iptables rule without an ip range applies to all interfaces

The current logic pretends it only applies to 127.0.0.1, which
means the new `guestIPMustBeZero` rule does not detect it properly.

This is a problem with nerdctl and containerd on Alpine. It works
"by accident" on Ubuntu because the port was also bound to [::],
which had an entry in /proc/net/tcp6.

Signed-off-by: Jan Dubois <[email protected]>

Author: jandubois

pkg/guestagent/iptables/iptables.go

@@ -75,12 +75,10 @@ func parsePortsFromRules(rules []string) ([]Entry, error) {
 					istcp = true
 				}
 
-				// if the IP is blank the port forwarding the portforwarding,
-				// which gets information from this, will skip it. When no IP
-				// is present localhost will work.
+				// When no IP is present the rule applies to all interfaces.
 				ip := found[1]
 				if ip == "" {
-					ip = "127.0.0.1"
+					ip = "0.0.0.0"
 				}
 				ent := Entry{
 					IP:   net.ParseIP(ip),

pkg/guestagent/iptables/iptables_test.go

@@ -84,8 +84,8 @@ func TestParsePortsFromRules(t *testing.T) {
 		t.Fatalf("expected 2 ports parsed from iptables but parsed %d", l)
 	}
 
-	if res[0].IP.String() != "127.0.0.1" || res[0].Port != 8082 || res[0].TCP != true {
-		t.Errorf("expected port 8082 on IP 127.0.0.1 with TCP true but go port %d on IP %s with TCP %t", res[0].Port, res[0].IP.String(), res[0].TCP)
+	if res[0].IP.String() != "0.0.0.0" || res[0].Port != 8082 || res[0].TCP != true {
+		t.Errorf("expected port 8082 on IP 0.0.0.0 with TCP true but got port %d on IP %s with TCP %t", res[0].Port, res[0].IP.String(), res[0].TCP)
 	}
 	if res[1].IP.String() != "127.0.0.1" || res[1].Port != 8081 || res[1].TCP != true {
 		t.Errorf("expected port 8081 on IP 127.0.0.1 with TCP true but go port %d on IP %s with TCP %t", res[1].Port, res[1].IP.String(), res[1].TCP)