aboutgitcodebugslistschat
path: root/contrib/selinux
diff options
context:
space:
mode:
authorStefano Brivio <sbrivio@redhat.com>2024-02-14 02:26:24 +0100
committerStefano Brivio <sbrivio@redhat.com>2024-02-16 08:47:14 +0100
commitf57a2fb4d5ee8728d92250fc6eb45ffeab221990 (patch)
treef14fdd7e6a9df77a568c16770dd412a38ecb2290 /contrib/selinux
parent927cb84fffed22dc3906baa33111f918bd1a622a (diff)
downloadpasst-f57a2fb4d5ee8728d92250fc6eb45ffeab221990.tar
passt-f57a2fb4d5ee8728d92250fc6eb45ffeab221990.tar.gz
passt-f57a2fb4d5ee8728d92250fc6eb45ffeab221990.tar.bz2
passt-f57a2fb4d5ee8728d92250fc6eb45ffeab221990.tar.lz
passt-f57a2fb4d5ee8728d92250fc6eb45ffeab221990.tar.xz
passt-f57a2fb4d5ee8728d92250fc6eb45ffeab221990.tar.zst
passt-f57a2fb4d5ee8728d92250fc6eb45ffeab221990.zip
conf, passt.1: Exit if we can't bind a forwarded port, except for -[tu] all
...or similar, that is, if only excluded ranges are given (implying we'll forward any other available port). In that case, we'll usually forward large sets of ports, and it might be inconvenient for the user to skip excluding single ports that are already taken. The existing behaviour, that is, exiting only if we fail to bind all the ports for one given forwarding option, turns out to be problematic for several aspects raised by Paul: - Podman merges ranges anyway, so we might fail to bind all the ports from a specific range given by the user, but we'll not fail anyway because Podman merges it with another one where we succeed to bind at least one port. At the same time, there should be no semantic difference between multiple ranges given by a single option and multiple ranges given as multiple options: it's unexpected and not documented - the user might actually rely on a given port to be forwarded to a given container or a virtual machine, and if connections are forwarded to an unrelated process, this might raise security concerns - given that we can try and fail to bind multiple ports before exiting (in case we can't bind any), we don't have a specific error code we can return to the user, so we don't give the user helpful indication as to why we couldn't bind ports. Exit as soon as we fail to create or bind a socket for a given forwarded port, and report the actual error. Keep the current behaviour, however, in case the user wants to forward all the (available) ports for a given protocol, or all the ports with excluded ranges only. There, it's more reasonable that the user is expecting partial failures, and it's probably convenient that we continue with the ports we could forward. Update the manual page to reflect the new behaviour, and the old behaviour too in the cases where we keep it. Suggested-by: Paul Holzinger <pholzing@redhat.com> Link: https://github.com/containers/podman/pull/21563#issuecomment-1937024642 Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Tested-by: Paul Holzinger <pholzing@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Diffstat (limited to 'contrib/selinux')
0 files changed, 0 insertions, 0 deletions