[libnice] New method proposal: nice_agent_set_port_exclusions()

Juan Navarro juan.navarro at gmx.es
Thu Dec 5 17:11:17 UTC 2019


Done; we can track it here:
https://gitlab.freedesktop.org/libnice/libnice/merge_requests/82


On 5/12/19 17:13, Olivier Crête wrote:
> Hi,
>
> Yes do open a MR, it sounds like a good feature to have.
>
> Olivier
>
> On December 5, 2019 10:21:15 a.m. EST, Juan Navarro <juan.navarro at gmx.es> wrote:
>> Hi,
>>
>> I've been experimenting with the idea of adding a new method to
>> NiceAgent: a function similar to nice_agent_set_port_range() but with a
>> complementary purpose. While set_port_range() is able to define, well,
>> a port range that should be used for local candidates during the
>> gathering process, a method such as nice_agent_set_port_exclusions()
>> would be able to define a set of ports that should be _avoided_.
>>
>> The method would have a signature such as this:
>>
>> nice_agent_set_port_exclusions (
>>      NiceAgent *agent,
>>      guint stream_id,
>>      guint component_id,
>>      gchar* ports);
>>
>> And 'ports' would be a string such as this:
>>
>> "1234,5678,2000-4000"
>>
>> Meaning:
>> * Don't use port 1234
>> * Don't use port 5678
>> * Don't use any port between 2000 and 4000 (inclusive)
>>
>> The rationale for such feature is that it adapts better to the needs
>> that are common in typical cloud deployments, where a specific set of
>> control ports should not be made accessible from the outside, with no
>> reason whatsoever to prevent such access from all other ports in
>> between.
>>
>> For a concrete example: A quick glance at one test Kubernetes
>> deployment shows that these ports are sensitive and shouldn't be
>> opened up to the public:
>>
>> 22/tcp
>> 25/tcp
>> 67/udp
>> 68/udp
>> 111/tcp
>> 111/udp
>> 123/udp
>> 137/udp
>> 138/udp
>> 139/tcp
>> 139/udp
>> 179/tcp
>> 445/tcp
>> 445/udp
>> 1214/udp
>> 1900/udp
>> 4662/tcp
>> 6346/tcp
>> 6346/udp
>> 6699/tcp
>>
>> These include control ports for Kubernetes itself.
>>
>> Instead of finding what is the biggest range that can be opened without
>> touching any of those ports, it would be just easier (and easier to
>> maintain for the Devops guys) to just specify a blacklist that includes
>> all these ports, and pass it to libnice:
>>
>> nice_agent_set_port_exclusions("22,25,67,68,111,123,137-139,179,445,1214,1900,4662,6346,6699")
>>
>>
>> I already have code that implements this, and having it in upstream is
>> always nicer than maintaining it downstream. Would this feature be
>> interesting for libnice? If so, I'd open a Merge Request for discussion
>> and code review.
>>
>> Regards,
>> Juan
>>
>>
>> --
>> Juan Navarro
>> Kurento maintainer & developer
>> j1elo @ Twitter <https://twitter.com/j1elo> / GitHub
>> <https://github.com/j1elo>
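The exclusion-string format proposed in the thread ("1234,5678,2000-4000": single ports and inclusive ranges, comma separated) is simple enough that the parsing and validation rules are worth spelling out in code. The following is an added example, not code from libnice or from the merge request; the names `PortExclusions`, `port_exclusions_parse`, `port_is_excluded` and `port_first_allowed` are assumptions for illustration. It parses the string into ranges, rejects malformed input (ports outside 1-65535, reversed ranges, trailing or empty tokens) rather than silently ignoring it, and shows how an exclusion list would combine with a set_port_range()-style window by returning the first port in that window that is not excluded.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_EXCLUSIONS 64   /* assumed upper bound for this example */

typedef struct {
    unsigned int lo;        /* first excluded port (inclusive) */
    unsigned int hi;        /* last excluded port (inclusive) */
} PortRange;

typedef struct {
    PortRange ranges[MAX_EXCLUSIONS];
    size_t count;
} PortExclusions;

/* Parse one decimal port number, skipping surrounding whitespace.
 * Returns 0 on success and sets *end to the first unconsumed character;
 * returns -1 if the token is not a number in 1..65535. */
static int parse_port(const char *s, char **end, unsigned int *out)
{
    char *e;
    unsigned long v;

    while (isspace((unsigned char)*s)) s++;
    if (!isdigit((unsigned char)*s)) return -1;
    errno = 0;
    v = strtoul(s, &e, 10);
    if (errno != 0 || v < 1 || v > 65535) return -1;
    while (isspace((unsigned char)*e)) e++;
    *end = e;
    *out = (unsigned int)v;
    return 0;
}

/* Parse a spec such as "1234,5678,2000-4000" into ex->ranges.
 * Returns the number of ranges parsed, or -1 if the spec is malformed
 * (the caller should then reject the whole spec, not use a partial list). */
int port_exclusions_parse(const char *spec, PortExclusions *ex)
{
    const char *p = spec;

    ex->count = 0;
    if (spec == NULL || *spec == '\0') return -1;

    for (;;) {
        unsigned int lo, hi;
        char *end;

        if (ex->count >= MAX_EXCLUSIONS) return -1;
        if (parse_port(p, &end, &lo) != 0) return -1;
        hi = lo;
        if (*end == '-') {                    /* "lo-hi" range token */
            if (parse_port(end + 1, &end, &hi) != 0) return -1;
            if (hi < lo) return -1;           /* reversed range is an error */
        }
        ex->ranges[ex->count].lo = lo;
        ex->ranges[ex->count].hi = hi;
        ex->count++;

        if (*end == '\0') break;              /* end of spec */
        if (*end != ',') return -1;           /* unexpected separator */
        p = end + 1;                          /* a trailing "," fails on next loop */
    }
    return (int)ex->count;
}

/* 1 if port falls inside any excluded range, 0 otherwise. */
int port_is_excluded(const PortExclusions *ex, unsigned int port)
{
    size_t i;
    for (i = 0; i < ex->count; i++)
        if (port >= ex->ranges[i].lo && port <= ex->ranges[i].hi) return 1;
    return 0;
}

/* First port in [min_port, max_port] that is not excluded, or 0 if the
 * window is fully covered by exclusions. This is how an exclusion list
 * would combine with a set_port_range()-style window during gathering. */
unsigned int port_first_allowed(const PortExclusions *ex,
                                unsigned int min_port, unsigned int max_port)
{
    unsigned int port;
    if (max_port > 65535) max_port = 65535;
    for (port = min_port; port <= max_port; port++)
        if (!port_is_excluded(ex, port)) return port;
    return 0;
}

int main(void)
{
    /* The list from the message above, as a constructed sample input. */
    const char *spec = "22,25,67,68,111,123,137-139,179,445,1214,1900,4662,6346,6699";
    PortExclusions ex;
    int n = port_exclusions_parse(spec, &ex);

    printf("parsed %d ranges\n", n);
    printf("port 138 excluded: %d\n", port_is_excluded(&ex, 138));
    printf("first allowed in 137..200: %u\n", port_first_allowed(&ex, 137, 200));
    return n < 0;
}
```

Rejecting the whole spec on any malformed token matters here: a control-port blacklist that is partially applied because of a typo would leave exactly the ports the operator meant to protect eligible for candidate allocation.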
