Date: Fri, 28 Nov 2025 12:10:32 +1100
From: David Gibson
To: Jan Wrobel
CC: passt-user@passt.top
Subject: Re: Auto forwarding ports, but only to localhost
List-Id: "For passt users: support, questions and answers"

On Thu, Nov 27, 2025 at 01:48:54PM +0100, Jan Wrobel wrote:
> Hi,
>
> For pasta, would you consider an option to enable automatic forwarding
> of ports bound in a namespace, but make the forwarded ports available
> only via localhost, not all addresses?
>
> I'm working on a sandboxing program which uses pasta. The option -t
> "auto" is super convenient, but requires extra care, without proper
> firewall setup bound ports become automatically available to outside
> world. For a sandboxing program like mine, it is not a safe default to
> run with, because the program shouldn't assume the user will have a
> firewall configured.
>
> If something like "localhost/auto" was supported, it would match the
> convenience of "auto", no manual port mapping config would be needed,
> but would be safer for use cases where exposing ports to outside
> world is problematic.

Short answer: yes, but it might be a while.

Long answer: We want to make our forwarding / NAT configuration more
flexible in ways that would allow a bunch of things, including this.
There are a lot of different features people have requested, each
individually simple, but together adding up to quite a lot of work.
I'm actively working on making our internal data structures more
flexible to allow more general configuration. However, it's fairly
slow going, between other firefighting and unravelling some technical
debt.

If you want to make sure your specific use case isn't forgotten, the
best way would be to file a ticket for it on passt.top - it will
probably be blocked on https://bugs.passt.top/show_bug.cgi?id=140 but
that will keep a record to look back at later.

-- 
David Gibson (he or they)       | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you, not the other way
                                | around.
http://www.ozlabs.org/~dgibson
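
A host-side check for the exposure raised in the question, as an added example that is not part of the original message or of passt: it parses Linux /proc/net/tcp text and reports listening TCP sockets bound to anything other than loopback. The sample table is constructed, the function names are hypothetical, the address decoding assumes a little-endian host, and only IPv4 is covered (/proc/net/tcp6 is not parsed).

```python
import ipaddress

TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 41001
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 41002
   2: 0A01A8C0:1538 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 41003
   3: 0100007F:1F90 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 41004
"""


def listening_sockets(proc_net_tcp_text):
    """Return (IPv4Address, port) for every socket in LISTEN state."""
    sockets = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue  # blank line, short line, or not a listener
        addr_hex, port_hex = fields[1].split(":")
        # Assumption: little-endian host (e.g. x86-64), where the kernel
        # prints the IPv4 address with its bytes reversed.
        address = ipaddress.IPv4Address(bytes.fromhex(addr_hex)[::-1])
        sockets.append((address, int(port_hex, 16)))
    return sockets


def exposed_beyond_loopback(proc_net_tcp_text):
    """Listening sockets reachable on something other than 127.0.0.0/8."""
    return sorted(
        (str(address), port)
        for address, port in listening_sockets(proc_net_tcp_text)
        if not address.is_loopback
    )


if __name__ == "__main__":
    # On a real host: exposed_beyond_loopback(open("/proc/net/tcp").read())
    for address, port in exposed_beyond_loopback(SAMPLE_PROC_NET_TCP):
        print(f"listening beyond loopback: {address}:{port}")
```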