You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
* tart run: introduce --net-softnet-expose
* --net-softnet-expose: add discussion
* --net-softnet-expose: add a note about Softnet restrictions
...and how to disable them.
* LAN → local network
* Better clarify what --net-softnet does
And how --net-softnet-allow can change that behavior.
@Flag(help:ArgumentHelp("Use software networking instead of the default shared (NAT) networking",
187
-
discussion:"Learn how to configure Softnet for use with Tart here: https://github.com/cirruslabs/softnet"))
186
+
@Flag(help:ArgumentHelp("Use software networking provided by Softnet instead of the default shared (NAT) networking",
187
+
discussion:"""
188
+
Softnet provides better network isolation and alleviates DHCP shortage on production systems. Tart invokes Softnet when this option is specified as a sub-process and communicates with it over socketpair(2).
189
+
190
+
It is essentially a userspace packet filter which restricts the VM networking and prevents a class of security issues, such as ARP spoofing. By default, the VM will only be able to:
191
+
192
+
* send traffic from its own MAC-address
193
+
* send traffic from the IP-address assigned to it by the DHCP
194
+
* send traffic to globally routable IPv4 addresses
195
+
* send traffic to gateway IP of the vmnet bridge (this would normally be \"bridge100\" interface)
196
+
* receive any incoming traffic
197
+
198
+
In addition, Softnet tunes macOS built-in DHCP server to decrease its lease time from the default 86,400 seconds (one day) to 600 seconds (10 minutes). This is especially important when you use Tart to clone and run a lot of ephemeral VMs over a period of one day.
199
+
200
+
More on Softnet here: https://github.com/cirruslabs/softnet
201
+
"""))
188
202
varnetSoftnet:Bool=false
189
203
190
-
@Option(help:ArgumentHelp("Comma-separated list of CIDRs to allow the traffic to when using Softnet isolation\n(e.g. --net-softnet-allow=192.168.0.0/24)", valueName:"comma-separated CIDRs"))
204
+
@Option(help:ArgumentHelp("Comma-separated list of CIDRs to allow the traffic to when using Softnet isolation\n(e.g. --net-softnet-allow=192.168.0.0/24)", discussion:"""
205
+
This option allows you bypass the private IPv4 address space restrctions imposed by --net-softnet.
206
+
207
+
For example, you can allow the VM to communicate with the local network with e.g. --net-softnet-allow=10.0.0.0/16 or to completely disable the destination based restrictions with --net-softnet-allow=0.0.0.0/0.
208
+
""", valueName:"comma-separated CIDRs"))
191
209
varnetSoftnetAllow:String?
192
210
211
+
@Option(help:ArgumentHelp("Comma-separated list of TCP ports to expose (e.g. --net-softnet-expose 2222:22,8080:80)", discussion:"""
212
+
Options are comma-separated and are as follows:
213
+
214
+
* EXTERNAL_PORT:INTERNAL_PORT — forward TCP traffic from the EXTERNAL_PORT on a host's egress interface (automatically detected and could be Wi-Fi, Ethernet and a VPN interface) to the INTERNAL_PORT on guest's IP (as reported by "tart ip")
215
+
216
+
Note that your software should either listen on 0.0.0.0 inside of a VM or on an IP address assigned to that VM for the port forwarding to work correctly.
217
+
218
+
Another thing to keep in mind is that regular Softnet restrictions will still apply even to port forwarding. So if you're planning to access your VM from local network, and your local network is 192.168.0.0/24, for example, then add --net-softnet-allow=192.168.0.0/24. If you only need port forwarding, to completely disable Softnet restrictions you can use --net-softnet-allow=0.0.0.0/0.
219
+
""", valueName:"comma-separated port specifications"))
220
+
varnetSoftnetExpose:String?
221
+
193
222
@Flag(help:ArgumentHelp("Restrict network access to the host-only network"))
0 commit comments