Timeline for Does Linux have a system for reserving certain network ports for particular utilities, namely for a VM host to reserve for VMs?
Current License: CC BY-SA 4.0
15 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Dec 19, 2024 at 15:24 | vote: accept | vfclists | | |
| Nov 18, 2024 at 0:20 | comment: added | Vorac | | "If some other software requests a port without checking with the host it should find it blocked as though it is in use." Stupid solution: keep them open via a dummy program until ready to be bound by the VMs. |
| Nov 12, 2024 at 11:42 | comment: added | Tom Yan | | "If some other software requests a port without checking with the host it should find it blocked as though it is in use." So maybe your real question is whether there is an API provided by the kernel that can be used to query "sockets" being DNAT'd / port forwarded? "it should find it blocked as though it is in use" What's the point, though? I mean, unless it is fine for it to just listen on a random port, which is at least usually not the case for "incoming ports", otherwise it will just fail and bail out? (Besides, usually you can configure which port or port range it listens on, no?) |
| Nov 12, 2024 at 11:34 | comment: added | Tom Yan | | As for the SNAT/MASQUERADE, it will retain the source port picked by the VM unless it is being used by the host or you instruct it not to in the rule. Just like the mapping between the IPs, "conntrack" will "remember" the mapping between the ports and "reverse DNAT" will take care of the replies for the VM. |
| Nov 12, 2024 at 11:31 | comment: added | Tom Yan | | I'm not really seeing what the real concern is here, to be frank. First of all, if your VM host has DNAT rules that forward traffic destined for certain ports to the VM, then in case anything running on the VM host listens on those ports as well, they will effectively be "hidden" by the DNAT rules, meaning that the processes will be able to listen on the ports but they will not receive traffic, until/unless the DNAT rules are removed. |
| Nov 12, 2024 at 5:10 | answer: added | Sotto Voce | | timeline score: 2 |
| Nov 11, 2024 at 17:09 | history: became hot network question | | | |
| Nov 11, 2024 at 15:55 | answer: added | Marcus Müller | | timeline score: 2 |
| Nov 11, 2024 at 9:49 | history: edited | muru | | edited tags |
| Nov 11, 2024 at 9:37 | comment: added | Jim L. | | I edited your post to reflect that additional information. |
| Nov 11, 2024 at 9:37 | history: edited | Jim L. | CC BY-SA 4.0 | added 316 characters in body |
| Nov 11, 2024 at 9:33 | comment: added | vfclists | | @JimL The VMs share the IP address with the host, and some incoming ports need to be forwarded to services running on the VMs or the containers. I don't know if the outgoing ports need to be reserved unless they will interfere with the listening services. I guess the iptables rules can distinguish them, or not. |
| Nov 11, 2024 at 9:19 | history: edited | Jim L. | | edited tags |
| Nov 11, 2024 at 9:15 | comment: added | Jim L. | | It would help immensely if you would specify whether you mean incoming or outgoing ports; whether the VM has its own IP or if it shares an IP with other VMs and/or the physical host (guessing that it does, but an explicit acknowledgement would lend focus); and why you think this is necessary. |
| Nov 11, 2024 at 9:09 | history: asked | vfclists | CC BY-SA 4.0 | |