diff options
Diffstat (limited to 'passt.1')
| -rw-r--r-- | passt.1 | 232 |
1 files changed, 166 insertions, 66 deletions
@@ -73,6 +73,9 @@ for performance reasons. .SH OPTIONS +Unless otherwise noted below, \fBif conflicting or multiple options are given, +the last one takes effect.\fR + .TP .BR \-d ", " \-\-debug Be verbose, don't log to the system logger. @@ -92,14 +95,18 @@ detached PID namespace after starting, because the PID itself cannot change. Default is to fork into background. .TP -.BR \-e ", " \-\-stderr -Log to standard error too. -Default is to log to the system logger only, if started from an interactive -terminal, and to both system logger and standard error otherwise. +.BR \-e ", " \-\-stderr " " (DEPRECATED) +This option has no effect, and is maintained for compatibility purposes only. + +Note that this configuration option is \fBdeprecated\fR and will be removed in a +future version. .TP .BR \-l ", " \-\-log-file " " \fIPATH\fR -Log to file \fIPATH\fR, not to standard error, and not to the system logger. +Log to file \fIPATH\fR, and not to the system logger. + +Specifying this option multiple times does \fInot\fR lead to multiple log files: +the last given option takes effect. .TP .BR \-\-log-size " " \fISIZE\fR @@ -128,6 +135,9 @@ Show version and exit. Capture tap-facing (that is, guest-side or namespace-side) network packets to \fIfile\fR in \fBpcap\fR format. +Specifying this option multiple times does \fInot\fR lead to multiple capture +files: the last given option takes effect. + .TP .BR \-P ", " \-\-pid " " \fIfile Write own PID to \fIfile\fR once initialisation is done, before forking to @@ -148,7 +158,9 @@ for an IPv6 \fIaddr\fR. This option can be specified zero (for defaults) to two times (once for IPv4, once for IPv6). By default, assigned IPv4 and IPv6 addresses are taken from the host interfaces -with the first default route for the corresponding IP version. +with the first default route, if any, for the corresponding IP version. If no +default routes are available and there is any interface with any route for a +given IP version, the first of these interfaces will be chosen instead. .TP .BR \-n ", " \-\-netmask " " \fImask @@ -172,9 +184,11 @@ Assign IPv4 \fIaddr\fR as default gateway via DHCP (option 3), or IPv6 This option can be specified zero (for defaults) to two times (once for IPv4, once for IPv6). By default, IPv4 and IPv6 gateways are taken from the host interface with the -first default route for the corresponding IP version. If the default route is a -multipath one, the gateway is the first nexthop router returned by the kernel -which has the highest weight in the set of paths. +first default route, if any, for the corresponding IP version. If the default +route is a multipath one, the gateway is the first nexthop router returned by +the kernel which has the highest weight in the set of paths. If no default +routes are available and there is just one interface with any route, that +interface will be chosen instead. Note: these addresses are also used as source address for packets directed to the guest or to the target namespace having a loopback or local source address, @@ -185,9 +199,11 @@ to allow mapping of local traffic to guest and target namespace. See the .BR \-i ", " \-\-interface " " \fIname Use host interface \fIname\fR to derive addresses and routes. Default is to use the interfaces specified by \fB--outbound-if4\fR and -\fB--outbound-if6\fR, for IPv4 and IPv6 addresses and routes, respectively. If -no interfaces are given, the interface with the first default routes for each IP -version is selected. +\fB--outbound-if6\fR, for IPv4 and IPv6 addresses and routes, respectively. + +If no interfaces are given, the interface with the first default routes for each +IP version is selected. If no default routes are available and there is just one +interface with any route, that interface will be chosen instead. .TP .BR \-o ", " \-\-outbound " " \fIaddr @@ -203,30 +219,49 @@ By default, the source address is selected by the routing tables. Bind IPv4 outbound sockets to host interface \fIname\fR, and, unless another interface is specified via \fB-i\fR, \fB--interface\fR, use this interface to derive IPv4 addresses and routes. -By default, the interface given by the default route is selected. + +By default, the interface given by the default route is selected. If no default +routes are available and there is just one interface with any route, that +interface will be chosen instead. .TP .BR \-\-outbound-if6 " " \fIname Bind IPv6 outbound sockets to host interface \fIname\fR, and, unless another interface is specified via \fB-i\fR, \fB--interface\fR, use this interface to derive IPv6 addresses and routes. -By default, the interface given by the default route is selected. + +By default, the interface given by the default route is selected. If no default +routes are available and there is just one interface with any route, that +interface will be chosen instead. .TP .BR \-D ", " \-\-dns " " \fIaddr -Use \fIaddr\fR (IPv4 or IPv6) for DHCP, DHCPv6, NDP or DNS forwarding, as -configured (see options \fB--no-dhcp-dns\fR, \fB--dhcp-dns\fR, -\fB--dns-forward\fR) instead of reading addresses from \fI/etc/resolv.conf\fR. -This option can be specified multiple times. Specifying \fB-D none\fR disables -usage of DNS addresses altogether. +Instruct the guest (via DHCP, DHVPv6 or NDP) to use \fIaddr\fR (IPv4 +or IPv6) as a nameserver, as configured (see options +\fB--no-dhcp-dns\fR, \fB--dhcp-dns\fR) instead of reading addresses +from \fI/etc/resolv.conf\fR. This option can be specified multiple +times. Specifying \fB-D none\fR disables usage of DNS addresses +altogether. Unlike addresses from \fI/etc/resolv.conf\fR, \fIaddr\fR +is given to the guest without remapping. For example \fB--dns +127.0.0.1\fR will instruct the guest to use itself as nameserver, not +the host. .TP .BR \-\-dns-forward " " \fIaddr -Map \fIaddr\fR (IPv4 or IPv6) as seen from guest or namespace to the first -configured DNS resolver (with corresponding IP version). Mapping is limited to -UDP traffic directed to port 53, and DNS answers are translated back with a -reverse mapping. -This option can be specified zero to two times (once for IPv4, once for IPv6). +Map \fIaddr\fR (IPv4 or IPv6) as seen from guest or namespace to the +nameserver (with corresponding IP version) specified by the +\fB\-\-dns-host\fR option. Maps only UDP and TCP traffic to port 53 or +port 853. Replies are translated back with a reverse mapping. This +option can be specified zero to two times (once for IPv4, once for +IPv6). + +.TP +.BR \-\-dns-host " " \fIaddr +Configure the host nameserver which guest or namespace queries to the +\fB\-\-dns-forward\fR address will be redirected to. This option can +be specified zero to two times (once for IPv4, once for IPv6). +By default, the first nameserver from the host's +\fI/etc/resolv.conf\fR. .TP .BR \-S ", " \-\-search " " \fIlist @@ -237,28 +272,28 @@ list altogether (if you need to search a domain called "none" you can use \fB--search none.\fR). .TP -.BR \-\-no-dhcp-dns " " \fIaddr +.BR \-\-no-dhcp-dns In \fIpasst\fR mode, do not assign IPv4 addresses via DHCP (option 23) or IPv6 addresses via NDP Router Advertisement (option type 25) and DHCPv6 (option 23) as DNS resolvers. By default, all the configured addresses are passed. .TP -.BR \-\-dhcp-dns " " \fIaddr +.BR \-\-dhcp-dns In \fIpasta\fR mode, assign IPv4 addresses via DHCP (option 23) or IPv6 addresses via NDP Router Advertisement (option type 25) and DHCPv6 (option 23) as DNS resolvers. By default, configured addresses, if any, are not passed. .TP -.BR \-\-no-dhcp-search " " \fIaddr +.BR \-\-no-dhcp-search In \fIpasst\fR mode, do not send the DNS domain search list addresses via DHCP (option 119), via NDP Router Advertisement (option type 31) and DHCPv6 (option 24). By default, the DNS domain search list resulting from configuration is passed. .TP -.BR \-\-dhcp-search " " \fIaddr +.BR \-\-dhcp-search In \fIpasta\fR mode, send the DNS domain search list addresses via DHCP (option 119), via NDP Router Advertisement (option type 31) and DHCPv6 (option 24). By default, the DNS domain search list resulting from configuration is not @@ -302,33 +337,81 @@ Disable Router Advertisements. Router Solicitations coming from guest or target namespace will be ignored. .TP +.BR \-\-freebind +Allow any binding address to be specified for \fB-t\fR and \fB-u\fR +options. Usually binding addresses must be addresses currently +configured on the host. With \fB\-\-freebind\fR, the +\fBIP_FREEBIND\fR or \fBIPV6_FREEBIND\fR socket option is enabled +allowing any address to be used. This is typically used to bind +addresses which might be configured on the host in future, at which +point the forwarding will immediately start operating. + +.TP +.BR \-\-map-host-loopback " " \fIaddr +Translate \fIaddr\fR to refer to the host. Packets from the guest to +\fIaddr\fR will be redirected to the host. On the host such packets +will appear to have both source and destination of 127.0.0.1 or ::1. + +If \fIaddr\fR is 'none', no address is mapped (this implies +\fB--no-map-gw\fR). Only one IPv4 and one IPv6 address can be +translated, if the option is specified multiple times, the last one +takes effect. + +Default is to translate the guest's default gateway address, unless +\fB--no-map-gw\fR is given, in which case no address is mapped. + +.TP .BR \-\-no-map-gw Don't remap TCP connections and untracked UDP traffic, with the gateway address as destination, to the host. Implied if there is no gateway on the selected -default route for any of the enabled address families. +default route, or if there is no default route, for any of the enabled address +families. + +.TP +.BR \-\-map-guest-addr " " \fIaddr +Translate \fIaddr\fR in the guest to be equal to the guest's assigned +address on the host. That is, packets from the guest to \fIaddr\fR +will be redirected to the address assigned to the guest with \fB-a\fR, +or by default the host's global address. This allows the guest to +access services availble on the host's global address, even though its +own address shadows that of the host. + +If \fIaddr\fR is 'none', no address is mapped. Only one IPv4 and one +IPv6 address can be translated, and if the option is specified +multiple times, the last one for each address type takes effect. + +Default is no mapping. .TP .BR \-4 ", " \-\-ipv4-only Enable IPv4-only operation. IPv6 traffic will be ignored. -By default, IPv6 operation is enabled as long as at least an IPv6 default route -and an interface address are configured on a given host interface. +By default, IPv6 operation is enabled as long as at least an IPv6 route and an +interface address are configured on a given host interface. .TP .BR \-6 ", " \-\-ipv6-only Enable IPv6-only operation. IPv4 traffic will be ignored. -By default, IPv4 operation is enabled as long as at least an IPv4 default route -and an interface address are configured on a given host interface. +By default, IPv4 operation is enabled as long as at least an IPv4 route and an +interface address are configured on a given host interface. .SS \fBpasst\fR-only options .TP -.BR \-s ", " \-\-socket " " \fIpath +.BR \-s ", " \-\-socket-path ", " \-\-socket " " \fIpath Path for UNIX domain socket used by \fBqemu\fR(1) or \fBqrap\fR(1) to connect to \fBpasst\fR. Default is to probe a free socket, not accepting connections, starting from \fI/tmp/passt_1.socket\fR to \fI/tmp/passt_64.socket\fR. .TP +.BR \-\-vhost-user +Enable vhost-user. The vhost-user command socket is provided by \fB--socket\fR. + +.TP +.BR \-\-print-capabilities +Print back-end capabilities in JSON format, only meaningful for vhost-user mode. + +.TP .BR \-F ", " \-\-fd " " \fIFD Pass a pre-opened, connected socket to \fBpasst\fR. Usually the socket is opened in the parent process and \fBpasst\fR inherits it when run as a child. This @@ -531,6 +614,13 @@ Configure UDP port forwarding from target namespace to init namespace. Default is \fBauto\fR. .TP +.BR \-\-host-lo-to-ns-lo " " (DEPRECATED) +If specified, connections forwarded with \fB\-t\fR and \fB\-u\fR from +the host's loopback address will appear on the loopback address in the +guest as well. Without this option such forwarded packets will appear +to come from the guest's public address. + +.TP .BR \-\-userns " " \fIspec Target user namespace to join, as a path. If PID is given, without this option, the user namespace will be the one of the corresponding process. @@ -566,7 +656,7 @@ or sourced from the host, and bring up the tap interface. .BR \-\-no-copy-routes " " (DEPRECATED) With \-\-config-net, do not copy all the routes associated to the interface we derive addresses and routes from: set up only the default gateway. Implied by --g, \-\-gateway. +-g, \-\-gateway, for the corresponding IP version only. Default is to copy all the routing entries from the interface in the outer namespace to the target namespace, translating the output interface attribute to @@ -581,7 +671,7 @@ below. .BR \-\-no-copy-addrs " " (DEPRECATED) With \-\-config-net, do not copy all the addresses associated to the interface we derive addresses and routes from: set up a single one. Implied by \-a, -\-\-address. +\-\-address, for the corresponding IP version only. Default is to copy all the addresses, except for link-local ones, from the interface from the outer namespace to the target namespace. @@ -807,38 +897,41 @@ root@localhost's password: .SH NOTES -.SS Handling of traffic with local destination and source addresses - -Both \fBpasst\fR and \fBpasta\fR can bind on ports with a local address, -depending on the configuration. Local destination or source addresses need to be -changed before packets are delivered to the guest or target namespace: most -operating systems would drop packets received from non-loopback interfaces with -local addresses, and it would also be impossible for guest or target namespace -to route answers back. - -For convenience, and somewhat arbitrarily, the source address on these packets -is translated to the address of the default IPv4 or IPv6 gateway -- this is -known to be an existing, valid address on the same subnet. - -Loopback destination addresses are instead translated to the observed external -address of the guest or target namespace. For IPv6 packets, if usage of a -link-local address by guest or namespace has ever been observed, and the -original destination address is also a link-local address, the observed -link-local address is used. Otherwise, the observed global address is used. For -both IPv4 and IPv6, if no addresses have been seen yet, the configured addresses -will be used instead. +.SS Handling of traffic with loopback destination and source addresses + +Both \fBpasst\fR and \fBpasta\fR can bind on ports with a loopback +address (127.0.0.0/8 or ::1), depending on the configuration. Loopback +destination or source addresses need to be changed before packets are +delivered to the guest or target namespace: most operating systems +would drop packets received with loopback addresses on non-loopback +interfaces, and it would also be impossible for guest or target +namespace to route answers back. + +For convenience, the source address on these packets is translated to +the address specified by the \fB\-\-map-host-loopback\fR option (with +some exceptions in pasta mode, see next section below). If not +specified this defaults, somewhat arbitrarily, to the address of +default IPv4 or IPv6 gateway (if any) -- this is known to be an +existing, valid address on the same subnet. If \fB\-\-no-map-gw\fR or +\fB\-\-map-host-loopback none\fR are specified this translation is +disabled and packets with loopback addresses are simply dropped. + +Loopback destination addresses are translated to the observed external +address of the guest or target namespace. For IPv6, the observed +link-local address is used if the translated source address is +link-local, otherwise the observed global address is used. For both +IPv4 and IPv6, if no addresses have been seen yet, the configured +addresses will be used instead. For example, if \fBpasst\fR or \fBpasta\fR receive a connection from 127.0.0.1, with destination 127.0.0.10, and the default IPv4 gateway is 192.0.2.1, while the last observed source address from guest or namespace is 192.0.2.2, this will be translated to a connection from 192.0.2.1 to 192.0.2.2. -Similarly, for traffic coming from guest or namespace, packets with destination -address corresponding to the default gateway will have their destination address -translated to a loopback address, if and only if a packet, in the opposite -direction, with a loopback destination or source address, port-wise matching for -UDP, or connection-wise for TCP, has been recently forwarded to guest or -namespace. This behaviour can be disabled with \-\-no\-map\-gw. +Similarly, for traffic coming from guest or namespace, packets with +destination address corresponding to the \fB\-\-map-host-loopback\fR +address will have their destination address translated to a loopback +address. .SS Handling of local traffic in pasta @@ -854,8 +947,15 @@ and the new socket using the \fBsplice\fR(2) system call, and for UDP, a pair of \fBrecvmmsg\fR(2) and \fBsendmmsg\fR(2) system calls deals with packet transfers. -This bypass only applies to local connections and traffic, because it's not -possible to bind sockets to foreign addresses. +Because it's not possible to bind sockets to foreign addresses, this +bypass only applies to local connections and traffic. It also means +that the address translation differs slightly from passt mode. +Connections from loopback to loopback on the host will appear to come +from the target namespace's public address within the guest, unless +\fB\-\-host-lo-to-ns-lo\fR is specified, in which case they will +appear to come from loopback in the namespace as well. The latter +behaviour used to be the default, but is usually undesirable, since it +can unintentionally expose namespace local services to the host. .SS Binding to low numbered ports (well-known or system ports, up to 1023) @@ -964,8 +1064,8 @@ https://passt.top/passt/lists. Copyright (c) 2020-2022 Red Hat GmbH. \fBpasst\fR and \fBpasta\fR are free software: you can redistribute them and/or -modify them under the terms of the GNU Affero General Public License as -published by the Free Software Foundation, either version 3 of the License, or +modify them under the terms of the GNU General Public License as +published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version. .SH SEE ALSO |