From 486e525edad7b8e68e5d2c0cafaf7771ffeba39b Mon Sep 17 00:00:00 2001
From: Kroese
Date: Sun, 12 Oct 2025 00:01:42 +0200
Subject: [PATCH 1/4] fix: Expose only selected ports with Passt
---
 src/network.sh | 133 ++++++++++++++++++++++++-------------------------
 1 file changed, 64 insertions(+), 69 deletions(-)
diff --git a/src/network.sh b/src/network.sh
index 3be31985..32c89933 100644
--- a/src/network.sh
+++ b/src/network.sh
@@ -181,35 +181,26 @@ configureDNS() {
 return 0
 }
-getUserPorts() {
-
- local args=""
- local list=$1
- local ssh="22"
-
- [[ "${BOOT_MODE:-}" == "windows"* ]] && ssh="3389"
- [ -z "$list" ] && list="$ssh" || list+=",$ssh"
+compat() {
- list="${list//,/ }"
- list="${list## }"
- list="${list%% }"
+ local gateway="$1"
+ local interface="$2"
+ local samba="20.20.20.1"
- for port in $list; do
- proto="tcp"
- num="$port"
+ [[ "$samba" == "$gateway" ]] && return 0
+ [[ "${BOOT_MODE:-}" != "windows"* ]] && return 0
- if [[ "$port" == */udp ]]; then
- proto="udp"
- num="${port%/udp}"
- elif [[ "$port" == */tcp ]]; then
- proto="tcp"
- num="${port%/tcp}"
- fi
+ if [[ "$interface" != "${interface:0:8}" ]]; then
+ error "Bridge name too long!" && return 1
+ fi
- args+="hostfwd=$proto::$num-$VM_NET_IP:$num,"
- done
+ # Backwards compatibility with old installations
+ if ip address add dev "$interface" "$samba/24" label "$interface:compat"; then
+ SAMBA_INTERFACE="$samba"
+ else
+ warn "failed to configure IP alias!"
+ fi
- echo "${args%?}"
 return 0
 }
@@ -233,47 +224,52 @@ getHostPorts() {
 [ -z "$list" ] && list="$WSD_PORT" || list+=",$WSD_PORT"
 fi
- if [[ "${NETWORK,,}" == "passt" ]]; then
-
- local DNS_PORT="53"
- local SAMBA_PORT="445"
+ echo "$list"
+ return 0
+}
- if [[ "${DNSMASQ_DISABLE:-}" != [Yy1]* ]]; then
- [ -z "$list" ] && list="$DNS_PORT" || list+=",$DNS_PORT"
- fi
+getUserPorts() {
- if [[ "${BOOT_MODE:-}" == "windows"* ]]; then
- if [[ "${SAMBA:-}" != [Nn]* ]]; then
- [ -z "$list" ] && list="$SAMBA_PORT" || list+=",$SAMBA_PORT"
- fi
- fi
+ local args=""
+ local list=$1
+ list=$(echo "${list// /}" | sed 's/,*$//g')
- fi
+ local ssh="22"
+ [[ "${BOOT_MODE:-}" == "windows"* ]] && ssh="3389"
+ [ -z "$list" ] && list="$ssh" || list+=",$ssh"
 echo "$list"
 return 0
 }
-compat() {
+getSlirp() {
- local gateway="$1"
- local interface="$2"
- local samba="20.20.20.1"
+ local args=""
+ local list=""
- [[ "$samba" == "$gateway" ]] && return 0
- [[ "${BOOT_MODE:-}" != "windows"* ]] && return 0
+ list=$(getUserPorts)
+ list="${list//,/ }"
+ list="${list## }"
+ list="${list%% }"
- if [[ "$interface" != "${interface:0:8}" ]]; then
- error "Bridge name too long!" && return 1
- fi
+ for port in $list; do
- # Backwards compatibility with old installations
- if ip address add dev "$interface" "$samba/24" label "$interface:compat"; then
- SAMBA_INTERFACE="$samba"
- else
- warn "failed to configure IP alias!"
- fi
+ proto="tcp"
+ num="${port%/tcp}"
+ if [[ "$port" == *"/udp" ]]; then
+ proto="udp"
+ num="${port%/udp}"
+ elif [[ "$port" != *"/tcp" ]]; then
+ args+="hostfwd=$proto::$num-$VM_NET_IP:$num,"
+ proto="udp"
+ num="${port%/udp}"
+ fi
+
+ args+="hostfwd=$proto::$num-$VM_NET_IP:$num,"
+ done
+
+ echo "${args%?}"
 return 0
 }
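Review bot: getSlirp calls `getUserPorts` with no argument, so inside it `local list=$1` is empty (or an unbound-variable abort if the script runs under `set -u`, which this hunk does not show) and the operator's USER_PORTS never reaches the `hostfwd=` builder. The configureSlirp hunk (`@@ -295,14 +291,14 @@`) has the matching problem: its unchanged line `forward=$(getUserPorts "${USER_PORTS:-}")` now receives a bare list such as `80,443,22`, which `NET_OPTS+=",$forward"` appends to the `-netdev user` string in place of `hostfwd=` entries. I would pass the value through with `list=$(getUserPorts "${USER_PORTS:-}")` here and have configureSlirp call `forward=$(getSlirp)`. In the loop, `port`, `proto` and `num` are assigned without `local` and leak into the caller's scope, and `local args=""` in the new getUserPorts is unused.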
@@ -295,14 +291,14 @@ configureSlirp() {
 NET_OPTS="-netdev user,id=hostnet0,ipv4=on,host=$gateway,net=${gateway%.*}.0/24,dhcpstart=$ip,${ipv6}hostname=$VM_NET_HOST"
- local forward
+ local forward=""
 forward=$(getUserPorts "${USER_PORTS:-}")
 [ -n "$forward" ] && NET_OPTS+=",$forward"
 if [[ "${DNSMASQ_DISABLE:-}" != [Yy1]* ]]; then
 cp /etc/resolv.conf /etc/resolv.dnsmasq
- echo -e "nameserver 127.0.0.1\nsearch .\noptions ndots:0" >/etc/resolv.conf
 configureDNS "lo" "$ip" "$VM_NET_MAC" "$VM_NET_HOST" "$VM_NET_MASK" "$gateway" || return 1
+ echo -e "nameserver 127.0.0.1\nsearch .\noptions ndots:0" >/etc/resolv.conf
 fi
 VM_NET_IP="$ip"
@@ -340,16 +336,15 @@ configurePasst() {
 PASST_OPTS+=" -n $VM_NET_MASK"
 [ -n "$PASST_MTU" ] && PASST_OPTS+=" -m $PASST_MTU"
- exclude=$(getHostPorts "$HOST_PORTS")
+ local forward=""
+ forward=$(getUserPorts "${USER_PORTS:-}")
- if [ -z "$exclude" ]; then
- exclude="%${VM_NET_DEV}/all"
- else
- exclude="%${VM_NET_DEV}/~${exclude//,/,~}"
+ if [ -n "$forward" ]; then
+ forward="%${VM_NET_DEV}/$forward"
+ PASST_OPTS+=" -t $forward"
+ PASST_OPTS+=" -u $forward"
 fi
- PASST_OPTS+=" -t $exclude"
- PASST_OPTS+=" -u $exclude"
 PASST_OPTS+=" -H $VM_NET_HOST"
 PASST_OPTS+=" -M $GATEWAY_MAC"
 PASST_OPTS+=" -P /var/run/passt.pid"
@@ -701,11 +696,6 @@ getInfo() {
 [ -z "$MTU" ] && MTU="$mtu"
 [ -z "$MTU" ] && MTU="0"
- if [ "$MTU" -gt "1500" ]; then
- [[ "$DEBUG" == [Yy1]* ]] && echo "MTU size is too large: $MTU, ignoring..."
- MTU="0"
- fi
-
 if [[ "${ADAPTER,,}" != "virtio-net-pci" ]]; then
 if [[ "$MTU" != "0" && "$MTU" != "1500" ]]; then
 warn "MTU size is $MTU, but cannot be set for $ADAPTER adapters!" && MTU="0"
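Review bot: In the configurePasst hunk (`@@ -340,16 +336,15 @@`) the same `$forward` list is given to both `-t` and `-u`, so every entry in USER_PORTS is published on TCP and UDP alike, which is wider than an entry such as `53/udp` asks for. The `/tcp` and `/udp` suffixes that getSlirp interprets are not handled here, and the `[PATCH 3/4]` hunk (`@@ -338,6 +338,8 @@`) only strips them, so the protocol choice is lost rather than applied. Entries are also not checked before they are spliced into PASST_OPTS, so passt specifiers like `all` or a `~` exclusion (both used by the removed code) would pass straight through from the environment. Splitting the list per protocol, as sketched below, keeps the exposure to what was requested; unsuffixed ports still open both protocols, as getSlirp does. configurePasst starts and ends outside the hunk.

```shell
  local forward="" tcp="" udp="" port=""
  forward=$(getUserPorts "${USER_PORTS:-}")

  # Honour the /tcp and /udp suffixes: a suffixed entry is opened on that protocol only
  for port in ${forward//,/ }; do
    case "$port" in
      */tcp ) tcp+="${tcp:+,}${port%/tcp}" ;;
      */udp ) udp+="${udp:+,}${port%/udp}" ;;
      * ) tcp+="${tcp:+,}$port"; udp+="${udp:+,}$port" ;;
    esac
  done

  [ -n "$tcp" ] && PASST_OPTS+=" -t %${VM_NET_DEV}/$tcp"
  [ -n "$udp" ] && PASST_OPTS+=" -u %${VM_NET_DEV}/$udp"
  # … unchanged: -H, -M, -P options …
```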
@@ -823,12 +813,17 @@ else
 exit 24
 fi
+ *)
+ error "Unrecognized NETWORK value: \"$NETWORK\"" && exit 24 ;;
+ esac
+
+ case "${NETWORK,,}" in
+ "passt" | "slirp" )
+
 if [ -z "$USER_PORTS" ]; then
- info "Notice: slirp networking is active, so when you want to expose ports, you will need to map them using this variable: \"USER_PORTS=80,443\"."
+ info "Notice: because user-mode networking is active, if you need to expose ports, add them to the \"USER_PORTS\" variable."
 fi ;;
- *)
- error "Unrecognized NETWORK value: \"$NETWORK\"" && exit 24 ;;
 esac
 fi
From 863d8ef8a3038b73a4d607103572e9c0e5fb1885 Mon Sep 17 00:00:00 2001
From: Kroese
Date: Sun, 12 Oct 2025 00:08:34 +0200
Subject: [PATCH 2/4] docs: Readme
Clarified instructions for exposing network ports in Docker Compose.
---
 readme.md | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/readme.md b/readme.md
index c04c2c18..3e993128 100644
--- a/readme.md
+++ b/readme.md
@@ -242,7 +242,7 @@ kubectl apply -f https://raw.githubusercontent.com/qemus/qemu/refs/heads/master/
 ### How do I expose network ports?
- You can expose ports just by adding them to your compose file. If you want to be able to connect to the SSH service of the machine for example, you would add it like this:
+ When using bridge networking, you can expose ports by adding them to your compose file. If you want to be able to connect to the SSH service of the machine for example, you would add it like this:
 ```yaml
 ports:
@@ -251,6 +251,13 @@ kubectl apply -f https://raw.githubusercontent.com/qemus/qemu/refs/heads/master/
 This will make port 2222 on your host redirect to port 22 of the virtual machine.
+ When using user-mode networking (for example when running under Podman), you will also need to add those ports to the `USER_PORTS` variable like this:
+
+ ```yaml
+ environment:
+ USER_PORTS: "22,80,443"
+ ```
+
 ### How do I assign an individual IP address to the container?
 By default, the container uses bridge networking, which shares the IP address with the host.
From 4f9bc851ab214d15a092be243441731654f7fbcf Mon Sep 17 00:00:00 2001
From: Kroese
Date: Sun, 12 Oct 2025 00:56:41 +0200
Subject: [PATCH 3/4] Update network.sh
---
 src/network.sh | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/network.sh b/src/network.sh
index 32c89933..034c14ab 100644
--- a/src/network.sh
+++ b/src/network.sh
@@ -338,6 +338,8 @@ configurePasst() {
 local forward=""
 forward=$(getUserPorts "${USER_PORTS:-}")
+ forward="${forward///tcp}"
+ forward="${forward///udp}"
 if [ -n "$forward" ]; then
 forward="%${VM_NET_DEV}/$forward"
From b1236dc838ffe1f0fed20c7eef3c714da73df133 Mon Sep 17 00:00:00 2001
From: Kroese
Date: Sun, 12 Oct 2025 00:57:56 +0200
Subject: [PATCH 4/4] Update network.sh
---
 src/network.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/network.sh b/src/network.sh
index 034c14ab..a172d93f 100644
--- a/src/network.sh
+++ b/src/network.sh
@@ -813,7 +813,7 @@ else
 if ! configureSlirp; then
 error "Failed to configure user-mode networking!"
 exit 24
- fi
+ fi ;;
 *)
 error "Unrecognized NETWORK value: \"$NETWORK\"" && exit 24 ;;