From: Stuart Henderson <stu@spacehopper.org>
Subject: Re: [wip] rust-rpxy 0.10.1
To: Matthieu Herrb <matthieu@openbsd.org>
Cc: Theo Buehler <tb@theobuehler.org>, ports@openbsd.org
Date: Tue, 15 Jul 2025 13:33:38 +0100

On 2025/07/14 18:21, Matthieu Herrb wrote:
> - it cannot run with reduced privileges unless it only listens to
>   ports > 1024, needing pf level redirects to get 443 or 80.

This is sadly common in a lot of "modern" software, the number of
docs I've read telling you to use 'setcap CAP_NET_BIND_SERVICE' on
Linux is way too high... (especially software written in Go)

> - also it cannot listen on both IPv4 and IPv6 sockets; it relies on
>   Linux default behaviour of v6 sockets accepting v4 connections too.

I don't run into this quite as often any more, but there are still
a few (including the Javan elephant in the room) where you cannot
run a single instance of the software dual-stack (and it's often
impossible/unfeasible to run two copies concurrently) so the best
you can do is to run in v6 mode, use some af-to mess for incoming,
and DNS64 for outgoing... Not sure what can be done about it but
it's a real problem in some cases.
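
An added example, not part of this message and not rpxy's code: the portable alternative to relying on a v6 socket accepting v4 connections is to open one listening socket per address family on the same port and set IPV6_V6ONLY explicitly. The names `listen_one` and `listen_dual` and port 8443 are assumptions chosen for illustration.

```c
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open one listening TCP socket for one address family; returns fd or -1. */
static int listen_one(int family, const struct sockaddr *sa, socklen_t len)
{
    int on = 1, fd = socket(family, SOCK_STREAM, 0);
    if (fd == -1)
        return -1;
    /* Force v6-only so the code behaves the same on Linux (where a v6
       socket takes v4 too by default) and on OpenBSD (where it never does). */
    if (family == AF_INET6 &&
        setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) == -1)
        goto fail;
    if (bind(fd, sa, len) == -1 || listen(fd, 128) == -1)
        goto fail;
    return fd;
fail:
    close(fd);
    return -1;
}

/* fds[0] is the IPv4 listener, fds[1] the IPv6 listener, both on `port`
   (-1 where that family failed). Returns how many listeners were opened. */
int listen_dual(unsigned short port, int fds[2])
{
    struct sockaddr_in s4;
    struct sockaddr_in6 s6;
    memset(&s4, 0, sizeof(s4));
    memset(&s6, 0, sizeof(s6));
    s4.sin_family = AF_INET;
    s4.sin_port = htons(port);
    s4.sin_addr.s_addr = htonl(INADDR_ANY);
    s6.sin6_family = AF_INET6;
    s6.sin6_port = htons(port);
    s6.sin6_addr = in6addr_any;
    fds[0] = listen_one(AF_INET, (struct sockaddr *)&s4, sizeof(s4));
    fds[1] = listen_one(AF_INET6, (struct sockaddr *)&s6, sizeof(s6));
    return (fds[0] != -1) + (fds[1] != -1);
}

int main(void)
{
    int fds[2], n = listen_dual(8443, fds); /* 8443: constructed sample port */
    printf("listeners: %d (v4 fd %d, v6 fd %d)\n", n, fds[0], fds[1]);
    return n == 2 ? 0 : 1;
}
```

A server built this way then waits on both descriptors with poll() or kqueue() and accepts from whichever is ready.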