On Tue, Dec 23, 2025 at 02:15:43PM -0600, izzy Meyer wrote:
>
> Hello misc@
>
> I had an alpine 3.22 vmm virtual machine using a static ip NAT via
> vport(4) & veb(4) and things were working fine. I did a routine
> upgrade of the vm to 3.23 and networking broke. I can't ping or
> traceroute anything from the virtual machine. Networking works on the
> host. I can't ping the host from the vm. Is this a bug in the newer
> linux kernels? or is this a mistake in my configuration? Any help would
> be appreciated.

i would try following the packets through the host with tcpdump. in this
setup you should see the packets coming from the vm into the host on the
tap interface, through veb0, and into vport0. so `tcpdump -ni tap0`,
then `tcpdump -ni veb0`, and `tcpdump -ni vport0`.

if you don't see anything on tap0 then it sounds like a vm or vmm
problem.

did you upgrade the host at the same time? or just the vm?

while i'm here, i have a couple of notes on your setup below.

if you're only going to be running the one vm then you don't
need veb in your topology, you can talk to the vm directly on the tap
interface. without veb, you can think of the tap interface as having
a cable between the host and the vm. adding veb plugs that connection
into a switch, and vport then plugs the host into that same switch.

eg, i have a setup like that:

    # cat /etc/hostname.tap8
    lladdr fe:e1:ba:d1:ca:57
    inet 172.16.0.1 255.255.255.0

    # cat /etc/vm.conf
    vm "vm" {
            memory 2G
            disk "/opt/vm/hass.fedora/disk.qcow2" format qcow2
            # Use a specific tap(4) interface with a hardcoded MAC address
            interface tap8 {
                    lladdr de:ed:ba:d4:99:a8
            }
    }

the vm is configured with a static ip of 172.16.0.2/24, and is able to
talk directly with the host via the tap8 interface.

>
> relevant information below:
>
> ```
> ~ $ cat /etc/pf.conf
> set skip on lo
> set block-policy drop
> set optimization normal
>
> # vmm NAT
> match out on egress from vport0:network to any nat-to (egress)

alternatively, you can use received-on for a rule like this, eg:

    match out on egress received-on vport0 nat-to (egress)

> # Allow VM traffic
> pass in on veb0 inet from vport0:network nat-to (egress)

veb(4) does not show packets to pf(4) unless you have the link1 flag
set. if you do have link1 set, then pf will generally be run on the
port interfaces (eg, tap0). the only time pf runs against the veb
interface itself is when veb is flooding broadcast, multicast, or
unknown unicast.

> pass out on egress inet keep state
>
> # Multicast junk
> pass proto udp to 224.0.0.251 port mdns allow-opts
> pass inet6 proto udp to ff02::fb port mdns allow-opts
> pass proto udp to 239.255.255.250 port ssdp allow-opts
> pass inet6 proto udp to { ff02::c, ff05::c, ff08::c } port ssdp allow-opts
>
> # ICMP
> pass inet proto icmp
> pass inet6 proto icmp6
> ```
>
> ```
> ~ $ cat /etc/hostname.veb0
> add vport0
> up
> ~ $ cat /etc/hostname.vport0
> inet 172.16.100.1 255.255.255.0
> up
> ```
>
> ```
> ~ $ cat /etc/vm.conf
> switch "uplink" {
> interface veb0
> }
>
> vm "alpine" {
> disable
> memory 768M
> # cdrom "/tmp/alpine.iso"
> disk "/home/izder456/VMs/Alpine.qcow2"
> interface { switch "uplink" }
> owner izder456
> }
> ```
>
> ```
> ~ $ vmctl status
> ID PID VCPUS MAXMEM CURMEM TTY OWNER STATE NAME
> 1 41429 1 772M 270M ttyp3 izder456 running alpine
> ```
>
> `vmctl console alpine`:
> ```
> alpine-vm:~# uname -a
> Linux alpine-vm 6.17.12-0-stable #1-Alpine SMP PREEMPT_DYNAMIC 2025-12-12 18:38:41 x86_64 GNU/Linux
>
> alpine-vm:~# cat /etc/network/interfaces
> auto lo
> iface lo inet loopback
>
> auto eth0
> iface eth0 inet static
> address 172.16.100.2
> netmask 255.255.255.0
> gateway 172.16.100.1
>
> alpine-vm:~# cat /etc/resolv.conf
> search vlan
> nameserver 9.9.9.9
>
> alpine-vm:~# cat /etc/os-release
> NAME="Alpine Linux"
> ID=alpine
> VERSION_ID=3.23.2
> PRETTY_NAME="Alpine Linux v3.23"
> HOME_URL="https://alpinelinux.org/"
> BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"
>
> alpine-vm:~# ping 172.16.100.1
> PING 172.16.100.1 (172.16.100.1): 56 data bytes
> ^C
> --- 172.16.100.1 ping statistics ---
> 1 packets transmitted, 0 packets received, 100% packet loss
>
> alpine-vm:~# ping 9.9.9.9
> PING 9.9.9.9 (9.9.9.9): 56 data bytes
> ^C
> --- 9.9.9.9 ping statistics ---
> 1 packets transmitted, 0 packets received, 100% packet loss
> alpine-vm:~#
> ```
>
>
> --
> iz (she/her)
>
> > i like to say mundane things,
> > there are too many uninteresting things
> > that go unnoticed.
>
> izder456 (dot) neocities (dot) org
>
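
The hop-by-hop capture suggested in the reply above, as an added example that is not part of either message: it reads saved `tcpdump -ni <if>` text output for tap0, veb0 and vport0 and reports the first interface on which nothing from the vm was seen. The `<if>.txt` file layout, the function names and the sample capture lines are assumptions made for the example.

```sh
#!/bin/sh
# Added example: find the first hop on the host where the VM's packets stop.
# Interface names and the VM address come from the thread; the <if>.txt files
# are assumed to hold saved `tcpdump -ni <if>` text output, one file per hop.
VM_IP=172.16.100.2
HOPS="tap0 veb0 vport0"

# Count captured lines sent by the VM: IP packets it sources (with or without
# a port suffix) and its ARP requests. The address is matched as a whole
# token, so 172.16.100.20 does not count.
count_from_vm() {
	ip_re=$(printf '%s' "$VM_IP" | sed 's/\./\\./g')
	grep -cE "( ${ip_re}(\.[0-9]+)? > |tell ${ip_re}( |\$))" "$1" || true
}

# Print the first hop whose capture shows no VM traffic, or "none".
first_silent_hop() {
	for ifname in $HOPS; do
		n=0
		if [ -r "$1/$ifname.txt" ]; then
			n=$(count_from_vm "$1/$ifname.txt")
		fi
		if [ "$n" -eq 0 ]; then
			echo "$ifname"
			return 0
		fi
	done
	echo none
}

# Constructed sample captures (not from the thread): the VM's ARP request shows
# up on tap0 and veb0, while vport0 only carries an unrelated request.
make_sample() {
	printf '%s\n' '14:02:11.000001 arp who-has 172.16.100.1 tell 172.16.100.2' > "$1/tap0.txt"
	cp "$1/tap0.txt" "$1/veb0.txt"
	printf '%s\n' '14:02:12.000001 arp who-has 172.16.100.20 tell 172.16.100.1' > "$1/vport0.txt"
}

# When run with a directory of captures as the first argument, report the hop.
if [ -d "${1:-}" ]; then
	echo "first hop without vm traffic: $(first_silent_hop "$1")"
fi
```

A result of tap0 is the case the reply attributes to the vm or vmm.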