From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: passt.top; dmarc=none (p=none dis=none) header.from=gibson.dropbear.id.au
Authentication-Results: passt.top;
	dkim=pass (2048-bit key; secure) header.d=gibson.dropbear.id.au header.i=@gibson.dropbear.id.au header.a=rsa-sha256 header.s=202602 header.b=R00Sv/Yu;
	dkim-atps=neutral
Received: from mail.ozlabs.org (mail.ozlabs.org [IPv6:2404:9400:2221:ea00::3])
	by passt.top (Postfix) with ESMTPS id D28135A0265
	for <passt-user@passt.top>; Mon, 11 May 2026 13:24:49 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gibson.dropbear.id.au; s=202602; t=1778498686;
	bh=NfTQWCG/5wnVewoGExrK0FrRgDpW0Z8tz1V0kkGt6ak=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
	b=R00Sv/Yu2Te7LH6oE8j7uOIe3M23O+z3StJsTSAolUDn44D+ehWqlH3hcJPug6Jw7
	 /rNUp3jshHY7S243ka3DfpkSWKD0WY+cuShJlv5KBt5TuS0rvJ4//1ZnayNV8HHCfw
	 qYsuBgydaA4+4PaKtxey+vNi1W+2rxsxg4EEdqj6kUk7ImKZ45KnRZfxKAnID1aNqH
	 485BYPq6ydKCS/Xk1Ip6lxO8owI1SWfUj+CZJztpjIaV6TpfhD0MQKeNedM4B2o+c2
	 Nucsf+QuofwCk9GSfAVpvERu0ocAYgSxePJ8KUL6KtsFDCglHpfPiAqg1s45Rr8bcp
	 rO1hjBgIXRWCQ==
Received: by gandalf.ozlabs.org (Postfix, from userid 1007)
	id 4gDcnp5ZnLz4wCX; Mon, 11 May 2026 21:24:46 +1000 (AEST)
Date: Mon, 11 May 2026 21:24:42 +1000
From: David Gibson <david@gibson.dropbear.id.au>
To: Niklas Beierl <no.shoes@posteo.net>
Subject: Re: Passt port forwards to guest when host is "offline"
Message-ID: <agG8eoXMd-CWqjwb@zatzit>
References: <ca6e16de-771b-4e58-8c35-2a1acbc03473@posteo.net>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="V7mgWeby6qntzyIL"
Content-Disposition: inline
In-Reply-To: <ca6e16de-771b-4e58-8c35-2a1acbc03473@posteo.net>
Message-ID-Hash: 2BQAIWX4MLGFM62VLIOTJ7LKYOARU7S2
X-Message-ID-Hash: 2BQAIWX4MLGFM62VLIOTJ7LKYOARU7S2
X-MailFrom: dgibson@gandalf.ozlabs.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: passt-user@passt.top
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: "For passt users: support, questions and answers" <passt-user.passt.top>
Archived-At: <https://archives.passt.top/passt-user/agG8eoXMd-CWqjwb@zatzit/>
Archived-At: <https://passt.top/hyperkitty/list/passt-user@passt.top/message/2BQAIWX4MLGFM62VLIOTJ7LKYOARU7S2/>
List-Archive: <https://archives.passt.top/passt-user/>
List-Archive: <https://passt.top/hyperkitty/list/passt-user@passt.top/>
List-Help: <mailto:passt-user-request@passt.top?subject=help>
List-Owner: <mailto:passt-user-owner@passt.top>
List-Post: <mailto:passt-user@passt.top>
List-Subscribe: <mailto:passt-user-join@passt.top>
List-Unsubscribe: <mailto:passt-user-leave@passt.top>


--V7mgWeby6qntzyIL
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sun, May 10, 2026 at 01:40:56PM +0000, Niklas Beierl wrote:
> Hello,
>=20
> I hope I am not violating any mailinglist etiquette. I am not too familiar
> with this way of communicating and I haven't found a guide for passts lis=
t.
> Please feel free to point me out.
>=20
> I have the following Problem: I have a libvirt VM using passt as usermode
> networking backend. I set up a port-forward to access a service on the VM.
> In principle, this setup serves me well. There is just one edge-case that=
 is
> very unergonomic:
> When the VM boots while the host (laptop) is offline, the VM get's no IP
> either and the the port-forward doesn't work since passt has no IP to
> forward to.

Ok, this is a known problem - or, rather a known cluster of
overlapping problems.  There are some a fair few complications in
working out exactly how best to address it though, which is why it's
still there.

> 35.2917: ERROR:=A0 =A0Flow 0 (INI): No rules to forward HOST TCP
> [127.0.0.1]:42336 -> [127.0.0.1]:3389
>=20
> This unfortunately happens quite frequently because I travel a lot. I know
> this scenario doesn't really have an obvious, well defined solution, beca=
use
> passt is supposed to just make the guest believe it has the same ip as the
> host and in this case the host has no ip. A few things I have considered:
>=20
> Assigning an additional, static IP to the guest and somehow forcing traff=
ic
> for it to passt. Not sure if/how this would work.
> Assigning an additional, static IP on some host interface, hoping passt w=
ill
> pick it up and advertise it via DHCP?
> Am I missing a more elegant approach?
>=20
> I was also thinking that it would perhaps be cool if passt could make
> port-forwards for localhost connections work irrespective of whether the
> host otherwise has network connectivity. Haven't thought it 100% through,
> but if 127.0.0.1/8 is src and dst of the connection, there is no broken
> return route on the guest or anything so in theory this should be possibl=
e I
> guess? I'd be happy to bounce ideas back and forth.
>=20
> For reference: The interface definition:
>=20
> =A0 =A0 <interface type=3D'user'>
> =A0 =A0 =A0 <mac address=3D'52:54:00:16:63:9f'/>
> =A0 =A0 =A0 <portForward proto=3D'tcp'>
> =A0 =A0 =A0 =A0 <range start=3D'3389'/>
> =A0 =A0 =A0 </portForward>
> =A0 =A0 =A0 <model type=3D'e1000e'/>
> =A0 =A0 =A0 <backend type=3D'passt' logFile=3D'/tmp/win11passt.log'/>
> =A0 =A0 =A0 <address type=3D'pci' domain=3D'0x0000' bus=3D'0x01' slot=3D'=
0x00'
> function=3D'0x0'/>
> =A0 =A0 </interface>

So, this isn't really related to port forwarding at all.  As long as
the forward doesn't have a specific listening address (which your
example doesn't), it should work fine whatever the guest address -
even if the guest changes address.

The problem with forwards is just due to not getting an address at
all.  The primary difficulty here is that if the host has no address,
we have to conjure one out of thin air for the guest.  But, if the
host later goes online, we don't want whatever we picked for the guest
to conflict with that.  Finding a safe choice is quite tricky.

Jon Maloy is currently working on a series of patches that reworks the
management of guest addresses.  The primary aim is to support multiple
concurrent guest addresses.  However, it will also provide a better
foundation on which to handle the assignment of addresses when we
can't take one from the host.

In the meantime there's are some workarounds you could try:

 * What version of passt do you have?  Newer versions have "local
   mode".  It isn't perfect, but it has at least some ability to
   assign a guest address when the host doesn't have one.

 * If it's not important to you that the guest take the host address
   when the host *is* online, then passt has the ability to explicitly
   assign a guest address.  You can use that via libvirt by adding
   lines like:
	<ip address=3D'172.17.2.0' family=3D'ipv4' prefix=3D'24'/>
	<ip address=3D'2001:db8:ac10:fd01::feed' family=3D'ipv6'/>
   to the  interface block.

--=20
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson

--V7mgWeby6qntzyIL
Content-Type: application/pgp-signature; name=signature.asc

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEO+dNsU4E3yXUXRK2zQJF27ox2GcFAmoBvHkACgkQzQJF27ox
2Gdt5RAAg34xthUAEPIUBH6S115BCkFtsqDTGhZ8eJtZ4RPp1X9yGgG3ZVYXZ/N9
MdV8jukycOTiGS8lHHgMeQgDYD/zKHKU1RjeR2QBeGi3tKOvy2pnygVg/56HLas3
HalRlD9DwVHWF4Y8iySWcvRcK2z4hVmllLPlssBY6ogGw5lx2z74R4XOGY2jHI7N
1GGpr1FJUR9l7rw1Gqc8vDhUPHAtMstroJVCSeKusd5XfvkP2WibrRBvY2oW9gzB
6JzNacgxAlXD0bKkDm6FhPxK6W7afpaxXHuq2X+w7ukPHGmyQKgp0475KDcYAdtE
Gem/7IQIe/nW0yALERQxIh2tE727iBj+coavPX8KT+OWDbO6YO4sYRt/8L8Gwti0
hGJtGI1YnMx+zz5l3z5KeYQ6Q7T4QfU/KcDfpASxvp86xFj8I44qaBV++vRW0Dm3
5oxUDf82g0Eyqn0p3WuBroZ8dpfbBbC9+yCdfpyjqEa9H1mf7/s6kCPBNC3WcqlK
6+PL06QemOGHcNKTWLNfdPqtiPNeUR7sZY4UInuoH8efmyryVio5/hhmcWh+HsZM
ZWpWwSCwkIsR2Q1va3Q7skPD4Bvzoa3QsVMx/RGgY9s7XCJbsgVhyfizFEXlvZXZ
zmAPvX/hSWv0ciyDJ/xblE7hebqvkLz2ZQ/3n1bJCOW5fIatNtw=
=mNcI
-----END PGP SIGNATURE-----

--V7mgWeby6qntzyIL--