Because some network services and clients might bind(2) (or even connect(2)) to a legitimate range of ports (e.g. to improve the number of concurrent connections between internal services), it would be useful to be able to extend the landlock_net_port_attr struct with a port_last field.
We should note that this can already be controlled system-wide with the port range defined with /proc/sys/net/ipv4/ip_local_port_range (for IPv4 and IPv6) when allowing to bind on port 0, but this is a limitation.
Implementing an efficient port range matching will require a dedicated data structure (different than the current ruleset's root_net_port red-black tree), keeping in mind #1.
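As an added illustration of the range-matching data structure mentioned above (this is example code written for this page, not Landlock's own implementation, and the `port_range_rule` struct with its `port_last` field is a hypothetical user-space stand-in for the proposed extension), the prototype below compiles overlapping port-range rules into sorted, disjoint segments once, so that a lookup is a single binary search. The access bit values mirror `LANDLOCK_ACCESS_NET_BIND_TCP` and `LANDLOCK_ACCESS_NET_CONNECT_TCP` but are defined locally so it builds without kernel headers; the sample rules are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Same bit values as Landlock's TCP bind/connect rights, defined locally. */
#define NET_BIND_TCP    (1ULL << 0)
#define NET_CONNECT_TCP (1ULL << 1)

/* Hypothetical rule shape: landlock_net_port_attr plus the proposed port_last
 * field (an assumption for this prototype, not kernel ABI). */
struct port_range_rule {
    uint64_t allowed_access;
    uint16_t port;       /* first port, inclusive */
    uint16_t port_last;  /* last port, inclusive; equal to port for one port */
};

/* Compiled form: sorted, disjoint segments, each holding the union of the
 * rights of every rule overlapping it (Landlock unions rights per object). */
struct port_segment {
    uint32_t first, last;  /* inclusive; 32-bit so 65535 + 1 fits as a bound */
    uint64_t access;
};

struct compiled_ports {
    struct port_segment *seg;
    size_t count;
};

static int cmp_u32(const void *a, const void *b)
{
    uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b;
    return (x > y) - (x < y);
}

/* Build the segment table from rules in any order. Returns 0 on success,
 * -1 on an inverted range (port > port_last) or allocation failure. */
int compile_port_rules(const struct port_range_rule *rules, size_t n,
                       struct compiled_ports *out)
{
    uint32_t *bounds;
    size_t i, j, m = 0, nseg = 0;

    out->seg = NULL;
    out->count = 0;
    if (n == 0)
        return 0;
    for (i = 0; i < n; i++)
        if (rules[i].port > rules[i].port_last)
            return -1;
    /* Every rule start and every end + 1 is a boundary of some segment. */
    bounds = malloc(2 * n * sizeof(*bounds));
    if (!bounds)
        return -1;
    for (i = 0; i < n; i++) {
        bounds[2 * i] = rules[i].port;
        bounds[2 * i + 1] = (uint32_t)rules[i].port_last + 1;
    }
    qsort(bounds, 2 * n, sizeof(*bounds), cmp_u32);
    for (i = 0; i < 2 * n; i++)  /* drop duplicate boundaries */
        if (m == 0 || bounds[m - 1] != bounds[i])
            bounds[m++] = bounds[i];
    out->seg = malloc((m - 1) * sizeof(*out->seg));
    if (!out->seg) {
        free(bounds);
        return -1;
    }
    /* Adjacent boundaries delimit a segment lying entirely inside or entirely
     * outside every rule, so testing its first port decides coverage. */
    for (j = 0; j + 1 < m; j++) {
        uint32_t first = bounds[j], last = bounds[j + 1] - 1;
        uint64_t access = 0;
        for (i = 0; i < n; i++)
            if (rules[i].port <= first && first <= rules[i].port_last)
                access |= rules[i].allowed_access;
        if (access) {  /* gaps between rules grant nothing: omit them */
            out->seg[nseg].first = first;
            out->seg[nseg].last = last;
            out->seg[nseg].access = access;
            nseg++;
        }
    }
    out->count = nseg;
    free(bounds);
    return 0;
}

/* O(log n) lookup: the rights granted for one port, 0 if none. */
uint64_t port_access(const struct compiled_ports *cp, uint16_t port)
{
    size_t lo = 0, hi = cp->count;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (port < cp->seg[mid].first)
            hi = mid;
        else if (port > cp->seg[mid].last)
            lo = mid + 1;
        else
            return cp->seg[mid].access;
    }
    return 0;
}

/* Constructed sample: a bind range for worker sockets, one connect-only port
 * inside it, HTTPS egress, and a range allowing both. */
static const struct port_range_rule sample_rules[] = {
    { NET_BIND_TCP,                    8000,  8100 },
    { NET_CONNECT_TCP,                 8050,  8050 },
    { NET_CONNECT_TCP,                  443,   443 },
    { NET_BIND_TCP | NET_CONNECT_TCP, 30000, 30100 },
};
static struct compiled_ports sample_cp;
static int sample_built;

/* Rights for one port under the sample rules (compiled on first use). */
uint64_t sample_port_access(uint16_t port)
{
    if (!sample_built) {
        if (compile_port_rules(sample_rules, 4, &sample_cp) != 0)
            return 0;
        sample_built = 1;
    }
    return port_access(&sample_cp, port);
}

size_t sample_segment_count(void)
{
    sample_port_access(0);
    return sample_cp.count;
}

int main(void)
{
    const uint16_t probes[] = { 22, 443, 8000, 8050, 8100, 8101, 30000 };
    size_t i;
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("port %5u: bind=%d connect=%d\n", probes[i],
               !!(sample_port_access(probes[i]) & NET_BIND_TCP),
               !!(sample_port_access(probes[i]) & NET_CONNECT_TCP));
    printf("%zu segments\n", sample_segment_count());
    return 0;
}
```

The build step is quadratic in the number of rules, which is acceptable for a prototype since a ruleset is compiled once at `landlock_restrict_self` time, while the per-`bind(2)`/`connect(2)` lookup stays logarithmic; an in-kernel version would presumably use an interval tree instead, which is the dedicated structure this issue calls for.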
See thread: https://lore.kernel.org/netdev/b4440d19-93b9-e234-007b-4fc4f987550b@digikod.net/
Related to #15
Cc @BoardzMaster