On Fri, 16 Jan 2026 11:25:09 +0800
Yumei Huang
This patch introduces a mode where we only forward loopback connections and traffic between two namespaces (via the loopback interface, 'lo'), without a tap device.
It might be used to fix up podman IPv4 / IPv6 loopback mapping when using rootlesskit for forwarding ports, or a way to implement isolated containers.
In this mode, --host-lo-to-ns-lo and --no-icmp are automatically enabled. Option --no-splice is rejected.
Link: https://bugs.passt.top/show_bug.cgi?id=149
Signed-off-by: Yumei Huang
--- conf.c | 39 ++++++++++++++++++++++++++++----------- fwd.c | 3 +++ passt.1 | 5 +++++ passt.h | 2 ++ pasta.c | 3 +++ tap.c | 11 +++++++---- 6 files changed, 48 insertions(+), 15 deletions(-) diff --git a/conf.c b/conf.c index dbff87c..9d88ad7 100644 --- a/conf.c +++ b/conf.c @@ -1059,7 +1059,8 @@ pasta_opts: " --no-copy-addrs DEPRECATED:\n" " Don't copy all addresses to namespace\n" " --ns-mac-addr ADDR Set MAC address on tap interface\n" - " --no-splice Disable inbound socket splicing\n"); + " --no-splice Disable inbound socket splicing\n" + " --splice-only Only enable loopback forwarding\n");
passt_exit(status); } @@ -1142,7 +1143,7 @@ static void conf_print(const struct ctx *c) inet_ntop(AF_INET6, &c->ip6.addr_out, buf6, sizeof(buf6))); }
- if (c->mode == MODE_PASTA) + if (c->mode == MODE_PASTA && !c->splice_only) info("Namespace interface: %s", c->pasta_ifn);
info("MAC:");
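Review bot: the new usage line `" --splice-only Only enable loopback forwarding\n"` in the pasta_opts help text does not tell the user what the commit message states, namely that this mode implies --host-lo-to-ns-lo and --no-icmp and rejects --no-splice; consider wording it along the lines of "Only forward loopback traffic, no tap device (implies --host-lo-to-ns-lo, --no-icmp)" so the option's side effects are visible from --help as well as from passt.1.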
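Review bot: in conf_print(), the new `if (c->mode == MODE_PASTA && !c->splice_only)` guard only skips the "Namespace interface:" line, while the `info("MAC:");` block immediately after it stays unconditional, so --debug output in --splice-only mode still reports a host MAC address although no tap device exists in that mode; consider placing the MAC report under the same `!c->splice_only` condition (or printing that no tap interface is configured) so the debug output does not mislead.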
Actually, I just realised, also the MAC address information printed here is meaningless for the --splice-only mode:

$ ./pasta --debug --splice-only
0.0019: MAC:
0.0019:     host: 9a:55:9a:55:9a:55

...but that MAC address will never appear anywhere.

But in any case the patch looks good to me (with or without that "fixed").

--
Stefano