From: David Gibson
To: passt-dev@passt.top, Stefano Brivio
Cc: David Gibson
Subject: [PATCH 2/3] fwd: Clarify semantics of --host-lo-to-ns-lo
Date: Wed, 1 Jul 2026 17:08:10 +1000
Message-ID: <20260701070811.1944139-3-david@gibson.dropbear.id.au>
In-Reply-To: <20260701070811.1944139-1-david@gibson.dropbear.id.au>
References: <20260701070811.1944139-1-david@gibson.dropbear.id.au>
List-Id: Development discussion and patches for passt

The semantics of --host-lo-to-ns-lo as described in the man page don't quite make sense: It says without the option forwarded packets will appear to come _from_ the guest's public address, which is not usually true. Instead the packets will arrive *to* the guest's public address. The exact semantics are also a bit confusing in general. Rewrite both the man page and code to clarify this.

The new rule is that it redirects connections addressed to a host loopback address to the same loopback address in the guest. This is notionally different from what we had in two ways:

* We can now deliver to nonstandard loopback addresses within the guest, not just the default one. This is technically a behavioural change, but I think will be less surprising behaviour.

* The decision is now made on the original _destination_ address, rather than source address.
  That's different theoretically, but not in practice, since loopback packets must have loopback addresses for both source and destination.

We make it explicitly incompatible with --no-splice - previously it was allowed, but would have no effect in that case.

As well as being more precise right now, these semantics will intersect better with upcoming remapping of target address by forwarding rules.

Signed-off-by: David Gibson
--- conf.c | 2 ++ fwd.c | 22 ++++++++++------------ passt.1 | 9 +++++---- 3 files changed, 17 insertions(+), 16 deletions(-) diff --git a/conf.c b/conf.c index c4a36dee..912543fa 100644 --- a/conf.c +++ b/conf.c @@ -1792,6 +1792,8 @@ void conf(struct ctx *c, int argc, char **argv) if (c->splice_only) die("--splice-only is for pasta mode only"); } + if (c->no_splice && c->host_lo_to_ns_lo) + die("--host-lo-to-ns-lo is incompatible with --no-splice"); if (c->mode == MODE_PASTA && !c->pasta_conf_ns) { if (copy_routes_opt) diff --git a/fwd.c b/fwd.c index 042158cf..659f8d9f 100644 --- a/fwd.c +++ b/fwd.c @@ -1036,21 +1036,19 @@ uint8_t fwd_nat_from_host(const struct ctx *c, * In either case, let the kernel pick the source address to * match. */ - if (inany_v4(&ini->eaddr)) { - if (c->host_lo_to_ns_lo) - tgt->eaddr = inany_loopback4; - else - tgt->eaddr = inany_from_v4(c->ip4.addr_seen); + if (c->host_lo_to_ns_lo && inany_is_loopback(&ini->oaddr)) + tgt->eaddr = ini->oaddr; + else if (inany_v4(&ini->eaddr)) + tgt->eaddr = inany_from_v4(c->ip4.addr_seen); + else + tgt->eaddr.a6 = c->ip6.addr_seen; + + /* Let the kernel pick source address and port */ + if (inany_v4(&tgt->eaddr)) tgt->oaddr = inany_any4; - } else { - if (c->host_lo_to_ns_lo) - tgt->eaddr = inany_loopback6; - else - tgt->eaddr.a6 = c->ip6.addr_seen; + else tgt->oaddr = inany_any6; - } - /* Let the kernel pick source port */ tgt->oport = 0; if (proto == IPPROTO_UDP) /* But for UDP preserve the source port */ diff --git a/passt.1 b/passt.1 index 908fd4a4..d057aebc 100644 --- a/passt.1 
+++ b/passt.1 @@ -650,10 +650,11 @@ Default is \fBauto\fR. .TP .BR \-\-host-lo-to-ns-lo -If specified, connections forwarded with \fB\-t\fR and \fB\-u\fR from -the host's loopback address will appear on the loopback address in the -guest as well. Without this option such forwarded packets will appear -to come from the guest's public address. +If specified, connections to a host loopback address forwarded with +\fB\-t\fR or \fB\-u\fR will be delivered to the same loopback address +on the guest. Without this option such connections are forwarded to +the guest's public address. This option is incompatible with +\fB--no-splice\fR. .TP .BR \-\-userns " " \fIspec -- 2.54.0
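Review bot: the new conf.c check turns a combination the commit message says was previously accepted as a silent no-op (--no-splice together with --host-lo-to-ns-lo) into a fatal die(); if existing command lines may carry both options, a warning that --host-lo-to-ns-lo is ignored would be gentler, otherwise the commit message should state the compatibility break explicitly rather than only noting that the combination "would have no effect".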
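Review bot: in the fwd.c hunk the retained header comment still reads "In either case, let the kernel pick the source address to match", but the code under it is now a three-way if / else if / else (loopback redirect from ini->oaddr, IPv4 addr_seen, IPv6 addr_seen) followed by a separate family test on tgt->eaddr, and the new inline comment "/* Let the kernel pick source address and port */" repeats the same point; suggest rewording the header comment to describe the loopback redirect and the three cases, and keeping the source-address remark in only one of the two places.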
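Review bot: in the passt.1 hunk, "\fB--no-splice\fR" uses unescaped hyphens while the rest of the entry writes options as "\-\-host-lo-to-ns-lo", "\fB\-t\fR" and "\fB\-u\fR"; groff may render a bare "--" as a typographic dash, so for consistency and copy-paste safety this should be "\fB\-\-no-splice\fR".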