On Mon, Dec 29, 2025 at 05:55:58PM +0800, Yumei Huang wrote:

This patch introduces a mode where we only forward loopback connections and traffic between two namespaces (via the loopback interface, 'lo'), without a tap device.

With this, podman can support forwarding ::1 in custom networks when using rootlesskit for forwarding ports.

In --no-tap mode, --host-lo-to-ns-lo, --no-icmp and --no-ra is automatically enabled. Options requiring a tap device (--ns-ifname, --ns-mac-addr, --config-net, --outbound-if4/6) are rejected.

Link: https://bugs.passt.top/show_bug.cgi?id=149 Signed-off-by: Yumei Huang

Nice work. There are some things that need polish, but overall this looks pretty good to me. Like Stefano, I'm pleasantly surprised at how simple it turned out to be.

--- conf.c | 56 +++++++++++++++++++++++++++++++++++++++++--------------- fwd.c | 3 +++ passt.1 | 5 +++++ passt.h | 2 ++ pasta.c | 3 +++ tap.c | 11 +++++++---- 6 files changed, 61 insertions(+), 19 deletions(-)

diff --git a/conf.c b/conf.c index 84ae12b..353d0a5 100644 --- a/conf.c +++ b/conf.c @@ -1049,7 +1049,8 @@ pasta_opts: " --no-copy-addrs DEPRECATED:\n" " Don't copy all addresses to namespace\n" " --ns-mac-addr ADDR Set MAC address on tap interface\n" - " --no-splice Disable inbound socket splicing\n"); + " --no-splice Disable inbound socket splicing\n" + " --no-tap Don't create tap device\n");

I feel like this description can be improved, but I'm not exactly sure how, yet.

passt_exit(status); } @@ -1451,6 +1452,7 @@ void conf(struct ctx *c, int argc, char **argv) {"no-ndp", no_argument, &c->no_ndp, 1 }, {"no-ra", no_argument, &c->no_ra, 1 }, {"no-splice", no_argument, &c->no_splice, 1 }, + {"no-tap", no_argument, &c->no_tap, 1 }, {"freebind", no_argument, &c->freebind, 1 }, {"no-map-gw", no_argument, &no_map_gw, 1 }, {"ipv4-only", no_argument, NULL, '4' }, @@ -1947,8 +1949,11 @@ void conf(struct ctx *c, int argc, char **argv) } } while (name != -1);

- if (c->mode != MODE_PASTA) + if (c->mode != MODE_PASTA) { c->no_splice = 1; + if (c->no_tap) + die("--no-tap is for pasta mode only"); + }

if (c->mode == MODE_PASTA && !c->pasta_conf_ns) { if (copy_routes_opt) @@ -1957,6 +1962,25 @@ void conf(struct ctx *c, int argc, char **argv) die("--no-copy-addrs needs --config-net"); }

+ if (c->mode == MODE_PASTA && c->no_tap) { + if (c->no_splice) + die("--no-tap is incompatible with --no-splice"); + if (*c->ip4.ifname_out || *c->ip6.ifname_out) + die("--no-tap is incompatible with --outbound-if4/6"); + if (*c->pasta_ifn) + die("--no-tap is incompatible with --ns-ifname"); + if (*c->guest_mac) + die("--no-tap is incompatible with --ns-mac-addr");

These all make sense. It might also make sense to exclude the -i option - setting a template interface also makes no sense in --no-tap mode.

+ if (c->pasta_conf_ns) + die("--no-tap is incompatible with --config-net");

I don't think this is right. We still can and should bring up 'lo' in the --no-tap case.

+ c->host_lo_to_ns_lo = 1; + c->no_icmp = 1; + c->no_ra = 1; + c->no_dns = 1; + c->no_dns_search = 1;

The reasoning for the last two items is a bit unclear to me. IIUC, no_dns and no_dns_search aren't so much about "support" for DNS itself but for advertising DNS settings via DHCP. Since DHCP will be unsupported, so are these as a consequence. Is that right?

+ } + if (!ifi4 && *c->ip4.ifname_out) ifi4 = if_nametoindex(c->ip4.ifname_out);

@@ -1980,9 +2004,9 @@ void conf(struct ctx *c, int argc, char **argv) log_conf_parsed = true; /* Stop printing everything */

nl_sock_init(c, false); - if (!v6_only) + if (!v6_only && !c->no_tap) c->ifi4 = conf_ip4(ifi4, &c->ip4); - if (!v4_only) + if (!v4_only && !c->no_tap) c->ifi6 = conf_ip6(ifi6, &c->ip6);

if (c->ifi4 && c->mtu < IPV4_MIN_MTU) { @@ -1998,30 +2022,32 @@ void conf(struct ctx *c, int argc, char **argv) (*c->ip6.ifname_out && !c->ifi6)) die("External interface not usable");

- if (!c->ifi4 && !c->ifi6 && !*c->pasta_ifn) { + if (!c->ifi4 && !c->ifi6 && !*c->pasta_ifn && !c->no_tap) { strncpy(c->pasta_ifn, pasta_default_ifn, sizeof(c->pasta_ifn) - 1); }

if (!c->ifi4 && !v6_only) { - info("IPv4: no external interface as template, use local mode"); - - conf_ip4_local(&c->ip4); + if (!c->no_tap) { + info("IPv4: no external interface as template, use local mode"); + conf_ip4_local(&c->ip4); + } c->ifi4 = -1; }

if (!c->ifi6 && !v4_only) { - info("IPv6: no external interface as template, use local mode"); - - conf_ip6_local(&c->ip6); + if (!c->no_tap) { + info("IPv6: no external interface as template, use local mode"); + conf_ip6_local(&c->ip6); + } c->ifi6 = -1; }

- if (c->ifi4 && !no_map_gw && + if (c->ifi4 > 0 && !no_map_gw &&

This isn't quite right. ifi4 == -1 now occurs in two cases: local mode, and --no-tap mode. Not setting map_host_loopback makes sense for --no-tap mode, but it's still needed for local mode.

IN4_IS_ADDR_UNSPECIFIED(&c->ip4.map_host_loopback)) c->ip4.map_host_loopback = c->ip4.guest_gw;

- if (c->ifi6 && !no_map_gw && + if (c->ifi6 > 0 && !no_map_gw &&

Same here.

IN6_IS_ADDR_UNSPECIFIED(&c->ip6.map_host_loopback)) c->ip6.map_host_loopback = c->ip6.guest_gw;

@@ -2116,10 +2142,10 @@ void conf(struct ctx *c, int argc, char **argv) conf_ports(c, name, optarg, &c->udp.fwd_out); } while (name != -1);

- if (!c->ifi4) + if (c->ifi4 <= 0) c->no_dhcp = 1;

- if (!c->ifi6) { + if (c->ifi6 <= 0) { c->no_ndp = 1; c->no_dhcpv6 = 1;

And here. Local mode can still use NDP and DHCP, even though --no-tap mode can't. It might be simpler to force no_ndp, no_dhcp etc. along with no_ra and the rest above.

} else if (IN6_IS_ADDR_UNSPECIFIED(&c->ip6.addr)) { diff --git a/fwd.c b/fwd.c index 44a0e10..2f4a89a 100644 --- a/fwd.c +++ b/fwd.c @@ -780,6 +780,9 @@ uint8_t fwd_nat_from_host(const struct ctx *c, uint8_t proto, return PIF_SPLICE; }

+ if (c->no_tap) + return PIF_NONE; + if (!nat_inbound(c, &ini->eaddr, &tgt->oaddr)) { if (inany_v4(&ini->eaddr)) { if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.our_tap_addr)) diff --git a/passt.1 b/passt.1 index db0d662..2d643f7 100644 --- a/passt.1 +++ b/passt.1 @@ -755,6 +755,11 @@ Default is to let the tap driver build a pseudorandom hardware address. Disable the bypass path for inbound, local traffic. See the section \fBHandling of local traffic in pasta\fR in the \fBNOTES\fR for more details.

+.TP +.BR \-\-no-tap +Do not create a tap device in the namespace. In this mode, only local loopback +traffic between namespaces is forwarded using splice.

This probably wants some work, because I'm not sure "tap device" and "splice" are sufficiently clear in this context.

+ .SH EXAMPLES

.SS \fBpasta diff --git a/passt.h b/passt.h index 79d01dd..0c1ec4c 100644 --- a/passt.h +++ b/passt.h @@ -200,6 +200,7 @@ struct ip6_ctx { * @no_ndp: Disable NDP handler altogether * @no_ra: Disable router advertisements * @no_splice: Disable socket splicing for inbound traffic + * @no_tap: Do not create tap device * @host_lo_to_ns_lo: Map host loopback addresses to ns loopback addresses * @freebind: Allow binding of non-local addresses for forwarding * @low_wmem: Low probed net.core.wmem_max @@ -277,6 +278,7 @@ struct ctx { int no_ndp; int no_ra; int no_splice; + int no_tap; int host_lo_to_ns_lo; int freebind;

diff --git a/pasta.c b/pasta.c index 0ddd6b0..3510ec5 100644 --- a/pasta.c +++ b/pasta.c @@ -316,6 +316,9 @@ void pasta_ns_conf(struct ctx *c) die("Couldn't bring up loopback interface in namespace: %s", strerror_(-rc));

+ if (c->no_tap) + return; + /* Get or set MAC in target namespace */ if (MAC_IS_ZERO(c->guest_mac)) nl_link_get_mac(nl_sock_ns, c->pasta_ifi, c->guest_mac); diff --git a/tap.c b/tap.c index 9d1344b..9b4eedc 100644 --- a/tap.c +++ b/tap.c @@ -1491,13 +1491,16 @@ static int tap_ns_tun(void *arg) */ static void tap_sock_tun_init(struct ctx *c) { - NS_CALL(tap_ns_tun, c); - if (c->fd_tap == -1) - die("Failed to set up tap device in namespace"); + if (!c->no_tap) { + NS_CALL(tap_ns_tun, c); + if (c->fd_tap == -1) + die("Failed to set up tap device in namespace"); + }

pasta_ns_conf(c);

- tap_start_connection(c); + if (!c->no_tap) + tap_start_connection(c); }

/** -- 2.49.0

-- David Gibson (he or they) | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you, not the other way | around. http://www.ozlabs.org/~dgibson

Sorry I was out for a while so I didn't had time to clarify on the bug before. On 29/12/2025 10:55, Yumei Huang wrote:

This patch introduces a mode where we only forward loopback connections and traffic between two namespaces (via the loopback interface, 'lo'), without a tap device.

With this, podman can support forwarding ::1 in custom networks when using rootlesskit for forwarding ports.

I guess I didn't really communicate my requirements well. When we use rootlessport (rootlesskit) today for custom networks we only do so as rootless user and it forwards ::1 (by possibly mapping this to v4 inside the container) fine. My main point for this feature was using as root (requires further changes to allow pasta running as root). Because as root podman does port forwarding via DNAT firewall rules (i.e. custom nftables rules we add). The kernel however never added support for DNAT on ::1 meaning clients trying to access that are not getting forwarded. The only way to support this is using a user space helper. Right now this doesn't work and we do not use rootlessport for this either so I was just thinking ahead because we do have these users requests who want ::1 to work as root. For the current rootlessport use case we also must bind all ports as given (i.e. also addresses 0.0.0.0 bind address), just forwarding loopback to loopback is not what we want or do for security reasons, see CVE-2021-20199. And logically it would not really work to have another process bind 0.0.0.0 and this pasta helper bind lo on the same port at the same time. The way I am thinking is bind ports as normal, add the no-tap option and add two options to give the v4 and v6 namespace (container) side connect addresses so we never actually connect to lo. Then we also should have a dynamic way to update the connect addresses at runtime which is required for podman network connect/disconnect to work which changes the addresses inside the namespace, see https://github.com/containers/podman/commit/e88d8dbeae2aebd2d816f16a21891764.... Overall none of this is a blocker for removing rootlessport. I think our plan was and still is to use the dynamic port forwarding logic David is working on to replace the rootless custom network port forwarding case with that.

In --no-tap mode, --host-lo-to-ns-lo, --no-icmp and --no-ra is automatically enabled. Options requiring a tap device (--ns-ifname, --ns-mac-addr, --config-net, --outbound-if4/6) are rejected.

Link: https://bugs.passt.top/show_bug.cgi?id=149 Signed-off-by: Yumei Huang --- conf.c | 56 +++++++++++++++++++++++++++++++++++++++++--------------- fwd.c | 3 +++ passt.1 | 5 +++++ passt.h | 2 ++ pasta.c | 3 +++ tap.c | 11 +++++++---- 6 files changed, 61 insertions(+), 19 deletions(-)

diff --git a/conf.c b/conf.c index 84ae12b..353d0a5 100644 --- a/conf.c +++ b/conf.c @@ -1049,7 +1049,8 @@ pasta_opts: " --no-copy-addrs DEPRECATED:\n" " Don't copy all addresses to namespace\n" " --ns-mac-addr ADDR Set MAC address on tap interface\n" - " --no-splice Disable inbound socket splicing\n"); + " --no-splice Disable inbound socket splicing\n" + " --no-tap Don't create tap device\n");

passt_exit(status); } @@ -1451,6 +1452,7 @@ void conf(struct ctx *c, int argc, char **argv) {"no-ndp", no_argument, &c->no_ndp, 1 }, {"no-ra", no_argument, &c->no_ra, 1 }, {"no-splice", no_argument, &c->no_splice, 1 }, + {"no-tap", no_argument, &c->no_tap, 1 }, {"freebind", no_argument, &c->freebind, 1 }, {"no-map-gw", no_argument, &no_map_gw, 1 }, {"ipv4-only", no_argument, NULL, '4' }, @@ -1947,8 +1949,11 @@ void conf(struct ctx *c, int argc, char **argv) } } while (name != -1);

- if (c->mode != MODE_PASTA) + if (c->mode != MODE_PASTA) { c->no_splice = 1; + if (c->no_tap) + die("--no-tap is for pasta mode only"); + }

if (c->mode == MODE_PASTA && !c->pasta_conf_ns) { if (copy_routes_opt) @@ -1957,6 +1962,25 @@ void conf(struct ctx *c, int argc, char **argv) die("--no-copy-addrs needs --config-net"); }

+ if (c->mode == MODE_PASTA && c->no_tap) { + if (c->no_splice) + die("--no-tap is incompatible with --no-splice"); + if (*c->ip4.ifname_out || *c->ip6.ifname_out) + die("--no-tap is incompatible with --outbound-if4/6"); + if (*c->pasta_ifn) + die("--no-tap is incompatible with --ns-ifname"); + if (*c->guest_mac) + die("--no-tap is incompatible with --ns-mac-addr"); + if (c->pasta_conf_ns) + die("--no-tap is incompatible with --config-net"); + + c->host_lo_to_ns_lo = 1; + c->no_icmp = 1; + c->no_ra = 1; + c->no_dns = 1; + c->no_dns_search = 1; + } + if (!ifi4 && *c->ip4.ifname_out) ifi4 = if_nametoindex(c->ip4.ifname_out);

@@ -1980,9 +2004,9 @@ void conf(struct ctx *c, int argc, char **argv) log_conf_parsed = true; /* Stop printing everything */

nl_sock_init(c, false); - if (!v6_only) + if (!v6_only && !c->no_tap) c->ifi4 = conf_ip4(ifi4, &c->ip4); - if (!v4_only) + if (!v4_only && !c->no_tap) c->ifi6 = conf_ip6(ifi6, &c->ip6);

if (c->ifi4 && c->mtu < IPV4_MIN_MTU) { @@ -1998,30 +2022,32 @@ void conf(struct ctx *c, int argc, char **argv) (*c->ip6.ifname_out && !c->ifi6)) die("External interface not usable");

- if (!c->ifi4 && !c->ifi6 && !*c->pasta_ifn) { + if (!c->ifi4 && !c->ifi6 && !*c->pasta_ifn && !c->no_tap) { strncpy(c->pasta_ifn, pasta_default_ifn, sizeof(c->pasta_ifn) - 1); }

if (!c->ifi4 && !v6_only) { - info("IPv4: no external interface as template, use local mode"); - - conf_ip4_local(&c->ip4); + if (!c->no_tap) { + info("IPv4: no external interface as template, use local mode"); + conf_ip4_local(&c->ip4); + } c->ifi4 = -1; }

if (!c->ifi6 && !v4_only) { - info("IPv6: no external interface as template, use local mode"); - - conf_ip6_local(&c->ip6); + if (!c->no_tap) { + info("IPv6: no external interface as template, use local mode"); + conf_ip6_local(&c->ip6); + } c->ifi6 = -1; }

- if (c->ifi4 && !no_map_gw && + if (c->ifi4 > 0 && !no_map_gw && IN4_IS_ADDR_UNSPECIFIED(&c->ip4.map_host_loopback)) c->ip4.map_host_loopback = c->ip4.guest_gw;

- if (c->ifi6 && !no_map_gw && + if (c->ifi6 > 0 && !no_map_gw && IN6_IS_ADDR_UNSPECIFIED(&c->ip6.map_host_loopback)) c->ip6.map_host_loopback = c->ip6.guest_gw;

@@ -2116,10 +2142,10 @@ void conf(struct ctx *c, int argc, char **argv) conf_ports(c, name, optarg, &c->udp.fwd_out); } while (name != -1);

- if (!c->ifi4) + if (c->ifi4 <= 0) c->no_dhcp = 1;

- if (!c->ifi6) { + if (c->ifi6 <= 0) { c->no_ndp = 1; c->no_dhcpv6 = 1; } else if (IN6_IS_ADDR_UNSPECIFIED(&c->ip6.addr)) { diff --git a/fwd.c b/fwd.c index 44a0e10..2f4a89a 100644 --- a/fwd.c +++ b/fwd.c @@ -780,6 +780,9 @@ uint8_t fwd_nat_from_host(const struct ctx *c, uint8_t proto, return PIF_SPLICE; }

+ if (c->no_tap) + return PIF_NONE; + if (!nat_inbound(c, &ini->eaddr, &tgt->oaddr)) { if (inany_v4(&ini->eaddr)) { if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.our_tap_addr)) diff --git a/passt.1 b/passt.1 index db0d662..2d643f7 100644 --- a/passt.1 +++ b/passt.1 @@ -755,6 +755,11 @@ Default is to let the tap driver build a pseudorandom hardware address. Disable the bypass path for inbound, local traffic. See the section \fBHandling of local traffic in pasta\fR in the \fBNOTES\fR for more details.

+.TP +.BR \-\-no-tap +Do not create a tap device in the namespace. In this mode, only local loopback +traffic between namespaces is forwarded using splice. + .SH EXAMPLES

.SS \fBpasta diff --git a/passt.h b/passt.h index 79d01dd..0c1ec4c 100644 --- a/passt.h +++ b/passt.h @@ -200,6 +200,7 @@ struct ip6_ctx { * @no_ndp: Disable NDP handler altogether * @no_ra: Disable router advertisements * @no_splice: Disable socket splicing for inbound traffic + * @no_tap: Do not create tap device * @host_lo_to_ns_lo: Map host loopback addresses to ns loopback addresses * @freebind: Allow binding of non-local addresses for forwarding * @low_wmem: Low probed net.core.wmem_max @@ -277,6 +278,7 @@ struct ctx { int no_ndp; int no_ra; int no_splice; + int no_tap; int host_lo_to_ns_lo; int freebind;

diff --git a/pasta.c b/pasta.c index 0ddd6b0..3510ec5 100644 --- a/pasta.c +++ b/pasta.c @@ -316,6 +316,9 @@ void pasta_ns_conf(struct ctx *c) die("Couldn't bring up loopback interface in namespace: %s", strerror_(-rc));

+ if (c->no_tap) + return; + /* Get or set MAC in target namespace */ if (MAC_IS_ZERO(c->guest_mac)) nl_link_get_mac(nl_sock_ns, c->pasta_ifi, c->guest_mac); diff --git a/tap.c b/tap.c index 9d1344b..9b4eedc 100644 --- a/tap.c +++ b/tap.c @@ -1491,13 +1491,16 @@ static int tap_ns_tun(void *arg) */ static void tap_sock_tun_init(struct ctx *c) { - NS_CALL(tap_ns_tun, c); - if (c->fd_tap == -1) - die("Failed to set up tap device in namespace"); + if (!c->no_tap) { + NS_CALL(tap_ns_tun, c); + if (c->fd_tap == -1) + die("Failed to set up tap device in namespace"); + }

pasta_ns_conf(c);

- tap_start_connection(c); + if (!c->no_tap) + tap_start_connection(c); }

/**

-- Paul Holzinger

On Mon, 5 Jan 2026 16:53:49 +0800 Yumei Huang wrote:

On Mon, Jan 5, 2026 at 12:18 PM David Gibson wrote:

...

On Mon, Dec 29, 2025 at 05:55:58PM +0800, Yumei Huang wrote:

...

This patch introduces a mode where we only forward loopback connections and traffic between two namespaces (via the loopback interface, 'lo'), without a tap device.

With this, podman can support forwarding ::1 in custom networks when using rootlesskit for forwarding ports.

In --no-tap mode, --host-lo-to-ns-lo, --no-icmp and --no-ra is automatically enabled. Options requiring a tap device (--ns-ifname, --ns-mac-addr, --config-net, --outbound-if4/6) are rejected.

Link: https://bugs.passt.top/show_bug.cgi?id=149 Signed-off-by: Yumei Huang

Nice work. There are some things that need polish, but overall this looks pretty good to me. Like Stefano, I'm pleasantly surprised at how simple it turned out to be.

...

--- conf.c | 56 +++++++++++++++++++++++++++++++++++++++++--------------- fwd.c | 3 +++ passt.1 | 5 +++++ passt.h | 2 ++ pasta.c | 3 +++ tap.c | 11 +++++++---- 6 files changed, 61 insertions(+), 19 deletions(-)

diff --git a/conf.c b/conf.c index 84ae12b..353d0a5 100644 --- a/conf.c +++ b/conf.c @@ -1049,7 +1049,8 @@ pasta_opts: " --no-copy-addrs DEPRECATED:\n" " Don't copy all addresses to namespace\n" " --ns-mac-addr ADDR Set MAC address on tap interface\n" - " --no-splice Disable inbound socket splicing\n"); + " --no-splice Disable inbound socket splicing\n" + " --no-tap Don't create tap device\n");

I feel like this description can be improved, but I'm not exactly sure how, yet.

A few possible alternatives: - "Only enable loopback forwarding" - "Loopback only from/to namespace" - call it --splice-only, and use one of the descriptions above - call it --loopback-only, and use one of the descriptions above

...

...

passt_exit(status); } @@ -1451,6 +1452,7 @@ void conf(struct ctx *c, int argc, char **argv) {"no-ndp", no_argument, &c->no_ndp, 1 }, {"no-ra", no_argument, &c->no_ra, 1 }, {"no-splice", no_argument, &c->no_splice, 1 }, + {"no-tap", no_argument, &c->no_tap, 1 }, {"freebind", no_argument, &c->freebind, 1 }, {"no-map-gw", no_argument, &no_map_gw, 1 }, {"ipv4-only", no_argument, NULL, '4' }, @@ -1947,8 +1949,11 @@ void conf(struct ctx *c, int argc, char **argv) } } while (name != -1);

- if (c->mode != MODE_PASTA) + if (c->mode != MODE_PASTA) { c->no_splice = 1; + if (c->no_tap) + die("--no-tap is for pasta mode only"); + }

if (c->mode == MODE_PASTA && !c->pasta_conf_ns) { if (copy_routes_opt) @@ -1957,6 +1962,25 @@ void conf(struct ctx *c, int argc, char **argv) die("--no-copy-addrs needs --config-net"); }

+ if (c->mode == MODE_PASTA && c->no_tap) { + if (c->no_splice) + die("--no-tap is incompatible with --no-splice"); + if (*c->ip4.ifname_out || *c->ip6.ifname_out) + die("--no-tap is incompatible with --outbound-if4/6"); + if (*c->pasta_ifn) + die("--no-tap is incompatible with --ns-ifname"); + if (*c->guest_mac) + die("--no-tap is incompatible with --ns-mac-addr");

These all make sense. It might also make sense to exclude the -i option - setting a template interface also makes no sense in --no-tap mode.

Sure, I can add an if condition with if4 (as if4=if6 in that case).

...

...

+ if (c->pasta_conf_ns) + die("--no-tap is incompatible with --config-net");

I don't think this is right. We still can and should bring up 'lo' in the --no-tap case.

I see your point, but seems c->pasta_conf_ns is only used for tap as https://passt.top/passt/tree/pasta.c#n328, 'lo' is configured before that line.

Right, and the reason is that there are basic bits of functionality (probing pipe sizes if I recall correctly, or anyway probing for some kind of capability) that need the loopback interface to be up. On the other hand, checks we're adding here are kind of fragile because we'll add other options in the future and probably forget to check which ones are incompatible, so I would try a slightly different approach: only check the options that are *obviously* conflicting with --no-tap. That is, the main thing "--config-net" does is to "Configure networking in the namespace", which we still do with "--no-tap". Now, I see that making sure c->pasta_conf_ns is false saves you checks elsewhere in the implementation, which is, I think, a good reason to have this check here. But in general we don't need to exclude all the possible options that make no sense with --no-tap. We don't really confuse users if we allow them (or, at least, some of them).

...

...

+ c->host_lo_to_ns_lo = 1; + c->no_icmp = 1; + c->no_ra = 1; + c->no_dns = 1; + c->no_dns_search = 1;

The reasoning for the last two items is a bit unclear to me. IIUC, no_dns and no_dns_search aren't so much about "support" for DNS itself but for advertising DNS settings via DHCP. Since DHCP will be unsupported, so are these as a consequence. Is that right?

Yeah, I think so. Actually I added c->no_dhcp, c->no_ndp here as well, then removed them as they are set in later changes(conditions about c->ifi4/c->ifi6), though they turn out to be not quite right :'\

Do we care about them, though? That code won't be reachable anyway, unless I'm missing something. Or is it to make the output of conf_print() nicer? In that case I guess it makes sense to go and disable things.

...

...

+ } + if (!ifi4 && *c->ip4.ifname_out) ifi4 = if_nametoindex(c->ip4.ifname_out);

@@ -1980,9 +2004,9 @@ void conf(struct ctx *c, int argc, char **argv) log_conf_parsed = true; /* Stop printing everything */

nl_sock_init(c, false); - if (!v6_only) + if (!v6_only && !c->no_tap) c->ifi4 = conf_ip4(ifi4, &c->ip4); - if (!v4_only) + if (!v4_only && !c->no_tap) c->ifi6 = conf_ip6(ifi6, &c->ip6);

if (c->ifi4 && c->mtu < IPV4_MIN_MTU) { @@ -1998,30 +2022,32 @@ void conf(struct ctx *c, int argc, char **argv) (*c->ip6.ifname_out && !c->ifi6)) die("External interface not usable");

- if (!c->ifi4 && !c->ifi6 && !*c->pasta_ifn) { + if (!c->ifi4 && !c->ifi6 && !*c->pasta_ifn && !c->no_tap) { strncpy(c->pasta_ifn, pasta_default_ifn, sizeof(c->pasta_ifn) - 1); }

if (!c->ifi4 && !v6_only) { - info("IPv4: no external interface as template, use local mode"); - - conf_ip4_local(&c->ip4); + if (!c->no_tap) { + info("IPv4: no external interface as template, use local mode"); + conf_ip4_local(&c->ip4); + } c->ifi4 = -1; }

if (!c->ifi6 && !v4_only) { - info("IPv6: no external interface as template, use local mode"); - - conf_ip6_local(&c->ip6); + if (!c->no_tap) { + info("IPv6: no external interface as template, use local mode"); + conf_ip6_local(&c->ip6); + } c->ifi6 = -1; }

- if (c->ifi4 && !no_map_gw && + if (c->ifi4 > 0 && !no_map_gw &&

This isn't quite right. ifi4 == -1 now occurs in two cases: local mode, and --no-tap mode. Not setting map_host_loopback makes sense for --no-tap mode, but it's still needed for local mode.

I'm a bit confused by map_host_loopback. I don't quite understand the use scenario. IIUC, either in --no-tap mode or local mode, guest can only communicate with host.

That's not the case for local mode, the guest can communicate with any other host. Local mode is just about addresses and routes, and the fact that, when pasta started, there was no template interface.

Then why do we need to set map_host_loopback? What's the benefit?

Example: guest has 169.254.2.1 (default in local mode), and wants to use 192.0.2.1 to refer to the host, via loopback interface.

...

...

IN4_IS_ADDR_UNSPECIFIED(&c->ip4.map_host_loopback)) c->ip4.map_host_loopback = c->ip4.guest_gw;

- if (c->ifi6 && !no_map_gw && + if (c->ifi6 > 0 && !no_map_gw &&

Same here.

...

IN6_IS_ADDR_UNSPECIFIED(&c->ip6.map_host_loopback)) c->ip6.map_host_loopback = c->ip6.guest_gw;

@@ -2116,10 +2142,10 @@ void conf(struct ctx *c, int argc, char **argv) conf_ports(c, name, optarg, &c->udp.fwd_out); } while (name != -1);

- if (!c->ifi4) + if (c->ifi4 <= 0) c->no_dhcp = 1;

- if (!c->ifi6) { + if (c->ifi6 <= 0) { c->no_ndp = 1; c->no_dhcpv6 = 1;

And here. Local mode can still use NDP and DHCP, even though --no-tap mode can't. It might be simpler to force no_ndp, no_dhcp etc. along with no_ra and the rest above.

Sure, I will add them.

...

...

} else if (IN6_IS_ADDR_UNSPECIFIED(&c->ip6.addr)) { diff --git a/fwd.c b/fwd.c index 44a0e10..2f4a89a 100644 --- a/fwd.c +++ b/fwd.c @@ -780,6 +780,9 @@ uint8_t fwd_nat_from_host(const struct ctx *c, uint8_t proto, return PIF_SPLICE; }

+ if (c->no_tap) + return PIF_NONE; + if (!nat_inbound(c, &ini->eaddr, &tgt->oaddr)) { if (inany_v4(&ini->eaddr)) { if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.our_tap_addr)) diff --git a/passt.1 b/passt.1 index db0d662..2d643f7 100644 --- a/passt.1 +++ b/passt.1 @@ -755,6 +755,11 @@ Default is to let the tap driver build a pseudorandom hardware address. Disable the bypass path for inbound, local traffic. See the section \fBHandling of local traffic in pasta\fR in the \fBNOTES\fR for more details.

+.TP +.BR \-\-no-tap +Do not create a tap device in the namespace. In this mode, only local loopback +traffic between namespaces is forwarded using splice.

This probably wants some work, because I'm not sure "tap device" and "splice" are sufficiently clear in this context.

Yeah, I will think about that. Thanks.

...

...

+ .SH EXAMPLES

.SS \fBpasta diff --git a/passt.h b/passt.h index 79d01dd..0c1ec4c 100644 --- a/passt.h +++ b/passt.h @@ -200,6 +200,7 @@ struct ip6_ctx { * @no_ndp: Disable NDP handler altogether * @no_ra: Disable router advertisements * @no_splice: Disable socket splicing for inbound traffic + * @no_tap: Do not create tap device * @host_lo_to_ns_lo: Map host loopback addresses to ns loopback addresses * @freebind: Allow binding of non-local addresses for forwarding * @low_wmem: Low probed net.core.wmem_max @@ -277,6 +278,7 @@ struct ctx { int no_ndp; int no_ra; int no_splice; + int no_tap; int host_lo_to_ns_lo; int freebind;

diff --git a/pasta.c b/pasta.c index 0ddd6b0..3510ec5 100644 --- a/pasta.c +++ b/pasta.c @@ -316,6 +316,9 @@ void pasta_ns_conf(struct ctx *c) die("Couldn't bring up loopback interface in namespace: %s", strerror_(-rc));

+ if (c->no_tap) + return; + /* Get or set MAC in target namespace */ if (MAC_IS_ZERO(c->guest_mac)) nl_link_get_mac(nl_sock_ns, c->pasta_ifi, c->guest_mac); diff --git a/tap.c b/tap.c index 9d1344b..9b4eedc 100644 --- a/tap.c +++ b/tap.c @@ -1491,13 +1491,16 @@ static int tap_ns_tun(void *arg) */ static void tap_sock_tun_init(struct ctx *c) { - NS_CALL(tap_ns_tun, c); - if (c->fd_tap == -1) - die("Failed to set up tap device in namespace"); + if (!c->no_tap) { + NS_CALL(tap_ns_tun, c); + if (c->fd_tap == -1) + die("Failed to set up tap device in namespace"); + }

pasta_ns_conf(c);

- tap_start_connection(c); + if (!c->no_tap) + tap_start_connection(c); }

/** -- 2.49.0

-- David Gibson (he or they) | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you, not the other way | around. http://www.ozlabs.org/~dgibson

-- Stefano

On Sat, Jan 10, 2026 at 07:12:19PM +0100, Stefano Brivio wrote:

On Mon, 5 Jan 2026 16:53:49 +0800 Yumei Huang wrote:

...

On Mon, Jan 5, 2026 at 12:18 PM David Gibson wrote:

...

On Mon, Dec 29, 2025 at 05:55:58PM +0800, Yumei Huang wrote:

...

This patch introduces a mode where we only forward loopback connections and traffic between two namespaces (via the loopback interface, 'lo'), without a tap device.

With this, podman can support forwarding ::1 in custom networks when using rootlesskit for forwarding ports.

In --no-tap mode, --host-lo-to-ns-lo, --no-icmp and --no-ra is automatically enabled. Options requiring a tap device (--ns-ifname, --ns-mac-addr, --config-net, --outbound-if4/6) are rejected.

Link: https://bugs.passt.top/show_bug.cgi?id=149 Signed-off-by: Yumei Huang

Nice work. There are some things that need polish, but overall this looks pretty good to me. Like Stefano, I'm pleasantly surprised at how simple it turned out to be.

...

--- conf.c | 56 +++++++++++++++++++++++++++++++++++++++++--------------- fwd.c | 3 +++ passt.1 | 5 +++++ passt.h | 2 ++ pasta.c | 3 +++ tap.c | 11 +++++++---- 6 files changed, 61 insertions(+), 19 deletions(-)

diff --git a/conf.c b/conf.c index 84ae12b..353d0a5 100644 --- a/conf.c +++ b/conf.c @@ -1049,7 +1049,8 @@ pasta_opts: " --no-copy-addrs DEPRECATED:\n" " Don't copy all addresses to namespace\n" " --ns-mac-addr ADDR Set MAC address on tap interface\n" - " --no-splice Disable inbound socket splicing\n"); + " --no-splice Disable inbound socket splicing\n" + " --no-tap Don't create tap device\n");

I feel like this description can be improved, but I'm not exactly sure how, yet.

A few possible alternatives:

- "Only enable loopback forwarding"

I prefer this one to the one below.

- "Loopback only from/to namespace"

- call it --splice-only, and use one of the descriptions above

- call it --loopback-only, and use one of the descriptions above

...

...

...

passt_exit(status); } @@ -1451,6 +1452,7 @@ void conf(struct ctx *c, int argc, char **argv) {"no-ndp", no_argument, &c->no_ndp, 1 }, {"no-ra", no_argument, &c->no_ra, 1 }, {"no-splice", no_argument, &c->no_splice, 1 }, + {"no-tap", no_argument, &c->no_tap, 1 }, {"freebind", no_argument, &c->freebind, 1 }, {"no-map-gw", no_argument, &no_map_gw, 1 }, {"ipv4-only", no_argument, NULL, '4' }, @@ -1947,8 +1949,11 @@ void conf(struct ctx *c, int argc, char **argv) } } while (name != -1);

- if (c->mode != MODE_PASTA) + if (c->mode != MODE_PASTA) { c->no_splice = 1; + if (c->no_tap) + die("--no-tap is for pasta mode only"); + }

if (c->mode == MODE_PASTA && !c->pasta_conf_ns) { if (copy_routes_opt) @@ -1957,6 +1962,25 @@ void conf(struct ctx *c, int argc, char **argv) die("--no-copy-addrs needs --config-net"); }

+ if (c->mode == MODE_PASTA && c->no_tap) { + if (c->no_splice) + die("--no-tap is incompatible with --no-splice"); + if (*c->ip4.ifname_out || *c->ip6.ifname_out) + die("--no-tap is incompatible with --outbound-if4/6"); + if (*c->pasta_ifn) + die("--no-tap is incompatible with --ns-ifname"); + if (*c->guest_mac) + die("--no-tap is incompatible with --ns-mac-addr");

These all make sense. It might also make sense to exclude the -i option - setting a template interface also makes no sense in --no-tap mode.

Sure, I can add an if condition with if4 (as if4=if6 in that case).

...

...

+ if (c->pasta_conf_ns) + die("--no-tap is incompatible with --config-net");

I don't think this is right. We still can and should bring up 'lo' in the --no-tap case.

I see your point, but seems c->pasta_conf_ns is only used for tap as https://passt.top/passt/tree/pasta.c#n328, 'lo' is configured before that line.

Right, and the reason is that there are basic bits of functionality (probing pipe sizes if I recall correctly, or anyway probing for some kind of capability) that need the loopback interface to be up.

Ah, right. Drat. In general I don't like us touching the guest netlink at all if we don't have --config-net. Hrm.. now what exactly needs this. It's not anything in sock_probe_features() - that runs in the host ns. Not pipe sizes, either - that also takes place in the host ns (and netns is irrelevant to pipes, anyway). There could well be something, but I'm not sure what it is.

On the other hand, checks we're adding here are kind of fragile because we'll add other options in the future and probably forget to check which ones are incompatible, so I would try a slightly different approach: only check the options that are *obviously* conflicting with --no-tap.

I agree.

That is, the main thing "--config-net" does is to "Configure networking in the namespace", which we still do with "--no-tap".

Agreed.

Now, I see that making sure c->pasta_conf_ns is false saves you checks elsewhere in the implementation, which is, I think, a good reason to have this check here.

But in general we don't need to exclude all the possible options that make no sense with --no-tap. We don't really confuse users if we allow them (or, at least, some of them).

...

...

...

+ c->host_lo_to_ns_lo = 1; + c->no_icmp = 1; + c->no_ra = 1; + c->no_dns = 1; + c->no_dns_search = 1;

The reasoning for the last two items is a bit unclear to me. IIUC, no_dns and no_dns_search aren't so much about "support" for DNS itself but for advertising DNS settings via DHCP. Since DHCP will be unsupported, so are these as a consequence. Is that right?

Yeah, I think so. Actually I added c->no_dhcp, c->no_ndp here as well, then removed them as they are set in later changes(conditions about c->ifi4/c->ifi6), though they turn out to be not quite right :'\

Do we care about them, though? That code won't be reachable anyway, unless I'm missing something. Or is it to make the output of conf_print() nicer? In that case I guess it makes sense to go and disable things.

I think we want to avoid making conf_print() output misleading, and this seems a reasonable way of doing it. -- David Gibson (he or they) | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you, not the other way | around. http://www.ozlabs.org/~dgibson

On Sun, Jan 11, 2026 at 2:12 AM Stefano Brivio wrote:

On Mon, 5 Jan 2026 16:53:49 +0800 Yumei Huang wrote:

...

On Mon, Jan 5, 2026 at 12:18 PM David Gibson wrote:

...

On Mon, Dec 29, 2025 at 05:55:58PM +0800, Yumei Huang wrote:

...

This patch introduces a mode where we only forward loopback connections and traffic between two namespaces (via the loopback interface, 'lo'), without a tap device.

With this, podman can support forwarding ::1 in custom networks when using rootlesskit for forwarding ports.

In --no-tap mode, --host-lo-to-ns-lo, --no-icmp and --no-ra is automatically enabled. Options requiring a tap device (--ns-ifname, --ns-mac-addr, --config-net, --outbound-if4/6) are rejected.

Link: https://bugs.passt.top/show_bug.cgi?id=149 Signed-off-by: Yumei Huang

Nice work. There are some things that need polish, but overall this looks pretty good to me. Like Stefano, I'm pleasantly surprised at how simple it turned out to be.

...

--- conf.c | 56 +++++++++++++++++++++++++++++++++++++++++--------------- fwd.c | 3 +++ passt.1 | 5 +++++ passt.h | 2 ++ pasta.c | 3 +++ tap.c | 11 +++++++---- 6 files changed, 61 insertions(+), 19 deletions(-)

diff --git a/conf.c b/conf.c index 84ae12b..353d0a5 100644 --- a/conf.c +++ b/conf.c @@ -1049,7 +1049,8 @@ pasta_opts: " --no-copy-addrs DEPRECATED:\n" " Don't copy all addresses to namespace\n" " --ns-mac-addr ADDR Set MAC address on tap interface\n" - " --no-splice Disable inbound socket splicing\n"); + " --no-splice Disable inbound socket splicing\n" + " --no-tap Don't create tap device\n");

I feel like this description can be improved, but I'm not exactly sure how, yet.

A few possible alternatives:

- "Only enable loopback forwarding"

Thanks, I will go with this and --splice-only.

- "Loopback only from/to namespace"

- call it --splice-only, and use one of the descriptions above

- call it --loopback-only, and use one of the descriptions above

...

...

...

passt_exit(status); } @@ -1451,6 +1452,7 @@ void conf(struct ctx *c, int argc, char **argv) {"no-ndp", no_argument, &c->no_ndp, 1 }, {"no-ra", no_argument, &c->no_ra, 1 }, {"no-splice", no_argument, &c->no_splice, 1 }, + {"no-tap", no_argument, &c->no_tap, 1 }, {"freebind", no_argument, &c->freebind, 1 }, {"no-map-gw", no_argument, &no_map_gw, 1 }, {"ipv4-only", no_argument, NULL, '4' }, @@ -1947,8 +1949,11 @@ void conf(struct ctx *c, int argc, char **argv) } } while (name != -1);

- if (c->mode != MODE_PASTA) + if (c->mode != MODE_PASTA) { c->no_splice = 1; + if (c->no_tap) + die("--no-tap is for pasta mode only"); + }

if (c->mode == MODE_PASTA && !c->pasta_conf_ns) { if (copy_routes_opt) @@ -1957,6 +1962,25 @@ void conf(struct ctx *c, int argc, char **argv) die("--no-copy-addrs needs --config-net"); }

+ if (c->mode == MODE_PASTA && c->no_tap) { + if (c->no_splice) + die("--no-tap is incompatible with --no-splice"); + if (*c->ip4.ifname_out || *c->ip6.ifname_out) + die("--no-tap is incompatible with --outbound-if4/6"); + if (*c->pasta_ifn) + die("--no-tap is incompatible with --ns-ifname"); + if (*c->guest_mac) + die("--no-tap is incompatible with --ns-mac-addr");

These all make sense. It might also make sense to exclude the -i option - setting a template interface also makes no sense in --no-tap mode.

Sure, I can add an if condition with if4 (as if4=if6 in that case).

...

...

+ if (c->pasta_conf_ns) + die("--no-tap is incompatible with --config-net");

I don't think this is right. We still can and should bring up 'lo' in the --no-tap case.

I see your point, but seems c->pasta_conf_ns is only used for tap as https://passt.top/passt/tree/pasta.c#n328, 'lo' is configured before that line.

Right, and the reason is that there are basic bits of functionality (probing pipe sizes if I recall correctly, or anyway probing for some kind of capability) that need the loopback interface to be up.

On the other hand, checks we're adding here are kind of fragile because we'll add other options in the future and probably forget to check which ones are incompatible, so I would try a slightly different approach: only check the options that are *obviously* conflicting with --no-tap.

That is, the main thing "--config-net" does is to "Configure networking in the namespace", which we still do with "--no-tap".

I added that because I thought --config-net is for tap only (as lo is configured always), and there is no tap for this mode. I can remove it, it still works without it.

Now, I see that making sure c->pasta_conf_ns is false saves you checks elsewhere in the implementation, which is, I think, a good reason to have this check here.

But in general we don't need to exclude all the possible options that make no sense with --no-tap. We don't really confuse users if we allow them (or, at least, some of them).

I see. From a tester's perspective, we used to uncover a few bugs by combining certain options in different ways. I feel it's more user-friendly to explicitly state what is unsupported and what will be ignored, although this is not a strong preference. I can update with only excluding obvious ones.

...

...

...

+ c->host_lo_to_ns_lo = 1; + c->no_icmp = 1; + c->no_ra = 1; + c->no_dns = 1; + c->no_dns_search = 1;

The reasoning for the last two items is a bit unclear to me. IIUC, no_dns and no_dns_search aren't so much about "support" for DNS itself but for advertising DNS settings via DHCP. Since DHCP will be unsupported, so are these as a consequence. Is that right?

Yeah, I think so. Actually I added c->no_dhcp, c->no_ndp here as well, then removed them as they are set in later changes(conditions about c->ifi4/c->ifi6), though they turn out to be not quite right :'\

Do we care about them, though? That code won't be reachable anyway, unless I'm missing something. Or is it to make the output of conf_print() nicer? In that case I guess it makes sense to go and disable things.

Just tried, without c->no_dns we would hit a warning "Couldn't get any nameserver address" , without c->no_dns_search, the conf_print will have lines as below, 0.0021: DNS search list: 0.0021: . 0.0021: DNS search list: 0.0022: . Apart from that, seems there is no difference with or without c->ra, c->no_dhcp, c->no_ndp. I guess we only need c->no_dns and c->no_dns_search here.

...

...

...

+ } + if (!ifi4 && *c->ip4.ifname_out) ifi4 = if_nametoindex(c->ip4.ifname_out);

@@ -1980,9 +2004,9 @@ void conf(struct ctx *c, int argc, char **argv) log_conf_parsed = true; /* Stop printing everything */

nl_sock_init(c, false); - if (!v6_only) + if (!v6_only && !c->no_tap) c->ifi4 = conf_ip4(ifi4, &c->ip4); - if (!v4_only) + if (!v4_only && !c->no_tap) c->ifi6 = conf_ip6(ifi6, &c->ip6);

if (c->ifi4 && c->mtu < IPV4_MIN_MTU) { @@ -1998,30 +2022,32 @@ void conf(struct ctx *c, int argc, char **argv) (*c->ip6.ifname_out && !c->ifi6)) die("External interface not usable");

- if (!c->ifi4 && !c->ifi6 && !*c->pasta_ifn) { + if (!c->ifi4 && !c->ifi6 && !*c->pasta_ifn && !c->no_tap) { strncpy(c->pasta_ifn, pasta_default_ifn, sizeof(c->pasta_ifn) - 1); }

if (!c->ifi4 && !v6_only) { - info("IPv4: no external interface as template, use local mode"); - - conf_ip4_local(&c->ip4); + if (!c->no_tap) { + info("IPv4: no external interface as template, use local mode"); + conf_ip4_local(&c->ip4); + } c->ifi4 = -1; }

if (!c->ifi6 && !v4_only) { - info("IPv6: no external interface as template, use local mode"); - - conf_ip6_local(&c->ip6); + if (!c->no_tap) { + info("IPv6: no external interface as template, use local mode"); + conf_ip6_local(&c->ip6); + } c->ifi6 = -1; }

- if (c->ifi4 && !no_map_gw && + if (c->ifi4 > 0 && !no_map_gw &&

This isn't quite right. ifi4 == -1 now occurs in two cases: local mode, and --no-tap mode. Not setting map_host_loopback makes sense for --no-tap mode, but it's still needed for local mode.

I'm a bit confused by map_host_loopback. I don't quite understand the use scenario. IIUC, either in --no-tap mode or local mode, guest can only communicate with host.

That's not the case for local mode, the guest can communicate with any other host. Local mode is just about addresses and routes, and the fact that, when pasta started, there was no template interface.

Oh, I thought local mode is only for host without network connectivity. Thanks for the explanation.

...

Then why do we need to set map_host_loopback? What's the benefit?

Example: guest has 169.254.2.1 (default in local mode), and wants to use 192.0.2.1 to refer to the host, via loopback interface.

...

...

...

IN4_IS_ADDR_UNSPECIFIED(&c->ip4.map_host_loopback)) c->ip4.map_host_loopback = c->ip4.guest_gw;

- if (c->ifi6 && !no_map_gw && + if (c->ifi6 > 0 && !no_map_gw &&

Same here.

...

IN6_IS_ADDR_UNSPECIFIED(&c->ip6.map_host_loopback)) c->ip6.map_host_loopback = c->ip6.guest_gw;

@@ -2116,10 +2142,10 @@ void conf(struct ctx *c, int argc, char **argv) conf_ports(c, name, optarg, &c->udp.fwd_out); } while (name != -1);

- if (!c->ifi4) + if (c->ifi4 <= 0) c->no_dhcp = 1;

- if (!c->ifi6) { + if (c->ifi6 <= 0) { c->no_ndp = 1; c->no_dhcpv6 = 1;

And here. Local mode can still use NDP and DHCP, even though --no-tap mode can't. It might be simpler to force no_ndp, no_dhcp etc. along with no_ra and the rest above.

Sure, I will add them.

...

...

} else if (IN6_IS_ADDR_UNSPECIFIED(&c->ip6.addr)) { diff --git a/fwd.c b/fwd.c index 44a0e10..2f4a89a 100644 --- a/fwd.c +++ b/fwd.c @@ -780,6 +780,9 @@ uint8_t fwd_nat_from_host(const struct ctx *c, uint8_t proto, return PIF_SPLICE; }

+ if (c->no_tap) + return PIF_NONE; + if (!nat_inbound(c, &ini->eaddr, &tgt->oaddr)) { if (inany_v4(&ini->eaddr)) { if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.our_tap_addr)) diff --git a/passt.1 b/passt.1 index db0d662..2d643f7 100644 --- a/passt.1 +++ b/passt.1 @@ -755,6 +755,11 @@ Default is to let the tap driver build a pseudorandom hardware address. Disable the bypass path for inbound, local traffic. See the section \fBHandling of local traffic in pasta\fR in the \fBNOTES\fR for more details.

+.TP +.BR \-\-no-tap +Do not create a tap device in the namespace. In this mode, only local loopback +traffic between namespaces is forwarded using splice.

This probably wants some work, because I'm not sure "tap device" and "splice" are sufficiently clear in this context.

Yeah, I will think about that. Thanks.

...

...

+ .SH EXAMPLES

.SS \fBpasta diff --git a/passt.h b/passt.h index 79d01dd..0c1ec4c 100644 --- a/passt.h +++ b/passt.h @@ -200,6 +200,7 @@ struct ip6_ctx { * @no_ndp: Disable NDP handler altogether * @no_ra: Disable router advertisements * @no_splice: Disable socket splicing for inbound traffic + * @no_tap: Do not create tap device * @host_lo_to_ns_lo: Map host loopback addresses to ns loopback addresses * @freebind: Allow binding of non-local addresses for forwarding * @low_wmem: Low probed net.core.wmem_max @@ -277,6 +278,7 @@ struct ctx { int no_ndp; int no_ra; int no_splice; + int no_tap; int host_lo_to_ns_lo; int freebind;

diff --git a/pasta.c b/pasta.c index 0ddd6b0..3510ec5 100644 --- a/pasta.c +++ b/pasta.c @@ -316,6 +316,9 @@ void pasta_ns_conf(struct ctx *c) die("Couldn't bring up loopback interface in namespace: %s", strerror_(-rc));

+ if (c->no_tap) + return; + /* Get or set MAC in target namespace */ if (MAC_IS_ZERO(c->guest_mac)) nl_link_get_mac(nl_sock_ns, c->pasta_ifi, c->guest_mac); diff --git a/tap.c b/tap.c index 9d1344b..9b4eedc 100644 --- a/tap.c +++ b/tap.c @@ -1491,13 +1491,16 @@ static int tap_ns_tun(void *arg) */ static void tap_sock_tun_init(struct ctx *c) { - NS_CALL(tap_ns_tun, c); - if (c->fd_tap == -1) - die("Failed to set up tap device in namespace"); + if (!c->no_tap) { + NS_CALL(tap_ns_tun, c); + if (c->fd_tap == -1) + die("Failed to set up tap device in namespace"); + }

pasta_ns_conf(c);

- tap_start_connection(c); + if (!c->no_tap) + tap_start_connection(c); }

/** -- 2.49.0

-- David Gibson (he or they) | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you, not the other way | around. http://www.ozlabs.org/~dgibson

-- Stefano

-- Thanks, Yumei Huang

On Tue, 13 Jan 2026 19:20:47 +0800 Yumei Huang wrote:

On Sun, Jan 11, 2026 at 2:12 AM Stefano Brivio wrote:

...

On Mon, 29 Dec 2025 17:55:58 +0800 Yumei Huang wrote:

...

This patch introduces a mode where we only forward loopback connections and traffic between two namespaces (via the loopback interface, 'lo'), without a tap device.

With this, podman can support forwarding ::1 in custom networks when using rootlesskit for forwarding ports.

In --no-tap mode, --host-lo-to-ns-lo, --no-icmp and --no-ra is automatically enabled. Options requiring a tap device (--ns-ifname, --ns-mac-addr, --config-net, --outbound-if4/6) are rejected.

Link: https://bugs.passt.top/show_bug.cgi?id=149 Signed-off-by: Yumei Huang --- conf.c | 56 +++++++++++++++++++++++++++++++++++++++++--------------- fwd.c | 3 +++ passt.1 | 5 +++++ passt.h | 2 ++ pasta.c | 3 +++ tap.c | 11 +++++++---- 6 files changed, 61 insertions(+), 19 deletions(-)

diff --git a/conf.c b/conf.c index 84ae12b..353d0a5 100644 --- a/conf.c +++ b/conf.c @@ -1049,7 +1049,8 @@ pasta_opts: " --no-copy-addrs DEPRECATED:\n" " Don't copy all addresses to namespace\n" " --ns-mac-addr ADDR Set MAC address on tap interface\n" - " --no-splice Disable inbound socket splicing\n"); + " --no-splice Disable inbound socket splicing\n" + " --no-tap Don't create tap device\n");

passt_exit(status); } @@ -1451,6 +1452,7 @@ void conf(struct ctx *c, int argc, char **argv) {"no-ndp", no_argument, &c->no_ndp, 1 }, {"no-ra", no_argument, &c->no_ra, 1 }, {"no-splice", no_argument, &c->no_splice, 1 }, + {"no-tap", no_argument, &c->no_tap, 1 }, {"freebind", no_argument, &c->freebind, 1 }, {"no-map-gw", no_argument, &no_map_gw, 1 }, {"ipv4-only", no_argument, NULL, '4' }, @@ -1947,8 +1949,11 @@ void conf(struct ctx *c, int argc, char **argv) } } while (name != -1);

- if (c->mode != MODE_PASTA) + if (c->mode != MODE_PASTA) { c->no_splice = 1; + if (c->no_tap) + die("--no-tap is for pasta mode only"); + }

if (c->mode == MODE_PASTA && !c->pasta_conf_ns) { if (copy_routes_opt) @@ -1957,6 +1962,25 @@ void conf(struct ctx *c, int argc, char **argv) die("--no-copy-addrs needs --config-net"); }

+ if (c->mode == MODE_PASTA && c->no_tap) { + if (c->no_splice) + die("--no-tap is incompatible with --no-splice");

I'm not sure if you need this for other reasons, but as long as it's called --no-tap, it's not really incompatible with --no-splice.

I will update it to --splice-only

...

Maybe users just want to get a disconnected namespace for whatever reason ('pasta' is shorter to type than 'unshare -rUn').

...

+ if (*c->ip4.ifname_out || *c->ip6.ifname_out) + die("--no-tap is incompatible with --outbound-if4/6"); + if (*c->pasta_ifn) + die("--no-tap is incompatible with --ns-ifname"); + if (*c->guest_mac) + die("--no-tap is incompatible with --ns-mac-addr"); + if (c->pasta_conf_ns) + die("--no-tap is incompatible with --config-net");

I guess all these checks are to save some checks later, which looks like a good reason to have them here.

If not, though, I don't think we *really* need to tell the user that --ns-ifname will be ignored with --no-tap.

One thing that might confuse users, though, is this:

$ ./pasta --no-tap --mtu 1500 -- ip l 1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

or even this:

$ ./pasta --no-tap -a 192.0.2.1 -- ip a 1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host proto kernel_lo valid_lft forever preferred_lft forever

but I would rather *not* add conditions and checks for those even if there's a *slight* potential for confusion, otherwise this becomes really long. And it's really not worth it, I think.

Then I guess we only need the c->no_splice check, right?

...maybe? About *needing*, yes, I guess so, but if other checks save more checks later, I would keep them.

...

...

+ + c->host_lo_to_ns_lo = 1; + c->no_icmp = 1; + c->no_ra = 1; + c->no_dns = 1; + c->no_dns_search = 1; + } + if (!ifi4 && *c->ip4.ifname_out) ifi4 = if_nametoindex(c->ip4.ifname_out);

@@ -1980,9 +2004,9 @@ void conf(struct ctx *c, int argc, char **argv) log_conf_parsed = true; /* Stop printing everything */

nl_sock_init(c, false); - if (!v6_only) + if (!v6_only && !c->no_tap) c->ifi4 = conf_ip4(ifi4, &c->ip4); - if (!v4_only) + if (!v4_only && !c->no_tap) c->ifi6 = conf_ip6(ifi6, &c->ip6);

if (c->ifi4 && c->mtu < IPV4_MIN_MTU) { @@ -1998,30 +2022,32 @@ void conf(struct ctx *c, int argc, char **argv) (*c->ip6.ifname_out && !c->ifi6)) die("External interface not usable");

- if (!c->ifi4 && !c->ifi6 && !*c->pasta_ifn) { + if (!c->ifi4 && !c->ifi6 && !*c->pasta_ifn && !c->no_tap) {

You already checked that !*c->pasta_ifn above.

I guess the check above (aka. if (*c->pasta_ifn && c->no_tap)) doesn't affect this one? If c->pasta_ifn is assigned, we won't come to the check !c->no_tap here. Otherwise, we do need to check !c->no_tap.

Right, but you don't care about resetting c->pasta_ifn to the default value if !c->no_tap, because in that case you know that c->pasta_ifn wasn't set, so you can happily override it. I guess, at least, I haven't thoroughly checked what might happen later with it.

...

...

strncpy(c->pasta_ifn, pasta_default_ifn, sizeof(c->pasta_ifn) - 1); }

if (!c->ifi4 && !v6_only) { - info("IPv4: no external interface as template, use local mode"); - - conf_ip4_local(&c->ip4); + if (!c->no_tap) { + info("IPv4: no external interface as template, use local mode"); + conf_ip4_local(&c->ip4); + } c->ifi4 = -1; }

if (!c->ifi6 && !v4_only) { - info("IPv6: no external interface as template, use local mode"); - - conf_ip6_local(&c->ip6); + if (!c->no_tap) { + info("IPv6: no external interface as template, use local mode"); + conf_ip6_local(&c->ip6); + } c->ifi6 = -1; }

- if (c->ifi4 && !no_map_gw && + if (c->ifi4 > 0 && !no_map_gw && IN4_IS_ADDR_UNSPECIFIED(&c->ip4.map_host_loopback)) c->ip4.map_host_loopback = c->ip4.guest_gw;

- if (c->ifi6 && !no_map_gw && + if (c->ifi6 > 0 && !no_map_gw && IN6_IS_ADDR_UNSPECIFIED(&c->ip6.map_host_loopback)) c->ip6.map_host_loopback = c->ip6.guest_gw;

@@ -2116,10 +2142,10 @@ void conf(struct ctx *c, int argc, char **argv) conf_ports(c, name, optarg, &c->udp.fwd_out); } while (name != -1);

- if (!c->ifi4) + if (c->ifi4 <= 0) c->no_dhcp = 1;

- if (!c->ifi6) { + if (c->ifi6 <= 0) { c->no_ndp = 1; c->no_dhcpv6 = 1; } else if (IN6_IS_ADDR_UNSPECIFIED(&c->ip6.addr)) { diff --git a/fwd.c b/fwd.c index 44a0e10..2f4a89a 100644 --- a/fwd.c +++ b/fwd.c @@ -780,6 +780,9 @@ uint8_t fwd_nat_from_host(const struct ctx *c, uint8_t proto, return PIF_SPLICE; }

+ if (c->no_tap) + return PIF_NONE; + if (!nat_inbound(c, &ini->eaddr, &tgt->oaddr)) { if (inany_v4(&ini->eaddr)) { if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.our_tap_addr)) diff --git a/passt.1 b/passt.1 index db0d662..2d643f7 100644 --- a/passt.1 +++ b/passt.1 @@ -755,6 +755,11 @@ Default is to let the tap driver build a pseudorandom hardware address. Disable the bypass path for inbound, local traffic. See the section \fBHandling of local traffic in pasta\fR in the \fBNOTES\fR for more details.

+.TP +.BR \-\-no-tap +Do not create a tap device in the namespace. In this mode, only local loopback +traffic between namespaces is forwarded using splice.

"Using splice" isn't really clear, and it's not entirely correct in the case of UDP: there's no splice() system call there, even if we call some UDP flows "spliced" for analogy with TCP.

Maybe just omit it, say:

[...] In this mode, \fIpasta\fR only forwards loopback traffic between namespaces.

Do you think we still need "Do not create a tap device in the namespace" after updating it to --splice-only?

Yes, I think so, because otherwise it might look like we create the tap device anyway, but discard all traffic from/to it. -- Stefano

On Wed, Jan 14, 2026 at 2:31 PM Yumei Huang wrote:

On Wed, Jan 14, 2026 at 7:34 AM Stefano Brivio wrote:

...

On Tue, 13 Jan 2026 19:20:47 +0800 Yumei Huang wrote:

...

On Sun, Jan 11, 2026 at 2:12 AM Stefano Brivio wrote:

...

On Mon, 29 Dec 2025 17:55:58 +0800 Yumei Huang wrote:

...

This patch introduces a mode where we only forward loopback connections and traffic between two namespaces (via the loopback interface, 'lo'), without a tap device.

With this, podman can support forwarding ::1 in custom networks when using rootlesskit for forwarding ports.

In --no-tap mode, --host-lo-to-ns-lo, --no-icmp and --no-ra is automatically enabled. Options requiring a tap device (--ns-ifname, --ns-mac-addr, --config-net, --outbound-if4/6) are rejected.

Link: https://bugs.passt.top/show_bug.cgi?id=149 Signed-off-by: Yumei Huang --- conf.c | 56 +++++++++++++++++++++++++++++++++++++++++--------------- fwd.c | 3 +++ passt.1 | 5 +++++ passt.h | 2 ++ pasta.c | 3 +++ tap.c | 11 +++++++---- 6 files changed, 61 insertions(+), 19 deletions(-)

diff --git a/conf.c b/conf.c index 84ae12b..353d0a5 100644 --- a/conf.c +++ b/conf.c @@ -1049,7 +1049,8 @@ pasta_opts: " --no-copy-addrs DEPRECATED:\n" " Don't copy all addresses to namespace\n" " --ns-mac-addr ADDR Set MAC address on tap interface\n" - " --no-splice Disable inbound socket splicing\n"); + " --no-splice Disable inbound socket splicing\n" + " --no-tap Don't create tap device\n");

passt_exit(status); } @@ -1451,6 +1452,7 @@ void conf(struct ctx *c, int argc, char **argv) {"no-ndp", no_argument, &c->no_ndp, 1 }, {"no-ra", no_argument, &c->no_ra, 1 }, {"no-splice", no_argument, &c->no_splice, 1 }, + {"no-tap", no_argument, &c->no_tap, 1 }, {"freebind", no_argument, &c->freebind, 1 }, {"no-map-gw", no_argument, &no_map_gw, 1 }, {"ipv4-only", no_argument, NULL, '4' }, @@ -1947,8 +1949,11 @@ void conf(struct ctx *c, int argc, char **argv) } } while (name != -1);

- if (c->mode != MODE_PASTA) + if (c->mode != MODE_PASTA) { c->no_splice = 1; + if (c->no_tap) + die("--no-tap is for pasta mode only"); + }

if (c->mode == MODE_PASTA && !c->pasta_conf_ns) { if (copy_routes_opt) @@ -1957,6 +1962,25 @@ void conf(struct ctx *c, int argc, char **argv) die("--no-copy-addrs needs --config-net"); }

+ if (c->mode == MODE_PASTA && c->no_tap) { + if (c->no_splice) + die("--no-tap is incompatible with --no-splice");

I'm not sure if you need this for other reasons, but as long as it's called --no-tap, it's not really incompatible with --no-splice.

I will update it to --splice-only

...

Maybe users just want to get a disconnected namespace for whatever reason ('pasta' is shorter to type than 'unshare -rUn').

...

+ if (*c->ip4.ifname_out || *c->ip6.ifname_out) + die("--no-tap is incompatible with --outbound-if4/6"); + if (*c->pasta_ifn) + die("--no-tap is incompatible with --ns-ifname"); + if (*c->guest_mac) + die("--no-tap is incompatible with --ns-mac-addr"); + if (c->pasta_conf_ns) + die("--no-tap is incompatible with --config-net");

I guess all these checks are to save some checks later, which looks like a good reason to have them here.

If not, though, I don't think we *really* need to tell the user that --ns-ifname will be ignored with --no-tap.

One thing that might confuse users, though, is this:

$ ./pasta --no-tap --mtu 1500 -- ip l 1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

or even this:

$ ./pasta --no-tap -a 192.0.2.1 -- ip a 1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host proto kernel_lo valid_lft forever preferred_lft forever

but I would rather *not* add conditions and checks for those even if there's a *slight* potential for confusion, otherwise this becomes really long. And it's really not worth it, I think.

Then I guess we only need the c->no_splice check, right?

...maybe? About *needing*, yes, I guess so, but if other checks save more checks later, I would keep them.

...

...

...

+ + c->host_lo_to_ns_lo = 1; + c->no_icmp = 1; + c->no_ra = 1; + c->no_dns = 1; + c->no_dns_search = 1; + } + if (!ifi4 && *c->ip4.ifname_out) ifi4 = if_nametoindex(c->ip4.ifname_out);

@@ -1980,9 +2004,9 @@ void conf(struct ctx *c, int argc, char **argv) log_conf_parsed = true; /* Stop printing everything */

nl_sock_init(c, false); - if (!v6_only) + if (!v6_only && !c->no_tap) c->ifi4 = conf_ip4(ifi4, &c->ip4); - if (!v4_only) + if (!v4_only && !c->no_tap) c->ifi6 = conf_ip6(ifi6, &c->ip6);

if (c->ifi4 && c->mtu < IPV4_MIN_MTU) { @@ -1998,30 +2022,32 @@ void conf(struct ctx *c, int argc, char **argv) (*c->ip6.ifname_out && !c->ifi6)) die("External interface not usable");

- if (!c->ifi4 && !c->ifi6 && !*c->pasta_ifn) { + if (!c->ifi4 && !c->ifi6 && !*c->pasta_ifn && !c->no_tap) {

You already checked that !*c->pasta_ifn above.

I guess the check above (aka. if (*c->pasta_ifn && c->no_tap)) doesn't affect this one? If c->pasta_ifn is assigned, we won't come to the check !c->no_tap here. Otherwise, we do need to check !c->no_tap.

Right, but you don't care about resetting c->pasta_ifn to the default value if !c->no_tap, because in that case you know that c->pasta_ifn wasn't set, so you can happily override it.

I just realized that you probably meant when c->no_tap is set. Actually it would affect conf_print, info("Namespace interface: %s", c->pasta_ifn). But I will add a condition about c->splice_only before this line, so yes, it doesn't matter whether reset it or not. I will remove the check in v2.

I'm not sure I fully understand it. If !c->no_tap, the condition is the same as before without this patch, which is to not reset it if it's specified in cmd line. We won't know if c->pasta_ifn is set until this check, do we?

...

I guess, at least, I haven't thoroughly checked what might happen later with it.

...

...

...

strncpy(c->pasta_ifn, pasta_default_ifn, sizeof(c->pasta_ifn) - 1); }

if (!c->ifi4 && !v6_only) { - info("IPv4: no external interface as template, use local mode"); - - conf_ip4_local(&c->ip4); + if (!c->no_tap) { + info("IPv4: no external interface as template, use local mode"); + conf_ip4_local(&c->ip4); + } c->ifi4 = -1; }

if (!c->ifi6 && !v4_only) { - info("IPv6: no external interface as template, use local mode"); - - conf_ip6_local(&c->ip6); + if (!c->no_tap) { + info("IPv6: no external interface as template, use local mode"); + conf_ip6_local(&c->ip6); + } c->ifi6 = -1; }

- if (c->ifi4 && !no_map_gw && + if (c->ifi4 > 0 && !no_map_gw && IN4_IS_ADDR_UNSPECIFIED(&c->ip4.map_host_loopback)) c->ip4.map_host_loopback = c->ip4.guest_gw;

- if (c->ifi6 && !no_map_gw && + if (c->ifi6 > 0 && !no_map_gw && IN6_IS_ADDR_UNSPECIFIED(&c->ip6.map_host_loopback)) c->ip6.map_host_loopback = c->ip6.guest_gw;

@@ -2116,10 +2142,10 @@ void conf(struct ctx *c, int argc, char **argv) conf_ports(c, name, optarg, &c->udp.fwd_out); } while (name != -1);

- if (!c->ifi4) + if (c->ifi4 <= 0) c->no_dhcp = 1;

- if (!c->ifi6) { + if (c->ifi6 <= 0) { c->no_ndp = 1; c->no_dhcpv6 = 1; } else if (IN6_IS_ADDR_UNSPECIFIED(&c->ip6.addr)) { diff --git a/fwd.c b/fwd.c index 44a0e10..2f4a89a 100644 --- a/fwd.c +++ b/fwd.c @@ -780,6 +780,9 @@ uint8_t fwd_nat_from_host(const struct ctx *c, uint8_t proto, return PIF_SPLICE; }

+ if (c->no_tap) + return PIF_NONE; + if (!nat_inbound(c, &ini->eaddr, &tgt->oaddr)) { if (inany_v4(&ini->eaddr)) { if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.our_tap_addr)) diff --git a/passt.1 b/passt.1 index db0d662..2d643f7 100644 --- a/passt.1 +++ b/passt.1 @@ -755,6 +755,11 @@ Default is to let the tap driver build a pseudorandom hardware address. Disable the bypass path for inbound, local traffic. See the section \fBHandling of local traffic in pasta\fR in the \fBNOTES\fR for more details.

+.TP +.BR \-\-no-tap +Do not create a tap device in the namespace. In this mode, only local loopback +traffic between namespaces is forwarded using splice.

"Using splice" isn't really clear, and it's not entirely correct in the case of UDP: there's no splice() system call there, even if we call some UDP flows "spliced" for analogy with TCP.

Maybe just omit it, say:

[...] In this mode, \fIpasta\fR only forwards loopback traffic between namespaces.

Do you think we still need "Do not create a tap device in the namespace" after updating it to --splice-only?

Yes, I think so, because otherwise it might look like we create the tap device anyway, but discard all traffic from/to it.

-- Stefano

-- Thanks,

Yumei Huang

-- Thanks, Yumei Huang

On Wed, Jan 14, 2026 at 6:00 PM Stefano Brivio wrote:

On Wed, 14 Jan 2026 15:28:31 +0800 Yumei Huang wrote:

...

On Wed, Jan 14, 2026 at 2:31 PM Yumei Huang wrote:

...

On Wed, Jan 14, 2026 at 7:34 AM Stefano Brivio wrote:

...

On Tue, 13 Jan 2026 19:20:47 +0800 Yumei Huang wrote:

...

On Sun, Jan 11, 2026 at 2:12 AM Stefano Brivio wrote:

...

On Mon, 29 Dec 2025 17:55:58 +0800 Yumei Huang wrote:

> This patch introduces a mode where we only forward loopback connections > and traffic between two namespaces (via the loopback interface, 'lo'), > without a tap device. > > With this, podman can support forwarding ::1 in custom networks when using > rootlesskit for forwarding ports. > > In --no-tap mode, --host-lo-to-ns-lo, --no-icmp and --no-ra is automatically > enabled. Options requiring a tap device (--ns-ifname, --ns-mac-addr, > --config-net, --outbound-if4/6) are rejected. > > Link: https://bugs.passt.top/show_bug.cgi?id=149 > Signed-off-by: Yumei Huang > --- > conf.c | 56 +++++++++++++++++++++++++++++++++++++++++--------------- > fwd.c | 3 +++ > passt.1 | 5 +++++ > passt.h | 2 ++ > pasta.c | 3 +++ > tap.c | 11 +++++++---- > 6 files changed, 61 insertions(+), 19 deletions(-) > > diff --git a/conf.c b/conf.c > index 84ae12b..353d0a5 100644 > --- a/conf.c > +++ b/conf.c > @@ -1049,7 +1049,8 @@ pasta_opts: > " --no-copy-addrs DEPRECATED:\n" > " Don't copy all addresses to namespace\n" > " --ns-mac-addr ADDR Set MAC address on tap interface\n" > - " --no-splice Disable inbound socket splicing\n"); > + " --no-splice Disable inbound socket splicing\n" > + " --no-tap Don't create tap device\n"); > > passt_exit(status); > } > @@ -1451,6 +1452,7 @@ void conf(struct ctx *c, int argc, char **argv) > {"no-ndp", no_argument, &c->no_ndp, 1 }, > {"no-ra", no_argument, &c->no_ra, 1 }, > {"no-splice", no_argument, &c->no_splice, 1 }, > + {"no-tap", no_argument, &c->no_tap, 1 }, > {"freebind", no_argument, &c->freebind, 1 }, > {"no-map-gw", no_argument, &no_map_gw, 1 }, > {"ipv4-only", no_argument, NULL, '4' }, > @@ -1947,8 +1949,11 @@ void conf(struct ctx *c, int argc, char **argv) > } > } while (name != -1); > > - if (c->mode != MODE_PASTA) > + if (c->mode != MODE_PASTA) { > c->no_splice = 1; > + if (c->no_tap) > + die("--no-tap is for pasta mode only"); > + } > > if (c->mode == MODE_PASTA && !c->pasta_conf_ns) { > if (copy_routes_opt) > @@ -1957,6 +1962,25 @@ void conf(struct ctx *c, int argc, char **argv) > die("--no-copy-addrs needs --config-net"); > } > > + if (c->mode == MODE_PASTA && c->no_tap) { > + if (c->no_splice) > + die("--no-tap is incompatible with --no-splice");

I'm not sure if you need this for other reasons, but as long as it's called --no-tap, it's not really incompatible with --no-splice.

I will update it to --splice-only

...

Maybe users just want to get a disconnected namespace for whatever reason ('pasta' is shorter to type than 'unshare -rUn').

> + if (*c->ip4.ifname_out || *c->ip6.ifname_out) > + die("--no-tap is incompatible with --outbound-if4/6"); > + if (*c->pasta_ifn) > + die("--no-tap is incompatible with --ns-ifname"); > + if (*c->guest_mac) > + die("--no-tap is incompatible with --ns-mac-addr"); > + if (c->pasta_conf_ns) > + die("--no-tap is incompatible with --config-net");

I guess all these checks are to save some checks later, which looks like a good reason to have them here.

If not, though, I don't think we *really* need to tell the user that --ns-ifname will be ignored with --no-tap.

One thing that might confuse users, though, is this:

$ ./pasta --no-tap --mtu 1500 -- ip l 1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

or even this:

$ ./pasta --no-tap -a 192.0.2.1 -- ip a 1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host proto kernel_lo valid_lft forever preferred_lft forever

but I would rather *not* add conditions and checks for those even if there's a *slight* potential for confusion, otherwise this becomes really long. And it's really not worth it, I think.

Then I guess we only need the c->no_splice check, right?

...maybe? About *needing*, yes, I guess so, but if other checks save more checks later, I would keep them.

...

...

> + > + c->host_lo_to_ns_lo = 1; > + c->no_icmp = 1; > + c->no_ra = 1; > + c->no_dns = 1; > + c->no_dns_search = 1; > + } > + > if (!ifi4 && *c->ip4.ifname_out) > ifi4 = if_nametoindex(c->ip4.ifname_out); > > @@ -1980,9 +2004,9 @@ void conf(struct ctx *c, int argc, char **argv) > log_conf_parsed = true; /* Stop printing everything */ > > nl_sock_init(c, false); > - if (!v6_only) > + if (!v6_only && !c->no_tap) > c->ifi4 = conf_ip4(ifi4, &c->ip4); > - if (!v4_only) > + if (!v4_only && !c->no_tap) > c->ifi6 = conf_ip6(ifi6, &c->ip6); > > if (c->ifi4 && c->mtu < IPV4_MIN_MTU) { > @@ -1998,30 +2022,32 @@ void conf(struct ctx *c, int argc, char **argv) > (*c->ip6.ifname_out && !c->ifi6)) > die("External interface not usable"); > > - if (!c->ifi4 && !c->ifi6 && !*c->pasta_ifn) { > + if (!c->ifi4 && !c->ifi6 && !*c->pasta_ifn && !c->no_tap) {

You already checked that !*c->pasta_ifn above.

I guess the check above (aka. if (*c->pasta_ifn && c->no_tap)) doesn't affect this one? If c->pasta_ifn is assigned, we won't come to the check !c->no_tap here. Otherwise, we do need to check !c->no_tap.

Right, but you don't care about resetting c->pasta_ifn to the default value if !c->no_tap, because in that case you know that c->pasta_ifn wasn't set, so you can happily override it.

I just realized that you probably meant when c->no_tap is set. Actually it would affect conf_print, info("Namespace interface: %s", c->pasta_ifn). But I will add a condition about c->splice_only before this line, so yes, it doesn't matter whether reset it or not. I will remove the check in v2.

...

I'm not sure I fully understand it. If !c->no_tap, the condition is the same as before without this patch, which is to not reset it if it's specified in cmd line. We won't know if c->pasta_ifn is set until this check, do we?

Let's assume !c->ifi4 && !c->ifi6. Then we have 2 variables and 2^2 possible cases:

1. !*c->pasta_ifn && !c->no_tap: we need to override c->pasta_ifn

2. !*c->pasta_ifn && c->no_tap: we don't need to override c->pasta_ifn, *but it's harmless if we do*

This will lead conf_print to print "Namespace interface: tap0" which is not correct. But I plan to add a check with c->no_tap in conf_print, so it won't be a problem.

3. *c->pasta_ifn && !c->no_tap: we must not override c->pasta_ifn

4. *c->pasta_ifn && c->no_tap: we must not override c->pasta_ifn

Now, if we make 1. and 2. the same and decide to override c->pasta_ifn also in case 2. (when it's not necessary, but harmless), 1. and 2. as well as 3. and 4. are pairwise the same, so you don't strictly need to add a condition on c->no_tap, I think.

On the other hand... if it's obvious just to me, maybe it's actually simpler to keep the check. :) I realise that my observation is not as clear as I initially thought.

-- Stefano

-- Thanks, Yumei Huang