public inbox for passt-user@passt.top
* port forward from guest to host- inquiry
@ 2025-10-25  0:02 baleti
  2025-10-25  8:14 ` David Gibson
  0 siblings, 1 reply; 5+ messages in thread
From: baleti @ 2025-10-25  0:02 UTC (permalink / raw)
  To: passt-user

Does anyone know if passt can port forward from guest to host? I'm
trying to make a diod server available on the guest.

On the host I run a service listening on 9564:
  ~ $ diod --foreground --listen 0.0.0.0:9564 --export /home/user/autocad-ballet --no-auth

Is there a way for passt to make it available on the guest?



* Re: port forward from guest to host- inquiry
  2025-10-25  0:02 port forward from guest to host- inquiry baleti
@ 2025-10-25  8:14 ` David Gibson
  2025-10-25 21:23   ` baleti
  0 siblings, 1 reply; 5+ messages in thread
From: David Gibson @ 2025-10-25  8:14 UTC (permalink / raw)
  To: baleti; +Cc: passt-user


On Sat, Oct 25, 2025 at 01:02:36AM +0100, baleti wrote:
> does anyone know if passt can port forward from guest to host? I'm trying to
> make a diod server available on the guest?

I'm assuming you're using passt (guest is a VM) not pasta (guest is a
container).

> 
> on host I run a service listening on 9564:
>  ~ $ diod --foreground --listen 0.0.0.0:9564 --export
> /home/user/autocad-ballet --no-auth
> 
> is there a way for passt to make it available on the guest?

Yes, but you don't need an explicit forward for this - passt's default
behaviour is to let the guest access things outside, including the
host.  The complication is that, by default, the guest gets the same
address as the host, so the guest can't access the host using its
normal address.

However, also by default, we remap the default gateway address to the
host.  That is, if on the guest you connect to the address of the
default gateway, port 9564, that will actually connect to diod on the
host.

The details of this can be adjusted with the --map-host-loopback,
--map-guest-addr and --no-map-gw options.

-- 
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson



* Re: port forward from guest to host- inquiry
  2025-10-25  8:14 ` David Gibson
@ 2025-10-25 21:23   ` baleti
  2025-10-27  1:46     ` David Gibson
  0 siblings, 1 reply; 5+ messages in thread
From: baleti @ 2025-10-25 21:23 UTC (permalink / raw)
  To: David Gibson; +Cc: passt-user

Thanks for explaining David, that makes sense. I've added --no-map-gw to
my setup and ended up forwarding diod using vsock and socat. Sorry, are
you saying that the guest still has access to services listening on the
host? Is there a way to block it and any other private IPs? I was trying
to isolate the virtual machine as much as possible except for selected
services.

On 10/25/25 9:14 AM, David Gibson wrote:
> On Sat, Oct 25, 2025 at 01:02:36AM +0100, baleti wrote:
>> does anyone know if passt can port forward from guest to host? I'm trying to
>> make a diod server available on the guest?
> I'm assuming you're using passt (guest is a VM) not pasta (guest is a
> container).
>
>> on host I run a service listening on 9564:
>>   ~ $ diod --foreground --listen 0.0.0.0:9564 --export
>> /home/user/autocad-ballet --no-auth
>>
>> is there a way for passt to make it available on the guest?
> Yes, but you don't need an explicit forward for this - passt's default
> behaviour is to let the guest access things outside, including the
> host.  The complication is that, by default, the guest gets the same
> address as the host, so the guest can't access the host using its
> normal address.
>
> However, also by default, we remap the default gateway address to the
> host.  That is, if on the guest you connect to the address of the
> default gateway, port 9564, that will actually connect to diod on the
> host.
>
> The details of this can be adjusted with the --map-host-loopback,
> --map-guest-addr and --no-map-gw options.
>


* Re: port forward from guest to host- inquiry
  2025-10-25 21:23   ` baleti
@ 2025-10-27  1:46     ` David Gibson
  2025-10-28  0:13       ` baleti
  0 siblings, 1 reply; 5+ messages in thread
From: David Gibson @ 2025-10-27  1:46 UTC (permalink / raw)
  To: baleti; +Cc: passt-user


On Sat, Oct 25, 2025 at 10:23:07PM +0100, baleti wrote:
> Thanks for explaining David, that makes sense. I've added --no-map-gw to my
> setup and ended up forwarding diod using vsock and socat. Sorry, are you
> saying that the guest still has access to services listening on the host? Is
> there a way to block it and any other private IPs? I was trying to isolate
> the virtual machine as much as possible except for selected
> services.

Ah, ok.  --no-map-gw disables the defaults I was mentioning.  So with
that there's no (direct) way for the guest to reach services on the
host; or at least not via the address which is shared with the guest.
If the services are listening on multiple (non loopback) host
addresses, the guest can reach them via one of the other addresses.

At present there isn't a way to expose only certain host ports to the
guest.  We'd like to have the flexibility to do that (amongst many
other things), and we're working towards it, but it requires quite a
bit of infrastructure work.

In the meantime you have a few options:

 1) Remove --no-map-gw, and use the default NAT.  This does expose the
    host slightly, in the sense that the guest can connect to it in a
    way that appears to come from loopback, so that might not meet
    your isolation requirement.

 2) Use:
 	--map-guest-addr XXXX --map-host-loopback none
	(or equivalently --map-guest-addr XXXX --no-map-gw)
    This will let the guest access the host at address XXXX.  In a
    sense this does expose the host more than your current setup, but
    since connections via this NAT won't appear to come from loopback
    on the host (they'll appear to come from the host's public IP),
    you're not really exposing the host to the VM any more than it's
    already exposed to the outside world.

[Arguably, this should be the default behaviour; it's not for
 historical reasons]

 3) Change the guest address away from the default (which is the same
     as the host's address) with:
	-a YYYY --no-map-gw
    Now the guest will think it has address YYYY, and can access host
    services via the host's usual public address.  Again, those
    connections from the VM won't appear to come from loopback, so
    it's not exposing the host to the VM any more than it's exposed to
    the world.

> On 10/25/25 9:14 AM, David Gibson wrote:
> > On Sat, Oct 25, 2025 at 01:02:36AM +0100, baleti wrote:
> > > does anyone know if passt can port forward from guest to host? I'm trying to
> > > make a diod server available on the guest?
> > I'm assuming you're using passt (guest is a VM) not pasta (guest is a
> > container).
> > 
> > > on host I run a service listening on 9564:
> > >   ~ $ diod --foreground --listen 0.0.0.0:9564 --export
> > > /home/user/autocad-ballet --no-auth
> > > 
> > > is there a way for passt to make it available on the guest?
> > Yes, but you don't need an explicit forward for this - passt's default
> > behaviour is to let the guest access things outside, including the
> > host.  The complication is that, by default, the guest gets the same
> > address as the host, so the guest can't access the host using its
> > normal address.
> > 
> > However, also by default, we remap the default gateway address to the
> > host.  That is, if on the guest you connect to the address of the
> > default gateway, port 9564, that will actually connect to diod on the
> > host.
> > 
> > The details of this can be adjusted with the --map-host-loopback,
> > --map-guest-addr and --no-map-gw options.
> > 

-- 
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson


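A constructed model of the mapping behaviour laid out in David's three options above, added here as an illustration and not passt's own code; the sample addresses, the `HOST_ADDRS`/`GATEWAY` names and the `OPTION1..3` labels are assumptions. It shows which configurations let a guest connection land on the host as if from loopback, which is the exposure that matters for host services bound only to 127.0.0.1.

```python
"""Simplified model of the passt guest-to-host address mapping described in
the thread.  Constructed illustration, not passt's code: it encodes only the
behaviours the message names (shared address, gateway remap, --map-guest-addr, -a)."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample addresses (documentation ranges, not a real deployment).
HOST_ADDRS = ["203.0.113.10", "198.51.100.7"]   # host's non-loopback addresses
GATEWAY = "203.0.113.1"                          # default gateway seen by the guest

@dataclass
class PasstConfig:
    map_gw: bool = True                   # default; --no-map-gw sets this False
    map_guest_addr: Optional[str] = None  # --map-guest-addr XXXX
    guest_addr: str = HOST_ADDRS[0]       # -a YYYY; default is the host's address

def host_side(cfg: PasstConfig, dest: str) -> Optional[str]:
    """Classify a guest connection to `dest`: "loopback" if it lands on the
    host appearing to come from 127.0.0.1, "host-addr" if it lands on the
    host from the host's own address, None if it never reaches the host."""
    if dest == cfg.guest_addr:
        return None           # the guest's own address never reaches the host
    if cfg.map_gw and dest == GATEWAY:
        return "loopback"     # option 1: gateway address remapped to host loopback
    if cfg.map_guest_addr and dest == cfg.map_guest_addr:
        return "host-addr"    # option 2: NAT to the host's public address
    if dest in HOST_ADDRS:
        return "host-addr"    # option 3, or any host address not shared with the guest
    return None               # ordinary outbound traffic

def reaches_loopback_only_services(cfg: PasstConfig) -> bool:
    """True when some destination the guest can name lands on host loopback,
    i.e. services bound only to 127.0.0.1 become reachable from the VM."""
    candidates = [GATEWAY, *HOST_ADDRS]
    if cfg.map_guest_addr:
        candidates.append(cfg.map_guest_addr)
    return any(host_side(cfg, d) == "loopback" for d in candidates)

OPTION1 = PasstConfig()                                          # default NAT
OPTION2 = PasstConfig(map_gw=False, map_guest_addr="192.0.2.2")  # --map-guest-addr XXXX --no-map-gw
OPTION3 = PasstConfig(map_gw=False, guest_addr="192.0.2.3")      # -a YYYY --no-map-gw
CURRENT = PasstConfig(map_gw=False)                              # --no-map-gw alone
```

With `CURRENT` the shared address is unreachable but a second host address still is, matching the caveat about services listening on multiple non-loopback addresses.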

* Re: port forward from guest to host- inquiry
  2025-10-27  1:46     ` David Gibson
@ 2025-10-28  0:13       ` baleti
  0 siblings, 0 replies; 5+ messages in thread
From: baleti @ 2025-10-28  0:13 UTC (permalink / raw)
  To: David Gibson; +Cc: passt-user

Thanks David for writing down these options and confirming that:
> At present there isn't a way to expose only certain host ports to the
> guest.

That was my main objective as the VM guest is not trusted and I didn't want
to expose other services listening on the host. Also thanks for
confirming that with the --no-map-gw option host network interfaces get
properly isolated from the guest.

On 10/27/25 1:46 AM, David Gibson wrote:
> On Sat, Oct 25, 2025 at 10:23:07PM +0100, baleti wrote:
>> Thanks for explaining David, that makes sense. I've added --no-map-gw to my
>> setup and ended up forwarding diod using vsock and socat. Sorry, are you
>> saying that the guest still has access to services listening on the host? Is
>> there a way to block it and any other private IPs? I was trying to isolate
>> the virtual machine as much as possible except for selected
>> services.
> Ah, ok.  --no-map-gw disables the defaults I was mentioning.  So with
> that there's no (direct) way for the guest to reach services on the
> host; or at least not via the address which is shared with the guest.
> If the services are listening on multiple (non loopback) host
> addresses, the guest can reach them via one of the other addresses.
>
> At present there isn't a way to expose only certain host ports to the
> guest.  We'd like to have the flexibility to do that (amongst many
> other things), and we're working towards it, but it requires quite a
> bit of infrastructure work.
>
> In the meantime you have a few options:
>
>   1) Remove --no-map-gw, and use the default NAT.  This does expose the
>      host slightly, in the sense that the guest can connect to it in a
>      way that appears to come from loopback, so that might not meet
>      your isolation requirement.
>
>   2) Use:
>   	--map-guest-addr XXXX --map-host-loopback none
> 	(or equivalently --map-guest-addr XXXX --no-map-gw)
>      This will let the guest access the host at address XXXX.  In a
>      sense this does expose the host more than your current setup, but
>      since connections via this NAT won't appear to come from loopback
>      on the host (they'll appear to come from the host's public IP),
>      you're not really exposing the host to the VM any more than it's
>      already exposed to the outside world.
>
> [Arguably, this should be the default behaviour; it's not for
>   historical reasons]
>
>   3) Change the guest address away from the default (which is the same
>       as the host's address) with:
> 	-a YYYY --no-map-gw
>      Now the guest will think it has address YYYY, and can access host
>      services via the host's usual public address.  Again, those
>      connections from the VM won't appear to come from loopback, so
>      it's not exposing the host to the VM any more than it's exposed to
>      the world.
>
>> On 10/25/25 9:14 AM, David Gibson wrote:
>>> On Sat, Oct 25, 2025 at 01:02:36AM +0100, baleti wrote:
>>>> does anyone know if passt can port forward from guest to host? I'm trying to
>>>> make a diod server available on the guest?
>>> I'm assuming you're using passt (guest is a VM) not pasta (guest is a
>>> container).
>>>
>>>> on host I run a service listening on 9564:
>>>>    ~ $ diod --foreground --listen 0.0.0.0:9564 --export
>>>> /home/user/autocad-ballet --no-auth
>>>>
>>>> is there a way for passt to make it available on the guest?
>>> Yes, but you don't need an explicit forward for this - passt's default
>>> behaviour is to let the guest access things outside, including the
>>> host.  The complication is that, by default, the guest gets the same
>>> address as the host, so the guest can't access the host using its
>>> normal address.
>>>
>>> However, also by default, we remap the default gateway address to the
>>> host.  That is, if on the guest you connect to the address of the
>>> default gateway, port 9564, that will actually connect to diod on the
>>> host.
>>>
>>> The details of this can be adjusted with the --map-host-loopback,
>>> --map-guest-addr and --no-map-gw options.
>>>

