On Wed, 25 Sep 2024 16:54:34 +1000 David Gibson <david(a)gibson.dropbear.id.au> wrote:

> podman issue #24045 pointed out that pasta's spliced forwarding logic
> can expose services within the namespace bound only to 127.0.0.1 or
> ::1 to the host. However, the namespace probably expects those to
> only be accessible to itself, so that's probably not what we want.

...that's what I thought would be desirable, as you see from patch 1/2 and https://github.com/containers/podman/pull/24064.

I think you're right in general, but I would feel more confident applying this if 1. we briefly documented this in the man page and 2. we added an option to enable the current behaviour back (1. can be documented as part of documenting 2., then).

The new fwd_nat_from_host() implementation seems to make this relatively trivial, but I'm not really familiar with it yet, so I might be wrong.

-- 
Stefano