On Thu, Nov 27, 2025 at 01:48:54PM +0100, Jan Wrobel wrote:
> Hi,
>
> For pasta, would you consider an option to enable automatic forwarding
> of ports bound in a namespace, but make the forwarded ports available
> only via localhost, not all addresses?
>
> I'm working on a sandboxing program which uses pasta. The option -t
> "auto" is super convenient, but requires extra care, without proper
> firewall setup bound ports become automatically available to outside
> world. For a sandboxing program like mine, it is not a safe default to
> run with, because the program shouldn't assume the user will have a
> firewall configured.
>
> If something like "localhost/auto" was supported, it would match the
> convenience of "auto", no manual port mapping config would be needed,
> but would be safer for use cases where exposing ports to outside
> world is problematic.

Short answer: yes, but it might be a while.

Long answer: We want to make our forwarding / NAT configuration more
flexible in ways that would allow a bunch of things, including this.
There are a lot of different features people have requested, each
individually simple, but together adding up to quite a lot of work.

I'm actively working on making our internal data structures more
flexible to allow more general configuration. However, it's fairly
slow going, between other firefighting and unravelling some technical
debt.

If you want to make sure your specific use case isn't forgotten, the
best way would be to file a ticket for it on passt.top - it will
probably be blocked on https://bugs.passt.top/show_bug.cgi?id=140 but
that will keep a record to look back at later.

-- 
David Gibson (he or they)      | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you, not the other way
                               | around.
http://www.ozlabs.org/~dgibson