On Wed, Feb 14, 2024 at 10:15:38AM +0100, Stefano Brivio wrote:
> ...or similar, that is, if only excluded ranges are given (implying
> we'll forward any other available port). In that case, we'll usually
> forward large sets of ports, and it might be inconvenient for the
> user to skip excluding single ports that are already taken.
>
> The existing behaviour, that is, exiting only if we fail to bind all
> the ports for one given forwarding option, turns out to be
> problematic for several aspects raised by Paul:
>
> - Podman merges ranges anyway, so we might fail to bind all the ports
>   from a specific range given by the user, but we'll not fail anyway
>   because Podman merges it with another one where we succeed to bind
>   at least one port. At the same time, there should be no semantic
>   difference between multiple ranges given by a single option and
>   multiple ranges given as multiple options: it's unexpected and
>   not documented
>
> - the user might actually rely on a given port to be forwarded to a
>   given container or a virtual machine, and if connections are
>   forwarded to an unrelated process, this might raise security
>   concerns
>
> - given that we can try and fail to bind multiple ports before
>   exiting (in case we can't bind any), we don't have a specific error
>   code we can return to the user, so we don't give the user helpful
>   indication as to why we couldn't bind ports.
>
> Exit as soon as we fail to create or bind a socket for a given
> forwarded port, and report the actual error.
>
> Keep the current behaviour, however, in case the user wants to
> forward all the (available) ports for a given protocol, or all the
> ports with excluded ranges only. There, it's more reasonable that
> the user is expecting partial failures, and it's probably convenient
> that we continue with the ports we could forward.
>
> Update the manual page to reflect the new behaviour, and the old
> behaviour too in the cases where we keep it.
>
> Suggested-by: Paul Holzinger
> Link: https://github.com/containers/podman/pull/21563#issuecomment-1937024642
> Signed-off-by: Stefano Brivio

Reviewed-by: David Gibson

I think this is about as good a compromise for the semantics as we can
hope for.

-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson
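The two bind policies the commit message describes, as an added example that is not part of this thread and not passt's own code: an explicit port or range stops at the first socket that cannot be bound and reports the real errno, while "all" or an exclusions-only specification skips the ports it cannot get and keeps the rest. The types and helpers (port_spec, bind_result, spec_init, spec_set, forward_ports, fake_bind, policy_demo) and the port numbers in the scenario are assumptions made here for illustration; the bind step is injected as a callback so the policy can be exercised against a constructed set of taken ports instead of real sockets.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NPORTS 65536

/* Hypothetical model of one forwarding option (not passt's own data
 * structures): the ports it asks for, and whether it was given as "all" or
 * as exclusions only, where partial failure is tolerated, or as explicit
 * ports and ranges, where the first failure is fatal. */
typedef struct {
	bool all;
	bool want[NPORTS];
} port_spec;

typedef struct {
	int bound;       /* ports bound successfully */
	int skipped;     /* ports given up on, only possible when all is set */
	int fatal_port;  /* port whose bind failure stopped us, or -1 */
	int fatal_errno; /* errno of that failure, 0 if none */
} bind_result;

/* Binder callback: 0 on success, otherwise the errno from socket()/bind().
 * Injected so the policy can run without touching real sockets. */
typedef int (*bind_fn)(unsigned short port, void *ctx);

/* Start from nothing for explicit ranges, from everything for exclusions. */
static void spec_init(port_spec *s, bool all)
{
	s->all = all;
	memset(s->want, all, sizeof(s->want));
}

static void spec_set(port_spec *s, int lo, int hi, bool on)
{
	for (int p = lo; p <= hi; p++)
		s->want[p] = on;
}

/* The policy from the commit message: an explicit port that fails to bind
 * stops everything and the real errno is reported; under "all" or
 * exclusions only, the port is skipped and we keep what we could bind. */
static bind_result forward_ports(const port_spec *s, bind_fn try_bind, void *ctx)
{
	bind_result r = { 0, 0, -1, 0 };

	for (int p = 1; p < NPORTS; p++) {
		int err;

		if (!s->want[p])
			continue;
		err = try_bind((unsigned short)p, ctx);
		if (!err)
			r.bound++;
		else if (s->all)
			r.skipped++;
		else {
			r.fatal_port = p;
			r.fatal_errno = err;
			break;
		}
	}
	return r;
}

/* Simulated binder: ctx is a bool array of ports some other process owns,
 * which a real bind() would report as EADDRINUSE. */
static int fake_bind(unsigned short port, void *ctx)
{
	return ((const bool *)ctx)[port] ? EADDRINUSE : 0;
}

/* Constructed scenario: port 8081 is already taken by an unrelated process.
 * all=false asks for 8080-8083 explicitly; all=true asks for every port
 * with only port 22 excluded. */
static bind_result policy_demo(bool all)
{
	static bool taken[NPORTS];
	static port_spec s;

	memset(taken, 0, sizeof(taken));
	taken[8081] = true;
	spec_init(&s, all);
	if (all)
		spec_set(&s, 22, 22, false);
	else
		spec_set(&s, 8080, 8083, true);
	return forward_ports(&s, fake_bind, taken);
}

int main(void)
{
	bind_result r = policy_demo(false);

	printf("explicit 8080-8083: bound %d, stopped at port %d: %s\n",
	       r.bound, r.fatal_port, strerror(r.fatal_errno));
	r = policy_demo(true);
	printf("all but 22: bound %d, skipped %d, no fatal error (%d)\n",
	       r.bound, r.skipped, r.fatal_port);
	return 0;
}
```

A real binder in place of fake_bind would create the socket, call bind() without SO_REUSEADDR, keep the descriptor open on success and return errno on failure; strerror() on that value is what turns "couldn't bind ports" into "port 8081: Address already in use". The explicit-port case is the one with the security angle raised in the message: silently continuing past 8081 would leave connections meant for the container going to whichever process already owns that port, so the policy stops there instead of reporting success for the range.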