| | | |
|---|---|---|
| author | Stefano Brivio <sbrivio@redhat.com> | 2024-02-14 02:26:24 +0100 |
| committer | Stefano Brivio <sbrivio@redhat.com> | 2024-02-16 08:47:14 +0100 |
| commit | f57a2fb4d5ee8728d92250fc6eb45ffeab221990 (patch) | |
| tree | f14fdd7e6a9df77a568c16770dd412a38ecb2290 /contrib/selinux | |
| parent | 927cb84fffed22dc3906baa33111f918bd1a622a (diff) | |
| download | passt-f57a2fb4d5ee8728d92250fc6eb45ffeab221990.tar passt-f57a2fb4d5ee8728d92250fc6eb45ffeab221990.tar.gz passt-f57a2fb4d5ee8728d92250fc6eb45ffeab221990.tar.bz2 passt-f57a2fb4d5ee8728d92250fc6eb45ffeab221990.tar.lz passt-f57a2fb4d5ee8728d92250fc6eb45ffeab221990.tar.xz passt-f57a2fb4d5ee8728d92250fc6eb45ffeab221990.tar.zst passt-f57a2fb4d5ee8728d92250fc6eb45ffeab221990.zip | |
conf, passt.1: Exit if we can't bind a forwarded port, except for -[tu] all

...or similar, that is, if only excluded ranges are given (implying we'll forward any other available port). In that case, we'll usually forward large sets of ports, and it might be inconvenient for the user to skip excluding single ports that are already taken.

The existing behaviour, that is, exiting only if we fail to bind all the ports for one given forwarding option, turns out to be problematic for several aspects raised by Paul:

- Podman merges ranges anyway, so we might fail to bind all the ports from a specific range given by the user, but we'll not fail anyway because Podman merges it with another one where we succeed to bind at least one port. At the same time, there should be no semantic difference between multiple ranges given by a single option and multiple ranges given as multiple options: it's unexpected and not documented
- the user might actually rely on a given port to be forwarded to a given container or a virtual machine, and if connections are forwarded to an unrelated process, this might raise security concerns
- given that we can try and fail to bind multiple ports before exiting (in case we can't bind any), we don't have a specific error code we can return to the user, so we don't give the user helpful indication as to why we couldn't bind ports.

Exit as soon as we fail to create or bind a socket for a given forwarded port, and report the actual error.

Keep the current behaviour, however, in case the user wants to forward all the (available) ports for a given protocol, or all the ports with excluded ranges only. There, it's more reasonable that the user is expecting partial failures, and it's probably convenient that we continue with the ports we could forward.

Update the manual page to reflect the new behaviour, and the old behaviour too in the cases where we keep it.

Suggested-by: Paul Holzinger <pholzing@redhat.com>
Link: https://github.com/containers/podman/pull/21563#issuecomment-1937024642
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Tested-by: Paul Holzinger <pholzing@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
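The bind policy the commit message describes, as an added illustration that is not passt's code and not taken from this commit: an explicit port list fails on the first socket that cannot be bound, closing whatever was already bound and surfacing the real errno, while a "forward everything available" request tolerates ports that are already taken and records why each one was skipped. The function names, the loopback host, the TCP-only handling and the constructed scenario in `demo()` (one port deliberately occupied by a placeholder listener, one left free) are assumptions for this example.

```python
import errno
import socket

HOST = "127.0.0.1"  # assumption for the example; passt's own binding is not reproduced here


def bind_forwarded_ports(ports, forward_all):
    """Bind a listening TCP socket for each requested port.

    forward_all=False models an explicit forwarding request: the first bind
    failure aborts the whole operation, releases the sockets bound so far and
    re-raises with the original errno so the caller can report it.
    forward_all=True models "forward every available port": ports that cannot
    be bound are skipped and returned with the errno name that caused the skip.
    Returns (bound, skipped): {port: socket} and {port: errno name}.
    """
    bound = {}
    skipped = {}
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            # No SO_REUSEADDR on purpose: a port held by another process
            # must fail here rather than be silently shared.
            sock.bind((HOST, port))
            sock.listen()
        except OSError as exc:
            sock.close()
            if forward_all:
                skipped[port] = errno.errorcode.get(exc.errno, str(exc.errno))
                continue
            for held in bound.values():
                held.close()
            raise OSError(exc.errno,
                          f"cannot bind forwarded port {port}: {exc.strerror}") from exc
        bound[port] = sock
    return bound, skipped


def demo():
    """Constructed scenario: one port occupied by a placeholder listener, one free."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind((HOST, 0))
    holder.listen()
    taken = holder.getsockname()[1]

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind((HOST, 0))
    free = probe.getsockname()[1]
    probe.close()  # released again, so it is available for the demo below

    result = {"taken": taken, "free": free}
    try:
        # Explicit request: the free port binds, the taken one fails, and the
        # failure must unwind the free one instead of leaving it half-forwarded.
        bind_forwarded_ports([free, taken], forward_all=False)
        result["explicit_error"] = None
    except OSError as exc:
        result["explicit_error"] = errno.errorcode[exc.errno]

    # "All ports" request: the taken port is skipped, the free one is forwarded.
    bound, skipped = bind_forwarded_ports([free, taken], forward_all=True)
    result["all_bound"] = sorted(bound)
    result["all_skipped"] = dict(skipped)
    for sock in bound.values():
        sock.close()
    holder.close()
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The interesting check is that the explicit request leaves no socket behind: because the failed attempt closed the free port again, the subsequent "all ports" attempt is able to bind it, which is exactly the cleanup an early exit needs so that a partially configured forwarder does not keep listening on a subset of the requested ports.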
Diffstat (limited to 'contrib/selinux')
0 files changed, 0 insertions, 0 deletions