If there's no server listening in a guest on a given port, and passt is forwarding that port, the behaviour shown host-side is not entirely transparent: passt accepts the connection first, lets the kernel complete the three-way handshake, and then closes the socket (causing a RST segment to be sent) once the guest doesn't answer the connection attempt (SYN). This is different from denying the connection attempt right away, and we could probably obtain a more transparent behaviour by deferring the accept() call on the listening until the connection to the guest is established. This is probably going to add some latency, though. We should first evaluate if this actually helps: for example by dropping sleep directives in TCP tests and letting the socat client retry the connection as long as the server isn't accepting it. If that works, evaluate latency, and depending on that decide if we should enable this behaviour, even just as an option. See also the discussion around: https://archives.passt.top/passt-dev/20220919102434.187bd423@elisabeth/