From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: passt.top; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: passt.top; dkim=pass (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=Ir3UJV6v; dkim-atps=neutral Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by passt.top (Postfix) with ESMTPS id 913565A026E for ; Thu, 26 Feb 2026 13:47:49 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1772110068; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Bwh5bcBL1aHVZnHzxWIphiZ1RUwDMRKsL2U/xnrtx4A=; b=Ir3UJV6vCPpBxMc53BJ3Zap/gxXxJKf9vdo6mKW0QVCB7Zy3lkVJ/iFwcdKoUQ8eZer70v HVszMQyctrLy2/NIUEnBN1UhL2BGrqpnf62byYcvWZJbX0BFqdAOUM1xvYnhotWdYMgECj f2V5MvhmyGTyXpHsupqTb/IY3czt8lA= Received: from mail-wr1-f72.google.com (mail-wr1-f72.google.com [209.85.221.72]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-447-YfRSwVFwOoG7xD_bilokSg-1; Thu, 26 Feb 2026 07:47:40 -0500 X-MC-Unique: YfRSwVFwOoG7xD_bilokSg-1 X-Mimecast-MFC-AGG-ID: YfRSwVFwOoG7xD_bilokSg_1772110059 Received: by mail-wr1-f72.google.com with SMTP id ffacd0b85a97d-4398fd66f02so490975f8f.1 for ; Thu, 26 Feb 2026 04:47:40 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772110059; x=1772714859; h=date:content-transfer-encoding:mime-version:organization:references :in-reply-to:message-id:subject:cc:to:from:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=Bwh5bcBL1aHVZnHzxWIphiZ1RUwDMRKsL2U/xnrtx4A=; b=iVHS1JP+IR2fzIVnwnW3rEm+gAC1ErbZYn7Hn/DkEwwzYyMH7oQflFCc/XkGBSzjkh T+YabtKjTiu1SVKZAs+tlK4zZDGD/1jqnNxCMpoPKG1RS2k9gUdWTwIzSL4KUB5WeEus 1RHNr8iupcyj6SsxTTSJKEoBbbVgIppNz7O7hoMVpNWZSc6F6feO+6VnG+0FpGRxrKGR L7pacvozs2wEn/cC24dQBbTomPmPET+0VYXWWU14aOd7QfUKYO1jgtJmPnDDCIiNRrCr Ghzom7l0G5x74dUPmz9PIoec/W3DVyqsvt9xlQHsEhkjqK8LB+bBEM7tN7+qc0k9qGRP 0gMg== X-Gm-Message-State: AOJu0Yx05JIvZqEhSyfYpKQ0EFCkBdRd9fzWlRBgLOOGSu+PoBoUtSwb M/KSXmDBzMwwivqZeQKK2E6jAeW3kzlYphL08bJwS1arKSOV3BE2unhh6uK0LfMJhL8O3JeLsAJ VJfYDqbGuLy3E4MdsRbUpM8WRib2cYXxsc5ReEv8+e4WLfCwdv3Xbuw== X-Gm-Gg: ATEYQzw+JZBUUa7Fa/aSFWug2cX4qobKYgBy5JxCITvX77lYO/QjN077X9ES4mLcZDo 0Nag2DCpqxAhUTUDvBJvRES2Dn/r0Ur7GqZ9nEXhJJssr9tB6aEo23clJY+GPs5CMTERC6obZpC l8gFIPpHKJfhTVNC3tLxdNx96oN9dIqvPYO+QA7aiTq0Ex1l/EJOm7Fa+QiSaYtLB9iKVhXrVh1 oIskyojQUqsE9X4IDfqj6B0gdkf4C/ze/313OGtrNYfmZlLYPyBxbyUOmM6s9LU7MMPInLP7VR7 5P4AqaWTiBIc2eMLF04USLnpDQMt/OfVTR2BEQWoBgsfBs+fXHyQfUIKOEAGI3abgwvlBqOXoAN QvHWvy1UFOsslreXibH+gRym7RMyUe9BZ/6V1FBhlvdI9DBTucA== X-Received: by 2002:a05:6000:2510:b0:439:8e9c:35b4 with SMTP id ffacd0b85a97d-4399430574fmr7763748f8f.53.1772110059397; Thu, 26 Feb 2026 04:47:39 -0800 (PST) X-Received: by 2002:a05:6000:2510:b0:439:8e9c:35b4 with SMTP id ffacd0b85a97d-4399430574fmr7763689f8f.53.1772110058820; Thu, 26 Feb 2026 04:47:38 -0800 (PST) Received: from maya.myfinge.rs (ifcgrfdd.trafficplex.cloud. [176.103.220.4]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-43970bf9fb2sm41549459f8f.1.2026.02.26.04.47.38 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 26 Feb 2026 04:47:38 -0800 (PST) From: Stefano Brivio To: Peter Foley Subject: Re: Support for equivalent to slirp guestfwd Message-ID: <20260226134736.7d5782bc@elisabeth> In-Reply-To: References: Organization: Red Hat X-Mailer: Claws Mail 4.2.0 (GTK 3.24.49; x86_64-pc-linux-gnu) MIME-Version: 1.0 Date: Thu, 26 Feb 2026 13:47:37 +0100 (CET) X-Mimecast-Spam-Score: 0 X-Mimecast-MFC-PROC-ID: gBYiPwqzXbxri_UWI2CTDn75XosGn6OFC9_sn_Ql-5Q_1772110059 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Message-ID-Hash: XD4XFOZBPAUDSCIQH3PDZCQPN2JIVLNG X-Message-ID-Hash: XD4XFOZBPAUDSCIQH3PDZCQPN2JIVLNG X-MailFrom: sbrivio@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: passt-dev@passt.top, Felix Wu X-Mailman-Version: 3.3.8 Precedence: list List-Id: Development discussion and patches for passt Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: On Wed, 25 Feb 2026 17:35:06 -0500 Peter Foley wrote: > Hi, > > I'm investigating migrating Google-internal uses of qemu's slirp-based > networking to passt. > One major gap I've discovered is the apparent lack of support in passt for > something like the "guestfwd" flag the slirp network backend handles: > https://www.qemu.org/docs/master/system/invocation.html > This allows us to open outbound connections from the VM to an external > service listening on a known port. I think libslirp's "guestfwd", strictly speaking, is only needed if you want to map ports to a character device or standard streams of a process that's started upon outbound connections (neither one is your case I guess). In all other cases, you could, with both libslirp and passt, connect from the VM to a local (non-loopback) address configured on the host, to reach other services running there. But I guess you want specific addressing (both for source and destination), so: > As far as I can tell, passt's tcp-ports and udp-ports flags appear to map > to slirp's hostfwd flags, only allowing traffic to flow into the VM. > > Am I missing something? ...yes, the --map-guest-addr and --map-host-loopback options. By default, connections from the VM to the address of the default gateway shown to the guest (a somewhat arbitrary choice that was convenient for KubeVirt's usage) are mapped to the host, with loopback source, see the "Handling of traffic with loopback destination and source addresses" note in the man page. You can change this address using --map-host-loopback. With it, the traffic will still appear as coming from the host's loopback. Or you can use specify an address with --map-guest-addr, and outbound connections will be seen on the host as coming from a local, but non-loopback address. The current description in the man page might be a bit confusing, see also https://bugs.passt.top/show_bug.cgi?id=132. This takes care of the first part of 'guestfwd', that is, instead of "guestfwd=tcp:10.0.2.100:1234-..." you would simply use --map-guest-addr 10.0.2.100. For the second part of it: > If this functionality indeed isn't supported, are > there plans to add it? ...there's ongoing effort to make this more flexible, by adding support for generic NAT rules (https://bugs.passt.top/show_bug.cgi?id=140) so that you can specifically map different ports and addresses to specific ports and addresses. And do so dynamically, at runtime, too. We now have a rather generic "forwarding rules" table implementation, even if not entirely complete: https://archives.passt.top/passt-dev/20260116005926.616085-1-david@gibson.dropbear.id.au/ and a very rudimentary draft of pesto(1), the client that would enable configuring all that at runtime (I'm working on it these days): https://archives.passt.top/passt-dev/20260204234209.455262-1-sbrivio@redhat.com/ ...there's quite a bit left to do, and patches are warmly welcome. -- Stefano