May 2026 - user

Passt port forwards to guest when host is "offline"
by Niklas Beierl 28 May '26

28 May '26

Hello, I hope I am not violating any mailinglist etiquette. I am not too familiar with this way of communicating and I haven't found a guide for passts list. Please feel free to point me out. I have the following Problem: I have a libvirt VM using passt as usermode networking backend. I set up a port-forward to access a service on the VM. In principle, this setup serves me well. There is just one edge-case that is very unergonomic: When the VM boots while the host (laptop) is offline, the VM get's no IP either and the the port-forward doesn't work since passt has no IP to forward to. 35.2917: ERROR: Flow 0 (INI): No rules to forward HOST TCP [127.0.0.1]:42336 -> [127.0.0.1]:3389 This unfortunately happens quite frequently because I travel a lot. I know this scenario doesn't really have an obvious, well defined solution, because passt is supposed to just make the guest believe it has the same ip as the host and in this case the host has no ip. A few things I have considered: Assigning an additional, static IP to the guest and somehow forcing traffic for it to passt. Not sure if/how this would work. Assigning an additional, static IP on some host interface, hoping passt will pick it up and advertise it via DHCP? Am I missing a more elegant approach? I was also thinking that it would perhaps be cool if passt could make port-forwards for localhost connections work irrespective of whether the host otherwise has network connectivity. Haven't thought it 100% through, but if 127.0.0.1/8 is src and dst of the connection, there is no broken return route on the guest or anything so in theory this should be possible I guess? I'd be happy to bounce ideas back and forth. For reference: The interface definition: <interface type='user'> <mac address='52:54:00:16:63:9f'/> <portForward proto='tcp'> <range start='3389'/> </portForward> <model type='e1000e'/> <backend type='passt' logFile='/tmp/win11passt.log'/> <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/> </interface> Best Niklas

3 6

passt: new version 2026_05_26.038c51e available
by Stefano Brivio 27 May '26

27 May '26

The new version with tag 2026_05_26.038c51e includes the following changes: 038c51e vhost_user: Offer VIRTIO_NET_F_GUEST_CSUM 196a9e5 ip: Wrap CASE macro body in braces for pre-C23 compatibility da00969 tcp_splice: Simplify tracking of read/written bytes ac9814e tcp_splice: Clean up flow control path for splice forwarding bda8230 tcp_splice: Avoid missing EOF recognition while forwarding aa6b796 tcp_splice: Improve error reporting 21ea343 tcp_vu: Support multibuffer frames in tcp_vu_send_flag() feb9a11 tcp_vu: Support multibuffer frames in tcp_vu_sock_recv() f8cace2 tcp_vu: Build headers on the stack and write them into the iovec 92845dd tcp: Encode checksum computation flags in a single parameter dec66c0 udp: Pass iov_tail to udp_update_hdr4()/udp_update_hdr6() 9361b6b iov: Introduce IOV_PUSH_HEADER() macro 28ee143 udp_vu: Allow virtqueue elements with multiple iovec entries 76fd546 selinux: Allow pasta to create and use its control socket when started by Podman cea2d19 Makefile: Remove misleading comments on BASE_*FLAGS 5038f92 netlink: Fix comments to variables for netlink sockets and sequence d00255b netlink: Use regular request/response netlink socket for initial neighbour sync b64ef53 conf, repair, tap: Document reasons for blocking Unix sockets 5ef0fc4 tap: Report accept() errors 1d16476 treewide: Add SOCK_CLOEXEC to accept() calls that are missing it db798fc vhost-user: Centralise Ethernet frame padding in vu_collect() and vu_pad() de6387a tcp: Pass explicit data length to tcp_fill_headers() d83470f vu_common: Pass explicit frame length to vu_flush() 533ef11 pcap: Pass explicit L2 length to pcap_iov() aa78f63 checksum: Pass explicit L4 length to checksum functions 7cd5afb udp_vu: Pass iov explicitly to helpers instead of using file-scoped array ee0ba3f udp_vu: Move virtqueue management from udp_vu_sock_recv() to its caller d3a4868 vu_common: Move vnethdr setup into vu_flush() d7259ea iov: Add iov_memcpy() to copy data between iovec arrays a804574 iov: Introduce iov_memset() bcc3d37 util: Fix changes to assert_with_msg() 296d7e3 fwd_rule: Allow parsing * as a forwarding address 666ef9e fwd_rule: Don't attempt dual stack listen()s if only one IP family 8bb21e3 test: Add test for builds with -DNDEBUG e514945 Fix build with -DNDEBUG fd4b637 test: Extend exeter build tests to cover more recent binaries ab12293 lib/term: Quote tr character ranges to prevent glob expansion 9b1ef47 pesto: Run static checkers on pesto sources bf63970 passt-repair: Run static checkers 3c6e797 passt-repair: Simplify construction of Unix path from inotify 1254a1f passt-repair: Split out inotify handling to its own function a2a2f40 Makefile: Split static checker targets b356b62 cppcheck, clang-tidy: Static checkers don't need non-preprocessor flags fb9be08 Makefile: Split $(FLAGS) into cpp and cc components 88ce87e Makefile: Add header dependencies for secondary binaries 9015b76 Makefile: Remove unhelpful $(HEADERS) variable d4632a4 Makefile: Use common binary compilation rule 59b14b2 Makefile: Make conditional definition of $(BIN) clearer 1cd6276 Makefile: Use make variables for static checker configuration 4de7c38 clang-tidy: Suppress some new unhelpful new warnings 97e478b treewide: Make some additional variables static 90f175d packet, clang-tidy: Packet pool buffers are not NULL 7bafe71 clang-tidy: Suppress sscanf() warning harder a82a217 clang-tidy: Squash inconsistent brace warnings in foreach macros db02221 conf: Fix not-actually-const parameter to conf_runas() and conf_ugid() 5b3ca87 virtio: Reduce scope of variable 1e6b638 netlink: erromsg should be const in nl_status() https://passt.top/passt/log/?qt=range&q=2026_05_07.1afd4ed..2026_05_26.038c… Packages: - Alpine Linux: https://pkgs.alpinelinux.org/packages?name=passt - Arch Linux: https://www.archlinux.org/packages/extra/x86_64/passt/ https://archlinuxarm.org/packages/aarch64/passt https://archlinuxarm.org/packages/armv7h/passt - Chimera: https://pkgs.chimera-linux.org/packages?name=passt - Clear Linux: https://github.com/clearlinux-pkgs/passt/ - Copr (CentOS Stream, EPEL, Fedora, Mageia): https://copr.fedorainfracloud.org/coprs/sbrivio/passt/build/10514454/ permanent mirror: https://passt.top/builds/copr/0^20260526.g038c51e/ - Debian tracker: https://tracker.debian.org/pkg/passt - Fedora updates: https://bodhi.fedoraproject.org/updates/?packages=passt - Gentoo versions: https://packages.gentoo.org/packages/net-misc/passt - GNU Guix: https://packages.guix.gnu.org/packages/passt/ - Homebrew: https://formulae.brew.sh/formula/passt - NixOS: https://github.com/NixOS/nixpkgs/tree/nixos-unstable/pkgs/by-name/pa/passt - openSUSE: https://software.opensuse.org/package/passt - OpenMandriva: https://github.com/OpenMandrivaAssociation/passt/tree/master - PLD Linux: https://git.pld-linux.org/cgi-bin/gitweb.cgi?p=packages/passt.git - Solus: https://github.com/getsolus/packages/tree/main/packages/p/passt - Ubuntu tracker: https://launchpad.net/ubuntu/+source/passt - Void Linux: https://voidlinux.org/packages/?q=passt - Static builds: - Package for other RPM-based distributions, x86_64 only: https://passt.top/builds/latest/x86_64/passt-g038c51e-1.x86_64.rpm - x86_64 static binaries: https://passt.top/builds/latest/x86_64/ - Debian package, from x86_64 static build: https://passt.top/builds/latest/x86_64/passt_038c51e-1_all.deb -- Stefano

1 0

passt: new version 2026_05_07.1afd4ed available
by Stefano Brivio 08 May '26

08 May '26

The new version with tag 2026_05_07.1afd4ed includes the following changes: 1afd4ed hooks: Copy static build of pesto and related man page to server 82523bc fedora: Install pesto, its SELinux policy, and the man page from the spec file 5335770 selinux: Add file context and type enforcement for pesto b3b2632 apparmor: Add policy file for pesto 2692ef3 pesto, conf, fwd_rule: Add options and modes to add, delete, clear rules e371d34 fwd_rule: Fix static checkers warnings in fwd_rule_add() 4ff9887 conf, fwd: Allow switching to new rules received from pesto 7c5b1d7 pesto, conf: Send updated rules from pesto back to passt/pasta cbd58d6 pesto: Parse and add new rules from command line fa06768 pesto: Read current ruleset from passt/pasta and optionally display it 24c7ef9 inany: Prepare inany.[ch] for sharing with pesto tool c9f7ed1 ip: Prepare ip.[ch] for sharing with pesto tool ba3047a pesto: Expose list of pifs to pesto and display them f1d893c pesto, conf: Have pesto connect to passt and check versions 8ad7dd4 pesto, log: Share log.h (but not log.c) with pesto tool 02236db pesto: Introduce stub configuration tool 6cf93ed fwd_rule: Fix some format specifiers cbcd428 pif: Limit pif names to 128 bytes 393c87e fwd: Generalise fwd_rules_info() 279b679 fwd_rule: Move conflict checking back within fwd_rule_add() c0e0c2f fwd, conf: Move rule parsing code to fwd_rule.[ch] 21d565d fwd_rule: Move ephemeral port probing to fwd_rule.c 0aeda87 conf, fwd: Stricter rule checking in fwd_rule_add() a458719 tcp: Use SO_MEMINFO for accurate send buffer overhead accounting ec96f01 tcp: Handle errors from tcp_send_flag() a287375 fwd, conf: Add capabilities bits to each forwarding table 2230d5b conf: Don't pass raw commandline argument to conf_ports_spec() 0521f83 conf: Move SO_BINDTODEVICE workaround to conf_ports() 4e09ddf conf: Allow user-specified auto-scanned port forwarding ranges bf7eebc conf: Move "all" handling to port specifier 0a466eb doc: Rework man page description of port specifiers 831857e tcp: Replace send buffer boost with EPOLLOUT monitoring ea5a4bb conf: Rework checking for garbage after a range 42c49e8 conf: Rework stepping through chunks of port specifiers d62a552 conf: Don't be strict about exclusivity of forwarding mode b68cac0 fwd: Improve error handling in fwd_rule_add() 2bffb63 fwd_rule: Move rule conflict checking from fwd_rule_add() to caller 02742fa fwd: Split rule building from rule adding 2093b33 conf: Pass protocol explicitly to conf_ports_range_except() f9d9926 fwd_rule: Move forwarding rule formatting 438b0df fwd: Better split forwarding rule specification from associated sockets dbe0ba1 conf: Permit -[tTuU] all in pasta mode a47b6ac doc: Consolidate -[tu] option descriptions for passt and pasta 189a3c5 conf: Move first pass handling of -[TU] next to handling of -[tu] de8ebc5 conf: Simplify handling of default forwarding mode 4d8aa0a conf: Split parsing of port specifiers from the rest of -[tuTU] parsing 5ac9cf1 tap, tcp, udp: Use rate-limited logging 926f5b4 conf: use a single buffer for print formatting in conf_print() f758d93 log: Add rate-limiting macros for log messages 6dad076 fwd: Split forwarding rule specification from its implementation state 51eaaa7 bitmap: Split bitmap helper functions into their own module 93c3e35 ip: Define a bound for the string returned by ipproto_name() ed187c3 conf: Remove redundant warning when SO_BINDTODEVICE is unavailable 72e7162 conf: Move check for disabled interfaces earlier 9c37a48 conf: Move check for mapping port 0 to caller 66e26b9 conf: Don't bother complaining about overlapping excluded ranges 1f9ee4f fwd, conf: Expose ephemeral ports as bitmap rather than function 35c56c5 fwd: Allow FWD_DUAL_STACK_ANY flag to be passed directly to fwd_rule_add() 559d4dc fwd: Store forwarding tables indexed by (origin) pif 1f974cc fwd: Look up rule index in fwd_sync_one() 0dc9f20 fwd: Move selecting correct scan bitmap into fwd_sync_one() b7a4718 serialise: Add helpers for serialising unsigned integers 8081aa5 serialise: Split functions user for serialisation from util.c 41b0c7b vhost_user: Fix assorted minor cppcheck warnings e2794c7 fwd: Comparing rule can be const 57117e4 conf: runas can be const bc872d9 treewide: Spell ASSERT() as assert() 451fb76 vu_common: Move iovec management into vu_collect() f5391ae vu_handle_tx: Pass actual remaining out_sg capacity to vu_queue_pop() b9d076d virtio: Pass iovec arrays as separate parameters to vu_queue_pop() 47e56fd pif: Remove unused PIF_NAMELEN b5e6ef4 doc: Fix formatting of (DEPRECATED) notes in man page 744d6df Makefile: Use $^ to avoid duplication in static checker rules 1b32bfe conf: Parse all forwarding options at the same time ea239bf conf: Don't defer handling of --dns option ee0e20e fwd: Always open /proc/net{tcp,tcp6,udp,udp6} in pasta mode d460ca3 fwd: Unify TCP and UDP forwarding tables bb2e4dd fwd: Split forwarding table from port scanning state d30e0b7 Fix misnamed field in struct ctx comments 4fa0076 fwd: Don't initialise unused port bitmaps d2438ef tcp: Remove stale description of port_to_tap field 0294fae conf, fwd: Make overall forwarding mode local to conf path 831e983 netlink: Allow NULL to be passed as addr parameter to nl_addr_get (again) 251e676 netlink: Return prefix length for IPv6 addresses in nl_addr_get() 045560c iov: Add iov_truncate() helper and use it in vu handlers 994bb76 tcp: Avoid comparison of expressions with different signedness in RTT_SET() ab77097 tcp: Avoid comparison of expressions with different signedness in tcp_timer_handler() 5766fe8 migrate: Rename v1 address functions to v2 for clarity 71a0d6c vu_common: Always set num_buffers in virtio-net header 685864d clang-tidy: Don't insist on #ifdef over #if defined() 9ee7805 fwd, pif: Replace with pif_sock_l4() with pif_listen() 7d0fe08 tcp: Use flow_foreach_of_type() in tcp_{keepalive,inactivity} adbf5c1 Add missing includes to headers d2f7c21 tcp: Send TCP keepalive segments after a period of tap-side inactivity a681e44 tcp: Extend tcp_send_flag() to send TCP keepalive segments 1820103 tcp: Re-introduce inactivity timeouts based on a clock algorithm e48ce41 tcp: Remove non-working activity timeout mechanism eb3babf tcp_vu, udp_vu: Fix comment headers for header length functions 66e5941 Fix build when HAS_GETRANDOM is undefined 8636c73 tcp_vu, udp_vu: Account for virtio net header in minimum frame size de5b694 tcp_vu: vu_pad() expects l2 length c320191 conf: Support CIDR notation for -a/--address option 02af38d virtio: Introduce VNET_HLEN macro for virtio net header length 812cdb8 tcp: Move tap header update out of tcp_fill_headers() bebafa7 udp: Split activity timeouts for UDP flows 036fb87 checksum: add VSX fast path for POWER8/POWER9 af7b81b migrate: Use forward table information to close() listening sockets 768baf4 tcp, tcp_splice: Check for failures of shutdown(2) 3581ded tcp: Eliminate FIN_TIMEOUT e992b14 tcp: Retransmit FINs like data segments e3f70c0 tcp_splice: Force TCP RST on abnormal close conditions cce94e9 tcp: Properly propagate tap-side RST to socket side 07390d1 doc: Add test program verifying socket RST behaviour 69ce8ee tcp: Add error checking for flow_epoll_set() in tcp_flow_migrate_target() https://passt.top/passt/log/?qt=range&q=2026_01_20.386b5f5..2026_05_07.1afd… Packages: - Alpine Linux: https://pkgs.alpinelinux.org/packages?name=passt - Arch Linux: https://www.archlinux.org/packages/extra/x86_64/passt/ https://archlinuxarm.org/packages/aarch64/passt https://archlinuxarm.org/packages/armv7h/passt - Chimera: https://pkgs.chimera-linux.org/packages?name=passt - Clear Linux: https://github.com/clearlinux-pkgs/passt/ - Copr (CentOS Stream, EPEL, Fedora, Mageia): https://copr.fedorainfracloud.org/coprs/sbrivio/passt/build/10433312/ permanent mirror: https://passt.top/builds/copr/0^20260507.g1afd4ed/ - Debian tracker: https://tracker.debian.org/pkg/passt - Fedora updates: https://bodhi.fedoraproject.org/updates/?packages=passt - Gentoo versions: https://packages.gentoo.org/packages/net-misc/passt - GNU Guix: https://packages.guix.gnu.org/packages/passt/ - Homebrew: https://formulae.brew.sh/formula/passt - NixOS: https://github.com/NixOS/nixpkgs/tree/nixos-unstable/pkgs/by-name/pa/passt - openSUSE: https://software.opensuse.org/package/passt - OpenMandriva: https://github.com/OpenMandrivaAssociation/passt/tree/master - PLD Linux: https://git.pld-linux.org/cgi-bin/gitweb.cgi?p=packages/passt.git - Solus: https://github.com/getsolus/packages/tree/main/packages/p/passt - Ubuntu tracker: https://launchpad.net/ubuntu/+source/passt - Void Linux: https://voidlinux.org/packages/?q=passt - Static builds: - Package for other RPM-based distributions, x86_64 only: https://passt.top/builds/latest/x86_64/passt-g1afd4ed-1.x86_64.rpm - x86_64 static binaries: https://passt.top/builds/latest/x86_64/ - Debian package, from x86_64 static build: https://passt.top/builds/latest/x86_64/passt_1afd4ed-1_all.deb -- Stefano

1 0

Feature request: option to prevent guest from reaching host external addresses
by baleti 04 May '26

04 May '26

Hi, I'd like to propose a new option for passt, working title --no-map-host, as a complement to the existing --no-map-gw. The gap --no-map-gw prevents the guest from reaching host loopback services via the gateway address mapping, which is useful. However, there is currently no mechanism to prevent the guest from reaching services bound to the host's real external address (e.g. 0.0.0.0:22). Because passt proxies outbound guest connections as the host user, a connection from the guest to the host's own external IP is transparently forwarded — passt opens the socket on the host side and the connection succeeds. From the perspective of the service being connected to (e.g. sshd), it appears as a local connection. A concrete example with a typical setup: passt -t 2222 --no-map-gw --vhost-user --socket /tmp/passt-vm ss -tulpn shows: tcp LISTEN 0.0.0.0:22 sshd From inside the guest, a compromised or untrusted workload can reach sshd directly: ssh user(a)192.168.1.x # host's external IP, connection succeeds This also enables VM-to-VM lateral movement when multiple guests share the same host: each guest can reach the others' forwarded ports via the host's external IP. The operator has no indication this is happening. Services bound to 0.0.0.0 are generally considered "LAN-exposed" rather than "VM-guest-exposed", and this assumption is silently violated. Proposed option --no-map-host, which would cause passt to drop or reject TCP/UDP connections from the guest whose destination matches any of the host's own configured addresses (the same addresses passt already knows about for DHCP/NDP assignment purposes). An alternative spelling --map-host-addr none modelled on --map-host-loopback none would also be consistent with the existing option naming. This would stay entirely within passt's existing socket-layer design and require no new privileges. Why this matters for rootless setups The primary audience for passt is rootless VM deployments where TAP+bridge (the traditional isolation mechanism) is not available without privilege. In these setups, passt is the only network layer, so operators rely on it to provide whatever isolation is possible. --no-map-gw is a good step in that direction; --no-map-host would close the remaining obvious gap. Happy to discuss or test patches. Thanks for the project — it's been very useful. Best, baleti

2 1