Date: Sun, 30 Nov 2025 11:42:54 +0100
From: Stefano Brivio
To: Jan Wrobel
CC: David Gibson, passt-user@passt.top
Subject: Re: Auto forwarding ports, but only to localhost
Message-ID: <20251130114254.3ed409d8@elisabeth>
Organization: Red Hat
List-Id: "For passt users: support, questions and answers"

On Fri, 28 Nov 2025 12:03:06 +0100
Jan Wrobel wrote:

> On Fri, Nov 28, 2025 at 2:10 AM David Gibson wrote:
> >
> > On Thu, Nov 27, 2025 at 01:48:54PM +0100, Jan Wrobel wrote:
> > > Hi,
> > >
> > > For pasta, would you consider an option to enable automatic forwarding
> > > of ports bound in a namespace, but make the forwarded ports available
> > > only via localhost, not all addresses?
> > >
> > > I'm working on a sandboxing program which uses pasta. The option -t
> > > "auto" is super convenient, but requires extra care, without proper
> > > firewall setup bound ports become automatically available to outside
> > > world. For a sandboxing program like mine, it is not a safe default to
> > > run with, because the program shouldn't assume the user will have a
> > > firewall configured.
> > >
> > > If something like "localhost/auto" was supported, it would match the
> > > convenience of "auto", no manual port mapping config would be needed,
> > > but would be safer for use cases where exposing ports to outside
> > > world is problematic.
> >
> > Short answer: yes, but it might be a while.
> >
> > Long answer:
> >
> > We want to make our forwarding / NAT configuration more flexible in
> > ways that would allow a bunch of things, including this. There are a
> > lot of different features people have requested, each individually
> > simple, but together adding up to quite a lot of work. I'm actively
> > working on making our internal data structures more flexible to allow
> > more general configuration. However, it's fairly slow going, between
> > other firefighting and unravelling some technical debt.
> >
> > If you want to make sure your specific use case isn't forgotten, the
> > best way would be to file a ticket for it on passt.top - it will
> > probably be blocked on https://bugs.passt.top/show_bug.cgi?id=140 but
> > that will keep a record to look back at later.
>
> Thanks, for considering adding this feature!
>
> I'll add the ticket, but currently there is some problem with the
> passt ticket system. I've seen it working at some point but today and
> yesterday https://passt.top/passt/bugs is just an empty page, and
> https://bugs.passt.top/index.cgi gives 403 error

Weird, sorry for the inconvenience, both work for me. I did some
maintenance last week but I didn't expect any downtime as a result.

Can you try again and, if things fail, give me an exact timestamp of
when you tried, so that I can try to find out something from logs?

-- 
Stefano
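
An added example, not part of the original thread and not passt code: the exposure described in the quoted request for -t "auto" can be audited on the host by listing TCP sockets in LISTEN state whose local address is not loopback. The sample table is constructed, and the decoder assumes the IPv4 /proc/net/tcp layout as printed on a little-endian host (IPv6 listeners live in /proc/net/tcp6 and are not covered here).

```python
import ipaddress

# Constructed sample in /proc/net/tcp layout (trailing columns trimmed).
# Addresses are hex in host byte order (little-endian here), ports plain hex.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000
   1: 00000000:0BB8 00000000:0000 0A 00000000:00000000
   2: 0100007F:A1B2 0100007F:1F90 01 00000000:00000000
   3: 0F02000A:01BB 00000000:0000 0A 00000000:00000000
"""

TCP_LISTEN = 0x0A  # socket state code the kernel prints for listening sockets


def exposed_listeners(proc_net_tcp_text):
    """Return (address, port) pairs of LISTEN sockets reachable beyond loopback.

    A wildcard bind (0.0.0.0) or a bind to a routable address both count as
    exposed; only 127.0.0.0/8 binds are treated as local-only.
    """
    found = set()
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        if int(fields[3], 16) != TCP_LISTEN:
            continue  # established and other states are not listeners
        hex_addr, hex_port = fields[1].split(":")
        # Reverse the bytes to get network order on a little-endian host.
        addr = ipaddress.IPv4Address(bytes.fromhex(hex_addr)[::-1])
        if not addr.is_loopback:
            found.add((str(addr), int(hex_port, 16)))
    return sorted(found, key=lambda item: (item[1], item[0]))


if __name__ == "__main__":
    # On a real host, pass open("/proc/net/tcp").read() instead of the sample.
    for address, port in exposed_listeners(SAMPLE_PROC_NET_TCP):
        print(f"listening beyond loopback: {address}:{port}")
```

The table covers every listener on the host, so attributing an entry to a particular process means matching the socket inode column (trimmed from the sample) against that process's file descriptors.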