> [Note: you didn't send this to the list, I guess it's by accident, but
> I'm answering in private just in case -- if it's really by accident,
> I'll also answer on list ;)]

That was by accident, let me put this back into the list.
> So, to recap, I guess the to-do list is:
> - drop automatic port bindings (both ways) in default configuration
>   options passed by Podman
> - drop also the loopback trick (by default)
> - add option to bind ports to specific addresses, per-port
>
> ...anything else? I would wait a couple more days for any
> additional feedback and then come back with the changes.

I think one big question would be packaging passt/pasta in distros. I don't
think it is a good user experience when users cannot get this from the
official repos.
Dan, Brent, Matt, Giuseppe WDYT?
On Wed, Feb 23, 2022 at 5:46 PM Stefano Brivio <sbrivio(a)redhat.com> wrote:
> [Note: you didn't send this to the list, I guess it's by accident, but
> I'm answering in private just in case -- if it's really by accident,
> I'll also answer on list ;)]
>
> On Wed, 23 Feb 2022 16:35:54 +0100
> Paul Holzinger <pholzing(a)redhat.com> wrote:
>
> > > Perhaps it would be reasonable to make it non-default in the options
> > > passed by Podman ("-t none -u none" if no ports are passed), and keep
> > > it the default in pasta (it saves some typing).
> >
> > That would be fine, I don't care about the pasta default as long as
> > podman uses the secure option by default this is fine for me.
>
> Okay, I'll change that in the patch (and in the demo).
>
> > > Perhaps we could also allow restricting the amount of ports (say, five)
> > > that can be bound automatically. Would something like that preferable
> > > as default?
> >
> > I don't think this helps much, we should only add ports that were
> > explicitly set with podman run -p ...
> > A container should not be able to alter the host by default.
>
> > > The interface isn't really shared, but yes, ports can be directly bound
> > > both ways.
> >
> > I see, I got confused because reverse mapping was working.
>
> > Another question, does pasta support binding only a specific host
> > address?
> > I only see the port:port syntax in the man page. In podman you can do -p
> > ipv4:port:port or [ipv6]:port:port.
>
> Not explicitly: one can pass a host interface that's used to source the
> address -- by default, that's the interface with the first returned
> least-specific route for IPv4, i.e. the default gateway, or for IPv6 if
> IPv4 is disabled/not available.
>
> Addresses can also be overridden with "-a" (separately for IPv4 and IPv6) --
> and the configured address will be used.
>
> ...but not with different per-port addresses. I can definitely add an
> option for that.
>
> Now, passt doesn't use dynamic memory allocation (for security reasons), so
> I'll need to move the binding routines to the command line argument parsing
> stage (ports are stored as bitmaps, I can't store an arbitrary number of
> addresses), but it's a quick change.
>
> So, to recap, I guess the to-do list is:
> - drop automatic port bindings (both ways) in default configuration
>   options passed by Podman
> - drop also the loopback trick (by default)
> - add option to bind ports to specific addresses, per-port
>
> ...anything else? I would wait a couple more days for any
> additional feedback and then come back with the changes.
>
> --
> Stefano
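The thread turns on two things: ports must only be forwarded when the user explicitly asks with `podman run -p ...`, and the `-p` spec may carry a host address (`ipv4:port:port` or `[ipv6]:port:port`) so the listener is not bound on every host interface. The following is an added example, written for this page and not code from passt/pasta or Podman, that parses those spec forms and resolves what the host-side listener would be. It assumes a bare `CPORT` form (host port chosen by the host), TCP as the default protocol, and that unbracketed IPv6 addresses are rejected because their colons are ambiguous; all of those are my assumptions, not behaviour the thread states.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// PortMapping is one resolved "-p" rule. HostIP == nil means the user gave
// no host address, i.e. the port would be bound on every host address.
type PortMapping struct {
	HostIP        net.IP
	HostPort      int // 0: let the host pick an ephemeral port (assumption)
	ContainerPort int
	Proto         string
}

// HostListen renders the host-side socket address: ":8080" when no
// address was given (all interfaces), "[::1]:8080" or "127.0.0.1:8080"
// otherwise. Seeing the leading ":" is the quickest way to spot a
// mapping that will be reachable from the whole network.
func (m PortMapping) HostListen() string {
	host := ""
	if m.HostIP != nil {
		host = m.HostIP.String()
	}
	return net.JoinHostPort(host, strconv.Itoa(m.HostPort))
}

// parsePort accepts only 1..65535.
func parsePort(s string) (int, error) {
	n, err := strconv.Atoi(s)
	if err != nil || n < 1 || n > 65535 {
		return 0, fmt.Errorf("invalid port %q", s)
	}
	return n, nil
}

// ParsePublish accepts the forms mentioned in the thread (hypothetical
// parser, not Podman's own):
//   CPORT, HPORT:CPORT, IPV4:HPORT:CPORT, [IPV6]:HPORT:CPORT
// each optionally followed by /tcp or /udp (tcp when omitted).
func ParsePublish(spec string) (PortMapping, error) {
	m := PortMapping{Proto: "tcp"}
	if i := strings.LastIndex(spec, "/"); i >= 0 {
		m.Proto = strings.ToLower(spec[i+1:])
		spec = spec[:i]
		if m.Proto != "tcp" && m.Proto != "udp" {
			return m, fmt.Errorf("unsupported protocol %q", m.Proto)
		}
	}

	var ipStr, rest string
	switch {
	case strings.HasPrefix(spec, "["):
		// Bracketed IPv6: everything up to "]" is the address.
		end := strings.Index(spec, "]")
		if end < 0 || !strings.HasPrefix(spec[end+1:], ":") {
			return m, fmt.Errorf("malformed bracketed IPv6 address in %q", spec)
		}
		ipStr, rest = spec[1:end], spec[end+2:]
	case strings.Count(spec, ":") == 2:
		// IPV4:HPORT:CPORT
		parts := strings.SplitN(spec, ":", 2)
		ipStr, rest = parts[0], parts[1]
	case strings.Count(spec, ":") > 2:
		return m, errors.New("IPv6 host addresses must be written in [brackets]")
	default:
		rest = spec
	}
	if ipStr != "" {
		if m.HostIP = net.ParseIP(ipStr); m.HostIP == nil {
			return m, fmt.Errorf("invalid host address %q", ipStr)
		}
	}

	ports := strings.Split(rest, ":")
	var err error
	switch len(ports) {
	case 1:
		m.ContainerPort, err = parsePort(ports[0])
	case 2:
		if m.HostPort, err = parsePort(ports[0]); err == nil {
			m.ContainerPort, err = parsePort(ports[1])
		}
	default:
		err = fmt.Errorf("too many port fields in %q", rest)
	}
	return m, err
}

func main() {
	// Constructed sample specs, not taken from the thread.
	for _, spec := range []string{"8080:80", "127.0.0.1:8080:80", "[::1]:5353:53/udp", "::1:8080:80"} {
		m, err := ParsePublish(spec)
		if err != nil {
			fmt.Println(spec, "->", err)
			continue
		}
		fmt.Printf("%-20s host %-16s -> container %d/%s\n", spec, m.HostListen(), m.ContainerPort, m.Proto)
	}
}
```

The point of `HostListen` is the check a reviewer of a `podman run` line wants: a mapping with no host address renders as `:8080`, which is the "bound on everything" case, whereas `127.0.0.1:8080:80` renders as `127.0.0.1:8080` and stays off the network. Nothing here binds sockets; it only resolves what would be bound, which is the part the to-do list in the thread proposes to make explicit and per-port.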