From: Jan Wrobel
Date: Fri, 28 Nov 2025 12:03:06 +0100
Subject: Re: Auto forwarding ports, but only to localhost
To: David Gibson
CC: passt-user@passt.top
List-Id: "For passt users: support, questions and answers"

On Fri, Nov 28, 2025 at 2:10 AM David Gibson wrote:
>
> On Thu, Nov 27, 2025 at 01:48:54PM +0100, Jan Wrobel wrote:
> > Hi,
> >
> > For pasta, would you consider an option to enable automatic forwarding
> > of ports bound in a namespace, but make the forwarded ports available
> > only via localhost, not all addresses?
> >
> > I'm working on a sandboxing program which uses pasta. The option -t
> > "auto" is super convenient, but requires extra care, without proper
> > firewall setup bound ports become automatically available to the outside
> > world. For a sandboxing program like mine, it is not a safe default to
> > run with, because the program shouldn't assume the user will have a
> > firewall configured.
> >
> > If something like "localhost/auto" was supported, it would match the
> > convenience of "auto", no manual port mapping config would be needed,
> > but would be safer for use cases where exposing ports to the outside
> > world is problematic.
>
> Short answer: yes, but it might be a while.
>
> Long answer:
>
> We want to make our forwarding / NAT configuration more flexible in
> ways that would allow a bunch of things, including this. There are a
> lot of different features people have requested, each individually
> simple, but together adding up to quite a lot of work. I'm actively
> working on making our internal data structures more flexible to allow
> more general configuration. However, it's fairly slow going, between
> other firefighting and unravelling some technical debt.
>
> If you want to make sure your specific use case isn't forgotten, the
> best way would be to file a ticket for it on passt.top - it will
> probably be blocked on https://bugs.passt.top/show_bug.cgi?id=140 but
> that will keep a record to look back at later.

Thanks for considering adding this feature! I'll add the ticket, but
currently there is some problem with the passt ticket system. I've
seen it working at some point but today and yesterday
https://passt.top/passt/bugs is just an empty page, and
https://bugs.passt.top/index.cgi gives a 403 error.

Cheers,
Jan