Date: Wed, 25 Sep 2024 10:20:09 +0200
From: Stefano Brivio
To: David Gibson
CC: passt-dev@passt.top
Subject: Re: [PATCH 0/2] Don't expose container loopback services to the host
Message-ID: <20240925102009.62b9a0ce@elisabeth>
In-Reply-To: <20240925065436.2064995-1-david@gibson.dropbear.id.au>
References: <20240925065436.2064995-1-david@gibson.dropbear.id.au>
Organization: Red Hat
List-Id: Development discussion and patches for passt

On Wed, 25 Sep 2024 16:54:34 +1000
David Gibson wrote:

> podman issue #24045 pointed out that pasta's spliced forwarding logic
> can expose services within the namespace bound only to 127.0.0.1 or
> ::1 to the host. However, the namespace probably expects those to
> only be accessible to itself, so that's probably not what we want.

...that's what I thought would be desirable, as you see from patch 1/2
and https://github.com/containers/podman/pull/24064.

I think you're right in general, but I would feel more confident
applying this if 1. we briefly documented this in the man page and
2. we added an option to enable the current behaviour back (1. can be
documented as part of documenting 2., then).

The new fwd_nat_from_host() implementation seems to make this
relatively trivial, but I'm not really familiar with it yet, so I might
be wrong.

-- 
Stefano