> >  if (parse_literal(&p, ":")) {
> >  /* There's a range to map to as well */
> >  if (!parse_port_range(&p, &mapped_range))
> > @@ -553,6 +546,14 @@ static void fwd_rule_parse_ports(struct fwd_table *fwd, bool del, uint8_t proto,
> >  mapped_range.first, flags);
> >  }
> >  
> > + /* Finally handle "all" and exclude only specs */
> > + if (exclude_only) {
> > + fwd_port_map_ephemeral(exclude);
> > +
> > + fwd_rule_range_except(fwd, del, proto, addr, ifname,
> > + 1, NUM_PORTS - 1, exclude,
> > + 1, flags | FWD_WEAK);
> > + }
> >  return;
> >  bad:
> >  die("Invalid port specifier '%s'", spec);
> > diff --git a/passt.1 b/passt.1
> > index 908fd4a4..c3722ef9 100644
> > --- a/passt.1
> > +++ b/passt.1
> > @@ -432,29 +432,22 @@ Send \fIname\fR as Client FQDN: DHCP option 81 and DHCPv6 option 39.
> >  
> >  .TP
> >  .BR \-t ", " \-\-tcp-ports " " \fIspec
> > -Configure TCP port forwarding to guest or namespace. \fIspec\fR can be one of:
> > +Configure TCP port forwarding to guest or namespace. \fIspec\fR can be either:
> >  .RS
> >  
> >  .TP
> >  .BR none
> >  Don't forward any ports
> >  
> > +or
> >  .TP
> >  [\fIaddress\fR[\fB%\fR\fIinterface\fR]\fB/\fR]\fIports\fR ...
> > -Specific ports to forward. Optionally, a specific listening address
> > -and interface name (since Linux 5.7) can be specified. \fIports\fR
> > -may be either:
> > -.RS
> > -.TP
> > -\fBall\fR
> > -Forward all unbound, non-ephemeral ports, as permitted by current
> > -capabilities. For low (< 1024) ports, see \fBNOTES\fR. No failures
> > -are reported for unavailable ports, unless no ports could be forwarded
> > -at all.
> > +
> > +Ports to forward. Optionally, a specific listening address and
> > +interface name (since Linux 5.7) can be specified.
> >  .RE
> >  
> > -.RS
> > -or a comma-separated list of entries which may be any of:
> > +\fIports\fR is a comma-separated list of entries which may be any of:
> >  .TP
> >  \fIfirst\fR[\fB-\fR\fIlast\fR][\fB:\fR\fItofirst\fR[\fB-\fR\fItolast\fR]]
> >  Include range. Forward port numbers between \fIfirst\fR and \fIlast\fR
> > @@ -468,6 +461,13 @@ as \fIfirst\fR.
> >  Exclude range. Don't forward port numbers between \fIfirst\fR and
> >  \fIlast\fR. This takes precedences over include ranges.
> >  
> > +.TP
> > +.BR all
> > +Forward all unbound, non-ephemeral ports, not covered by exclude
> > +ranges above, as permitted by current capabilities. For low (< 1024)
> > +ports, see \fBNOTES\fR. No failures are reported for unavailable
> > +ports, unless no ports could be forwarded at all.
> > +
> >  .TP
> >  .BR auto
> >  \fBpasta\fR only. Only forward ports in the specified set if the
> > @@ -477,10 +477,9 @@ periodically derived (every second) from listening sockets reported by
> >  .RE
> >  
> >  Specifying excluded ranges only implies that all other non-ephemeral
> > -ports are forwarded. Specifying no ranges at all implies forwarding
> > -all non-ephemeral ports permitted by current capabilities. In this
> > -case, no failures are reported for unavailable ports, unless no ports
> > -could be forwarded at all.
> > +ports are forwarded. Specifying no ranges is equivalent
> > +to '\fBall\fR'. In this case, no failures are reported for
> > +unavailable ports, unless no ports could be forwarded at all.
> 
> Nit: this could use a few more columns (I think it's slightly more
> readable as source), say:

Huh, odd. For some reason emacs M-q was making it narrower. Fixed
manually.

> ports are forwarded. Specifying no ranges is equivalent to '\fBall\fR'. In
> this case, no failures are reported for unavailable ports, unless no ports could
> be forwarded at all.
> 
> -- 
> Stefano
> 

-- 
David Gibson (he or they)       | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you, not the other way
                                | around.
http://www.ozlabs.org/~dgibson
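Review bot: in the conf.c examples hunk (@@ -677,7 +675,8 @@) the replacement pair is wrong on both lines: `-t ~25,all` has no description and `-t 25 Forward all ports except for 25` lost its `~`, so the usage text would claim that `-t 25` forwards everything except port 25. Keep the single original line `-t ~25 Forward all ports except for 25`, or, if the combined form is wanted, make it one line: `-t ~25,all Forward all ports except for 25`.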
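Review bot: in the last fwd_rule.c hunk (@@ -553,6 +546,14 @@) the `all` keyword only takes effect while `exclude_only` is still true, so the `-t all,33000` case from the commit message does not work: the `33000` chunk executes `exclude_only = false;` (@@ -533,6 +524,8 @@), the closing `if (exclude_only)` block, which is the only place the `all` set gets forwarded, is skipped, and only port 33000 ends up forwarded. Have the `all` branch in the second pass (@@ -512,20 +505,18 @@) record that the keyword was seen, for example a `bool all = false;` next to `exclude_only` set with `all = true;` before its `continue;`, and change the final condition to `if (all || exclude_only)`; the comment `/* Handle "all" like exclude only */` then matches what the code does.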
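Review bot: in the first passt.1 hunk (@@ -432,29 +432,22 @@) the `.RS`/`.RE` nesting no longer balances: the hunk deletes the two inner `.RS` lines (`-.RS` before `-\fBall\fR` and `-.RS` before `-or a comma-separated list`) but keeps both matching `.RE` lines as context (the `.RE` after `+interface name (since Linux 5.7) can be specified.` and the `.RE` that opens the @@ -477 hunk). The first surviving `.RE` now closes the outer `.RS` opened after `can be either:`, so the `first`, `~first`, `all` and `auto` entries render at the same level as the option itself, and the second `.RE` closes a block this option never opened. Either add an `.RS` before `+\fIports\fR is a comma-separated list` or drop one of the `.RE` lines. Separately, the empty `+` line between the `.TP` tag `[\fIaddress\fR...]\fIports\fR ...` and `+Ports to forward.` is a blank input line, which troff renders as a break plus a blank line and so detaches the description from its tag; remove it.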
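Review bot: the context line `\fIlast\fR. This takes precedences over include ranges.` in the second passt.1 hunk (@@ -468,6 +461,13 @@) carries a pre-existing typo, `precedences` for `precedence`; since the hunk already edits the surrounding paragraph, fixing it here is a cheap drive-by.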