Unverified Commit 8c269e39 authored by Kroese's avatar Kroese Committed by GitHub

fix: Expose only selected ports with Passt (#891)

parent fcf61bee
+8 −1
@@ -242,7 +242,7 @@ kubectl apply -f https://raw.githubusercontent.com/qemus/qemu/refs/heads/master/

### How do I expose network ports?

  You can expose ports just by adding them to your compose file. If you want to be able to connect to the SSH service of the machine for example, you would add it like this:
  When using bridge networking, you can expose ports by adding them to your compose file. If you want to be able to connect to the SSH service of the machine for example, you would add it like this:

  ```yaml
  ports:
@@ -251,6 +251,13 @@ kubectl apply -f https://raw.githubusercontent.com/qemus/qemu/refs/heads/master/

  This will make port 2222 on your host redirect to port 22 of the virtual machine.

  When using user-mode networking (for example when running under Podman), you will also need to add those ports to the `USER_PORTS` variable like this:

  ```yaml
  environment:
    USER_PORTS: "22,80,443"
  ```

### How do I assign an individual IP address to the container?

  By default, the container uses bridge networking, which shares the IP address with the host.
+67 −70
@@ -181,35 +181,26 @@ configureDNS() {
  return 0
}

getUserPorts() {

  local args=""
  local list=$1
  local ssh="22"

  [[ "${BOOT_MODE:-}" == "windows"* ]] && ssh="3389"
  [ -z "$list" ] && list="$ssh" || list+=",$ssh"
compat() {

  list="${list//,/ }"
  list="${list## }"
  list="${list%% }"
  local gateway="$1"
  local interface="$2"
  local samba="20.20.20.1"

  for port in $list; do
    proto="tcp"
    num="$port"
  [[ "$samba" == "$gateway" ]] && return 0
  [[ "${BOOT_MODE:-}" != "windows"* ]] && return 0

    if [[ "$port" == */udp ]]; then
      proto="udp"
      num="${port%/udp}"
    elif [[ "$port" == */tcp ]]; then
      proto="tcp"
      num="${port%/tcp}"
  if [[ "$interface" != "${interface:0:8}" ]]; then
    error "Bridge name too long!" && return 1
  fi

    args+="hostfwd=$proto::$num-$VM_NET_IP:$num,"
  done
  # Backwards compatibility with old installations
  if ip address add dev "$interface" "$samba/24" label "$interface:compat"; then
    SAMBA_INTERFACE="$samba"
  else
    warn "failed to configure IP alias!"
  fi

  echo "${args%?}"
  return 0
}

@@ -233,47 +224,52 @@ getHostPorts() {
    [ -z "$list" ] && list="$WSD_PORT" || list+=",$WSD_PORT"
  fi

  if [[ "${NETWORK,,}" == "passt" ]]; then

    local DNS_PORT="53"
    local SAMBA_PORT="445"
  echo "$list"
  return 0
}

    if [[ "${DNSMASQ_DISABLE:-}" != [Yy1]* ]]; then
      [ -z "$list" ] && list="$DNS_PORT" || list+=",$DNS_PORT"
    fi
getUserPorts() {

    if [[ "${BOOT_MODE:-}" == "windows"* ]]; then
      if [[ "${SAMBA:-}" != [Nn]* ]]; then
        [ -z "$list" ] && list="$SAMBA_PORT" || list+=",$SAMBA_PORT"
      fi
    fi
  local args=""
  local list=$1
  list=$(echo "${list// /}" | sed 's/,*$//g')

  fi
  local ssh="22"
  [[ "${BOOT_MODE:-}" == "windows"* ]] && ssh="3389"
  [ -z "$list" ] && list="$ssh" || list+=",$ssh"

  echo "$list"
  return 0
}

compat() {
getSlirp() {

  local gateway="$1"
  local interface="$2"
  local samba="20.20.20.1"
  local args=""
  local list=""

  [[ "$samba" == "$gateway" ]] && return 0
  [[ "${BOOT_MODE:-}" != "windows"* ]] && return 0
  list=$(getUserPorts)
  list="${list//,/ }"
  list="${list## }"
  list="${list%% }"

  if [[ "$interface" != "${interface:0:8}" ]]; then
    error "Bridge name too long!" && return 1
  fi
  for port in $list; do

  # Backwards compatibility with old installations
  if ip address add dev "$interface" "$samba/24" label "$interface:compat"; then
    SAMBA_INTERFACE="$samba"
  else
    warn "failed to configure IP alias!"
    proto="tcp"
    num="${port%/tcp}"

    if [[ "$port" == *"/udp" ]]; then
      proto="udp"
      num="${port%/udp}"
    elif [[ "$port" != *"/tcp" ]]; then
      args+="hostfwd=$proto::$num-$VM_NET_IP:$num,"
      proto="udp"
      num="${port%/udp}"
    fi

    args+="hostfwd=$proto::$num-$VM_NET_IP:$num,"
  done

  echo "${args%?}"
  return 0
}
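Review bot: getSlirp calls getUserPorts with no argument (`list=$(getUserPorts)`), so `$1` is empty inside the new getUserPorts and the `hostfwd=` list it builds only ever contains the SSH/RDP port, never the USER_PORTS values; the list should be passed through, e.g. `list=$(getUserPorts "$1")`, with the caller supplying `"${USER_PORTS:-}"`. The rendered page loses the +/- markers, but configureSlirp in the following hunk still appears to run `forward=$(getUserPorts "${USER_PORTS:-}")` and append the result to NET_OPTS, which after this change is a bare comma list such as `22,80,443` rather than the `hostfwd=…` pairs `-netdev user` expects — if so, that line should become `forward=$(getSlirp "${USER_PORTS:-}")`. `local args=""` in the new getUserPorts looks unused now that the function only echoes the port list. The `elif [[ "$port" != *"/tcp" ]]` branch at the end of getSlirp deliberately emits the tcp rule and then falls through to the udp rule for an unsuffixed port; a comment like `# bare port: forward both tcp and udp` would make that intent visible to the next reader.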

@@ -295,14 +291,14 @@ configureSlirp() {

  NET_OPTS="-netdev user,id=hostnet0,ipv4=on,host=$gateway,net=${gateway%.*}.0/24,dhcpstart=$ip,${ipv6}hostname=$VM_NET_HOST"

  local forward
  local forward=""
  forward=$(getUserPorts "${USER_PORTS:-}")
  [ -n "$forward" ] && NET_OPTS+=",$forward"

  if [[ "${DNSMASQ_DISABLE:-}" != [Yy1]* ]]; then
    cp /etc/resolv.conf /etc/resolv.dnsmasq
    echo -e "nameserver 127.0.0.1\nsearch .\noptions ndots:0" >/etc/resolv.conf
    configureDNS "lo" "$ip" "$VM_NET_MAC" "$VM_NET_HOST" "$VM_NET_MASK" "$gateway" || return 1
    echo -e "nameserver 127.0.0.1\nsearch .\noptions ndots:0" >/etc/resolv.conf
  fi

  VM_NET_IP="$ip"
@@ -340,16 +336,17 @@ configurePasst() {
  PASST_OPTS+=" -n $VM_NET_MASK"
  [ -n "$PASST_MTU" ] && PASST_OPTS+=" -m $PASST_MTU"

  exclude=$(getHostPorts "$HOST_PORTS")
  local forward=""
  forward=$(getUserPorts "${USER_PORTS:-}")
  forward="${forward///tcp}"
  forward="${forward///udp}"

  if [ -z "$exclude" ]; then
    exclude="%${VM_NET_DEV}/all"
  else
    exclude="%${VM_NET_DEV}/~${exclude//,/,~}"
  if [ -n "$forward" ]; then
    forward="%${VM_NET_DEV}/$forward"
    PASST_OPTS+=" -t $forward"
    PASST_OPTS+=" -u $forward"
  fi

  PASST_OPTS+=" -t $exclude"
  PASST_OPTS+=" -u $exclude"
  PASST_OPTS+=" -H $VM_NET_HOST"
  PASST_OPTS+=" -M $GATEWAY_MAC"
  PASST_OPTS+=" -P /var/run/passt.pid"
@@ -701,11 +698,6 @@ getInfo() {
  [ -z "$MTU" ] && MTU="$mtu"
  [ -z "$MTU" ] && MTU="0"

  if [ "$MTU" -gt "1500" ]; then
    [[ "$DEBUG" == [Yy1]* ]] && echo "MTU size is too large: $MTU, ignoring..."
    MTU="0"
  fi

  if [[ "${ADAPTER,,}" != "virtio-net-pci" ]]; then
    if [[ "$MTU" != "0" && "$MTU" != "1500" ]]; then
      warn "MTU size is $MTU, but cannot be set for $ADAPTER adapters!" && MTU="0"
@@ -821,16 +813,21 @@ else
      if ! configureSlirp; then
        error "Failed to configure user-mode networking!"
        exit 24
      fi

      if [ -z "$USER_PORTS" ]; then
        info "Notice: slirp networking is active, so when you want to expose ports, you will need to map them using this variable: \"USER_PORTS=80,443\"."
      fi ;;

    *)
      error "Unrecognized NETWORK value: \"$NETWORK\"" && exit 24 ;;
  esac

  case "${NETWORK,,}" in
    "passt" | "slirp" )

      if [ -z "$USER_PORTS" ]; then
        info "Notice: because user-mode networking is active, if you need to expose ports, add them to the \"USER_PORTS\" variable."
      fi ;;

  esac

fi

NET_OPTS+=" -device $ADAPTER,id=net0,netdev=hostnet0,romfile=,mac=$VM_NET_MAC"