Hi All,

This ended up being an issue with the firewall configuration on the Windows
guest machine. I needed to apply the rule for inbound traffic to the Domain
and Public profiles under the Advanced section of the OpenSSH Server
Properties. The inbound rule defaults to only being applied to the Private
profile (e.g., a Private network). In my case, the Public profile was still
blocking inbound ssh traffic.

After setting up a bridged connection on the guest machine, I encountered a
connection timeout on an ssh access attempt from the host instead of the
almost instantaneous connection reset encountered via the passt port
forward. This triggered me to look deeper into the firewall config on the
guest.

Thank you all for your help and your work on passt! The port forwarding
works, and I can access the guest machine via:

    ssh -p 8022 127.0.0.1

Best,
James

On Mon, Nov 10, 2025 at 12:16 AM David Gibson wrote:
On Thu, Nov 06, 2025 at 01:37:36PM +0100, Stefano Brivio wrote:
On Thu, 6 Nov 2025 12:08:07 +1100 David Gibson wrote:
That information might supply some clues, but it's pretty likely we'll need debugging or packet capture output from passt to work this out. Unfortunately, that's a bit trickier than it should be because libvirt doesn't (yet) have the ability to pass the necessary options to passt.
By the way, this feature request for libvirt is currently tracked at (public RHEL ticket, but applies to libvirt in general):
https://issues.redhat.com/browse/RHEL-52281
Meanwhile, one thing you can do is to add a wrapper at /usr/local/bin/passt (don't forget to chmod 755 it) with these lines:
---
#!/bin/sh
# Wrapper so that libvirt starts passt with debug logging and a packet capture
/usr/bin/passt --debug --log-file /tmp/passt.log --pcap /tmp/passt.pcap "$@"
---
that's the way I currently debug stuff with libvirt, at least.
Note that passt can take guest-side packet captures (you would find it at /tmp/passt.pcap, which you can open with Wireshark / tshark later), which is usually convenient for cases like these.
Right. I think this is the way forward, awkward though it is.
I was considering an alternative approach: to kill the passt instance started by libvirt and manually restart it with the options we want. That requires a pretty recent qemu to reliably reconnect to the new passt, though, and generally has more places something could go wrong. The wrapper script is the way to go, thanks for the instructions Stefano.
-- 
David Gibson (he or they)      | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you, not the other way
                               | around.
http://www.ozlabs.org/~dgibson
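
The firewall check from the first message in this thread, as an added PowerShell example that is not part of the original e-mails: it compares the profiles the OpenSSH inbound rule applies to with the network category of each connected interface on the Windows guest. It assumes the rule still has the default name `OpenSSH-Server-In-TCP` created by the Windows OpenSSH Server feature and that it runs in an elevated session; `$Apply` is a hypothetical switch introduced here.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session
# on the Windows guest.
$ruleName = 'OpenSSH-Server-In-TCP'   # assumption: default rule name, adjust if renamed
$Apply    = $false                    # hypothetical switch: set to $true to change the rule

$rule = Get-NetFirewallRule -Name $ruleName -ErrorAction Stop

# Rule.Profile is a flags value such as 'Private' or 'Domain, Public', or 'Any'.
$ruleProfiles = $rule.Profile.ToString() -split ',\s*'

# Each connected interface has a category: Public, Private or DomainAuthenticated.
$uncovered = foreach ($net in Get-NetConnectionProfile) {
    $needed = if ($net.NetworkCategory -eq 'DomainAuthenticated') { 'Domain' }
              else { $net.NetworkCategory.ToString() }
    if ($ruleProfiles -notcontains 'Any' -and $ruleProfiles -notcontains $needed) {
        [pscustomobject]@{
            Interface    = $net.InterfaceAlias
            Category     = $needed
            RuleProfiles = $rule.Profile
        }
    }
}

if ($rule.Enabled -ne 'True') {
    Write-Warning "Rule '$ruleName' is disabled."
}

if ($uncovered) {
    # Inbound SSH on these interfaces is not matched by the allow rule.
    $uncovered | Format-Table -AutoSize
    if ($Apply) {
        # Same change as made in the rule's Advanced tab in the message above.
        # Note that this also admits SSH on networks the guest treats as Public.
        Set-NetFirewallRule -Name $ruleName -Profile Domain, Private, Public
    }
} else {
    Write-Output "Rule '$ruleName' covers every active network category."
}

# Show the resulting rule state.
Get-NetFirewallRule -Name $ruleName |
    Select-Object Name, Enabled, Profile, Direction, Action
```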