[libnice] New method proposal: nice_agent_set_port_exclusions()

Olivier Crête olivier.crete at collabora.com
Thu Dec 5 16:13:32 UTC 2019


Hi,

Yes do open a MR, it sounds like a good feature to have.

Olivier

On December 5, 2019 10:21:15 a.m. EST, Juan Navarro <juan.navarro at gmx.es> wrote:
>Hi,
>
>I've been experimenting with the idea of adding a new method to
>NiceAgent: a function similar to nice_agent_set_port_range() but with a
>complementary purpose. While set_port_range() is able to define, well, a
>port range that should be used for local candidates during the gathering
>process, a method such as nice_agent_set_port_exclusions() would be able
>to define a set of ports that should be _avoided_.
>
>The method would have a signature such as this:
>
>nice_agent_set_port_exclusions (
>     NiceAgent *agent,
>     guint stream_id,
>     guint component_id,
>     gchar* ports);
>
>And 'ports' would be a string such as this:
>
>"1234,5678,2000-4000"
>
>Meaning:
>* Don't use port 1234
>* Don't use port 5678
>* Don't use any port between 2000 and 4000 (inclusive)
>
>The rationale for such feature is that it adapts better to the needs
>that are common in typical cloud deployments, where a specific set of
>control ports should not be made accessible from the outside, with no
>reason whatsoever to prevent such access from all other ports in
>between.
>
>For a concrete example: A quick glance at one test Kubernetes deployment
>shows that these ports are sensitive and shouldn't be opened up to the
>public:
>
>22/tcp
>25/tcp
>67/udp
>68/udp
>111/tcp
>111/udp
>123/udp
>137/udp
>138/udp
>139/tcp
>139/udp
>179/tcp
>445/tcp
>445/udp
>1214/udp
>1900/udp
>4662/tcp
>6346/tcp
>6346/udp
>6699/tcp
>
>These include control ports for Kubernetes itself.
>
>Instead of finding what is the biggest range that can be opened without
>touching any of those ports, it would be just easier (and easier to
>maintain for the Devops guys) to just specify a blacklist that includes
>all these ports, and pass it to libnice:
>
>nice_agent_set_port_exclusions("22,25,67,68,111,123,137-139,179,445,1214,1900,4662,6346,6699")
>
>
>I already have code that implements this, and having it in upstream is
>always nicer than maintaining it downstream. Would this feature be
>interesting for libnice? If so, I'd open a Merge Request for discussion
>and code review.
>
>Regards,
>Juan
>
>
>--
>Juan Navarro
>Kurento maintainer & developer
>j1elo @ Twitter <https://twitter.com/j1elo> / GitHub <https://github.com/j1elo>

-- 
Olivier Crête
olivier.crete at collabora.com
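Added example, not libnice code and not the implementation Juan mentions having: a stand-alone C sketch (plain libc, no GLib, so it compiles anywhere) of the parsing and the port check that a method taking a "1234,5678,2000-4000" string would need behind the scenes. The function names, the 64-entry limit and the choice to reject the whole string on the first bad token are my assumptions. The points a reviewer would want covered are handled explicitly: port 0 and anything above 65535 are rejected, a reversed range such as "4000-2000" is an error rather than being silently swapped, empty tokens and a trailing comma are errors, and the exclusions are combined with a set_port_range()-style range so a deny list that leaves nothing to bind fails loudly instead of falling back to an arbitrary port.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One closed interval of excluded ports; a single port has lo == hi. */
typedef struct { uint16_t lo, hi; } PortRange;

#define MAX_EXCLUSIONS 64   /* assumed limit, not from the proposal */
typedef struct { PortRange ranges[MAX_EXCLUSIONS]; size_t count; } PortExclusions;

/* Parse exactly len decimal digits as a port; only 1..65535 is accepted. */
static bool parse_port(const char *s, size_t len, uint16_t *out)
{
    unsigned long v = 0;
    if (len == 0 || len > 5)
        return false;
    for (size_t i = 0; i < len; i++) {
        if (!isdigit((unsigned char)s[i]))
            return false;
        v = v * 10 + (unsigned long)(s[i] - '0');
    }
    if (v < 1 || v > 65535)
        return false;
    *out = (uint16_t)v;
    return true;
}

/* Parse a spec such as "1234,5678,2000-4000" (the format from the proposal).
 * The whole string is rejected on the first malformed token (empty token, trailing
 * comma, non-digits, port 0 or > 65535, lo > hi) so a typo cannot silently drop
 * part of the deny list. NULL or "" means "no exclusions"; spaces are tolerated. */
bool port_exclusions_parse(const char *spec, PortExclusions *ex)
{
    const char *p = spec;
    ex->count = 0;
    if (spec == NULL || *spec == '\0')
        return true;
    for (;;) {
        while (*p == ' ')
            p++;
        size_t tok_len = strcspn(p, ",");   /* raw token, may end in spaces */
        size_t len = tok_len;
        while (len > 0 && p[len - 1] == ' ')
            len--;
        if (len == 0)
            return false;                   /* "1,,2", "1,2," or " " */
        PortRange r;
        const char *dash = memchr(p, '-', len);
        if (dash) {
            size_t lo_len = (size_t)(dash - p);
            if (!parse_port(p, lo_len, &r.lo) ||
                !parse_port(dash + 1, len - lo_len - 1, &r.hi) ||
                r.lo > r.hi)                /* reject "4000-2000" */
                return false;
        } else {
            if (!parse_port(p, len, &r.lo))
                return false;
            r.hi = r.lo;
        }
        if (ex->count == MAX_EXCLUSIONS)
            return false;
        ex->ranges[ex->count++] = r;
        p += tok_len;
        if (*p == '\0')
            break;
        p++;                                /* skip the comma */
    }
    return true;
}

/* True if port falls inside any excluded range. */
bool port_is_excluded(const PortExclusions *ex, uint16_t port)
{
    for (size_t i = 0; i < ex->count; i++)
        if (port >= ex->ranges[i].lo && port <= ex->ranges[i].hi)
            return true;
    return false;
}

/* Combine both settings the way a gathering loop would: walk the configured
 * range [min, max] and return the first port that is not excluded. Returns -1
 * for a malformed spec and 0 when the exclusions swallow the whole range; both
 * are configuration errors to surface, not reasons to bind an arbitrary port. */
int first_allowed_port(const char *spec, uint16_t min, uint16_t max)
{
    PortExclusions ex;
    if (!port_exclusions_parse(spec, &ex))
        return -1;
    for (uint32_t port = min; port <= max; port++)  /* uint32_t: max may be 65535 */
        if (!port_is_excluded(&ex, (uint16_t)port))
            return (int)port;
    return 0;
}

int main(void)
{
    /* Constructed input: the deny list from the message, against a hypothetical range 137..140. */
    const char *spec = "22,25,67,68,111,123,137-139,179,445,1214,1900,4662,6346,6699";
    printf("first allowed port in 137..140: %d\n", first_allowed_port(spec, 137, 140));
    printf("\"4000-2000\" parses (-1 = rejected): %d\n", first_allowed_port("4000-2000", 1, 65535));
    return 0;
}
```

Two caveats that follow from the proposal rather than from this sketch: an exclusion list only governs which local ports the agent itself binds, so the control ports in Juan's list still need to be protected at the node firewall or network-policy level; and the interaction with set_port_range() deserves a defined behaviour (validate the string eagerly when it is set, and report gathering failure when the two settings leave no port in common) so a typo is visible before candidates are gathered.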
