Date: Thu, 15 Feb 2024 11:07:14 +1100
From: David Gibson
To: Stefano Brivio
Cc: passt-dev@passt.top, Paul Holzinger
Subject: Re: [PATCH] conf, passt.1: Exit if we can't bind a forwarded port, except for -[tu] all
In-Reply-To: <20240214091538.3995295-1-sbrivio@redhat.com>
On Wed, Feb 14, 2024 at 10:15:38AM +0100, Stefano Brivio wrote:
> ...or similar, that is, if only excluded ranges are given (implying
> we'll forward any other available port). In that case, we'll usually
> forward large sets of ports, and it might be inconvenient for the
> user to skip excluding single ports that are already taken.
>
> The existing behaviour, that is, exiting only if we fail to bind all
> the ports for one given forwarding option, turns out to be
> problematic for several aspects raised by Paul:
>
> - Podman merges ranges anyway, so we might fail to bind all the ports
>   from a specific range given by the user, but we'll not fail anyway
>   because Podman merges it with another one where we succeed to bind
>   at least one port. At the same time, there should be no semantic
>   difference between multiple ranges given by a single option and
>   multiple ranges given as multiple options: it's unexpected and
>   not documented
>
> - the user might actually rely on a given port to be forwarded to a
>   given container or a virtual machine, and if connections are
>   forwarded to an unrelated process, this might raise security
>   concerns
>
> - given that we can try and fail to bind multiple ports before
>   exiting (in case we can't bind any), we don't have a specific error
>   code we can return to the user, so we don't give the user helpful
>   indication as to why we couldn't bind ports.
>
> Exit as soon as we fail to create or bind a socket for a given
> forwarded port, and report the actual error.
>
> Keep the current behaviour, however, in case the user wants to
> forward all the (available) ports for a given protocol, or all the
> ports with excluded ranges only. There, it's more reasonable that
> the user is expecting partial failures, and it's probably convenient
> that we continue with the ports we could forward.
>
> Update the manual page to reflect the new behaviour, and the old
> behaviour too in the cases where we keep it.
>
> Suggested-by: Paul Holzinger
> Link: https://github.com/containers/podman/pull/21563#issuecomment-1937024642
> Signed-off-by: Stefano Brivio

Reviewed-by: David Gibson

I think this is about as good a compromise for the semantics as we can
hope for.

-- 
David Gibson                    | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
                                | _way_ _around_!
http://www.ozlabs.org/~dgibson
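To make the two bind-failure policies described in the quoted commit message concrete, here is an added example in C. It is not passt's own code: forward_ports(), bind_tcp_port(), sim_bind() and run_scenario() are hypothetical names, the port numbers 8080-8082 are constructed, and sim_bind() stands in for the kernel so the block runs offline, treating port 8081 as already owned by an unrelated process. In explicit mode (a port or range the user named) the loop stops at the first failure and hands back the real errno; in "all" or exclusion-only mode it records the failure but keeps binding the remaining ports.

```c
/* Added example, not passt's code: bind-failure policy for forwarded ports.
 * Names (forward_ports, bind_tcp_port, sim_bind, run_scenario) are
 * hypothetical; the port numbers are constructed for demonstration. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum fwd_mode {
	FWD_EXPLICIT,	/* e.g. -t 80,443 or -t 8000-8010: every port is required */
	FWD_ALL,	/* -t all, or exclusion-only spec: partial failure tolerated */
};

struct fwd_result {
	int bound;		/* ports successfully bound */
	int failed_port;	/* first port that could not be bound, -1 if none */
	int err;		/* errno of that failure, 0 if none */
};

/* Binder callback: returns a descriptor, or -1 with errno set. */
typedef int (*bind_fn)(uint16_t port);

/* Real binder: claim a TCP port on loopback. bind() fails with EADDRINUSE
 * when another process already owns the port. */
int bind_tcp_port(uint16_t port)
{
	struct sockaddr_in sa = { .sin_family = AF_INET };
	int fd = socket(AF_INET, SOCK_STREAM, 0);
	if (fd < 0)
		return -1;
	sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	sa.sin_port = htons(port);
	if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
		int saved = errno;
		close(fd);
		errno = saved;
		return -1;
	}
	return fd;
}

/* Simulated binder so the example runs offline: port 8081 behaves as if an
 * unrelated process already owns it. The value returned is not a real fd. */
int sim_bind(uint16_t port)
{
	if (port == 8081) {
		errno = EADDRINUSE;
		return -1;
	}
	return 10000 + port;
}

/* Try to bind every port in ports[], storing descriptors in fds[] (-1 where
 * not bound). FWD_EXPLICIT: stop at the first failure and report the real
 * errno, so a port the user named is never silently left to whatever process
 * already holds it. FWD_ALL: note the first failure but carry on. */
struct fwd_result forward_ports(const uint16_t *ports, size_t n, int *fds,
				enum fwd_mode mode, bind_fn try_bind)
{
	struct fwd_result r = { 0, -1, 0 };

	memset(fds, 0xff, n * sizeof(*fds));	/* every entry starts as -1 */
	for (size_t i = 0; i < n; i++) {
		fds[i] = try_bind(ports[i]);
		if (fds[i] >= 0) {
			r.bound++;
			continue;
		}
		if (r.failed_port < 0) {
			r.failed_port = ports[i];
			r.err = errno;
		}
		if (mode == FWD_EXPLICIT)
			break;
	}
	return r;
}

/* Constructed scenario: forward 8080-8082 while 8081 is already taken. */
struct fwd_result run_scenario(enum fwd_mode mode, bind_fn try_bind)
{
	uint16_t ports[] = { 8080, 8081, 8082 };
	int fds[3];
	return forward_ports(ports, 3, fds, mode, try_bind);
}

int main(void)
{
	struct fwd_result r = run_scenario(FWD_EXPLICIT, sim_bind);
	printf("explicit: bound %d, stopped at port %d: %s\n",
	       r.bound, r.failed_port, strerror(r.err));
	r = run_scenario(FWD_ALL, sim_bind);
	printf("all: bound %d, skipped port %d: %s\n",
	       r.bound, r.failed_port, strerror(r.err));
	return 0;
}
```

With sim_bind() the explicit run binds one port and stops at 8081 with EADDRINUSE, while the "all" run binds two and reports 8081 as skipped. Passing bind_tcp_port() instead exercises the same policy against real loopback sockets; in that case the descriptors in fds[] are real and must be closed by the caller, which this demonstration does not do because it exits immediately.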