From: David Gibson
To: Jan Wrobel
Cc: passt-user@passt.top
Date: Sun, 30 Nov 2025 18:24:01 +1100
Subject: Re: Auto forwarding ports, but only to localhost

On Fri, Nov 28, 2025 at 12:03:06PM +0100, Jan Wrobel wrote:
> On Fri, Nov 28, 2025 at 2:10 AM David Gibson wrote:
> >
> > On Thu, Nov 27, 2025 at 01:48:54PM +0100, Jan Wrobel wrote:
> > > Hi,
> > >
> > > For pasta, would you consider an option to enable automatic forwarding
> > > of ports bound in a namespace, but make the forwarded ports available
> > > only via localhost, not all addresses?
> > >
> > > I'm working on a sandboxing program which uses pasta. The option -t
> > > "auto" is super convenient, but requires extra care, without proper
> > > firewall setup bound ports become automatically available to outside
> > > world. For a sandboxing program like mine, it is not a safe default to
> > > run with, because the program shouldn't assume the user will have a
> > > firewall configured.
> > >
> > > If something like "localhost/auto" was supported, it would match the
> > > convenience of "auto", no manual port mapping config would be needed,
> > > but would be safer for use cases where exposing ports to outside
> > > world is problematic.
> >
> > Short answer: yes, but it might be a while.
> >
> > Long answer:
> >
> > We want to make our forwarding / NAT configuration more flexible in
> > ways that would allow a bunch of things, including this.  There are a
> > lot of different features people have requested, each individually
> > simple, but together adding up to quite a lot of work.  I'm actively
> > working on making our internal data structures more flexible to allow
> > more general configuration.  However, it's fairly slow going, between
> > other firefighting and unravelling some technical debt.
> >
> > If you want to make sure your specific use case isn't forgotten, the
> > best way would be to file a ticket for it on passt.top - it will
> > probably be blocked on https://bugs.passt.top/show_bug.cgi?id=140 but
> > that will keep a record to look back at later.
>
> Thanks for considering adding this feature!
>
> I'll add the ticket, but currently there is some problem with the
> passt ticket system. I've seen it working at some point but today and
> yesterday https://passt.top/passt/bugs is just an empty page, and
> https://bugs.passt.top/index.cgi gives 403 error

Oh, weird.  https://bugs.passt.top is the address to use, but I
haven't noticed it being down in the last couple of days.  It seems to
be working for me right now.

Note that signing up for an account is likely to be somewhat slow -
Stefano has to manually intervene for each sign up, to avoid
inundation by bots.

-- 
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson
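
The exposure raised in this thread (listeners reachable on all addresses rather than only localhost) can be audited on the host by reading the kernel's socket tables. The following is an added example, not part of the original message and not passt code; it assumes the Linux /proc/net/tcp and /proc/net/tcp6 layout on a little-endian host, and the function names and sample tables are constructed for illustration.

```python
import ipaddress
import struct

# Constructed samples in /proc/net/tcp and /proc/net/tcp6 layout (not real captures).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 40001
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 40002
   2: 0100007F:A1B2 0100007F:0CEA 01 00000000:00000000 00:00000000 00000000  1000        0 40003
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0050 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 40004
   1: 00000000000000000000000001000000:1538 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 40005
"""

TCP_LISTEN = 0x0A  # kernel socket state code for LISTEN


def decode_addr(hex_addr):
    """Decode a /proc/net/tcp{,6} address: 32-bit words in host byte order."""
    raw = bytes.fromhex(hex_addr)
    words = struct.unpack(f">{len(raw) // 4}I", raw)
    # Assumption: little-endian host, so each word is byte-swapped.
    return ipaddress.ip_address(struct.pack(f"<{len(words)}I", *words))


def exposed_listeners(table_text):
    """Return (address, port) for LISTEN sockets not bound to loopback."""
    found = []
    for line in table_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or int(fields[3], 16) != TCP_LISTEN:
            continue
        hex_addr, hex_port = fields[1].split(":")
        addr = decode_addr(hex_addr)
        if not addr.is_loopback:
            found.append((str(addr), int(hex_port, 16)))
    return sorted(found, key=lambda item: item[1])


if __name__ == "__main__":
    for name, table in (("tcp", SAMPLE_TCP), ("tcp6", SAMPLE_TCP6)):
        for addr, port in exposed_listeners(table):
            print(f"{name}: port {port} listens on {addr} (reachable beyond loopback)")
```

On a real host, pass the contents of /proc/net/tcp and /proc/net/tcp6 to exposed_listeners() instead of the samples.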