public inbox for passt-dev@passt.top
 help / color / mirror / code / Atom feed
From: David Gibson <david@gibson.dropbear.id.au>
To: Stefano Brivio <sbrivio@redhat.com>
Cc: passt-dev@passt.top
Subject: Re: [PATCH v2 1/2] fwd_rule: Parse target addresses for forwarding rules
Date: Tue, 7 Jul 2026 14:27:07 +1000	[thread overview]
Message-ID: <akyAG7PW6n-1fV03@zatzit> (raw)
In-Reply-To: <20260707004829.09651fb7@elisabeth>

[-- Attachment #1: Type: text/plain, Size: 5640 bytes --]

On Tue, Jul 07, 2026 at 12:48:30AM +0200, Stefano Brivio wrote:
> On Mon, 6 Jul 2026 13:08:29 +1000
> David Gibson <david@gibson.dropbear.id.au> wrote:
> 
> > On Sat, Jul 04, 2026 at 05:27:06PM +0200, Stefano Brivio wrote:
> > > On Thu,  2 Jul 2026 17:32:14 +1000
> > > David Gibson <david@gibson.dropbear.id.au> wrote:
[snip]
> > > I wonder: if !addr, shouldn't we replace it, for the moment, with
> > > inany_any4 or inany_any6 depending on !!inany_v4(tgt_addr)?
> > > 
> > > I see that an empty address already works with -4 or -6, and I
> > > understand that, by doing this, we'll have a change in behaviour once
> > > forwarding between IP versions is implemented.
> > > 
> > > But it will take a while before we get there, and, meanwhile, I guess
> > > almost all users will just want to do stuff like -t 8080:192.0.2.1/80,
> > > just to hit:
> > > 
> > >   Forwarding between IP versions (* => 192.0.2.1) not implemented
> > > 
> > > which isn't obvious if you aren't familiar with the implementation. I
> > > can also picture a constant flow of incoming tickets as a result.  
> > 
> > That's a reasonable concern.  I did think about this and came to the
> > tentative conclusion that automatically restricting to one family
> > would be worse, but I'm open to persuasion otherwise.  Reasoning as
> > follows.
> > 
> > First, it is a little awkward to implement: I think we should still
> > prevent an explicit *:192.0.2.1, which means we'd have to distinguish
> > the explicit * and implicit any cases.
> 
> Fair, and I think we should, but that looks relatively simple judging
> from fwd_rule_range_except() and callers.

Ok.

> > Mind you, we probably want
> > something similar when we allow listening addresses for -[TU], so it's
> > not such a big deal.
> > 
> > More importly this would become the _only_ place where the target
> > designation affects where and how we listen - in all other ways,
> > that's fully determined by the first part of the spec plus global
> > flags like -[46].  This gets particularly striking when looking at
> > something like:
> > 	-t 5000,5001:192.0.2.1
> > 
> > With an automatic restriction, we'd end up listening on *:5000, but
> > only on 0.0.0.0:5001, which seems pretty confusing.
> 
> So... I wasn't really aware or the fact that:
> 
>   - t x,y
> 
> would always be equivalent to:
> 
>   -t x -t y
> 
> as it is now. I originally intended , as a separator for ports and
> ports only, but originally we just had ports as port forwarding
> specifications. Then forwarding specifiers grew and I missed that, but
> it wasn't my intention.

Right.  Nonetheless, it's been that way for a good long while.

> I think that, eventually, we should make -t x_0,...,x_n a mere port
> specifier like it already is for ranges, because it's rather intuitive,
> as opposed as, say:
> 
>   -t 5000 -t 5001:192.0.2.1
> 
> where it's clear that we want to map port 5001 to 192.0.2.1 as
> destination address. If we say -t 5000,5001:192.0.2.1, it's rather
> obvious that we do *not*, and yet that's the outcome.

Agreed in principle.  However, to do it differently we'd need to work
out how it interacts with target port specifiers.  I don't think the
meaning of -t 5000,6000:7000 is particularly clear one way or the
other.

> On the other hand, "fixing" this is clearly behind the scope of this
> series, so, unless you have in mind a quick way to implement it, let's
> forget about this, and go ahead with this approach which is consistent
> with the existing situation, I'd say.

I don't see a quick way to implement it, but more than that it's not
really clear to me what our options are for syntax without breaking
backwards compatibility too badly.

> > > The change in behaviour once we implement forwarding between IP
> > > versions, by the way, looks a bit like an extension rather than a real
> > > change that could reasonably cause trouble to anybody.  
> > 
> > I'd argue that's even more the case with the errors as is: things that
> > weren't possible before become possible.
> 
> Indeed. I was just suggesting that even with the other option we would
> add an extension at some point, rather than a bug.
> 
> > > > +			char bstr[INANY_ADDRSTRLEN];
> > > > +
> > > > +			die(
> > > > +"Forwarding between IP versions (%s => %s) not implemented",
> > > > +			    inany_ntop(addr, bstr, sizeof(bstr)),
> > > > +			    inany_ntop(tgt_addr, astr, sizeof(astr)));
> > > > +		}  
> > > 
> > > About both validations: shouldn't they live in fwd_rule_add(), where
> > > we already have this kind of stuff? Or at least be duplicated there?  
> > 
> > Yes, yes they should.  Which also means it needs to move to the second
> > patch (or fwd_add_rule() doesn't see the target address - there's
> > nowhere for it in the structure).
> > 
> > For the next spin, I've moved this validation to fwd_rule_add() in
> > patch 2.  I've also tweaked the messages a bit, which might at least
> > slightly mitigate the concerns above.
> 
> Maybe, given that these error messages are temporary, we could indulge
> into some extra message like:
> 
>   "Did you want to say 0.0.0.0/... instead?"
> 
> same for ::1, along with the rest of the forwarding specifier. Users
> would see that when their containers fail to start and they could fix
> their syntax right away.

Good idea, done.

-- 
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

  reply	other threads:[~2026-07-07  4:27 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-02  7:32 [PATCH v2 0/2] Target address mapping David Gibson
2026-07-02  7:32 ` [PATCH v2 1/2] fwd_rule: Parse target addresses for forwarding rules David Gibson
2026-07-04 15:27   ` Stefano Brivio
2026-07-06  3:08     ` David Gibson
2026-07-06 22:48       ` Stefano Brivio
2026-07-07  4:27         ` David Gibson [this message]
2026-07-02  7:32 ` [PATCH v2 2/2] fwd, fwd_rule: Implement configurable target address mapping David Gibson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=akyAG7PW6n-1fV03@zatzit \
    --to=david@gibson.dropbear.id.au \
    --cc=passt-dev@passt.top \
    --cc=sbrivio@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://passt.top/passt

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).