From: David Gibson <david@gibson.dropbear.id.au>
To: Stefano Brivio <sbrivio@redhat.com>
Cc: passt-dev@passt.top
Subject: Re: [PATCH v2 1/2] fwd_rule: Parse target addresses for forwarding rules
Date: Tue, 7 Jul 2026 14:27:07 +1000 [thread overview]
Message-ID: <akyAG7PW6n-1fV03@zatzit> (raw)
In-Reply-To: <20260707004829.09651fb7@elisabeth>
[-- Attachment #1: Type: text/plain, Size: 5640 bytes --]
On Tue, Jul 07, 2026 at 12:48:30AM +0200, Stefano Brivio wrote:
> On Mon, 6 Jul 2026 13:08:29 +1000
> David Gibson <david@gibson.dropbear.id.au> wrote:
>
> > On Sat, Jul 04, 2026 at 05:27:06PM +0200, Stefano Brivio wrote:
> > > On Thu, 2 Jul 2026 17:32:14 +1000
> > > David Gibson <david@gibson.dropbear.id.au> wrote:
[snip]
> > > I wonder: if !addr, shouldn't we replace it, for the moment, with
> > > inany_any4 or inany_any6 depending on !!inany_v4(tgt_addr)?
> > >
> > > I see that an empty address already works with -4 or -6, and I
> > > understand that, by doing this, we'll have a change in behaviour once
> > > forwarding between IP versions is implemented.
> > >
> > > But it will take a while before we get there, and, meanwhile, I guess
> > > almost all users will just want to do stuff like -t 8080:192.0.2.1/80,
> > > just to hit:
> > >
> > > Forwarding between IP versions (* => 192.0.2.1) not implemented
> > >
> > > which isn't obvious if you aren't familiar with the implementation. I
> > > can also picture a constant flow of incoming tickets as a result.
> >
> > That's a reasonable concern. I did think about this and came to the
> > tentative conclusion that automatically restricting to one family
> > would be worse, but I'm open to persuasion otherwise. Reasoning as
> > follows.
> >
> > First, it is a little awkward to implement: I think we should still
> > prevent an explicit *:192.0.2.1, which means we'd have to distinguish
> > the explicit * and implicit any cases.
>
> Fair, and I think we should, but that looks relatively simple judging
> from fwd_rule_range_except() and callers.
Ok.
> > Mind you, we probably want
> > something similar when we allow listening addresses for -[TU], so it's
> > not such a big deal.
> >
> > More importly this would become the _only_ place where the target
> > designation affects where and how we listen - in all other ways,
> > that's fully determined by the first part of the spec plus global
> > flags like -[46]. This gets particularly striking when looking at
> > something like:
> > -t 5000,5001:192.0.2.1
> >
> > With an automatic restriction, we'd end up listening on *:5000, but
> > only on 0.0.0.0:5001, which seems pretty confusing.
>
> So... I wasn't really aware or the fact that:
>
> - t x,y
>
> would always be equivalent to:
>
> -t x -t y
>
> as it is now. I originally intended , as a separator for ports and
> ports only, but originally we just had ports as port forwarding
> specifications. Then forwarding specifiers grew and I missed that, but
> it wasn't my intention.
Right. Nonetheless, it's been that way for a good long while.
> I think that, eventually, we should make -t x_0,...,x_n a mere port
> specifier like it already is for ranges, because it's rather intuitive,
> as opposed as, say:
>
> -t 5000 -t 5001:192.0.2.1
>
> where it's clear that we want to map port 5001 to 192.0.2.1 as
> destination address. If we say -t 5000,5001:192.0.2.1, it's rather
> obvious that we do *not*, and yet that's the outcome.
Agreed in principle. However, to do it differently we'd need to work
out how it interacts with target port specifiers. I don't think the
meaning of -t 5000,6000:7000 is particularly clear one way or the
other.
> On the other hand, "fixing" this is clearly behind the scope of this
> series, so, unless you have in mind a quick way to implement it, let's
> forget about this, and go ahead with this approach which is consistent
> with the existing situation, I'd say.
I don't see a quick way to implement it, but more than that it's not
really clear to me what our options are for syntax without breaking
backwards compatibility too badly.
> > > The change in behaviour once we implement forwarding between IP
> > > versions, by the way, looks a bit like an extension rather than a real
> > > change that could reasonably cause trouble to anybody.
> >
> > I'd argue that's even more the case with the errors as is: things that
> > weren't possible before become possible.
>
> Indeed. I was just suggesting that even with the other option we would
> add an extension at some point, rather than a bug.
>
> > > > + char bstr[INANY_ADDRSTRLEN];
> > > > +
> > > > + die(
> > > > +"Forwarding between IP versions (%s => %s) not implemented",
> > > > + inany_ntop(addr, bstr, sizeof(bstr)),
> > > > + inany_ntop(tgt_addr, astr, sizeof(astr)));
> > > > + }
> > >
> > > About both validations: shouldn't they live in fwd_rule_add(), where
> > > we already have this kind of stuff? Or at least be duplicated there?
> >
> > Yes, yes they should. Which also means it needs to move to the second
> > patch (or fwd_add_rule() doesn't see the target address - there's
> > nowhere for it in the structure).
> >
> > For the next spin, I've moved this validation to fwd_rule_add() in
> > patch 2. I've also tweaked the messages a bit, which might at least
> > slightly mitigate the concerns above.
>
> Maybe, given that these error messages are temporary, we could indulge
> into some extra message like:
>
> "Did you want to say 0.0.0.0/... instead?"
>
> same for ::1, along with the rest of the forwarding specifier. Users
> would see that when their containers fail to start and they could fix
> their syntax right away.
Good idea, done.
--
David Gibson (he or they) | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you, not the other way
| around.
http://www.ozlabs.org/~dgibson
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2026-07-07 4:27 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-02 7:32 [PATCH v2 0/2] Target address mapping David Gibson
2026-07-02 7:32 ` [PATCH v2 1/2] fwd_rule: Parse target addresses for forwarding rules David Gibson
2026-07-04 15:27 ` Stefano Brivio
2026-07-06 3:08 ` David Gibson
2026-07-06 22:48 ` Stefano Brivio
2026-07-07 4:27 ` David Gibson [this message]
2026-07-02 7:32 ` [PATCH v2 2/2] fwd, fwd_rule: Implement configurable target address mapping David Gibson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=akyAG7PW6n-1fV03@zatzit \
--to=david@gibson.dropbear.id.au \
--cc=passt-dev@passt.top \
--cc=sbrivio@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://passt.top/passt
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).