From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Mon, 27 Oct 2025 12:46:36 +1100
From: David Gibson
To: baleti
CC: passt-user@passt.top
Subject: Re: port forward from guest to host- inquiry
References: <69c1a8e2-2f28-4905-8bc5-682f3cfa1eb8@gmail.com>
On Sat, Oct 25, 2025 at 10:23:07PM +0100, baleti wrote:
> Thanks for explaining David, that makes sense. I've added --no-map-gw to my
> setup and ended up forwarding diod using vsock and socat. Sorry, are you
> saying that guest still has access to services listening on the host? Is
> there a way to block it and any other private IPs? I was trying to isolate
> the virtual machine as much as possible except for selected
> services.

Ah, ok.  --no-map-gw disables the defaults I was mentioning.  So with
that there's no (direct) way for the guest to reach services on the
host; or at least not via the address which is shared with the guest.
If the services are listening on multiple (non loopback) host
addresses, the guest can reach them via one of the other addresses.

At present there isn't a way to expose only certain host ports to the
guest.  We'd like to have the flexibility to do that (amongst many
other things), and we're working towards it, but it requires quite a
bit of infrastructure work.

In the meantime you have a few options:

1) Remove --no-map-gw, and use the default NAT.  This does expose the
   host slightly, in the sense that the guest can connect to it in a
   way that appears to come from loopback, so that might not meet your
   isolation requirement.

2) Use:
       --map-guest-addr XXXX --map-host-loopback none
   (or equivalently --map-guest-addr XXXX --no-map-gw)

   This will let the guest access the host at address XXXX.  In a
   sense this does expose the host more than your current setup, but
   since connections via this NAT won't appear to come from loopback
   on the host (they'll appear to come from the host's public IP),
   you're not really exposing the host to the VM any more than it's
   already exposed to the outside world.

   [Arguably, this should be the default behaviour; it's not for
   historical reasons]

3) Change the guest address away from the default (which is the same
   as the host's address) with:
       -a YYYY --no-map-gw

   Now the guest will think it has address YYYY, and can access host
   services via the host's usual public address.  Again, those
   connections from the VM won't appear to come from loopback, so it's
   not exposing the host to the VM any more than it's exposed to the
   world.

> On 10/25/25 9:14 AM, David Gibson wrote:
> > On Sat, Oct 25, 2025 at 01:02:36AM +0100, baleti wrote:
> > > does anyone know if passt can port forward from guest to host? I'm trying to
> > > make a diod server available on the guest?
> > I'm assuming you're using passt (guest is a VM) not pasta (guest is a
> > container).
> > 
> > > on host I run a service listening on 9564:
> > >  ~ $ diod --foreground --listen 0.0.0.0:9564 --export
> > > /home/user/autocad-ballet --no-auth
> > > 
> > > is there a way for passt to make it available on the guest?
> > Yes, but you don't need an explicit forward for this - passt's default
> > behaviour is to let the guest access things outside, including the
> > host.  The complication is that, by default, the guest gets the same
> > address as the host, so the guest can't access the host using its
> > normal address.
> > 
> > However, also by default, we remap the default gateway address to the
> > host.  That is, if on the guest you connect to the address of the
> > default gateway, port 9564, that will actually connect to diod on the
> > host.
> > 
> > The details of this can be adjusted with the --map-host-loopback,
> > --map-guest-addr and --no-map-gw options.
> > 

-- 
David Gibson (he or they)        | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au   | minimalist, thank you, not the other way
                                 | around.
http://www.ozlabs.org/~dgibson
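The reply above compares three passt configurations by two properties: whether the guest can reach a service on the host at all, and whether that connection shows up on the host as coming from loopback (the property that matters for any service that trusts local peers). The following is an added illustration, not passt's code and not from anyone in the thread: it encodes only the behaviour the reply describes (gateway remapped to host loopback by default, --no-map-gw / --map-host-loopback none removing that, --map-guest-addr XXXX, -a YYYY, and the caveat about services bound to a second non-loopback host address) as a small decision table, so the options can be compared side by side. The addresses, the XXXX/YYYY placeholders, and the assumption that a connection to a second non-loopback host address is likewise not seen as loopback are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import FrozenSet, Optional

# Constructed host environment for the example (not real deployment data).
HOST_ADDR = ip_address("203.0.113.10")   # the host's usual public address
GATEWAY = ip_address("203.0.113.1")      # the host's default gateway
LOOPBACK = ip_address("127.0.0.1")


@dataclass(frozen=True)
class PasstConfig:
    """The subset of passt options the thread discusses, as a decision table."""
    guest_addr: IPv4Address = HOST_ADDR                  # -a YYYY; default: host's address
    map_gw: bool = True                                  # --no-map-gw sets this False
    map_host_loopback: Optional[IPv4Address] = GATEWAY   # --map-host-loopback none -> None
    map_guest_addr: Optional[IPv4Address] = None         # --map-guest-addr XXXX
    # Assumption for the model: other non-loopback addresses the host has.
    host_other_addrs: FrozenSet[IPv4Address] = frozenset()

    def loopback_map(self) -> Optional[IPv4Address]:
        # The reply treats "--map-host-loopback none" and "--no-map-gw" as
        # equivalent: either one removes the gateway -> host-loopback remapping.
        return self.map_host_loopback if self.map_gw else None


@dataclass(frozen=True)
class Outcome:
    reaches_host: bool                 # does the guest's connection land on the host?
    host_dst: Optional[IPv4Address]    # host-side destination it lands on
    from_loopback: bool                # does the host service see a loopback peer?


def resolve(cfg: PasstConfig, dst: IPv4Address) -> Outcome:
    """Where does a guest connection to `dst` end up, per the reply's description?"""
    # 1. Gateway (or other --map-host-loopback address) remapped to host loopback;
    #    the host service sees the connection as coming from loopback.
    if cfg.loopback_map() is not None and dst == cfg.loopback_map():
        return Outcome(True, LOOPBACK, True)
    # 2. --map-guest-addr XXXX: XXXX reaches the host, appearing to come from
    #    the host's public IP rather than loopback.
    if cfg.map_guest_addr is not None and dst == cfg.map_guest_addr:
        return Outcome(True, HOST_ADDR, False)
    # 3. The guest's own address is the guest itself, not the host. By default
    #    that address *is* the host's, which is why the host is unreachable there.
    if dst == cfg.guest_addr:
        return Outcome(False, None, False)
    # 4. Once -a YYYY moves the guest elsewhere, the host's usual public address
    #    reaches the host, and not as a loopback peer.
    if dst == HOST_ADDR:
        return Outcome(True, HOST_ADDR, False)
    # 5. Services bound to another non-loopback host address stay reachable via
    #    that address even with --no-map-gw (the caveat in the reply). Modelling
    #    assumption: such a connection is not seen as loopback either.
    if dst in cfg.host_other_addrs:
        return Outcome(True, dst, False)
    # 6. Anything else is ordinary outbound traffic to the outside world.
    return Outcome(False, None, False)


def loopback_exposure(cfg: PasstConfig, probes) -> bool:
    """True if any probed destination lets the guest appear as a loopback peer."""
    return any(resolve(cfg, d).from_loopback for d in probes)


def reachable_host_dsts(cfg: PasstConfig, probes):
    """Guest-side destinations (as strings) from which a host service is reachable."""
    return sorted(str(d) for d in probes if resolve(cfg, d).reaches_host)


# Placeholders standing in for the XXXX / YYYY of the reply, plus a constructed
# second host address to show the --no-map-gw caveat.
XXXX = ip_address("192.0.2.2")
YYYY = ip_address("192.0.2.3")
OTHER = ip_address("198.51.100.7")

CONFIGS = {
    "1) default NAT (no --no-map-gw)": PasstConfig(),
    "--no-map-gw alone, host also has OTHER": PasstConfig(
        map_gw=False, host_other_addrs=frozenset({OTHER})),
    "2) --map-guest-addr XXXX --map-host-loopback none": PasstConfig(
        map_guest_addr=XXXX, map_host_loopback=None),
    "3) -a YYYY --no-map-gw": PasstConfig(guest_addr=YYYY, map_gw=False),
}
PROBES = (GATEWAY, HOST_ADDR, XXXX, YYYY, OTHER)

if __name__ == "__main__":
    for name, cfg in CONFIGS.items():
        print(f"{name:50} host reachable via {reachable_host_dsts(cfg, PROBES) or 'nothing'};"
              f" loopback-looking peer: {loopback_exposure(cfg, PROBES)}")
```

Run as a script, the table shows the trade-off the reply makes: only option 1 yields a connection the host sees as loopback; options 2 and 3 reach the host but as an external-looking peer; and --no-map-gw on its own still leaves any service bound to a second non-loopback host address reachable, so "isolated" depends on what the host is listening on, not only on the passt flags.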