passt.1: Clarify and update "Handling of local addresses" section

This section didn't mention the effect of the --map-host-loopback option
which now alters this behaviour.  Update it accordingly.

It used "local addresses" to mean specifically 127.0.0.0/8 and ::1.
However, "local" could also refer to link-local addresses or to addresses
of any scope which happen to be configured on the host.  Use "loopback
address" to be more precise about this.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
David Gibson 2024-10-18 12:35:54 +11:00 committed by Stefano Brivio
parent ef8a5161d0
commit 1fa421192c

passt.1

@ -882,38 +882,40 @@ root@localhost's password:
.SH NOTES .SH NOTES
.SS Handling of traffic with local destination and source addresses .SS Handling of traffic with loopback destination and source addresses
Both \fBpasst\fR and \fBpasta\fR can bind on ports with a local address, Both \fBpasst\fR and \fBpasta\fR can bind on ports with a loopback
depending on the configuration. Local destination or source addresses need to be address (127.0.0.0/8 or ::1), depending on the configuration. Loopback
changed before packets are delivered to the guest or target namespace: most destination or source addresses need to be changed before packets are
operating systems would drop packets received from non-loopback interfaces with delivered to the guest or target namespace: most operating systems
local addresses, and it would also be impossible for guest or target namespace would drop packets received with loopback addresses on non-loopback
to route answers back. interfaces, and it would also be impossible for guest or target
namespace to route answers back.
For convenience, and somewhat arbitrarily, the source address on these packets For convenience, the source address on these packets is translated to
is translated to the address of the default IPv4 or IPv6 gateway (if any) -- the address specified by the \fB\-\-map-host-loopback\fR option. If
this is known to be an existing, valid address on the same subnet. not specified this defaults, somewhat arbitrarily, to the address of
default IPv4 or IPv6 gateway (if any) -- this is known to be an
existing, valid address on the same subnet. If \fB\-\-no-map-gw\fR or
\fB\-\-map-host-loopback none\fR are specified this translation is
disabled and packets with loopback addresses are simply dropped.
Loopback destination addresses are instead translated to the observed external Loopback destination addresses are translated to the observed external
address of the guest or target namespace. For IPv6 packets, if usage of a address of the guest or target namespace. For IPv6, the observed
link-local address by guest or namespace has ever been observed, and the link-local address is used if the translated source address is
original destination address is also a link-local address, the observed link-local, otherwise the observed global address is used. For both
link-local address is used. Otherwise, the observed global address is used. For IPv4 and IPv6, if no addresses have been seen yet, the configured
both IPv4 and IPv6, if no addresses have been seen yet, the configured addresses addresses will be used instead.
will be used instead.
For example, if \fBpasst\fR or \fBpasta\fR receive a connection from 127.0.0.1, For example, if \fBpasst\fR or \fBpasta\fR receive a connection from 127.0.0.1,
with destination 127.0.0.10, and the default IPv4 gateway is 192.0.2.1, while with destination 127.0.0.10, and the default IPv4 gateway is 192.0.2.1, while
the last observed source address from guest or namespace is 192.0.2.2, this will the last observed source address from guest or namespace is 192.0.2.2, this will
be translated to a connection from 192.0.2.1 to 192.0.2.2. be translated to a connection from 192.0.2.1 to 192.0.2.2.
Similarly, for traffic coming from guest or namespace, packets with destination Similarly, for traffic coming from guest or namespace, packets with
address corresponding to the default gateway will have their destination address destination address corresponding to the \fB\-\-map-host-loopback\fR
translated to a loopback address, if and only if a packet, in the opposite address will have their destination address translated to a loopback
direction, with a loopback destination or source address, port-wise matching for address.
UDP, or connection-wise for TCP, has been recently forwarded to guest or
namespace. This behaviour can be disabled with \-\-no\-map\-gw.
.SS Handling of local traffic in pasta .SS Handling of local traffic in pasta
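Review bot: The rewritten last paragraph of this hunk (traffic coming from guest or namespace) no longer says how to turn the behaviour off. The old text ended with "This behaviour can be disabled with \-\-no\-map\-gw", and it also limited the translation to cases where a matching loopback packet had "been recently forwarded to guest or namespace". The new text drops both. If the "if and only if" condition really is gone, the paragraph should state that any guest packet addressed to the \-\-map-host-loopback address is redirected to the host's loopback, and repeat that \-\-no-map-gw or \-\-map-host-loopback none disables it, as the second paragraph already does for the inbound direction. This is the direction in which the guest reaches services bound to the host's loopback address, so readers will look for the off switch here. Smaller points: "to the address of default IPv4 or IPv6 gateway" is missing "the"; the unchanged 192.0.2.1 example now only holds when \-\-map-host-loopback is left unset, which is worth saying; and the IPv6 rule now keys on the translated source address being link-local where it used to key on the original destination address, so the commit message should mention that change if it is intentional.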