Thanks for explaining David, that makes sense. I've added --no-map-gw to my setup and ended up forwarding diod using vsock and socat. Sorry, are you saying that the guest still has access to services listening on the host? Is there a way to block it and any other private IPs? I was trying to isolate the virtual machine as much as possible except for selected services.

On 10/25/25 9:14 AM, David Gibson wrote:
> On Sat, Oct 25, 2025 at 01:02:36AM +0100, baleti wrote:
> > does anyone know if passt can port forward from guest to host? I'm trying to make a diod server available on the guest?
>
> I'm assuming you're using passt (guest is a VM) not pasta (guest is a container).
>
> > on host I run a service listening on 9564:
> >
> > ~ $ diod --foreground --listen 0.0.0.0:9564 --export /home/user/autocad-ballet --no-auth
> >
> > is there a way for passt to make it available on the guest?
>
> Yes, but you don't need an explicit forward for this - passt's default behaviour is to let the guest access things outside, including the host. The complication is that, by default, the guest gets the same address as the host, so the guest can't access the host using its normal address.
>
> However, also by default, we remap the default gateway address to the host. That is, if on the guest you connect to the address of the default gateway, port 9564, that will actually connect to diod on the host.
>
> The details of this can be adjusted with the --map-host-loopback, --map-guest-addr and --no-map-gw options.