author: Stefano Brivio <sbrivio@redhat.com> 2024-02-14 02:26:24 +0100
committer: Stefano Brivio <sbrivio@redhat.com> 2024-02-16 08:47:14 +0100
commit: f57a2fb4d5ee8728d92250fc6eb45ffeab221990 (patch)
tree: f14fdd7e6a9df77a568c16770dd412a38ecb2290 /passt.1
parent: 927cb84fffed22dc3906baa33111f918bd1a622a (diff)
conf, passt.1: Exit if we can't bind a forwarded port, except for -[tu] all
...or similar, that is, if only excluded ranges are given (implying we'll forward any other available port). In that case, we'll usually forward large sets of ports, and it might be inconvenient for the user to skip excluding single ports that are already taken.

The existing behaviour, that is, exiting only if we fail to bind all the ports for one given forwarding option, turns out to be problematic for several aspects raised by Paul:

- Podman merges ranges anyway, so we might fail to bind all the ports from a specific range given by the user, but we'll not fail anyway because Podman merges it with another one where we succeed to bind at least one port. At the same time, there should be no semantic difference between multiple ranges given by a single option and multiple ranges given as multiple options: it's unexpected and not documented

- the user might actually rely on a given port to be forwarded to a given container or a virtual machine, and if connections are forwarded to an unrelated process, this might raise security concerns

- given that we can try and fail to bind multiple ports before exiting (in case we can't bind any), we don't have a specific error code we can return to the user, so we don't give the user helpful indication as to why we couldn't bind ports.

Exit as soon as we fail to create or bind a socket for a given forwarded port, and report the actual error.

Keep the current behaviour, however, in case the user wants to forward all the (available) ports for a given protocol, or all the ports with excluded ranges only. There, it's more reasonable that the user is expecting partial failures, and it's probably convenient that we continue with the ports we could forward.

Update the manual page to reflect the new behaviour, and the old behaviour too in the cases where we keep it.

Suggested-by: Paul Holzinger <pholzing@redhat.com>
Link: https://github.com/containers/podman/pull/21563#issuecomment-1937024642
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Tested-by: Paul Holzinger <pholzing@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Diffstat (limited to 'passt.1')
-rw-r--r-- passt.1 | 15
1 files changed, 12 insertions, 3 deletions
diff --git a/passt.1 b/passt.1
index cc678ed..dc2d719 100644
--- a/passt.1
+++ b/passt.1
@@ -355,7 +355,8 @@ Don't forward any ports
.TP
.BR all
Forward all unbound, non-ephemeral ports, as permitted by current capabilities.
-For low (< 1024) ports, see \fBNOTES\fR.
+For low (< 1024) ports, see \fBNOTES\fR. No failures are reported for
+unavailable ports, unless no ports could be forwarded at all.
.TP
.BR ports
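Review bot: the sentence added to the "all" description says that unavailable ports produce no failure report, but not what happens to them; say explicitly that such ports are skipped and not forwarded, so a reader understands that connections to a port already held by another local process keep reaching that process rather than the container or VM, which is exactly the concern the commit message raises. A wording such as "Ports that cannot be bound are skipped and not forwarded; no failure is reported for them unless no ports could be forwarded at all." would cover both points.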
@@ -364,7 +365,11 @@ optionally, with target ports after \fI:\fR, if they differ. Specific addresses
can be bound as well, separated by \fI/\fR, and also, since Linux 5.7, limited
to specific interfaces, prefixed by \fI%\fR. Within given ranges, selected ports
and ranges can be excluded by an additional specification prefixed by \fI~\fR.
-Specifying excluded ranges only implies that all other ports are forwarded.
+
+Specifying excluded ranges only implies that all other ports are forwarded. In
+this case, no failures are reported for unavailable ports, unless no ports could
+be forwarded at all.
+
Examples:
.RS
.TP
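Review bot: the new paragraph documents only the case where the old behaviour is kept (excluded ranges only), while the main change described in the commit message, exiting with the actual error as soon as an explicitly specified port cannot be bound, is not stated anywhere in the "ports" description. Add a sentence before the new paragraph, for example "If any explicitly specified port cannot be bound, \fBpasst\fR exits and reports the error.", so that users who rely on a given port reaching the container or VM can see that a conflict is now fatal rather than silently skipped.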
@@ -447,7 +452,11 @@ optionally, with target ports after \fI:\fR, if they differ. Specific addresses
can be bound as well, separated by \fI/\fR, and also, since Linux 5.7, limited
to specific interfaces, prefixed by \fI%\fR. Within given ranges, selected ports
and ranges can be excluded by an additional specification prefixed by \fI~\fR.
-Specifying excluded ranges only implies that all other ports are forwarded.
+
+Specifying excluded ranges only implies that all other ports are forwarded. In
+this case, no failures are reported for unavailable ports, unless no ports could
+be forwarded at all.
+
Examples:
.RS
.TP
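Review bot: this paragraph is a verbatim copy of the one added to the TCP (-t) section, and it has the same gap: it does not say that an explicitly listed UDP port that cannot be bound now makes passt exit with an error, as the commit message states. Add the same "exits and reports the error" sentence here as well, and keep the two sections worded identically so future edits to one are not missed in the other.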