Date: Fri, 25 Apr 2025 15:49:16 +0800
From: "Ben Woods"
To: "Stefano Brivio"
In-Reply-To: <20250425092620.074e2cce@elisabeth>
References: <38893f85-ca3d-4e1e-929d-236df89ab9f6@app.fastmail.com> <20250425092620.074e2cce@elisabeth>
Subject: Re: pasta behaviour with multiple NICs
CC: passt-user@passt.top
List-Id: "For passt users: support, questions and answers"

Hi Stefano,

Thanks for the quick response.

I think my questions came from a misunderstanding of how pasta works. I was thinking about the container network namespace directly sending the traffic out the host physical interface based on the IP/gateway inside the netns.

Reading your answer, I think I understand now that in fact the network connection from inside the container netns is connected via a socket to pasta running on the host… and then pasta simply creates the TCP or UDP socket connection out the host physical interface using the host network stack. Is that correct?

That then explains why you’re saying that pasta itself is not choosing the egress interface, route or source IP… it’s the kernel that does that when pasta creates the TCP/UDP connection. Hence the traffic egress interface, source IP and next-hop should be the same as if it originated from a process on the host.

It does make me wonder what’s the purpose of assigning an IP/subnet/gateway inside the container netns at all - if all connections are sent via the socket and host pasta process then creates the actual connection?

Cheers,
Ben

On Fri, 25 Apr 2025, at 3:26 PM, Stefano Brivio wrote:
> Hi Ben,
>
> On Fri, 25 Apr 2025 14:54:18 +0800
> "Ben Woods" wrote:
>
>> Hi everyone,
>>
>> I'm struggling to understand how pasta will behave when the host has
>> multiple network interfaces. I can't see this mentioned in the
>> website or man page.
>
> Right, yeah, it's not really mentioned anywhere, sorry for that, and
> thanks for your question.
>
>> I'm using pasta with podman if that makes a difference.
>
> It shouldn't make a difference.
>
>> Example Scenario - 2 interfaces - eth0 (with default route) and eth1
>> in a different subnet.
>>
>> When the podman container is created, inside the container there is a
>> single interface shown that mimics the eth0 interface name, IP,
>> gateway.
>>
>> If traffic is initiated from the container to an IP within the eth1
>> subnet - how does pasta make it appear to come from the eth1 IP
>> address? Does it automatically apply NAT to achieve this?
>
> The operating system (unfortunately it's Linux only, so far) takes care
> of all that, pasta has no idea: it just opens a socket and connect()s
> it to the destination address (that might be bind() _and_ connect(), for
> UDP). The kernel then decides based on routing rules and tables.
>
> But yes, this typically results in NAT, at least with the default
> source address selection Linux does.
>
> In other words: it's as if your container and everything inside it
> behaved like a local process, network-wise, as seen from outside.
>
> Given that pasta isn't in charge of network (or even transport) headers
> "outside", it doesn't really "do NAT", but, with default options and a
> matching upstream interface, it avoids that NAT is done in the bigger
> picture.
>
>> If the host has a static route for a subnet not directly connected to
>> either eth0 or eth1, but the static route uses a next hop IP address
>> within the eth1 subnet - will pasta apply NAT to the eth1 IP address,
>> and then use the static route to send it via the next-hop router?
>
> This also reduces to a question about Linux, essentially. Yes, as far
> as I know, that would be the outcome: source NAT using a matching
> address assigned to eth1, if any (preferred source address).
>
> Does that answer your question?
>
> --
> Stefano

--
From: Ben Woods ben@woods.am
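
Added example (not part of the original thread and not pasta's code): the "open a socket, connect(), and the kernel decides" behaviour described in the quoted reply can be observed from any host process. kernel_source_for() is a hypothetical helper; it connect()s an unbound UDP socket, which sends no packet, and reads back the source address the kernel's routing and source address selection picked for that destination.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper (not a pasta function): connect() an unbound UDP
 * socket to dst and report the source address the kernel selected. No
 * packet is sent. Returns 0 on success, -1 on bad input or no route. */
int kernel_source_for(const char *dst, char *src, size_t len)
{
	struct sockaddr_storage ss;
	struct sockaddr_in *a4 = (struct sockaddr_in *)&ss;
	struct sockaddr_in6 *a6 = (struct sockaddr_in6 *)&ss;
	const void *addr;
	int fd, rc = -1;
	socklen_t sl = sizeof(ss);
	memset(&ss, 0, sizeof(ss));
	if (inet_pton(AF_INET, dst, &a4->sin_addr) == 1) {
		ss.ss_family = AF_INET;
		addr = &a4->sin_addr;
	} else if (inet_pton(AF_INET6, dst, &a6->sin6_addr) == 1) {
		ss.ss_family = AF_INET6;
		addr = &a6->sin6_addr;
	} else {
		return -1;
	}
	a4->sin_port = htons(9);	/* sin6_port is at the same offset */
	fd = socket(ss.ss_family, SOCK_DGRAM, 0);
	if (fd < 0)
		return -1;
	/* Route lookup and source selection happen here, in the kernel */
	if (!connect(fd, (struct sockaddr *)&ss, sizeof(ss)) &&
	    !getsockname(fd, (struct sockaddr *)&ss, &sl) &&
	    inet_ntop(ss.ss_family, addr, src, len))
		rc = 0;
	close(fd);
	return rc;
}

int main(int argc, char **argv)
{
	char src[INET6_ADDRSTRLEN];
	for (int i = 1; i < argc; i++)	/* destination addresses as arguments */
		printf("%s -> %s\n", argv[i], kernel_source_for(argv[i],
		       src, sizeof(src)) ? "no route or bad address" : src);
	return 0;
}
```

Run on the host with one destination in each subnet from the scenario above; the printed source for each is the address a local process, and so traffic forwarded by pasta, would leave with.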