From: Stefano Brivio
To: Felix Rubio
CC: passt-user@passt.top
Subject: Re: Connecting back to the host through a dummy veth interface
Date: Mon, 22 Dec 2025 23:51:09 +0100
Message-ID: <20251222235109.23703ffe@elisabeth>
In-Reply-To: <3627291.QJadu78ljV@altair>
References: <176606116131.2775.3279769610610037541@maja> <5105334.31r3eYUQgx@altair> <20251221114722.2a613e94@elisabeth> <3627291.QJadu78ljV@altair>
Organization: Red Hat
List-Id: "For passt users: support, questions and answers"

Let me answer your latest three emails separately, because actually there are valid open questions in all of them (and yes, we need https://bugs.passt.top/show_bug.cgi?id=144 and some "howto" section beyond man pages and Podman documentation, but it won't be for this year either...)
On Sun, 21 Dec 2025 16:17:37 +0100
Felix Rubio wrote:

> Ciao, Stefano
>
> I have just discovered how little I know about rootless networking in containers: I thought
> that when using host.containers.internal I was really connecting back to the loopback
> interface (127.0.0.1).
>
> Indeed, this works
> - Terminal 1, user 1: podman run --rm -ti -p 8089:80 traefik/whoami
> - Terminal 2, user 2: podman run --rm -ti alpine /bin/sh -c "apk add curl; curl host.containers.internal:8089"
>
> As I have an SMTP server listening on that interface, port 25, I have run this experiment,
> which does not work:
> podman run --rm -ti alpine /bin/sh -c "apk add busybox-extras; telnet host.containers.internal 25"
> telnet: can't connect to remote host (169.254.1.2): Connection refused

Because it's probably binding to localhost (something in 127.0.0.1/8 or ::1 or both), but the destination of this connection attempt is not a loopback address.

> I only seem to be able to connect, using rootless pasta, to ports that are published by
> other containers. In case any container gets compromised, connections from that
> container could only be established to services run by other containers, then?

...or other hosts. But there's a way to override that. From pasta(1), emphasis mine:

  --map-host-loopback addr
    Translate addr to refer to the host. Packets from the guest to addr will be redirected to the host. ** On the host such packets will appear to have both source and destination of 127.0.0.1 or ::1. **

...and yes, I guess we should rephrase this as well, but with this option you would be able to connect to services that bind to loopback addresses (too). Podman doesn't enable this by default (it would be a bad default for security) so you would need to issue something like 'podman run --net=pasta:--map-host-loopback,169.254.1.2 ...'.

> Similarly...
> Could I create another "network of pods" by using map-guest-addr with another IP (say
> 169.254.1.3) and the pods in 169.254.1.2 and 169.254.1.3 would not be able to talk to
> each other?

It all depends on what ports are exposed and what interface and address they are bound to, on the host. But yes, you could do something like that.

Eventually, *after* https://bugs.passt.top/show_bug.cgi?id=140 is done, we might consider implementing proper inter-container communication with a single instance of pasta. That would make things easier... but we're not quite there yet.

> So the solution for my use case is then to bind e.g., port 1636 to both 10.255.255.1 and to
> 169.254.1.2, so that external connections to it can get through, but also connections from
> other rootless pods?

You could do that, yes.

-- 
Stefano
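A small host-side check, added here as an example and not part of the thread or of the pasta project, that applies the explanation above to a listener table: it classifies each port by its bind address to tell which host services a rootless pasta container could reach through host.containers.internal and which are loopback-only (reachable only with --map-host-loopback). The `ss -ltn` output is a constructed sample, and the classification rule (wildcard or interface address reachable, 127.0.0.0/8 and ::1 not) is an assumption drawn from the reply above.

```shell
#!/bin/sh
# Constructed sample of 'ss -ltn' output from a host (not real data).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:25        0.0.0.0:*
LISTEN 0      128    [::1]:25            [::]:*
LISTEN 0      128    0.0.0.0:8089        0.0.0.0:*
LISTEN 0      128    10.255.255.1:1636   0.0.0.0:*'

# addr_class ADDR: wildcard, loopback or specific (an interface address).
addr_class() {
    case "$1" in
        0.0.0.0|'[::]'|'*')                 echo wildcard ;;
        127.*|'[::1]'|'[::ffff:127.'*)      echo loopback ;;
        *)                                  echo specific ;;
    esac
}

# classify_port PORT: read ss-style lines on stdin and print one of
#   reachable      some listener on PORT is on a wildcard or interface address
#   loopback-only  PORT is bound only to loopback (needs --map-host-loopback)
#   none           nothing listens on PORT
classify_port() {
    port=$1; found=0; open=0
    while read -r state _rq _sq laddr _peer _rest; do
        [ "$state" = LISTEN ] || continue
        addr=${laddr%:*}; p=${laddr##*:}     # split "addr:port" at the last colon
        [ "$p" = "$port" ] || continue
        found=1
        case "$(addr_class "$addr")" in
            wildcard|specific) open=1 ;;
        esac
    done
    if [ "$open" = 1 ]; then echo reachable
    elif [ "$found" = 1 ]; then echo loopback-only
    else echo none
    fi
}

# Report for the ports discussed in the thread (1234 is an unused control port).
for port in 25 8089 1636 1234; do
    printf '%s: %s\n' "$port" "$(printf '%s\n' "$SAMPLE_SS" | classify_port "$port")"
done
```

On a real host, replace the sample with `ss -ltn | classify_port 25` to check the SMTP case from the thread.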